Embodiment
In the E-seal making process provided by the embodiment of the invention, the particular place information that is authorized to use the E-seal is first determined; the determined particular place information is then bound to the E-seal related data. Correspondingly, in the E-seal use process provided by the embodiment of the invention, the current place information of the E-seal is first determined, and it is then verified whether the determined current place information is consistent with the particular place information bound to the E-seal related data. When the current place information is consistent with the particular place information bound to the E-seal related data, the current place is allowed to use the E-seal; otherwise the current place is refused use of the E-seal.
Fig. 1 is a flowchart of the E-seal making method in the embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: Determine the particular place information that is authorized to use the E-seal.
The particular place information may comprise specific use device information and/or specific storage carrier information.
How the particular place information is determined directly reflects the restriction the seal maker places on where the E-seal may be used. When the seal maker wants any user to be able to use the E-seal on a specific use device, the particular place information comprises specific use device information. When the seal maker wants only the holder of the E-seal's specific storage carrier to be able to use the E-seal, on any device, the particular place information comprises specific storage carrier information. When the seal maker wants only the holder of the E-seal's specific storage carrier to be able to use the E-seal, and only on a specific use device, the particular place information comprises both specific use device information and specific storage carrier information.
The specific use device information can be obtained from one or more items of characteristic information of the specific use device. The specific storage carrier information can be obtained from one or more items of characteristic information of the specific storage carrier.
Specifically, one or more items of characteristic information of the specific use device are combined into a data string, and the specific use device information is obtained from that data string; one or more items of characteristic information of the specific storage carrier are combined into a data string, and the specific storage carrier information is obtained from that data string.
More specifically, the items of characteristic information of the specific use device may be combined directly into a data string; alternatively, a preset algorithm may be used to compute a digest of each item of characteristic information separately, and the resulting digests combined into a data string. Likewise, the items of characteristic information of the specific storage carrier may be combined directly into a data string, or a preset algorithm may be used to compute a digest of each item separately and the resulting digests combined into a data string.
In addition, the resulting data string may be used directly as the specific use device information or the specific storage carrier information. Alternatively, the data string may be processed with a preset algorithm and the processed data string used as the specific use device information or the specific storage carrier information. The preset algorithm may be a hash algorithm, in which case the processing is the computation of a digest.
The following illustrates how the specific use device information is determined. All selected items of characteristic information of the specific use device are formed into one data string, a hash algorithm is applied to that string to generate a fixed-length digest, and the digest is used as the use device information. Alternatively, a hash algorithm is applied to each selected item of characteristic information of the specific use device to generate one digest per item, the generated digests are formed into one data string, the hash algorithm is applied to that string to generate a single digest, and this final digest is used as the specific use device information.
The use device may be an ordinary device or a secure device, and the storage carrier may be an ordinary carrier or a secure carrier. An ordinary device may be a computer, a mobile terminal, and so on; an ordinary carrier may be a removable storage device such as a USB Key, USB flash drive, portable hard drive or IC card.
When the use device is a computer, the characteristic information of the use device may be one of the following or any combination of them: the computer's hard disk serial number, CPU serial number, network card MAC address, motherboard serial number, memory serial number, the serial number of a device dedicated to the computer, and so on.
When the use device is a mobile terminal, the characteristic information of the use device may be one of the following or any combination of them: the mobile terminal's SIM card number, IMEI, device serial number, CPU serial number, network card MAC address, and so on.
When the storage carrier is a USB flash drive, the characteristic information of the storage carrier may be the serial number of that USB flash drive.
When an ordinary device or ordinary carrier carries the digital certificate of a key pair conforming to the PKI system, that device or carrier can be called a secure device or secure carrier. For example, a computer carrying a private key is a secure device; a secure hardware carrier carrying a private key is a secure carrier. When the use device or storage carrier is a secure device or secure carrier, the characteristic information of the use device or storage carrier is the PKI key pair.
Step 102: Bind the determined particular place information that is authorized to use the E-seal to the E-seal related data.
The E-seal related data may be the E-seal data itself, or data related to the E-seal, such as the usage record of the E-seal, the timestamp of the E-seal, the pattern of the E-seal, the digital certificate of the E-seal, and so on.
One specific binding mode is to append the determined particular place information that is authorized to use the E-seal to the E-seal related data.
Another binding mode is to encrypt the E-seal related data using the particular place information that is authorized to use the E-seal. The encryption algorithm may be a general symmetric encryption algorithm; such algorithms are common technical means in this field and are not described further here.
When the particular place information of the E-seal comprises both specific use device information and specific storage carrier information, the binding may be done in either order: the specific use device information may be bound to the E-seal related data first and the specific storage carrier information second, or the specific storage carrier information may be bound first and the specific use device information second. When the E-seal is used, however, the process of verifying whether the current place information of the E-seal is consistent with the particular place information follows a fixed order, and that order is determined by the order used in the seal-making process.
To illustrate the above E-seal making method, suppose the restriction the seal maker places on the particular place of the E-seal is that the holder of the secure device can use the E-seal on any use device. The seal-making process is then: obtain the public key of the PKI key pair of the secure device key through the public development interface of the secure device key manufacturer, and encrypt the E-seal related data with the obtained public key.
It should be noted that the E-seal may be restricted to use on one selected specific use device, or to use on several selected specific use devices. If the E-seal may be used on several specific use devices, several items of specific use device information need to be generated, and the particular place information of the E-seal is then the combination of each item of specific use device information.
Fig. 2 is a flowchart of the E-seal use method in the embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step 201: Obtain the current place information of the E-seal, which comprises obtaining the current use device information and/or the current storage carrier information of the E-seal.
The current use device information can be obtained from one or more items of characteristic information of the current use device. The step of obtaining the current use device information from one or more items of characteristic information of the current use device is similar to the step of obtaining the specific use device information from one or more items of characteristic information of the specific use device in the seal-making process.
The current storage carrier information can be obtained from one or more items of characteristic information of the current storage carrier. The step of obtaining the current storage carrier information from one or more items of characteristic information of the current storage carrier is similar to the step of obtaining the specific storage carrier information from one or more items of characteristic information of the specific storage carrier in the seal-making process.
Step 202: Determine whether the current place information of the E-seal is consistent with the particular place information bound to the E-seal related data. If consistent, execute step 203; otherwise, execute step 204.
When the seal maker bound the particular place information to the E-seal related data by appending the particular place information directly to the E-seal related data, the consistency check is: compare the current place information of the E-seal with the particular place information carried in the E-seal related data.
When the seal maker bound the particular place information to the E-seal related data by encrypting the E-seal related data, the consistency check is: decrypt the E-seal related data using the current place information. If decryption succeeds, this proves that the current place information is consistent with the particular place information bound to the E-seal related data, that is, the current place is authorized to use the E-seal.
Before determining whether the current place information of the E-seal is consistent with the particular place information bound to the E-seal related data, a user validity check may also be performed first.
In addition, if the seal-making process first bound the specific use device information to the E-seal data and then bound the specific storage carrier information to the E-seal data, verification must first check that the current storage carrier information is consistent with the E-seal's specific storage carrier information; if it is, verification then checks whether the current use device information is consistent with the E-seal's specific use device information. If that is also consistent, the current place is allowed to use the E-seal and subsequent operations are carried out, such as stamping or viewing the seal information; otherwise the current place is refused use of the E-seal.
Step 203: Allow the current place to use the E-seal.
When the E-seal is applied, characteristics of the file being stamped may additionally be bound to the E-seal related data, as follows: extract all or part of the data of the file being stamped, process the data with a preset algorithm such as a hash algorithm, use the processed data as a key to encrypt the E-seal related data, and store the encrypted E-seal related data in the stamped file. Correspondingly, the method of verifying the E-seal applied to a stamped file comprises: extracting all or part of the data of the stamped file in the same way as at stamping time, processing the data with the preset algorithm, and using the processed data as the key to decrypt the E-seal related data that was encrypted at stamping time.
The characteristics of the stamped file may also be bound to the E-seal related data in another way: extract all or part of the data of the file being stamped, process the data with a preset algorithm, combine the processed data with the E-seal related data, electronically sign the combined data using the private key or unique identifier corresponding to the E-seal, and store the E-seal related data and the electronic signature in the stamped file. Correspondingly, the method of verifying the E-seal applied to a stamped file comprises: extracting all or part of the data of the stamped file in the same way as at stamping time, processing the data with the preset algorithm, combining the processed data with the E-seal related data, and then verifying whether the electronic signature generated at stamping time is valid.
Step 204: Refuse the current place use of the E-seal.
The E-seal use method of the embodiment of the invention is illustrated below.
Suppose the use scenario defined by the seal maker is that only the holder of the E-seal storage carrier may use the E-seal, on a specific use device, and that the E-seal related data is the E-seal data itself. The E-seal use method may then be as shown in Fig. 3. Fig. 3 is a flowchart of the E-seal use method in the embodiment of the invention. As shown in Fig. 3, the method comprises the following steps:
Step 301: The current use device of the E-seal obtains the E-seal data header through the public development interface.
Step 302: Determine whether the obtained E-seal data header is encrypted with the public key of the E-seal's specific storage carrier. If it is encrypted, execute step 303; otherwise, execute step 305.
Here, the method of determining whether the E-seal data header is encrypted is: determine whether the E-seal data header conforms to the defined format of an E-seal data header. If it conforms, it is not encrypted; if it does not conform, it is encrypted.
Step 303: Through the public development interface, obtain the key provider of the current E-seal storage carrier. If this succeeds, execute step 304; otherwise, the current storage carrier is not a legitimate E-seal storage carrier, use of the E-seal is not supported in this mode, and the process ends.
Step 304: Through the public development interface, decrypt the E-seal data using the key provider obtained from the current storage carrier. If decryption succeeds, execute step 305; otherwise, the current storage carrier is not the specific storage carrier of the E-seal, use of the E-seal is not supported in this mode, and the process ends.
Step 305: Determine whether the currently decrypted E-seal data header is bound to a specific use device of the E-seal. If it is bound, execute step 308; otherwise, execute step 306.
Step 306: In the same way the specific use device information was generated in the seal-making process, generate the current use device information from one or more items of characteristic information of the current use device.
Step 307: Determine whether the generated current use device information is consistent with the specific use device information bound to the E-seal data. If consistent, execute step 308; otherwise, determine that the current use device of the E-seal is not authorized to use the E-seal, refuse the current use device use of the E-seal, and end the process.
Step 308: Carry out subsequent operations with the obtained E-seal data, such as stamping a document with the E-seal, viewing the E-seal information, and viewing the usage record of the E-seal.
Suppose that use scenes that chapter side processed limits can be at a certain specific use equipment for anyone---computing machine is using this E-seal, and in the chapter process processed particular place information by the hard reel number of computing machine and/or internal memory sequence number through the generation of hash algorithm.Then before using E-seal, at first carry out the user validation inspection, if inspection is not passed through, then refuse current place and use this E-seal; If check and pass through, then need to obtain current use facility information, such as hard reel number and the internal memory sequence number according to current use equipment, adopt the hash algorithm identical with chapter side processed to generate the current use facility information of E-seal.The current use facility information that adopt to generate is decrypted the E-seal related data, if successful decryption, then current use equipment place has authority to use this E-seal, otherwise, refuse current place and use this E-seal.
Suppose the use scenario defined by the seal maker is that the holder of the secure device can use the E-seal on any use device. Before the E-seal is used, a user validity check is performed first; the validity check may take various forms, for example checking the hash of the decryption key. If the check fails, the current place is refused use of the E-seal. If the check passes, the private key of the key pair of the current secure device key must be obtained, and the obtained private key is then used to decrypt the E-seal related data. If decryption succeeds, this proves that the current place is authorized to use the E-seal; otherwise, the current place of use is refused use of the E-seal. The user validity check may also be omitted, in which case decryption is performed directly.
Usually, for security, the private key in an E-seal secure device cannot be obtained by other devices. To decrypt the encrypted E-seal related data, the current use device of the E-seal must first obtain the key provider of the E-seal secure device through the public development interface of the secure device key manufacturer, and then, through the public development interface, use the obtained key provider to decrypt the encrypted E-seal related data. Here, the key provider is the standard processing mode supplied by the E-seal secure device manufacturer; it is well known in the art and is not described further here.
As the above embodiments show, binding the E-seal related data in the seal-making process to the particular place information that is authorized to use the E-seal restricts the places where the E-seal can be used and further improves the security of E-seal use. For example, when an E-seal is stolen, the particular place information bound to the E-seal can still guarantee the security of the E-seal. The E-seal making method and use method provided by the embodiment of the invention can therefore restrict the places where the E-seal is used, achieving the object of the invention of improving the security of E-seal use.
In short, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.