CN102195781B - Electronic evidence obtaining system based on electronic record correlated signature - Google Patents


Publication number
CN102195781B
Authority
CN
China
Prior art keywords
record
signature
evidence
field
evidence obtaining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 201110142667
Other languages
Chinese (zh)
Other versions
CN102195781A (en
Inventor
龙毅宏
唐志红
刘旭
杨浩
罗盛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Original Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Application filed by BEIJING ITRUSCHINA Co Ltd, Wuhan University of Technology WUT
Priority to CN 201110142667
Publication of CN102195781A
Application granted
Publication of CN102195781B


Abstract

The invention relates to an electronic evidence obtaining system based on an electronic record correlated signature, which comprises a record signature module, a record verification and evidence obtainment module, a record configuration management module, record configuration information, an electronic record application system and a record database. The system provided by the invention realizes the electronic record correlated signature by adding the correlated record information defined by the invention to the signed attributes in the signed data which are defined in cryptographic message syntax standards. The electronic records which have an incidence relation are correlated through a technical means by utilizing the electronic record correlated signature to realize the correlated evidence obtainment and correlated verification of the electronic records, thereby generating the evidence chain with repudiation resistance.

Description

An electronic evidence obtaining system based on electronic record correlated signature
Technical field
The invention belongs to the technical field of message authentication and non-repudiation in information security, and in particular relates to an electronic evidence obtaining system based on electronic record correlated signature.
Background art
Records include all kinds of documents, orders, contracts, agreements, operation logs and so on. One of the key properties of a record is that it can serve as evidence. An electronic record is the electronic form of a record. Because of the nature of electronic records, however, many problems remain to be solved before they can serve as valid legal evidence. Electronic records are easy to forge and tamper with, so the following are all important problems: how to determine a record's originality, authenticity (whether it really exists) and integrity (whether it has been forged); how to determine and confirm its originator (who produced or submitted it) and its participants (who took part in producing it); and how to make the originator and participants unable to deny that they produced or took part in the record. Determining the originality, authenticity and integrity of an electronic record is a message authentication problem; determining and confirming its originator and participants so that they cannot deny their actions is a non-repudiation problem. At present, the effective means of solving both problems for electronic data is the digital signature.
A digital signature is a security technique built on public-key cryptography. It can authenticate and guarantee the originality, authenticity and integrity of electronic data and provide evidence for non-repudiation. Public-key cryptography in turn rests on public-key encryption algorithms, also called asymmetric-key encryption algorithms, which use a pair of keys for encryption and decryption. One key is kept secret and is called the private key; it is kept safely by the owner of the key pair (or entity) and can be used for digital signatures (or for decrypting information). The other is published and is called the public key; anyone can obtain it through some channel, and it can be used to verify digital signatures (or to encrypt information).
The principle of digital signatures based on public-key algorithms is, briefly, as follows. The signer first computes the hash value of the data to be signed, that is, obtains the digital fingerprint of the electronic data to be signed (also called the message digest), and then encrypts this hash value with its private key; the encrypted result is called the signature data. To verify whether a given piece of signature data is this signer's signature over the data in question, the verifier first decrypts the signature data with the signer's public key, then computes the hash value of the data with the same hash algorithm, and finally compares the decrypted data with the hash value just computed. If they are equal, the signature data really is the signer's signature over the data, made with the signer's private key; otherwise, either the signature data has been forged or the data has been tampered with.
Digital signatures have the following properties: 1) only the owner of the private key can sign data, while anyone can verify the validity of the signature with the public key; 2) any modification of the original data causes signature verification to fail, so the integrity of the data can be authenticated and guaranteed, its authenticity determined, and any tampering with the signed data detected; 3) the signature value cannot be forged, that is, nobody else can forge the private key owner's digital signature so that it passes verification with the public key. In other words, if a digital signature passes verification with the public key and is valid, it is certain that the signature was made by the private key owner and that the data comes from, and was produced by, the private key owner. The originality and the originator (or participants) of the data can thus be determined, which achieves non-repudiation. The most commonly used asymmetric-key encryption algorithms at present are RSA and DSA, while elliptic curve cryptography (ECC) is a more recent asymmetric-key encryption algorithm that has received wide attention.
For asymmetric encryption to be usable in practice, the problem of distributing public keys securely must also be solved. To distribute public keys securely and reliably and to prevent impersonation, the Public Key Infrastructure (PKI) security framework was proposed. In a PKI, an entity called a certification authority (CA) issues digital certificates (certificates for short) to the owners of public keys through a certificate authentication system (called the CA system). A digital certificate is a set of electronic information that contains the public key, the name of the public key's owner (the subject name), the name of the certificate issuer (the issuer name, that is, the certification authority), the certificate serial number, the certificate key usage and other information, and it is digitally signed with the private key of the certification authority. The validity of this signature can be verified with the public key of the certification authority (which is itself published in a special public-key certificate called a CA certificate and can be obtained through a secure channel). Digital certificates thus bind a public key (or key pair) to the owner of the key pair (the private key) and solve the problem of distributing public keys securely.
With digital certificates, electronic data can be signed and signatures verified securely: anyone can generate a public key pair in a secure way, apply to a certification authority for a digital certificate containing the public key and the owner's information, and then sign data with the private key corresponding to the certificate. Anyone else can obtain the signer's certificate securely through public channels and then verify the validity of the digital signature with the public key in the certificate. Many countries, including China, have now enacted electronic signature laws, which establishes the legal force and standing of digital signatures. Digitally signing electronic records can therefore solve the problems that electronic records face as evidence with regard to originality, authenticity, integrity and non-repudiation, so that electronic records can become genuinely valid legal evidence.
Although digitally signing an electronic record can make it valid legal evidence, in practice signing a single record is often not enough, because actual litigation and judicial practice often require an evidence chain, that is, a group of electronic records (pieces of evidence) that are related to one another. In electronic medical record applications, for example, the electronic medical orders issued for a given patient are usually interrelated: a later order is normally issued on the basis of an earlier one, or even changes an earlier one, and a group of orders is usually also associated with (and issued on the basis of) a group of laboratory test reports. When a doctor-patient dispute arises and liability has to be determined, looking at a single order is therefore not enough; the associated orders and laboratory test reports also have to be examined. For this purpose all electronic medical orders and laboratory test reports have to be kept as records (evidence), and the stored records have to be linked to one another in some way so that they form an evidence chain. When necessary, the evidence chain can then be obtained and its existence proved; the originality and authenticity of any record in the chain can be verified and its originator and participants determined; and the modification, forgery or deletion of any record in the chain can be detected. Ordinary digital signing of electronic records is no longer adequate for this, and the system of the present invention is intended to solve exactly this problem.
In practice, the content and presentation of electronic records vary widely with their use, subject and purpose. In the present invention, a set of electronic record objects that serve the same purpose, are aimed at the same user group and contain the same kind of information content is called an electronic record class. According to how their content is organized and presented, electronic records are divided into three types: form type (Form) records, file type (File) records and form+file type (Form+File) records. A form type (Form) record consists of several record fields, and the data of each field is value-type data (such as a string or an integer). A form type record usually corresponds to a record stored in database tables, where each record field corresponds to (and is stored in) a data field of a database table. It can be represented as "name-value pairs" of the form name1=value1&name2=value2..., where each "name" corresponds to a field name (or ID) in the record and/or the database table and each "value" corresponds to the value stored in that field. Because "name-value pairs" are also the format of the input/output data of forms in human-machine interfaces, records of this kind are called Form type records in the present invention. For a file type (File) record, the record corresponds to a file (document), such as a Word or PDF document. In a form+file type (Form+File) record, some record fields store value-type data (as in a Form record), while other fields correspond to files: they either store the file content directly or store a location indicator for the file (such as a Uniform Resource Locator, URL, from which the file can be obtained).
Summary of the invention
The present invention proposes an electronic evidence obtaining system based on electronic record correlated signature. It not only provides the functions of ordinary digital signatures, but also links interrelated electronic records together by technical means and, on that basis, performs correlated evidence obtaining and correlated verification of electronic records, thereby producing an evidence chain with non-repudiation.
The system of the invention comprises the following modules or components:
Record signature module: provides digital signature functions (both ordinary signatures and record correlated signatures) to the application systems of all kinds of electronic records. It can take the form of a dynamic or static library (such as a C/C++ library or COM component), a class package (such as a Java or C# class package) or a service system that provides signing functions.
Record verification and evidence obtaining module: verifies the signatures of electronic records and, based on the electronic record correlated signatures, performs correlated search and correlated evidence obtaining of electronic records, so as to form an evidence chain of electronic records.
Record configuration management module: describes and sets the name, identifier (ID), type, content, signature, and storage and retrieval methods of the electronic record classes concerned, so that the record verification and evidence obtaining module can automatically perform signature verification, correlated search and correlated evidence obtaining on electronic records.
Record configuration information: represents and stores the information set by the record configuration management module about the electronic record classes that is relevant to signing, signature verification, search and evidence obtaining of electronic records.
Electronic record application system: an application that uses the record signature module to sign electronic records.
Record database: the database system that stores the electronic records of the application system.
The record verification and evidence obtaining module and the record database can be located at the same physical site and on the same network, or at different physical sites and on different networks. In the former case the record verification and evidence obtaining module accesses the record database directly; in the latter case it accesses the external record database through network protocols and network service interfaces (such as HTTP or Web Services).
The digital signatures in the record signature module and in the record verification and evidence obtaining module use the signature format defined in the Cryptographic Message Syntax (CMS, see RFC 3852). Note that in CMS, SignedData is a data type; in this description, "signed data" means data of the SignedData type.
The main purpose of the record configuration information is to provide the record verification and evidence obtaining module with the information it needs for record signature verification and correlated evidence obtaining. Its content includes, but is not limited to, the name, unique identifier (ID) and type (Form, File or Form+File) of each record class to be processed, and the method and protocol for obtaining records. For Form type records, the configuration information may also include the fields the record class contains and their value types, which database tables the record class corresponds to (the fields of one record may be spread over several database tables), how they correspond (which record field maps to which field of which table), and how these tables are joined so that they can be operated on (insert, delete, query, update) as one logical whole. For Form+File type records, in addition to the configuration information that Form records have (the fields contained, their names, value types and so on), the configuration information also describes which fields are file fields and whether a file field stores the file content or a location indicator for the file (the URL from which the file is obtained).
For Form and Form+File type records, a record is usually digitally signed by representing the content of the fields to be signed as "name-value pairs" and then signing that representation (computing the hash value and encrypting it with the private key). For these record types the record configuration information therefore also specifies which fields are signature fields that store "signed data" (there may be several such fields), which record fields are covered by each signature field's signature (the content signed by one signature field may include, that is nest, other signature fields), and in what order the covered fields appear in the "name-value pairs" when the signature hash value is computed. For file type records (such as PDF, Word or Excel documents), many applications use their own proprietary signing methods and schemes. Except for standard signing schemes (such as standard PDF document signatures), the record verification and evidence obtaining module therefore cannot know where in the document the signature data is stored or which part of the document content the signature covers, so it can neither extract the signed data from the document nor verify the signature over the covered content. To solve this, for file type record classes the record configuration information can name the signature verification module or component (a dynamic library, class package, etc.) for that record class. The record verification and evidence obtaining module calls it to verify the signature and to extract the signed data from the file record for use in correlated evidence obtaining.
In the present invention, a record associated with the record currently being signed is called a "correlated record", and a record "correlated signature" is a signature on a record that covers not only the content of the record itself but also the content of the correlated records associated with it. To add the information of the associated records to a record's digital signature, the invention defines a multi-valued attribute type called "correlated record information" (CorrelatedRecordInfo), assigns this attribute type an object identifier (OID), and specifies an attribute value data structure for it (one such data structure corresponds to a single attribute value of this attribute type), which holds the information of one other record (a correlated record) associated with the record being signed. Specifically, the attribute value data structure contains the following data fields:
1) RecordClassID (record class identifier): the record class identifier (ID) of the correlated record associated with the record being signed;
2) RecordSearchKeys (record search keys): optional field, for Form type and Form+File type correlated records; its value is a search condition, expressed as name-value pairs (name1=value1&name2=value2...), that uniquely locates the correlated record in the record database;
3) RecordHashValue (record hash value): the hash value of the correlated record associated with the record being signed;
4) RecordHashedFieldsList (list of hashed record fields): optional field, for Form type and Form+File type correlated records; its value is a list of record fields of the correlated record, giving the fields covered, and their order, when the hash of the correlated record is computed (that is, the content of the correlated record that the correlated signature covers);
5) HashAlgorithm (hash algorithm): the algorithm used, when the record correlated signature is computed, to compute the hash value of the correlated record associated with the current record;
6) RecordRetrievalURL (record retrieval URL): mandatory for File type correlated records; its value gives the method, protocol and location for obtaining the correlated record. For Form type and Form+File type correlated records this field is optional.
In the name-value pairs stored in RecordSearchKeys, each "name" corresponds to a record field name (or record field ID) and "&" denotes logical AND, so "name1=value1&name2=value2..." expresses the search condition (name1=value1) and (name2=value2) .... When the corresponding correlated record is searched for in the record database, this search condition is converted into the query condition of a database query statement. In addition, for Form type and Form+File type correlated records, if the record can be obtained by querying a web service (for example over HTTP), the "correlated record information" attribute value can contain the RecordRetrievalURL field, which gives the method, protocol, location and parameters for querying and obtaining the record; in that case the attribute value need not contain the RecordSearchKeys field.
For an ordinary, non-correlated digital signature call, the record signature module signs the record in the usual way. For a record correlated signature call, the request submitted by the caller contains, besides the record data to be signed, the information about the other records associated with this record that is needed to generate the "correlated record information" (CorrelatedRecordInfo) attribute values. For a record correlated signature call, the record signature module proceeds as follows:
S1. Compute the hash value of the signed content of the record to be signed;
S2. Store the relevant information of each correlated record associated with the record to be signed in an attribute value data structure of the "correlated record information" attribute type;
S3. DER-encode (Distinguished Encoding Rules) the "correlated record information" attribute value data of all correlated records produced in step S2 as an ASN.1 (Abstract Syntax Notation One) SET, producing the value of the multi-valued "correlated record information" attribute;
S4. Add the Content Type attribute consistent with the signed content, the Message Digest attribute whose value is the record hash value produced in S1, and the "correlated record information" attribute whose value was generated in step S3, to the signed attributes (signedAttrs) field of the signer information (signerInfo) corresponding to the signing private key in the "signed data" (data of the SignedData type) defined by the Cryptographic Message Syntax (CMS);
S5. Produce the digital signature, including the signed attributes, by the method specified in the Cryptographic Message Syntax (CMS).
The value of the Content Type attribute is an object identifier (OID) that indicates the type of the signed content. For electronic records it is normally 1.2.840.113549.1.7.1 (the Data type), but it may be another value.
In the present invention, for a Form+File type record, if a record field is a file field and what it stores is a file location indicator (the URL for obtaining the file), then even if the field is within the content covered by the digital signature, the content of the corresponding file is not included in the record hash value computed for the signature; only the location indicator (URL) is included in the hash computation. If the file content is to be covered by the digital signature in this case, the file must be treated as a separate file type record associated with the current record, and the file content is then brought into the signed data of the current record through the record correlated signature of the invention. In this case, when the digital signature of the Form+File record is verified, if the file itself also contains a signature, that signature is verified in the way signatures of the file type correlated record itself are verified.
The record verification and evidence obtaining module provides two kinds of signature verification calls for electronic records: an ordinary record signature verification call, and a record signature verification and correlated evidence obtaining call. For either call, the calling interface must supply at least two items of data: the data of the electronic record itself, including its digital signature, and the record class identifier of the record.
For an ordinary record signature verification call, that is, digital signature verification only of the originality and integrity of the record itself, the record verification and evidence obtaining module verifies the record's digital signature or signatures in the usual way.
For a signature verification and correlated evidence obtaining call on a record, the record verification and evidence obtaining module not only verifies the digital signature over the content of the record itself, but also tries to obtain the correlated records of the record and verifies whether each is the original correlated record (that is, performs "correlated verification"). It repeats this signature verification and correlated evidence obtaining process for every correlated record obtained, until all records directly or indirectly associated with the record being verified have been obtained and verified. The result finally returned therefore contains not only the record originally submitted for verification and its signature verification result, but also, as a linked data structure, all records directly or indirectly associated with it, their signature verification results, and the verification results of the associations between records. Each node data structure (record data object) in this linked data structure corresponds to one record; it holds the information and verification result of that record (for example whether it has been tampered with) and links to the node data structures of its correlated records (pointers or references to the node data objects of the correlated records). Carrying out the verification and correlated evidence obtaining process of the invention thus finally produces a record chain (evidence chain) linked together by correlated signatures. One point to note in signature verification and correlated evidence obtaining is that a record may have several items of "signed data" (data of the SignedData type) as defined in the Cryptographic Message Syntax (CMS), and each item of "signed data" may contain several "signer information" (signerInfo) entries (that is, several signatures). The specific procedure by which the record verification and evidence obtaining module performs signature verification and correlated evidence obtaining on a record is as follows:
A1. Initialize a linked data structure for holding the verification and correlated evidence obtaining results. Initially it contains a single node, corresponding to the record to be verified. Take this record as the object of verification and correlated evidence obtaining and go to the next step;
A2. Take the next "signed data" of the record currently being verified that this procedure has not yet examined. If there is no "signed data" left, return the linked data structure holding the verification and correlated evidence obtaining results; otherwise go to the next step;
A3. Take the next "signer information" (signerInfo) in the "signed data" that this procedure has not yet verified. If there is no "signer information" left, go to step A2; otherwise go to the next step;
A4. For the "signer information" obtained, first verify by the ordinary signature verification method whether this signer's digital signature is valid, store the result in the node of the result linked data structure that corresponds to the record currently being verified, and then go to the next step;
A5. Check whether the "signer information" being verified contains signed attributes (signedAttrs). If not, go to step A3; otherwise go to the next step;
A6. Check whether the signed attributes (signedAttrs) of the "signer information" contain a "correlated record information" attribute. If not, go to step A3; otherwise obtain this "correlated record information" attribute and go to the next step;
A7. For the record currently being verified, and on the basis of the "correlated record information" attribute obtained in step A6 and the linked data structure produced so far during verification and evidence obtaining, carry out the "record correlated evidence obtaining and correlated verification" sub-procedure; when it completes, go to step A3.
In step A2 above, the "record verification and evidence obtaining module" obtains the next unchecked "signed data" (that is, data of the SignedData type) as follows:
According to the record class identifier of the record currently being verified, passed in through the calling interface, consult the record configuration information to determine the type of the record. If it is a file type record, the "record verification and evidence obtaining module" calls the specific signature verification module or component designated for this record class in the record configuration information, or calls the corresponding default signature verification module or component according to the file extension (that is, the file type), to obtain and return the next unchecked "signed data", or to return a "no more data" result. If it is a form type or form+file type record, the module determines from the description of this record class in the record configuration information which fields are record signature fields, and obtains and returns the next unchecked record signature field, or returns a "no more data" indication.
In step A4 above, ordinary digital signature verification of the "signer information" (signerInfo) of the record's signed data is carried out as follows:
According to the record class identifier of the record currently being verified, passed in through the calling interface, consult the record configuration information to determine the type of the record. If it is a file type record, the "record verification and evidence obtaining module" calls the signature verification module or component designated for the corresponding record class in the record configuration information, or calls the corresponding default signature verification module or component according to the file extension (that is, the file type), to verify the record signature. If it is a form type or form+file type record, the module determines, from the configuration information of the record class of the current record, which record fields are covered by the signed data of the record signature field in which the current "signer information" resides, and the order of those record fields in the hash calculation (that is, the record fields covered when the signature hash was computed, and their order); it then computes accordingly and verifies whether the digital signature is correct.
In step A7 above, the "record verification and evidence obtaining module" executes the "record correlated evidence obtaining and correlation verification" subprocess as follows:
B1. Take the next property value of the multi-valued "associated record information" (CorrelatedRecordInfo) attribute that has not yet been processed by this subprocess. If no property value remains, return the chain data structure result; otherwise, go to the next step;
B2. According to the value of the "record class identifier" (RecordClassID) field in the "associated record information" property value taken in step B1, consult the record configuration information to determine the type of the corresponding record class. If it is the form (Form) or form+file (Form+File) type, go to step B8; otherwise the record class is of the file (File) type, and go to the next step;
B3. Using the protocol, method and address given in the "record retrieval URL" (RecordRetrievalURL) field of the "associated record information" property value, obtain the corresponding file type associated record. If this fails, mark the reason for the failure (such as connection failure or record does not exist) in the node data structure of the chain data structure that corresponds to the record currently being verified, and then go to step B1; otherwise, go to the next step;
B4. Create a node data structure in the chain data structure and save the information of the associated record obtained in step B3 in it (this node is called the associated record node); in the node data structure corresponding to the record currently being verified, set a link to this associated record node data structure (for example, a pointer or reference to the associated record node data object). That is, in the chain data structure that returns the verification and evidence obtaining results, add a link from the node of the record currently being verified to the associated record node;
B5. Using the algorithm given in the "hash algorithm" (HashAlgorithm) field of the "associated record information" property value obtained in step B1, compute the hash value of the file record obtained;
B6. Compare the hash value computed in step B5 with the value of the "record hash value" (RecordHashValue) field in the "associated record information" property value. If they are equal, mark this associated record as not tampered with in its node data structure in the chain data structure; otherwise, mark it as tampered with;
B7. Taking the associated record obtained in step B3 as the object of verification and correlated evidence obtaining, further execute the record verification and correlated evidence obtaining process of steps A2 to A7; when it completes, go to step B1;
B8. Check whether the "associated record information" property value obtained in step B1 contains the "record retrieval URL" (RecordRetrievalURL) field. If not, go to step B10; otherwise, go to the next step;
B9. Using the protocol, method and address given in the "record retrieval URL" (RecordRetrievalURL) field, obtain the corresponding associated record. If this fails, mark the reason for the failure (such as connection failure or record does not exist) in the node data structure of the chain data structure that corresponds to the record currently being verified, and then go to step B1; otherwise, go to step B12;
B10. According to the value of the "record class identifier" (RecordClassID) field in the "associated record information" property value obtained in step B1, find the configuration information of the corresponding record class in the record configuration information;
B11. With the content of the "record search keys" (RecordSearchKeys) field of the "associated record information" property value obtained in step B1 as the query condition, and using the record query and retrieval method obtained from the record configuration information in step B10, query the local or remote record database to obtain the corresponding associated record. If this fails, mark the reason for the failure (such as connection failure or record does not exist) in the node data of the chain data structure that corresponds to the record currently being verified, and then go to step B1; otherwise, go to the next step;
B12. Create a node data structure in the chain data structure and save the information of the associated record obtained in it (this node is the associated record node); in the node data structure corresponding to the record currently being verified, set a link pointing to this associated record node data structure. That is, in the chain data structure that returns the verification and evidence obtaining results, add a link from the node of the record currently being verified to the associated record node;
B13. Using the algorithm given in the "hash algorithm" (HashAlgorithm) field of the "associated record information" property value, and following the record field order given in the "record hashed fields list" (RecordHashedFieldsList) field of the "associated record information" property value, compute the hash of the associated record obtained;
B14. Compare the associated record hash value computed in step B13 with the value of the "record hash value" (RecordHashValue) field in the "associated record information" property value. If they are equal, mark this record as not tampered with in the node data structure of the chain data structure that corresponds to this associated record; otherwise, mark it as tampered with;
B15. Taking the associated record obtained in step B9 or step B11 as the object of verification and correlated evidence obtaining, further execute the record verification and correlated evidence obtaining process of steps A2 to A7; when it completes, go to step B1.
Steps B6 and B14 above are the correlation verification of a record. If the two hash values are equal, the associated record just obtained really is the original associated record associated with the record being verified; otherwise, the so-called associated record just obtained is one that has been tampered with or forged.
In step B11 above, the "record verification and evidence obtaining module" obtains the corresponding associated record from the record database as follows:
Determine from the record configuration information whether the record database is local or remote. If it is remote, use the query protocol, method and address given in the record configuration information, convert the content of the "record search keys" (RecordSearchKeys) field in the "associated record information" (CorrelatedRecordInfo) property value into the corresponding query condition, and query the remote record database to obtain the corresponding record. Otherwise, with the content of the "record search keys" (RecordSearchKeys) field as the query condition, and combining the description of the correspondence between the record class and the local record database tables with the description of the relationships between database tables, both given in the record configuration information, form a concrete database query request (such as an SQL request or another suitable query request), connect to the local database, and query it to obtain the corresponding associated record.
As the description above shows, the whole record verification and correlated evidence obtaining process comprises three parts. The first part is initialization, comprising step A1. The second part is record verification, comprising steps A2-A6. The third part is correlated evidence obtaining and verification (the verification comprising both the verification of the association relationship of an associated record and the signature verification of the associated record itself), comprising steps A7 and B1-B15. Within the third part, steps B1-B15 execute steps A2-A7 recursively (corresponding to a recursive call of a subprogram or method): a record may contain one or more correlated signatures, and correlated evidence obtaining and verification must be carried out for each of them; each associated record obtained in this way may itself contain one or more correlated signatures, which require further correlated evidence obtaining and verification; this process is repeated until all associated records have been obtained and verified. As a result of this process, the final chain record data structure may not be a simple chain, but a tree, or even a net. To avoid looping in the above process, that is, endless cyclic verification and correlated evidence obtaining on certain records caused by direct or indirect mutual association between records, the "record verification and evidence obtaining module", before verifying an obtained associated record and obtaining further evidence from it, first checks in the chain data structure holding the verification and evidence obtaining results whether this record already exists and has already completed verification and correlated evidence obtaining. If so, the record is not verified or followed any further; otherwise, verification and correlated evidence obtaining continue on this record.
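The traversal of steps A1-A7 and B10-B15, including the loop check just described, as an added Python example that is not part of the patent text. It is narrowed to form type records held in an in-memory store, and a plain digest comparison stands in for CMS signature verification; the dictionary layout, the `id` search key, the length-prefixed field encoding and all function names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def hash_fields(fields, ordered_names, algorithm="sha256"):
    """Hash the named record fields in the given order (step B13).

    Assumption: each value is UTF-8 text with a 4-byte length prefix, so
    ("ab", "c") and ("a", "bc") cannot collide. The page fixes no encoding.
    """
    h = hashlib.new(algorithm)
    for name in ordered_names:
        value = str(fields[name]).encode("utf-8")
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


@dataclass
class Node:
    """One node of the result chain: a record key plus verification results."""
    key: tuple
    signatures: list = field(default_factory=list)  # one bool per signerInfo (A4)
    links: list = field(default_factory=list)       # keys of associated-record nodes
    errors: list = field(default_factory=list)      # retrieval failures (B11)
    tampered: bool = False                          # set when a B14 comparison fails


def verify_and_collect(record, store, chain=None):
    """Steps A1-A7 for one record; returns the chain as {key: Node}."""
    if chain is None:
        chain = {}                                  # A1
    key = (record["class"], record["id"])
    node = chain.setdefault(key, Node(key))
    for signer in record["signer_infos"]:           # A2/A3
        # A4 stand-in: digest comparison instead of CMS public-key verification.
        ok = hash_fields(record["fields"], signer["covered"]) == signer["digest"]
        node.signatures.append(ok)
        for info in signer.get("correlated", []):   # A5/A6, then B1
            correlate(node, info, store, chain)     # A7
    return chain


def correlate(node, info, store, chain):
    """Steps B10-B15 for one CorrelatedRecordInfo value (form type path)."""
    target_key = (info["RecordClassID"], info["RecordSearchKeys"]["id"])
    target = store.get(target_key)                  # B11: stand-in for the database query
    if target is None:
        node.errors.append(f"{target_key}: record does not exist")
        return
    already_in_chain = target_key in chain          # loop check from the text
    target_node = chain.setdefault(target_key, Node(target_key))  # B12
    node.links.append(target_key)
    digest = hash_fields(target["fields"], info["RecordHashedFieldsList"],
                         info["HashAlgorithm"])     # B13
    if digest != info["RecordHashValue"]:           # B14
        target_node.tampered = True
    if not already_in_chain:                        # B15: recurse only once per record
        verify_and_collect(target, store, chain)


# ---- constructed sample data (not from the page) ----
def link_to(rec, names):
    """Build one CorrelatedRecordInfo value for `rec` as it is right now."""
    return {"RecordClassID": rec["class"], "RecordSearchKeys": {"id": rec["id"]},
            "RecordHashedFieldsList": names, "HashAlgorithm": "sha256",
            "RecordHashValue": hash_fields(rec["fields"], names)}


def sign(rec, correlated=()):
    covered = sorted(rec["fields"])
    rec["signer_infos"] = [{"covered": covered, "correlated": list(correlated),
                            "digest": hash_fields(rec["fields"], covered)}]


def build_demo_store():
    mk = lambda c, i, f: {"class": c, "id": i, "fields": f, "signer_infos": []}
    order = mk("order", "O-1", {"item": "router", "qty": 2})
    invoice = mk("invoice", "I-1", {"order": "O-1", "amount": 400})
    receipt = mk("receipt", "R-1", {"invoice": "I-1", "paid": 400})
    shipment = mk("shipment", "S-1", {"order": "O-1"})   # never stored: a deleted record
    sign(order, [link_to(invoice, ["order", "amount"]), link_to(shipment, ["order"])])
    sign(invoice, [link_to(receipt, ["invoice", "paid"])])
    sign(receipt, [link_to(order, ["item", "qty"])])     # closes a loop back to the order
    # Later the stored invoice is altered and re-signed on its own, so its own
    # signature still verifies; only the order's correlated hash exposes it.
    invoice["fields"]["amount"] = 40
    sign(invoice, invoice["signer_infos"][0]["correlated"])
    return order, {(r["class"], r["id"]): r for r in (order, invoice, receipt)}


if __name__ == "__main__":
    start, db = build_demo_store()
    for n in verify_and_collect(start, db).values():
        print(n)
```

The altered invoice passes its own signature check yet is flagged by the correlation check from the order, and the loop from receipt back to order is followed as a link without re-verifying the order.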
From the foregoing it can be seen that the electronic record correlated signature achieves the following technical effects:
1. Two records are associated with each other, which facilitates correlated evidence obtaining to produce an evidence chain;
2. The existence of the association relationship between two records is proved, and thereby the existence of the evidence chain.
Through the above record verification and correlated evidence obtaining process, the following results can be obtained:
1) All other records directly or indirectly associated with the record to be verified are obtained, or associated records that have been lost or deleted are discovered;
2) Through the record correlated signature, it is checked and confirmed whether an obtained associated record is the original record as it was at the time of correlated signing (whether it has been tampered with or forged);
3) The verification result of the digital signature validity of each record (including the record to be verified and all records directly or indirectly associated with it) is obtained, that is, whether the record has been forged or tampered with.
These results have the following significance for judicial proof:
1. Determining and proving the originality, authenticity and integrity of the relevant records, and the originators of and participants in the generation of the relevant records;
2. Discovering and confirming records that have been tampered with or forged;
3. Obtaining the evidence chain of the relevant records;
4. Discovering records in the evidence chain that have been tampered with, forged or deleted.
The present invention has the following innovations and characteristics:
1) It proposes an electronic evidence obtaining system based on electronic record correlated signatures. Through the electronic record correlated signature, the system associates a record with the other records related to it. Based on this record correlated signature, it is possible not only to determine the originality, authenticity and integrity of the content of the record itself, but also to carry out correlated evidence obtaining on the record accordingly and obtain an evidence chain for electronic records.
2) Through configuration management of record classes, the system of the present invention can be applied to records of different classes (class) and different types (type), and is therefore general-purpose.
Description of drawings
Fig. 1 is a structural diagram of the system of the present invention.
Fig. 2 is a schematic diagram of the chain data structure in which the present invention returns the record verification and correlated evidence obtaining results.
Fig. 3 is a flow chart of the record verification and correlated evidence obtaining subprogram of the present invention.
Fig. 4a and Fig. 4b are flow charts of the record correlated evidence obtaining and correlation verification subprogram of the present invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
A system according to the present invention comprises the following modules or components (as shown in Fig. 1):
Record signature module: provides digital signature functions, including the record correlated signature function, to the application systems of all kinds of electronic records.
Record verification and evidence obtaining module: performs signature verification on electronic records, and carries out association search and correlation verification of electronic records based on record correlated signatures, to produce an evidence chain for electronic records.
Record configuration management module: describes and sets the name, identifier, type, content, signature, storage and retrieval method, and so on, of the electronic record classes involved, so that the "record verification and evidence obtaining module" can automatically carry out signature verification, association search and correlation verification of the relevant electronic records.
Record configuration information: represents and stores the information about electronic record classes that is set by the "record configuration management module" and is relevant to electronic record signing and signature verification and to record association search and evidence obtaining.
Electronic record application system: any of the specific applications that call the "record signature module" of the present invention to sign electronic records.
Record database: used to store the electronic records of the application systems.
The specific implementation of the "record signature module" depends on the concrete application and application environment. It can be a dynamic library or static library (such as a C/C++ library or a Windows COM component), a class package (such as a Java class package or a C# class package), or a service system that provides the signature function. Correspondingly, the module or system can be developed with technologies and platforms such as C/C++, J2EE and C#.NET. For the ordinary signature function, the "record signature module" can directly use any of the many existing cryptographic APIs and toolkits that support the Cryptographic Message Syntax standard (CMS, see RFC3852), such as Windows CryptoAPI, OpenSSL, and various Java cryptography class packages. The correlated signature can be implemented by extending an existing cryptographic module that supports CMS (that is, the cryptographic APIs and toolkits mentioned above). Existing cryptographic modules that support CMS all support adding the "signed attributes" (signedAttrs) field to the "signer information" (signerInfo); it is therefore only necessary to add the "associated record information" (CorrelatedRecordInfo) attribute defined by the present invention to the "signed attributes" to realize the record correlated signature.
Similarly, the specific implementation of the "record verification and evidence obtaining module" can be a dynamic library or static library (such as a C/C++ library or a Windows COM component), a class package (such as a Java class package or a C# class package), or an independent evidence obtaining service system, and the module or system can likewise be developed with technologies and platforms such as C/C++, J2EE and C#.NET. Existing cryptographic modules that support CMS can all verify digital signature data (that is, "signed data" of the SignedData type) that carries "signed attributes" (signedAttrs), and provide interfaces for extracting the content of the "signed attributes". The "record verification and evidence obtaining module" can therefore use these modules to perform signature verification, further extract the "associated record information" attribute (a multi-valued attribute defined by the present invention) from the "signed attributes", and then carry out correlated evidence obtaining and correlation verification of records according to that attribute. For the special signature verification module for a particular file type record class mentioned in the summary of the invention, it is necessary, depending on the circumstances, either to use an existing standard signature verification module or component, or to develop a corresponding signature verification module or component (a C/C++ library, a Java or C# class, and so on), in order to complete signature verification, obtain the "signed data" (that is, data of the SignedData type) from the file record, and further extract the "associated record information" attribute from that data for correlated evidence obtaining.
The specific implementation of the "record configuration management module" can be an independent system or a subsystem that can work independently. It is simply an information management system for record class configuration information, and can be developed with technologies and platforms such as C/C++, J2EE and C#.NET.
The "record configuration information" can be represented and stored either in a database or in XML documents.
The "record database" depends on the application system. It can be a relational database system accessed through SQL statements, a database system whose records are accessed and retrieved through a network service protocol or service interface, or a database system accessed by other means.
The "associated record information" (CorrelatedRecordInfo) attribute added to the "signed attributes" (signedAttrs) of a digital signature is a specific attribute type of the following general attribute type (see RFC3852, Cryptographic Message Syntax):
[Figures BDA0000064920770000211 and BDA0000064920770000221: definition of the general attribute type; images not reproduced in the text]
Specifically, in concrete data of this data type, if the value of attrType equals the OID corresponding to the "associated record information" (CorrelatedRecordInfo) attribute type defined by the present invention (this OID is a globally unique object ID defined by the present invention), then the value of the attrValues that follows is the multi-valued property value of the "associated record information" attribute (more precisely, it is the set of "associated record information" property values).
The record verification and correlated evidence obtaining process of steps A1-A7 described in the summary of the invention returns a chain data structure that holds the record to be verified and its signature verification result, together with all other records directly or indirectly associated with that record and their verification results. One possible implementation of this chain data structure is shown in Fig. 2. Here, a record data structure is a node in the chain data structure; it corresponds to one record and stores the relevant information of that record and its verification result (such as whether it has been tampered with). Each node record data structure has a variable-length chain data structure (specifically, this can be a pointer chain in C/C++, a List structure in Java, and so on) that points to (links to) the record data structures of a series of other records associated with this record (that is, its associated records). In addition, each node record data structure has another variable-length chain data structure that points to (links to) a series of data structures called "signer information and verification result"; each such data structure corresponds to one "signer information" (signerInfo) in the record and stores the corresponding signature verification result (a record may have multiple "signer information" entries).
Steps A2-A7 of the record verification and correlated evidence obtaining process can be implemented as one subprogram (such as a subprogram in C/C++) or method (such as a method of a Java class or C# class). The parameters passed to this subprogram or method include the initial chain data structure and the record currently to be verified. The initial chain data structure passed in when this subprogram or method is called either contains only the record originally submitted for verification, or additionally contains other records, obtained by earlier correlated evidence obtaining, that are directly or indirectly associated with the record originally submitted. The subprogram or method updates and extends the chain data structure according to the verification and correlated evidence obtaining results for the record currently to be verified, and then returns the updated, extended chain data structure. The subprogram or method implementing steps A2-A7 is called the "record verification and correlated evidence obtaining subprogram"; its detailed flow is shown in Fig. 3.
In step A7, the record verification and correlated evidence obtaining process further calls a subprocess called "correlated evidence obtaining and correlation verification". Steps B1-B15 of this subprocess can likewise be implemented as one subprogram (such as a C/C++ subprogram) or method (such as a method of a Java class or C# class). The parameters passed to this subprogram or method include the initial chain data structure holding the earlier verification and correlated evidence obtaining results, the record currently being verified (that is, the record on which correlated evidence obtaining is to be performed), and the multi-valued property value data of the "associated record information" (CorrelatedRecordInfo) attribute of the "signer information" (signerInfo) in that record which, as described in step A7, is being verified and followed. The subprogram or method updates and extends this chain data structure according to the correlated evidence obtaining and correlation verification results, and, for each associated record obtained, recursively calls the subprogram or method corresponding to steps A2-A7 to carry out further record verification and correlated evidence obtaining. The subprogram or method corresponding to steps B1-B15 is called the "record correlated evidence obtaining and correlation verification subprogram"; its detailed flow is shown in Fig. 4a and Fig. 4b.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (10)

1. An electronic evidence obtaining system based on electronic record correlated signatures, the system comprising the following entities or components:
Record signature module: provides, to the application systems of all kinds of electronic records, digital signature functions including the record correlated signature;
Record verification and evidence obtaining module: performs signature verification on electronic records, carries out association search and correlation verification of electronic records based on electronic record correlated signatures, and repeats this process of signature verification, association search and correlation verification on the associated records obtained by association search, finally producing an evidence chain for electronic records;
Record configuration management module: describes and sets the name, identifier, type, content, signature, storage and retrieval method of the electronic record classes involved, so that the record verification and evidence obtaining module can automatically carry out signature verification, association search and correlation verification of the relevant electronic records;
Record configuration information: represents and stores the information about electronic record classes that is set by the record configuration management module and is relevant to electronic record signing and signature verification and to record association search and evidence obtaining;
Electronic record application system: any of the applications that call the record signature module to sign electronic records;
Record database: a database system in which the application systems store electronic records;
The cryptographic functions of the record signature module and of the record verification and evidence obtaining module conform to the Cryptographic Message Syntax standard; "signed data" in the Cryptographic Message Syntax standard refers to a data type, and the signed data referred to below means data of the SignedData type;
The record verification and evidence obtaining module provides two kinds of signature verification call for electronic records: one is the ordinary record signature verification call, and the other is the record signature verification call with correlated evidence obtaining; whichever call is used, the calling interface must supply at least two items of data: one is the data of the electronic record itself, containing the digital signature, and the other is the record class identifier corresponding to the record;
The electronic records of this system are divided, by the organization and form of expression of the record content, into three types: form, file, and form+file. In the record configuration information, for a form type record class the configuration information includes the fields of the record and the value types of the fields, the correspondence between the record class and database tables, the correspondence between record fields and database table fields, and the relationships between the multiple database tables corresponding to one record class, so that these database tables can be inserted into, deleted from, queried and updated as one logical whole. For a form+file type record, the configuration information includes, in addition to the configuration information that a form type record has, which fields are file fields, and whether a file field stores the file content or descriptive information indicating the location of the file, the location indication taking the form of a uniform resource locator. For form type and form+file type records, the record configuration information further includes which fields are signature fields holding signed data, which record fields are included in the signed content of each signature field, and the order of these record fields when the signature hash (HASH) value is computed. For a record class of the file type, the record configuration information designates the signature verification module or component corresponding to that file record class.
2. The electronic evidence obtaining system based on electronic record correlated signatures according to claim 1, characterized in that: in addition to implementing the data formats defined in the Cryptographic Message Syntax standard, the record signature module and the record verification and evidence obtaining module support adding, to the signed attributes field of the signer information in the signed data, an attribute of a multi-valued attribute type called associated record information, used to hold information about the associated records associated with the currently signed record, so that the signature on a record covers not only the content of the record itself but also the content of the associated records associated with it, thereby realizing the record correlated signature; a single property value of the associated record information attribute type is a data structure comprising the following fields:
1) Record class identifier: its value is the record class identifier of the associated record associated with the currently signed record;
2) Record search keys: an optional field, for form type and form+file type associated records; its value is a record search condition, expressed as name-value pairs, by which the associated record can be uniquely found in the record database;
3) Record hash value: its value is the hash value of the associated record associated with the currently signed record;
4) Record hashed fields list: an optional field, for form type and form+file type associated records; its value is the list of the record fields covered when the hash of the associated record is computed, in field order;
5) Hash algorithm: its value indicates the algorithm used to compute the hash value of the associated record at the time of record correlated signing;
6) Record retrieval URL: a mandatory field for file type associated records; its value indicates the retrieval method, protocol and location of the associated record; for form type and form+file type records it is an optional field.
3. The electronic evidence obtaining system based on electronic record correlated signature according to claim 1, characterized in that: for an ordinary, non-associated digital signature call, the record signature module signs the record in the ordinary way; for a record correlated signature call, the request data submitted by the caller contains, in addition to the record to be signed, information about the other records associated with this record that can be used to generate the associated record information attribute values; after receiving a record correlated signature call, the record signature module performs the record correlated signature operation as follows:
First step. Compute the hash value of the signature content of the record to be signed;
Second step. Store the relevant information of each associated record that is associated with the current record to be signed in an attribute value data structure of the associated record information attribute type;
Third step. DER-encode, in the SET manner of ASN.1, the associated record information attribute value data of all associated records generated in the second step, finally producing the attribute value of the multi-valued associated record information attribute type;
Fourth step. Add the content type attribute consistent with the signature content, the message digest attribute whose value is the record hash value produced in the first step, and the associated record information attribute whose value is that generated in the third step, to the signed attributes field of the signer information corresponding to the signing private key in the signed data specified by the Cryptographic Message Syntax standard;
Fifth step. Produce the digital signature that includes the signed attributes, by the method specified in the Cryptographic Message Syntax standard.
4. The electronic evidence obtaining system based on electronic record correlated signature according to claim 3, characterized in that: in the electronic record correlated signature, for a list+file type record, if a record field is a file field and what is stored in the field is a file location indication, then, even if this field is content covered by the digital signature, the file content corresponding to the field is not included in the computation of the record's hash value during signature computation, and only the location indication is included in the hash value computation; if the file content is to be covered by the digital signature of the record, the corresponding file is treated as a separate file type record associated with the current record, and the file content is then included in the signed data of the current record to be signed by means of the record correlated signature method.
5. The electronic evidence obtaining system based on electronic record correlated signature according to claim 1, characterized in that: when the record verification and evidence obtaining module performs signature verification and associated evidence obtaining on a record, the result returned by the call contains not only the record originally submitted for verification and evidence obtaining and its digital signature verification result, but also, in a chain data structure, every other record directly or indirectly associated with that record together with its digital signature verification result, and the verification results of the association relations between these records; each node data structure in the chain data structure corresponds to one record and stores the information of that record and the related verification results, together with links to the node data structures of its associated records, each link being a pointer or reference to the node data structure of the associated record.
6. The electronic evidence obtaining system based on electronic record correlated signature according to claim 1, characterized in that: for an ordinary record signature verification call, that is, digital signature verification concerned only with the origin and integrity of the record itself, the record verification and evidence obtaining module verifies the digital signature of the record in the ordinary digital signature verification way; for a call requesting signature verification and associated evidence obtaining on a record, the record verification and evidence obtaining module performs digital signature verification and associated evidence obtaining on the record to be verified according to the following procedure:
Step 1. Initialize a chain data structure for storing the verification and associated evidence obtaining results; this initial chain structure contains only one node, corresponding to the record to be verified; then, taking this record as the object of verification and associated evidence obtaining, proceed to the next step;
Step 2. Take, from the record currently being verified, the next signed data that has not yet been checked by this procedure; if no signed data remains, return the chain data structure holding the verification and associated evidence obtaining results; otherwise, proceed to the next step;
Step 3. Obtain, from the signed data, the next signer information that has not yet been verified by this procedure; if no signer information remains, go to step 2; otherwise, proceed to the next step;
Step 4. For the signer information obtained, which has not yet been verified by the above procedure, first verify by the ordinary signature verification method whether the digital signature of this signer is valid, and save the result in the node data structure, in the chain data structure of verification and evidence obtaining results, that corresponds to the record currently being verified; then proceed to the next step;
Step 5. Check whether the signer information being verified contains signed attributes; if not, go to step 3; otherwise, proceed to the next step;
Step 6. Check whether the signed attributes in this signer information contain the associated record information attribute; if not, go to step 3; otherwise, obtain this associated record information attribute and proceed to the next step;
Step 7. For the record currently being verified, and based on the associated record information attribute obtained in step 6 and the chain data structure produced so far during the verification and evidence obtaining, execute the record associated evidence obtaining and associated verification sub-process; on completion, go to step 3.
7. The electronic evidence obtaining system based on electronic record correlated signature according to claim 6, characterized in that: in step 2, the record verification and evidence obtaining module obtains the next unchecked signed data as follows:
According to the record class identifier of the record currently being verified, as passed in through the calling interface, check the record configuration information and determine the type of the record currently being verified. If it is a file type record, the record verification and evidence obtaining module calls the specific signature verification module or component specified for this record class in the record configuration information, or calls the corresponding default signature verification module or component according to the file extension, and obtains and returns the next unchecked signed data, or returns an indication that no more data remains. If it is a list type record or a list+file type record, the record verification and evidence obtaining module determines from the description of this record class in the record configuration information which fields are record signature fields, and obtains the next unchecked record signature field, or returns an indication that no more data remains.
8. The electronic evidence obtaining system based on electronic record correlated signature according to claim 6, characterized in that: in step 4, the ordinary digital signature verification of the signer information of the record's signed data is carried out as follows:
According to the record class identifier of the record currently being verified, as passed in through the calling interface, check the record configuration information and determine the type of the record currently being verified. If it is a file type record, the record verification and evidence obtaining module calls the signature verification module or component specified for the corresponding record class in the record configuration information, or calls the corresponding default signature verification module or component according to the file extension, to verify the record signature. If it is a list type record or a list+file type record, the record verification and evidence obtaining module determines from the configuration information of the corresponding record class the record content covered by the digital signature in the record signature field corresponding to the signer information, namely the record fields covered and the order of those fields in the hash value computation, and then, based on this information, computes and verifies whether the digital signature is correct.
9. The electronic evidence obtaining system based on electronic record correlated signature according to claim 6, characterized in that the record associated evidence obtaining and associated verification sub-process of step 7 is:
Step A. Take the next attribute value of the multi-valued associated record information attribute that has not yet been processed by this sub-process; if no attribute value remains, return the chain data structure result; otherwise, proceed to the next step;
Step B. According to the value of the record class identifier field in the associated record information attribute value taken in step A, check the record configuration information and determine the type of the corresponding record class; if it is a list type or list+file type record, go to step H; otherwise the corresponding record class is of file type, and proceed to the next step;
Step C. Using the protocol, method and address given by the record retrieval uniform resource locator field in the associated record information attribute value, obtain the corresponding file type associated record; if retrieval fails, record the reason for the failure in the node data structure, in the chain data structure, that corresponds to the record currently being verified, then go to step A; otherwise, proceed to the next step;
Step D. Create a node data structure in the chain data structure and save the information of the associated record obtained in step C in it; this node is called the associated record node; in the node data structure corresponding to the record currently being verified, set a link pointing to this associated record node data structure, that is, in the chain data structure that returns the verification and evidence obtaining results, add a link from the node of the record currently being verified to the associated record node;
Step E. Using the algorithm given in the hash algorithm field of the associated record information attribute value obtained in step A, compute the hash value of the file record obtained;
Step F. Compare the hash value computed in step E with the value of the record hash value field in the associated record information attribute value; if they are equal, mark this associated record as not tampered with in the node data structure, in the chain data structure, that corresponds to this associated record; otherwise, mark it as tampered with;
Step G. Taking the associated record obtained in step C as the object of verification and associated evidence obtaining, further carry out the record verification and associated evidence obtaining procedure of steps 2 to 7; on completion, go to step A;
Step H. Check whether the associated record information attribute value obtained in step A contains the record retrieval uniform resource locator field; if not, go to step J; otherwise, proceed to the next step;
Step I. Using the protocol, method and address given by this record retrieval uniform resource locator field, obtain the corresponding associated record; if retrieval fails, record the reason for the failure in the node data structure, in the chain data structure, that corresponds to the record currently being verified, then go to step A; otherwise, go to step L;
Step J. According to the value of the record class identifier field in the associated record information attribute value obtained in step A, find the configuration information of the corresponding record class in the record configuration information;
Step K. Using the content of the record search key field in the associated record information attribute value obtained in step A as the query condition, and using the record query and retrieval method obtained from the record configuration information in step J, query the local or remote record database and obtain the corresponding associated record; if retrieval fails, record the reason for the failure in the node data structure, in the chain data structure, that corresponds to the record currently being verified, then go to step A; otherwise, proceed to the next step;
Step L. Create a node data structure in the chain data structure and save the information of the associated record obtained in it; in the node data structure corresponding to the record currently being verified, set a link pointing to this associated record node data structure, that is, in the chain data structure that returns the verification and evidence obtaining results, add a link from the node of the record currently being verified to the associated record node;
Step M. Using the algorithm given by the hash algorithm field in the associated record information attribute value, and following the record field order given by the record hash calculation field list field in the associated record information attribute value, compute the hash of the associated record obtained;
Step N. Compare the hash value of the associated record computed in step M with the value of the record hash value field in the associated record information attribute value; if they are equal, mark this record as not tampered with in the node data structure, in the chain data structure, that corresponds to this associated record; otherwise, mark it as tampered with;
Step O. Taking the associated record obtained in step I or step K as the object of verification and associated evidence obtaining, further carry out the record verification and associated evidence obtaining procedure of steps 2 to 7; on completion, go to step A.
10. The electronic evidence obtaining system based on electronic record correlated signature according to claim 9, characterized in that: in step K, the record verification and evidence obtaining module obtains the corresponding associated record from the record database as follows:
Determine from the record configuration information whether the record database is local or remote. If it is remote, use the query protocol, method and address given in the record configuration information, convert the content of the record search key field in the associated record information attribute value into the corresponding query condition, query the remote record database and obtain the corresponding record. Otherwise, take the content of the record search key field as the query condition and, in combination with the description given in the record configuration information of the correspondence between the record class and the local record database tables and of the association relations between the database tables, form a concrete database query request, connect to the local database, query it and obtain the corresponding associated record.
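The associated verification walk of claims 5 and 9, restricted to list type records, as an added example that is not code from the patent. It omits the CMS signature verification of steps 3 to 5 and file retrieval by URL; the in-memory database, the `assoc` key standing in for the signed associated record information attribute, the length-prefixed field serialization and the hash algorithm allowlist are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

ALLOWED_ALGS = {"sha256", "sha384", "sha512"}  # assumption: verifier-side allowlist


def record_hash(record, fields, alg="sha256"):
    """Hash the listed record fields in the listed order (claim 2, fields 4 and 5)."""
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"hash algorithm not allowed: {alg}")
    h = hashlib.new(alg)
    for name in fields:
        for part in (name, str(record[name])):
            data = part.encode("utf-8")
            # Length prefix (assumption): keeps ("ab", "c") distinct from ("a", "bc").
            h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def make_assoc(db, record_class, key, fields, alg="sha256"):
    """Signer side: build one associated record information attribute value."""
    return {"record_class": record_class, "search_key": {"id": key},
            "hash_fields": list(fields), "hash_alg": alg,
            "hash_value": record_hash(db[record_class][key], fields, alg)}


@dataclass
class Node:
    """One node of the result chain: a record, its findings, links to associates."""
    record_class: str
    key: str
    tampered: object = None  # None until some association has been checked
    errors: list = field(default_factory=list)
    links: list = field(default_factory=list)


def verify_chain(db, record_class, key, nodes=None):
    """Steps A, J to O for list type records: fetch, link, hash, compare, recurse."""
    nodes = {} if nodes is None else nodes
    node = nodes.setdefault((record_class, key), Node(record_class, key))
    for info in db[record_class][key].get("assoc", []):           # step A
        ref = (info["record_class"], info["search_key"]["id"])
        rec = db.get(ref[0], {}).get(ref[1])                      # steps J, K
        if rec is None:
            node.errors.append(f"cannot fetch {ref[0]}:{ref[1]}")
            continue
        try:                                                      # step M
            actual = record_hash(rec, info["hash_fields"], info["hash_alg"])
        except (KeyError, ValueError) as exc:
            node.errors.append(f"cannot hash {ref[0]}:{ref[1]}: {exc}")
            continue
        already_walked = ref in nodes
        child = nodes.setdefault(ref, Node(*ref))                 # step L
        node.links.append(child)
        # Step N: a mismatch under any signer's attribute marks the record tampered.
        child.tampered = bool(child.tampered) or actual != info["hash_value"]
        if not already_walked:                                    # step O + cycle guard
            verify_chain(db, *ref, nodes)
    return node


def build_sample_db():
    """Constructed data: contract C1 -> order O1 -> customer U1, and C1 -> invoice I1."""
    db = {
        "customer": {"U1": {"name": "Acme Ltd", "tax_id": "T-001"}},
        "order": {"O1": {"customer": "U1", "amount": "1200.00"}},
        "invoice": {"I1": {"order": "O1", "total": "1200.00"}},
        "contract": {"C1": {"title": "Supply agreement"}},
    }
    db["order"]["O1"]["assoc"] = [make_assoc(db, "customer", "U1", ["name", "tax_id"])]
    db["contract"]["C1"]["assoc"] = [
        make_assoc(db, "order", "O1", ["customer", "amount"]),
        make_assoc(db, "invoice", "I1", ["order", "total"]),
    ]
    return db


if __name__ == "__main__":
    db = build_sample_db()
    db["order"]["O1"]["amount"] = "9200.00"   # constructed tampering after signing
    root = verify_chain(db, "contract", "C1")
    for n in root.links:
        print(n.record_class, n.key, "tampered" if n.tampered else "intact")
```

In the claimed system the stored hash values are trustworthy only because the attribute carrying them sits inside the signed attributes, so the walk is meaningful only after the signer's signature has verified.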
CN 201110142667 2011-05-30 2011-05-30 Electronic evidence obtaining system based on electronic record correlated signature Expired - Fee Related CN102195781B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110142667 CN102195781B (en) 2011-05-30 2011-05-30 Electronic evidence obtaining system based on electronic record correlated signature

Publications (2)

Publication Number Publication Date
CN102195781A CN102195781A (en) 2011-09-21
CN102195781B true CN102195781B (en) 2013-07-10

Family

ID=44603208

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110142667 Expired - Fee Related CN102195781B (en) 2011-05-30 2011-05-30 Electronic evidence obtaining system based on electronic record correlated signature

Country Status (1)

Country Link
CN (1) CN102195781B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624698B (en) * 2012-01-17 2014-12-03 武汉理工大学 Evidence management and service system for electronic records
CN102841590A (en) * 2012-09-17 2012-12-26 深圳众里飞扬科技有限公司 Law enforcement recording system, law enforcement recording device and law enforcement recording method
CN102929789B (en) * 2012-09-21 2016-06-08 曙光信息产业(北京)有限公司 Record organization method and record organization structure
WO2014194471A1 (en) * 2013-06-04 2014-12-11 安世盾信息技术(北京)有限公司 Database evidence collection method and apparatus
CN103530359A (en) * 2013-10-12 2014-01-22 深圳警翼数码科技有限公司 Information automatic correlation method and system
CN107070665B (en) * 2017-04-28 2018-06-12 北京海泰方圆科技股份有限公司 A kind of method and device of digital signature
CN107145574A (en) * 2017-05-05 2017-09-08 恒生电子股份有限公司 database data processing method, device and storage medium and electronic equipment
CN109446205B (en) * 2017-08-28 2021-03-16 中国电信股份有限公司 Device and method for judging data state and device and method for updating data
CN107454106B (en) * 2017-09-15 2018-07-06 北京海泰方圆科技股份有限公司 A kind of method and device of Information Authentication
CN108521332A (en) * 2018-04-09 2018-09-11 深圳市大恒数据安全科技有限责任公司 A kind of electronic data demonstrate,proves correlating method admittedly
CN108710658B (en) * 2018-05-11 2021-12-03 创新先进技术有限公司 Data record storage method and device
CN109391628B (en) * 2018-11-20 2021-12-24 北京天威诚信电子商务服务有限公司 Service data curing method and device and electronic equipment
CN110008719B (en) * 2019-03-11 2021-02-12 新华三信息安全技术有限公司 File processing method and device, and file detection method and device
CN109977698A (en) * 2019-03-26 2019-07-05 山东浪潮通软信息科技有限公司 A kind of framework method of anti-repudiation
CN111539000B (en) * 2020-04-17 2022-06-28 福建福昕软件开发股份有限公司 Method, system and device for simplifying electronic signature process based on PDF document
CN112597443A (en) * 2020-12-25 2021-04-02 中国人民解放军总医院 Method for defining original text in electronic signature

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1823513A (en) * 2003-07-17 2006-08-23 国际商业机器公司 Method and system for stepping up to certificate-based authentication without breaking an existing ssl session
CN1855086A (en) * 2005-04-25 2006-11-01 北京中网安达信息安全科技有限公司 System and method for analyzing and abstracting data evidence
CN101369276A (en) * 2008-09-28 2009-02-18 杭州电子科技大学 Evidence obtaining method for Web browser caching data
CN101395599A (en) * 2006-03-02 2009-03-25 微软公司 Generation of electronic signatures

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050228999A1 (en) * 2004-04-09 2005-10-13 Arcot Systems, Inc. Audit records for digitally signed documents

Also Published As

Publication number Publication date
CN102195781A (en) 2011-09-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130710

Termination date: 20160530