CN104580250A - System and method for authenticating credible identities on basis of safety chips - Google Patents
System and method for authenticating credible identities on basis of safety chips Download PDFInfo
- Publication number
- CN104580250A CN104580250A CN201510044405.XA CN201510044405A CN104580250A CN 104580250 A CN104580250 A CN 104580250A CN 201510044405 A CN201510044405 A CN 201510044405A CN 104580250 A CN104580250 A CN 104580250A
- Authority
- CN
- China
- Prior art keywords
- platform
- trusted
- key
- certificate
- authentication server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
Abstract
The invention provides a system and a method for authenticating credible identities on the basis of safety chips. The method includes allowing a credible authentication server and a credible terminal to apply for platform certificates from the same credible third party; allowing the credible authentication server to add the credible terminal into registered terminal lists of the credible authentication server after the platform certificates are successfully applied, storing the corresponding certificate of the credible terminal and allowing the credible authentication server to add new users into registered user lists; allowing the users on the credible terminal to access the corresponding server after the credibility of platforms is authenticated and the identities of the users are authenticated. The credibility of the platforms is bidirectionally authenticated by the credible authentication server and the credible terminal. The identities of the users are authenticated so that the authenticity of the identities of the users can be verified. The platform certificates comprise platform identity certificates and platform encryption certificates. The system and the method have the advantages that the credibility of the platforms is authenticated by the aid of the safety chips, so that the authenticity of the identities of the authentication server and the terminal and the safety of the platforms can be mutually confirmed by the authentication server and the terminal, and the safety of user identity authentication procedures can be guaranteed.
Description
Technical field
The present invention relates to a kind of system and method carrying out trusted identity certification based on safety chip, particularly relate to a kind of system and method carrying out trusted identity certification based on safety chip being applicable to information security field.
Background technology
Along with the development of computer technology and the continuous change of related application demand, the problem of computer security and information security aspect is more and more outstanding.Common authentication has nothing to do with platform often, and user can carry out authentication in any terminal, and owing to not verifying Terminal security, this is just brought potential safety hazard the user of the enterprising line operate of terminal.The continuous progress of reliable computing technology and safety chip technology proposes new approaches for solving information security issue.
Trust computing is a kind of information system security new technology, comprises all many-sides such as reliable hardware, trusted software, trustable network and trust computing application.Trust computing main Connotation emphasizes expecting of entity behavior, and the safety of system is with reliable.The basic thought of trust computing is, in computer systems, which, first set up a root of trust, the credibility of root of trust is guaranteed jointly by physical security, technical security and Administrative Security; Set up a trust chain afterwards, to hardware platform from root of trust, to operating system, then to application, one-level measures certification one-level, and one-level trusts one-level, this trust extension to whole computer system, thus guarantees the credible of whole computer system.
Safety chip adopts reliable computing technology, SOC technology, and internal structure mainly comprises microprocessor, volatile memory, nonvolatile memory, hardware encryption algorithm engine etc.; Safety chip storage inside dispatch from the factory distribution time the EK certificate that issues and Association Identity certificate; The core keys such as EK key, storage master key never go out chip, ensure that the safe storage of key and confidential data; The core operations such as secret generating, encrypting and decrypting, digital signature and checking complete safely and efficiently at chip internal.Safe storage adopts trusted technology to carry out protection to key and sensitive data to store; Complete platform by report mechanism and user identity proves, set up believable identity system; The key management functions of safety chip comprises the generation, storage, renewal, destruction etc. of key.In addition, the function of safety chip also comprises credible tolerance, generating random number, data encrypting and deciphering etc.
Summary of the invention
The technical problem to be solved in the present invention is to provide a kind of user can carry out trusted identity certification system and method when any terminal carries out authentication operation.
The technical solution used in the present invention is as follows: a kind of system of carrying out trusted identity certification based on safety chip, is characterized in that, comprise be mounted with safety chip respectively authentic authentication server, trusted terminal and trusted third party; Described trusted third party is used for signing and issuing, verify and cancelling of platform credential; Described authentic authentication server, for managing trusted terminal and user profile, provides the interpolation of trusted terminal and user, certification and deletion; User is by described trusted terminal access respective service; Described platform credential comprises platform identity certificate and platform encrypted certificate.
Based on the above-mentioned trusted identity authentication method carrying out trusted identity Verification System, its method step is:
Step one, authentic authentication server and trusted terminal are to same trusted third party application platform credential;
After step 2, described platform credential application success, described trusted terminal is joined oneself registered terminals list by described authentic authentication server, stores the corresponding certificate of trusted terminal, and authentic authentication server adds new user to registered user's list simultaneously;
Step 3, user in trusted terminal, by accessing respective server after platform credible certification and authenticating user identification; Described platform credible certification is the two-way authentication between authentic authentication server and trusted terminal; Described authenticating user identification is used for the authenticity of identifying user identity.
As preferably, the application method step of described platform identity certificate is:
A1, application end create platform identity key, the request of Generating Certificate; Described certificate request comprises symmetric key to the encryption of certificate request content and the PKI of trusted third party to the encryption of described symmetric key; Described certificate request content comprises the PKI of User Identity information and platform identity key;
A2, trusted third party use its private key to decipher and obtain described symmetric key after receiving certificate request, the symmetric key decryption that recycling obtains obtains the request content of certificate; Trusted third party audits certificate request content, audit by after utilize its private key to application end sign and issue platform identity certificate;
A3, trusted third party generate symmetric key and are encrypted application end platform identity certificate, and recycling applies for that the PKI of end EK key sends to application end after being encrypted this symmetric key;
A4, application end receive described in steps A 3 two enciphered datas that trusted third party beams back, and utilize the private key deciphering symmetric key wherein of EK key, and the certificate utilizing this symmetric key decryption to encrypt obtain platform identity certificate.
As preferably, the application method step of described platform encrypted certificate is:
B1, the request of application end generating platform encrypted certificate, the data that the PKI that certificate request comprises result that symmetric key encrypts structure TCM_PEK_PROOF and trusted third party is encrypted this symmetric key;
After B2, trusted third party receive certificate request, obtain symmetric key with the deciphering of its private key, recycle the plaintext that this symmetric key obtains certificate request; Trusted third party creates the platform encryption key of a unsymmetrical key as application end according to the identify label in TCM_PEK_PROOF structure;
B3, trusted third party create a symmetric key, with the symmetric key encryption platform encryption key that this creates, the symmetric key of this establishment of public key encryption of the EK key of recycling application end, and the symmetric key created described in this after the platform key after encryption and encryption is sent to application end;
B4, its private key of trusted third party sign and issue platform encrypted certificate, and produce symmetric key this platform encrypted certificate is encrypted, this symmetric key of public key encryption of recycling application end EK key, sends to application end by the symmetric key data after the certificate after described symmetric key encryption and encryption;
B5, application end utilize the symmetric key described in private key decryption step B3 of EK key, utilize this symmetric key decryption platform encryption key, and are encrypted protection with the private key of storage master key to platform encryption key;
B6, application end utilize the symmetric key described in private key decryption step B4 of EK key, utilize the encrypted certificate of this symmetric key decryption to obtain platform encrypted certificate.
As preferably, described step 2 also comprises, there is new trusted terminal after the application platform credential success of same trusted third party, described authentic authentication server adds described new trusted terminal to registered terminals list, store the corresponding certificate of trusted terminal, authentic authentication server adds new user to registered user's list simultaneously.
As preferably, the concrete grammar step of described trusted identity certification is:
C1, trusted terminal select a random number A to send to authentic authentication server;
C2, authentic authentication server select a random number B, authentic authentication server carries out tolerance to own components and obtains measurement results and metrology event daily record, by random number B, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to trusted terminal together with platform identity certificate and platform encrypted certificate;
C3, the trusted terminal platform identity certificate by trusted third party's checking authentic authentication server and the validity of platform encrypted certificate, and the integrality of data is verified, be proved to be successful, think that the identity of authentic authentication server is real; The metrology event daily record that trusted terminal provides according to authentic authentication server re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of certificate server; After authentic authentication server proves its platform credible, trusted terminal is carried out tolerance to own components and is obtained measurement results and metrology event daily record, by random number, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to authentic authentication server together with platform identity certificate, platform encrypted certificate;
C4, authentic authentication server verify the validity of trusted terminal platform identity certificate and platform encrypted certificate by trusted third party, and verify the integrality of data, are proved to be successful, think that trusted terminal identities is real; The event metrics logs that authentic authentication server provides according to trusted terminal re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of trusted terminal; After trusted terminal proves its platform credible, now then think that trusted terminal and authentic authentication server believe the authenticity of the other side's identity and the fail safe of platform each other; Authentic authentication server sends platform credible successful authentication result to trusted terminal;
C5, user carry out authentication in trusted terminal, produce random number, and with the PKI of authentic authentication server platform encryption key, username and password is encrypted, the private key pair encryption result of self platform identity key is signed, and the result after encryption and signature is sent to authentic authentication server;
C6, authentic authentication server are deciphered and are verified the data signed for, the correctness of last authentication of users name and password.
Compared with prior art, the invention has the beneficial effects as follows: utilize safety chip to carry out the credible certification of platform, make certificate server and terminal can confirm mutually the authenticity of the other side's identity and the fail safe of platform, guarantee the safety of authenticating user identification process.
Accompanying drawing explanation
Fig. 1 is the principle schematic of the present invention's wherein embodiment.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearly understand, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
Arbitrary feature disclosed in this specification (comprising any accessory claim, summary and accompanying drawing), unless specifically stated otherwise, all can be replaced by other equivalences or the alternative features with similar object.That is, unless specifically stated otherwise, each feature is an example in a series of equivalence or similar characteristics.
As shown in Figure 1, a kind of system of carrying out trusted identity certification based on safety chip, comprises authentic authentication server, trusted terminal and trusted third party three functional entitys of being mounted with safety chip respectively; Described trusted third party is used for signing and issuing, verify and cancelling of platform credential; Described authentic authentication server, for managing trusted terminal and user profile, provides the interpolation of trusted terminal and user, certification and deletion; User is by described trusted terminal access respective service.
Based on the above-mentioned trusted identity authentication method carrying out trusted identity Verification System, its method step is:
Step one, authentic authentication server and trusted terminal are to same trusted third party application platform credential; In this specific embodiment, described platform credential comprises platform identity certificate and platform encrypted certificate.
After step 2, described platform credential application success, described trusted terminal is joined oneself registered terminals list by described authentic authentication server, stores the corresponding certificate of trusted terminal, and adds user to registered users list; There is new trusted terminal after the application platform credential success of same trusted third party, described authentic authentication server adds described new trusted terminal to registered terminals list, store the corresponding certificate of trusted terminal, authentic authentication server adds new user to registered user's list simultaneously.
Step 3, user in trusted terminal, by accessing respective server after platform credible certification and authenticating user identification; Described platform credible certification is the two-way authentication between authentic authentication server and trusted terminal; Described authenticating user identification is used for the authenticity of identifying user identity.
In the authentication method of this specific embodiment, authentic authentication server and trusted terminal must submit platform credential application to trusted third party, platform identity certificate and platform encrypted certificate is signed and issued after its application being audited by trusted third party, the platform registered under same trusted third party represents in same inter-trust domain, and the authentic authentication server only in same inter-trust domain and trusted terminal just can complete the authentication of platform; After authentic authentication server and trusted terminal get respective platform credential respectively, trusted terminal joins in the registered terminals list of oneself by authentic authentication server; User uses corresponding service must carry out in trusted terminal, only can proceed the authentication of user after terminal and authentic authentication server complete platform credible certification, can access corresponding service after authenticating user identification success.Platform credible certification between authentic authentication server and trusted terminal includes platform identity certification and platform security certification, only have passed the secure and trusted of the equipment guarantee user usage platform of platform credible certification.
Utilize safety chip to carry out the credible certification of platform, make certificate server and terminal can confirm mutually the authenticity of the other side's identity and the fail safe of platform, guarantee the safety of authenticating user identification process.
In this specific embodiment, all built-in safety chip of trusted third party, authentic authentication server and trusted terminal is credible password module TCM safety chip.TCM safety chip have employed double certificate mechanism, comprise platform identity certificate and platform encrypted certificate, platform identity certificate is for proving platform identity, and platform encrypted certificate is used for encryption and decryption data, therefore needs to apply for platform identity certificate and platform encrypted certificate during platform registration simultaneously.In this stage, authentic authentication server and trusted terminal all apply for platform credential as application end to trusted third party.
In this specific embodiment, the application method step of platform identity certificate is:
A1, application end create platform identity key, the request of Generating Certificate; Described certificate request comprises two parts, symmetric key to the encryption of certificate request content and the PKI of trusted third party to the encryption of described symmetric key; Described certificate request content comprises the PKI of User Identity information and platform identity key;
A2, trusted third party use its private key to decipher and obtain described symmetric key after receiving certificate request, the symmetric key decryption that recycling obtains obtains the request content of certificate; Trusted third party audits certificate request content, audit by after utilize its private key to application end sign and issue platform identity certificate;
A3, trusted third party generate symmetric key and are encrypted application end platform identity certificate, and recycling applies for that the PKI of end EK key sends to application end after being encrypted this symmetric key;
A4, application end receive described in steps A 3 two enciphered datas that trusted third party beams back, and first utilize the private key deciphering symmetric key wherein of EK key, recycle the certificate that this symmetric key decryption encrypted and obtain platform identity certificate.
The application method step of platform encrypted certificate is:
B1, the request of application end generating platform encrypted certificate, certificate request comprises two parts content, the data that the PKI of the result that symmetric key is encrypted structure TCM_PEK_PROOF and trusted third party is encrypted this symmetric key;
After B2, trusted third party receive certificate request, obtain symmetric key with the deciphering of its private key, recycle the plaintext that this symmetric key obtains certificate request; Trusted third party creates the platform encryption key of a unsymmetrical key as application end according to the identify label in TCM_PEK_PROOF structure;
B3, trusted third party create a symmetric key, with the symmetric key encryption platform encryption key that this creates, the symmetric key of this establishment of public key encryption of the EK key of recycling application end, and the symmetric key created described in this after the platform key after encryption and encryption is sent to application end;
B4, its private key of trusted third party sign and issue platform encrypted certificate, and produce symmetric key this platform encrypted certificate is encrypted, this symmetric key of public key encryption of recycling application end EK key, sends to application end by the symmetric key data after the certificate after described symmetric key encryption and encryption;
B5, application end utilize the symmetric key described in private key decryption step B3 of EK key, utilize this symmetric key decryption platform encryption key, and are encrypted protection with the private key of storage master key to platform encryption key;
B6, application end utilize the symmetric key described in private key decryption step B4 of EK key, utilize the encrypted certificate of this symmetric key decryption to obtain platform encrypted certificate.
Trusted identity certification is divided into platform credible certification and authenticating user identification two parts.Platform credible certification is the two-way authentication between authentic authentication server and trusted terminal, and for the fail safe of the authenticity and platform of guaranteeing both sides' identity, authenticating user identification is used for the authenticity of identifying user identity.
In this specific embodiment, the concrete grammar step of trusted identity certification is:
C1, trusted terminal select a random number A to send to authentic authentication server;
C2, authentic authentication server select a random number B, authentic authentication server carries out tolerance to own components and obtains measurement results and metrology event daily record, by random number B, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to trusted terminal together with platform identity certificate and platform encrypted certificate;
C3, the trusted terminal platform identity certificate by trusted third party's checking authentic authentication server and the validity of platform encrypted certificate, and the integrality of data is verified, be proved to be successful, think that the identity of authentic authentication server is real; The metrology event daily record that trusted terminal provides according to authentic authentication server re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of certificate server; After authentic authentication server proves its platform credible, trusted terminal is carried out tolerance to own components and is obtained measurement results and metrology event daily record, by random number, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to authentic authentication server together with platform identity certificate, platform encrypted certificate;
C4, authentic authentication server verify the validity of trusted terminal platform identity certificate and platform encrypted certificate by trusted third party, and verify the integrality of data, are proved to be successful, think that trusted terminal identities is real; The event metrics logs that authentic authentication server provides according to trusted terminal re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of trusted terminal; After trusted terminal proves its platform credible, now then think that trusted terminal and authentic authentication server believe the authenticity of the other side's identity and the fail safe of platform each other; Authentic authentication server sends platform credible successful authentication result to trusted terminal;
C5, user carry out authentication in trusted terminal, produce random number, and with the PKI of authentic authentication server platform encryption key, username and password is encrypted, the private key pair encryption result of self platform identity key is signed, and the result after encryption and signature is sent to authentic authentication server;
C6, authentic authentication server are deciphered and are verified the data signed for, the correctness of last authentication of users name and password.
Claims (6)
1. carry out a system for trusted identity certification based on safety chip, it is characterized in that, comprise be mounted with safety chip respectively authentic authentication server, trusted terminal and trusted third party; Described trusted third party is used for signing and issuing, verify and cancelling of platform credential; Described authentic authentication server, for managing trusted terminal and user profile, provides the interpolation of trusted terminal and user, certification and deletion; User is by described trusted terminal access respective service.
2., based on the trusted identity authentication method carrying out trusted identity Verification System according to claim 1, its method step is:
Step one, authentic authentication server and trusted terminal are to same trusted third party application platform credential;
After step 2, described platform credential application success, described trusted terminal is joined oneself registered terminals list by described authentic authentication server, stores the corresponding certificate of trusted terminal, and authentic authentication server adds new user to registered user's list simultaneously;
Step 3, user in trusted terminal, by accessing respective server after platform credible certification and authenticating user identification; Described platform credible certification is the two-way authentication between authentic authentication server and trusted terminal; Described authenticating user identification is used for the authenticity of identifying user identity;
Described platform credential comprises platform identity certificate and platform encrypted certificate.
3. trusted identity authentication method according to claim 2, the application method step of described platform identity certificate is:
A1, application end create platform identity key, the request of Generating Certificate; Described certificate request comprises symmetric key to the encryption of certificate request content and the PKI of trusted third party to the encryption of described symmetric key; Described certificate request content comprises the PKI of User Identity information and platform identity key;
A2, trusted third party use its private key to decipher and obtain described symmetric key after receiving certificate request, the symmetric key decryption that recycling obtains obtains the request content of certificate; Trusted third party audits certificate request content, audit by after utilize its private key to application end sign and issue platform identity certificate;
A3, trusted third party generate symmetric key and are encrypted application end platform identity certificate, and recycling applies for that the PKI of end EK key sends to application end after being encrypted this symmetric key;
A4, application end receive described in steps A 3 two enciphered datas that trusted third party beams back, and utilize the private key deciphering symmetric key wherein of EK key, and the certificate utilizing this symmetric key decryption to encrypt obtain platform identity certificate.
4. the trusted identity authentication method according to Claims 2 or 3, the application method step of described platform encrypted certificate is:
B1, the request of application end generating platform encrypted certificate, the data that the PKI that certificate request comprises result that symmetric key encrypts structure TCM_PEK_PROOF and trusted third party is encrypted this symmetric key;
After B2, trusted third party receive certificate request, obtain symmetric key with the deciphering of its private key, recycle the plaintext that this symmetric key obtains certificate request; Trusted third party creates the platform encryption key of a unsymmetrical key as application end according to the identify label in TCM_PEK_PROOF structure;
B3, trusted third party create a symmetric key, with the symmetric key encryption platform encryption key that this creates, the symmetric key of this establishment of public key encryption of the EK key of recycling application end, and the symmetric key created described in this after the platform key after encryption and encryption is sent to application end;
B4, its private key of trusted third party sign and issue platform encrypted certificate, and produce symmetric key this platform encrypted certificate is encrypted, this symmetric key of public key encryption of recycling application end EK key, sends to application end by the symmetric key data after the certificate after described symmetric key encryption and encryption;
B5, application end utilize the symmetric key described in private key decryption step B3 of EK key, utilize this symmetric key decryption platform encryption key, and are encrypted protection with the private key of storage master key to platform encryption key;
B6, application end utilize the symmetric key described in private key decryption step B4 of EK key, utilize the encrypted certificate of this symmetric key decryption to obtain platform encrypted certificate.
5. trusted identity authentication method according to claim 2, described step 2 also comprises, there is new trusted terminal after the application platform credential success of same trusted third party, described authentic authentication server adds described new trusted terminal to registered terminals list, store the corresponding certificate of trusted terminal, authentic authentication server adds new user to registered user's list simultaneously.
6. trusted identity authentication method according to claim 2, the concrete grammar step of described trusted identity certification is:
C1, trusted terminal select a random number A to send to authentic authentication server;
C2, authentic authentication server select a random number B, authentic authentication server carries out tolerance to own components and obtains measurement results and metrology event daily record, by random number B, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to trusted terminal together with platform identity certificate and platform encrypted certificate;
C3, the trusted terminal platform identity certificate by trusted third party's checking authentic authentication server and the validity of platform encrypted certificate, and the integrality of data is verified, be proved to be successful, think that the identity of authentic authentication server is real; The metrology event daily record that trusted terminal provides according to authentic authentication server re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of certificate server; After authentic authentication server proves its platform credible, trusted terminal is carried out tolerance to own components and is obtained measurement results and metrology event daily record, by random number, measurement results and metrology event daily record, and the result after utilizing the private key of himself platform identity key to sign, send to authentic authentication server together with platform identity certificate, platform encrypted certificate;
C4, authentic authentication server verify the validity of trusted terminal platform identity certificate and platform encrypted certificate by trusted third party, and verify the integrality of data, are proved to be successful, think that trusted terminal identities is real; The event metrics logs that authentic authentication server provides according to trusted terminal re-starts calculating, by result of calculation compared with the measurement results received to determine the trusted status of trusted terminal; After trusted terminal proves its platform credible, now then think that trusted terminal and authentic authentication server believe the authenticity of the other side's identity and the fail safe of platform each other; Authentic authentication server sends platform credible successful authentication result to trusted terminal;
C5, user carry out authentication in trusted terminal, produce random number, and with the PKI of authentic authentication server platform encryption key, username and password is encrypted, the private key pair encryption result of self platform identity key is signed, and the result after encryption and signature is sent to authentic authentication server;
C6, authentic authentication server are deciphered and are verified the data signed for, the correctness of last authentication of users name and password.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510044405.XA CN104580250A (en) | 2015-01-29 | 2015-01-29 | System and method for authenticating credible identities on basis of safety chips |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510044405.XA CN104580250A (en) | 2015-01-29 | 2015-01-29 | System and method for authenticating credible identities on basis of safety chips |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104580250A true CN104580250A (en) | 2015-04-29 |
Family
ID=53095430
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510044405.XA Pending CN104580250A (en) | 2015-01-29 | 2015-01-29 | System and method for authenticating credible identities on basis of safety chips |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104580250A (en) |
Cited By (42)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106056793A (en) * | 2016-06-08 | 2016-10-26 | 广州广电运通金融电子股份有限公司 | Card reading system and card reading method |
| CN106130982A (en) * | 2016-06-28 | 2016-11-16 | 北京万协通信息技术有限公司 | Intelligent household appliance remote control method based on PKI system |
| CN106127016A (en) * | 2016-07-18 | 2016-11-16 | 浪潮集团有限公司 | A kind of operating system user logs in system and the implementation method of authentic authentication |
| CN106789059A (en) * | 2016-11-10 | 2017-05-31 | 中国电子科技集团公司第二十八研究所 | A kind of long-range two-way access control system and method based on trust computing |
| CN106790307A (en) * | 2017-03-28 | 2017-05-31 | 联想(北京)有限公司 | Network safety managing method and server |
| CN106789032A (en) * | 2017-01-16 | 2017-05-31 | 西安电子科技大学 | The single password tripartite authentication method of privacy sharing between server and mobile device |
| CN106886920A (en) * | 2017-02-16 | 2017-06-23 | 湖北大学 | Based on the shared bicycle Secure Billing method that home is proved |
| CN106921673A (en) * | 2017-03-28 | 2017-07-04 | 联想(北京)有限公司 | Network safety managing method and server |
| CN106919846A (en) * | 2015-12-25 | 2017-07-04 | 中国科学院上海高等研究院 | A kind of message-oriented middleware processing method and system |
| CN106992976A (en) * | 2017-03-24 | 2017-07-28 | 联想(北京)有限公司 | Network safety managing method and server |
| CN107046539A (en) * | 2017-04-07 | 2017-08-15 | 山东中创软件商用中间件股份有限公司 | The method to set up and device of a kind of application secure access |
| CN107294710A (en) * | 2017-06-30 | 2017-10-24 | 浪潮(北京)电子信息产业有限公司 | A kind of key migration method and device of vTPM2.0 |
| CN107483191A (en) * | 2017-08-16 | 2017-12-15 | 济南浪潮高新科技投资发展有限公司 | A kind of SM2 algorithm secret keys segmentation signature system and method |
| CN108390866A (en) * | 2018-02-06 | 2018-08-10 | 南京航空航天大学 | Trusted remote method of proof based on the two-way anonymous authentication of dual-proxy |
| CN108550036A (en) * | 2018-03-20 | 2018-09-18 | 中国银联股份有限公司 | A kind of method, terminal and device for establishing security infrastructure |
| CN108632251A (en) * | 2018-03-28 | 2018-10-09 | 杭州电子科技大学 | Authentic authentication method based on cloud computing data service and its Encryption Algorithm |
| CN108696349A (en) * | 2017-03-31 | 2018-10-23 | 英特尔公司 | The trusted third party that credible performing environment is used as proving to provide privacy |
| CN108924147A (en) * | 2018-07-17 | 2018-11-30 | 中国联合网络通信集团有限公司 | Method, server and the communication terminal that communication terminal digital certificate is signed and issued |
| CN109274647A (en) * | 2018-08-27 | 2019-01-25 | 杭州创谐信息技术股份有限公司 | Distributed credible memory exchanges method and system |
| CN109284999A (en) * | 2017-07-20 | 2019-01-29 | 上海方付通商务服务有限公司 | Business confirmation method and system based on mobile network's terminal |
| CN109729523A (en) * | 2017-10-31 | 2019-05-07 | 华为技术有限公司 | A kind of method and apparatus of terminal networking certification |
| CN109922027A (en) * | 2017-12-13 | 2019-06-21 | 中国移动通信集团公司 | A kind of trusted identity authentication method, terminal and storage medium |
| CN109951276A (en) * | 2019-03-04 | 2019-06-28 | 北京工业大学 | Embedded device remote identity authentication method based on TPM |
| CN110036597A (en) * | 2016-12-09 | 2019-07-19 | 微软技术许可有限责任公司 | Private cipher key is securely distributed for what is used by insincere code |
| CN110299996A (en) * | 2018-03-22 | 2019-10-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN110752934A (en) * | 2019-10-28 | 2020-02-04 | 江苏大周基业智能科技有限公司 | Network identity interactive authentication method under topological structure |
| CN111435911A (en) * | 2019-01-14 | 2020-07-21 | 海南自贸区图灵区块链科技有限公司 | Online multi-party security data processing method and device |
| CN111512608A (en) * | 2017-09-27 | 2020-08-07 | 华为技术有限公司 | Trusted execution environment based authentication protocol |
| CN106992978B (en) * | 2017-03-28 | 2020-08-25 | 联想(北京)有限公司 | Network security management method and server |
| CN111641615A (en) * | 2020-05-20 | 2020-09-08 | 深圳市今天国际物流技术股份有限公司 | Distributed identity authentication method and system based on certificate |
| CN111723347A (en) * | 2020-06-01 | 2020-09-29 | 清华大学 | Identity authentication method and device, electronic equipment and storage medium |
| CN112328326A (en) * | 2020-11-16 | 2021-02-05 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN112673591A (en) * | 2018-06-01 | 2021-04-16 | R·特格德 | System and method for providing authorized third parties with secure key escrow access to a secret public ledger |
| CN113364583A (en) * | 2021-05-31 | 2021-09-07 | 山东中科好靓科技有限公司 | Remote verification method based on decentralized network |
| CN113422683A (en) * | 2021-03-04 | 2021-09-21 | 上海数道信息科技有限公司 | Edge cloud cooperative data transmission method, system, storage medium and terminal |
| CN113556230A (en) * | 2020-04-24 | 2021-10-26 | 华控清交信息科技(北京)有限公司 | Data security transmission method, certificate correlation method, server, system and medium |
| CN113783846A (en) * | 2021-08-16 | 2021-12-10 | 可信计算科技(无锡)有限公司 | Trusted data transmission system and method |
| CN113904856A (en) * | 2021-10-15 | 2022-01-07 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
| CN114374559A (en) * | 2016-06-18 | 2022-04-19 | 英特尔公司 | Platform attestation and registration for servers |
| CN114650140A (en) * | 2020-12-21 | 2022-06-21 | 国民科技(深圳)有限公司 | Mobile terminal, server, and method of executing electronic signature |
| WO2023160166A1 (en) * | 2022-02-28 | 2023-08-31 | 华为技术有限公司 | Trusted computing method, chip, and server |
| CN113904856B (en) * | 2021-10-15 | 2024-04-23 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102427449A (en) * | 2011-11-04 | 2012-04-25 | 北京工业大学 | Trusted mobile storage method based on security chips |
| CN102694776A (en) * | 2011-03-23 | 2012-09-26 | 国民技术股份有限公司 | Authentication system and method based on dependable computing |
| CN102957535A (en) * | 2011-08-19 | 2013-03-06 | 国民技术股份有限公司 | Communication method and communication system for trusted computing platform and electronic certificate authentication system |
| US20130333005A1 (en) * | 2012-06-07 | 2013-12-12 | Sk Planet Co., Ltd. | Cloud service system based on enhanced security function and method for supporting the same |
-
2015
- 2015-01-29 CN CN201510044405.XA patent/CN104580250A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102694776A (en) * | 2011-03-23 | 2012-09-26 | 国民技术股份有限公司 | Authentication system and method based on dependable computing |
| CN102957535A (en) * | 2011-08-19 | 2013-03-06 | 国民技术股份有限公司 | Communication method and communication system for trusted computing platform and electronic certificate authentication system |
| CN102427449A (en) * | 2011-11-04 | 2012-04-25 | 北京工业大学 | Trusted mobile storage method based on security chips |
| US20130333005A1 (en) * | 2012-06-07 | 2013-12-12 | Sk Planet Co., Ltd. | Cloud service system based on enhanced security function and method for supporting the same |
Non-Patent Citations (1)
| Title |
|---|
| 国家密码管理局: ""可信计算密码支撑平台功能与接口规范"", 《国家密码管理局》 * |
Cited By (63)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106919846A (en) * | 2015-12-25 | 2017-07-04 | 中国科学院上海高等研究院 | A kind of message-oriented middleware processing method and system |
| CN106919846B (en) * | 2015-12-25 | 2020-03-24 | 中国科学院上海高等研究院 | Message middleware processing method and system |
| CN106056793A (en) * | 2016-06-08 | 2016-10-26 | 广州广电运通金融电子股份有限公司 | Card reading system and card reading method |
| CN114374559A (en) * | 2016-06-18 | 2022-04-19 | 英特尔公司 | Platform attestation and registration for servers |
| CN106130982B (en) * | 2016-06-28 | 2019-07-12 | 北京万协通信息技术有限公司 | Intelligent household appliance remote control method based on PKI system |
| CN106130982A (en) * | 2016-06-28 | 2016-11-16 | 北京万协通信息技术有限公司 | Intelligent household appliance remote control method based on PKI system |
| CN106127016A (en) * | 2016-07-18 | 2016-11-16 | 浪潮集团有限公司 | A kind of operating system user logs in system and the implementation method of authentic authentication |
| CN106127016B (en) * | 2016-07-18 | 2018-08-17 | 浪潮集团有限公司 | A kind of operating system user logs in the system and implementation method of authentic authentication |
| CN106789059A (en) * | 2016-11-10 | 2017-05-31 | 中国电子科技集团公司第二十八研究所 | A kind of long-range two-way access control system and method based on trust computing |
| CN110036597A (en) * | 2016-12-09 | 2019-07-19 | 微软技术许可有限责任公司 | Private cipher key is securely distributed for what is used by insincere code |
| CN106789032A (en) * | 2017-01-16 | 2017-05-31 | 西安电子科技大学 | The single password tripartite authentication method of privacy sharing between server and mobile device |
| CN106886920A (en) * | 2017-02-16 | 2017-06-23 | 湖北大学 | Based on the shared bicycle Secure Billing method that home is proved |
| CN106992976B (en) * | 2017-03-24 | 2020-08-25 | 联想(北京)有限公司 | Network security management method and server |
| CN106992976A (en) * | 2017-03-24 | 2017-07-28 | 联想(北京)有限公司 | Network safety managing method and server |
| CN106790307A (en) * | 2017-03-28 | 2017-05-31 | 联想(北京)有限公司 | Network safety managing method and server |
| CN106921673A (en) * | 2017-03-28 | 2017-07-04 | 联想(北京)有限公司 | Network safety managing method and server |
| CN106992978B (en) * | 2017-03-28 | 2020-08-25 | 联想(北京)有限公司 | Network security management method and server |
| CN108696349A (en) * | 2017-03-31 | 2018-10-23 | 英特尔公司 | The trusted third party that credible performing environment is used as proving to provide privacy |
| CN107046539A (en) * | 2017-04-07 | 2017-08-15 | 山东中创软件商用中间件股份有限公司 | The method to set up and device of a kind of application secure access |
| CN107294710A (en) * | 2017-06-30 | 2017-10-24 | 浪潮(北京)电子信息产业有限公司 | A kind of key migration method and device of vTPM2.0 |
| CN107294710B (en) * | 2017-06-30 | 2020-12-04 | 浪潮(北京)电子信息产业有限公司 | Key migration method and device for vTPM2.0 |
| CN109284999A (en) * | 2017-07-20 | 2019-01-29 | 上海方付通商务服务有限公司 | Business confirmation method and system based on mobile network's terminal |
| CN107483191B (en) * | 2017-08-16 | 2020-04-14 | 浪潮集团有限公司 | SM2 algorithm key segmentation signature system and method |
| CN107483191A (en) * | 2017-08-16 | 2017-12-15 | 济南浪潮高新科技投资发展有限公司 | A kind of SM2 algorithm secret keys segmentation signature system and method |
| CN111512608B (en) * | 2017-09-27 | 2021-09-07 | 华为技术有限公司 | Trusted execution environment based authentication protocol |
| US11336641B2 (en) | 2017-09-27 | 2022-05-17 | Huawei Technologies Co., Ltd. | Security enhanced technique of authentication protocol based on trusted execution environment |
| CN111512608A (en) * | 2017-09-27 | 2020-08-07 | 华为技术有限公司 | Trusted execution environment based authentication protocol |
| CN109729523A (en) * | 2017-10-31 | 2019-05-07 | 华为技术有限公司 | A kind of method and apparatus of terminal networking certification |
| US11432150B2 (en) | 2017-10-31 | 2022-08-30 | Huawei Technologies Co., Ltd. | Method and apparatus for authenticating network access of terminal |
| CN109922027A (en) * | 2017-12-13 | 2019-06-21 | 中国移动通信集团公司 | A kind of trusted identity authentication method, terminal and storage medium |
| CN108390866B (en) * | 2018-02-06 | 2020-10-02 | 南京航空航天大学 | Trusted remote certification method and system based on double-agent bidirectional anonymous authentication |
| CN108390866A (en) * | 2018-02-06 | 2018-08-10 | 南京航空航天大学 | Trusted remote method of proof based on the two-way anonymous authentication of dual-proxy |
| CN108550036A (en) * | 2018-03-20 | 2018-09-18 | 中国银联股份有限公司 | A kind of method, terminal and device for establishing security infrastructure |
| CN108550036B (en) * | 2018-03-20 | 2022-09-23 | 中国银联股份有限公司 | Method, terminal and device for establishing security infrastructure |
| CN110299996B (en) * | 2018-03-22 | 2022-07-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN110299996A (en) * | 2018-03-22 | 2019-10-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN108632251B (en) * | 2018-03-28 | 2020-09-01 | 杭州电子科技大学 | Credible authentication method based on cloud computing data service and encryption algorithm thereof |
| CN108632251A (en) * | 2018-03-28 | 2018-10-09 | 杭州电子科技大学 | Authentic authentication method based on cloud computing data service and its Encryption Algorithm |
| CN112673591A (en) * | 2018-06-01 | 2021-04-16 | R·特格德 | System and method for providing authorized third parties with secure key escrow access to a secret public ledger |
| CN112673591B (en) * | 2018-06-01 | 2021-12-31 | R·特格德 | System and method for providing authorized third parties with secure key escrow access to a secret public ledger |
| CN108924147A (en) * | 2018-07-17 | 2018-11-30 | 中国联合网络通信集团有限公司 | Method, server and the communication terminal that communication terminal digital certificate is signed and issued |
| CN108924147B (en) * | 2018-07-17 | 2021-10-26 | 中国联合网络通信集团有限公司 | Communication terminal digital certificate issuing method, server and communication terminal |
| CN109274647B (en) * | 2018-08-27 | 2021-08-10 | 杭州创谐信息技术股份有限公司 | Distributed trusted memory exchange method and system |
| CN109274647A (en) * | 2018-08-27 | 2019-01-25 | 杭州创谐信息技术股份有限公司 | Distributed credible memory exchanges method and system |
| CN111435911B (en) * | 2019-01-14 | 2023-02-17 | 海南自贸区图灵区块链科技有限公司 | Online multi-party security data processing method and device |
| CN111435911A (en) * | 2019-01-14 | 2020-07-21 | 海南自贸区图灵区块链科技有限公司 | Online multi-party security data processing method and device |
| CN109951276B (en) * | 2019-03-04 | 2021-12-03 | 北京工业大学 | Embedded equipment remote identity authentication method based on TPM |
| CN109951276A (en) * | 2019-03-04 | 2019-06-28 | 北京工业大学 | Embedded device remote identity authentication method based on TPM |
| CN110752934A (en) * | 2019-10-28 | 2020-02-04 | 江苏大周基业智能科技有限公司 | Network identity interactive authentication method under topological structure |
| CN113556230A (en) * | 2020-04-24 | 2021-10-26 | 华控清交信息科技(北京)有限公司 | Data security transmission method, certificate correlation method, server, system and medium |
| CN111641615A (en) * | 2020-05-20 | 2020-09-08 | 深圳市今天国际物流技术股份有限公司 | Distributed identity authentication method and system based on certificate |
| CN111723347B (en) * | 2020-06-01 | 2023-06-06 | 清华大学 | Identity authentication method, identity authentication device, electronic equipment and storage medium |
| CN111723347A (en) * | 2020-06-01 | 2020-09-29 | 清华大学 | Identity authentication method and device, electronic equipment and storage medium |
| CN112328326B (en) * | 2020-11-16 | 2022-01-14 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN112328326A (en) * | 2020-11-16 | 2021-02-05 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN114650140A (en) * | 2020-12-21 | 2022-06-21 | 国民科技(深圳)有限公司 | Mobile terminal, server, and method of executing electronic signature |
| CN113422683A (en) * | 2021-03-04 | 2021-09-21 | 上海数道信息科技有限公司 | Edge cloud cooperative data transmission method, system, storage medium and terminal |
| CN113364583A (en) * | 2021-05-31 | 2021-09-07 | 山东中科好靓科技有限公司 | Remote verification method based on decentralized network |
| CN113783846A (en) * | 2021-08-16 | 2021-12-10 | 可信计算科技(无锡)有限公司 | Trusted data transmission system and method |
| CN113783846B (en) * | 2021-08-16 | 2023-09-19 | 德威可信(北京)科技有限公司 | Trusted data transmission system and method |
| CN113904856A (en) * | 2021-10-15 | 2022-01-07 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
| CN113904856B (en) * | 2021-10-15 | 2024-04-23 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
| WO2023160166A1 (en) * | 2022-02-28 | 2023-08-31 | 华为技术有限公司 | Trusted computing method, chip, and server |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104580250A (en) | System and method for authenticating credible identities on basis of safety chips | |
| US11139951B2 (en) | Blockchain system and data processing method for blockchain system | |
| US11349675B2 (en) | Tamper-resistant and scalable mutual authentication for machine-to-machine devices | |
| KR100962399B1 (en) | Method for providing anonymous public key infrastructure and method for providing service using the same | |
| CN102577229B (en) | Key certification in one round trip | |
| CN103051453B (en) | A kind of mobile terminal network affaris safety trade system based on digital certificate and method | |
| US8555072B2 (en) | Attestation of computing platforms | |
| CN101212293B (en) | Identity authentication method and system | |
| CN103856478B (en) | A kind of certificate issuance of trustable network, authentication method and corresponding equipment | |
| CN102594558B (en) | Anonymous digital certificate system and verification method of trustable computing environment | |
| CN104753881A (en) | WebService security certification access control method based on software digital certificate and timestamp | |
| CN109257328B (en) | Safe interaction method and device for field operation and maintenance data | |
| JPH06223041A (en) | Rarge-area environment user certification system | |
| US20140013110A1 (en) | Non-hierarchical infrastructure for managing twin-security keys of physical persons or of elements (igcp/pki) | |
| CN101395624A (en) | Verification of electronic signatures | |
| CN106027503A (en) | Cloud storage data encryption method based on TPM | |
| CN103248491B (en) | A kind of backup method of electronic signature token private key and system | |
| CN103078742A (en) | Generation method and system of digital certificate | |
| CN101488851B (en) | Method and apparatus for signing identity verification certificate in trusted computing | |
| CN106790045A (en) | One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method | |
| CN104012036A (en) | Combined digital certificate | |
| CN103560887A (en) | Intelligent terminal remote attestation method and system | |
| CN114697038A (en) | Quantum attack resistant electronic signature method and system | |
| CN108418692B (en) | On-line writing method of authentication certificate | |
| CN110855442A (en) | PKI (public key infrastructure) technology-based inter-device certificate verification method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150429 |