CN102255729B - IBE (Identity-Based Encryption) data encryption system based on a media digital certificate - Google Patents


Info

Publication number
CN102255729B
Authority
CN (China)
Application number
CN 201110189108
Other languages
Chinese (zh)
Other versions
CN102255729A (application publication)
Inventors
龙毅宏
唐志红
Assignees
Beijing iTrusChina Co., Ltd.
Wuhan University of Technology (WUT)
Application filed by BEIJING ITRUSCHINA Co Ltd and Wuhan University of Technology WUT
Legal status
Expired - Fee Related


Abstract

The invention is an IBE (Identity-Based Encryption) data encryption system based on a media digital certificate. It has four components: an IBE CSP (Cryptographic Service Provider), an IBE key management client, an IBE key server and an IBE client installer; the IBE CSP is the core of the system. The system lets operating systems and applications that have no IBE support encrypt and decrypt data with IBE. The media digital certificate acts as a bridge: the IBE CSP is registered as a Windows CSP for an asymmetric algorithm that X.509 certificates support (RSA, ECC or another), but internally implements the IBE algorithm, so encryption and decryption operations requested under RSA, ECC or another asymmetric algorithm are transparently converted into the corresponding IBE encryption and decryption operations.

Description

An IBE data encryption system based on a media digital certificate
Technical field
The invention belongs to the field of data encryption. It is an IBE (Identity Based Encryption) data encryption system based on a media digital certificate, and in particular it lets systems and applications that do not support IBE encrypt and decrypt data with IBE.
Background art
In a public-key cryptosystem the public key is used to encrypt data and to verify digital signatures, and the private key is used to decrypt data and to produce signatures. For efficiency, practical public-key encryption is almost always hybrid: when one party sends encrypted data to another, the sender first encrypts the data with a randomly generated symmetric key, then encrypts that symmetric key with the recipient's public key, and sends the encrypted data together with the encrypted symmetric key. The recipient first decrypts the symmetric key with its own private key and then decrypts the data with the recovered symmetric key.
It follows that a sender must first obtain the recipient's public key, so the owner of a public key (the future recipient of encrypted data) needs a secure way to publish it so that others can encrypt to it. Public Key Infrastructure (PKI) was proposed to solve this. In a PKI a Certification Authority (CA), acting as a trusted third party, publishes a user's (entity's) public key by issuing a digital certificate. Besides the holder's public key, the certificate contains other identity information about the holder, such as name, organization and e-mail address. The CA signs the certificate with its private key so that the information in it can be trusted and its integrity checked. Certificates are often divided into encryption certificates, used to encrypt and decrypt user data, and identity (signature) certificates, used for authentication, digital signature and signature verification. So in a PKI the sender first obtains the recipient's (encryption) certificate through some channel, such as the CA's public certificate directory, and extracts the recipient's public key from it. The public-key algorithms most commonly used in certificates today are RSA and DSA, with ECC (Elliptic Curve Cryptography) recently receiving wide attention. RSA and ECC certificates can be used both for encryption/decryption and for signing/verification; DSA certificates are used only for signing and verification. Most current operating systems and applications support RSA and DSA certificates, and applications supporting ECC certificates are beginning to appear.
In a PKI, to send encrypted data one must obtain the correct (encryption) certificate in advance. This is not easy for many ordinary users and is a well-known practical problem of the PKI model. Identity Based Encryption (IBE) was proposed to address it. IBE is also a public-key encryption technique, but the sender does not need to obtain the recipient's certificate beforehand; it only needs an identifier that uniquely identifies the recipient (an ID card number, an e-mail address and so on). From that identifier and a set of public parameters the sender can encrypt data (again usually by encrypting the data with a random symmetric key and then encrypting the symmetric key with the IBE public key). The identifier together with the public parameters constitutes the IBE public key (in practice the identifier itself is loosely called the public key). The recipient decrypts with the private key corresponding to its identifier (strictly, that private key is computed from the identifier, the public parameters and secret information). The private key is generated by an IBE key server. To obtain it, the recipient must first authenticate to the key server and prove that it owns the identifier (for example with an identity certificate or some other authentication method), then receive the private key over a secure channel and store it safely for later use. The key server publishes the public parameters in a secure way so that anyone can compute the IBE public key for a given identifier and encrypt to it. Note that because the key server derives every private key from its own master secret, it can decrypt any user's data; the trust placed in an IBE key server is therefore greater than that placed in a PKI CA, which never sees user private keys.
IBE's convenience for encrypted transmission is unique, but it faces an obvious obstacle in practice: current operating systems (such as Windows) and applications (such as Outlook) mostly do not support IBE, whereas almost all of them support the RSA public-key algorithm and RSA certificates. The invention uses a media digital certificate (a media RSA or ECC certificate) so that IBE encryption and decryption can be used in a Windows environment (or another operating system) and its applications that have no IBE support. Its key technique is an IBE CSP (Cryptographic Service Provider): a CSP that registers externally as a provider of RSA, ECC or another asymmetric algorithm but internally implements IBE.
Data encryption and decryption in Windows is mainly done through CryptoAPI and CSPs. CryptoAPI is the cryptographic API; the CSP is where keys are actually stored and where key operations and cryptographic computations are carried out, and it exposes its functions through the CryptoSPI interface. Applications use a CSP by calling CryptoAPI. Windows defines several CSP types for different algorithms and purposes, for example Type 1 (RSA Full, PROV_RSA_FULL), Type 3 (DSS Signature, PROV_DSS) and Type 12 (RSA Schannel, PROV_RSA_SCHANNEL), and there can be several CSPs of each type. Type 1 CSPs provide RSA encryption, decryption, signing and verification; Microsoft Strong Cryptographic Provider and Microsoft Enhanced Cryptographic Provider, shipped with Windows, are Type 1 CSPs, and Microsoft Strong Cryptographic Provider is the default Type 1 CSP. Type 3 CSPs provide DSA signing and verification; Microsoft Base DSS Cryptographic Provider is one. Type 12 CSPs are used for client authentication in SSL 3.0 and TLS 1.0; Microsoft RSA SChannel Cryptographic Provider is one.
Summary of the invention
The purpose of the invention is to provide an IBE data encryption system based on a media digital certificate which, by borrowing such a certificate, lets a Windows system and its applications that do not support IBE encrypt and decrypt data with IBE.
The media digital certificate is an encryption-purpose certificate conforming to the X.509 standard (an RSA or ECC encryption certificate). It is not issued by a third-party CA or a dedicated CA system; it is issued with the private key of a self-signed root CA certificate that the user generates locally with a client utility, and the subject name of the issued certificate corresponds to (or contains) the user's identifier, such as an e-mail address or ID card number. Although each user generates a different root key pair, every such self-signed root has the same subject name and issuer name, a fixed pre-agreed name, and the same serial number, for instance one derived from the hash of the subject name. Because this user-issued certificate only serves as a bridge between the encrypting application and the IBE module during encryption, and not as an ordinary certificate, the invention calls it the media digital certificate. And because it plays only this intermediary role, the fact that it is not publicly trusted does not affect the security of the IBE encryption, which rests on the IBE key server's verification of identifier ownership rather than on the certificate chain.
To achieve this, the technical solution adopted by the invention is the following.
An IBE data encryption system based on a media digital certificate comprises the following parts:
IBE CSP: a Windows Cryptographic Service Provider (CSP) registered as a provider of a particular type for a particular asymmetric algorithm (for example RSA, type RSA Full / Type 1). It performs IBE-related key storage and key operations through extension interface functions, and provides the other cryptographic operations and computations through the CryptoSPI interface functions, converting data encryption and decryption requested under the registered asymmetric algorithm (RSA, say) into the corresponding IBE encryption and decryption. All other key operations and computations it completes by directly calling a Windows built-in CSP of the same type (for example Microsoft Strong Cryptographic Provider of type RSA Full). Specifically, when an application calls the IBE CSP through CryptoAPI for key operations or for encryption and decryption, the IBE CSP decides whether the request is IBE-related; if so, it handles it itself, otherwise it forwards it through the CryptoSPI interface to the built-in CSP of the same type, which is called the related CSP of the IBE CSP.
IBE key management client: its main functions are generating and signing the self-signed root CA certificate, generating and signing media certificates, and obtaining and storing IBE keys. For the sender (the encrypting side), it derives the recipient's (decrypting side's) IBE public key from the recipient's identifier, stores it, and generates the media certificate corresponding to that identifier for the encrypting application to use. For the identifier's owner (the recipient), it generates the corresponding media certificate from the identifier, obtains the identifier's IBE private key from the IBE key server, and stores the IBE key pair in the IBE CSP for the encrypting application to use.
IBE key server (IBE Key Server): authenticates the identifier's owner, verifies that it really owns the identifier, generates the IBE private key for the identifier and returns that private key to the owner over a secure channel.
IBE client installer: installs and configures the IBE CSP and the IBE key management client. During installation it makes the following change to the Windows registry:
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types, in the subkey for the CSP type that the IBE CSP registers as (for example Type 001, RSA Full), the default-provider value (Name) is set to the IBE CSP of the invention. This is a machine-wide change: every application that acquires a context of that type without naming a provider is thereafter routed through the IBE CSP, so it should be made only by an installer the user trusts, and an unexpected provider name in that value is something an administrator should treat as a possible CSP hijack.
The asymmetric algorithm referred to above is an asymmetric algorithm supported by X.509 certificates that can be used to encrypt symmetric keys or data, including but not limited to RSA and ECC;
The specific CSP type of that algorithm is a CSP type that provides the algorithm's cryptographic functions, including but not limited to the CSP types currently defined by Windows;
The IBE CSP extension interface functions are interface functions defined outside the CryptoSPI interface and dedicated to IBE key storage operations;
The media digital certificate is an X.509 encryption-purpose certificate issued with the private key of a self-signed root CA certificate generated by the user's own IBE key management client; the subject name of the issued certificate corresponds to the user's identifier;
The subject name of that self-signed root CA certificate is identical to its issuer name and is a fixed specific name, and its serial number is a fixed value;
The sender of encrypted data is the encrypting side, and the recipient of encrypted data is the decrypting side.
The sender can start the IBE key management client, enter the function for obtaining a recipient's media certificate and type in the recipient's identifier (an e-mail address, ID card number, etc.); the client then generates, signs and stores the media certificate for that identifier and generates and stores the recipient's IBE public key. Specifically:
After the sender has entered the recipient's identifier, the IBE key management client proceeds as follows:
A1. In the Trusted Root Certification Authorities store of the local certificate store, check whether a self-signed root CA certificate with the specific subject name used for issuing media certificates exists; if not, go to step A3; otherwise go to the next step;
A2. Check further whether that self-signed root certificate has a private key; if so, go to step A4; otherwise delete the root certificate and go to the next step;
A3. Call the related CSP (for example the Windows built-in RSA Full CSP) through CryptoAPI to generate a key pair for the corresponding asymmetric algorithm (RSA, say), and from it generate a self-signed CA certificate whose subject name equals its issuer name and is the predefined specific name, and whose serial number is generated from the hash of the subject and issuer names. After signing, place the self-signed root certificate in the Trusted Root Certification Authorities store of the local certificate store, then go to the next step. (Placing a locally generated root in that store makes the machine trust anything signed with it, not only media certificates, so the root's private key deserves the same protection as any other trust anchor.)
A4. Call the related CSP through CryptoAPI to generate a key pair for the corresponding asymmetric algorithm (an RSA key pair, say) and from it build a certificate to be signed: its subject name contains the recipient's identifier, its issuer name is the subject name of the self-signed root used for issuing media certificates, its serial number is generated from the hash of the subject and issuer names, and its Key Usage is set to Key Encipherment. Sign it with the root's private key to produce the media certificate;
A5. Call the certificate management DLL that Windows provides (crypt32.dll) to put the newly issued media certificate into the Other People store of the local certificate store, and, automatically (through an API) or manually, into the certificate storage of the specific application (for example the recipient's entry in the Outlook address book);
A6. Generate the recipient's IBE public key from the recipient's identifier and the IBE public parameters;
A7. Call the IBE CSP's extension interface to store the IBE public key from step A6 in the IBE CSP; besides the IBE public key, the call also passes the public key of the media certificate generated in step A4.
In step A7, when the IBE CSP receives the IBE public key storage request through the extension interface (a custom interface not defined in CryptoSPI), it proceeds as follows:
It creates a persistent IBE public key object for the key in storage such as the hard disk, and saves in that object the IBE public key, the media certificate public key passed in the call, and the hash of that public key.
Storing the media certificate's public key and its hash in the IBE public key object associates the IBE public key with the media certificate's public key: from then on, every key operation or encryption involving that media certificate public key is performed by the IBE CSP with the associated IBE public key. The media certificate public key associated with an IBE public key is called the shadow public key of that IBE public key.
The owner of the identifier (the recipient of encrypted data) starts the IBE key management client, enters the function for obtaining its own media certificate and types in its identifier; it thereby obtains the media certificate corresponding to the identifier and the IBE key pair corresponding to the identifier, and the client stores the IBE key pair in the IBE CSP.
After the owner has entered its identifier in the IBE key management client and requested a media certificate, the client and the IBE key server work through the following flow:
B1. The IBE key management client connects to the IBE key server over a secure channel (such as SSL) and requests the IBE private key for the user's identifier;
B2. The IBE key server requires the client to authenticate;
B3. The client submits the user's credential, such as an identity certificate or a user name and password, for authentication;
B4. After authenticating the client's user, the key server verifies in a predefined way that the user really owns the identifier;
B5. If both the authentication and the ownership verification pass, the key server generates the IBE private key for the identifier and returns it to the client over the secure channel; otherwise it returns an error;
B6. On receiving the user's IBE private key, the client extracts the relevant information from it, derives the corresponding IBE public key, and goes to the next step;
B7. The client checks whether the Trusted Root Certification Authorities store of the local certificate store holds a self-signed root CA certificate with the specific subject name used for issuing media certificates; if not, go to step B9; otherwise go to the next step;
B8. The client checks further whether that self-signed root certificate has a private key; if so, go to step B10; otherwise delete the root certificate and go to the next step;
B9. The client calls the related CSP (for example the Windows built-in CSP of type RSA Full) through CryptoAPI to generate a key pair for the corresponding asymmetric algorithm (an RSA key pair, say), and from it generates a self-signed CA certificate whose subject name equals its issuer name and is the predefined specific name, and whose serial number is generated from the hash of the subject and issuer names. After signing, it places the self-signed root certificate in the Trusted Root Certification Authorities store of the local certificate store and goes to the next step;
B10. The client calls the related CSP through CryptoAPI to generate a key pair for the corresponding asymmetric algorithm (an RSA key pair, say) and from it builds a certificate to be signed: its subject name contains the user's identifier, its issuer name is the subject name of the self-signed root, its serial number is generated from the hash of the subject and issuer names, and its Key Usage is set to Key Encipherment. It signs the certificate with the root's private key to produce the media certificate, then goes to the next step;
B11. The client calls the CSP extension interface to store the IBE key pair obtained above in the IBE CSP, passing, in addition to the key pair, a key container name and the public key of the media certificate just issued; once the IBE key has been stored successfully it goes to the next step;
B12. If the Personal (My) store of the local certificate store already holds a previously generated media certificate for the same identifier, the client removes it, then goes to the next step;
B13. The client calls the Windows certificate management interface to put the newly issued media certificate into the Personal (My) store, and sets the certificate's private-key provider information (its CERT_KEY_PROV_INFO_PROP_ID property): the CSP is the IBE CSP of the invention, the CSP type is the type the IBE CSP registered (RSA Full, say), the key container name is the container name passed to the IBE CSP in step B11 when the IBE key pair was stored, and the key purpose of the private key is Key Exchange.
In step B4, the ways in which the IBE key server may verify that the user really owns the identifier include, but are not limited to: sending a verification e-mail to the address and confirming that the applicant owns the mailbox; sending a verification SMS to the mobile number and confirming that the applicant owns the number; the user's account name on the key server being the identifier itself; the user having entered the identifier when creating the account and having proven ownership by other means; or the user logging in to the key server with an identity certificate that contains the identifier.
In step B11, on receiving the request to store the IBE key pair, the IBE CSP proceeds as follows:
B11.1. Create a persistent IBE key container in the storage medium whose container name is the name passed in the extension call; store the IBE key pair in it with key purpose Key Exchange; and also store in it the media certificate public key passed in the call together with its hash (thereby associating the IBE key pair with the media certificate's public key);
B11.2. Call the related CSP directly through CryptoSPI to create a persistent key container (an RSA key container) in it, and generate in that container a persistent key pair with purpose Key Exchange (an RSA key pair);
B11.3. Save the name of the container created in the related CSP in step B11.2 into the IBE key container created in step B11.1 (thereby associating the IBE key container with the container in the related CSP), then return.
The container created in the related CSP in step B11.2 is called the shadow key container of the IBE key container created in step B11.1. In the invention every IBE key container, whether temporary in memory or persistent on the storage medium, and whether or not it holds an IBE key pair, has a corresponding shadow key container created for and associated with it in the related CSP, and the two share the same life cycle (as the later description shows). If the IBE key container holds an IBE key pair, its shadow container holds a Key Exchange key pair (an RSA key pair) called the shadow key pair of that IBE key pair; the shadow key pair is not the key pair of the corresponding media certificate and has no direct relation to the IBE key pair.
Through step B13 the media certificate's private key is associated with an IBE key container, so every operation or cryptographic computation involving that private key is performed by the IBE CSP with the corresponding IBE private key.
Once the identifier's owner has generated the media certificate for its identifier with the IBE key management client, it can decrypt received encrypted data with the encrypting application.
The subject name, issuer name and serial number of the certificates are arranged in this particular way for the following reason. In certificate-based encryption, after the sender has encrypted the data, it places the subject name, issuer name and serial number of the recipient's certificate into the encrypted data (more precisely, alongside the encrypted symmetric key) in the form defined by PKCS#7. The recipient's encryption software uses that issuer name and serial number to find the matching certificate in the Personal store of the local certificate store, and then decrypts with the private key that the certificate's CSP holds. So for decryption to work, the media certificate the sender generated for the recipient and the media certificate the recipient generated for itself must have identical subject name, issuer name and serial number, whereas in the invention the key pairs of the two certificates may differ. Identical subject and issuer names are achieved by deriving the subject name from the identifier in an agreed way and by fixing the issuer name (the issuing CA has a fixed subject name); identical serial numbers are achieved by deriving the serial number from the hash of the subject and issuer names.
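The following is an added example, not code from the patent or its authors: a portable C simulation of the naming rule just described and of the shadow-public-key association from steps A4 to A7. Two media certificates for the same identifier are generated independently with different (stand-in) key pairs, yet they carry the same issuer name and serial number, so a PKCS#7 IssuerAndSerialNumber lookup in the recipient's store finds the recipient's own copy; and the hash of the certificate's public key resolves to the IBE public key stored beside it. The patent does not say which hash function it uses, so the non-cryptographic FNV-1a here is only a placeholder for the simulation; the root name "CN=IBE Media Root CA", the "E=" subject form and the integer keys in place of RSA keys are likewise assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed root name; the patent only requires that it be fixed and agreed. */
#define MEDIA_ROOT_NAME "CN=IBE Media Root CA"

typedef struct {
    char     subject[96];
    char     issuer[96];
    uint64_t serial;   /* hash(subject || issuer): every party derives the same value */
    uint64_t pubkey;   /* stand-in for the RSA public key, freshly generated by each party */
} media_cert_t;

/* Object the IBE CSP stores in step A7: the IBE public key, keyed by the hash of
 * the media certificate's public key (its "shadow public key"). */
typedef struct { uint64_t shadow_pubkey_hash; uint64_t ibe_pubkey; } ibe_pubkey_object_t;

/* Placeholder hash for the simulation; the patent leaves the hash unspecified and a
 * real deployment would use a cryptographic hash such as SHA-256. */
static uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Serial number derived from subject and issuer names, so it is reproducible anywhere. */
uint64_t media_serial(const char *subject, const char *issuer) {
    char buf[200];
    int n = snprintf(buf, sizeof buf, "%s|%s", subject, issuer);
    return fnv1a64(buf, (size_t)n);
}

/* Steps A3/B9: self-signed root whose subject equals its issuer. */
void make_media_root(media_cert_t *root, uint64_t fresh_pubkey) {
    snprintf(root->subject, sizeof root->subject, "%s", MEDIA_ROOT_NAME);
    snprintf(root->issuer, sizeof root->issuer, "%s", MEDIA_ROOT_NAME);
    root->serial = media_serial(root->subject, root->issuer);
    root->pubkey = fresh_pubkey;
}

/* Steps A4/B10: leaf whose subject carries the identifier and whose issuer is the root. */
void make_media_cert(media_cert_t *leaf, const char *identity, uint64_t fresh_pubkey) {
    snprintf(leaf->subject, sizeof leaf->subject, "E=%s", identity);
    snprintf(leaf->issuer, sizeof leaf->issuer, "%s", MEDIA_ROOT_NAME);
    leaf->serial = media_serial(leaf->subject, leaf->issuer);
    leaf->pubkey = fresh_pubkey;
}

uint64_t shadow_pubkey_hash(const media_cert_t *c) { return fnv1a64(&c->pubkey, sizeof c->pubkey); }

/* Recipient side: the IssuerAndSerialNumber lookup an S/MIME client does in its Personal store. */
const media_cert_t *find_by_issuer_serial(const media_cert_t *store, size_t n,
                                          const char *issuer, uint64_t serial) {
    for (size_t i = 0; i < n; i++)
        if (store[i].serial == serial && strcmp(store[i].issuer, issuer) == 0) return &store[i];
    return NULL;
}

/* Sender side inside the IBE CSP: an encrypt request against the shadow public key is
 * redirected to the associated IBE public key. Returns 1 when the association exists. */
int ibe_pubkey_for_shadow(const ibe_pubkey_object_t *objs, size_t n, uint64_t hash, uint64_t *out) {
    for (size_t i = 0; i < n; i++)
        if (objs[i].shadow_pubkey_hash == hash) { *out = objs[i].ibe_pubkey; return 1; }
    return 0;
}

/* Bob generates Alice's media certificate on his machine, Alice generates her own on hers.
 * Returns 1 if Alice's store lookup by Bob's IssuerAndSerialNumber finds her copy even
 * though the two certificates contain different keys. */
int cross_party_lookup_works(const char *identity) {
    media_cert_t on_sender, store[2];
    make_media_cert(&on_sender, identity, 0x1111);
    make_media_cert(&store[0], "bob@example.com", 0x3333);   /* an unrelated certificate */
    make_media_cert(&store[1], identity, 0x2222);
    const media_cert_t *hit = find_by_issuer_serial(store, 2, on_sender.issuer, on_sender.serial);
    return hit == &store[1] && hit->pubkey != on_sender.pubkey;
}

/* Returns 1 if the IBE CSP resolves the media certificate's public key to the IBE public key. */
int shadow_key_resolves(const char *identity) {
    media_cert_t c;
    ibe_pubkey_object_t obj;
    uint64_t pk = 0;
    make_media_cert(&c, identity, 0x1111);
    obj.shadow_pubkey_hash = shadow_pubkey_hash(&c);   /* what step A7 stores */
    obj.ibe_pubkey = 0xABCDu;                          /* stand-in IBE public key */
    return ibe_pubkey_for_shadow(&obj, 1, shadow_pubkey_hash(&c), &pk) && pk == 0xABCDu;
}

int main(void) {
    printf("cross-party lookup: %d, shadow key resolves: %d\n",
           cross_party_lookup_works("alice@example.com"), shadow_key_resolves("alice@example.com"));
    return 0;
}
```

The point to take from the simulation is that the certificate identifiers carry no trust of their own: anyone can reproduce the triple for any identifier, so the only thing that binds an identifier to a decryption capability is the IBE key server's ownership check in step B4.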
IBE CSP handles the calls that arrive through the CryptoSPI interface functions according to the following cases:
Case 1: for the operation of obtaining a key container handle through the interface function CPAcquireContext, processing depends on the key container name passed in the call:
If the container name passed in refers to a permanent IBE key container, IBE CSP first checks whether the input parameter dwFlags of the call is zero, CRYPT_SILENT or CRYPT_DELETEKEYSET, and returns an error if it is not. Otherwise it checks whether dwFlags is CRYPT_DELETEKEYSET; if so, it first deletes the corresponding shadow key container in the IBE-associated CSP by calling that CSP's CPAcquireContext directly, then deletes the permanent IBE key container named in the call together with its IBE key pair, and finally returns the result. If dwFlags is not CRYPT_DELETEKEYSET, it first creates an IBE key container object in memory, then obtains the IBE key pair (whose purpose is Key Exchange), the corresponding shadow public key and the hash value of that shadow public key from the permanent IBE key container named in the call, builds the corresponding data objects and stores them in (associates them with) the newly created in-memory IBE container object; it then obtains the handle of the corresponding shadow key container in the IBE-associated CSP by calling that CSP's CPAcquireContext, associates the returned shadow container handle with the newly created in-memory IBE container object, and finally returns the shadow container handle as the key container handle.
If the container name passed in does not refer to a permanent IBE key container, IBE CSP checks whether dwFlags is CRYPT_DELETEKEYSET; if so, it calls the CPAcquireContext of the IBE-associated CSP directly with the same input parameters, completes the operation and returns its result. Otherwise it first creates an IBE key container object in memory, then calls the CPAcquireContext of the IBE-associated CSP directly with the same input parameters to obtain the handle of the corresponding key container (this container is likewise called the shadow key container of the newly created in-memory IBE container, even though it is not associated with any IBE key pair), associates the returned handle with the newly created in-memory IBE container object, and finally returns that handle as the key container handle.
Case 2: for the operation of obtaining the handle of the key pair stored in a key container through the interface function CPGetUserKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container object created in memory, and returns an error if not. Otherwise it checks whether that IBE container holds an IBE key pair object; if so, it calls the CPGetUserKey of the IBE-associated CSP to obtain the key handle of the Key Exchange key pair (the shadow key pair) in the corresponding shadow container, associates the returned shadow key pair handle with the IBE key pair object in the IBE container, and returns the shadow key pair handle as the key pair handle. Otherwise it completes the operation by calling the CPGetUserKey of the IBE-associated CSP directly with the same input parameters and returns the key handle obtained.
Case 3: for the key import operation that imports a public key through the interface function CPImportKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks (for example by the hash value of the public key) whether this public key corresponds to a permanent IBE key container or a permanent IBE public key object, that is, whether the imported public key is the shadow public key of some IBE public key. If so, it creates an IBE public key object in memory and stores that object together with the shadow public key and its hash value in (associates them with) the IBE key container indicated by the container handle passed in; it then imports the public key into the corresponding shadow container in the IBE-associated CSP by calling that CSP's CPImportKey, associates the key handle returned for the imported public key with the newly created in-memory IBE public key object, and returns that key handle as the handle of the imported key. Otherwise it completes the operation by calling the CPImportKey of the IBE-associated CSP directly with the same input parameters and returns the key handle obtained.
Case 4: for the key import operation that imports a symmetric key through the interface function CPImportKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks whether the decryption key handle passed in refers to an IBE key pair object in the corresponding IBE container; if so, it first decrypts the encrypted symmetric key with the IBE private key of that IBE key pair object, then imports the symmetric key into the corresponding shadow container in the IBE-associated CSP by calling that CSP's CPImportKey, and returns the key handle returned for the imported key. Otherwise it completes the import by calling the CPImportKey of the IBE-associated CSP directly with the same input parameters and returns the key handle returned for the imported key.
Case 5: for the key export operation through the interface function CPExportKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks whether the handle of the key to be exported refers to an IBE public key object in IBE CSP; if so, it exports the shadow public key corresponding to that IBE public key. Otherwise it checks whether the handle of the key to be exported refers to an IBE key pair object in IBE CSP; if so, export is refused. Otherwise it checks whether the handle of the encryption key used to protect the exported key refers to an IBE public key object or an IBE key pair object; if so, it first exports the key to be exported from the IBE-associated CSP in plaintext through the corresponding interface function (or exports it as ciphertext and then decrypts it to plaintext), then encrypts the exported key with the corresponding IBE public key and returns the result. Otherwise it completes the operation by calling the CPExportKey of the IBE-associated CSP directly with the same input parameters.
Case 6: for the data encryption operation through the interface function CPEncrypt, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks whether the encryption key handle refers to an IBE public key object or an IBE key pair object in the IBE container; if so, it encrypts the data with the corresponding IBE public key and returns the encrypted result. Otherwise it completes the operation by calling the CPEncrypt of the IBE-associated CSP directly with the same input parameters.
Case 7: for the data decryption operation through the interface function CPDecrypt, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks whether the key object referred to by the decryption key handle is an IBE key pair in the IBE container; if so, it decrypts the data with the private key of that IBE key pair and returns the decrypted result. Otherwise it completes the operation by calling the CPDecrypt of the IBE-associated CSP directly with the same input parameters.
Case 8: for the operation of obtaining key parameters through the interface function CPGetKeyParam, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it checks whether the key handle to be queried refers to an IBE public key object or an IBE key pair object; if so, it returns the requested parameter according to the shadow public key corresponding to that IBE public key object or IBE key pair object. Otherwise it completes the operation by calling the CPGetKeyParam of the IBE-associated CSP directly with the same input parameters.
Case 9: for the operation of setting key parameters through the interface function CPSetKeyParam, IBE CSP checks whether the key handle whose parameter is to be set refers to an IBE public key object or an IBE key pair object in an IBE container; if so, the operation is refused. Otherwise it completes the operation by calling the CPSetKeyParam of the IBE-associated CSP directly with the same input parameters.
Case 10: for the key duplication operation through the interface function DuplicateKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it first calls the DuplicateKey of the IBE-associated CSP with the same input parameters to duplicate the key. After that call succeeds, it checks whether the handle of the key being duplicated refers to an IBE public key object created in memory in the current IBE container; if so, it duplicates that IBE public key object in memory, associates the handle of the duplicated key object returned by the IBE-associated CSP with the duplicated IBE public key object, and returns that handle as the handle of the duplicated key object. Otherwise it checks whether the handle of the key being duplicated refers to an IBE key pair object in the IBE container; if so, it associates the handle of the duplicated key object returned by the IBE-associated CSP's DuplicateKey with that IBE key pair object and returns it as the handle of the duplicated key object. Otherwise it returns the result of the DuplicateKey call of the IBE-associated CSP directly.
Case 11: for the operation of releasing a key handle through the interface function DestroyKey, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it first calls the DestroyKey of the IBE-associated CSP with the same input parameters to release the key handle. After that call succeeds, it checks whether the handle being released refers to an IBE public key object created in memory in the current IBE container; if so, it releases that IBE public key object and its key handle and returns success. Otherwise it checks whether the handle being released refers to an IBE key pair in the IBE container; if so, it releases that key handle and returns success. Otherwise it returns the result of the DestroyKey call of the IBE-associated CSP directly.
Case 12: for the operation of releasing a cryptographic context through the interface function CPReleaseContext, that is, releasing a key container handle, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it first calls the CPReleaseContext of the IBE-associated CSP to release the cryptographic context of the corresponding shadow container, then releases all key objects that the current IBE container created in memory as well as the current IBE container object itself, and returns success.
Case 13: for calls to any other interface function, IBE CSP first checks whether the container handle passed in refers to a valid IBE key container created in memory, and returns an error if not. Otherwise it completes the operation by calling the same interface function of the IBE-associated CSP with the same input parameters.
In the operations above, IBE CSP does not generate independent handles for its own data objects (key container objects, key pair objects, public key objects and so on); it directly uses the handle of the corresponding shadow data object in the IBE-associated CSP as the handle of its own data object. Alternatively, IBE CSP may generate and maintain independent handles for its data objects and keep a key handle mapping table that records the mapping between the handle of each IBE CSP data object and the handle of its shadow data object; when IBE CSP calls an interface function of the IBE-associated CSP, it then uses the mapped handle of the corresponding shadow data object (performing handle translation where needed).
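The routing described in cases 1, 2, 6, 7 and 12 and the reuse of shadow handles described in the paragraph above, modelled in Python as an added example; this is not code from the patent or from any Windows CSP. A `ShadowCSP` class stands in for the IBE-associated CSP, the IBE primitive is replaced by a clearly labelled XOR stand-in because the page names no IBE algorithm, and the `CRYPT_*` numeric values, container names and identities are constructed assumptions.

```python
import hashlib
from itertools import count

# dwFlags values of CPAcquireContext as named on the page; the numeric
# values are assumptions, only the names matter for the routing.
CRYPT_SILENT = 0x40
CRYPT_DELETEKEYSET = 0x10


class CSPError(Exception):
    """Raised wherever the page says the interface 'returns an error'."""


def ibe_stand_in(identity: str, data: bytes) -> bytes:
    """NOT an IBE algorithm (the page names none): XOR with a SHA-256
    keystream derived from the identity. It is its own inverse, so one
    function marks both 'encrypted by IBE' and 'decrypted by IBE'."""
    stream = hashlib.sha256(identity.encode("utf-8")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


class ShadowCSP:
    """Stand-in for the Windows-supplied CSP of the same type that IBE CSP
    delegates to (the IBE-associated CSP); its containers are the shadows."""

    def __init__(self):
        self.containers = {}          # handle -> {"name", "keys"}
        self._next = count(1)

    def acquire_context(self, name, flags):
        if flags & CRYPT_DELETEKEYSET:
            self.containers = {h: c for h, c in self.containers.items()
                               if c["name"] != name}
            return None
        h = next(self._next)
        self.containers[h] = {"name": name, "keys": set()}
        return h

    def get_user_key(self, hcont):    # handle of the container's Key Exchange pair
        hk = next(self._next)
        self.containers[hcont]["keys"].add(hk)
        return hk

    def encrypt(self, hkey, data):    # placeholder for the built-in algorithm
        return bytes(b ^ 0x5A for b in data)

    decrypt = encrypt

    def release_context(self, hcont):
        self.containers.pop(hcont, None)


class IBECSP:
    """Routes each CryptoSPI call either to IBE or to the shadow CSP."""

    def __init__(self, shadow: ShadowCSP, permanent: dict):
        self.shadow = shadow
        self.permanent = dict(permanent)   # permanent IBE containers: name -> identity
        self.containers = {}               # shadow handle -> in-memory IBE container object
        self.ibe_keys = {}                 # key handle -> identity whose IBE key pair it names

    def _container(self, hcont):
        if hcont not in self.containers:
            raise CSPError("handle does not name a live IBE container object")
        return self.containers[hcont]

    def acquire_context(self, name, flags):            # case 1
        if name in self.permanent:
            if flags not in (0, CRYPT_SILENT, CRYPT_DELETEKEYSET):
                raise CSPError("flags not allowed on a permanent IBE container")
            if flags == CRYPT_DELETEKEYSET:
                self.shadow.acquire_context(name, flags)   # shadow container first
                del self.permanent[name]                   # then IBE container and key pair
                return None
            identity = self.permanent[name]
        else:
            if flags & CRYPT_DELETEKEYSET:
                return self.shadow.acquire_context(name, flags)   # pure pass-through
            identity = None
        h = self.shadow.acquire_context(name, flags)
        self.containers[h] = {"name": name, "identity": identity, "keys": []}
        return h   # the shadow handle doubles as the IBE container handle

    def get_user_key(self, hcont):                      # case 2
        cont = self._container(hcont)
        hk = self.shadow.get_user_key(hcont)
        if cont["identity"] is not None:
            self.ibe_keys[hk] = cont["identity"]        # shadow handle <-> IBE key pair
        cont["keys"].append(hk)
        return hk

    def encrypt(self, hcont, hkey, data):               # case 6
        self._container(hcont)
        if hkey in self.ibe_keys:
            return ibe_stand_in(self.ibe_keys[hkey], data)
        return self.shadow.encrypt(hkey, data)

    def decrypt(self, hcont, hkey, data):               # case 7
        self._container(hcont)
        if hkey in self.ibe_keys:
            return ibe_stand_in(self.ibe_keys[hkey], data)
        return self.shadow.decrypt(hkey, data)

    def release_context(self, hcont):                   # case 12
        cont = self._container(hcont)
        self.shadow.release_context(hcont)
        for hk in cont["keys"]:
            self.ibe_keys.pop(hk, None)                 # drop the association only
        del self.containers[hcont]


def raises_csp_error(fn, *args) -> bool:
    try:
        fn(*args)
    except CSPError:
        return True
    return False
```

The point to observe is that the application never sees an IBE handle: every handle it holds is a shadow handle, and the `ibe_keys` map is what turns an ordinary-looking CPEncrypt or CPDecrypt into an IBE operation. Releasing the context drops those associations so a stale handle cannot reach the IBE key pair afterwards.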
When IBE is used to encrypt a data block (mainly a symmetric key), the random parameters required for decryption must be stored in the encrypted data. If the asymmetric algorithm that IBE CSP registers is RSA, then, because an IBE-encrypted data block is shorter than an RSA-encrypted data block, a random string can be appended after one or more IBE-encrypted blocks so that the boundaries of the IBE-encrypted data align with the RSA block boundaries.
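The alignment described above, as an added example that is not the patent's code: fixed-size IBE ciphertext blocks are packed into RSA-block-sized frames with random filler and unpacked on the receiving side. The block sizes (a constructed 48-byte IBE block and a 128-byte RSA block) and the block count given to the unpacker are assumptions; the page states only that an IBE block is shorter than an RSA block.

```python
import secrets


def frame_ibe_blocks(ibe_blocks, ibe_len, rsa_len):
    """Pack fixed-size IBE ciphertext blocks into RSA-block-sized frames.
    Each frame holds as many whole IBE blocks as fit; the remainder of the
    frame is random filler, so frame boundaries coincide with RSA block
    boundaries. Raises ValueError for blocks of the wrong size."""
    if ibe_len > rsa_len:
        raise ValueError("an IBE block must not be longer than an RSA block")
    per_frame = rsa_len // ibe_len
    out = bytearray()
    for i in range(0, len(ibe_blocks), per_frame):
        group = ibe_blocks[i:i + per_frame]
        if any(len(b) != ibe_len for b in group):
            raise ValueError("all IBE blocks must have the declared length")
        frame = b"".join(group)
        out += frame + secrets.token_bytes(rsa_len - len(frame))  # random filler
    return bytes(out)


def unframe_ibe_blocks(data, ibe_len, rsa_len, n_blocks):
    """Recover the first n_blocks IBE blocks from framed data. The receiver
    knows n_blocks from context (assumed here: one block per wrapped key);
    the filler is skipped by position, never interpreted."""
    per_frame = rsa_len // ibe_len
    blocks = []
    for start in range(0, len(data), rsa_len):
        frame = data[start:start + rsa_len]
        for k in range(per_frame):
            if len(blocks) == n_blocks:
                return blocks
            blocks.append(frame[k * ibe_len:(k + 1) * ibe_len])
    return blocks
```

Because the receiver locates blocks by position, the filler can be anything; random bytes are used so the framed output carries no predictable structure alongside the ciphertext.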
With the IBE encryption system of the present invention, the data encryption process on the encrypting side (the sender) is as follows:
C1. When the sender's certificate-based encryption software encrypts data to be sent, it searches the local certificate repository, or the application-specific certificate store (for example the Outlook address book), for the recipient's digital certificate (for example by the recipient's e-mail address) and prompts the user to select it. If a medium digital certificate corresponding to the recipient's identity is present in the store, then once the sender has selected it the encryption software automatically calls IBE CSP through CryptoAPI to encrypt the data with the public key of the medium digital certificate, and IBE CSP performs the operation with the corresponding IBE public key. If the recipient's medium digital certificate is not present in the store, go to step C2.
C2. The sender starts the IBE key management client, enters the function for obtaining the recipient's medium digital certificate and inputs the recipient's identity; after the management tool reports success, return to step C1.
The decryption process on the recipient's side is as follows:
D1. After receiving the encrypted data, the recipient decrypts it with the encryption application software (for example Outlook). If the application can find in the Personal (My) store of the local certificate repository a medium digital certificate corresponding to the certificate used for encryption (by the certificate subject, issuer and serial number carried in the encrypted symmetric key information; not necessarily the same certificate, since the certificate key pairs need not be identical), and the certificate's entry in the local certificate repository indicates that its private key lives in IBE CSP, then the application calls IBE CSP through CryptoAPI and requests decryption with the private key corresponding to the medium digital certificate, and IBE CSP performs the decryption with the corresponding IBE private key. If the application cannot find the medium digital certificate corresponding to the encryption in the Personal store, or finds it but the decryption operation reports that the private key does not exist, go to step D2.
D2. The recipient starts the IBE key management client, enters the function for obtaining its own medium digital certificate and inputs its identity information; after the management tool reports success, return to step D1.
The characteristic and novelty of the present invention are that it solves the difficulty of using IBE technology in operating systems and application systems that do not support IBE encryption; its innovation lies in using the medium digital certificate as a bridge and, together with it, developing an IBE CSP that realizes IBE-based data encryption and decryption.
Description of drawings
Fig. 1 is the overall structure diagram of the system of the present invention.
Embodiment
The invention is further described below with reference to the drawing and an implementation.
The structure of the system of the present invention is shown in Fig. 1; the IBE key server, IBE key management client, IBE CSP and IBE client installation software in the figure are the content of the present invention. The function and workflow of each part are described in the summary of the invention above; their specific implementation is described below.
The IBE key server is a service system based on the C/S model; its client is the IBE key management client. It can be built with common information-system development technology, such as C/C++, C# .Net or J2EE development languages and environments and relational database technology. IBE key generation can follow the RFC 5091 standard and may be implemented in software or in hardware. Communication between the IBE key server and the IBE key management client can use existing secure encrypted channel technology such as SSL.
Before a user can obtain a private key from the IBE key server, the user must first register as a user of the IBE key service; once approved, the user can log in to the IBE system with identity credentials (such as user name/password or a digital certificate) and register one or more identities. After a registered identity has been verified, by some means, to belong to that registered user, the user can log in to the IBE key server with the IBE key management client and obtain the IBE private key corresponding to the identity. User registration, user authentication and verification of identity ownership are implemented like those of an ordinary customer information management system and need no further explanation.
The IBE key management client can be developed in C/C++. Its modification of the registry and its generation, issuance and storage of medium digital certificates (such as medium RSA or ECC certificates) can be implemented with the corresponding interfaces provided by Windows.
IBE CSP can be developed with the CSP development standards, process and tools provided by Microsoft. Besides the interface functions defined by CryptoSPI, the IBE CSP of the present invention also defines extension interface functions for storing IBE public keys and IBE key pairs; in addition to storing them, these extension interfaces associate the IBE public key or key pair with the public key of the corresponding medium digital certificate. Possible prototypes of these two interface functions are shown below:
(Figure: prototypes of the two extension interface functions; the image is not reproduced in the text.)
IBE_PublicKeySt is a structure holding an IBE public key; Cert_PublicKeySt is a structure holding the public key of the medium certificate and contains a flag indicating the type of the corresponding asymmetric cryptographic algorithm; KeyPairSt is a structure holding an IBE key pair; pszContainer is an input parameter holding the name of the IBE key container.
For a call that stores an IBE key pair, IBE CSP creates a permanent IBE key container to hold the key pair, whose purpose is Key Exchange, and also stores in that container the public key of the corresponding medium digital certificate and the hash value of that public key; the hash is later used to judge whether a given public key corresponds to the IBE key pair in the IBE key container.
For a call that stores an IBE public key, IBE CSP likewise creates a permanent IBE public key object on a storage medium such as a hard disk (unlike an ordinary CSP) to hold the IBE public key, and stores alongside it the public key of the corresponding medium digital certificate and its hash value, which are later used to judge whether a given public key corresponds to the IBE public key in the IBE public key object.
To keep track of every data object that IBE CSP creates in memory (key containers, key pairs, public keys and so on) together with its handle, IBE CSP maintains a global table (static or dynamic, for example a linked list) that holds (pointers to) all data objects IBE CSP manages and their corresponding handles, so that an object can be located from its handle. Similarly, each key container maintains a table of the data objects associated with that container and their handles. Each data object carries the following fields: object type; object handle; and a pointer to the parent data object (for a key pair object, the parent is the key container object that holds it).
The remaining operation logic, functions and data structures of IBE CSP are straightforward to implement from the description in the summary of the invention.
The IBE client installation software can be implemented with the corresponding Microsoft SDK and development interfaces: registry modification and certificate repository operations can be done by calling the corresponding Windows interfaces, and storing the medium digital certificate in the application-specific certificate store of a particular encryption application can be done through the interfaces that the application provides.
The flows involving the components (modules) of the encryption system can be implemented according to the corresponding description in the summary of the invention.
Other aspects of the technical implementation are self-explanatory to developers in the related field.

Claims (10)

1. An IBE data encryption system based on a medium digital certificate, the system consisting of the following four parts:
IBE CSP: a Windows CSP registered as a specific CSP type that provides a certain asymmetric cryptographic algorithm; it performs IBE key storage operations through extension interface functions and provides all other cryptographic operations and computations through the CryptoSPI interface functions, where data encryption and decryption operations based on the stated asymmetric cryptographic algorithm are converted into the corresponding IBE-based data encryption and decryption operations, and all other key operations and cryptographic computations are completed by calling, through CryptoSPI, a Windows built-in CSP of the same type; that built-in CSP of the same type is called the IBE-associated CSP;
IBE key management client: responsible for generating and signing the self-signed root CA digital certificate, generating and signing medium digital certificates, and obtaining and storing IBE keys; on the sender's side it generates the recipient's IBE public key from the recipient's identity, stores it in the local computer system, and generates the medium digital certificate corresponding to the identity for use by the encryption application software; for the identity owner, that is, the recipient of encrypted data, it generates the corresponding medium digital certificate from the identity, obtains the IBE private key corresponding to the identity from the IBE key server, and stores the IBE key in IBE CSP for use by the encryption application software;
IBE key server: responsible for authenticating the identity owner, verifying that it is the real owner of the identity, generating the IBE private key for the identity and returning the IBE private key to the identity owner over a secure channel;
IBE client installation software: responsible for installing and configuring IBE CSP and the IBE key management client;
the asymmetric cryptographic algorithm refers to an asymmetric cryptographic algorithm supported by X.509 certificates that can be used for symmetric key or data encryption and decryption;
the specific CSP type of the asymmetric cryptographic algorithm refers to a specific CSP type that provides the cryptographic functions of that asymmetric cryptographic algorithm;
the extension interface functions of IBE CSP are interface functions, defined outside the CryptoSPI interface functions, that are dedicated to IBE key storage operations;
the medium digital certificate is an encryption-purpose digital certificate conforming to the X.509 standard, issued with the private key of a self-signed root CA certificate generated by the user's own IBE key management client, and the subject of the issued certificate corresponds to the user's identity;
the subject and issuer name of the self-signed root CA certificate are identical and have a fixed, specific name, and the serial number of the self-signed root CA certificate has a fixed value;
the sender of encrypted data is the party that encrypts the data, and the recipient of encrypted data is the party that decrypts it.
2. The IBE data encryption system based on a medium digital certificate according to claim 1, characterized in that during installation the IBE client installation software makes the following modification to the Windows registry:
under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider Types, the default CSP recorded in the value of the sub-key corresponding to the CSP type of IBE CSP is set to IBE CSP.
3. The IBE data encryption system based on a medium digital certificate according to claim 1, characterized in that after the sender of encrypted data starts the IBE key management client, enters the function for obtaining the recipient's medium digital certificate and inputs the recipient's identity, the IBE key management client generates, issues and stores the medium digital certificate corresponding to the recipient's identity, and generates and stores the IBE public key corresponding to the recipient's identity, by the following flow:
Step 1. In the Trusted Root Certification Authorities store of the local certificate repository, check whether there is a self-signed root CA certificate with the specific subject name that is used for issuing medium digital certificates; if not, go to step 3; otherwise go to the next step;
Step 2. Check further whether this self-signed root CA certificate has a private key; if so, go to step 4; otherwise delete the self-signed root CA certificate and go to the next step;
Step 3. Call the IBE-associated CSP through CryptoAPI to generate a key pair and generate from it a self-signed root CA digital certificate whose subject and issuer name are identical and have the predefined specific name, and whose serial number is derived from the hash value of the subject and issuer name; after the self-signed root CA digital certificate has been generated and signed, place it in the Trusted Root Certification Authorities store of the local certificate repository, then go to the next step;
Step 4. Call the IBE-associated CSP through CryptoAPI to generate a key pair and generate from it a digital certificate to be signed whose subject contains the recipient's identity information, whose issuer name is the subject of the self-signed root CA certificate, and whose serial number is derived from the hash value of the subject and issuer name, with the certificate's key usage set to key encipherment; then sign the certificate to be signed with the private key of the self-signed root CA certificate to produce a medium digital certificate;
Step 5. Call the certificate management DLL (dynamic link library) provided by Windows to place the newly issued medium digital certificate in the Other People store of the local certificate repository, and place the certificate in the application-specific certificate store by corresponding automatic or manual means;
Step 6. Generate the recipient's IBE public key from the recipient's identity and the IBE public parameters;
Step 7. Call the extension interface of IBE CSP to store the IBE public key produced in step 6 in IBE CSP; besides the IBE public key, the call parameters also carry the public key of the medium digital certificate generated in step 4;
In above step, be to generate the IBE PKI earlier or generate the media digital certificate earlier, its sequencing is inessential.
4. The IBE data encryption system based on a media digital certificate according to claim 3, characterized in that: when the IBE key management client deposits the IBE public key into the IBE CSP through the extension interface of the IBE CSP in step 7, the IBE CSP extension interface function performs the following operations:
It creates a permanent IBE public key object in the storage medium for this IBE public key and saves the IBE public key supplied in the interface into this object; at the same time it saves the public key of the media digital certificate submitted in the interface call, together with the hash value of that public key, into the same permanent IBE public key object, so that the permanent IBE public key object is associated with, and corresponds to, the public key of the media digital certificate that was passed in;
The public key of the media digital certificate that corresponds to and is associated with an IBE public key in this way is called the shadow public key of that IBE public key.
5. The IBE data encryption system based on a media digital certificate according to claim 1, characterized in that: when the owner of an identity label, that is, the recipient of encrypted data, starts the IBE key management client, enters the function for obtaining his own media digital certificate and inputs his own identity information, the IBE key management client and the IBE key server generate the media digital certificate corresponding to the identity label, produce the IBE key pair corresponding to the identity label, and save the IBE key pair into the IBE CSP, according to the following flow:
Step 1. The IBE key management client connects to the IBE key server in a secure manner and applies for the IBE private key corresponding to the user's identity label;
Step 2. The IBE key server requires the client to perform identity authentication;
Step 3. The IBE key management client submits the user's identity credentials for identity authentication;
Step 4. After authenticating the identity of the client user, the IBE key server verifies, in a predefined manner, that the user really is the owner of the identity label;
Step 5. If both the user identity authentication and the verification of identity label ownership pass, the IBE key server produces the IBE private key corresponding to the identity label for the user and returns the IBE private key to the IBE key management client through a secure channel; otherwise, it returns an error message;
Step 6. After receiving the user's IBE private key, the IBE key management client extracts the relevant information from the IBE private key, produces the corresponding IBE public key, and then goes to the next step;
Step 7. The IBE key management client checks whether the Trusted Root Certification Authorities store of the local certificate repository contains the self-signed root CA certificate, with the predefined specific subject name, that is used for issuing media digital certificates; if not, it goes to step 9; otherwise, it goes to the next step;
Step 8. The IBE key management client further checks whether this self-signed root CA certificate has a private key; if it does, it goes to step 10; otherwise, it deletes this self-signed root CA certificate and goes to the next step;
Step 9. The IBE key management client calls the IBE-associated CSP through CryptoAPI to generate a key pair, and generates a self-signed root CA digital certificate from this key pair; the subject name of this CA certificate is identical to its issuer name and is the predefined specific name, and the certificate serial number is produced from the hash value of the subject and issuer names; after the self-signed root CA digital certificate has been generated and signed, it puts it into the Trusted Root Certification Authorities store of the local certificate repository, then goes to the next step;
Step 10. The IBE key management client calls the IBE-associated CSP through CryptoAPI to generate a key pair, and generates a to-be-signed digital certificate from this key pair; the subject name of this digital certificate contains the recipient's identity label, the issuer name is the subject name of the self-signed root CA certificate, the certificate serial number is produced from the hash value of the subject and issuer names, and the key usage of the certificate is set to key encipherment; it then signs the to-be-signed certificate with the private key of the self-signed root CA certificate to produce a media digital certificate, and afterwards goes to the next step;
Step 11. The IBE key management client calls the extension CSP interface to deposit the IBE key pair obtained in the preceding steps into the IBE CSP; when calling the extension interface, besides the IBE key pair, it also supplies a key container identifier and the public key of the media digital certificate just issued; this public key is called the shadow public key of the IBE key pair; after the IBE key pair has been saved successfully, it goes to the next step;
Step 12. If the Personal store of the local certificate repository contains a media digital certificate generated earlier that corresponds to the same identity label, the IBE key management client removes that certificate, then goes to the next step;
Step 13. The IBE key management client calls the certificate management interface of Windows to deposit the newly issued media digital certificate into the Personal store of the local certificate repository; the CSP for private key storage of the certificate is set to the IBE CSP described in claim 1, the type of the private key storage CSP is set to the CSP type corresponding to the IBE CSP, the key container identifier of the private key is set to the key container identifier supplied when the extension interface was called in step 11 to save the user's IBE key pair in the IBE CSP, and the key usage of the private key is set to key exchange;
In the above steps, whether the IBE key pair or the media digital certificate is generated first is immaterial.
6. The IBE data encryption system based on a media digital certificate according to claim 5, characterized in that: when the IBE key management client calls the IBE CSP extension interface in step 11 to save the IBE key pair, the IBE CSP extension interface performs the following operations:
Step 1. Create a permanent IBE key container in the storage medium whose key container identifier is the key container identifier passed in when the extension interface was called, store the IBE key pair supplied in the interface into this key container with the key pair's usage being key exchange, and further deposit the public key of the media digital certificate submitted in the interface call, together with its hash value, into this IBE key container, so that the key container and the IBE key pair in it are associated with the public key of the media digital certificate that was passed in;
Step 2. Directly call the IBE-associated CSP through CryptoSPI to produce a permanent key container in it, which is called the shadow key container of the IBE key container created in step 1; then produce in this shadow key container a permanent key pair whose usage is key exchange, which is called the shadow key pair of the corresponding IBE key pair;
Step 3. Save the identifier of the key container produced in step 2 into the IBE key container generated in step 1, so that the shadow key container produced in the IBE-associated CSP is associated with the IBE key container produced in step 1, and then return.
7. The IBE data encryption system based on a media digital certificate according to claim 1, characterized in that: the IBE CSP handles calls of its interface functions made through the CryptoSPI interface according to the following different situations:
Situation 1: for the operation of obtaining a key container handle through the interface function CPAcquireContext, process according to the key container identifier passed in the interface call as follows:
If the key container identifier passed in points to a permanent IBE key container, further check whether the value of the input parameter dwFlags of the interface call is zero, CRYPT_SILENT or CRYPT_DELETEKEYSET; if it is none of these, return an error; otherwise, check again whether the value of dwFlags is CRYPT_DELETEKEYSET; if so, first delete the corresponding shadow key container in the IBE-associated CSP by directly calling the interface function CPAcquireContext of the IBE-associated CSP, then delete the permanent IBE key container pointed to by the key container identifier passed in, together with its IBE key pair, and finally return the result; otherwise, first create an IBE key container object in memory, then obtain the IBE key pair, the corresponding shadow public key and the hash value of that public key from the permanent IBE key container pointed to by the key container identifier, generate the corresponding data objects, and save and associate these data objects with the IBE key container object just created in memory, the usage of the IBE key pair being key exchange; then obtain the handle of the corresponding shadow key container in the IBE-associated CSP by directly calling the interface function CPAcquireContext of the IBE-associated CSP, associate the returned shadow key container handle with the IBE key container object just created in memory, and finally return the handle of the shadow key container as the key container handle;
If the key container identifier passed in does not point to a permanent IBE key container, further check whether the value of the input parameter dwFlags is CRYPT_DELETEKEYSET; if so, directly call the CPAcquireContext interface function of the IBE-associated CSP with the same input parameters, complete the operation and return its result; otherwise, first create an IBE key container object in memory, then directly call the interface function CPAcquireContext of the IBE-associated CSP with the same input parameters to obtain the handle of the corresponding key container, this key container likewise being called the shadow key container of the IBE key container object just created in memory; then associate the returned shadow key container handle with the IBE key container object just created in memory, and finally return the returned shadow key container handle as the key container handle;
Situation 2: for the operation of obtaining the handle of the key pair stored in a key container through the interface function CPGetUserKey, first check whether the key container handle passed in points to a valid IBE key container object created in memory; if not, return an error; otherwise, further check whether the IBE key container pointed to contains an IBE key pair object; if so, obtain the key handle of the shadow key pair with key exchange usage in the corresponding shadow key container by calling the interface function CPGetUserKey of the IBE-associated CSP, associate the returned shadow key pair handle with the IBE key pair object in the IBE key container, and then return the returned shadow key pair handle as the key pair handle; otherwise, complete the operation by directly calling the interface function CPGetUserKey of the IBE-associated CSP with the same input parameters and return the key handle that the call returns;
Situation 3: for a key import operation that imports a public key through the interface function CPImportKey, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check by the hash value of the imported public key whether this public key corresponds to a permanent IBE key container or a permanent IBE public key object, that is, whether the imported public key is the shadow public key of an IBE public key; if so, create an IBE public key object in memory, save and associate this IBE public key object, the imported public key and the hash value of this public key with the IBE key container indicated by the key container handle passed in, then import the public key into the corresponding shadow key container in the IBE-associated CSP by calling the interface function CPImportKey of the IBE-associated CSP, associate the key handle of the imported public key returned by the call with the IBE public key object just created in memory, and then return this key handle as the handle of the imported public key; otherwise, complete the operation by directly calling the interface function CPImportKey of the IBE-associated CSP with the same input parameters and return the key handle that the call returns;
Situation 4: for a key import operation that imports a symmetric key through the interface function CPImportKey, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check whether the decryption key handle passed in points to an IBE key pair object in the corresponding IBE key container; if so, first decrypt the encrypted symmetric key with the IBE private key of this IBE key pair object, then import the symmetric key into the corresponding shadow key container in the IBE-associated CSP by calling the interface function CPImportKey of the IBE-associated CSP, and return the key handle of the imported symmetric key returned by the call; otherwise, complete the import of the symmetric key by directly calling the interface function CPImportKey of the IBE-associated CSP with the same input parameters and return the key handle of the imported symmetric key returned by the call;
Situation 5: for the operation of exporting a key through the interface function CPExportKey, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check whether the handle of the key to be exported points to an IBE public key object in the IBE CSP; if so, export the shadow public key corresponding to this IBE public key; otherwise, further check whether the handle of the key to be exported points to an IBE key pair object in the IBE CSP; if so, forbid the export; otherwise, further check whether the handle of the encryption key used to encrypt the exported key points to an IBE public key object or an IBE key pair object; if so, first export the key to be exported from the IBE-associated CSP in plaintext form through the corresponding interface function (or export it in ciphertext form first and then decrypt it to plaintext), then encrypt the exported key with the corresponding IBE public key and return the result; otherwise, complete the operation by directly calling the interface function CPExportKey of the IBE-associated CSP with the same input parameters;
Situation 6: for the data encryption operation through the interface function CPEncrypt, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check whether the encryption key handle points to an IBE public key object or an IBE key pair object in the IBE key container; if so, encrypt the data with the corresponding IBE public key and return the encrypted result; otherwise, complete the operation by directly calling the interface function CPEncrypt of the IBE-associated CSP with the same input parameters;
Situation 7: for the data decryption operation through the interface function CPDecrypt, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check whether the key object pointed to by the decryption key handle is an IBE key pair in the IBE key container; if so, decrypt the data with the private key of this IBE key pair and return the decrypted result; otherwise, complete the operation by directly calling the interface function CPEncrypt of the IBE-associated CSP with the same input parameters;
Situation 8: for the operation of obtaining key parameters through the interface function CPGetKeyParam, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, further check whether the key handle to be queried points to an IBE public key object or an IBE key pair object; if so, return the relevant parameters according to the shadow public key corresponding to this IBE public key object or IBE key pair object; otherwise, complete the operation by directly calling the interface function CPGetKeyParam of the IBE-associated CSP with the same input parameters;
Situation 9: for the operation of setting key parameters through the interface function CPSetKeyParam, check whether the key handle whose parameter is to be set points to an IBE public key object or an IBE key pair object in the IBE key container; if so, refuse the operation; otherwise, complete the operation by directly calling the interface function CPSetKeyParam of the IBE-associated CSP with the same input parameters;
Situation 10: for the operation of duplicating a key through the interface function DuplicateKey, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, first call the interface function DuplicateKey of the IBE-associated CSP with the same input parameters to duplicate the key; after the call succeeds, check again whether the key handle of the key to be duplicated points to an IBE public key object created in memory in the current IBE key container; if so, duplicate this IBE public key object in memory, associate the handle of the duplicated key object returned by the IBE-associated CSP's duplication call with the IBE public key object just duplicated, and then return this key object handle as the handle of the duplicated key object; otherwise, further check whether the key handle to be duplicated points to an IBE key pair object in the IBE key container; if so, associate the handle of the duplicated key object returned by the IBE-associated CSP's DuplicateKey call with this IBE key pair object, and then return that handle as the handle of the duplicated key object; otherwise, directly return the result of calling the interface function DuplicateKey of the IBE-associated CSP;
Situation 11: for the operation of releasing a key handle through the interface function DestroyKey, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, first call the interface function DestroyKey of the IBE-associated CSP with the same input parameters to release the key handle; after the call succeeds, check again whether the key handle to be released points to an IBE public key object created in memory in the current IBE key container; if so, release this IBE public key object and its key handle and return success; otherwise, further check whether the key handle to be released points to the IBE key pair in the IBE key container; if so, release this key handle and return success; otherwise, directly return the result of calling the interface function DestroyKey of the IBE-associated CSP;
Situation 12: for the operation of releasing the cryptographic context through the interface function CPReleaseContext, that is, releasing the key container handle, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, first call the interface function CPReleaseContext of the IBE-associated CSP to release the cryptographic context of the corresponding shadow key container, then release all key objects created in memory for the current IBE key container as well as the current IBE key container object itself, and then return success;
Situation 13: for calls of any other interface function, first check whether the key container handle passed in points to a valid IBE key container created in memory; if not, return an error; otherwise, complete the operation by calling the same interface function of the IBE-associated CSP with the same input parameters.
8. The IBE data encryption system based on a media digital certificate according to claim 1, characterized in that: the IBE CSP adopts one of the following two modes to maintain the handles of its various data objects:
Mode 1: the IBE CSP does not produce independent object handles for its various data objects, but directly uses the handle of the corresponding shadow data object in the IBE-associated CSP as the handle of its own data object;
Mode 2: the IBE CSP produces and maintains independent data object handles for its various data objects, and additionally maintains a key handle mapping table that stores the mapping between the handle of each data object in the IBE CSP and the handle of its shadow data object; when the IBE CSP calls an interface function of the IBE-associated CSP to perform an operation and a handle conversion is needed, the call uses the mapped handle of the corresponding shadow data object.
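The dispatch rules of claim 7 and the mode 2 handle table of claim 8 can be modelled without any Windows dependency. The following is an added example, not the patent's code: ShadowCSP is a constructed in-memory stand-in for the IBE-associated CSP that only keeps containers and key handles, IBECSP is the front CSP that owns its own handle space and maps each handle to a shadow handle, and the class, method and attribute names are assumptions. Only IBE public key objects are modelled (no IBE key pairs and no ciphers), because what the example shows is recognition of a shadow public key by its hash (situation 3), export of the shadow public key for an IBE object (situation 5), refusal of parameter changes on IBE objects (situation 9), and the duplicate, destroy and release-context lifecycle (situations 10 to 12).

```python
"""Model of the IBE CSP front end of claims 7 and 8 (mode 2 handle table).
Added illustration, not the patent's code; ShadowCSP is a constructed stand-in."""
import hashlib
import itertools


class ShadowCSP:
    """Constructed stand-in for the IBE-associated CSP: containers and handles only."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.keys = {}       # shadow key handle -> public key bytes
        self.contexts = {}   # shadow context handle -> set of key handles

    def acquire_context(self):
        h = next(self._ids)
        self.contexts[h] = set()
        return h

    def import_key(self, ctx, pub):
        h = next(self._ids)
        self.keys[h] = pub
        self.contexts[ctx].add(h)
        return h

    def export_key(self, key):
        return self.keys[key]

    def duplicate_key(self, ctx, key):
        return self.import_key(ctx, self.keys[key])

    def destroy_key(self, key):
        del self.keys[key]

    def release_context(self, ctx):
        for key in self.contexts.pop(ctx):
            self.keys.pop(key, None)


def pubkey_hash(pub):
    """Lookup key that identifies a shadow public key (claim 4; claim 7, situation 3)."""
    return hashlib.sha256(pub).hexdigest()


class IBECSP:
    """Front CSP with its own handles mapped to shadow handles (claim 8, mode 2)."""

    def __init__(self, shadow, permanent):
        # permanent: (shadow_public_key, ibe_public_key) pairs, i.e. the permanent
        # IBE public key objects of claim 4, indexed here by shadow key hash.
        self.shadow = shadow
        self.permanent = {pubkey_hash(s): ibe for s, ibe in permanent}
        self._ids = itertools.count(0x1000)
        self.handle_map = {}   # IBE CSP handle -> shadow handle (the mapping table)
        self.objects = {}      # IBE CSP key handle -> ("ibe_pub", ibe_pub) | ("plain", None)
        self.containers = {}   # IBE CSP context handle -> set of key handles

    def _new_handle(self, shadow_handle):
        h = next(self._ids)
        self.handle_map[h] = shadow_handle
        return h

    def _check_ctx(self, ctx):
        if ctx not in self.containers:
            raise ValueError("invalid IBE key container handle")

    def CPAcquireContext(self):
        ctx = self._new_handle(self.shadow.acquire_context())
        self.containers[ctx] = set()
        return ctx

    def CPImportKey(self, ctx, pub):
        # Situation 3: a public key whose hash matches a permanent IBE public key
        # object is that IBE public key's shadow public key.
        self._check_ctx(ctx)
        ibe_pub = self.permanent.get(pubkey_hash(pub))
        key = self._new_handle(self.shadow.import_key(self.handle_map[ctx], pub))
        self.objects[key] = ("ibe_pub", ibe_pub) if ibe_pub else ("plain", None)
        self.containers[ctx].add(key)
        return key

    def is_ibe_public_key(self, key):
        return self.objects.get(key, ("plain",))[0] == "ibe_pub"

    def CPExportKey(self, ctx, key):
        # Situation 5: an IBE public key object exports its shadow public key,
        # which is exactly what the mapped shadow handle holds.
        self._check_ctx(ctx)
        return self.shadow.export_key(self.handle_map[key])

    def CPSetKeyParam(self, ctx, key, param, value):
        # Situation 9: parameters of IBE objects cannot be changed.
        self._check_ctx(ctx)
        if self.is_ibe_public_key(key):
            raise PermissionError("refused: handle is an IBE object")
        return True   # the constructed shadow CSP has no parameters to set

    def DuplicateKey(self, ctx, key):
        # Situation 10: duplicate in the shadow CSP first, then the IBE object.
        self._check_ctx(ctx)
        dup = self._new_handle(
            self.shadow.duplicate_key(self.handle_map[ctx], self.handle_map[key]))
        self.objects[dup] = self.objects[key]
        self.containers[ctx].add(dup)
        return dup

    def DestroyKey(self, ctx, key):
        # Situation 11: release the shadow handle first, then the IBE object.
        self._check_ctx(ctx)
        self.shadow.destroy_key(self.handle_map.pop(key))
        self.objects.pop(key, None)
        self.containers[ctx].discard(key)
        return True

    def CPReleaseContext(self, ctx):
        # Situation 12: release the shadow context, then every object of the container.
        self._check_ctx(ctx)
        self.shadow.release_context(self.handle_map.pop(ctx))
        for key in self.containers.pop(ctx):
            self.handle_map.pop(key, None)
            self.objects.pop(key, None)
        return True
```

The invariant worth checking in such a front end is that every handle the caller holds appears in the mapping table until DestroyKey or CPReleaseContext removes it, so that a handle released in the shadow CSP can never be dereferenced again through the IBE CSP.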
9. The IBE data encryption system based on a media digital certificate according to claim 1, characterized in that: when the IBE CSP encrypts data or a key with the IBE algorithm, the random parameters required for decryption are stored in the encrypted data block; further, if the asymmetric cryptographic algorithm adopted by the media digital certificate is the RSA algorithm, then, in order to align the boundary of the IBE-encrypted data block with the boundary of the RSA-encrypted data block, a random byte string is appended after one or more IBE-encrypted data blocks.
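The block layout of claim 9 (random parameter carried inside each encrypted block, random padding to the RSA block boundary) can be written as a small framing format. This is an added example, not the patent's code; the length-prefixed layout, the 16-bit length fields and the leading block count are assumptions, and the parameter and ciphertext bytes used in the demonstration are constructed placeholders rather than output of an IBE scheme.

```python
"""Framing of IBE-encrypted blocks with their random parameters and the RSA
alignment padding of claim 9. Added illustration; layout is an assumption."""
import os
import struct

COUNT_FMT = ">H"    # number of IBE blocks that follow
BLOCK_HDR = ">HH"   # length of the random parameter, length of the ciphertext


def rsa_block_size(modulus_bits):
    """An RSA ciphertext block is as long as the modulus, in bytes."""
    return (modulus_bits + 7) // 8


def pack_ibe_blocks(blocks, modulus_bits):
    """Serialise (random_param, ciphertext) pairs so that each block carries the
    random parameter its decryptor needs, then append random bytes until the
    total length is a multiple of the RSA block size."""
    if len(blocks) > 0xFFFF:
        raise ValueError("too many blocks for a 16-bit count")
    out = bytearray(struct.pack(COUNT_FMT, len(blocks)))
    for param, ct in blocks:
        if len(param) > 0xFFFF or len(ct) > 0xFFFF:
            raise ValueError("field too long for a 16-bit length prefix")
        out += struct.pack(BLOCK_HDR, len(param), len(ct)) + param + ct
    out += os.urandom(-len(out) % rsa_block_size(modulus_bits))
    return bytes(out)


def unpack_ibe_blocks(data):
    """Inverse of pack_ibe_blocks; the trailing alignment bytes are ignored."""
    (count,) = struct.unpack_from(COUNT_FMT, data, 0)
    off = struct.calcsize(COUNT_FMT)
    blocks = []
    for _ in range(count):
        plen, clen = struct.unpack_from(BLOCK_HDR, data, off)
        off += struct.calcsize(BLOCK_HDR)
        if off + plen + clen > len(data):
            raise ValueError("truncated IBE block")
        blocks.append((data[off:off + plen], data[off + plen:off + plen + clen]))
        off += plen + clen
    return blocks


if __name__ == "__main__":
    # Constructed sample: two blocks with 20-byte parameters and arbitrary ciphertext.
    sample = [(b"\x01" * 20, b"\xaa" * 33), (b"\x02" * 20, b"\xbb" * 70)]
    buf = pack_ibe_blocks(sample, 2048)
    print(len(buf), len(buf) % rsa_block_size(2048), unpack_ibe_blocks(buf) == sample)
```

Because the alignment bytes are random, a consumer that expects RSA-sized blocks must not try to interpret them; the explicit count and length fields are what lets the decryptor stop before reaching the padding.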
10. The IBE data encryption system based on a media digital certificate according to claim 1, characterized in that: the IBE cryptographic operation and computation module implemented on the CSP interface, namely the IBE CSP, is alternatively an IBE cryptographic operation and computation module implemented according to the PKCS #11 (Public Key Cryptography Standards 11) interface specification; this PKCS #11-based IBE cryptographic operation and computation module has an extended interface for importing an IBE public/private key pair or an IBE public key and associating it with the public key on the corresponding media digital certificate, and it converts data encryption and decryption operations based on the asymmetric cryptographic algorithm of the media digital certificate into the corresponding IBE-based data encryption and decryption operations.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110189108 CN102255729B (en) 2011-07-07 2011-07-07 IBE (Internet Booking Engine) data encryption system based on medium digital certificate

Publications (2)

Publication Number Publication Date
CN102255729A CN102255729A (en) 2011-11-23
CN102255729B true CN102255729B (en) 2013-07-10

Family

ID=44982736

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110189108 Expired - Fee Related CN102255729B (en) 2011-07-07 2011-07-07 IBE (Internet Booking Engine) data encryption system based on medium digital certificate

Country Status (1)

Country Link
CN (1) CN102255729B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102801532B (en) * 2012-09-14 2015-07-08 江苏先安科技有限公司 Method for associating and verifying multiple digital certificates
CN102932149B (en) * 2012-10-30 2015-04-01 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103067892B (en) * 2012-12-21 2015-06-03 深圳一卡通新技术有限公司 Short message transmission method using watermark
CN103095694A (en) * 2013-01-09 2013-05-08 深圳市文鼎创数据科技有限公司 Control method and device for digital certificate
CN103078743B (en) * 2013-01-15 2015-07-08 武汉理工大学 E-mail IBE (Internet Booking Engine) encryption realizing method
CN103117861B (en) * 2013-01-31 2015-04-08 武汉理工大学 Pseudo RSA (Rivest Shamir Adleman) based method for transmitting IBE key information (identity based encryption) in IBE
CN103368746B (en) * 2013-07-24 2016-02-24 飞天诚信科技股份有限公司 A kind of endorsement method
CN104753676A (en) * 2013-12-31 2015-07-01 北龙中网(北京)科技有限责任公司 Identity verifying method and device for mobile application developer
GB2537876A (en) * 2015-04-29 2016-11-02 Advanced Risc Mach Ltd Error protection key generation method and system
CN106059760B (en) * 2016-07-12 2019-03-19 武汉理工大学 A kind of cryptographic system from user terminal crypto module calling system private key
CN107729760B (en) * 2017-10-09 2022-01-04 惠州Tcl移动通信有限公司 CSP implementation method based on Android system and intelligent terminal
CN110691060B (en) * 2018-07-06 2022-08-09 武汉信安珞珈科技有限公司 Method and system for realizing remote equipment password service based on CSP interface
CN112580061B (en) * 2019-09-27 2023-04-07 科大国盾量子技术股份有限公司 Calling method of quantum encryption and decryption application interface and related equipment
CN111124956B (en) * 2019-11-22 2023-03-07 海光信息技术股份有限公司 Container protection method, processor, operating system and computer equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483518A (en) * 2009-02-20 2009-07-15 北京天威诚信电子商务服务有限公司 Customer digital certificate private key management method and system
CN101931529A (en) * 2010-08-09 2010-12-29 中兴通讯股份有限公司 Data encryption method, data decryption method and nodes

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005004382A1 (en) * 2003-07-08 2005-01-13 Fujitsu Limited Encryption/decryption device

Also Published As

Publication number Publication date
CN102255729A (en) 2011-11-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING ITRUSCHINA CO., LTD.

Effective date: 20121214

C41 Transfer of patent application or patent right or utility model
C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Long Yihong

Inventor after: Tang Zhihong

Inventor before: Long Yihong

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: LONG YIHONG TO: LONG YIHONG TANG ZHIHONG

TA01 Transfer of patent application right

Effective date of registration: 20121214

Address after: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122

Applicant after: Wuhan University of Technology

Applicant after: Beijing iTrusChina Co., Ltd.

Address before: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122

Applicant before: Wuhan University of Technology

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130710

Termination date: 20180707