CN101465728A - Method, system and device for distributing cipher key - Google Patents
Method, system and device for distributing cipher key Download PDFInfo
- Publication number
- CN101465728A CN101465728A CNA2008102416317A CN200810241631A CN101465728A CN 101465728 A CN101465728 A CN 101465728A CN A2008102416317 A CNA2008102416317 A CN A2008102416317A CN 200810241631 A CN200810241631 A CN 200810241631A CN 101465728 A CN101465728 A CN 101465728A
- Authority
- CN
- China
- Prior art keywords
- user
- private key
- open parameter
- authentication center
- maker
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of invention discloses a key allocation method, a system and a device for improving private key allocation security in IBE technology. In the embodiment of invention, a private key generator acquires user infrastructure public key and adopts the infrastructure public key to encrypt the IBE private key of the user, and sends the encrypted IBE private key to the user; the IBE private key allocated to the user by the private key generator is ensured not to be maliciously attacked or stolen, so the security in IBE private key allocation process is improved.
Description
Technical field
The present invention relates to information security field, particularly a kind of cryptographic key distribution method, system and device.
Background technology
The unsymmetrical key technology is the technology that often adopts in the modern secrecy technology.Adopt the cryptographic system of unsymmetrical key technology can use different keys that user's information is carried out encryption and decryption, that is to say that a user has pair of secret keys: be i.e. PKI and private key.PKI is disclosed, and all users can obtain it; Private key then is that the user is privately owned, has only user oneself to grasp.If prove certain file is certain specific user, this specific user just can be with this file of its encrypted private key, if other user can decipher this file with this specific user's PKI, illustrate that this file is exactly this specific user, thereby realize the checking of document source.If other user sends a file to this specific user, just can send with this specific user's public key encryption file cocurrent, have only this specific user's private key can decipher this file, thereby realize the secret transmission of fileinfo.
Technology is as a kind of asymmetric cryptographic technique for IBE (Identity-based Encryption is based on the encryption of sign), and system configuration is simple, easy to use.The IBE system utilizes PKG (Private Key Generator, private key maker) to generate open parameter and master key, and utilizes master key and user ID generation user's private key, and private key is distributed to the user.Information sends file of public key encryption that the user uses the open parameter of its PKG that has and receives the user, receives the user and uses open parameter of its PKG that has and the private key of himself deciphering associated documents.
There is following shortcoming at least in prior art: the PKG in the IBE system need generate user's IBE private key and this IBE private key is distributed to the user, if malicious attacker is stolen user's IBE private key in PKG distributes the process of IBE private key for the user, just may grasp user's secret file, this will have a strong impact on user's information security.
Summary of the invention
The purpose of the embodiment of the invention is to provide a kind of cryptographic key distribution method, comprises the steps:
The private key maker obtains user's infrastructure PKI;
The private key maker utilizes described user's infrastructure PKI that user's the private key based on sign is encrypted;
The private key based on sign after the private key maker will be encrypted sends to the user.
According to still another embodiment of the invention, provide a kind of key distribution device, be used for sending based on the private key that identifies, comprising to the user:
PKI obtains module, is used to obtain this user's infrastructure PKI;
Encrypting module is used to utilize described user's infrastructure PKI that the user is encrypted based on the private key of sign;
The private key sending module, the private key based on sign that is used for encrypting through encrypting module sends to the user.
According to still another embodiment of the invention, provide, a kind of key distribution system, be used for sending private key, comprising: private key maker and authentication center based on sign to the user;
Described private key maker comprises key distribution device;
Described key distribution device comprises:
Receiver module is used to receive the private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key;
PKI obtains module, is used to obtain this user's infrastructure PKI;
Encrypting module utilizes described user's infrastructure PKI that the user is encrypted based on the private key of sign;
The private key sending module will send to the user through the private key based on sign that encrypting module is encrypted;
The signature request module is used for open parameter is sent to described authentication center, signs to its open parameter in the request authentication center;
The parameter sending module is used to receive the open parameter through authentication center's signature, and the open parameter behind authentication center's signature is sent to the user;
Described authentication center is used to receive the open parameters signatures request of described signature request module, and open parameter is signed, and the open parameter behind the signature is sent to described parameter sending module.
According to description to technique scheme, the embodiment of the invention has following advantage: utilize the PKI PKI in the PKI technology that the IBE private key of the generation of PKG is encrypted, guarantee that the IBE private key of PKG distribution can not stolen by malicious attacker, improved the fail safe of IBE private key distribution.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
The schematic diagram of a kind of cryptographic key distribution method that Fig. 1 provides for embodiments of the invention one;
The schematic diagram of another cryptographic key distribution method that Fig. 2 provides for embodiments of the invention two;
Fig. 3 is the open parameter request that a kind of private key maker provided by the invention receives the user, its open parameter is sent to the schematic diagram of user's embodiment;
Fig. 4 obtains to be subjected to the schematic diagram of method embodiment of the open parameter of the highest authentication center's signature of user's trusting degree for a kind of private key maker provided by the invention;
The schematic diagram of the method that a kind of authentication center that Fig. 5 provides for embodiments of the invention five signs to the open parameter of private key maker;
The schematic diagram of a kind of key distribution device that Fig. 6 provides for embodiments of the invention six;
The schematic diagram of another key distribution device that Fig. 7 provides for embodiments of the invention seven;
The schematic diagram of another key distribution device that Fig. 8 provides for embodiments of the invention eight;
The schematic diagram of another key distribution device that Fig. 9 provides for embodiments of the invention nine;
The schematic diagram of another key distribution device that Figure 10 provides for embodiments of the invention ten;
The schematic diagram of a kind of key distribution system that Figure 11 provides for embodiments of the invention 11;
The schematic diagram of another key distribution system that Figure 12 provides for embodiments of the invention 12.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
The schematic diagram of a kind of cryptographic key distribution method that Fig. 1 provides for embodiments of the invention one, this method comprises the steps:
Step S101: the private key maker obtains this user's infrastructure PKI.
In PKI (Public Key Infrastructure, PKIX) system, each user has its corresponding public key and private key, they is called infrastructure PKI and infrastructure private key here, abbreviates PKI PKI and PKI private key as.Described private key maker need obtain user's PKI PKI.
Step S102: the private key maker utilizes user's infrastructure PKI that user's the private key based on sign is encrypted.
Described private key based on sign is that the private key maker utilizes user's identification information to generate.In the IBE system, the user has the private key based on sign, abbreviates the IBE private key as; PKG then is the unit that generates and sends the IBE private key in the IBE system.The user can utilize its identification information to ask the corresponding IBE private key of its sign to PKG, after PKG receives the request of IBE private key, the pairing IBE private key of user ID is sent to the user.
The private key maker is before the infrastructure PKI that utilizes the user is encrypted user's the private key based on sign, comprise the steps: that also the private key maker verifies user identity, if be proved to be successful, utilize user's infrastructure PKI that user's the private key based on sign is encrypted.
PKG can realize the checking to user identity by the certificate validity of verifying that CA (Certification Authority, authentication center) issues for the user.The user is in PKG request IBE private key, CA can be sent to PKG for its certificate of issuing, PKG receives the certificate that CA issues for the user, utilize the PKI PKI of CA that certificate validity is verified, if certificate is effectively, then user's PKI PKI is encrypted user's the private key based on sign in the certificate of utility.
If the certificate that relative users does not also have CA to issue, then this user can ask authentication to CA, if authentication is passed through, the user issues PKG with CA for its certificate of issuing again.Can comprise in the certificate that described user's identity information, user's PKI PKI and CA to the signature of this certificate, that is to say that CA binds user's identity and PKI PKI.
Step S103: the private key based on sign after the private key maker will be encrypted sends to the user.
In the cryptographic key distribution method that present embodiment provides, PKG can utilize user's PKI PKI that its IBE private key is encrypted before sending the IBE private key, has guaranteed the reliability of IBE private key distribution.Present embodiment also discloses the process that PKG verifies user identity simultaneously before sending the IBE private key to the user, guarantee that described IBE private key is distributed in the right user hand.
The schematic diagram of another cryptographic key distribution method that Fig. 2 provides for embodiments of the invention two, this method comprises the steps:
Step S201: the private key maker receives the private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key.
Described user uses the private key based on sign of its identification information to private key maker request correspondence, and sends this private key request to the private key maker.
Step S202: the private key maker obtains this user's infrastructure PKI.
Step S203: the private key maker utilizes user's infrastructure PKI that user's the private key based on sign is encrypted.
The private key maker is before the infrastructure PKI that utilizes the user is encrypted user's the private key based on sign, comprise the steps: that also the private key maker verifies user identity, if be proved to be successful, utilize user's infrastructure PKI that user's the private key based on sign is encrypted.
PKG can realize the checking to user identity by the certificate validity of verifying that CA issues for the user.The user is in PKG request IBE private key, CA can be sent to PKG for its certificate of issuing, PKG receives the certificate that CA issues for the user, utilize the PKI PKI of CA that certificate validity is verified, if certificate is effectively, then user's PKI PKI is encrypted user's the private key based on sign in the certificate of utility.
If the certificate that relative users does not also have CA to issue, then this user can ask authentication to CA, if authentication is passed through, the user issues PKG with CA for its certificate of issuing again.Can comprise in the certificate that described user's identity information, user's PKI PKI and CA to the signature of this certificate, that is to say that CA binds user's identity and PKI PKI.
Step S204: the private key based on sign after the private key maker will be encrypted sends to the user.
Further, present embodiment also can comprise step S205: the user utilizes its infrastructure private key that the private key based on sign after encrypting is decrypted, and obtains described private key based on sign.
The user utilizes its PKI private key to decipher the private key based on sign that process is encrypted, and behind the successful decryption, the user can obtain and use its private key based on sign to carry out based on the encryption or the decryption oprerations that identify.
Again further, present embodiment also can comprise the steps:
Step S206: the private key maker receives user's open parameter request, and its open parameter is sent to the user.
The user except using the IBE private key, also needs to use the open parameter of private key maker when carrying out based on encryption that identifies or deciphering, if the user does not also have the open parameter of described private key maker, just need the private key maker to send its open parameter to the user.
Step S207: the user utilizes it to carry out based on the encryption or the deciphering that identify based on the private key of sign and the open parameter of private key maker.
In encryption or deciphering based on sign, user's identification information is disclosed, is equivalent to a PKI, and it identifies pairing IBE private key can decipher the file of this mark encryption.Certain user A can utilize the identification information of another user B and the open parameter of PKG that file is encrypted; Described user B can utilize it based on the private key of sign and the open parameter of PKG the file that user A encrypts to be decrypted.Owing to have only user B to grasp the private key of its identification information correspondence,, guarantee that like this file is not used by other people so have only user B could decipher and obtain the file of encrypting through its identification information.
By encrypt and decrypt operation, usurp classified document except preventing other people, true source that can also authenticating documents.If certain user A utilize its based on the private key of sign and the open parameter of PKG to file encryption, another user B can utilize the identification information of described user A and the open parameter deciphering corresponding document of PKG, if successful decryption, confirm that this document belongs to described user A really, realize confirmation document source.
Present embodiment openly sends the technology that the PKI PKI that can utilize the user before the IBE private key is encrypted its IBE private key, the technology that sends open parameter to the user is disclosed simultaneously, so that the user uses open parameter and IBE private key to carry out based on the encryption or the deciphering that identify.
Mention in the foregoing description, the user except needs IBE private key, also will use the open parameter of PKG if carry out encryption or deciphering based on sign, and therefore, the reliability of the open parameter of the PKG that the user obtains also is a major issue.Fig. 3 is the open parameter request that a kind of private key maker provided by the invention receives the user, and its open parameter is sent to the schematic diagram of user's embodiment, and this method comprises the steps:
Step S301: the private key maker receives user's open parameter request, comprises in the disclosure parameter request identified by the authentication center of users to trust.
Can comprise in the disclosure parameter request that at least one is identified by the authentication center of users to trust; When the user provides a plurality of authentication center,, the private key maker selects for providing more.Further, comprise when at least one authentication center that is subjected to users to trust identifies in the open parameter request that authentication center's sign can have its corresponding priorities, different priority representative of consumer is to the different reliability ratings of this authentication center; Can store a plurality of authentication centers sign and corresponding priorities by the form of authentication center's tabulation.Authentication center's tabulation also can be sorted to authentication center's sign according to the degree of users to trust, and just that the users to trust degree is high authentication center comes the front of tabulation.
Step S302: the private key maker obtains the open parameter of authentication center's signature of users to trust.
The private key maker can be selected an authentication center from described authentication center sign, and obtains the open parameter of this authentication center's signature.When comprising a plurality of authentication centers sign in the described authentication center sign, the private key maker can be selected an authentication center arbitrarily, also can be identified at the high authentication center of sequencing selection users to trust degree in the tabulation according to the priority of authentication center sign or authentication center.
The private key maker can obtain the open parameter of authentication center's signature of users to trust in several ways.Under a kind of execution mode, PKG searches its certificate data bank, and therefrom finds the open parameter of the CA signature that is subjected to users to trust.Under this execution mode, need PKG to arrive first the signature that users to trust CA carries out open parameter in advance, and store the open parameter of this CA signature, in use by searching the open parameter that can obtain described signature, to improve system effectiveness.The process that PKG utilizes CA that its open parameter is signed is: PKG sends to the CA that is subjected to users to trust with its open parameter, ask corresponding CA that its open parameter is signed, at corresponding CA to it behind open parameters signatures, receive the open parameter of corresponding CA signature, thereby acquisition is subjected to the open parameter of the CA signature of users to trust.Certainly, can also adopt following execution mode: PKG to search its certificate data bank, its certificate data bank can not find the open parameter of the CA signature that is subjected to users to trust, then PKG sends to the CA that is subjected to users to trust with its open parameter, ask corresponding CA that its open parameter is signed, at corresponding CA it behind open parameters signatures, is received the open parameter of corresponding CA signature, thereby acquisition is subjected to the open parameter of the CA signature of users to trust.Described CA signs to the open parameter of PKG, exactly identity and its open parameter of PKG is bound.
This step can comprise: the private key maker obtains to be subjected to the open parameter of the highest authentication center's signature of user's trusting degree.
Step S303: the private key maker sends to the user with the open parameter of authentication center's signature of described users to trust.
This step can comprise: the private key maker will be subjected to the open parameter of the highest authentication center's signature of user's trusting degree to send to the user.
Further, present embodiment also can comprise step S304: the user verifies the open parameter that the authentication center that is subjected to its trust signs.
This step can comprise: the user verifies the open parameter of the authentication center of its trust signature, is effectively if verify the signature of described authentication center, prove that the disclosure parameter can trust, and can utilize the disclosure parameter to carry out based on the encryption that identifies.The process of checking specifically can comprise: the user is with the validity of this signature of PKI public key verifications of CA, if be proved to be successful, attestation-signatures is effective, and open parameter belongs to PKG really; If authentication failed abandons the disclosure parameter, can report an error to PKG simultaneously.
PKG in the present embodiment sends to the user by the open parameter that the CA that will be subjected to users to trust signs, guarantee that the open parameter that the user obtains is safe and reliable, when the user utilized corresponding open parameter that file is carried out encrypt and decrypt based on sign, fail safe was improved.
Fig. 4 obtains to be subjected to the schematic diagram of method embodiment of the open parameter of the highest authentication center's signature of user's trusting degree for a kind of private key maker provided by the invention, this method can comprise:
Step S401: the private key maker obtains to be subjected to the different authentication center of user's trusting degree according to the tabulation of the authentication center of users to trust.
The user will seek out the open parameter of PKG, will send open parameter request to PKG usually, and PKG then receives user's open parameter request, can comprise the tabulation of the CA that the user trusts in user's the open parameter request.Because the user is to the trusting degree difference of a plurality of different CA, tabulation is sorted to CA according to the degree of users to trust, and just that the users to trust degree is high CA comes the front of tabulation.Tabulation also can comprise a plurality of CA and corresponding priorities, and different priority representative of consumer is to the different trusting degrees of a plurality of different CA.PKG obtains to be subjected to the different CA of user's trusting degree according to ordering or priority.
Step S402: the private key maker obtains to be subjected to the open parameter of the highest authentication center's signature of user's trusting degree.
PKG searches its certificate data bank, acquisition is subjected to the open parameter of all CA signatures of users to trust, and, in the open parameter of all CA signatures that are subjected to users to trust, select to be subjected to the highest open parameter of user's trusting degree according to CA ordering in tabulating or the priority of CA.
Present embodiment utilizes the tabulation of the CA of users to trust, to be subjected to the open parameter of the highest CA signature of user's trusting degree to send to the user, further guaranteed the reliability of the open parameter that the user obtains, it will be safer to file encryption that the user utilizes corresponding open parameter.
The schematic diagram of the method that a kind of authentication center that Fig. 5 provides for embodiments of the invention five signs to the open parameter of private key maker, this method comprises:
Step S501: the open parameter of private key maker is received by authentication center.
PKG has PKI PKI and private key as the user in the PKI system.PKG can send the open parameter of needs authentication to the CA in the PKI system, and utilizes the PKI private key of self that this information is encrypted.
Step S502: authentication center signs to the open parameter of private key maker.
After CA receives the disclosure parameter, utilize the PKI PKI of PKG that the disclosure parameter is decrypted, if successful decryption proves that the disclosure parameter belongs to PKG really, CA will sign to open parameter.Comprise the open parameter of PKI PKI, PKG of identity information, the PKG of PKG and CA in the open parameter of CA signature to the signature of corresponding open parameter, that is to say that CA binds identity and its open parameter of PKG.
PKG can be kept at described open parameter in its certificate data bank after the open parameter of receiving the CA signature.
Further, present embodiment also can comprise step S503: after authentication center sent to the user with the open parameter of its signature, whether the user rs authentication signature was effective.The process of checking can comprise: the user is with the validity of this signature of PKI public key verifications of CA, if certifying signature is effective, the user can the described open parameter of relieved use carry out based on the encryption or the deciphering that identify; If authentication failed abandons the disclosure parameter, can report an error to PKG simultaneously.
The present embodiment utilization is signed to the open parameter of private key maker by the authentication center of users to trust, and the user needs the validity of certifying signature, thereby the source of guaranteeing open parameter is safe and reliable.
It will be appreciated by those skilled in the art that, all or part of flow process among the said method embodiment, can instruct related hardware to finish by computer program, described program can be stored in the computer read/write memory medium, this program can comprise the flow process as the embodiment of above-mentioned each side method when carrying out.Wherein, described storage medium can be magnetic disc, CD, read-only storage memory body (Read-Only Memory, ROM) or at random store memory body (Random Access Memory, RAM) etc.
The schematic diagram of a kind of key distribution device that Fig. 6 provides for embodiments of the invention six, this device can be arranged in the private key maker, is used for sending private key based on sign to the user, and described device comprises:
PKI obtains module 601, is used to obtain this user's infrastructure PKI;
Described encrypting module 602 utilizes described user's infrastructure PKI that the user is encrypted based on the private key of sign;
Described private key sending module 603 will send to the user through the private key based on sign that encrypting module 602 is encrypted.
The described device of the foregoing description sends to user's IBE private key and need encrypt through PKI, guarantees that the process of transmitting of IBE private key is safe and reliable.
The schematic diagram of another key distribution device that Fig. 7 provides for embodiments of the invention seven, this device is that the basis comprises with embodiment six: PKI obtains module 701, encrypting module 702 and private key sending module 703, comprise receiver module 704 in addition, be used to receive private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key.
The described device of the foregoing description sends the operation of private key after the private key request of receiving the user.
The schematic diagram of another key distribution device that Fig. 8 provides for embodiments of the invention eight, this device can embodiment six or seven comprised for the basis: PKI obtains module 801, encrypting module 802, private key sending module 803 and receiver module 804, comprise authentication module 805 in addition, be used to receive certificate and the authentication certificate validity that authentication center issues for the user, if authentication certificate is effective, notice encrypting module 802 carries out cryptographic operation.
The described device of present embodiment verifies user identity, checking by after just the IBE private key of encrypting is sent to the user, guarantee that the IBE private key sends to right user, prevent that malicious attacker from obtaining private key.
The schematic diagram of another key distribution device that Fig. 9 provides for embodiments of the invention nine, this device can embodiment six, seven or eight comprised for the basis: PKI obtains module 901, encrypting module 902, private key sending module 903 receiver modules 904 and authentication module 905, comprise parameter sending module 906 in addition, be used to receive user's open parameter request, its open parameter is sent to the user.
The described key distribution device of present embodiment also can send open parameter to the user, and user-friendly father-in-law opens parameter.
The schematic diagram of another key distribution device that Figure 10 provides for embodiments of the invention ten, this device can embodiment six, seven, eight or nine comprised for the basis: PKI obtains module 1001, encrypting module 1002, private key sending module 1003, receiver module 1004, authentication module 1005 and parameter sending module 1006, comprise signature request module 1007 in addition, be used for the request authentication center its open parameter is signed, and receive the open parameter of signature.
Signing to its open parameter in present embodiment key distribution device request authentication center, guarantees that its open parameter safety that sends to the user is reliable.
The schematic diagram of a kind of key distribution system that Figure 11 provides for embodiments of the invention 11, this system is used for sending private key based on sign to the user, and it comprises: private key maker 1101 and authentication center 1102;
Comprise key distribution device 11011 in the described private key maker 1101;
Described key distribution device 11011 comprises: encrypting module 110111, private key sending module 110112, signature request module 110113, parameter sending module 110114, receiver module 110115 and PKI obtain module 110116;
Described encrypting module 110111 utilizes described user's infrastructure PKI that the user is encrypted based on the private key of sign;
Described private key sending module 110112 will send to the user through the private key based on sign that encrypting module 110111 is encrypted;
Described signature request module 110113 is used for open parameter is sent to described authentication center 1102, signs to its open parameter in request authentication center 1102;
Described parameter sending module 110114 is used to receive the open parameter through authentication center's 1102 signatures, and the open parameter behind authentication center's 1102 signatures is sent to the user;
PKI obtains module 110116, is used to obtain this user's infrastructure PKI;
Described authentication center 1102 is used to receive the open parameters signatures request of described signature request module 110113, and open parameter is signed, and the open parameter behind the signature is sent to described parameter sending module 110114.
The described system of present embodiment sends to user's IBE private key and need encrypt through PKI, guarantees that the process of transmitting of IBE private key is safe and reliable; This system open parameter of sending to the user has been passed through the signature of authentication center in the system simultaneously, guarantees that the user obtains safe open parameter; When the user utilized corresponding IBE private key and open parameter to carry out based on encryption that identifies or deciphering, fail safe was improved.。
The schematic diagram of another key distribution system that Figure 12 provides for embodiments of the invention 12, this system can comprise based on embodiment 11: private key maker 1201 and authentication center 1202; Described private key maker 11201 comprises key distribution device 12011; Described key distribution device 12011 comprises: encrypting module 120111, private key sending module 120112, signature request module 120113, parameter sending module 120114, receiver module 120115 and PKI obtain module 120116; In addition, described key distribution device 12011 also comprises: authentication module 120117;
Described authentication module 120117 is used to receive certificate and the authentication certificate validity that authentication center 1202 issues for the user, if authentication certificate is effective, notice encrypting module 120111 carries out cryptographic operation.
Present embodiment has increased the function that user identity is verified on embodiment hendecyl plinth, guarantee that the IBE private key sends to right user.
Be appreciated that several modules can be that hardware also can be software in described device of the foregoing description and the system, also can combine and realize same function.
In sum, embodiments of the invention utilize the PKI PKI in the PKI technology that the IBE private key of the generation of PKG is encrypted, and guarantee that the IBE private key of PKG distribution can not stolen by malicious attacker, have improved the fail safe of IBE private key distribution; The embodiment of the invention also discloses a kind of method that user identity is verified, guarantee that the IBE private key sends to right user; The CA that the embodiment of the invention also discloses in a kind of PKI of the utilization system signs to the open parameter of PKG, guarantees that the process that the user obtains the open parameter of PKG is safe and reliable; When the user utilized described IBE private key and the open parameter of PKG to carry out based on encryption that identifies or deciphering, fail safe was improved.
The above only is several embodiments of the present invention, and those skilled in the art can carry out various changes or modification to the present invention according to the disclosed content of application documents and not break away from the spirit and scope of the present invention.
Claims (20)
1, a kind of cryptographic key distribution method is characterized in that, comprises the steps:
The private key maker obtains user's infrastructure PKI;
The private key maker utilizes described user's infrastructure PKI that user's the private key based on sign is encrypted;
The private key based on sign after the private key maker will be encrypted sends to the user.
2, cryptographic key distribution method as claimed in claim 1 is characterized in that, comprises the steps: that also the private key maker receives the private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key.
3, cryptographic key distribution method as claimed in claim 1 is characterized in that, comprises the steps: that also the private key maker generates user's the private key based on sign according to user's identification information.
4, cryptographic key distribution method as claimed in claim 1, it is characterized in that, the private key maker comprises the steps: that also the private key maker verifies described user identity before the infrastructure PKI that utilizes the user is encrypted user's the private key based on sign.
5, cryptographic key distribution method as claimed in claim 4, it is characterized in that the process that described private key maker is verified described user identity comprises: the validity of the certificate that the private key maker is issued for the user by the authentication verification center realizes the checking to user identity.
6, cryptographic key distribution method as claimed in claim 1 is characterized in that, comprises the steps: that also the private key maker receives user's open parameter request, sends to the user with its open parameter.
7, cryptographic key distribution method as claimed in claim 6 is characterized in that, described private key maker receives user's open parameter request, and the process that its open parameter is sent to the user comprises:
The private key maker receives user's open parameter request, comprises authentication center's sign of users to trust in the disclosure parameter request;
The private key maker obtains the open parameter of authentication center's signature of users to trust;
The private key maker sends to the user with the described open parameter of authentication center's signature of users to trust that is subjected to.
8, cryptographic key distribution method as claimed in claim 7, it is characterized in that, described private key maker obtains to be subjected to the process of open parameter of authentication center's signature of users to trust to comprise: the private key maker is searched its certificate data bank, and therefrom finds the open parameter of the authentication center's signature that is subjected to users to trust.
9, cryptographic key distribution method as claimed in claim 8, it is characterized in that, described private key maker obtains to be subjected to the process of open parameter of authentication center's signature of users to trust also to comprise: if the private key maker can not find the open parameter of the authentication center's signature that is subjected to users to trust in its certificate data bank, then the private key maker sends to the authentication center that is subjected to users to trust with its open parameter, ask described authentication center that its open parameter is signed, receive the open parameter of described authentication center signature.
10, cryptographic key distribution method as claimed in claim 7, it is characterized in that described private key maker comprises the process that the open parameter of the described authentication center's signature that is subjected to users to trust sends to the user: the private key maker will be subjected to the open parameter of the highest authentication center's signature of user's trusting degree to send to the user.
11, cryptographic key distribution method as claimed in claim 10 is characterized in that, the process that described private key maker will be subjected to the open parameter of the highest authentication center's signature of user's trusting degree to send to the user comprises:
The private key maker finds the open parameter that is subjected to the highest authentication center's signature of user's trusting degree according to the tabulation that is subjected to the authentication center of users to trust;
The open parameter that is subjected to the highest authentication center's signature of user's trusting degree that the private key maker will find sends to the user.
12, cryptographic key distribution method as claimed in claim 11 is characterized in that, the process that described private key maker will be subjected to the open parameter of the highest authentication center's signature of user's trusting degree to send to the user also comprises:
The private key maker receives user's open parameter request, comprises the tabulation of the authentication center that is subjected to users to trust in user's the open parameter request.
13, cryptographic key distribution method as claimed in claim 7, it is characterized in that, described private key maker also comprises the process that its open parameter sends to the user: described authentication center signs to the open parameter of private key maker, and identity and its open parameter of private key maker are bound.
14, a kind of key distribution device is used for sending based on the private key that identifies to the user, it is characterized in that, comprising:
PKI obtains module, is used to obtain this user's infrastructure PKI;
Encrypting module is used to utilize described user's infrastructure PKI that the user is encrypted based on the private key of sign;
The private key sending module, the private key based on sign that is used for encrypting through encrypting module sends to the user.
15, a kind of key distribution device as claimed in claim 14 is characterized in that, also comprises: receiver module, be used to receive private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key.
16, a kind of key distribution device as claimed in claim 15 is characterized in that, also comprises: authentication module, be used to receive the certificate that authentication center issues for the user, and authentication certificate validity, if certificate is effective, the notice encrypting module carries out cryptographic operation.
17, as claim 14 or 15 or 16 described a kind of key distribution devices, it is characterized in that, also comprise: the parameter sending module, be used to receive user's open parameter request, its open parameter is sent to the user.
18, a kind of key distribution device as claimed in claim 17 is characterized in that, also comprises: the signature request module is used for the request authentication center its open parameter is signed, and receives the open parameter of signature.
19, a kind of key distribution system is used for sending based on the private key that identifies to the user, it is characterized in that, comprising: private key maker and authentication center;
Described private key maker comprises key distribution device;
Described key distribution device comprises:
Receiver module is used to receive the private key request based on sign from the user, this private key request be used to ask to obtain the user based on the sign private key;
PKI obtains module, is used to obtain this user's infrastructure PKI;
Encrypting module utilizes described user's infrastructure PKI that the user is encrypted based on the private key of sign;
The private key sending module will send to the user through the private key based on sign that encrypting module is encrypted;
The signature request module is used for open parameter is sent to described authentication center, signs to its open parameter in the request authentication center;
The parameter sending module is used to receive the open parameter through authentication center's signature, and the open parameter behind authentication center's signature is sent to the user;
Described authentication center is used to receive the open parameters signatures request of described signature request module, and open parameter is signed, and the open parameter behind the signature is sent to described parameter sending module.
20, key distribution system as claimed in claim 19 is characterized in that, described key distribution device also comprises: authentication module, be used to receive the certificate that authentication center issues for the user, authentication certificate validity, if certificate is effective, the notice encrypting module carries out cryptographic operation.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2008102416317A CN101465728A (en) | 2008-12-17 | 2008-12-17 | Method, system and device for distributing cipher key |
| PCT/CN2009/073615 WO2010069180A1 (en) | 2008-12-17 | 2009-08-28 | Method, system and device for key distribution |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2008102416317A CN101465728A (en) | 2008-12-17 | 2008-12-17 | Method, system and device for distributing cipher key |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101465728A true CN101465728A (en) | 2009-06-24 |
Family
ID=40806105
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2008102416317A Pending CN101465728A (en) | 2008-12-17 | 2008-12-17 | Method, system and device for distributing cipher key |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101465728A (en) |
| WO (1) | WO2010069180A1 (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010069180A1 (en) * | 2008-12-17 | 2010-06-24 | 成都市华为赛门铁克科技有限公司 | Method, system and device for key distribution |
| WO2011000163A1 (en) * | 2009-07-02 | 2011-01-06 | 成都市华为赛门铁克科技有限公司 | Method, client end and server for key negotiation |
| CN102694650A (en) * | 2012-06-13 | 2012-09-26 | 苏州大学 | Secret key generating method based on identity encryption |
| CN103457735A (en) * | 2013-08-25 | 2013-12-18 | 郑静晨 | Method capable of preventing information of shelter hospital individual solider handheld intelligent terminal from being leaked |
| CN105553654A (en) * | 2015-12-31 | 2016-05-04 | 广东信鉴信息科技有限公司 | Key information query processing method and device and key information management system |
| CN107483209A (en) * | 2017-08-03 | 2017-12-15 | 淮阴工学院 | A kind of safe label decryption method based on heterogeneous system |
| CN108847942A (en) * | 2018-06-03 | 2018-11-20 | 李维刚 | A kind of authentication method and system based on mark public key |
| CN111464556A (en) * | 2016-10-25 | 2020-07-28 | 雷飏 | Portable user terminal |
| CN113497712A (en) * | 2020-04-04 | 2021-10-12 | 重庆傲雄在线信息技术有限公司 | KGC data processing system |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9025767B2 (en) | 2010-03-24 | 2015-05-05 | Nokia Corporation | Method and apparatus for querying content protected by identity-based encryption |
| CN110120927B (en) * | 2018-02-05 | 2022-03-25 | 华为技术有限公司 | Method and device for private key generation |
| CN111194033B (en) * | 2020-01-08 | 2023-03-24 | 浙江吉利汽车研究院有限公司 | In-vehicle secure communication method, system and computer storage medium |
| CN114301585B (en) * | 2021-11-17 | 2024-01-05 | 北京智芯微电子科技有限公司 | Identification private key using method, generation method and management system |
| CN114567426B (en) * | 2021-12-31 | 2023-10-13 | 电子科技大学广东电子信息工程研究院 | Data sharing method and system |
| CN116488800B (en) * | 2023-04-10 | 2024-03-29 | 中国民用航空总局第二研究所 | Heterogeneous aggregation signature system applied to signature terminal |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1534936A (en) * | 2003-03-31 | 2004-10-06 | 华为技术有限公司 | Key distribution method in radio local network based on public key certificate mechanism |
| US7017181B2 (en) * | 2003-06-25 | 2006-03-21 | Voltage Security, Inc. | Identity-based-encryption messaging system with public parameter host servers |
| CN1980123B (en) * | 2005-11-30 | 2010-07-21 | 中国科学院研究生院 | Realizing method for PKI system based on IBE and key management apparatus |
| CN101465728A (en) * | 2008-12-17 | 2009-06-24 | 成都市华为赛门铁克科技有限公司 | Method, system and device for distributing cipher key |
-
2008
- 2008-12-17 CN CNA2008102416317A patent/CN101465728A/en active Pending
-
2009
- 2009-08-28 WO PCT/CN2009/073615 patent/WO2010069180A1/en active Application Filing
Non-Patent Citations (1)
| Title |
|---|
| 郭庚麒等: "《网络操作系统》", 31 August 2003, 机械工业出版社 * |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010069180A1 (en) * | 2008-12-17 | 2010-06-24 | 成都市华为赛门铁克科技有限公司 | Method, system and device for key distribution |
| WO2011000163A1 (en) * | 2009-07-02 | 2011-01-06 | 成都市华为赛门铁克科技有限公司 | Method, client end and server for key negotiation |
| CN102694650A (en) * | 2012-06-13 | 2012-09-26 | 苏州大学 | Secret key generating method based on identity encryption |
| CN102694650B (en) * | 2012-06-13 | 2015-03-11 | 苏州大学 | Secret key generating method based on identity encryption |
| CN103457735A (en) * | 2013-08-25 | 2013-12-18 | 郑静晨 | Method capable of preventing information of shelter hospital individual solider handheld intelligent terminal from being leaked |
| CN105553654A (en) * | 2015-12-31 | 2016-05-04 | 广东信鉴信息科技有限公司 | Key information query processing method and device and key information management system |
| CN105553654B (en) * | 2015-12-31 | 2019-09-03 | 广东信鉴信息科技有限公司 | Key information processing method and device, key information management system |
| CN111464556A (en) * | 2016-10-25 | 2020-07-28 | 雷飏 | Portable user terminal |
| CN107483209A (en) * | 2017-08-03 | 2017-12-15 | 淮阴工学院 | A kind of safe label decryption method based on heterogeneous system |
| CN107483209B (en) * | 2017-08-03 | 2020-06-16 | 淮阴工学院 | Secure signcryption method based on heterogeneous system |
| CN108847942A (en) * | 2018-06-03 | 2018-11-20 | 李维刚 | A kind of authentication method and system based on mark public key |
| CN113497712A (en) * | 2020-04-04 | 2021-10-12 | 重庆傲雄在线信息技术有限公司 | KGC data processing system |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2010069180A1 (en) | 2010-06-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101465728A (en) | Method, system and device for distributing cipher key | |
| CN111010410B (en) | Mimicry defense system based on certificate identity authentication and certificate signing and issuing method | |
| CN103532713B (en) | Sensor authentication and shared key production method and system and sensor | |
| US9053347B2 (en) | Memory device, host device, and memory system | |
| JP5954609B1 (en) | Method and system for backing up private key of electronic signature token | |
| CN101828357B (en) | Credential provisioning method and device | |
| CN101212293B (en) | Identity authentication method and system | |
| CN104580250A (en) | System and method for authenticating credible identities on basis of safety chips | |
| CN102594558A (en) | Anonymous digital certificate system and verification method of trustable computing environment | |
| CN101243438A (en) | Distributed single sign-on service | |
| CN101610150B (en) | Third-party digital signature method and data transmission system | |
| CN104639516A (en) | Method, equipment and system for authenticating identities | |
| CN103634265B (en) | Method, equipment and the system of safety certification | |
| CN101588245A (en) | A kind of method of authentication, system and memory device | |
| CN102664898A (en) | Fingerprint identification-based encrypted transmission method, fingerprint identification-based encrypted transmission device and fingerprint identification-based encrypted transmission system | |
| CN101783800A (en) | Embedded system safety communication method, device and system | |
| CN103678174A (en) | Data safety method, storage device and data safety system | |
| CN110913390A (en) | Anti-quantum computing vehicle networking method and system based on identity secret sharing | |
| CN101296083A (en) | Enciphered data transmission method and system | |
| CN111917543A (en) | User access cloud platform security access authentication system and application method thereof | |
| CN106656499A (en) | Terminal equipment dependable authentication method and system in digital copyright protection system | |
| CN114331456A (en) | Communication method, device, system and readable storage medium | |
| JP4840575B2 (en) | Terminal device, certificate issuing device, certificate issuing system, certificate acquisition method and certificate issuing method | |
| CN100437422C (en) | System and method for enciphering and protecting software using right | |
| CN103138923A (en) | Method, device and system for internodal authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C53 | Correction of patent of invention or patent application | ||
| CB02 | Change of applicant information |
Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Applicant after: Huawei Symantec Technologies Co., Ltd. Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Applicant before: Chengdu Huawei Symantec Technologies Co., Ltd. |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD. |
|
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20090624 |