CN101631024A - Enhanced certificate management method and enhanced certificate management system - Google Patents

Publication number: CN101631024A
Authority: CN (China)
Application number: CN200910166749A
Other languages: Chinese (zh)
Inventor: 蒋亮
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by: ZTE Corp
Legal status: Pending
Prior art keywords: party, certificate, transmitting terminal, signature, institution
Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an enhanced certificate management method comprising the following steps: a third-party institution uses the private key corresponding to a third-party certificate to sign a transmitting terminal certificate, the signing result being a third-party signature, and transmits the third-party signature to the transmitting terminal; the transmitting terminal transmits the third-party signature and the transmitting terminal certificate to a receiving terminal; and the receiving terminal acquires the third-party certificate from the third-party institution and uses the third-party certificate to verify the third-party signature, so as to confirm whether the transmitting terminal certificate is a certificate approved by the third-party institution. The invention also provides an enhanced certificate management system. By using a third party to supervise certificates, the invention can further prevent attackers from using legitimate certificates issued by a CA center to carry out illegal acts, thereby improving the security of the system.

Description

An enhanced certificate management method and system
Technical field
The present invention relates to the security field of the information industry, and in particular to an enhanced certificate management method and system.
Background
Certificates are widely used in information security. In the existing certificate management model, the issuing entity of a certificate is usually a CA (Certificate Authority), which issues certificates, authenticates certificates and manages issued certificates. Although a CA can determine the legitimacy of a certificate, the number of certificates issued by one CA is usually large, so in some cases relying on the CA to supervise whether a legitimate certificate is being used for legitimate purposes has limitations.
Consider the following scenario in a practical application: C requires that the source of the data passed to it is secure and that the data passed to it is complete. Suppose B passes data to C, and B holds a certificate issued by a CA. B uses the private key corresponding to its certificate to sign the data sent to C. After C receives the data and the signature, it can verify the integrity of the data according to B's certificate. In some cases, however, B may be located in an insecure environment; if B then uses its legitimate certificate to sign illegitimate data, C cannot detect this. Moreover, because the CA issues a large number of certificates, using the CA to supervise B has certain limitations.
In this case, it is necessary to further supervise the use of B's certificate by other means.
Summary of the invention
The technical problem to be solved by the present invention is to provide an enhanced certificate management method and system that can further supervise the legitimate use of certificates, prevent an attacker from using a legitimate certificate issued by a CA center to carry out illegal acts, and enhance system security.
To solve the above problem, the invention provides an enhanced certificate management method, comprising:
The third-party institution uses the private key corresponding to the third-party certificate to sign the transmitting terminal certificate; the signing result is the third-party signature, and the third-party signature is sent to the transmitting terminal;
The transmitting terminal sends the third-party signature and the transmitting terminal certificate to the receiving terminal;
The receiving terminal obtains the third-party certificate from the third-party institution and uses the third-party certificate to verify the third-party signature, determining whether the transmitting terminal certificate is a certificate approved by the third-party institution.
Further, the above method may also have the following feature: the third-party institution uses the private key corresponding to the third-party certificate to sign part of the content of the transmitting terminal certificate, obtaining the third-party signature.
Further, the above method may also have the following feature: when the third-party institution signs the transmitting terminal certificate, it merges additional information with the transmitting terminal certificate and then signs, obtaining the third-party signature; the third-party institution sends the additional information to the transmitting terminal together with the third-party signature;
The transmitting terminal sends the additional information to the receiving terminal together with the third-party signature and the transmitting terminal certificate.
Further, the above method may also have the following feature: the additional information is a digital signature algorithm.
Further, the above method may also have the following feature: when the third-party institution sends the third-party signature to the transmitting terminal, it also sends the transmitting terminal certificate to the transmitting terminal.
The present invention also provides an enhanced certificate management system, comprising a third-party institution, a transmitting terminal and a receiving terminal, wherein:
The third-party institution is configured to use the private key corresponding to the third-party certificate to sign the transmitting terminal certificate, the signing result being the third-party signature, and to send the third-party signature to the transmitting terminal;
The transmitting terminal is configured to send the third-party signature and the transmitting terminal certificate to the receiving terminal;
The receiving terminal is configured to obtain the third-party certificate from the third-party institution and to use the third-party certificate to verify the third-party signature, determining whether the transmitting terminal certificate is a certificate approved by the third-party institution.
Further, the above system may also have the following feature: the third-party institution is configured to use the private key corresponding to the third-party certificate to sign part of the content of the transmitting terminal certificate, obtaining the third-party signature.
Further, the above system may also have the following feature: the third-party institution is also configured to merge additional information with the transmitting terminal certificate and then sign, obtaining the third-party signature, and to send the additional information to the transmitting terminal together with the third-party signature;
The transmitting terminal is also configured to send the additional information to the receiving terminal together with the third-party signature and the transmitting terminal certificate.
Further, the above system may also have the following feature: the additional information is a digital signature algorithm.
Further, the above system may also have the following feature: the third-party institution is also configured to send the transmitting terminal certificate to the transmitting terminal when sending the third-party signature to the transmitting terminal.
The invention provides an enhanced certificate management method and system based on a third-party certificate. With the invention, verification of a certificate can be strengthened in the local environment, so that the legitimacy of the data source and the integrity of the data can be verified on the basis of the legitimacy of the certificate. The invention can further prevent an attacker from using a legitimate certificate issued by a CA center to carry out illegal acts, enhancing the security of the system.
Description of drawings
Fig. 1 is a flow chart of the enhanced certificate management method of the present invention;
Fig. 2 is a flow chart of device software integrity detection in an embodiment of the present invention;
Fig. 3 is a flow chart of the PKI authentication procedure of RFC 4306 in an embodiment of the present invention;
Fig. 4 is a flow chart of the enhanced certificate management system of the present invention.
Embodiments
The core idea of the present invention is to introduce a third-party institution that signs the transmitting terminal certificate; the receiving terminal uses the third-party institution's certificate to verify whether the transmitting terminal certificate is a certificate approved by the third-party institution, thereby strengthening supervision of certificate use.
Fig. 1 shows the flow chart of the enhanced certificate management method of the present invention, in which A is the third-party institution, B is the transmitting terminal, C is the receiving terminal, and B transmits data to C. The method comprises the following steps:
Step 101, B sends its certificate Cert_B to the third-party institution A;
Step 102, the third-party institution A uses the private key corresponding to its certificate Cert_A to sign B's certificate Cert_B; the signature result is Sr.
Here, A may use the private key corresponding to its certificate Cert_A to sign only part of the content of B's certificate Cert_B; the signature result is Sr, and the partial content includes the public key portion of Cert_B.
Step 103, A sends Sr to B;
In this step, A may also send Cert_B to B.
Step 104, B sends Sr and Cert_B to C.
Step 105, C obtains A's certificate Cert_A from A.
Step 106, C uses A's certificate Cert_A to verify the signature Sr on B's certificate Cert_B, determining whether B's certificate Cert_B is a certificate approved by A.
In step 102, the third-party institution A may merge additional information with the certificate Cert_B and then perform the digital signature. In step 103, the additional information is then sent to B together with Sr, or together with Sr and Cert_B. When additional information is carried, in step 104 B sends the additional information, Sr and Cert_B to C. The additional information may be a digital signature algorithm.
Step 105, in which C obtains A's certificate Cert_A from A, may be performed at any time before step 106.
When C receives data from B, it can use B's certificate to verify the integrity of the data, and use A's certificate to verify whether B's certificate is a certificate approved by A, which determines whether the data source B is a data source approved by A. In this way C determines both the legitimacy of the data source and the integrity of the data.
Provide one embodiment of the present of invention below in conjunction with the authentication protocol of RFC 4306 and a kind of software integrity testing process of the network equipment, as shown in Figure 2, comprising:
Step 201: network management center (OMC) is with its certificate Cert oSend to security gateway (SeGW);
Step 202: security gateway (SeGW) utilizes its certificate Cert sTo Cert oSign, the signature result is Sr o
Step 203: security gateway (SeGW) is with Sr oWith Cert oSend to network management center (OMC);
Wherein, in this step, SeGW also can only send Sr oGive OMC.
Step 204: the OMC of network management center utilizes Cert oCorresponding private key is signed to the software document (file) of the network equipment (NE), and the signature result is Sr f
Step 205: network management center (OMC) is when software download, with software file, Cert o, Sr o, Sr fSend to the network equipment (NE).
Step 206: (Trust Environment TrE) preserves Cert to the trusted context TrE of the network equipment (NE) o, Sr o, utilize Cert oSignature Sr to file fVerify, determine that this document is not distorted.
Step 207: the network equipment (NE) is initiated authorizing procedure, (specifically sees Fig. 3) in authentication process, and the trusted context TrE of network equipment NE gets access to the certificate Cert of security gateway (SeGW) s, the trusted context TrE of the network equipment (NE) utilizes Cert sChecking Sr oDetermine Cert oWhether be the digital certificate of SeGW approval.
After step 207, the network equipment (NE) can determine that whether the file that this equipment is received is the file that sends through the data source that security gateway (SeGW) is signed, and can determine whether this document is complete.When receiving unsafe file, the network equipment (NE) can carry out corresponding safe protection treatment, such as deletion Cert oAnd restart.
In other embodiments of the invention, the network equipment (NE) can verify earlier that also whether certificate is the certificate of third-party institution's approval, and then whether the judgment data source be through the data source of third-party institution's approval, promptly uses Cert earlier sChecking Sr oDetermine Cert oWhether be the digital certificate of third-party institution's approval, and then utilize Cert oThe integrality of verification msg.
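The flow of steps 101 to 106, applied to the software-download embodiment of Fig. 2 and checked in the order the preceding paragraph describes (endorsement first, then file integrity), as an added Go example that is not part of the patent. Ed25519, the self-signed stand-in certificates, the length-prefixed merge of certificate and additional information, and all names (Bundle, Endorse, Verify, Demo) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what sender B (OMC) delivers to receiver C (NE) in steps 104 and 205.
type Bundle struct{ File, CertB, Info, Sr, SrF []byte }

var (
	ErrBadCert     = errors.New("certificate unparseable or not Ed25519")
	ErrNotEndorsed = errors.New("sender certificate is not approved by the third party")
	ErrTampered    = errors.New("file signature does not verify under sender certificate")
)

// newCert makes a self-signed Ed25519 certificate, a constructed stand-in for a CA-issued one.
func newCert() ([]byte, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return der, priv
}

// merged builds the bytes A signs: len(cert) || cert || info (length prefix assumed here).
func merged(cert, info []byte) []byte {
	b := make([]byte, 4, 4+len(cert)+len(info))
	binary.BigEndian.PutUint32(b, uint32(len(cert)))
	return append(append(b, cert...), info...)
}

// Endorse is step 102: third party A signs Cert_B plus the additional information, giving Sr.
func Endorse(privA ed25519.PrivateKey, certB, info []byte) []byte {
	return ed25519.Sign(privA, merged(certB, info))
}

// pubKey returns the certificate's Ed25519 public key, or nil if it has none.
func pubKey(der []byte) ed25519.PublicKey {
	if c, err := x509.ParseCertificate(der); err == nil {
		pk, _ := c.PublicKey.(ed25519.PublicKey)
		return pk
	}
	return nil
}

// Verify is the receiver side: check Sr under Cert_A first, then Sr_f under Cert_B.
// CA chain, validity-period and revocation checks on Cert_B are out of scope here.
func Verify(certA []byte, b Bundle) error {
	pkA, pkB := pubKey(certA), pubKey(b.CertB)
	if pkA == nil || pkB == nil {
		return ErrBadCert
	}
	if !ed25519.Verify(pkA, merged(b.CertB, b.Info), b.Sr) {
		return ErrNotEndorsed
	}
	if !ed25519.Verify(pkB, b.File, b.SrF) {
		return ErrTampered
	}
	return nil
}

// Demo verifies an endorsed sender, an unendorsed sender replaying Sr, and a modified file.
func Demo() (ok, rogue, tampered error) {
	certA, privA := newCert() // third party A (SeGW)
	certB, privB := newCert() // sender B (OMC)
	certX, privX := newCert() // sender whose certificate A never signed
	file, info := []byte("constructed software file"), []byte("Ed25519")
	good := Bundle{file, certB, info, Endorse(privA, certB, info), ed25519.Sign(privB, file)}
	bad := Bundle{file, certX, info, good.Sr, ed25519.Sign(privX, file)}
	mod := good
	mod.File = []byte("constructed software file, modified")
	return Verify(certA, good), Verify(certA, bad), Verify(certA, mod)
}

func main() { fmt.Println(Demo()) }
```

Demo returns nil for the endorsed sender, ErrNotEndorsed for the sender that presents a certificate A never signed together with a replayed Sr, and ErrTampered for the modified file.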
The NE uses Cert_s to verify Sr_o and determine whether Cert_o is a certificate approved by the SeGW. Obtaining Cert_s requires a series of protocol exchanges which, as shown in Fig. 3, comprise:
Step 2051, the NE sends an IKE_SA_INT request (Internet Key Exchange security association initialization request) message to the SeGW;
The IKE_SA_INT request asks to establish an Internet Key Exchange security association between the NE and the SeGW, to be used for the subsequent transmission of the digital certificate.
Step 2052, the SeGW replies to the NE with an IKE_SA_INT response (Internet Key Exchange security association initialization response) message;
The IKE_SA_INT response answers the request sent by the NE in step 2051 and agrees to establish the Internet Key Exchange security association.
Step 2053, the NE sends an IKE_SA_AUTH request (Internet Key Exchange security association authentication request) message to the SeGW;
The IKE_SA_AUTH request asks the SeGW to send Cert_s to the NE. This message may carry the data type of the received data to be signed, and the SeGW may return the corresponding Cert_s according to the type of the data to be signed.
Step 2054, the SeGW replies to the NE with an IKE_SA_AUTH response (Internet Key Exchange security association authentication response) message;
In this step, the SeGW verifies the identity of the NE. When the NE is a legitimate device, the SeGW sends an IKE_SA_AUTH response message to the NE in response to the NE's request in step 2053, indicating that the NE's request is accepted; the message carries Cert_s.
Step 2055, the NE verifies the received Cert_s.
At this point, the flow by which the NE obtains Cert_s is complete.
The NE may also send a request for Cert_s directly to the SeGW, and the SeGW then carries Cert_s in the response message it returns.
The present invention also provides an enhanced certificate management system which, as shown in Fig. 4, comprises a third-party institution, a transmitting terminal and a receiving terminal, wherein:
The third-party institution is configured to use the private key corresponding to the third-party certificate to sign the transmitting terminal certificate, the signing result being the third-party signature, and to send the third-party signature to the transmitting terminal;
The transmitting terminal is configured to send the third-party signature and the transmitting terminal certificate to the receiving terminal;
The receiving terminal is configured to obtain the third-party certificate from the third-party institution and to use the third-party certificate to verify the third-party signature, determining whether the transmitting terminal certificate is a certificate approved by the third-party institution.
Further, the third-party institution is configured to use the private key corresponding to the third-party certificate to sign part of the content of the transmitting terminal certificate, obtaining the third-party signature.
Further, the third-party institution is also configured to merge additional information with the transmitting terminal certificate and then sign, obtaining the third-party signature, and to send the additional information to the transmitting terminal together with the third-party signature; the transmitting terminal is also configured to send the additional information to the receiving terminal together with the third-party signature and the transmitting terminal certificate. The additional information is a digital signature algorithm.
Further, the third-party institution is also configured to send the transmitting terminal certificate to the transmitting terminal when sending the third-party signature to the transmitting terminal.
Of course, the present invention may have various other embodiments; for example, some other parameters may be carried during transmission. Without departing from the spirit and essence of the invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the invention, but all such changes and modifications shall fall within the protection scope of the appended claims of the invention.

Claims (10)

1. An enhanced certificate management method, characterized by comprising:
The third-party institution uses the private key corresponding to the third-party certificate to sign the transmitting terminal certificate; the signing result is the third-party signature, and the third-party signature is sent to the transmitting terminal;
The transmitting terminal sends the third-party signature and the transmitting terminal certificate to the receiving terminal;
The receiving terminal obtains the third-party certificate from the third-party institution and uses the third-party certificate to verify the third-party signature, determining whether the transmitting terminal certificate is a certificate approved by the third-party institution.
2. The method of claim 1, characterized in that the third-party institution uses the private key corresponding to the third-party certificate to sign part of the content of the transmitting terminal certificate, obtaining the third-party signature.
3. The method of claim 1, characterized in that,
When the third-party institution signs the transmitting terminal certificate, it merges additional information with the transmitting terminal certificate and then signs, obtaining the third-party signature; the third-party institution sends the additional information to the transmitting terminal together with the third-party signature;
The transmitting terminal sends the additional information to the receiving terminal together with the third-party signature and the transmitting terminal certificate.
4. The method of claim 3, characterized in that the additional information is a digital signature algorithm.
5. The method of claim 1 or 3, characterized in that, when the third-party institution sends the third-party signature to the transmitting terminal, it also sends the transmitting terminal certificate to the transmitting terminal.
6. An enhanced certificate management system, characterized by comprising a third-party institution, a transmitting terminal and a receiving terminal, wherein:
The third-party institution is configured to use the private key corresponding to the third-party certificate to sign the transmitting terminal certificate, the signing result being the third-party signature, and to send the third-party signature to the transmitting terminal;
The transmitting terminal is configured to send the third-party signature and the transmitting terminal certificate to the receiving terminal;
The receiving terminal is configured to obtain the third-party certificate from the third-party institution and to use the third-party certificate to verify the third-party signature, determining whether the transmitting terminal certificate is a certificate approved by the third-party institution.
7. The system of claim 6, characterized in that the third-party institution is configured to use the private key corresponding to the third-party certificate to sign part of the content of the transmitting terminal certificate, obtaining the third-party signature.
8. The system of claim 6, characterized in that the third-party institution is also configured to merge additional information with the transmitting terminal certificate and then sign, obtaining the third-party signature, and to send the additional information to the transmitting terminal together with the third-party signature;
The transmitting terminal is also configured to send the additional information to the receiving terminal together with the third-party signature and the transmitting terminal certificate.
9. The system of claim 8, characterized in that the additional information is a digital signature algorithm.
10. The system of claim 6 or 8, characterized in that the third-party institution is also configured to send the transmitting terminal certificate to the transmitting terminal when sending the third-party signature to the transmitting terminal.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910166749A CN101631024A (en) 2009-08-11 2009-08-11 Enhanced certificate management method and enhanced certificate management system

Publications (1)

Publication Number Publication Date
CN101631024A true CN101631024A (en) 2010-01-20

Family

ID=41575985

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910166749A Pending CN101631024A (en) 2009-08-11 2009-08-11 Enhanced certificate management method and enhanced certificate management system

Country Status (1)

Country Link
CN (1) CN101631024A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100120