CN103729588B - A signing method for a signature device - Google Patents


Info

Publication number
CN103729588B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310724219.1A
Other languages
Chinese (zh)
Other versions
CN103729588A (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a signing method for a signature device and belongs to the field of information security technology. In the method, the signature device completes the whole signing process by receiving from the host an open-application instruction, an open-container instruction, a generate-key-pair instruction and a signature instruction. When it receives the open-container and generate-key-pair instructions, the device places the signature key associated with the subject in the specified container; when it receives the signature instruction, it performs the signing operation with that subject-associated signature key. This strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and improves the security of signing.

Description

A signing method for a signature device
Technical field
The invention belongs to the field of information security technology and relates in particular to a signing method for a signature device.
Background art
At present, with the widespread use of signature devices (such as USBKeys), the security of the signing methods they use deserves more attention. Among existing signing methods for signature devices, those based on the SM2 algorithm (an elliptic-curve public-key cryptographic algorithm) are the most widely used. This signing method requires preprocessing to produce a signature preprocessing result (commonly called the Z value) that associates the SM2 public key with the subject name and the subject. In practice, the parameter from which the Z value is produced (commonly called the UserID) is usually supplied from outside the USBKey, and the Z value is then calculated from the UserID. As a result, one signing key can be associated with multiple UserIDs, that is, with multiple subjects.
A subject is normally used to identify an entity in an information system, such as a host, an account, a person or a role. It is usually assigned to the entity by the information system, and the subject is bound to a public key to form a certificate, which is used for the authentication and authorization management of the information system. If a user can specify an arbitrary UserID of the information system when using a USBKey to generate a key pair and sign, identity and authorization may be abused, which makes the signing method insecure.
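For reference, the Z value as the SM2 digital signature standard defines it, added here as a note that is not part of the patent text. The symbols are the standard's: $ID_A$ is the UserID, $(x_A, y_A)$ the signer's public key, $a, b, x_G, y_G$ the curve parameters, $ENTL_A$ the two-byte bit length of $ID_A$, and $M$ the message.

$$Z_A = \mathrm{SM3}(ENTL_A \,\|\, ID_A \,\|\, a \,\|\, b \,\|\, x_G \,\|\, y_G \,\|\, x_A \,\|\, y_A), \qquad e = \mathrm{SM3}(Z_A \,\|\, M)$$

The signature is computed over $e$, so the UserID enters a signature only through $Z_A$. With the key pair fixed, each different $ID_A$ gives a different $Z_A$ under which the same private key signs, which is the one-key, many-subjects association described above.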
Summary of the invention
The signing method for a signature device proposed by the invention addresses the security risk present in signature applications in the prior art.
The technical solution adopted by the invention is as follows. A signing method for a signature device comprises: a step in which the device powers on and initializes; a step in which the device receives an instruction sent by the host; and a step in which the device determines the type of the received instruction, performs the corresponding operation according to that type, and returns a response message to the host.
When the device determines that the instruction is an open-application instruction, it opens the application on the device that corresponds to the application name contained in the instruction and returns an open-application response message to the host;
When the device determines that the instruction is an open-container instruction, it determines the current application from the application ID contained in the instruction, opens the specified container under the current application that corresponds to the container name contained in the instruction, and returns an open-container response message to the host;
When the device determines that the instruction is a generate-key-pair instruction, it checks whether a signature preprocessing result is stored in the preset storage area; if so, it first clears the signature preprocessing result from the preset storage area and then generates the key pair; otherwise it generates the key pair directly. Generating the key pair is specifically: determine the specified container under the current application from the application ID and container ID contained in the instruction; create a public/private key file structure in the specified container according to the key information contained in the instruction; fill in the preset information in that file structure according to the file ID and record number contained in the instruction, obtaining the generated key pair; and return a generate-key-pair response message to the host;
When the device determines that the instruction is a signature instruction, it determines the specified container under the current application from the application ID and container ID contained in the instruction and checks whether a signature preprocessing result is stored in the preset storage area. If so, it obtains that signature preprocessing result directly. Otherwise, it obtains the file ID and record number from the file structure of the key pair in the specified container, obtains the record data corresponding to that record number from the record file corresponding to that file ID, calculates a signature preprocessing result from the public key of the key pair and the record data, and stores it in the preset storage area;
The device then calculates the signature result over the data to be signed contained in the signature instruction, using the signature preprocessing result and the private key of the key pair in the specified container, and returns a signature response message to the host.
The method further comprises: when the device determines that the instruction is a verify-PIN instruction, it obtains the PIN ID, application ID and PIN code from the instruction, determines the identity of the party logging in from the PIN ID, determines the current application from the application ID, and verifies whether the PIN code is correct. If it is, the device sets the current login state according to that identity and returns to the host a verify-PIN response message whose status code is the first preset value; otherwise it returns to the host a verify-PIN response message whose status code is another value.
The method further comprises: when the device determines that the instruction is a create-record-file instruction, it determines the current application from the application ID contained in the instruction, creates a record file under the current application according to the record-file information contained in the instruction, and returns a create-record-file response message to the host.
The method further comprises: when the device determines that the instruction is a write-record instruction, it determines the current application from the application ID contained in the instruction, finds a record file under the current application by the file name contained in the instruction, writes the record data to be written contained in the instruction to the corresponding address in the record file according to the offset contained in the instruction, and returns a write-record response message to the host.
Preferably, when the device determines that the instruction is a create-record-file instruction, the method further comprises a step of confirming that the current login state is the administrator login state.
Preferably, when the device determines that the instruction is an open-container instruction, a generate-key-pair instruction or a signature instruction, the method further comprises a step of confirming that the current login state is the user login state.
Beneficial effect of the above technical solution: the signing method for a signature device proposed by the invention strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and improves the security of signing.
Brief description of the drawings
Fig. 1 is a flowchart of the signing method for a signature device provided by Embodiment 2 of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawing. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment 1
This embodiment provides a signing method for a signature device. The device may be a USBKey or any other device capable of signing. The record data mentioned in this embodiment corresponds to the parameter UserID mentioned in the background art, and the signature preprocessing result mentioned in this embodiment corresponds to the Z value mentioned there. The signing method comprises:
Step 1: the device powers on and initializes;
Step 2: the device receives an instruction sent by the host;
Step 3: the device determines the type of the received instruction, performs the corresponding operation according to that type, and returns a response message to the host;
This step specifically comprises: when the device determines that the instruction is an open-application instruction, it opens the application on the device that corresponds to the application name contained in the instruction and returns an open-application response message to the host;
When the device determines that the instruction is an open-container instruction, it determines the current application from the application ID contained in the instruction, opens the specified container under the current application that corresponds to the container name contained in the instruction, and returns an open-container response message to the host;
When the device determines that the instruction is a generate-key-pair instruction, it checks whether a signature preprocessing result is stored in the preset storage area; if so, it first clears the signature preprocessing result from the preset storage area and then generates the key pair; otherwise it generates the key pair directly. Generating the key pair is specifically: determine the specified container under the current application from the application ID and container ID contained in the instruction; create a public/private key file structure in the specified container according to the key information contained in the instruction; fill in the preset information in that file structure according to the file ID and record number contained in the instruction, obtaining the generated key pair; and return a generate-key-pair response message to the host;
When the device determines that the instruction is a signature instruction, it determines the specified container under the current application from the application ID and container ID contained in the instruction and checks whether a signature preprocessing result is stored in the preset storage area. If so, it obtains that signature preprocessing result directly. Otherwise, it obtains the file ID and record number from the file structure of the key pair in the specified container, obtains the record data corresponding to that record number from the record file corresponding to that file ID, calculates a signature preprocessing result from the public key of the key pair and the record data, and stores it in the preset storage area;
The device then calculates the signature result over the data to be signed contained in the signature instruction, using the signature preprocessing result and the private key of the key pair in the specified container, and returns a signature response message to the host.
With the signing method proposed in this embodiment, the device places the signature key associated with the subject in the specified container when it receives the open-container and generate-key-pair instructions, and signs with that subject-associated signature key when it receives the signature instruction. This strengthens the association between the subject and the signature key, effectively prevents abuse of identity and authorization, and improves the security of signing.
Embodiment 2
This embodiment provides a signing method for a signature device. The device may be a USBKey or any other device capable of signing. The record data mentioned in this embodiment corresponds to the parameter UserID mentioned in the background art, and the signature preprocessing result mentioned in this embodiment corresponds to the Z value mentioned there.
The signing method proposed in this embodiment comprises a record-data management process and a signing process, as shown in Fig. 1. Steps 8-18 are the device's internal processing when an administrator manages record files or record data; steps 19-30 are the device's internal processing when a user uses the device to generate a key pair and sign. The method comprises:
Step 1: the device powers on and initializes;
Step 2: the device receives an instruction sent by the host;
Step 3: the device determines the type of the received instruction: for an open-application instruction, perform step 4; for a verify-PIN instruction, perform step 6; for a create-record-file instruction, perform step 10; for a write-record instruction, perform step 13; for an open-container instruction, perform step 15; for a generate-key-pair instruction, perform step 18; for a signature instruction, perform step 21;
Specifically, in this embodiment the instruction type is determined from the 1st and 2nd bytes of the received instruction: 0x8026 is an open-application instruction, 0x8018 is a verify-PIN instruction, 0x8030 is a create-record-file instruction, 0x803A is a write-record instruction, 0x8042 is an open-container instruction, 0x8070 is a generate-key-pair instruction, and 0x8074 is a signature instruction.
Step 4: open an application on the device according to the application name contained in the open-application instruction;
This step specifically comprises:
Step 4-1: obtain a length value from the 5th and 6th bytes of the open-application instruction and determine whether the length of the data field after the 6th byte matches this length value; if so, perform step 4-2; otherwise generate an open-application response message containing a status code and perform step 5;
Preferably, the status code in the open-application response message generated in this step is the second preset value, for example 0x6700.
Step 4-2: obtain the application name from the data field and open the application on the device that corresponds to this application name;
Further, when no application corresponding to this application name exists on the device, generate an open-application response message containing a status code whose value is the third preset value, for example 0x6A8B. Or, when an application is found to be already open on the device and the device does not support opening multiple applications at the same time, generate an open-application response message containing a status code whose value is the fourth preset value, for example 0x6A90.
For example: if the received open-application instruction is 8026000000000CApplication1, the application opened is Application1.
Step 5: return the open-application response message to the host, then return to step 2.
Specifically, when step 4 executes correctly, this step returns an open-application response message containing a status code and response data. The status code SW1SW2 is the first preset value, for example 0x9000. The response data is the attribute information of the application, such as the permissions for creating files and containers under the application, the maximum number of containers, the maximum number of certificates and the maximum number of files the application supports, and the application ID. When an error occurs while step 4 executes, this step returns an open-application response message containing a status code whose SW1SW2 is another value, for example 0x6700, 0x6A8B, 0x6A90, etc.
Step 6: obtain the PINID, application ID and PIN code from the verify-PIN instruction;
This step specifically comprises:
Step 6-1: obtain the PINID from the 4th byte of the verify-PIN instruction and a length value from bytes 5-7, and determine whether the length of the data field after the 7th byte matches this length value; if so, perform step 6-2; otherwise generate a verify-PIN response message containing a status code and perform step 9;
Preferably, the status code in the verify-PIN response message generated in this step is the second preset value, for example 0x6700.
Step 6-2: obtain the application ID and PIN code from the data field according to the first preset structure.
Specifically, the first preset structure is: application ID (2 bytes) + PIN code (16 bytes).
Step 7: determine the identity of the party logging in from the PINID, determine the current application from the application ID, and verify whether the PIN code is correct; if so, perform step 8; otherwise perform step 9;
Preferably, when the PINID is 0x00 the identity is administrator, and when the PINID is 0x01 the identity is user.
Further, when the current application determined from the application ID is an application that has not been opened, generate a verify-PIN response message containing a status code and perform step 9; preferably, this status code is the fifth preset value, for example 0x698A.
Step 8: set the current login state according to the identity of the party logging in;
Specifically, when the identity is administrator, set the current login state to the administrator login state; when the identity is user, set the current login state to the user login state.
For example, if the received verify-PIN instruction is 80180000000012010031323334353637383132333435363738, the identity determined from this instruction is administrator, the application ID obtained from the instruction is 0x0100 and the PIN code is 31323334353637383132333435363738; when the PIN code verifies correctly, the current login state is set to administrator login.
Step 9: return the verify-PIN response message to the host, then return to step 2.
Specifically, when steps 6 to 8 execute correctly, this step returns a verify-PIN response message containing a status code whose SW1SW2 is the first preset value, for example 0x9000. When an error occurs while steps 6 to 8 execute, the status code SW1SW2 in the verify-PIN response message returned by this step is another value, for example 0x6700, 0x698A, etc.
Step 10: determine whether the current login state is the administrator login state; if so, perform step 11; otherwise return a status code indicating that the operation is not supported and return to step 2;
Step 11: determine the current application from the application ID contained in the create-record-file instruction and create a record file under the current application according to the record-file information contained in the instruction;
This step specifically comprises:
Step 11-1: obtain the application ID from the 3rd and 4th bytes of the create-record-file instruction and determine the current application from this application ID;
Further, if no application can be found on the device for the application ID, generate a create-record-file response message containing a status code; preferably, the value of the status code SW1SW2 is the sixth preset value, for example 0x6A88.
Step 11-2: obtain a length value from the 5th to 7th bytes of the create-record-file instruction and determine whether the length of the data field after the 7th byte matches this length value; if so, perform the next step; otherwise generate a create-record-file response message containing a status code;
Preferably, in this step the value of SW1SW2 is the second preset value, for example 0x6700.
Step 11-3: obtain the information of the record file to be created from the data field according to the second preset structure;
The record-file information comprises: file name, file size, read-permission flag and write-permission flag. The second preset structure is: file name (32 bytes) + file size (4 bytes) + read-permission flag (4 bytes) + write-permission flag (4 bytes). Preferably, a file name shorter than 32 bytes is padded with 0; a read-permission flag of 10000000 means readable, and a write-permission flag of 10000000 means writable.
Step 11-4: create the record file under the current application according to the record-file information.
Further, this step may also include determining from the file name in the record-file information whether a file of the same name already exists under the current application; if so, generate a create-record-file response message containing a status code; otherwise create the record file under the current application. Preferably, in this step the value of SW1SW2 is the seventh preset value, for example 0x6A92.
For example: if the received create-record-file instruction is 8030100100002Cuseridrecordfile1000000000000000000000000000000000100001000000010000000, the record file created from this instruction is useridrecordfile1, and this record file is readable and writable.
Step 12: return the create-record-file response message to the host, then return to step 2.
Specifically, when step 11 executes correctly, the status code SW1SW2 in the create-record-file response message returned by this step is the first preset value, for example 0x9000, and the data field of the response message also contains the file name and file ID. When an error occurs while step 11 executes, the status code SW1SW2 in the create-record-file response message returned by this step is another value, for example 0x6700, 0x6A88, 0x6A92, etc.
Step 13: determine the current application from the application ID contained in the write-record instruction, find a record file under the current application by the file name contained in the instruction, and write the record data to be written contained in the instruction to the corresponding address in this record file according to the offset contained in the instruction;
This step specifically comprises:
Step 13-1: obtain the application ID from the 5th and 6th bytes of the write-record instruction and determine the current application from this application ID;
Step 13-2: obtain a length value from the 7th and 8th bytes of the write-record instruction and determine whether the length of the data field after the 8th byte matches this length value; if so, perform the next step; otherwise generate a write-record response message containing a status code;
Preferably, in this step the value of SW1SW2 is the second preset value, for example 0x6700.
Step 13-3: obtain the offset, the file name and the record data to be written from the data field according to the third preset structure;
Specifically, the third preset structure is: offset (2 bytes) + file name length (2 bytes) + file name + length of the record data to be written (2 bytes) + record data to be written.
Further, this step may also include verifying the respective lengths of the file name and the record data to be written contained in the third preset structure against the file name length and the record-data length given in that structure. When a length error occurs, generate a write-record response message containing a status code; preferably, in this step the value of SW1SW2 is the second preset value, for example 0x6700.
Step 13-4: find a record file under the current application by the file name, determine a write address in the record file from the offset, and write the record data to be written to this write address.
Specifically, the record number of the record data can be determined from this write address. For example, if the write address is 0000, the corresponding record number is 1.
Further, this step may also include:
First step: determine from the file name whether a record file corresponding to this file name exists under the current application; if so, perform the second step; otherwise generate a write-record response message containing a status code. Preferably, in this step the value of SW1SW2 is the eighth preset value, for example 0x6A93.
Second step: determine whether the offset exceeds the size of the record file; if so, generate a write-record response message containing a status code; otherwise determine a specified position in the record file and write the record data to be written to this position. Preferably, in this step the value of SW1SW2 is the ninth preset value, for example 0x6B00.
For example: if the received write-record instruction is 803A0000000029010000001100useridrecordfile110001234567812345678, the record data 1234567812345678 is written to the position at offset address 0000 in the record file useridrecordfile1.
Step 14: return the write-record response message to the host, then return to step 2.
For example: when step 13 executes correctly, the status code SW1SW2 in the write-record response message returned by this step is the first preset value, for example 0x9000, and the data field of the response message also contains the record number. When an error occurs while step 13 executes, the status code SW1SW2 in the write-record response message returned by this step is another value, for example 0x6700, 0x6A93, 0x6B00, etc.
Step 15: judge whether the current login state is the user login state; if yes, perform step 16; otherwise, return a "not supported" status code and return to step 2;
Step 16: determine the current application according to the application ID comprised in the open-container instruction, and open the designated container under the current application according to the container name comprised in the open-container instruction;
This step specifically comprises:
Step 16-1: obtain a length value from the 5th to 7th bytes of the open-container instruction, and judge whether the length of the data-field data after the 7th byte matches this length value; if yes, perform the next step; otherwise, generate an open-container response message comprising a status code and perform step 17;
Preferably, the value of the status code SW1SW2 in this step is the second preset value; for example, the second preset value is 6700.
Step 16-2: obtain the application ID and the container name from the data-field data according to the fourth preset structure;
Specifically, the fourth preset structure is: application ID + container name;
Step 16-3: determine the current application according to the application ID, find the designated container under the current application according to the container name, and open the designated container;
Further, if no application can be found on the device according to the application ID, generate an open-container response message comprising a status code; preferably, the value of the status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 0x6A88. If the designated container cannot be found under the current application according to the container name, generate an open-container response message comprising a status code; preferably, the value of the status code SW1SW2 is the tenth preset value; for example, the tenth preset value is 0x6A91.
The container mentioned in this embodiment is a logical object for storing asymmetric key pairs and session keys.
For example: if the open-container instruction received is 8042000000000C0100Container10002, the designated container Container1 under the application whose ID is 0100 is opened.
Step 17: return the open-container response message to the host computer, then return to step 2.
Specifically, when step 16 is performed correctly, this step returns an open-container response message comprising a status code and response data, in which the status code SW1SW2 is the first preset value and the response data is specifically the container ID; when an error occurs while step 16 is performed, this step returns an open-container response message comprising a status code, and the status code SW1SW2 takes other values. For example, the other values are 0x6700, 0x6A88 and 0x6A91.
Step 18: judge whether the current login state is the user login state; if yes, perform step 19; otherwise, return a "not supported" status code and return to step 2;
Step 19: determine the designated container under the current application according to the application ID and the container ID comprised in the generate-key-pair instruction, create a public/private key file structure in the designated container according to the key information comprised in the generate-key-pair instruction, and fill in the preset information in the public/private key file structure according to the file ID and the record number comprised in the generate-key-pair instruction, to obtain the generated key pair;
This step specifically comprises:
Step 19-1: obtain a length value from the 5th to 7th bytes of the generate-key-pair instruction, and judge whether the length of the data-field data after the 7th byte matches this length value; if yes, perform the next step; otherwise, generate an open-container response message comprising a status code;
Preferably, the length value in this step is a preset length, for example 8, and the value of the status code SW1SW2 is the second preset value; for example, the second preset value is 0x6700.
Step 19-2: obtain the application ID, the container ID, the key information, the file ID and the record number from the data-field data according to the fifth preset structure;
Specifically, the fifth preset structure is: application ID (2 bytes) + container ID (2 bytes) + key information (4 bytes) + file ID (2 bytes) + record number (2 bytes); the key information comprises the bit length of the key pair to be generated.
Step 19-3: determine the designated container under the current application according to the application ID and the container ID, and create a public/private key file structure in the designated container according to the key information comprised in the generate-key-pair instruction;
Further, if no application can be found on the device according to the application ID, generate a generate-key-pair response message comprising a status code; preferably, the value of the status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 0x6A88. If the designated container cannot be found under the current application according to the container ID, generate a generate-key-pair response message comprising a status code; preferably, the value of the status code SW1SW2 is the eleventh preset value; for example, the eleventh preset value is 0x6A94.
Specifically, the public/private key file structure is as follows:
Step 19-4: fill in the preset information in the public/private key file structure according to the file ID and the record number, to obtain the generated key pair.
Specifically, the preset information comprises uidRecordFID and uidRecordNo.
For example, if the generate-key-pair instruction received is 8070000000000C010001000001000010010100, the preset information comprised in the file structure of the generated key pair is: uidRecordFID=1001, uidRecordNo=0100.
Further, before step 19-2 the method also comprises: judging whether the data-field data of the generate-key-pair instruction conforms to the fifth preset structure; if yes, performing steps 19-2 to 19-4 to generate a key pair of SM2 type; otherwise, generating a key pair of another type. Key pairs of other types and the corresponding signing methods are outside the scope of the present invention and are not described in detail here.
Preferably, before step 19 the method may also comprise: judging whether a signature pre-processing result is stored in the preset storage area; if yes, first clearing the signature pre-processing result in the preset storage area and then performing step 19; otherwise, performing step 19 directly. The signature pre-processing result calculated in step 19 is stored in the preset storage area.
Step 20: return the generate-key-pair response message to the host computer, then return to step 2.
Specifically, when step 19 is performed correctly, this step returns a generate-key-pair response message comprising a status code and response data, in which the status code SW1SW2 is the first preset value and the response data is specifically data related to the generated key pair; when an error occurs while step 19 is performed, this step returns a generate-key-pair response message comprising a status code, and the status code SW1SW2 takes other values. For example, the other values are 0x6700, 0x6A88 and 0x6A94.
Step 21: judge whether the current login state is the user login state; if yes, perform step 22; otherwise, return a "not supported" status code and return to step 2;
Step 22: determine the designated container under the current application according to the application ID and the container ID comprised in the signature instruction, obtain the file ID and the record number from the file structure of the key pair in the designated container, obtain the record data from the record file according to the obtained file ID and record number, calculate a signature pre-processing result from the public key of the key pair and the record data, and calculate a signature result over the data to be signed comprised in the signature instruction according to the signature pre-processing result and the private key of the key pair;
This step specifically comprises:
Step 22-1: obtain a length value from the 5th to 7th bytes of the signature instruction, and judge whether the length of the data-field data after the 7th byte matches this length value; if yes, perform the next step; otherwise, generate a signature response message comprising a status code;
Preferably, the value of the status code SW1SW2 is the second preset value; for example, the second preset value is 0x6700.
Step 22-2: obtain the application ID, the container ID and the data to be signed from the data-field data according to the sixth preset structure;
Specifically, the sixth preset structure is: application ID + container ID + data to be signed;
Step 22-3: determine the designated container under the current application according to the application ID and the container ID, obtain the key pair from the designated container, obtain the file ID and the record number from the file structure of the key pair, and obtain the record data from the record file according to the obtained file ID and record number;
Specifically, a record file is found according to the file ID, and the record data can be read from this record file according to the record number.
Further, if no application can be found on the device according to the application ID, generate a signature response message comprising a status code; preferably, the value of this status code SW1SW2 is the sixth preset value; for example, the sixth preset value is 6A88. If the designated container cannot be found under the current application according to the container ID, generate a signature response message comprising a status code; preferably, the value of this status code SW1SW2 is the eleventh preset value; for example, the eleventh preset value is 6A94. If no key pair can be obtained from the designated container, generate a signature response message comprising a status code; preferably, the value of the status code SW1SW2 is the twelfth preset value; for example, the twelfth preset value is 6A95. If the corresponding record file cannot be found according to the file ID and the record number, or the corresponding record data cannot be obtained, generate a signature response message comprising a status code; preferably, the value of this status code is the thirteenth preset value.
Step 22-4: calculate a signature pre-processing result from the public key of the key pair and the obtained record data, and calculate a signature result over the data to be signed according to the signature pre-processing result and the private key of the key pair.
For example, the signature instruction received is: 807403000000240100010012345678123456781234567812345678.
Preferably, step 22 may also comprise: judging whether a signature pre-processing result is stored in the preset storage area; if yes, obtaining the signature pre-processing result; otherwise, obtaining the file identifier and the record number from the file structure of the key pair in the designated container, obtaining the record data corresponding to the record number from the record file corresponding to the file identifier according to the obtained file identifier and record number, calculating a signature pre-processing result from the public key of the key pair and the record data, and storing it in the preset storage area.
Step 23: return the signature response message to the host computer, then return to step 2.
It should be noted that before step 22 the method also comprises: judging whether the 3rd byte of the signature instruction is a preset value; if yes, performing step 22 to carry out SM2 signing; otherwise, signing with another algorithm. Signing with other algorithms is outside the scope of the present invention and is not described in detail here. Preferably, the preset value is 0x03.
Specifically, when step 22 is performed correctly, this step returns a signature response message comprising a status code and response data, in which the status code SW1SW2 is the first preset value and the response data is specifically the signature result; when an error occurs while step 22 is performed, this step returns a signature response message comprising a status code, and the status code SW1SW2 takes other values. For example, the other values are 0x6700, 0x6A88, 0x6A94 and 0x6A95.
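The following Python code is an added example, not code from the patent: it parses the generate-key-pair instruction of step 19 and the signature instruction of step 22, applies the length check on bytes 5 to 7, and returns the status codes named in those steps. The dictionary-based device state, the function names, the big-endian reading of the length bytes and the reading of the data to be signed as 32 text characters (which makes the length byte 0x24 match) are assumptions; key generation and the SM2 computation are not modelled.

```python
# Added example, not from the patent: command parsing and the key-pair-to-record
# binding only. Key generation and the SM2 computation are not modelled.
SW_OK = 0x9000            # first preset value
SW_WRONG_LENGTH = 0x6700  # second preset value
SW_NO_APP = 0x6A88        # sixth preset value
SW_NO_CONTAINER = 0x6A94  # eleventh preset value
SW_NO_KEY_PAIR = 0x6A95   # twelfth preset value
SW_NO_RECORD = "THIRTEENTH_PRESET_VALUE"  # placeholder: the page gives no number


def data_field(apdu: bytes):
    """Return the data field, or None when bytes 5-7 disagree with its real length."""
    if len(apdu) < 7:
        return None
    declared = int.from_bytes(apdu[4:7], "big")  # assumption: 00 00 0C means 12
    data = apdu[7:]
    return data if len(data) == declared else None


def find_container(device, app_id, container_id):
    """Return (status, application, container) for the IDs carried in a command."""
    app = device.get(app_id)
    if app is None:
        return SW_NO_APP, None, None
    if container_id not in app["containers"]:
        return SW_NO_CONTAINER, app, None
    return SW_OK, app, app["containers"][container_id]


def generate_key_pair(device, apdu):
    """Steps 19-1 to 19-4: validate, locate the container, bind the key file to a record."""
    data = data_field(apdu)
    # Fifth preset structure: app ID(2) + container ID(2) + key info(4)
    # + file ID(2) + record number(2) = 12 bytes.
    if data is None or len(data) != 12:
        return SW_WRONG_LENGTH
    app_id, container_id = data[0:2], data[2:4]
    key_info, file_id, record_no = data[4:8], data[8:10], data[10:12]
    status, _app, container = find_container(device, app_id, container_id)
    if status != SW_OK:
        return status
    # The key file remembers which record supplies the signer's identity data.
    container["key_file"] = {"key_info": key_info,
                             "uidRecordFID": file_id,
                             "uidRecordNo": record_no}
    return SW_OK


def resolve_signing_inputs(device, apdu):
    """Steps 22-1 to 22-3: return (status, record_data, data_to_sign)."""
    data = data_field(apdu)
    # Sixth preset structure: app ID(2) + container ID(2) + data to be signed.
    # Treating a data field shorter than 4 bytes as a length error is an assumption.
    if data is None or len(data) < 4:
        return SW_WRONG_LENGTH, None, None
    app_id, container_id, to_sign = data[0:2], data[2:4], data[4:]
    status, app, container = find_container(device, app_id, container_id)
    if status != SW_OK:
        return status, None, None
    key_file = container.get("key_file")
    if key_file is None:
        return SW_NO_KEY_PAIR, None, None
    record_file = app["records"].get(key_file["uidRecordFID"], {})
    record = record_file.get(key_file["uidRecordNo"])
    if record is None:
        return SW_NO_RECORD, None, None
    return SW_OK, record, to_sign


def sample_device():
    """Constructed device state: application 0100, container 0100, one record file."""
    return {
        bytes.fromhex("0100"): {
            "containers": {bytes.fromhex("0100"): {}},
            "records": {bytes.fromhex("1001"):
                        {bytes.fromhex("0100"): b"1234567812345678"}},
        }
    }


# Example instructions quoted in steps 19 and 22 of the description.
GEN_APDU = bytes.fromhex("8070000000000C010001000001000010010100")
SIGN_APDU = bytes.fromhex("8074030000002401000100") + b"12345678123456781234567812345678"

if __name__ == "__main__":
    dev = sample_device()
    print(hex(generate_key_pair(dev, GEN_APDU)))
    print(resolve_signing_inputs(dev, SIGN_APDU))
```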
The signing method of the signature device proposed in this embodiment may be summarized as follows: first, the management function of the information system includes the issuance and initialization function for the USBKey; in the initialization phase, a record file is created in the USBKey to store the record data of the user's relevant applications; after initialization is complete, the USBKey enters the application phase.
When the user applies for a certificate, after the key pair is generated in the USBKey, the specified identifier and record data associated with the key pair are marked automatically, for use in later signing operations.
When signing, the specified record data associated with the key pair is used to calculate the Z value, which completes the pre-processing function of the signing method, and the signature is then completed.
What is described in this embodiment is a preferred implementation. Compared with the implementation of embodiment 1, the signing method of this embodiment further defines the subject and the identity of the party logging in: the creation of record data can be completed when an administrator is logged in, and when a user logs in to sign, the whole signing process is completed through the open-application instruction, the open-container instruction, the generate-key-pair instruction and the signature instruction. This likewise strengthens the association between the subject and the signing key, effectively prevents abuse of identity and authorization, and enhances the security of signing. The ID mentioned in this embodiment has the same meaning as the identifier mentioned in embodiment 1.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (19)

1. A signing method of a signature device, characterized by comprising:
a step of powering on and initializing the device;
a step in which the device receives an instruction issued by a host computer;
a step in which the device judges the type of the received instruction, performs the corresponding operation according to the type of the instruction, and returns a response message to the host computer;
when the device judges that the type of the instruction is an open-application instruction, opening the application on the device corresponding to the application name comprised in the open-application instruction, and returning to the host computer an open-application response message comprising an application identifier;
when the device judges that the type of the instruction is an open-container instruction, determining the current application according to the application identifier comprised in the open-container instruction, opening the designated container under the current application corresponding to the container name comprised in the open-container instruction, and returning to the host computer an open-container response message comprising a container identifier;
when the device judges that the type of the instruction is a generate-key-pair instruction, judging whether a signature pre-processing result is stored in a preset storage area; if yes, first clearing the signature pre-processing result in the preset storage area and then performing the operation of generating a key pair; otherwise, directly performing the operation of generating a key pair; the operation of generating a key pair is specifically: determining the designated container under the current application according to the application identifier and the container identifier comprised in the generate-key-pair instruction, creating a public/private key file structure in the designated container according to the key information comprised in the generate-key-pair instruction, filling in the preset information in the public/private key file structure according to the file identifier and the record number comprised in the generate-key-pair instruction to obtain the generated key pair, and returning a generate-key-pair response message to the host computer;
when the device judges that the type of the instruction is a signature instruction, determining the designated container under the current application according to the application identifier and the container identifier comprised in the signature instruction, and judging whether a signature pre-processing result is stored in the preset storage area; if yes, directly obtaining the signature pre-processing result; otherwise, obtaining the file identifier and the record number from the file structure of the key pair in the designated container, obtaining the record data corresponding to the record number from the record file corresponding to the file identifier according to the obtained file identifier and record number, calculating a signature pre-processing result from the public key of the key pair and the record data, and storing it in the preset storage area;
calculating a signature result over the data to be signed comprised in the signature instruction according to the signature pre-processing result and the private key of the key pair in the designated container, and returning a signature response message to the host computer.
2. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a verify-PIN instruction, obtaining a PIN identifier, an application identifier and a PIN code from the verify-PIN instruction, determining the identity of the party logging in according to the PIN identifier, determining the current application according to the application identifier, and verifying whether the PIN code is correct; if yes, setting the current login state according to the identity of the party logging in and returning to the host computer a verify-PIN response message whose status code is the first preset value; otherwise, returning to the host computer a verify-PIN response message whose status code takes other values.
3. The method according to claim 2, characterized in that obtaining the PIN identifier, the application identifier and the PIN code from the verify-PIN instruction is specifically:
a1: obtaining the PIN identifier from the 4th byte of the verify-PIN instruction, obtaining a length value from the 5th to 7th bytes, and judging whether the length of the data-field data after the 7th byte matches this length value; if yes, performing a2; otherwise, generating a verify-PIN response message whose status code is the second preset value;
a2: obtaining the application identifier and the PIN code from the data-field data according to a first preset structure.
4. The method according to claim 3, characterized in that the first preset structure is: a 2-byte application identifier + a 16-byte PIN code.
5. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a create-record-file instruction, determining the current application according to the application identifier comprised in the create-record-file instruction, creating a record file under the current application according to the record file information comprised in the create-record-file instruction, and returning a create-record-file response message to the host computer.
6. The method according to claim 5, characterized in that determining the current application according to the application identifier comprised in the create-record-file instruction and creating a record file under the current application according to the record file information comprised in the create-record-file instruction is specifically:
b1: obtaining the application identifier from the 3rd and 4th bytes of the create-record-file instruction, and determining the current application according to the application identifier;
b2: obtaining a length value from the 5th to 7th bytes of the create-record-file instruction, and judging whether the length of the data-field data after the 7th byte matches this length value; if yes, performing b3; otherwise, generating a create-record-file response message whose status code is the second preset value;
b3: obtaining the information of the record file to be created from the data-field data according to a second preset structure;
b4: creating the record file under the current application according to the record file information.
7. The method according to claim 6, characterized in that the second preset structure is: a 32-byte filename + a 4-byte file size + a 4-byte read-permission identifier + a 4-byte write-permission identifier.
8. The method according to claim 5, characterized in that, when the device judges that the type of the instruction is a create-record-file instruction, the method further comprises a step of confirming that the current login state is the administrator login state.
9. The method according to claim 1, characterized in that the method further comprises: when the device judges that the type of the instruction is a write-record instruction, determining the current application according to the application identifier comprised in the write-record instruction, finding a record file under the current application according to the filename comprised in the write-record instruction, writing the record data to be written comprised in the write-record instruction to the corresponding address in the record file according to the offset comprised in the write-record instruction, and returning a write-record response message to the host computer.
10. The method according to claim 9, characterized in that determining the current application according to the application identifier comprised in the write-record instruction, finding a record file under the current application according to the filename comprised in the write-record instruction, and writing the record data to be written comprised in the write-record instruction to the corresponding address in the record file according to the offset comprised in the write-record instruction is specifically:
c1: obtaining the application identifier from the 5th and 6th bytes of the write-record instruction, and determining the current application according to the application identifier;
c2: obtaining a length value from the 7th and 8th bytes of the write-record instruction, and judging whether the length of the data-field data after the 8th byte matches this length value; if yes, performing c3; otherwise, generating a write-record response message whose status code is the second preset value;
c3: obtaining the offset, the filename and the record data to be written from the data-field data according to a third preset structure;
c4: finding a record file under the current application according to the filename, determining a write address in the record file according to the offset, and writing the record data to be written to the write address.
11. The method according to claim 10, characterized in that the third preset structure is: a 2-byte offset + a 2-byte filename length + the filename + a 2-byte length of the record data to be written + the record data to be written.
12. The method according to claim 1, characterized in that opening the application on the device corresponding to the application name comprised in the open-application instruction comprises: obtaining a length value from the 5th and 6th bytes of the open-application instruction, and judging whether the length of the data-field data after the 6th byte matches this length value; if it matches, obtaining the application name from the data-field data and opening the application on the device corresponding to the application name; otherwise, generating an open-application response message whose status code is the second preset value.
13. The method according to claim 1, characterized in that determining the current application according to the application identifier comprised in the open-container instruction and opening the designated container under the current application corresponding to the container name comprised in the open-container instruction comprises:
A1: obtaining a length value from the 5th to 7th bytes of the open-container instruction, and judging whether the length of the data-field data after the 7th byte matches this length value; if yes, performing A2; otherwise, generating an open-container response message whose status code is the second preset value;
A2: obtaining the application identifier and the container name from the data-field data according to a fourth preset structure;
A3: determining the current application according to the application identifier, finding the designated container under the current application according to the container name, and opening the designated container.
14. The method according to claim 13, characterized in that the fourth preset structure is: application identifier + container name.
15. The method according to claim 1, characterized in that determining the designated container under the current application according to the application identifier and the container identifier comprised in the generate-key-pair instruction, creating a public/private key file structure in the designated container according to the key information comprised in the generate-key-pair instruction, and filling in the preset information in the public/private key file structure according to the file identifier and the record number comprised in the generate-key-pair instruction to obtain the generated key pair comprises:
B1: obtaining a length value from the 5th to 7th bytes of the generate-key-pair instruction, and judging whether the length of the data-field data after the 7th byte matches this length value; if yes, performing B2; otherwise, generating an open-container response message whose status code is the second preset value;
B2: obtaining the application identifier, the container identifier, the key information, the file identifier and the record number from the data-field data according to a fifth preset structure;
B3: determining the designated container under the current application according to the application identifier and the container identifier, and creating a public/private key file structure in the designated container according to the key information comprised in the generate-key-pair instruction;
B4: filling in the preset information in the public/private key file structure according to the file identifier and the record number, to obtain the key pair.
16. The method according to claim 15, characterized in that the fifth preset structure is: a 2-byte application identifier + a 2-byte container identifier + 4-byte key information + a 2-byte file identifier + a 2-byte record number; the key information comprises the bit length of the key pair to be generated.
17. The method according to claim 1, characterized in that determining the designated container under the current application according to the application identifier and the container identifier comprised in the signature instruction, obtaining the file identifier and the record number from the file structure of the key pair in the designated container, obtaining the record data corresponding to the record number from the record file corresponding to the file identifier according to the obtained file identifier and record number, calculating a signature pre-processing result from the public key of the key pair and the record data, and calculating a signature result over the data to be signed comprised in the signature instruction according to the signature pre-processing result and the private key of the key pair comprises:
C1: obtaining a length value from the 5th to 7th bytes of the signature instruction, and judging whether the length of the data-field data after the 7th byte matches this length value; if yes, performing C2; otherwise, generating a signature response message whose status code is the second preset value;
C2: obtaining the application identifier, the container identifier and the data to be signed from the data-field data according to a sixth preset structure;
C3: determining the designated container under the current application according to the application identifier and the container identifier, obtaining the key pair from the designated container, obtaining the file identifier and the record number from the file structure of the key pair, and obtaining the record data from the record file according to the obtained file identifier and record number;
C4: calculating a signature pre-processing result from the public key of the key pair and the obtained record data, and calculating a signature result over the data to be signed according to the signature pre-processing result and the private key of the key pair.
18. The method according to claim 17, characterized in that the sixth preset structure is: application identifier + container identifier + data to be signed.
19. The method according to claim 1, characterized in that, when the device judges that the type of the instruction is an open-container instruction, a generate-key-pair instruction or a signature instruction, the method further comprises a step of confirming that the current login state is the user login state.
CN201310724219.1A 2013-12-25 2013-12-25 A kind of endorsement method of signature device Active CN103729588B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310724219.1A CN103729588B (en) 2013-12-25 2013-12-25 A kind of endorsement method of signature device

Publications (2)

Publication Number Publication Date
CN103729588A CN103729588A (en) 2014-04-16
CN103729588B true CN103729588B (en) 2016-04-06

Family

ID=50453659

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310724219.1A Active CN103729588B (en) 2013-12-25 2013-12-25 A kind of endorsement method of signature device

Country Status (1)

Country Link
CN (1) CN103729588B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603238B (en) * 2015-10-20 2019-06-18 飞天诚信科技股份有限公司 A kind of multi-digital certificate signs and issues system, certificate management end, issue apparatus and its working method
CN112511297B (en) * 2020-11-30 2022-03-11 郑州信大捷安信息技术股份有限公司 Method and system for updating key pair and digital certificate

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006165A (en) * 2010-11-11 2011-04-06 西安理工大学 Ring signature method for anonymizing information based on multivariate public key cryptography
CN102761420A (en) * 2012-08-08 2012-10-31 飞天诚信科技股份有限公司 Security certification method
CN103235911A (en) * 2013-04-27 2013-08-07 飞天诚信科技股份有限公司 Signature method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170407B (en) * 2007-12-03 2011-01-12 北京深思洛克软件技术股份有限公司 A method for securely generating secret key pair and transmitting public key or certificate application file

Also Published As

Publication number Publication date
CN103729588A (en) 2014-04-16

Similar Documents

Publication Publication Date Title
CN101018127B (en) Remote access system, gateway, client device, program, and storage medium
CN102420902B (en) A kind of method of classification management over right of using functions and mobile terminal
CN105554035B (en) A kind of electronic lock system and its control method
US20080189772A1 (en) Method for generating digital fingerprint using pseudo random number code
CN103248491B (en) A kind of backup method of electronic signature token private key and system
CN101841525A (en) Secure access method, system and client
CN104104652A (en) Man-machine identification method, network service access method and corresponding equipment
CN110401615A (en) A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
CN105632002B (en) A kind of multiple confirmation method for safely carrying out of identification and running fix based on Internet of Things
CN103685244A (en) Differentiated authentication method and differentiated authentication device
CN106161442A (en) A kind of system control user login method
CN112150682A (en) Intelligent access control card, intelligent door lock terminal and intelligent access control card identification method
CN107133512B (en) POS terminal control method and device
CN103326864A (en) Electronic tag anti-fake authentication method
CN103729588B (en) A kind of endorsement method of signature device
CN106657098A (en) Authentication method, apparatus and system for logging in Linux operating system
CN107707356B (en) A kind of mobile device secure binding method and application system based on two dimensional code identification
CN107145531A (en) The user management method of distributed file system and distributed file system
CN101594350A (en) The verifying E-mail password system and method
CN103838997A (en) Single-chip microcomputer password verification method and device
CN107508835A (en) A kind of verification method of account, device and computer-readable recording medium
CN107566048B (en) A method of two step of optical module, which is carried out, using data-interface demonstrate,proves
CN106330950A (en) Method and system for accessing encrypted information, and adapter
CN109995763A (en) A kind of fingerprint head encryption method and system based on cloud lock
CN103281188A (en) Method and system for backing up private key in electronic signature token

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant