CN101188616B - Method for terminal to apply for certificate - Google Patents

Publication number: CN101188616B
Authority: CN (China)
Prior art keywords: certificate, terminal, random number, user, private key
Legal status: Expired - Fee Related
Application number: CN2007102030139A
Other languages: Chinese (zh)
Other versions: CN101188616A (en)
Inventors: 陈焜, 刘贤洪
Current assignee: Sichuan Changhong Electric Co Ltd
Original assignee: Sichuan Changhong Electric Co Ltd

Abstract

The invention relates to DRM technology and provides a method of applying for a certificate that is both secure and flexible. The method by which a terminal applies for a certificate comprises the following steps: first, the terminal generates a public/private key pair; second, the terminal uses the user information and the public key to generate a certificate request file and sends the certificate request file to the certificate issuing center (the Certificate Authority); third, the certificate issuing center verifies that the user information is legitimate and then issues the user certificate, generates and stores a random number, and encrypts the random number with the public key; fourth, the certificate issuing center sends the user certificate and the encrypted random number to the terminal; fifth, the terminal decrypts the random number with its private key and sends the decrypted random number to the certificate issuing center, and also checks whether the private key matches the certificate; sixth, the certificate issuing center compares the received random number with the stored random number. The invention combines the advantages of the two prior-art methods: the private key can be obtained and renewed conveniently, the security of the private key is guaranteed, and data is prevented from being modified during network transmission.

Description

Method for a terminal to apply for a certificate
Technical field
The present invention relates to DRM (Digital Rights Management) technology.
Background
A DRM system provides end-to-end digital rights management and is secure, flexible and efficient. The main functions of a terminal in a DRM system are: to initiate the authorization certificate flow with the Certificate Authority; to verify the digital signature of the certificate with the Certificate Authority's public key, confirming the integrity and consistency of the certificate and obtaining the authorization information; to decrypt the content key in the certificate with its private key; to access the content service system, set up an RTSP/RTP connection, and obtain the encryption descriptor and the RTP packets of the encrypted content; and to decrypt the RTP packets using the authorization information obtained and play the decrypted digital content.
The certificate and the private key are very important in a DRM system: the private key must be stored securely, and the certificate must be issued by the Certificate Authority. How to obtain the private key and the certificate securely and efficiently is therefore a problem that must be solved. One prior-art approach is for the Certificate Authority to generate the private key and the certificate and then write them into the terminal. This is secure but very inflexible: the number of terminals is very large, and it would be very troublesome if every terminal had to go to the Certificate Authority to have its private key and certificate written. The other approach is to deliver the private key and the certificate to the terminal over the network. This is more flexible, but transmitting a private key over a network is very dangerous, even if the transmission channel is encrypted.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method of applying for a certificate that is both secure and flexible.
The technical solution adopted by the present invention to solve the above technical problem is a method for a terminal to apply for a certificate, comprising the following steps:
a. The terminal generates a public/private key pair and stores the private key;
b. The terminal generates a certificate request file from the user information and the public key, and sends the certificate request file to the Certificate Authority;
c. After verifying that the user information is legitimate, the Certificate Authority issues the user certificate; it generates and stores a random number, then encrypts the random number with said public key;
d. The Certificate Authority sends the user certificate and the encrypted random number to the terminal;
e. The terminal decrypts the random number with the private key and sends the decrypted random number to the Certificate Authority; it also checks whether the private key matches the certificate; if so, it stores the certificate; if not, the certificate application fails;
f. The Certificate Authority compares the received random number with the stored random number and determines whether they are identical; if so, it stores the certificate; if not, the certificate application fails.
The beneficial effect of the present invention is that it combines the advantages of the two prior-art methods: the terminal can conveniently obtain and update its private key, the security of the private key is guaranteed, and data is prevented from being modified during network transmission. The method can be used not only for certificate application in a DRM system but also for certificate application in other systems.
Embodiment
The terminal certificate application method is described below:
1. The terminal uses some algorithm to generate a public key and a private key, and stores the private key securely;
Generating the key pair is an important step in the certificate application process. The key-generation system should produce a high-strength key; the private key produced should be encrypted and then written into the terminal, while the public key is retained for use in the next step.
In a secure system, maintaining a backup of the key pair is essential; without it, losing the key would be catastrophic for some important data. Key backup and recovery are therefore also an important part of a DRM system. When the key-generation system writes the private key, the encrypted private key should be backed up at the same time, so that even if the private key is lost, the important information protected by public-key encryption can still be recovered.
In addition, the DRM terminal should take into account the life cycle of the keys it uses, which includes the validity period of the private key and of the certificate; once this has expired, a new key pair should be generated.
2. The terminal generates a certificate request file from the user information and the public key, and sends the certificate request file to the CA end (Certificate Authority);
The certificate request file consists of a certificate request (certReq), an optional check item (POP), and an optional registration information item (regInfo).
The certificate request is constructed in the following steps:
(1) Generate certReq, whose value comprises: the public key, all or part of the end entity's name, the user information and other desired certificate fields, and the control information associated with the registration process;
(2) Compute the POP from certReq, to prove that the terminal holds the private key associated with the public key of the requested certificate;
(3) Insert any other registration information required; this information, together with the POP and certReq, forms the certificate request message.
The POP is used to prove that the certificate requester really does hold the corresponding private key; this is to prevent certain attacks and to allow the CA end to check the validity of the binding between the end entity and the key. It can be computed from certReq, and its content and structure vary with the type of public-key algorithm and the mode of operation. The CA end is free to choose how to enforce POP in the certificate exchange. The regInfo item contains only supplementary information relating to the certificate request. It may also contain the requester's contact details, notification information, or other auxiliary information useful to the certificate request. Information directly related to the certificate content should be included in certReq.
Depending on the key type required for the certificate, POP can be implemented in different ways. If the key can be used for multiple purposes (as an RSA key can), POP can be implemented in any of these ways. The key in the present invention is used for encryption; to implement POP, the CA end can encrypt a random number with the terminal's public key, and if the terminal decrypts the random number correctly, this shows that the terminal holds the corresponding private key.
CertReq consists of a request identifier, a certificate content template, and an optional set of control information:
CertRequest ::= SEQUENCE {
    certReqId     INTEGER,            -- identifier that matches request and reply
    certTemplate  CertTemplate,       -- selected fields of the certificate to be issued
    controls      Controls OPTIONAL } -- attribute information relating to certificate issuance

CertTemplate ::= SEQUENCE {
    version      [0] Version               OPTIONAL,  -- certificate version
    serialNumber [1] INTEGER               OPTIONAL,  -- certificate serial number
    signingAlg   [2] AlgorithmIdentifier   OPTIONAL,  -- signature algorithm identifier
    issuer       [3] Name                  OPTIONAL,  -- certificate issuer
    validity     [4] OptionalValidity      OPTIONAL,  -- certificate validity period
    subject      [5] Name                  OPTIONAL,  -- certificate user name
    publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,  -- certificate holder public key information
    issuerUID    [7] UniqueIdentifier      OPTIONAL,  -- issuer unique identifier
    subjectUID   [8] UniqueIdentifier      OPTIONAL,  -- certificate holder unique identifier
    extensions   [9] Extensions            OPTIONAL } -- certificate extensions

OptionalValidity ::= SEQUENCE {
    notBefore  [0] Time OPTIONAL,
    notAfter   [1] Time OPTIONAL }  -- at least one must be present

Time ::= CHOICE {
    utcTime      UTCTime,
    generalTime  GeneralizedTime }
The DRM terminal uses the user information and the public key to generate a certificate request file in DER encoding according to the above structure, and then sends it to the CA end over a secure network.
3. After receiving the certificate request file, the CA end verifies the legitimacy of the user information. If verification passes, it uses the root certificate and the certificate request file to issue the user certificate, generates a random number and encrypts it with the user's public key, and sends the certificate and the encrypted random number to the terminal;
Verification of the legitimacy of the user information can be done manually or automatically. The verification program obtains the user information from the certificate request file, that is, the content of CertReq; the system should hold information characterizing legitimate and illegitimate users, and the user's legitimacy can be verified by comparison. To further ensure security, the legitimacy of the IP address may also be verified. If verification fails, the certificate application fails.
If verification passes, the user certificate is issued using the root certificate and the certificate request file. Most fields in the user certificate are the same as the content of the certificate request file; the certificate additionally carries the digital signature algorithm identifier and the signature value, the signature being computed over all the parts of the file that precede it.
4. After receiving the certificate and the random number, the terminal decrypts the random number with its own private key and sends the decrypted random number to the CA end; at the same time it checks for itself whether the private key and the certificate match. If they match, it stores the certificate; otherwise the certificate application fails. The reason for checking whether the private key and the certificate match is to ensure that the public key in the certificate really is the same as the public key originally generated and has not been modified.
5. The CA end compares the random number received with the unencrypted random number. If they are equal, it stores the certificate; otherwise the certificate application fails. The CA end compares the random numbers to ensure that the terminal really does hold the corresponding private key and is not an impostor.
The above method is used by a DRM terminal to apply for a certificate online. Because the private key is generated in the terminal, is backed up in encrypted form, and is not transmitted over the network, the security of the private key is guaranteed. The user certificate is applied for online, which is very convenient. The random number used in the application process prevents certain attacks and allows the CA to check the validity of the binding between the terminal and the key. The method is secure, flexible, efficient and highly general; by extension it can also be applied to certificate application in other systems.
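The exchange in steps 1 to 5, as an added example that is not code from the patent: a Go sketch using only the standard library, in which the CA issues an X.509 certificate and encrypts a stored random number with RSA-OAEP, and the terminal and the CA each make their check. The names `CA`, `NewKey`, `Issue`, `Confirm` and `TerminalRespond`, the subject `terminal-001`, the issuer template, and passing the subject name and public key directly instead of a DER-encoded certReq are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer is a constructed template standing in for the CA's root certificate.
var issuer = &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Root"}}

// CA holds the signing key and, per subject, the random number stored in step c.
type CA struct{ key *rsa.PrivateKey; nonces map[string][]byte }

// NewKey is step a on the terminal; this example also uses it for the CA's key.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Issue is steps c-d: certify the requested key, store a nonce, encrypt it to that key.
func (ca *CA) Issue(subject string, pub *rsa.PublicKey) (cert, enc []byte, err error) {
	now, nonce := time.Now(), make([]byte, 32)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()),
		Subject: pkix.Name{CommonName: subject}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	if _, err = rand.Read(nonce); err == nil {
		cert, err = x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, ca.key)
	}
	if err != nil {
		return nil, nil, err
	}
	ca.nonces[subject] = nonce
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	return cert, enc, err
}

// Confirm is step f: constant-time comparison with the stored, single-use nonce.
func (ca *CA) Confirm(subject string, got []byte) bool {
	want, ok := ca.nonces[subject]
	delete(ca.nonces, subject)
	return ok && subtle.ConstantTimeCompare(want, got) == 1
}

// TerminalRespond is step e: require the certificate to carry our key, then decrypt.
func TerminalRespond(priv *rsa.PrivateKey, certDER, enc []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&priv.PublicKey) {
		return nil, fmt.Errorf("certificate public key does not match private key")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, enc, nil)
}

func main() {
	caKey, err := NewKey()
	priv, err2 := NewKey() // step a: generated on the terminal, never transmitted
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	ca := &CA{key: caKey, nonces: map[string][]byte{}}
	cert, enc, issueErr := ca.Issue("terminal-001", &priv.PublicKey) // steps b-d, constructed subject
	nonce, err := TerminalRespond(priv, cert, enc)                   // step e
	fmt.Println("possession confirmed:", issueErr == nil && err == nil && ca.Confirm("terminal-001", nonce))
}
```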

Claims (3)

1. the method for terminal to apply for certificate is characterized in that, may further comprise the steps:
It is right that a, DRM terminal generate public/private keys, and preserve private key;
B, DRM terminal use the demand file that Generates Certificate of user profile and PKI, and the certificate request file is sent to Certificate Authority;
After c, Certificate Authority verify that user profile is legal, use root certificate and certificate request file to sign and issue user certificate; Produce and the preservation random number, again random number is used described public key encryption;
Random number after d, Certificate Authority send user certificate and encrypt is to the DRM terminal;
E, DRM terminal are used private key decrypted random number, and the random number after the deciphering is sent to Certificate Authority; And detect private key and whether mate with certificate, in this way, the preservation certificate; As denying the certificate request failure;
The random number that f, Certificate Authority are relatively received and the random number of preservation judge whether identically, in this way, preserve certificate; As denying the certificate request failure.
2. the method for terminal to apply for certificate according to claim 1 is characterized in that, among the step c, after Certificate Authority checking user profile is legal, also need verify the legal user certificate of just signing and issuing of IP address.
3. the method for terminal to apply for certificate as claimed in claim 1 or 2 is characterized in that, in the steps d, Certificate Authority is inserted the check item of user certificate by the random number after will encrypting, and the random number after encrypting is sent to the DRM terminal.
Application number: CN2007102030139A; priority date: 2007-12-12; filing date: 2007-12-12; title: Method for terminal to apply for certificate; status: Expired - Fee Related; publication: CN101188616B (en)

Publications (2)

Publication Number Publication Date
CN101188616A (en) 2008-05-28
CN101188616B (en) 2010-07-21

Granted publication date: 20100721

Termination date: 20201212