Summary of the invention
The purpose of this invention is to provide an IBE data encryption system based on media digital certificates. By means of a media digital certificate, it enables Windows systems and their applications that do not support IBE cryptographic algorithms to use IBE technology to encrypt and decrypt data.
The media digital certificate referred to here is a digital certificate for encryption use that conforms to the X509 standard (e.g. an RSA or ECC encryption certificate). It is not issued by a third-party certification authority or a dedicated CA system; instead it is signed with the private key of a self-signed root CA certificate that the user generates himself (using a client tool), and the subject name (Subject Name) of the issued certificate corresponds to the user's identity identifier (or contains identity information such as an e-mail address or ID card number). Although the key pairs of the self-signed root CA certificates generated by different users all differ from one another, their subject name and issuer name (Issuer Name) are all the same, a fixed specific name, and their serial numbers (Serial Number) are all the same, for example all generated from the hash (HASH) value of the subject name. In the IBE encryption process, such a certificate, signed by the user himself (with the private key of the self-generated CA certificate), only serves as a bridge or intermediary between the encryption application software and the IBE cryptographic module and is not used as an ordinary digital certificate; it is therefore called a media digital certificate in the present invention. Because this user-issued certificate only plays an intermediary role in the encryption process, the fact that it is not publicly trusted does not affect the security of the IBE encryption.
To achieve these goals, the technical solution adopted in the present invention is:
An IBE data encryption system based on media digital certificates, comprising the following parts:
IBE CSP: a Windows cryptographic service provider (Cryptographic Service Provider, CSP) that registers as providing a certain type (e.g. RSA Full, i.e. Type 1) of a certain asymmetric cryptographic algorithm (e.g. RSA). It performs IBE-related key storage and key operations through extension interface functions, and provides other cryptographic operations and computations through the CryptoSPI interface functions, converting data encryption and decryption operations based on the registered asymmetric algorithm (e.g. RSA) into the corresponding IBE-based operations. It completes all other key operations and computations by directly calling a CSP of the same type that ships with Windows (for example, the Microsoft Strong Cryptographic Provider, of type RSA Full). Specifically, when an application calls IBE CSP through CryptoAPI to perform a key operation or a data encryption or decryption operation, IBE CSP determines whether the operation is IBE-related. If it is, IBE CSP performs the operation itself; otherwise, it completes the operation by directly calling, through the CryptoSPI interface, a CSP of the same type that ships with Windows. This Windows-supplied CSP of the same type is called the IBE associated CSP.
IBE key management client: its main functions include generating and signing the self-signed root CA certificate, generating and signing media digital certificates, and obtaining and storing IBE keys. On the sender's side (the encrypting party), it generates the recipient's IBE public key (IBE Public Key) from the identity identifier of the recipient (the decrypting party) and stores it, and generates the media digital certificate corresponding to that identity identifier for use by the encryption application software. For the owner of an identity identifier (the recipient of encrypted data), it generates the corresponding media digital certificate from the identity identifier, obtains the IBE private key (IBE Private Key) corresponding to the identifier from the IBE key server, and saves the IBE key pair (IBE Key Pair) in IBE CSP for use by the encryption application software.
IBE key server (IBE Key Server): responsible for authenticating the owner of an identity identifier, verifying that he is the real owner of the identifier, generating the IBE private key for the identifier, and returning the private key to the identifier's owner over a secure channel.
IBE client installer: responsible for installing and configuring IBE CSP and the IBE key management client. During installation, the IBE client installer makes the following modification to the Windows registry:
Under HKEY_LOCAL_MACHINE->Software->Microsoft->Cryptography->Defaults->Provider Types, in the value of the subkey corresponding to the CSP type of IBE CSP (e.g. Type 001, i.e. RSA Full), the default CSP is set to the IBE CSP of the present invention.
The asymmetric cryptographic algorithm refers to an asymmetric cryptographic algorithm that is supported by X509 certificates and can be used to encrypt and decrypt symmetric keys or data, including but not limited to the RSA and ECC algorithms;
The specific CSP type of the asymmetric cryptographic algorithm refers to a specific CSP type that provides the cryptographic functions of that algorithm, including but not limited to the CSP types currently defined by Windows;
The IBE CSP extension interface functions are interface functions, defined outside the CryptoSPI interface functions, that are dedicated to IBE key storage operations;
The media digital certificate is a digital certificate for encryption use that conforms to the X509 standard; it is signed with the private key of a self-signed root CA certificate generated by the user's own IBE key management client, and the subject name of the issued certificate corresponds to the user's identity identifier;
The subject name of the self-signed root CA certificate is identical to its issuer name, a fixed specific name, and the serial number of the self-signed root CA certificate has a fixed value;
The sender of encrypted data is the party that encrypts the data, and the recipient of encrypted data is the party that decrypts it.
The sender of encrypted data can start the IBE key management client, enter the function for obtaining a recipient's media digital certificate, and input the recipient's identity identifier (e.g. an e-mail address or ID card number). The IBE key management client then generates, signs and stores the media digital certificate corresponding to the recipient's identity identifier, and generates and stores the recipient's IBE public key, specifically:
After the sender has entered the recipient's identity identifier, the IBE key management client works as follows:
A1. In the Trusted Root Certification Authorities store of the local certificate store, check whether there is a self-signed root CA certificate with the specific subject name that is used for signing media digital certificates. If not, go to step A3; otherwise, go to the next step;
A2. Further check whether this self-signed root CA certificate has a private key. If it does, go to step A4; otherwise, delete this self-signed root CA certificate and then go to the next step;
A3. Call the IBE associated CSP (e.g. an RSA Full type CSP that ships with Windows) through CryptoAPI to generate a key pair for the corresponding asymmetric cryptographic algorithm (e.g. RSA), and generate a self-signed CA digital certificate based on this key pair. The subject name of this CA certificate is identical to its issuer name, a predefined specific name, and the certificate serial number is generated from the hash (HASH) value of the subject name and issuer name. After the self-signed root CA digital certificate has been generated and signed, put it into the Trusted Root Certification Authorities store of the local certificate store, then go to the next step;
A4. Call the IBE associated CSP through CryptoAPI to generate a key pair for the corresponding asymmetric cryptographic algorithm (e.g. an RSA key pair), and generate a to-be-signed digital certificate based on this key pair. The subject name of this certificate contains the recipient's identity identifier information, the issuer name is the subject name of the self-signed root CA certificate used for signing media digital certificates, the certificate serial number (Serial Number) is generated from the HASH (hash) value of the subject name and issuer name, and the certificate's Key Usage is set to Key Encipherment. Then sign the to-be-signed certificate with the private key of the self-signed root CA certificate to produce a media digital certificate;
A5. Call the certificate management DLL (dynamic link library) provided by Windows to put the media digital certificate just issued into the Other People certificate store of the local certificate store, and, by corresponding automatic (e.g. API) or manual means, put this certificate into the specific certificate storage area of the specific application (e.g. the address book entry of the corresponding user in Outlook);
A6. Generate the recipient's IBE public key from the recipient's identity identifier and the IBE public parameters;
A7. Call the extension interface of IBE CSP to store the IBE public key generated in step A6 in IBE CSP. Besides the IBE public key, the interface call parameters also include the public key of the media digital certificate generated in step A4.
In step A7 above, after IBE CSP receives the IBE public key storage request through the extension interface (i.e. a custom interface not defined in the original CryptoSPI), it operates as follows:
It creates a persistent IBE public key object for this IBE public key on a storage medium such as a hard disk, and saves the IBE public key, the media digital certificate public key submitted in the interface call, and the HASH (hash) value of that public key in the IBE public key object.
By saving the media digital certificate's public key and its hash value in the IBE public key object, the IBE public key is associated with the media digital certificate's public key; for all subsequent key operations and data encryption operations involving this media digital certificate public key, IBE CSP will use the IBE public key corresponding to it. In the present invention, the media digital certificate public key that corresponds to and is associated with an IBE public key is called the shadow public key of that IBE public key.
The owner of an identity identifier (i.e. the recipient of encrypted data) starts the IBE key management client, enters the function for obtaining his own media digital certificate, and inputs his identity identifier information. He thereby obtains the media digital certificate corresponding to the identity identifier and the IBE key pair corresponding to it, and the IBE key management client saves the IBE key pair in IBE CSP.
After the owner of an identity identifier has used the IBE key management client to enter his identity identifier information and requested a media digital certificate, the IBE key management client and the IBE key server work according to the following flow:
B1. The IBE key management client connects to the IBE key server in a secure manner (e.g. SSL) and requests the IBE private key corresponding to the user's identity identifier;
B2. The IBE key server requires the client to authenticate;
B3. The IBE key management client submits the user's identity credential (Credential), such as an identity digital certificate or user name/password, for authentication;
B4. After authenticating the client user, the IBE key server verifies in a predefined way that the user really is the owner of the identity identifier;
B5. If both the user authentication and the identifier ownership verification pass, the IBE key server generates the IBE private key corresponding to the identifier for the user and returns it to the IBE key management client over a secure channel; otherwise, it returns an error message;
B6. After receiving the user's IBE private key, the IBE key management client extracts the relevant information from the IBE private key and generates the corresponding IBE public key, then goes to the next step;
B7. The IBE key management client checks whether the Trusted Root Certification Authorities store of the local certificate store contains a self-signed root CA certificate with the specific subject name that is used for signing media digital certificates. If not, go to step B9; otherwise, go to the next step;
B8. The IBE key management client further checks whether this self-signed root CA certificate has a private key. If it does, go to step B10; otherwise, delete this self-signed root CA certificate and then go to the next step;
B9. The IBE key management client calls the IBE associated CSP (e.g. a CSP of type RSA Full that ships with Windows) through CryptoAPI to generate a key pair for the corresponding asymmetric cryptographic algorithm (e.g. an RSA key pair), and generates a self-signed CA digital certificate based on this key pair. The subject name of this CA certificate is identical to its issuer name, a predefined specific name, and the certificate serial number is generated from the hash (HASH) value of the subject name and issuer name. After the self-signed root CA digital certificate has been generated and signed, it is put into the Trusted Root Certification Authorities store of the local certificate store, then go to the next step;
B10. The IBE key management client calls the IBE associated CSP through CryptoAPI to generate a key pair for the corresponding asymmetric cryptographic algorithm (e.g. an RSA key pair), and generates a to-be-signed digital certificate based on this key pair. The subject name of this certificate contains the recipient's identity identifier, the issuer name is the subject name of the self-signed root CA certificate, the certificate serial number is generated from the hash (HASH) value of the subject name and issuer name, and the certificate's key usage (Key Usage) is set to key encipherment (Key Encipherment). The to-be-signed certificate is then signed with the private key of the self-signed root CA certificate to produce a media digital certificate, then go to the next step;
B11. The IBE key management client calls the extension CSP interface to store the IBE key pair obtained in the preceding steps in IBE CSP. When calling the extension interface, besides the IBE key pair it also provides the key container identifier and the public key of the media digital certificate just issued. After the IBE key pair has been saved successfully, go to the next step;
B12. If the Personal (My) certificate store of the local certificate store contains a previously generated media digital certificate corresponding to the same identity identifier, the IBE key management client removes that certificate, then goes to the next step;
B13. The IBE key management client calls the Windows certificate management interface to store the newly signed media digital certificate in the Personal (My) certificate store of the local certificate store. It sets the CSP that stores the certificate's private key to the IBE CSP of the present invention, sets the type of that CSP to the CSP type registered by IBE CSP (e.g. RSA Full), sets the key container identifier of the private key to the key container identifier supplied in step B11 when the extension interface was called to save the user's IBE key pair in IBE CSP, and sets the key usage of the private key to Key Exchange.
In step B4 above, the ways in which the IBE key server verifies that the user really is the owner of the identity identifier include but are not limited to: sending a verification e-mail to the e-mail address to confirm that the applicant is the owner of the mailbox; or sending a verification SMS message to the mobile phone number to confirm that the applicant is the owner of the phone number; or the user's account name on the IBE key server is itself the user's identity identifier; or the user entered his identity identifier when creating an account on the IBE key server and his ownership of the identifier was verified by other means; or the user logs in to the key server with an identity certificate that contains the user's identity identifier information; and so on.
In step B11 above, after IBE CSP receives the request to save the IBE key pair, it operates as follows:
B11.1. Create a persistent IBE key container on the storage medium, whose key container identifier is the one passed in when the extension interface was called, then store the IBE key pair in this key container with the key pair's usage set to Key Exchange, and further store the media digital certificate public key submitted in the interface call and its hash (HASH) value in this IBE key container (thereby associating the IBE key pair with the submitted media digital certificate public key);
B11.2. Directly call the IBE associated CSP through CryptoSPI to create a persistent key container (e.g. an RSA key container) in it, and generate in this key container a persistent key pair (e.g. an RSA key pair) whose usage is Key Exchange;
B11.3. Save the identifier of the key container created in the IBE associated CSP in step B8.2 into the IBE key container created in step B8.1 (thereby associating the IBE key container with the key container created in the IBE associated CSP), then return.
The key container created in the IBE associated CSP in step B11.2 above is called the shadow key container of the IBE key container created in step B11.1. In the present invention, every IBE key container, whether temporary in memory or persistent on a storage medium, and whether or not it contains an IBE key pair, has a corresponding, associated shadow key container created in the IBE associated CSP, and the two have the same life cycle (as will be seen in the description below). If an IBE key container contains an IBE key pair, its shadow key container holds a key pair with Key Exchange usage (e.g. an RSA key pair), which in the present invention is called the shadow key pair of that IBE key pair. It is not, however, the key pair of the media digital certificate corresponding to the IBE key pair, and it has no direct relationship to the IBE key pair.
In step B13 above, the private key of the media digital certificate is associated with an IBE key container, so that for all key operations and cryptographic operations involving this media digital certificate private key, IBE CSP will use the IBE private key corresponding to it.
After the identifier owner has successfully generated the media digital certificate corresponding to the identity identifier through the IBE key management client, he can use the encryption application software to decrypt the encrypted data he receives.
The subject name, issuer name and certificate serial number are set in this specific way in the above process for the following reason. In data encryption based on digital certificates, after the sender has encrypted the data, the subject name, issuer name and certificate serial number of the recipient's digital certificate are placed in the encrypted data (more precisely, in the encrypted symmetric key) in the form defined by PKCS7. The recipient's encryption software finds the corresponding digital certificate in the Personal (My) certificate store of the local certificate store on the basis of exactly this subject name, issuer name and serial number information, and uses the private key that this certificate has stored in a CSP to decrypt the data. Therefore, for the data to be decrypted correctly, the recipient's media digital certificate generated by the sender and the media digital certificate generated by the recipient himself must have identical subject names, issuer names and certificate serial numbers (although, in the present invention, the key pairs of the two certificates may differ). To make the subject names and issuer names of the media digital certificates generated by the two sides identical, the two sides agree on a way of generating the subject name from the identity identifier and stipulate a specific issuer name (i.e. the signing CA has a specific subject name); to make the certificate serial numbers identical, they agree that the serial number is generated from the HASH (hash) value of the subject name and issuer name.
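The naming convention described above can be modelled as follows. This is an added example, not code from the patent: the root CA name, the subject normalisation rule, the use of SHA-256 and the truncation to a valid X.509 serial number are all assumptions, and the public keys are constructed random bytes standing in for RSA keys.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumption: the fixed name shared by every user's self-signed root CA.
ROOT_CA_NAME = "CN=IBE Media Root CA (example)"


def subject_for(identity: str) -> str:
    """Agreed rule for deriving the subject name from an identity identifier
    (assumed here: trimmed, lower-cased, placed in CN)."""
    return "CN=" + identity.strip().lower()


def serial_from_names(subject: str, issuer: str) -> int:
    """Serial number derived from the hash of subject name and issuer name.

    SHA-256 and the encoding are assumptions. The digest is cut to 20 octets
    and its top bit cleared, because an X.509 serial number must be a positive
    integer of at most 20 octets (RFC 5280, section 4.1.2.2).
    """
    h = hashlib.sha256()
    for name in (subject, issuer):
        raw = name.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)  # length prefix: unambiguous
    digest = bytearray(h.digest()[:20])
    digest[0] &= 0x7F
    return int.from_bytes(digest, "big") or 1


@dataclass(frozen=True)
class MediaCert:
    subject: str
    issuer: str
    serial: int
    public_key: bytes              # constructed stand-in for the RSA public key
    key_usage: str = "keyEncipherment"


def issue_media_cert(identity: str) -> MediaCert:
    """What each party's key management client does on its own (steps A4 and
    B10): fresh key pair, deterministic subject, issuer and serial number."""
    subject = subject_for(identity)
    return MediaCert(subject, ROOT_CA_NAME,
                     serial_from_names(subject, ROOT_CA_NAME),
                     public_key=secrets.token_bytes(32))


def recipient_info(cert: MediaCert) -> tuple:
    """Issuer name and serial number that the sender's software embeds next
    to the encrypted symmetric key."""
    return (cert.issuer, cert.serial)


def find_decryption_cert(personal_store, rid):
    """Recipient side: locate the certificate, and through it the private key
    container, by issuer name and serial number."""
    for cert in personal_store:
        if (cert.issuer, cert.serial) == rid:
            return cert
    return None


def demo():
    sender_copy = issue_media_cert("Alice@Example.com ")  # made by the sender
    own_copy = issue_media_cert("alice@example.com")      # made by the recipient
    other = issue_media_cert("bob@example.com")
    found = find_decryption_cert([other, own_copy], recipient_info(sender_copy))
    return sender_copy, own_copy, found
```

The lookup only succeeds because both sides canonicalise the identity identifier the same way before hashing; any difference in case or whitespace handling would give a different serial number and the recipient's software would not find its certificate.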
IBE CSP handles calls made through the CryptoSPI interface functions according to the following cases:
Case 1: for the operation of obtaining a key container handle (handle) through the interface function CPAcquireContext, proceed as follows according to the key container identifier passed in the interface call:
If the key container identifier passed in points to a permanent IBE key container, further determine whether the value of the input parameter dwFlags in the interface call is zero, CRYPT_SILENT or CRYPT_DELETEKEYSET; if not, return an error. Otherwise, determine whether the value of dwFlags is CRYPT_DELETEKEYSET. If it is, first delete the corresponding shadow key container in the IBE associated CSP by directly calling the interface function CPAcquireContext of the IBE associated CSP, then delete the permanent IBE key container pointed to by the key container identifier passed in the interface, together with its IBE key pair, and finally return the result. Otherwise, first create an IBE key container object in memory, then obtain the IBE key pair, the corresponding shadow public key and the hash value of this shadow public key from the permanent IBE key container pointed to by the key container identifier, generate the corresponding data objects, and save these data objects in (i.e. associate them with) the in-memory IBE key container object just created, where the usage of the IBE key pair is Key Exchange. Then obtain the handle of the corresponding shadow key container in the IBE associated CSP by calling the interface function CPAcquireContext of the IBE associated CSP, associate the returned shadow key container handle with the in-memory IBE key container object just created, and finally return the handle of the shadow key container as the key container handle.
If the key container identifier passed in does not point to a permanent IBE key container, further determine whether the value of the input parameter dwFlags is CRYPT_DELETEKEYSET. If it is, directly call the CPAcquireContext interface function of the IBE associated CSP with the same input parameters to complete the operation, then return the result. Otherwise, first create an IBE key container object in memory, then directly call the interface function CPAcquireContext of the IBE associated CSP with the same input parameters to obtain the handle of the corresponding key container; this key container is also called the shadow key container of the in-memory IBE key container just created (even though it is not associated with any IBE key pair). Then associate the returned key container handle with the in-memory IBE key container object just created, and finally return the returned key container handle as the key container handle.
Case 2: for the operation of obtaining, through the interface function CPGetUserKey, the handle of a key pair stored in a key container, first check whether the key container handle passed in the interface points to a valid IBE key container object that has been created in memory; if not, return an error. Otherwise, further check whether the IBE key container pointed to contains an IBE key pair object. If it does, call the interface function CPGetUserKey of the IBE associated CSP to obtain the key handle of the shadow key pair in the corresponding shadow key container (i.e. the handle of the key pair whose usage is Key Exchange), associate the returned shadow key pair handle with the IBE key pair object in the IBE key container, and then return the shadow key pair handle as the handle of the key pair. Otherwise, complete the operation by directly calling the interface function CPGetUserKey of the IBE associated CSP with the same input parameters, and return the key pair handle that it returns.
Case 3: for a key import operation that imports a public key through the interface function CPImportKey, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check (e.g. by the hash value of the public key) whether this public key corresponds to a permanent IBE key container or a permanent IBE public key object, i.e. check whether the imported public key is the shadow public key of an IBE public key. If it is, create an IBE public key object in memory and save this IBE public key object, the shadow public key and the hash value of the shadow public key in (i.e. associate them with) the IBE key container indicated by the key container handle passed in the interface. Then call the interface function CPImportKey of the IBE associated CSP to import the public key into the corresponding shadow key container in the IBE associated CSP, associate the key handle of the imported public key returned by that call with the in-memory IBE public key object just created, and return this key handle as the handle of the imported key. Otherwise, complete the operation by directly calling the interface function CPImportKey of the IBE associated CSP with the same input parameters, and return the key handle returned by that call.
Case 4: for a key import operation that imports a symmetric key through the interface function CPImportKey, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check whether the decryption key handle passed in the interface points to an IBE key pair object in the corresponding IBE key container. If it does, first decrypt the encrypted symmetric key with the IBE private key of this IBE key pair object, then import the symmetric key into the corresponding shadow key container in the IBE associated CSP by calling the interface function CPImportKey of the IBE associated CSP, and return the key handle of the imported key returned by that call. Otherwise, complete the import of the symmetric key by directly calling the interface function CPImportKey of the IBE associated CSP with the same input parameters, and return the key handle of the imported key returned by that call.
Case 5: for the operation of exporting a key through the interface function CPExportKey, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check whether the handle of the key to be exported points to an IBE public key object in IBE CSP; if so, export the shadow public key corresponding to this IBE public key. Otherwise, further check whether the handle of the key to be exported points to an IBE key pair object in IBE CSP; if so, the export is forbidden. Otherwise, further check whether the handle of the encryption key used to encrypt the exported key points to an IBE public key object or an IBE key pair object. If it does, first export the key from the IBE associated CSP in plaintext form through the corresponding interface function, or export it as ciphertext and then decrypt it to plaintext, then encrypt the key to be exported with the corresponding IBE public key and return the result. Otherwise, complete the operation by directly calling the interface function CPExportKey of the IBE associated CSP with the same input parameters.
Case 6: for the operation of encrypting data through the interface function CPEncrypt, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check whether the encryption key handle points to an IBE public key object or an IBE key pair object in the IBE key container; if so, encrypt the data with the corresponding IBE public key and return the encrypted result. Otherwise, complete the operation by directly calling the interface function CPEncrypt of the IBE associated CSP with the same input parameters.
Case 7: for the operation of decrypting data through the interface function CPDecrypt, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check whether the key object pointed to by the decryption key handle is an IBE key pair in the IBE key container; if so, decrypt the data with the private key of this IBE key pair and return the decrypted result. Otherwise, complete the operation by directly calling the interface function CPEncrypt of the IBE associated CSP with the same input parameters.
Case 8: for the operation of obtaining key parameters through the interface function CPGetKeyParam, first check whether the key container handle passed in the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, further check whether the key handle being queried points to an IBE public key object or an IBE key pair object; if so, return the relevant parameters according to the shadow public key corresponding to this IBE public key object or IBE key pair object. Otherwise, complete the operation by directly calling the interface function CPGetKeyParam of the IBE associated CSP with the same input parameters.
Situation 9: For setting a key parameter through the interface function CPSetKeyParam, check whether the key handle whose parameter is to be set points to an IBE public key object or an IBE key pair object in the IBE key container; if so, refuse the operation. Otherwise, using the same input parameters, directly call the interface function CPSetKeyParam of the CSP associated with the IBE CSP to complete the operation.
Situation 10: For duplicating a key through the interface function DuplicateKey, first check whether the key container handle passed to the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, first call the interface function DuplicateKey of the CSP associated with the IBE CSP, using the same input parameters, to duplicate the key. After that call succeeds, check whether the handle of the key to be duplicated points to an IBE public key object created in memory in the current IBE key container; if so, duplicate this IBE public key object in memory, associate the handle of the duplicated key object (returned by the associated CSP's key duplication call) with the IBE public key object just duplicated, and return this handle as the handle of the duplicated key object. Otherwise, further check whether the key handle to be duplicated points to an IBE key pair object in the IBE key container; if so, associate the handle of the duplicated key object, returned by the associated CSP's DuplicateKey call, with this IBE key pair object, and return this handle as the handle of the duplicated key object. Otherwise, directly return the result of calling the interface function DuplicateKey of the associated CSP.
Situation 11: For releasing a key handle through the interface function DestroyKey, first check whether the key container handle passed to the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, first call the interface function DestroyKey of the CSP associated with the IBE CSP, using the same input parameters, to release the key handle. After that call succeeds, check whether the key handle to be released points to an IBE public key object created in memory in the current IBE key container; if so, release this IBE public key object and its key handle, and return success. Otherwise, further check whether the key handle to be released points to an IBE key pair in the IBE key container; if so, release this key handle and return success. Otherwise, directly return the result of calling the interface function DestroyKey of the associated CSP.
Situation 12: For releasing the cryptographic context through the interface function CPReleaseContext, that is, releasing the key container handle, first check whether the key container handle passed to the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, first call the interface function CPReleaseContext of the CSP associated with the IBE CSP to release the cryptographic context of the corresponding shadow key container, then release all key objects that the current IBE key container has created in memory, together with the current IBE key container object, and finally return success.
Situation 13: For calls to any other interface function, first check whether the key container handle passed to the interface points to a valid IBE key container that has been created in memory; if not, return an error. Otherwise, complete the operation by calling the same interface function of the CSP associated with the IBE CSP with the same input parameters.
In the above operations, the IBE CSP does not generate independent object handles for its various data objects, such as key container objects, key pair objects and public key objects; instead, it directly uses the handle of the corresponding shadow data object in the associated CSP as the handle of its own data object. Alternatively, the IBE CSP can generate and maintain independent handles for its data objects and maintain a key handle mapping table that stores the mapping between the handle of each data object in the IBE CSP and the handle of its shadow data object. When the IBE CSP then calls an interface function of the associated CSP, it uses the mapped handle of the corresponding shadow data object (if handle conversion is needed).
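The dispatch rules of Situations 6 and 7, combined with the key handle mapping table described in the preceding paragraph, as an added example that is not code from the patent. It models handles as integers and the associated CSP as a stub that records the shadow handles it receives; all type, function and constant names are hypothetical, and returning an error for an unmapped key handle is an assumption.

```c
#include <stddef.h>

/* Hypothetical model: all names are assumptions, not CryptoAPI or CSP types. */
typedef unsigned long handle_t;
enum kind { ORDINARY, IBE_PUBLIC, IBE_PAIR };
enum result { ERR_BAD_CONTAINER, ERR_BAD_KEY, USED_IBE, DELEGATED };
struct key_map { handle_t own, shadow; enum kind kind; };
struct container { handle_t own, shadow; struct key_map keys[8]; size_t nkeys; };

/* Constructed sample state: one container and its key handle mapping table. */
static struct container box = { 0x100, 0x900, {
    { 0x101, 0x901, IBE_PUBLIC },   /* a recipient's IBE public key object */
    { 0x102, 0x902, IBE_PAIR },     /* the user's own IBE key pair object */
    { 0x103, 0x903, ORDINARY } },   /* any other key, e.g. a session key */
    3 };
static handle_t seen_prov, seen_key;   /* handles the associated CSP received */

/* Stand-in for calling the associated CSP: converts to shadow handles first. */
static enum result delegate(const struct key_map *k) {
    seen_prov = box.shadow; seen_key = k->shadow;
    return DELEGATED;
}

/* Container check, then key lookup. Rejecting an unmapped key is an assumption. */
static const struct key_map *lookup(handle_t hprov, handle_t hkey, enum result *err) {
    *err = ERR_BAD_CONTAINER;
    if (hprov != box.own) return NULL;
    for (size_t i = 0; i < box.nkeys; i++)
        if (box.keys[i].own == hkey) return &box.keys[i];
    *err = ERR_BAD_KEY;
    return NULL;
}

/* Situation 6: public key objects and key pair objects both encrypt with IBE. */
enum result ibe_encrypt(handle_t hprov, handle_t hkey) {
    enum result err;
    const struct key_map *k = lookup(hprov, hkey, &err);
    if (!k) return err;
    return k->kind == ORDINARY ? delegate(k) : USED_IBE;
}

/* Situation 7: only a key pair object is decrypted with the IBE private key. */
enum result ibe_decrypt(handle_t hprov, handle_t hkey) {
    enum result err;
    const struct key_map *k = lookup(hprov, hkey, &err);
    if (!k) return err;
    return k->kind == IBE_PAIR ? USED_IBE : delegate(k);
}

int main(void) { return ibe_encrypt(0x100, 0x103) == DELEGATED ? 0 : 1; }
```

The asymmetry between the two functions is the point to check in an implementation: a decrypt request on a public key object must fall through to the associated CSP, because no IBE private key is attached to it.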
When IBE is used to encrypt a data block (mainly a symmetric key), the random parameters required for decryption need to be stored in the encrypted data. If the asymmetric algorithm that the IBE CSP registers as providing is RSA, then, because the length of an IBE encrypted data block is less than the length of an RSA encrypted data block, a random string can be appended after one or more IBE encrypted data blocks so that the boundary of the IBE-encrypted data aligns with the boundary of an RSA encrypted data block.
Based on the IBE encryption system of the present invention, the data encryption process on the encrypting side (the sender) is as follows:
C1. When the sender's digital-certificate-based encryption software encrypts data to be transmitted, it searches the local certificate store, or the certificate storage area specific to a particular application (such as the Outlook address book), for example by the recipient's e-mail address, and prompts the user to select the recipient's digital certificate. If the certificate store contains a media digital certificate corresponding to the recipient's identity identifier, then after the sending user selects this certificate, the encryption software automatically calls the IBE CSP through CryptoAPI to encrypt the data with the public key of the media digital certificate, and the IBE CSP uses the corresponding IBE public key to complete the operation. If the certificate store contains no media digital certificate for the other party, go to step C2.
C2. The sender starts the IBE key management client, enters the function for obtaining a recipient's media digital certificate, and inputs the other party's identity identifier; after the management tool reports success, the sender returns to step C1.
The data decryption process on the side of the recipient of the encrypted data is as follows:
D1. After receiving the encrypted data, the recipient uses the encryption application software (such as Outlook) to decrypt it. Suppose the encryption application can find, in the personal ("My") certificate store of the local certificate store, the media digital certificate that corresponds to the digital certificate used for encryption. The lookup uses the certificate's subject name, issuer name and certificate serial number, which are stored in the encrypted information of the symmetric key; the certificate found is not necessarily the same certificate, because the certificate key pairs are not necessarily the same. If, in addition, the information for this certificate in the local certificate store indicates that its private key is in the IBE CSP, then the application calls the IBE CSP through CryptoAPI and requests decryption of the data with the private key corresponding to the media digital certificate, and the IBE CSP uses the corresponding IBE private key to complete the decryption. If the recipient's encryption application cannot find the media digital certificate corresponding to the encrypted data in the personal certificate store of the local certificate store, or finds it but the decryption operation reports that the private key does not exist, go to step D2.
D2. The recipient of the encrypted data starts the IBE key management client, enters the function for obtaining the recipient's own media digital certificate, and inputs the identity identifier information; after the management tool reports success, the recipient returns to step D1.
The characteristics and novelty of the present invention are as follows: it solves the technical difficulty of using IBE technology in operating systems and application systems that do not support IBE encryption. Its innovation is to use the media digital certificate as a bridge, together with the development of an IBE CSP, to realize IBE-based data encryption and decryption.