CN102523095A - User digital certificate remote update method with intelligent card protection function - Google Patents
User digital certificate remote update method with intelligent card protection function Download PDFInfo
- Publication number
- CN102523095A CN102523095A CN2012100081531A CN201210008153A CN102523095A CN 102523095 A CN102523095 A CN 102523095A CN 2012100081531 A CN2012100081531 A CN 2012100081531A CN 201210008153 A CN201210008153 A CN 201210008153A CN 102523095 A CN102523095 A CN 102523095A
- Authority
- CN
- China
- Prior art keywords
- smart card
- digital certificate
- operating system
- certificate
- device operating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to a user digital certificate remote update method with an intelligent card protection function. Intelligent card equipment can remotely send out a user digital certificate upgrade request to a certification authority (CA) on online through a local terminal. After the CA receives the request, a digital certificate is reissued to a user of the intelligent card equipment. The intelligent card equipment uses the reissued user digital certificate to update a certificate in a card to complete a certificate update process. The method provided by the invention fully utilizes the cryptographic computation function of the intelligent card equipment. A special intelligent card operating system command is used for completing the operation of safely exporting a key new user public key in the update process and safely importing a new user certificate in an intelligent card. Therefore, man-in-the-middle attacks in the CA communication process can be resisted and the online update process of the user digital certificate is enabled to be more safe and reliable. Moreover, the user digital certificate remote update method with the intelligent card protection function is simple and convenient to realize, the realization cost is low and the application scope is wider.
Description
Technical field
The present invention relates to the network information security technology field, particularly the Public Key Infrastructure(PKI) technical field specifically is meant a kind of customer digital certificate method for remote updating with smart card protection.
Background technology
PKIX---PKI utilizes the PKI theory and technology to solve a cover system of open internet network information security demand, and it supports authentication, the integrality of transmission of messages and storage and confidentiality, and the non-repudiation of operation.The core of PKI system is an authentication center---CA, and it is a trusted third party independently, its Core Feature is to issue and managing digital certificate for the applicant.The digital signature of essential information, client public key and CA that can comprise user's essential information, certificate in the digital certificate.
Smart card is the security terminal equipment of a kind of built-in with CPU, memory and cipher code arithmetic assisting processor, and it has multiple encapsulation appearance forrns, like the bank card of standard, the cipher key of USB interface and the T-Flash clip pin key that can on mobile phone, use.Smart card can provide safe calculating and storage environment, can communicate through input/output interface and external entity, can accomplish data encrypting and deciphering and calculate and digital signature, and inner data of preserving also can long preservation even without externally fed.Through blocking special purpose operating system---the COS that loads, can accomplish the application function of a lot of complicacies, one of them critical function is exactly the carrier as digital certificate, the life cycle management of participating certificate.
The applying digital certificate download system of at present common use smart card comprises: smart card device, local terminal and CA.It is as shown in Figure 1 that its applying digital certificate is downloaded flow process.
The problem of this method is to exist the possibility of man-in-the-middle attack.So-called man-in-the-middle attack be meant assailant intercept communication both sides' communication data and correct in the dark, and this modification is transparent to communicating pair.Because smart card device must be transmitted data through the local terminal when upgrading customer digital certificate, this has just created convenience for implementing assailant's man-in-the-middle attack through the local terminal, comprises following 2 points specifically:
The one, the application certificate request is given birth in the local terminal.Comprise in the request with the digital signature of original private key for user new PKI; This digital signature is that the local terminal sends new PKI to smart card and calculated by smart card; And existing smart card operating system is to check whether the PKI that the local terminal passes into is consistent with its inner new PKI that produces; So have the security breaches of local terminal, and this forgery can't detect at the CA end with the PKI of the forging request of Generating Certificate.
The 2nd, CA generates behind the digital certificate and to be verified by the local terminal and to write smart card device again.The digital certificate of checking intelligent card subscriber can't guarantee that the PKI that this certificate and smartcard internal are preserved is complementary in the local terminal, the possibility that exists certificate before writing smart card, to be replaced.
Summary of the invention
The objective of the invention is to have overcome above-mentioned shortcoming of the prior art; Provide a kind of and can resist man-in-the-middle attack, overcome the existing above-mentioned safety problem of customer digital certificate update method of prior art, safer; Effectively; And implementation is easy, realizes with low costly, and range of application has the customer digital certificate method for remote updating of smart card protection comparatively widely.
In order to realize above-mentioned purpose; The update system that is applied to this update method comprises smart card; The local terminal of connection of intelligent card and the authentication center that connects described local terminal, the customer digital certificate method for remote updating with smart card protection of the present invention may further comprise the steps:
(1) instruction of fetch equipment digital certificate is sent to described smart card in described local terminal;
(2) described smart card response reading command, and to described local terminal Returning equipment digital certificate data;
(3) described local terminal is sent to described smart card and is produced public private key pair instruction and the instruction of signature derivation PKI;
(4) described smart card produces public private key pair and is saved in the interim public and private key file in smart card, uses device private that the new client public key in the interim PKI file is carried out digital signature;
(5) described smart card returns new client public key and digital signature to described local terminal;
(6) the described local terminal new client public key that will from smart card, obtain uses device private that the digital signature that new client public key calculates is formed the request of renewal customer digital certificate with the apparatus figure certificate;
(7) request of upgrading customer digital certificate is sent in described local terminal to described authentication center;
(8) after described authentication center receives and upgrades certificate request, the apparatus figure certificate in the described solicited message is verified,, then got into step (9), not through then getting into step (13) if pass through;
(9) described authentication center uses the equipment PKI in the apparatus figure certificate that the digital signature in the solicited message is verified, if through then getting into step (10), not through then getting into step (13);
(10) described authentication center sends the checking importing digital certificate instruction that comprises the new customer digital certificate that authentication center signs and issues through described local terminal to described smart card;
(11) described smart card is verified the digital certificate that imports in intelligent card, if pass through, then gets into step (12), if do not pass through, then abandons the digital certificate that imports;
(12) described smart card upgrades customer digital certificate and corresponding public and private key;
(13) described authentication center refusal renewal request.
This has in the customer digital certificate method for remote updating of smart card protection, is built-in with smart card device operating system in the described smart card, and described step (4) specifically may further comprise the steps:
(41) according to the private key file sign of appointment in the described generation public private key pair instruction input parameter, described smart card device operating system is searched the device private file in smart card, if find, then get into step (42), if do not find, then gets into step (46);
(42) whether there is effective private key data in the private key file that described smart card device operating system inspection is found,, then gets into step (43),, then get into step (46) if do not exist if exist;
(43) based on the PKI file identification of appointment in the described generation public private key pair instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card, if find, then get into step (44); If do not find, then get into step (46);
(44) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (45),, then get into step (46) if do not exist if exist;
(45) described smart card device operating system uses device private that the client public key in the described interim PKI file is carried out digital signature, and gets into step (5);
(46) described smart card device operating system is carried out fault processing.
This has in the customer digital certificate method for remote updating of smart card protection; Described smart card returns new client public key and digital signature to the local terminal, is specially: the digital signature that described smart card device operating system is exported new client public key and used device private that new client public key is done to described local terminal.
This has in the customer digital certificate method for remote updating of smart card protection, and described authentication center has authentication center's database, and described authentication center verifies the apparatus figure certificate in the solicited message, specifically may further comprise the steps:
(81) described digital certificate is searched by described authentication center in described authentication center database, if find, then gets into step (82), if do not find, then gets into step (13);
(82) digital signature in the described digital certificate of public key verifications of use authentication center self of described authentication center if checking is passed through, then gets into step (9), if do not pass through, then gets into step (13).
This has in the customer digital certificate method for remote updating of smart card protection, is built-in with smart card device operating system in the described smart card, and described step (11) specifically may further comprise the steps:
(111) based on authentication center's PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched authentication center's PKI file in smart card, if find, then get into step (112); If do not find, then get into step (117);
(112) whether there is effective public key data in the PKI file that described smart card device operating system inspection is found,, then gets into step (113),, then get into step (117) if do not exist if exist;
(113) based on the interim PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card; If find; Then get into step (114),, then get into step (117) if do not find;
(114) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (115),, then get into step (117) if do not exist if exist;
(115) described smart card device operating system uses the interior authentication center of smart card PKI that the signature in the new customer digital certificate that imports is verified, if pass through, then gets into step (116), if do not pass through, then gets into step (117);
(116) described smart card device operating system in smart card, compare in the described new customer digital certificate client public key whether with card in PKI in the interim PKI file identical, if identical, then get into step (12), as if inequality, then get into step (117);
(117) described smart card device operating system is carried out fault processing.
This has in the customer digital certificate method for remote updating of smart card protection, and described smart card upgrades customer digital certificate and corresponding public and private key, is specially:
Described smart card device operating system uses the new customer digital certificate of importing and the public and private key in the interim public and private key file to upgrade original customer digital certificate and the public and private key of user in the smart card, and removes the content of interim public and private key file.
Adopted the customer digital certificate method for remote updating with smart card protection of this invention; Wherein smart card device can be initiated the renewal request of customer digital certificate by remote online through the local terminal to CA; After CA receives request, again for the user of smart card device signs and issues digital certificate, afterwards; The customer digital certificate that smart card device usefulness is signed and issued again is neocaine internal evidence book more, accomplishes whole certificate update flow process.Method provided by the present invention makes full use of the cryptographic calculations function of smart card device; Use the instruction of special intelligent card operation system more in the new technological process crucial new client public key safety derive with new user certificate safety import operation and in smart card, accomplish; Thereby can resist with the CA communication process in man-in-the-middle attack; Overcome existing safety problem in the prior art, make that customer digital certificate online updating process is more safe and reliable.And the implementation of the customer digital certificate method for remote updating with smart card protection of the present invention is easy, realizes with low costly, and range of application is also comparatively extensive.
Description of drawings
Fig. 1 is that applying digital certificate common in the prior art is downloaded schematic flow sheet.
Fig. 2 is the flow chart of steps with customer digital certificate method for remote updating of smart card protection of the present invention.
Fig. 3 is applied to the update system sketch map with customer digital certificate method for remote updating of smart card protection of the present invention.
Fig. 4 is the high-level schematic functional block diagram of the smart card device operating system that smart card device moved among the present invention.
Fig. 5 is the schematic flow sheet of customer digital certificate method for remote updating in practical application with smart card protection of the present invention.
Fig. 6 derives the instruction manipulation flow chart for the customer digital certificate method for remote updating public key signature in practical application with smart card protection of the present invention.
Fig. 7 imports the operational flowchart of instruction for the customer digital certificate method for remote updating digital certificate checking in practical application with smart card protection of the present invention.
Embodiment
In order more to be expressly understood technology contents of the present invention, the special following examples of lifting specify.
In one embodiment, be applied to have the update system of the customer digital certificate method for remote updating of smart card protection, as shown in Figure 3, comprise smart card, the local terminal of connection of intelligent card and the CA of authentication center that connects described local terminal.Customer digital certificate method for remote updating with smart card protection of the present invention, as shown in Figure 2, may further comprise the steps:
(1) instruction of fetch equipment digital certificate is sent to described smart card in described local terminal;
(2) described smart card response reading command, and to described local terminal Returning equipment digital certificate data;
(3) described local terminal is sent to described smart card and is produced public private key pair instruction and the instruction of signature derivation PKI;
(4) described smart card produces public private key pair and is saved in the interim public and private key file in smart card, uses device private that the new client public key in the interim PKI file is carried out digital signature;
(5) described smart card returns new client public key and digital signature to described local terminal;
(6) the described local terminal new client public key that will from smart card, obtain uses device private that the digital signature that new client public key calculates is formed the request of renewal customer digital certificate with the apparatus figure certificate;
(7) request of upgrading customer digital certificate is sent in described local terminal to described authentication center;
(8) after described authentication center receives and upgrades certificate request, the apparatus figure certificate in the described solicited message is verified,, then got into step (9), not through then getting into step (13) if pass through;
(9) described authentication center uses the equipment PKI in the apparatus figure certificate that the digital signature in the solicited message is verified, if through then getting into step (10), not through then getting into step (13);
(10) described authentication center sends the checking importing digital certificate instruction that comprises the new customer digital certificate that authentication center signs and issues through described local terminal to described smart card;
(11) described smart card is verified the digital certificate that imports in intelligent card, if pass through, then gets into step (12), if do not pass through, then abandons the digital certificate that imports;
(12) described smart card upgrades customer digital certificate and corresponding public and private key;
(13) described authentication center refusal renewal request.
In a kind of more preferably execution mode, be built-in with smart card device operating system in the described smart card, described step (4) specifically may further comprise the steps:
(41) according to the private key file sign of appointment in the described generation public private key pair instruction input parameter, described smart card device operating system is searched the device private file in smart card, if find, then get into step (42), if do not find, then gets into step (46);
(42) whether there is effective private key data in the private key file that described smart card device operating system inspection is found,, then gets into step (43),, then get into step (46) if do not exist if exist;
(43) based on the PKI file identification of appointment in the described generation public private key pair instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card, if find, then get into step (44); If do not find, then get into step (46);
(44) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (45),, then get into step (46) if do not exist if exist;
(45) described smart card device operating system uses device private that the client public key in the described interim PKI file is carried out digital signature, and gets into step (5);
(46) described smart card device operating system is carried out fault processing.
In a kind of further preferred embodiment, described smart card returns new client public key and digital signature to the local terminal, is specially:
The digital signature that described smart card device operating system is exported new client public key and used device private that new client public key is done to described local terminal.
More preferably in the execution mode, described authentication center has authentication center's database at another kind, and described authentication center verifies the apparatus figure certificate in the solicited message, specifically may further comprise the steps:
(81) described digital certificate is searched by described authentication center in described authentication center database, if find, then gets into step (82), if do not find, then gets into step (13);
(82) digital signature in the described digital certificate of public key verifications of use authentication center self of described authentication center if checking is passed through, then gets into step (9), if do not pass through, then gets into step (13).
In another kind of further preferred embodiment, be built-in with smart card device operating system in the described smart card, described step (11) specifically may further comprise the steps:
(111) based on authentication center's PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched authentication center's PKI file in smart card, if find, then get into step (112); If do not find, then get into step (117);
(112) whether there is effective public key data in the PKI file that described smart card device operating system inspection is found,, then gets into step (113),, then get into step (117) if do not exist if exist;
(113) based on the interim PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card; If find; Then get into step (114),, then get into step (117) if do not find;
(114) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (115),, then get into step (117) if do not exist if exist;
(115) described smart card device operating system uses the interior authentication center of smart card PKI that the signature in the new customer digital certificate that imports is verified, if pass through, then gets into step (116), if do not pass through, then gets into step (117);
(116) described smart card device operating system in smart card, compare in the described new customer digital certificate client public key whether with card in PKI in the interim PKI file identical, if identical, then get into step (12), as if inequality, then get into step (117);
(117) described smart card device operating system is carried out fault processing.
In a kind of preferred execution mode; Described smart card upgrades customer digital certificate and corresponding public and private key; Be specially: described smart card device operating system uses the new customer digital certificate of importing and the public and private key in the interim public and private key file to upgrade original customer digital certificate and the public and private key of user in the smart card, and removes the content of interim public and private key file.
In an application of the invention, the customer digital certificate update system of using among the present invention with smart card protection, as shown in Figure 3, comprising: smart card device, local terminal and CA.
Wherein, smart card device can be a standard intelligent card, also can be USB interface cipher key or the SD card cipher key that has encapsulated safety chip.Its function is to generate the new public private key pair of user and derive new client public key with the smart card device private key signature, when receiving the new customer digital certificate that CA returns, it is carried out verification, and interior public and private key of user and the digital certificate of preserving of neocaine passed through then in verification.
The local terminal can be the smart mobile phone that has the PC of smart card reader or have the SD card reader.It is used to set up the communication port between smart card device and the CA, and uses the data organization customer digital certificate of deriving in the smart card device to upgrade request.
CA is an authentication center; Be responsible for handling certificate request, the certificate management service is provided, be used for after receiving customer digital certificate renewal request; Solicited message is carried out verification, and verification is signed and issued new digital certificate and is sent to smart card device through the local terminal for the smart card device user through the back.
Wherein, operation has smart card device operating system in the smart card device, and this system is as shown in Figure 4, comprises communication module, command process module, document management module and public key algorithm module.Through these several modules, smart card device can be carried out public key signature and derive instruction and digital certificate checking importing instruction.Communication module is handled the data interaction between smart card device and local terminal, can support T=0 agreement or the communication protocol in the SD calliper model in the ISO7816-3 standard.Command process module is carried out the various instructions that meet the smart card operating system instruction set that send the local terminal, comprises that special-purpose client public key signature is derived instruction and the customer digital certificate checking imports instruction.Document management module is managed the also access control rule of execute file to key and the certificate data that will preserve in the smart card.The public key algorithm module is used for accomplishing public key algorithm computings such as public private key pair generation, private key digital signature and public key signature checking.
Smart card had been pre-installed following data before carrying out the online updating customer digital certificate: smart card card digital certificate and corresponding public and private key, CA PKI, customer digital certificate and corresponding public and private key.
As shown in Figure 5, in practical application, customer digital certificate method for remote updating of the present invention may further comprise the steps:
Step 501: the instruction of fetch equipment digital certificate is sent to smart card in the local terminal;
Step 502: smart card response reading command, Returning equipment digital certificate data;
Step 503: the local terminal is sent to smart card and is produced public private key pair instruction and the instruction of signature derivation PKI;
Step 504: smart card produces public private key pair and is saved in the interim public and private key file and uses in order to subsequent step in card, use device private that the new client public key in the interim PKI file is carried out digital signature;
Step 505: smart card returns new client public key and digital signature is given the local terminal;
Step 506: the new client public key that the local terminal will obtain from smart card, digital signature and the request of apparatus figure certificate composition renewal customer digital certificate of using device private that new client public key is calculated; Apparatus figure certificate and public and private key are produced by CA, when smart card personalization, in security context, import smart card and bind with smart card, apparatus figure certificate and can be kept in the CA database with the corresponding relation of smart card.Be kept at the initial number certificate that also has the intelligent card subscriber that CA signs and issues in the CA database simultaneously, this certificate is also bound with smart card.Because the local terminal can't obtain device private, so its digital signature in can't forged request information;
Step 507: the request that customer digital certificate will be upgraded in the local terminal sends to CA;
Step 508:CA at first will verify the apparatus figure certificate in the solicited message after receiving and upgrading certificate request; Promptly in database, search earlier this digital certificate; Re-use the digital signature in self the public key verifications digital certificate; Checking is to belong to this CA territory through the smart card that initiation request then is described, can continue next procedure, otherwise refusal upgrades request;
Step 509:CA uses the equipment PKI in the apparatus figure certificate that the digital signature in the solicited message is verified; The smart card that checking is bound from the apparatus figure certificate through the client public key of then explaining in the solicited message really; Can sign and issue new user certificate for this user, otherwise refusal upgrades request;
Step 510: send the instruction of checking importing digital certificate through the local terminal to smart card, contain the new customer digital certificate that CA signs and issues in the instruction;
Step 511: the smart card digital certificate that checking imports in card; Checking is through explaining that then this digital certificate is to be signed and issued by CA, and corresponding this upgrade customer digital certificate request, can continue next procedure; Otherwise the digital certificate of abandoning importing; Because proof procedure is in smart card, to carry out, the local terminal is can not interfere certificate verification result as the passage of digital certificate transmission data, so can prevent man-in-the-middle attack;
Step 512: smart card upgrades customer digital certificate and corresponding public and private key, has so far accomplished the more new technological process of customer digital certificate.
In above-mentioned customer digital certificate method for remote updating, in the step 504, derive the operation of instructing for public key signature, as shown in Figure 6, specifically comprise following key step:
Step 601: according to the private key file sign of appointment in the instruction input parameter, smart card device operating system is searched the device private file in card, just continue subsequent step if find, otherwise gets into fault processing;
Step 602: whether have effective private key data in the private key file that the inspection of smart card device operating system is found, check promptly whether the private key parameter is complete.If private key effectively then continue subsequent step, otherwise get into fault processing;
Step 603: according to the PKI file identification of appointment in the instruction input parameter, smart card device operating system is searched the interim PKI file of preserving new client public key in card, just continue subsequent step if find, otherwise gets into fault processing;
Step 604: whether have effective public key data in the interim PKI file that the inspection of smart card device operating system is found, check promptly whether the PKI parameter is complete.If PKI effectively then continue subsequent step, otherwise get into fault processing;
Step 605: smart card device operating system uses device private that the client public key in the interim PKI file that is about to derive is carried out digital signature;
Step 606: smart card device operating system is exported the digital signature that new client public key and device private are done new client public key.
In above-mentioned customer digital certificate method for remote updating, in the step 511, checking imports the operation of instruction for digital certificate, and is as shown in Figure 7, comprises following key step:
Step 701: according to the CA PKI file identification of appointment in the instruction input parameter, smart card device operating system is searched CA PKI file in card, just continue subsequent step if find, otherwise gets into fault processing;
Step 702: whether have effective public key data in the PKI file that the inspection of smart card device operating system is found, check promptly whether the PKI parameter is complete.If PKI effectively then continue subsequent step, otherwise get into fault processing;
Step 703: according to the interim PKI file identification of appointment in the instruction input parameter, smart card device operating system is searched the interim PKI file of preserving new client public key in card, just continue subsequent step if find, otherwise gets into fault processing;
Step 704: whether have effective public key data in the interim PKI file that the inspection of smart card device operating system is found, check promptly whether the PKI parameter is complete.If PKI effectively then continue subsequent step, otherwise get into fault processing;
Step 705: use in the card CA PKI that the signature in the new customer digital certificate that imports is verified, if checking through continue subsequent step, otherwise get into fault processing;
Step 706: whether the client public key of comparison in the new customer digital certificate be with the PKI in the PKI file is identical in the card temporarily, if compare successfully then continue subsequent step, otherwise the entering fault processing in card;
Step 707: new customer digital certificate that use to import and the public and private key in the interim public and private key file be original customer digital certificate and the public and private key of user in the neocaine more, and removes the content of interim public and private key file.
In order to prevent when smart card device is communicated by letter with CA, to carry out man-in-the-middle attack through the local terminal; The renewal digital certificate request that must accomplish to forge the local terminal can't be through the checking of CA, and the renewal digital certificate request-reply that the CA that forges of local terminal returns can't be through the checking of smart card device.
Solution provided by the invention is that the crucial solicited message of upgrading in the digital certificate request is produced by smart card; Promptly in card, use device private that new client public key is carried out digital signature; Because device private does not go out smart card device, cheats CA so the local terminal can't forge a signature.The new customer digital certificate that returns of CA verifies that the local terminal can't influence proof procedure by smart card device in card on the other hand.
It is thus clear that; Customer digital certificate update method provided by the invention use the instruction of special intelligent card operation system more in the new technological process crucial new client public key safety derive and the completion in card of new user certificate safety import operation; Can resist with the CA communication process in man-in-the-middle attack, make that customer digital certificate online updating process is more safe and reliable.
Adopted the customer digital certificate method for remote updating with smart card protection of this invention; Wherein smart card device can be initiated the renewal request of customer digital certificate by remote online through the local terminal to CA; After CA receives request, again for the user of smart card device signs and issues digital certificate, afterwards; The customer digital certificate that smart card device usefulness is signed and issued again is neocaine internal evidence book more, accomplishes whole certificate update flow process.Method provided by the present invention makes full use of the cryptographic calculations function of smart card device; Use the instruction of special intelligent card operation system more in the new technological process crucial new client public key safety derive with new user certificate safety import operation and in smart card, accomplish; Thereby can resist with the CA communication process in man-in-the-middle attack; Overcome existing safety problem in the prior art, make that customer digital certificate online updating process is more safe and reliable.And the implementation of the customer digital certificate method for remote updating with smart card protection of the present invention is easy, realizes with low costly, and range of application is also comparatively extensive.
In this specification, the present invention is described with reference to its certain embodiments.But, still can make various modifications and conversion obviously and not deviate from the spirit and scope of the present invention.Therefore, specification and accompanying drawing are regarded in an illustrative, rather than a restrictive.
Claims (6)
1. one kind has the customer digital certificate method for remote updating that smart card is protected; The update system that is applied to this update method comprises smart card; The local terminal of connection of intelligent card and the authentication center that connects described local terminal is characterized in that, described method may further comprise the steps:
(1) instruction of fetch equipment digital certificate is sent to described smart card in described local terminal;
(2) described smart card response reading command, and to described local terminal Returning equipment digital certificate data;
(3) described local terminal is sent to described smart card and is produced public private key pair instruction and the instruction of signature derivation PKI;
(4) described smart card produces public private key pair and is saved in the interim public and private key file in smart card, uses device private that the new client public key in the interim PKI file is carried out digital signature;
(5) described smart card returns new client public key and digital signature to described local terminal;
(6) the described local terminal new client public key that will from smart card, obtain uses device private that the digital signature that new client public key calculates is formed the request of renewal customer digital certificate with the apparatus figure certificate;
(7) request of upgrading customer digital certificate is sent in described local terminal to described authentication center;
(8) after described authentication center receives and upgrades certificate request, the apparatus figure certificate in the described solicited message is verified,, then got into step (9), not through then getting into step (13) if pass through;
(9) described authentication center uses the equipment PKI in the apparatus figure certificate that the digital signature in the solicited message is verified, if through then getting into step (10), not through then getting into step (13);
(10) described authentication center sends the checking importing digital certificate instruction that comprises the new customer digital certificate that authentication center signs and issues through described local terminal to described smart card;
(11) described smart card is verified the digital certificate that imports in intelligent card, if pass through, then gets into step (12), if do not pass through, then abandons the digital certificate that imports;
(12) described smart card upgrades customer digital certificate and corresponding public and private key;
(13) described authentication center refusal renewal request.
2. the customer digital certificate method for remote updating with smart card protection according to claim 1 is characterized in that be built-in with smart card device operating system in the described smart card, described step (4) specifically may further comprise the steps:
(41) according to the private key file sign of appointment in the described generation public private key pair instruction input parameter, described smart card device operating system is searched the device private file in smart card, if find, then get into step (42), if do not find, then gets into step (46);
(42) whether there is effective private key data in the private key file that described smart card device operating system inspection is found,, then gets into step (43),, then get into step (46) if do not exist if exist;
(43) based on the PKI file identification of appointment in the described generation public private key pair instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card, if find, then get into step (44); If do not find, then get into step (46);
(44) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (45),, then get into step (46) if do not exist if exist;
(45) described smart card device operating system uses device private that the client public key in the described interim PKI file is carried out digital signature, and gets into step (5);
(46) described smart card device operating system is carried out fault processing.
3. the customer digital certificate method for remote updating with smart card protection according to claim 2 is characterized in that described smart card returns new client public key and digital signature to the local terminal, is specially:
The digital signature that described smart card device operating system is exported new client public key and used device private that new client public key is done to described local terminal.
4. the customer digital certificate method for remote updating with smart card protection according to claim 1; It is characterized in that; Described authentication center has authentication center's database, and described authentication center verifies the apparatus figure certificate in the solicited message, specifically may further comprise the steps:
(81) described digital certificate is searched by described authentication center in described authentication center database, if find, then gets into step (82), if do not find, then gets into step (13);
(82) digital signature in the described digital certificate of public key verifications of use authentication center self of described authentication center if checking is passed through, then gets into step (9), if do not pass through, then gets into step (13).
5. the customer digital certificate method for remote updating with smart card protection according to claim 1 is characterized in that be built-in with smart card device operating system in the described smart card, described step (11) specifically may further comprise the steps:
(111) based on authentication center's PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched authentication center's PKI file in smart card, if find, then get into step (112); If do not find, then get into step (117);
(112) whether there is effective public key data in the PKI file that described smart card device operating system inspection is found,, then gets into step (113),, then get into step (117) if do not exist if exist;
(113) based on the interim PKI file identification of appointment in the described checking importing digital certificate instruction input parameter; Described smart card device operating system is searched the interim PKI file of preserving new client public key in smart card; If find; Then get into step (114),, then get into step (117) if do not find;
(114) whether there is effective public key data in the interim PKI file that described smart card device operating system inspection is found,, then gets into step (115),, then get into step (117) if do not exist if exist;
(115) described smart card device operating system uses the interior authentication center of smart card PKI that the signature in the new customer digital certificate that imports is verified, if pass through, then gets into step (116), if do not pass through, then gets into step (117);
(116) described smart card device operating system in smart card, compare in the described new customer digital certificate client public key whether with card in PKI in the interim PKI file identical, if identical, then get into step (12), as if inequality, then get into step (117);
(117) described smart card device operating system is carried out fault processing.
6. the customer digital certificate method for remote updating with smart card protection according to claim 5 is characterized in that, described smart card upgrades customer digital certificate and corresponding public and private key, is specially:
Described smart card device operating system uses the new customer digital certificate of importing and the public and private key in the interim public and private key file to upgrade original customer digital certificate and the public and private key of user in the smart card, and removes the content of interim public and private key file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210008153.1A CN102523095B (en) | 2012-01-12 | 2012-01-12 | User digital certificate remote update method with intelligent card protection function |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210008153.1A CN102523095B (en) | 2012-01-12 | 2012-01-12 | User digital certificate remote update method with intelligent card protection function |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102523095A true CN102523095A (en) | 2012-06-27 |
| CN102523095B CN102523095B (en) | 2015-04-15 |
Family
ID=46293898
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210008153.1A Active CN102523095B (en) | 2012-01-12 | 2012-01-12 | User digital certificate remote update method with intelligent card protection function |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102523095B (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103973647A (en) * | 2013-01-31 | 2014-08-06 | 华为终端有限公司 | Application access method and equipment |
| WO2016177052A1 (en) * | 2015-08-21 | 2016-11-10 | 中兴通讯股份有限公司 | User authentication method and apparatus |
| CN107070667A (en) * | 2017-06-07 | 2017-08-18 | 国民认证科技(北京)有限公司 | Identity identifying method, user equipment and server |
| CN107645382A (en) * | 2017-10-10 | 2018-01-30 | 飞天诚信科技股份有限公司 | A kind of identity marking equipment and its method of work |
| CN108900305A (en) * | 2018-06-28 | 2018-11-27 | 公安部第三研究所 | More certificate issuances and verification method based on intelligent and safe chip |
| CN108964917A (en) * | 2017-05-17 | 2018-12-07 | 北京安软天地科技有限公司 | A kind of user self-help formula digital certificate telesecurity management method |
| CN111201762A (en) * | 2017-08-17 | 2020-05-26 | 西门子交通有限责任公司 | Method for securely replacing a first manufacturer certificate that has been introduced into a device |
| CN113079037A (en) * | 2021-03-23 | 2021-07-06 | 中国联合网络通信集团有限公司 | Method and system for remotely updating authentication application certificate |
| CN114449521A (en) * | 2021-12-29 | 2022-05-06 | 华为技术有限公司 | Communication method and communication device |
| CN114900309A (en) * | 2021-03-29 | 2022-08-12 | 北京格瑞空间科技有限公司 | Method for corresponding user identity identification of information application system to block chain account |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040034773A1 (en) * | 2002-08-19 | 2004-02-19 | Balabine Igor V. | Establishing authenticated network connections |
| CN101136743A (en) * | 2006-08-31 | 2008-03-05 | 普天信息技术研究院 | Digital certificate updating method and system |
| CN101651540A (en) * | 2008-08-12 | 2010-02-17 | 中国移动通信集团公司 | Method, device and system for updating digital certificate |
| CN101931532A (en) * | 2009-09-08 | 2010-12-29 | 北京握奇数据系统有限公司 | Telecommunication smart card-based digital certificate management method and telecommunication smart card |
-
2012
- 2012-01-12 CN CN201210008153.1A patent/CN102523095B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040034773A1 (en) * | 2002-08-19 | 2004-02-19 | Balabine Igor V. | Establishing authenticated network connections |
| CN101136743A (en) * | 2006-08-31 | 2008-03-05 | 普天信息技术研究院 | Digital certificate updating method and system |
| CN101651540A (en) * | 2008-08-12 | 2010-02-17 | 中国移动通信集团公司 | Method, device and system for updating digital certificate |
| CN101931532A (en) * | 2009-09-08 | 2010-12-29 | 北京握奇数据系统有限公司 | Telecommunication smart card-based digital certificate management method and telecommunication smart card |
Non-Patent Citations (1)
| Title |
|---|
| 胡永涛等: "《一种基于PKI技术的远程安全发证方法》", 《第26次全国计算机安全学术交流会论文集》 * |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103973647A (en) * | 2013-01-31 | 2014-08-06 | 华为终端有限公司 | Application access method and equipment |
| WO2016177052A1 (en) * | 2015-08-21 | 2016-11-10 | 中兴通讯股份有限公司 | User authentication method and apparatus |
| CN108964917A (en) * | 2017-05-17 | 2018-12-07 | 北京安软天地科技有限公司 | A kind of user self-help formula digital certificate telesecurity management method |
| CN107070667A (en) * | 2017-06-07 | 2017-08-18 | 国民认证科技(北京)有限公司 | Identity identifying method, user equipment and server |
| CN107070667B (en) * | 2017-06-07 | 2020-08-04 | 国民认证科技(北京)有限公司 | Identity authentication method |
| CN111201762B (en) * | 2017-08-17 | 2022-10-21 | 西门子交通有限责任公司 | Method for securely replacing a first manufacturer certificate that has been introduced into a device |
| CN111201762A (en) * | 2017-08-17 | 2020-05-26 | 西门子交通有限责任公司 | Method for securely replacing a first manufacturer certificate that has been introduced into a device |
| CN107645382A (en) * | 2017-10-10 | 2018-01-30 | 飞天诚信科技股份有限公司 | A kind of identity marking equipment and its method of work |
| CN108900305A (en) * | 2018-06-28 | 2018-11-27 | 公安部第三研究所 | More certificate issuances and verification method based on intelligent and safe chip |
| CN108900305B (en) * | 2018-06-28 | 2021-06-04 | 公安部第三研究所 | Multi-certificate issuing and verifying method based on intelligent security chip |
| CN113079037A (en) * | 2021-03-23 | 2021-07-06 | 中国联合网络通信集团有限公司 | Method and system for remotely updating authentication application certificate |
| CN113079037B (en) * | 2021-03-23 | 2022-12-02 | 中国联合网络通信集团有限公司 | Method and system for remotely updating authentication application certificate |
| CN114900309A (en) * | 2021-03-29 | 2022-08-12 | 北京格瑞空间科技有限公司 | Method for corresponding user identity identification of information application system to block chain account |
| CN114449521A (en) * | 2021-12-29 | 2022-05-06 | 华为技术有限公司 | Communication method and communication device |
| WO2023125293A1 (en) * | 2021-12-29 | 2023-07-06 | 华为技术有限公司 | Communication method and communication apparatus |
| CN114449521B (en) * | 2021-12-29 | 2024-01-02 | 华为技术有限公司 | Communication method and communication device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102523095B (en) | 2015-04-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102523095B (en) | User digital certificate remote update method with intelligent card protection function | |
| US20190165947A1 (en) | Signatures for near field communications | |
| EP3474209A1 (en) | Storing blockchain private keys in a sim card | |
| CN108377272B (en) | Method and system for managing terminal of Internet of things | |
| CN100533459C (en) | Data safety reading method and safety storage apparatus thereof | |
| CN111431719A (en) | Mobile terminal password protection module, mobile terminal and password protection method | |
| CN109460966A (en) | Contract signing method, apparatus and terminal device based on requesting party's classification | |
| US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
| EP3780484B1 (en) | Cryptographic operation and working key creation method and cryptographic service platform and device | |
| CN103259667A (en) | Method and system for eID authentication on mobile terminal | |
| CN111209558B (en) | Internet of things equipment identity authentication method and system based on block chain | |
| CN101300808A (en) | Method and arrangement for secure autentication | |
| US9065806B2 (en) | Internet based security information interaction apparatus and method | |
| CN104408371A (en) | Implementation method of high security application system based on trusted execution environment | |
| CN110290134A (en) | A kind of identity identifying method, device, storage medium and processor | |
| CN110381075B (en) | Block chain-based equipment identity authentication method and device | |
| CN111131416A (en) | Business service providing method and device, storage medium and electronic device | |
| CN103914913A (en) | Intelligent card application scene recognition method and system | |
| CN108449315A (en) | Ask calibration equipment, method and the computer readable storage medium of legitimacy | |
| CN102710611A (en) | Network security authentication method and system | |
| JP2016539605A (en) | Method in network security and system in network security | |
| CN108011719A (en) | A kind of endorsement method, device and digital signature system | |
| CN113946877A (en) | Data security calculation method, system, computer equipment, storage medium and terminal | |
| WO2015055120A1 (en) | Device for secure information exchange | |
| CN106559386B (en) | A kind of authentication method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C53 | Correction of patent of invention or patent application | ||
| CB03 | Change of inventor or designer information |
Inventor after: Xu Yixin Inventor after: Yao Jingjing Inventor after: Peng Chaohui Inventor after: Xing Qin Inventor after: Tang Jiahua Inventor before: Xu Yixin Inventor before: Yao Jingjing |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: XU YIXIN YAO JINGJING TO: XU YIXIN YAO JINGJING PENG ZHAOHUI XING QIN TANGJIAHUA |
|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |