CN103729588A - Signature method of signature device - Google Patents

Info

Publication number: CN103729588A
Authority: CN (China)
Prior art keywords: instruction, signature, key, application, byte
Legal status: Granted (Active)
Application number: CN201310724219.1A
Other languages: Chinese (zh)
Other versions: CN103729588B (en)
Inventors: 陆舟, 于华章
Current Assignee: Feitian Technologies Co Ltd
Original Assignee: Feitian Technologies Co Ltd
Application filed by Feitian Technologies Co Ltd
Priority to CN201310724219.1A
Publication of CN103729588A
Application granted; publication of CN103729588B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • G06F21/445: Program or device authentication by mutual authentication, e.g. between devices or programs
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a signature method for a signature device and belongs to the technical field of information security. In the method, the signature device receives an open-application instruction, an open-container instruction, a generate-key-pair instruction and a signature instruction issued by a host computer, and these complete the whole signing process. The operations performed on receiving the open-container and generate-key-pair instructions place a signature key associated with a subject in a designated container; when the signature instruction is received, the signing operation uses that subject-associated signature key. This strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and enhances the security of the signature.

Description

A signature method for a signature device
Technical field
The invention belongs to the field of information security technology and relates in particular to a signature method for a signature device.
Background
With the widespread use of signature devices (such as USBKeys), the security of their signature methods deserves more attention. Among the existing signature methods for such devices, the one based on the SM2 algorithm (an elliptic-curve public-key cryptographic algorithm) is the most widely used. This method requires a preprocessing step that produces a signature preprocessing result (commonly called the Z value) associated with the subject's name and the subject's SM2 public key. In typical practice, the parameter from which the Z value is produced (commonly called the UserID) is information supplied from outside the USBKey, and the Z value is then calculated from that UserID. As a result, a single signing key can be associated with multiple UserIDs, that is, with multiple subjects.
A subject is normally used to identify an entity in an information system, such as a host, an account, a person or a role. The information system usually assigns it to that entity and binds the subject to a public key to form a certificate, which is used for the system's authentication and authorization management. If a user who uses a USBKey to generate a key pair and sign can arbitrarily specify a UserID in the information system, identity and authorization may be abused, which makes the signature method insecure.
Summary of the invention
The signature method for a signature device proposed by the invention solves the security risk that exists in signature applications in the prior art.
The technical solution adopted by the invention is as follows: a signature method for a signature device, comprising: a step in which the device powers on and initializes; a step in which the device receives an instruction issued by the host computer; and a step in which the device determines the type of the received instruction, performs the corresponding operation according to that type, and returns a response message to the host computer.
When the device determines that the instruction is an open-application instruction, it opens the application on the device that corresponds to the application name contained in the open-application instruction, and returns an open-application response message to the host computer;
When the device determines that the instruction is an open-container instruction, it determines the current application according to the application identifier contained in the open-container instruction, opens the specified container under the current application that corresponds to the container name contained in the instruction, and returns an open-container response message to the host computer;
When the device determines that the instruction is a generate-key-pair instruction, it checks whether a signature preprocessing result is stored in the preset storage area; if so, it first clears that result from the preset storage area and then performs the key pair generation operation; otherwise it performs the key pair generation operation directly. The key pair generation operation is specifically: determine the specified container under the current application according to the application identifier and container identifier contained in the generate-key-pair instruction; create a public/private key file structure in the specified container according to the key information contained in the instruction; fill the preset information in that public/private key file structure with the file identifier and record number contained in the instruction to obtain the generated key pair; and return a generate-key-pair response message to the host computer;
When the device determines that the instruction is a signature instruction, it determines the specified container under the current application according to the application identifier and container identifier contained in the signature instruction, and checks whether a signature preprocessing result is stored in the preset storage area. If so, it obtains that result directly; otherwise it obtains the file identifier and record number from the key pair's file structure in the specified container, obtains the record data corresponding to that record number from the record file corresponding to that file identifier, calculates a signature preprocessing result from the public key of the key pair and the record data, and stores it in the preset storage area;
It then calculates the signature result over the data to be signed contained in the signature instruction, using the signature preprocessing result and the private key of the key pair in the specified container, and returns a signature response message to the host computer.
The method further comprises: when the device determines that the instruction is a verify-PIN instruction, it obtains the PIN identifier, application identifier and PIN code from the verify-PIN instruction, determines the login identity according to the PIN identifier, determines the current application according to the application identifier, and verifies whether the PIN code is correct. If it is, the device sets the current login state according to the login identity and returns to the host computer a verify-PIN response message whose status code is the first preset value; otherwise it returns to the host computer a verify-PIN response message whose status code is another value.
The method further comprises: when the device determines that the instruction is a create-record-file instruction, it determines the current application according to the application identifier contained in the create-record-file instruction, creates a record file under the current application according to the record file information contained in the instruction, and returns a create-record-file response message to the host computer.
The method further comprises: when the device determines that the instruction is a write-record instruction, it determines the current application according to the application identifier contained in the write-record instruction, finds a record file under the current application according to the filename contained in the instruction, writes the record data to be written contained in the instruction to the corresponding address in that record file according to the offset contained in the instruction, and returns a write-record response message to the host computer.
Preferably, when the device determines that the instruction is a create-record-file instruction, the method also comprises a step of confirming that the current login state is the administrator login state.
Preferably, when the device determines that the instruction is an open-container instruction, a generate-key-pair instruction or a signature instruction, the method also comprises a step of confirming that the current login state is the user login state.
Beneficial effect of the above technical solution: the signature method for a signature device proposed by the invention strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and enhances the security of the signature.
Brief description of the drawings
Fig. 1 is a flow chart of the signature method for a signature device provided by Embodiment 2 of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawing. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention.
Embodiment 1
This embodiment provides a signature method for a signature device. The device may be a USBKey or any other device capable of signing. The record data mentioned in this embodiment corresponds to the UserID parameter described in the background, and the signature preprocessing result mentioned in this embodiment corresponds to the Z value described there. The signature method comprises:
Step 1: the device powers on and initializes;
Step 2: the device receives an instruction issued by the host computer;
Step 3: the device determines the type of the received instruction, performs the corresponding operation according to that type, and returns a response message to the host computer;
This step specifically comprises: when the device determines that the instruction is an open-application instruction, it opens the application on the device that corresponds to the application name contained in the open-application instruction, and returns an open-application response message to the host computer;
When the device determines that the instruction is an open-container instruction, it determines the current application according to the application identifier contained in the open-container instruction, opens the specified container under the current application that corresponds to the container name contained in the instruction, and returns an open-container response message to the host computer;
When the device determines that the instruction is a generate-key-pair instruction, it checks whether a signature preprocessing result is stored in the preset storage area; if so, it first clears that result from the preset storage area and then performs the key pair generation operation; otherwise it performs the key pair generation operation directly. The key pair generation operation is specifically: determine the specified container under the current application according to the application identifier and container identifier contained in the generate-key-pair instruction; create a public/private key file structure in the specified container according to the key information contained in the instruction; fill the preset information in that public/private key file structure with the file identifier and record number contained in the instruction to obtain the generated key pair; and return a generate-key-pair response message to the host computer;
When the device determines that the instruction is a signature instruction, it determines the specified container under the current application according to the application identifier and container identifier contained in the signature instruction, and checks whether a signature preprocessing result is stored in the preset storage area. If so, it obtains that result directly; otherwise it obtains the file identifier and record number from the key pair's file structure in the specified container, obtains the record data corresponding to that record number from the record file corresponding to that file identifier, calculates a signature preprocessing result from the public key of the key pair and the record data, and stores it in the preset storage area;
It then calculates the signature result over the data to be signed contained in the signature instruction, using the signature preprocessing result and the private key of the key pair in the specified container, and returns a signature response message to the host computer.
In the signature method of this embodiment, the operations performed on receiving the open-container and generate-key-pair instructions place the subject-associated signature key in the specified container, and the signing operation performed on receiving the signature instruction uses that subject-associated signature key. This strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and enhances the security of the signature.
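The binding described in this embodiment can be modelled as device state. The following is an added example, not code from the patent or its assignee: it assumes SHA-256 as a stand-in for SM3, a random placeholder instead of a real SM2 key pair, and hypothetical names (`SignatureDevice`, `digest_to_sign`). It shows that the host never supplies the UserID at signing time and that generating a new key pair clears the stored preprocessing result.

```python
import hashlib
import os


def z_value(user_id: bytes, public_key: bytes) -> bytes:
    """Stand-in for the SM2 Z value. Real SM2 computes
    SM3(ENTL || ID || a || b || xG || yG || xA || yA); SHA-256 over
    ENTL || ID || public key is used here only to stay in the standard library."""
    entl = (len(user_id) * 8).to_bytes(2, "big")  # ID length in bits
    return hashlib.sha256(entl + user_id + public_key).digest()


class SignatureDevice:
    """Hypothetical model of the device state; login checks are left out."""

    def __init__(self):
        self.record_files = {}  # file identifier -> {record number: record data (UserID)}
        self.containers = {}    # container name -> key file structure
        self.cached_z = None    # the "preset storage area" for the preprocessing result

    def write_record(self, file_id, record_no, user_id):
        self.record_files.setdefault(file_id, {})[record_no] = bytes(user_id)

    def generate_key_pair(self, container, file_id, record_no):
        # A stored preprocessing result belongs to the previous key: clear it first.
        self.cached_z = None
        private_key = os.urandom(32)
        # Placeholder "public key"; a real device derives an SM2 curve point.
        public_key = hashlib.sha256(b"public" + private_key).digest()
        # The file identifier and record number are fixed inside the key file
        # structure at generation time, which is what binds key to subject.
        self.containers[container] = {
            "private": private_key,
            "public": public_key,
            "file_id": file_id,
            "record_no": record_no,
        }
        return public_key

    def digest_to_sign(self, container, message):
        """Return e = H(Z || M), the digest the private key would sign.
        The host passes only the container and the message, never a UserID.
        The elliptic-curve signature itself is outside this model."""
        key = self.containers[container]
        if self.cached_z is None:
            user_id = self.record_files[key["file_id"]][key["record_no"]]
            self.cached_z = z_value(user_id, key["public"])
        return hashlib.sha256(self.cached_z + message).digest()


if __name__ == "__main__":
    dev = SignatureDevice()
    # Constructed sample data: file identifier 1, record numbers 1 and 2.
    dev.write_record(1, 1, b"1234567812345678")
    dev.write_record(1, 2, b"constructed-subject-2")
    dev.generate_key_pair("Container1", 1, 1)
    first = dev.digest_to_sign("Container1", b"message")
    dev.generate_key_pair("Container1", 1, 2)   # clears the stored Z
    second = dev.digest_to_sign("Container1", b"message")
    print(first.hex())
    print(second.hex())
```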
Embodiment 2
This embodiment provides a signature method for a signature device. The device may be a USBKey or any other device capable of signing. The record data mentioned in this embodiment corresponds to the UserID parameter described in the background, and the signature preprocessing result mentioned in this embodiment corresponds to the Z value described there.
The signature method of this embodiment comprises a record data management process and a signing process, as shown in Fig. 1. Steps 8-18 are the device's internal processing flow when an administrator manages record files or record data, and steps 19-30 are the device's internal processing flow when a user uses the device to generate a key pair and sign. The method comprises:
Step 1: the device powers on and initializes;
Step 2: the device receives an instruction issued by the host computer;
Step 3: the device determines the type of the received instruction: for an open-application instruction, perform step 4; for a verify-PIN instruction, perform step 6; for a create-record-file instruction, perform step 10; for a write-record instruction, perform step 13; for an open-container instruction, perform step 15; for a generate-key-pair instruction, perform step 18; for a signature instruction, perform step 21;
Specifically, in this embodiment the instruction type is determined from the 1st and 2nd bytes of the received instruction: when they are 0x80 26 the instruction is an open-application instruction; when they are 0x80 18 it is a verify-PIN instruction; when they are 0x80 30 it is a create-record-file instruction; when they are 0x80 3A it is a write-record instruction; when they are 0x80 42 it is an open-container instruction; when they are 0x80 70 it is a generate-key-pair instruction; and when they are 0x80 74 it is a signature instruction.
Step 4: open an application on the device according to the application name contained in the open-application instruction;
This step specifically comprises:
Step 4-1: obtain a length value from the 5th and 6th bytes of the open-application instruction and check whether the length of the data field after the 6th byte matches this length value; if so, perform step 4-2; otherwise generate an open-application response message containing a status code and perform step 5;
Preferably, the status code in the open-application response message generated in this step is the second preset value, for example 0x6700.
Step 4-2: obtain the application name from the data field and open the application on the device that corresponds to this application name;
Further, when no application corresponding to this application name exists on the device, generate an open-application response message containing a status code whose value is the third preset value, for example 0x6A8B. Or, when an application is already open on the device and the device does not support opening multiple applications at the same time, generate an open-application response message containing a status code whose value is the fourth preset value, for example 0x6A90.
For example: if the received open-application instruction is 80 26 00 00 00000C Application1, the application opened is Application1.
Step 5: return the open-application response message to the host computer, then return to step 2.
Specifically, when step 4 executes correctly, this step returns an open-application response message containing a status code and response data. The status code SW1SW2 is the first preset value, for example 0x9000. The response data is the attribute information of the application, such as the permissions for creating files and containers under the application, the maximum number of containers the application supports, the maximum number of certificates it supports, the maximum number of files it supports, and the application ID. When an error occurs during step 4, this step returns an open-application response message containing a status code whose SW1SW2 value is another value, for example 0x6700, 0x6A8B or 0x6A90.
Step 6: obtain the PINID, application ID and PIN code from the verify-PIN instruction;
This step specifically comprises:
Step 6-1: obtain the PINID from the 4th byte of the verify-PIN instruction and a length value from the 5th to 7th bytes, and check whether the length of the data field after the 7th byte matches this length value; if so, perform step 6-2; otherwise generate a verify-PIN response message containing a status code and perform step 9;
Preferably, the status code in the verify-PIN response message generated in this step is the second preset value, for example 0x6700.
Step 6-2: obtain the application ID and PIN code from the data field according to the first preset structure.
Specifically, the first preset structure is: application ID (2 bytes) + PIN code (16 bytes).
Step 7: determine the login identity according to the PINID, determine the current application according to the application ID, and verify whether the PIN code is correct; if so, perform step 8; otherwise perform step 9;
Preferably, when the PINID is 0x00 the login identity is administrator, and when the PINID is 0x01 the login identity is user.
Further, when the current application determined from the application ID is an application that has not been opened, generate a verify-PIN response message containing a status code and perform step 9; preferably, this status code is the fifth preset value, for example 0x698A.
Step 8: set the current login state according to the login identity;
Specifically, when the login identity is administrator, the current login state is set to the administrator login state; when the login identity is user, the current login state is set to the user login state.
For example, the received verify-PIN instruction is 80 18 00 00 000012 0100 31 32 33 34 35 36 37 38 31 32 33 34 35 36 37 38. From this instruction the login identity is determined to be administrator, the application ID obtained from the instruction is 0x0100, and the PIN code is 31 32 33 34 35 36 37 38 31 32 33 34 35 36 37 38; when the PIN code verifies correctly, the current login state is set to administrator login.
Step 9: return the verify-PIN response message to the host computer, then return to step 2.
Specifically, when steps 6 to 8 execute correctly, this step returns a verify-PIN response message containing a status code whose SW1SW2 value is the first preset value, for example 0x9000. When an error occurs during steps 6 to 8, the SW1SW2 value in the verify-PIN response message returned by this step is another value, for example 0x6700 or 0x698A.
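An added example, not part of the patent text, of the instruction dispatch in step 3, the verify-PIN handling in steps 6 to 9 and the login-state checks, run against the sample verify-PIN instruction above. The class and constant names are hypothetical, and the two status codes the page does not specify (wrong PIN, operation not allowed) are placeholders.

```python
import hmac

SW_OK = 0x9000            # first preset value
SW_WRONG_LENGTH = 0x6700  # second preset value
SW_APP_NOT_OPEN = 0x698A  # fifth preset value
# The page gives no values for a wrong PIN, an unknown instruction or a missing
# login state; these two codes are placeholders made up for this example.
SW_PIN_WRONG = 0x6F01
SW_NOT_ALLOWED = 0x6F02

# Instruction type from the 1st and 2nd bytes, as listed in step 3.
INSTRUCTIONS = {
    bytes.fromhex("8026"): "open_application",
    bytes.fromhex("8018"): "verify_pin",
    bytes.fromhex("8030"): "create_record_file",
    bytes.fromhex("803A"): "write_record",
    bytes.fromhex("8042"): "open_container",
    bytes.fromhex("8070"): "generate_key_pair",
    bytes.fromhex("8074"): "sign",
}
# Login state each instruction requires, per the "preferably" clauses.
REQUIRED_LOGIN = {
    "create_record_file": "administrator",
    "open_container": "user",
    "generate_key_pair": "user",
    "sign": "user",
}
IDENTITY_BY_PINID = {0x00: "administrator", 0x01: "user"}

# The page's sample verify-PIN instruction.
VERIFY_PIN_SAMPLE = bytes.fromhex(
    "80 18 00 00 000012 0100 31 32 33 34 35 36 37 38 31 32 33 34 35 36 37 38")


class Device:
    def __init__(self, open_apps, pins):
        self.open_apps = open_apps  # set of opened application IDs (2 bytes each)
        self.pins = pins            # {(application ID, PINID): 16-byte PIN code}
        self.login_state = None

    def verify_pin(self, apdu):
        if len(apdu) < 7:
            return SW_WRONG_LENGTH
        pin_id = apdu[3]                           # 4th byte
        length = int.from_bytes(apdu[4:7], "big")  # 5th to 7th bytes
        data = apdu[7:]
        # First preset structure: application ID (2) + PIN code (16). Rejecting
        # any other declared length with 0x6700 is this example's choice.
        if len(data) != length or length != 18:
            return SW_WRONG_LENGTH
        app_id, pin = data[:2], data[2:]
        if app_id not in self.open_apps:
            return SW_APP_NOT_OPEN
        identity = IDENTITY_BY_PINID.get(pin_id)
        expected = self.pins.get((app_id, pin_id))
        # compare_digest avoids leaking how many leading PIN bytes matched.
        if identity is None or expected is None or not hmac.compare_digest(pin, expected):
            return SW_PIN_WRONG
        self.login_state = identity
        return SW_OK

    def dispatch(self, apdu):
        """Return (instruction name, status code)."""
        name = INSTRUCTIONS.get(bytes(apdu[:2]))
        if name is None:
            return None, SW_NOT_ALLOWED
        if name == "verify_pin":
            return name, self.verify_pin(apdu)
        required = REQUIRED_LOGIN.get(name)
        if required is not None and self.login_state != required:
            return name, SW_NOT_ALLOWED
        return name, SW_OK  # the handler body itself is outside this example


if __name__ == "__main__":
    app = bytes.fromhex("0100")
    dev = Device({app}, {(app, 0x00): b"1234567812345678"})
    print(dev.dispatch(bytes.fromhex("80301001")))  # refused before login
    print(dev.dispatch(VERIFY_PIN_SAMPLE))          # administrator login
    print(dev.dispatch(bytes.fromhex("80301001")))  # now accepted
```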
Step 10: check whether the current login state is the administrator login state; if so, perform step 11; otherwise return a "not supported" status code and return to step 2;
Step 11: determine the current application according to the application ID contained in the create-record-file instruction, and create a record file under the current application according to the record file information contained in the instruction;
This step specifically comprises:
Step 11-1: obtain the application ID from the 3rd and 4th bytes of the create-record-file instruction and determine the current application according to this application ID;
Further, if no application can be found on the device according to the application ID, generate a create-record-file response message containing a status code; preferably, the value of the status code SW1SW2 is the sixth preset value, for example 0x6A88.
Step 11-2: obtain a length value from the 5th to 7th bytes of the create-record-file instruction and check whether the length of the data field after the 7th byte matches this length value; if so, perform the next step; otherwise generate a create-record-file response message containing a status code;
Preferably, the value of SW1SW2 in this step is the second preset value, for example 0x6700.
Step 11-3: obtain the information of the record file to be created from the data field according to the second preset structure;
The record file information comprises: filename, file size, read-permission flag and write-permission flag. The second preset structure is: filename (32 bytes) + file size (4 bytes) + read-permission flag (4 bytes) + write-permission flag (4 bytes). Preferably, a filename shorter than 32 bytes is padded with 0; a read-permission flag of 10000000 means readable, and a write-permission flag of 10000000 means writable.
Step 11-4: create the record file under the current application according to the record file information.
Further, this step may also check, using the filename in the record file information, whether a file of the same name already exists under the current application; if so, generate a create-record-file response message containing a status code; otherwise create the record file under the current application. Preferably, the value of SW1SW2 in this step is the seventh preset value, for example 0x6A92.
For example, the received create-record-file instruction is: 80 30 1001 00002C useridrecordfile1 000000000000000000000000000000 00010000 10000000 10000000. The record file created from this instruction is useridrecordfile1, and it is a readable and writable file.
Step 12: return the create-record-file response message to the host computer, then return to step 2.
Specifically, when step 11 executes correctly, the status code SW1SW2 in the create-record-file response message returned by this step is the first preset value, for example 0x9000, and the data field of the response message also contains the filename and file ID. When an error occurs during step 11, the status code SW1SW2 in the create-record-file response message returned by this step takes another value, for example 0x6700, 0x6A88 or 0x6A92.
Step 13: determine the current application according to the application ID contained in the write-record instruction, find a record file under the current application according to the filename contained in the instruction, and, according to the offset contained in the instruction, write the record data to be written contained in the instruction to the corresponding address in that record file;
This step specifically comprises:
Step 13-1: obtain the application ID from the 5th and 6th bytes of the write-record instruction and determine the current application according to this application ID;
Step 13-2: obtain a length value from the 7th and 8th bytes of the write-record instruction and check whether the length of the data field after the 8th byte matches this length value; if so, perform the next step; otherwise generate a write-record response message containing a status code;
Preferably, the value of SW1SW2 in this step is the second preset value, for example 0x6700.
Step 13-3: obtain the offset, filename and record data to be written from the data field according to the third preset structure;
Specifically, the third preset structure is: offset (2 bytes) + filename length (2 bytes) + filename + length of the record data to be written (2 bytes) + record data to be written.
Further, this step may also verify the actual lengths of the filename and of the record data to be written in the third preset structure against the filename length and record data length fields of that structure. When a length error is found, generate a write-record response message containing a status code; preferably, the value of SW1SW2 in this step is the second preset value, for example 0x6700.
Step 13-4: find a record file under the current application according to the filename, determine a write address in the record file according to the offset, and write the record data to be written to that write address.
Specifically, the record number of the record data can be determined from this write address. For example, when the write address is 0000, the corresponding record number is 1.
Further, this step may also comprise:
First step: check, according to the filename, whether a record file corresponding to this filename exists under the current application; if so, perform the second step; otherwise generate a write-record response message containing a status code. Preferably, the value of SW1SW2 in this step is the eighth preset value, for example 0x6A93.
Second step: check whether the offset exceeds the size of the record file; if so, generate a write-record response message containing a status code; otherwise determine a specified address in the record file and write the record data to be written to that address. Preferably, the value of SW1SW2 in this step is the ninth preset value, for example 0x6B00.
For example: the received write-record instruction is 80 3A 00 00 000029 0100 0000 1100 useridrecordfile1 1000 1234567812345678; the record data 1234567812345678 is written to the position at offset address 0000 in the record file useridrecordfile1.
Step 14: return the write-record response message to the host computer, then return to step 2.
For example: when step 13 executes correctly, the status code SW1SW2 in the write-record response message returned by this step is the first preset value, for example 0x9000, and the data field of the write-record response message also contains the record number. When an error occurs during step 13, the status code SW1SW2 in the write-record response message returned by this step takes another value, for example 0x6700, 0x6A93 or 0x6B00.
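An added example (not the patent's own code) of the write-record checks in step 13, following the byte layout of the sample instruction above: a 3-byte big-endian length, then the application ID, then the third preset structure. Reading the two-byte fields as little-endian is inferred from that sample (1100 for the 17-byte filename); the function names and the 256-byte record file are assumptions.

```python
SW_OK = 0x9000                   # first preset value
SW_WRONG_LENGTH = 0x6700         # second preset value
SW_FILE_NOT_FOUND = 0x6A93       # eighth preset value
SW_OFFSET_OUT_OF_RANGE = 0x6B00  # ninth preset value

# The page's sample write-record instruction, spelled out byte for byte.
PAGE_SAMPLE = (bytes.fromhex("80 3A 00 00 000029 0100 0000 1100")
               + b"useridrecordfile1"
               + bytes.fromhex("1000")
               + b"1234567812345678")


def build_write_record(app_id, offset, filename, record):
    """Host side: encode a write-record instruction in the sample's layout."""
    body = (app_id
            + offset.to_bytes(2, "little")
            + len(filename).to_bytes(2, "little") + filename
            + len(record).to_bytes(2, "little") + record)
    return bytes.fromhex("803A0000") + len(body).to_bytes(3, "big") + body


def write_record(record_files, apdu):
    """Device side. record_files maps (application ID, filename) to a bytearray.
    Every length field is checked against the bytes actually received before
    it is used as an index."""
    if len(apdu) < 7:
        return SW_WRONG_LENGTH
    length = int.from_bytes(apdu[4:7], "big")
    data = apdu[7:]
    if len(data) != length:
        return SW_WRONG_LENGTH
    # Fixed part: application ID, offset, filename length, record length (2 each).
    if length < 8:
        return SW_WRONG_LENGTH
    app_id = data[0:2]
    offset = int.from_bytes(data[2:4], "little")
    name_len = int.from_bytes(data[4:6], "little")
    name_end = 6 + name_len
    if name_end + 2 > length:      # filename would run past the data field
        return SW_WRONG_LENGTH
    filename = data[6:name_end]
    record_len = int.from_bytes(data[name_end:name_end + 2], "little")
    record = data[name_end + 2:]
    if len(record) != record_len:  # declared and actual record size differ
        return SW_WRONG_LENGTH
    target = record_files.get((app_id, filename))
    if target is None:
        return SW_FILE_NOT_FOUND
    # The page checks the offset against the file size; checking the end of
    # the write as well is an addition made in this example.
    if offset + record_len > len(target):
        return SW_OFFSET_OUT_OF_RANGE
    target[offset:offset + record_len] = record
    return SW_OK


if __name__ == "__main__":
    files = {(bytes.fromhex("0100"), b"useridrecordfile1"): bytearray(256)}
    print(hex(write_record(files, PAGE_SAMPLE)))
    oversized_name = PAGE_SAMPLE[:11] + b"\xff\x00" + PAGE_SAMPLE[13:]
    print(hex(write_record(files, oversized_name)))
```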
Step 15: judge whether the current login state is the user login state; if so, perform step 16; otherwise return a not-supported status code and return to step 2;
Step 16: determine the current application according to the application ID contained in the open container instruction, and open the specified container under the current application according to the container name contained in the open container instruction;
This step specifically comprises:
Step 16-1: obtain a length value from the 5th to 7th bytes of the open container instruction and judge whether the length of the data field following the 7th byte matches this length value; if so, perform the next step; otherwise generate an open container response message containing a status code and perform step 17;
Preferably, the value of the status code SW1SW2 in this step is the second preset value; for example, the second preset value is 6700.
Step 16-2: obtain the application ID and the container name from the data field according to the fourth preset structure;
Specifically, the fourth preset structure is: application ID + container name;
Step 16-3: determine the current application according to the application ID, find the specified container under the current application according to the container name, and open the specified container;
Further, if no application can be found on the device according to the application ID, generate an open container response message containing a status code; preferably, the value of the status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 0x6A88. If no specified container can be found under the current application according to the container name, generate an open container response message containing a status code; preferably, the value of the status code SW1SW2 is the tenth preset value; for example, the tenth preset value is 0x6A91.
The container mentioned in this embodiment is a logical object used to store asymmetric key pairs and session keys.
For example: the received open container instruction is 80 42 00 00 00000C 0100 Container1 0002, which opens the specified container Container1 under the application whose ID is 0100.
Step 17: return the open container response message to the host computer, then return to step 2.
Specifically, when step 16 executes correctly, this step returns an open container response message containing a status code and response data, where the status code SW1SW2 is the first preset value and the response data is specifically the container ID; when an error occurs during step 16, this step returns an open container response message containing a status code, where the status code SW1SW2 takes another value. For example, other values are 0x6700, 0x6A88 and 0x6A91.
Step 18: judge whether the current login state is the user login state; if so, perform step 19; otherwise return a not-supported status code and return to step 2;
Step 19: determine the specified container under the current application according to the application ID and container ID contained in the generate key pair instruction, create a public/private key file structure in the specified container according to the key information contained in the generate key pair instruction, and fill the preset information in the public/private key file structure according to the file ID and record number contained in the generate key pair instruction, obtaining the generated key pair;
This step specifically comprises:
Step 19-1: obtain a length value from the 5th to 7th bytes of the generate key pair instruction and judge whether the length of the data field following the 7th byte matches this length value; if so, perform the next step; otherwise generate an open container response message containing a status code;
Preferably, the length value in this step is a preset length, for example 8, and the value of the status code SW1SW2 is the second preset value; for example, the second preset value is 0x6700.
Step 19-2: obtain the application ID, container ID, key information, file ID and record number from the data field according to the fifth preset structure;
Specifically, the fifth preset structure is: application ID (2 bytes) + container ID (2 bytes) + key information (4 bytes) + file ID (2 bytes) + record number (2 bytes); the key information includes the bit length of the key pair to be generated.
Step 19-3: determine the specified container under the current application according to the application ID and container ID, and create a public/private key file structure in the specified container according to the key information contained in the generate key pair instruction;
Further, if no application can be found on the device according to the application ID, generate a generate key pair response message containing a status code; preferably, the value of the status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 0x6A88. If no specified container can be found under the current application according to the container ID, generate a generate key pair response message containing a status code; preferably, the value of the status code SW1SW2 is the eleventh preset value; for example, the eleventh preset value is 0x6A94.
Specifically, the public/private key file structure is as follows:
[Figures BDA0000445822600000141 and BDA0000445822600000151: public/private key file structure; images not reproduced]
Step 19-4: fill the preset information in the public/private key file structure according to the file ID and record number, obtaining the generated key pair.
Specifically, the preset information comprises uidRecordFID and uidRecordNo.
For example, the received generate key pair instruction is 80 70 00 00 00000C 0100 0100 00010000 1001 0100, and the preset information contained in the file structure of the generated key pair is: uidRecordFID=1001, uidRecordNo=0100.
Further, before step 19-2 the method also comprises: judging whether the data field of the generate key pair instruction conforms to the fifth preset structure; if so, performing steps 19-2 to 19-4 to generate a key pair of the SM2 type; otherwise generating a key pair of another type. Key pairs of other types and the corresponding signature methods are outside the scope of the present invention and are not described in detail here.
Preferably, before step 19 the method may also comprise: judging whether a signature preprocessing result is stored in the preset storage area; if so, first clearing the signature preprocessing result from the preset storage area and then performing step 19; otherwise performing step 19 directly. The signature preprocessing result calculated in step 19 is stored in the preset storage area.
Step 20: return the generate key pair response message to the host computer, then return to step 2.
Specifically, when step 19 executes correctly, this step returns a generate key pair response message containing a status code and response data, where the status code SW1SW2 is the first preset value and the response data is specifically the data related to the generated key pair; when an error occurs during step 19, this step returns a generate key pair response message containing a status code, where the status code SW1SW2 takes another value. For example, other values are 0x6700, 0x6A88 and 0x6A94.
Step 21: judge whether the current login state is the user login state; if so, perform step 22; otherwise return a not-supported status code and return to step 2;
Step 22: determine the specified container under the current application according to the application ID and container ID contained in the signature command, obtain the file ID and record number from the file structure of the key pair in the specified container, obtain the record data from the log file according to the obtained file ID and record number, calculate a signature preprocessing result from the public key of the key pair and the record data, and calculate a signature result over the data to be signed contained in the signature command according to the signature preprocessing result and the private key of the key pair;
This step specifically comprises:
Step 22-1: obtain a length value from the 5th to 7th bytes of the signature command and judge whether the length of the data field following the 7th byte matches this length value; if so, perform the next step; otherwise generate a signature response message containing a status code;
Preferably, the value of the status code SW1SW2 is the second preset value; for example, the second preset value is 0x6700.
Step 22-2: obtain the application ID, container ID and data to be signed from the data field according to the sixth preset structure;
Specifically, the sixth preset structure is: application ID + container ID + data to be signed;
Step 22-3: determine the specified container under the current application according to the application ID and container ID, obtain the key pair from the specified container, obtain the file ID and record number from the file structure of the key pair, and obtain the record data from the log file according to the obtained file ID and record number;
Specifically, a log file is found according to the file ID, and the record data can be read from this log file according to the record number.
Further, if no application can be found on the device according to the application ID, generate a signature response message containing a status code; preferably, the value of this status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 6A88. If no specified container can be found under the current application according to the container ID, generate a signature response message containing a status code; preferably, the value of this status code SW1SW2 is the eleventh preset value; for example, the eleventh preset value is 6A94. If no key pair can be obtained from the specified container, generate a signature response message containing a status code; preferably, the value of the status code SW1SW2 is the twelfth preset value; for example, the twelfth preset value is 6A95. If no corresponding log file can be found, or no corresponding record data can be obtained, according to the file ID and record number, generate a signature response message containing a status code; preferably, the status code value is the thirteenth preset value.
Step 22-4: calculate a signature preprocessing result from the public key of the key pair and the obtained record data, and calculate a signature result over the data to be signed according to the signature preprocessing result and the private key of the key pair.
For example, the received signature command is: 80 74 03 00 000024 01000100 12345678123456781234567812345678.
Preferably, step 22 may also comprise: judging whether a signature preprocessing result is stored in the preset storage area; if so, obtaining the signature preprocessing result; otherwise obtaining the file identifier and record number from the file structure of the key pair in the specified container, obtaining from the log file corresponding to the file identifier the record data corresponding to the record number, calculating a signature preprocessing result from the public key of the key pair and the record data, and storing it in the preset storage area.
Step 23: return the signature response message to the host computer, then return to step 2.
It should be noted that before step 22 the method also comprises: judging whether the 3rd byte of the signature command is a preset value; if so, performing step 22 to carry out an SM2 signature; otherwise carrying out a signature with another algorithm. Signatures with other algorithms are outside the scope of the present invention and are not described in detail here. Preferably, the preset value is 0x03.
Specifically, when step 22 executes correctly, this step returns a signature response message containing a status code and response data, where the status code SW1SW2 is the first preset value and the response data is specifically the signature result; when an error occurs during step 22, this step returns a signature response message containing a status code, where the status code SW1SW2 takes another value. For example, other values are 0x6700, 0x6A88, 0x6A94 and 0x6A95.
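Steps 19 and 22 together bind a key pair to one record at generation time and resolve that record again at signing time. The C code below is an added example, not code from the patent: it parses the two example instructions quoted above, returns the status codes named in the text, and tracks whether the preset storage area holds a preprocessing result. The device model and the names container_t, device_t, handle_generate_keypair and handle_sign_lookup are hypothetical; the length bytes are read big-endian and only the SM2 layout is handled (both assumptions), and the SM2 computation itself is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SW_OK            0x9000  /* first preset value */
#define SW_WRONG_LENGTH  0x6700  /* second preset value */
#define SW_NO_APP        0x6A88  /* sixth preset value */
#define SW_NO_CONTAINER  0x6A94  /* eleventh preset value */
#define SW_NO_KEYPAIR    0x6A95  /* twelfth preset value */

/* Hypothetical device model: containers plus the single preset storage area. */
typedef struct {
    uint16_t app_id, container_id;
    int      has_keypair;
    uint8_t  key_info[4];
    uint16_t uidRecordFID, uidRecordNo;  /* preset information filled at key generation */
} container_t;

typedef struct {
    container_t *containers;
    size_t       count;
    int          z_cached;  /* 1 while a signature preprocessing result is stored */
} device_t;

/* The page's two example instructions; the data to be signed is taken as 32 ASCII bytes. */
static const uint8_t GENKEY_APDU[] = {
    0x80, 0x70, 0x00, 0x00, 0x00, 0x00, 0x0C,                    /* header, length */
    0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x10, 0x01, 0x01, 0x00 };
static const uint8_t SIGN_APDU[] =
    "\x80\x74\x03\x00\x00\x00\x24\x01\x00\x01\x00" "12345678123456781234567812345678";
#define SIGN_APDU_LEN (sizeof SIGN_APDU - 1)  /* drop the string literal's NUL */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes 5 to 7 give the length (read big-endian: assumption); the rest must match it. */
static int data_field(const uint8_t *apdu, size_t len, const uint8_t **data, size_t *dlen)
{
    if (len < 7) return 0;
    size_t lc = ((size_t)apdu[4] << 16) | ((size_t)apdu[5] << 8) | apdu[6];
    if (len - 7 != lc) return 0;
    *data = apdu + 7; *dlen = lc;
    return 1;
}

/* Resolve the application first, then the container, so the status says which failed. */
static container_t *find_container(device_t *d, uint16_t app, uint16_t cid, uint16_t *sw)
{
    int app_seen = 0;
    for (size_t i = 0; i < d->count; i++) {
        if (d->containers[i].app_id != app) continue;
        app_seen = 1;
        if (d->containers[i].container_id == cid) return &d->containers[i];
    }
    *sw = app_seen ? SW_NO_CONTAINER : SW_NO_APP;
    return NULL;
}

/* Steps 19-1 to 19-4, SM2 layout only (the page routes other layouts to other key types). */
uint16_t handle_generate_keypair(device_t *d, const uint8_t *apdu, size_t len)
{
    const uint8_t *f; size_t n; uint16_t sw;
    d->z_cached = 0;                 /* clear any stored preprocessing result first */
    if (!data_field(apdu, len, &f, &n) || n != 12) return SW_WRONG_LENGTH;
    container_t *c = find_container(d, be16(f), be16(f + 2), &sw);
    if (c == NULL) return sw;
    memcpy(c->key_info, f + 4, 4);
    c->uidRecordFID = be16(f + 8);
    c->uidRecordNo  = be16(f + 10);
    c->has_keypair  = 1;             /* the SM2 key generation itself is not modelled */
    return SW_OK;
}

/* Steps 22-1 to 22-3: resolve which record feeds the preprocessing (no cryptography). */
uint16_t handle_sign_lookup(device_t *d, const uint8_t *apdu, size_t len,
                            uint16_t *fid, uint16_t *recno, int *from_cache)
{
    const uint8_t *f; size_t n; uint16_t sw;
    if (!data_field(apdu, len, &f, &n) || n < 4) return SW_WRONG_LENGTH; /* n < 4: assumption */
    container_t *c = find_container(d, be16(f), be16(f + 2), &sw);
    if (c == NULL) return sw;
    if (!c->has_keypair) return SW_NO_KEYPAIR;
    *from_cache = d->z_cached;       /* a stored result is reused, else the record is read */
    *fid = c->uidRecordFID; *recno = c->uidRecordNo;
    d->z_cached = 1;                 /* the newly computed result would be stored here */
    return SW_OK;
}

int main(void)
{
    container_t slot = { 0x0100, 0x0100, 0, {0}, 0, 0 };
    device_t dev = { &slot, 1, 0 };
    uint16_t fid = 0, rec = 0; int cached = 0;
    unsigned g = handle_generate_keypair(&dev, GENKEY_APDU, sizeof GENKEY_APDU);
    unsigned s = handle_sign_lookup(&dev, SIGN_APDU, SIGN_APDU_LEN, &fid, &rec, &cached);
    printf("generate=%04X sign=%04X file=%04X record=%04X cached=%d\n", g, s, (unsigned)fid, (unsigned)rec, cached);
    return 0;
}
```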
The signature method of the signature device proposed in this embodiment may be summarized as follows: first, the management function of the information system provides the issuance and initialization function for the USBKey; in the initialization phase, a log file is created in the USBKey to store the record data of the user's relevant application; after initialization is complete, the USBKey enters the application phase.
When the user applies for a certificate, after the key pair is generated in the USBKey, the record data associated with the key pair is automatically marked and indicated, for use during the signature operation.
At signing time, the record data associated with the specified key pair is used to calculate the Z value, thereby completing the preprocessing function of the signature method, and the signature is completed.
What is described in this embodiment is a preferred implementation. Compared with the implementation of embodiment 1, the signature method of this embodiment further defines the subject as the login identity: the creation of record data can be completed when the administrator is logged in, and when the user logs in to sign, the whole signature process is completed through the open application instruction, the open container instruction, the generate key pair instruction and the signature command. This likewise strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and enhances the security of the signature. The ID mentioned in this embodiment has the same meaning as the identifier mentioned in embodiment 1.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (19)

1. A signature method of a signature device, characterized by comprising:
a step of powering on and initializing the device;
a step in which the device receives an instruction issued by the host computer;
a step in which the device judges the type of the received instruction, performs the corresponding operation according to the type of the instruction, and returns a response message to the host computer;
when the device judges that the type of the instruction is an open application instruction, it opens the application on the device corresponding to the application name contained in the open application instruction, and returns to the host computer an open application response message containing an application identifier;
when the device judges that the type of the instruction is an open container instruction, it determines the current application according to the application identifier contained in the open container instruction, opens the specified container under the current application corresponding to the container name contained in the open container instruction, and returns to the host computer an open container response message containing a container identifier;
when the device judges that the type of the instruction is a generate key pair instruction, it judges whether a signature preprocessing result is stored in the preset storage area; if so, it first clears the signature preprocessing result from the preset storage area and then performs the operation of generating a key pair; otherwise it performs the operation of generating a key pair directly; the operation of generating a key pair is specifically: determining the specified container under the current application according to the application identifier and container identifier contained in the generate key pair instruction, creating a public/private key file structure in the specified container according to the key information contained in the generate key pair instruction, filling the preset information in the public/private key file structure according to the file identifier and record number contained in the generate key pair instruction to obtain the generated key pair, and returning a generate key pair response message to the host computer;
when the device judges that the type of the instruction is a signature command, it determines the specified container under the current application according to the application identifier and container identifier contained in the signature command, and judges whether a signature preprocessing result is stored in the preset storage area; if so, it obtains the signature preprocessing result directly; otherwise it obtains the file identifier and record number from the file structure of the key pair in the specified container, obtains from the log file corresponding to the file identifier the record data corresponding to the record number, calculates a signature preprocessing result from the public key of the key pair and the record data, and stores it in the preset storage area;
it then calculates a signature result over the data to be signed contained in the signature command according to the signature preprocessing result and the private key of the key pair in the specified container, and returns a signature response message to the host computer.
2. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a verify PIN instruction, it obtains a PIN identifier, an application identifier and a PIN code from the verify PIN instruction, determines the login identity according to the PIN identifier, determines the current application according to the application identifier, and verifies whether the PIN code is correct; if so, it sets the current login state according to the login identity and returns to the host computer a verify PIN response message whose status code is the first preset value; otherwise it returns to the host computer a verify PIN response message whose status code is another value.
3. The method according to claim 2, characterized in that obtaining the PIN identifier, application identifier and PIN code from the verify PIN instruction is specifically:
a1: obtain the PIN identifier from the 4th byte of the verify PIN instruction, obtain a length value from the 5th to 7th bytes, and judge whether the length of the data field following the 7th byte matches this length value; if so, perform a2; otherwise generate a verify PIN response message whose status code is the second preset value;
a2: obtain the application identifier and the PIN code from the data field according to the first preset structure.
4. The method according to claim 3, characterized in that the first preset structure is: a 2-byte application identifier + a 16-byte PIN code.
5. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a create log file instruction, it determines the current application according to the application identifier contained in the create log file instruction, creates a log file under the current application according to the log file information contained in the create log file instruction, and returns a create log file response message to the host computer.
6. The method according to claim 5, characterized in that determining the current application according to the application identifier contained in the create log file instruction, and creating a log file under the current application according to the log file information contained in the create log file instruction, is specifically:
b1: obtain the application identifier from the 3rd and 4th bytes of the create log file instruction, and determine the current application according to the application identifier;
b2: obtain a length value from the 5th to 7th bytes of the create log file instruction and judge whether the length of the data field following the 7th byte matches this length value; if so, perform b3; otherwise generate a create log file response message whose status code is the second preset value;
b3: obtain the information of the log file to be created from the data field according to the second preset structure;
b4: create the log file under the current application according to the log file information.
7. The method according to claim 6, characterized in that the second preset structure is: a 32-byte filename + a 4-byte file size + a 4-byte read permission identifier + a 4-byte write permission identifier.
8. The method according to claim 5, characterized in that, when the device judges that the type of the instruction is a create log file instruction, the method also comprises a step of confirming that the current login state is the administrator login state.
9. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a write record instruction, it determines the current application according to the application identifier contained in the write record instruction, finds a log file under the current application according to the filename contained in the write record instruction, writes the record data to be written contained in the write record instruction to the corresponding address in the log file according to the offset contained in the write record instruction, and returns a write record response message to the host computer.
10. The method according to claim 9, characterized in that determining the current application according to the application identifier contained in the write record instruction, finding a log file under the current application according to the filename contained in the write record instruction, and writing the record data to be written contained in the write record instruction to the corresponding address in the log file according to the offset contained in the write record instruction, is specifically:
c1: obtain the application identifier from the 5th and 6th bytes of the write record instruction, and determine the current application according to the application identifier;
c2: obtain a length value from the 7th and 8th bytes of the write record instruction and judge whether the length of the data field following the 8th byte matches this length value; if so, perform c3; otherwise generate a write record response message whose status code is the second preset value;
c3: obtain the offset, the filename and the record data to be written from the data field according to the third preset structure;
c4: find a log file under the current application according to the filename, determine a write address in the log file according to the offset, and write the record data to be written to the write address.
11. The method according to claim 10, characterized in that the third preset structure is: a 2-byte offset + a 2-byte filename length + the filename + a 2-byte length of the record data to be written + the record data to be written.
12. The method according to claim 1, characterized in that opening the application on the device corresponding to the application name contained in the open application instruction comprises: obtaining a length value from the 5th and 6th bytes of the open application instruction and judging whether the length of the data field following the 6th byte matches this length value; if it matches, obtaining the application name from the data field and opening the application on the device corresponding to the application name; otherwise generating an open application response message whose status code is the second preset value.
13. The method according to claim 1, characterized in that determining the current application according to the application identifier contained in the open container instruction, and opening the specified container under the current application corresponding to the container name contained in the open container instruction, comprises:
A1: obtain a length value from the 5th to 7th bytes of the open container instruction and judge whether the length of the data field following the 7th byte matches this length value; if so, perform A2; otherwise generate an open container response message whose status code is the second preset value;
A2: obtain the application identifier and the container name from the data field according to the fourth preset structure;
A3: determine the current application according to the application identifier, find the specified container under the current application according to the container name, and open the specified container.
14. The method according to claim 13, characterized in that the fourth preset structure is: application identifier + container name.
15. The method according to claim 1, characterized in that determining the specified container under the current application according to the application identifier and container identifier contained in the generate key pair instruction, creating a public/private key file structure in the specified container according to the key information contained in the generate key pair instruction, and filling the preset information in the public/private key file structure according to the file identifier and record number contained in the generate key pair instruction to obtain the generated key pair, comprises:
B1: obtain a length value from the 5th to 7th bytes of the generate key pair instruction and judge whether the length of the data field following the 7th byte matches this length value; if so, perform B2; otherwise generate an open container response message whose status code is the second preset value;
B2: obtain the application identifier, container identifier, key information, file identifier and record number from the data field according to the fifth preset structure;
B3: determine the specified container under the current application according to the application identifier and the container identifier, and create a public/private key file structure in the specified container according to the key information contained in the generate key pair instruction;
B4: fill the preset information in the public/private key file structure according to the file identifier and the record number to obtain the key pair.
16. The method according to claim 15, characterized in that the fifth preset structure is: a 2-byte application identifier + a 2-byte container identifier + 4-byte key information + a 2-byte file identifier + a 2-byte record number; the key information includes the bit length of the key pair to be generated.
17. The method according to claim 1, characterized in that determining the specified container under the current application according to the application identifier and container identifier contained in the signature command, obtaining the file identifier and record number from the file structure of the key pair in the specified container, obtaining from the log file corresponding to the file identifier the record data corresponding to the record number, calculating a signature preprocessing result from the public key of the key pair and the record data, and calculating a signature result over the data to be signed contained in the signature command according to the signature preprocessing result and the private key of the key pair, comprises:
C1: obtain a length value from the 5th to 7th bytes of the signature command and judge whether the length of the data field following the 7th byte matches this length value; if so, perform C2; otherwise generate a signature response message whose status code is the second preset value;
C2: obtain the application identifier, container identifier and data to be signed from the data field according to the sixth preset structure;
C3: determine the specified container under the current application according to the application identifier and container identifier, obtain the key pair from the specified container, obtain the file identifier and record number from the file structure of the key pair, and obtain the record data from the log file according to the obtained file identifier and record number;
C4: calculate a signature preprocessing result from the public key of the key pair and the obtained record data, and calculate a signature result over the data to be signed according to the signature preprocessing result and the private key of the key pair.
18. The method according to claim 17, characterized in that the sixth preset structure is: application identifier + container identifier + data to be signed.
19. The method according to claim 1, characterized in that, when the device judges that the type of the instruction is an open container instruction, a generate key pair instruction or a signature command, the method also comprises a step of confirming that the current login state is the user login state.
CN201310724219.1A 2013-12-25 2013-12-25 A kind of endorsement method of signature device Active CN103729588B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310724219.1A CN103729588B (en) 2013-12-25 2013-12-25 A kind of endorsement method of signature device


Publications (2)

Publication Number Publication Date
CN103729588A true CN103729588A (en) 2014-04-16
CN103729588B CN103729588B (en) 2016-04-06

Family

ID=50453659

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310724219.1A Active CN103729588B (en) 2013-12-25 2013-12-25 A kind of endorsement method of signature device

Country Status (1)

Country Link
CN (1) CN103729588B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603238A (en) * 2015-10-20 2017-04-26 飞天诚信科技股份有限公司 Multi-digital-certificate issuing system and equipment, and working methods thereof
CN112511297A (en) * 2020-11-30 2021-03-16 郑州信大捷安信息技术股份有限公司 Method and system for updating key pair and digital certificate

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100310077A1 (en) * 2007-12-03 2010-12-09 Beijing Senselock Software Technology Co., Ltd. Method for generating a key pair and transmitting a public key or request file of a certificate in security
CN102006165A (en) * 2010-11-11 2011-04-06 西安理工大学 Ring signature method for anonymizing information based on multivariate public key cryptography
CN102761420A (en) * 2012-08-08 2012-10-31 飞天诚信科技股份有限公司 Security certification method
CN103235911A (en) * 2013-04-27 2013-08-07 飞天诚信科技股份有限公司 Signature method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603238A (en) * 2015-10-20 2017-04-26 飞天诚信科技股份有限公司 Multi-digital-certificate issuing system and equipment, and working methods thereof
CN106603238B (en) * 2015-10-20 2019-06-18 飞天诚信科技股份有限公司 A kind of multi-digital certificate signs and issues system, certificate management end, issue apparatus and its working method
CN112511297A (en) * 2020-11-30 2021-03-16 郑州信大捷安信息技术股份有限公司 Method and system for updating key pair and digital certificate
CN112511297B (en) * 2020-11-30 2022-03-11 郑州信大捷安信息技术股份有限公司 Method and system for updating key pair and digital certificate

Also Published As

Publication number Publication date
CN103729588B (en) 2016-04-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant