CN105024824A - Method for generating and verifying credible label based on asymmetrical encryption algorithm and system - Google Patents

Abstract

The invention provides a method and system for generating and verifying a credible label based on an asymmetrical encryption algorithm. The credible label is generated according to credible label original information, a label identifier, a commodity identifier, the public key information of the asymmetrical encryption algorithm, digital certificate information, digital signature information and credible time stamp or credible identity time stamp information. When the credible label needs to be used or verified, the credible label generation time and the validity and integrity of content are ensured by verification of the credible time stamp or credible identity time stamp information in the credible label; the identity of a credible label owner is authenticated by verification of the validity of a digital certificate in the credible label or the legality of a public key; the integrity of credible label content is determined by verification of the digital signature in the credible label; and an anti-counterfeiting function of a commodity is implemented by verification of the uniqueness of the label identifier and the uniqueness of the commodity identifier.

Description

Based on the generation of the credible label of rivest, shamir, adelman and verification method and system

Technical field

The present invention relates to cryptography, computer network security and product false proof field, specifically, The present invention gives a kind of generation of the credible label based on rivest, shamir, adelman and verification method and system.

Background technology

Rivest, shamir, adelman is a kind of time slot scrambling of key.Rivest, shamir, adelman needs two keys: public-key cryptography (publickey) and private cipher key (private key).Public-key cryptography and private cipher key are a pair, if be encrypted data with public-key cryptography, only had and could decipher with corresponding private cipher key; If be encrypted data with private cipher key, so only had and could decipher with corresponding public-key cryptography.Because encryption and decryption use two different keys, this algorithm is called rivest, shamir, adelman.

The cryptographic system (Identity-Based Cryptograph is called for short IBC) of identity-based mark is a kind of asymmetrical public key cryptography system.The Objective Concept Shamir of id password proposed in 1984, and its main viewpoint is the not certificate of necessity in system, uses the mark of user if name, IP address, E-mail address, phone number etc. are as PKI.The private key of user is calculated according to system master key and user ID by key generation centre (Key Generate Center is called for short KGC).The PKI of user is uniquely determined by user ID, thus user does not need third party to ensure the authenticity of PKI.

Conbined public or double key CPK (Combined Public Key) is a kind of universal method become by existing public key system based on the public key system identified, by setting up the framework of science, many algorithms is combined dexterously, achieve the secret generating based on mark, the digital signature based on mark and cipher key change can be supported.The well-known information security of China and cryptographist Nan Xianghao teach the conception proposing CPK combined public-key scheme in 1999, and the externally formal announcement in 2003.

PKI (Public Key Infrastructure) i.e. " PKIX ", that a kind of PKI concept and technology are implemented and provide the security infrastructure with universality of security service, it is a kind of key management platform following written standards, it can provide encryption and the cryptographic service such as digital signature and necessary key and certificate management system for all-network application, in simple terms, PKI is exactly the infrastructure providing security service utilizing PKI theory and technology to set up.PKI technology is the core of information security technology, is also key and the basic technology of ecommerce.

PKI technology adopts certificate management PKI, by third-party trusted authorities-CA (Certificate Authority) authentication center, other identification informations of the PKI of user and user is bundled, the identity of authentication of users on the internet.At present, general way adopts the digital certificate be based upon on PKI basis, by the digital information that will transmit being encrypted and signing, and confidentiality, authenticity, integrality and non-repudiation that guarantee information is transmitted, thus the safe transmission of guarantee information.PKI is based on public key algorithm and technology, for Internet communication provides the infrastructure of security service, is the aggregate creating, issue, manage, nullify all softwares involved by public key certificate, hardware.Its core element is digital certificate, and core executor is ca authentication mechanism.

The basic comprising parts such as the necessary authoritative digital certificate authentication center of tool (CA) of complete PKI system, digital certificate storehouse, cipher key backup and recovery system, certificate calcellation system, application interface (API), build PKI and also will set about building round this five big systems.The basic technology of PKI comprises encryption, digital signature, data integrity mechanism, digital envelope, dual digital signature etc.Typical case, complete, an effective PKI application system at least should have with lower part:

Public key certificate manages.

The issue of blacklist and management.

The backup of key and recovery.

Automatic more new key.

Automatic management history key.

Support cross-certification.

Digital signature, also public key digital signature is claimed, refer to and be attached to one group of specific symbol in a certain electronic document or code, it utilizes mathematical method and cryptographic algorithm carry out key message extraction to this electronic document and are encrypted and are formed, for identification issuer identity and sign originator to the accreditation of electronic document, and person can be received be used for verifying whether this electronic document is tampered or forges in transmitting procedure.Digital signing operations detailed process is as follows: transmit leg does digital digest to signed e-file (claiming electronic message in Electronic Signature Law) with hash algorithm, again asymmetric encryption is done to digital digest signature private key, namely digital signature is done, be the PKI of above signature and e-file original text and signing certificate is added together form signature result and send to debit afterwards, treat that debit verifies.After recipient receives data, first the public key decryptions digital signature of transmit leg is used, derive digital digest, and same hash algorithm is done to e-file original text, obtain a new digital digest, the cryptographic Hash that two are made a summary is carried out results contrast, if result is identical, signature is verified, otherwise it is invalid to sign.

Digital certificate, be again " digital ID card ", " digital ID ", provided by authentication center and authenticated center CA digital signature, comprise a kind of e-file of public-key cryptography owner and public-key cryptography relevant information, can be used for proving the true identity of digital certificate holder.The simplest certificate comprises the digital signature of public-key cryptography, title and a certificate authority.Generally also comprise the effective time of key in certificate, the title of licence issuing authority (certificate authority), the information such as the sequence number of this certificate, the form of certificate follows ITUT X.509 international standard.

HASH, i.e. hash, also claim Hash, not only the input of random length (but also being called preliminary mapping, pre-image), by HASH algorithm, be transformed into the output of regular length, this output is exactly HASH value (also known as digital digest).This conversion is a kind of compressing mapping, and namely the space of hash HASH value is usually much smaller than the space of input, and different inputs may generate identical output, but can not carry out unique determination input value from hashed value.

Trusted timestamp be by authoritative trusted timestamp service centre according to international time one of stabbing that standard " RFC3161 " signs and issues can prove electronic message (e-file) a time point be that existed, complete, can verify, possesses the electronic certificate of legal effect, trusted timestamp is mainly used in e-file anti-tamper and deny afterwards, determines the correct time that e-file produces.Trusted timestamp (time-stamp) is a voucher document formed after encryption, and it comprises three parts:

(1) digital digest (digest) of the file that need add timestamp;

(2) trusted timestamp server receives the date and time of file;

(3) digital signature (generating according to (1) and (2) content) of trusted timestamp server.

X.500 be the directory standard defined by international standard committee ISO (Internetional Standards Organization), include from X.501 to a series of catalogue data service such as X.509.Agreement for X.500 client computer and server communication is DAP (Directory Access Protocol).X.500 there is important effect to PKI, it define the scheme of data storage and access in PKI system, use at the LIST SERVER access entrance place of PKI system standardized method to complete the memory access of the data structure such as certificate and certificate revocation list.

LDAP (Lightweight Directory Access Protocol) is the simple version produced in X.500 standard base, it is a subset of X.500 directory access protocol DAP in standard, simplify complete X.500 practical function, and extend the support to ICP/IP protocol system.

Quick Response Code, also known as two-dimensional bar code, the chequered with black and white graphic recording data symbol information that distributes in plane (two-dimensional directional) according to certain rules with certain specific geometric figure, coding utilizes the concept of " 0 ", " 1 " bit stream forming computer-internal logical foundations dexterously, the geometrical body using several corresponding with binary system, to represent word numerical information, is processed to realize information automatically by image input device or photoelectric scanning device automatically identifying and reading.It has some general character of barcode technology: often kind of code system has its specific character set; Each character occupies certain width; There is certain verifying function etc.Also have simultaneously and the features such as change are rotated to the information automatic identification function of different rows and processing graphics.Conventional code system has: Data Matrix, MaxiCode, Aztec, QR Code, Vericode, PDF417, Ultracode, Code 49, Code 16K etc.

Error correction coding: on demand by code word data sequence piecemeal, and according to the code word of error-correction level and piecemeal, produce error correction code word, and error correction code word is joined after code word data sequence, becomes a new sequence.

When Quick Response Code specification and error-correction level are determined, in fact it can hold code word sum and error correcting code number of words also just determine, such as: version 10, when error-correction level is H, altogether can hold 346 code words, wherein 224 error correction code words.In other words in two-dimension code area, the code word of about 1/3 is redundancy.For these 224 error correction code words, it can correct 112 substitute mistake (as confuse right and wrongs) or 224 refuse read error (cannot read or cannot decoding), such error correction capability is: 112/346=32.4%

RFID (Radio Frequency Identification), i.e. radio-frequency (RF) identification, also known as electronic tag, is a kind of contactless automatic identification technology.It is by the specific target of radio signals identification, and the data that read-write is relevant, and do not need recognition system and this target to have machinery or optical contact.Each RFID label tag has unique electronic code.

NFC (Near Field Communication), i.e. wireless near field communication is initiated by PHILIPS Co., combined the wireless technology promoted mainly by the well-known manufacturer such as Nokia, Sony.NFC is developed by non-contact radio-frequency identification (RFID) and the Technology Integration that interconnects, combining induction card reader, induction type card and point-to-point function on one chip, can carry out identifying and exchanges data with compatible equipment in short distance.This technology is the simple merging of RFID technique and network technology at first, and developed into a kind of short-distance wireless communication technology now, developing state is quite rapid.

Credible label described in this patent refers to limited storage space, and carry the graphical label of anti-tamper and anti-repudiation information, digital label or chip tag, the information carried in this label has carried out signature authentication or encryption by asymmetric encryption techniques method, its form of expression can be Quick Response Code, RFID label tag, NFC label, electronic tag, chip tag, sensor tag etc.

Along with the development of computer security technique, rivest, shamir, adelman is at home and abroad widely used.But the technology of this maturation is never used to the safety issue properly settling the label such as Quick Response Code or NFC, the problem of one of them essence is because the intrinsic information storage space of the labels such as Quick Response Code, RFID label tag or NFC label is extremely limited, cannot comprise for ensureing safe complete digital certificate, digital signature, timestamp again while the more raw information of carrying, or other asymmetric encryption information, therefore the distribution problem of described authorization information can not be solved, just described asymmetric encryption techniques cannot be applied.In this patent, we have proposed the method properly settling described distribution problem.

Traditional anti-counterfeiting technology comprises Laser Holographic Counterfeit-proof Technique, chemical ink anti-counterfeiting technology, latent image anti-counterfeiting technology, micro anti-counterfeiting technology etc.These existing technology do not possess uniqueness and exclusivity, are easily replicated thus cannot to realize truly false proof.Also occurred that some are by realizing false proof technological means to Quick Response Code or radio-frequency (RF) tag encryption at present, but the encryption of anti-counterfeiting information of the prior art is realized by the privately owned technology of publisher, therefore different publishers needs to verify with different equipment or software, cause Authentication devices or software cannot generalization, and fail safe also can not be guaranteed, thus the promotion and application of these anti-counterfeiting technologies are made to be subject to great restriction.

Summary of the invention

The object of the present invention is to provide a kind of generation of credible label and verification method and system, be intended to solve prior art poor stability, realize complicated, the problems such as cost is high, poor universality.

Propose in the present invention directly digital certificate to be embedded to realize the distribution problem of certificate in credible label, therefore authentication module can obtain the digital certificate of credible label owner easily, thus utilizes digital signature to realize the anti-tamper object of label substance.In addition, according to the different purposes of digital certificate, CA can specify the different terms of validity when signing and issuing digital certificate.When after digital certificate expires, CA will no longer ensure the authenticity of its content information, and therefore expired digital certificate is invalid, incredible.For some reason, to leak as private key for user or the identity of the user initiative that changes abolishes former certificate, thus digital certificate lost efficacy to cause CA to announce.These factors constrain the term of validity of credible label.This patent introduces Digital Time-stamp in credible label, is used for proving the Production Time of credible label, thus efficiently solves this defect.Because digital signature and timestamp can guarantee information integrality thus reach anti-tamper object, therefore in specific implementation, the anti-tamper of content such as the network address of label raw information, tag identifier and commodity sign, authentication server can be realized by digital signature and timestamp simultaneously, also can respectively by both one of realize.

Credible label owner needs the digital certificate for oneself to pay the annual fee of great number every year, therefore in order to reduce the cost of credible label owner, proposes the scheme exempting from digital certificate in the present invention, or the unsymmetrical key using label owner oneself to generate.The public-key cryptography of credible label owner and private cipher key can be generated by three kinds of approach: 1) generate public-key cryptography and private cipher key by the key generation centre (KGC) of IBC, can using the identify label of credible label owner if the information such as Business Name, IP address, E-mail address, phone number are as public-key cryptography; 2) public-key cryptography and private cipher key is generated by the key generation centre of CPK, can using the identify label of credible label owner if the information such as Business Name, IP address, E-mail address, phone number be as the user ID generating key; 3) public-key cryptography and private cipher key is generated by unsymmetrical key Core Generator, and public-key cryptography and identity information are kept in the public-key cryptography storehouse in this locality or high in the clouds, by whether there is the validity that the disclosure key verifies public-key cryptography in retrieval public-key cryptography storehouse.In order to prevent credible label substance to be tampered, private cipher key, relevant parameter that credible label owner utilizes above-mentioned three kinds of methods to generate, and the content of signature algorithm to credible label is signed.Because by the signature that private cipher key obtains, can only could be verified by corresponding public-key cryptography, thus ensure that authenticity and the non repudiation of owner's identity of credible label.

In order to simplify generation and the checking of credible label, and conveniently do not have the credible label owner of digital certificate to generate credible label, this patent proposes trusted identity timestamp on the basis of trusted timestamp.Be with the different characteristic of traditional trusted timestamp, trusted identity timestamp adds identity information, is namely made up of four parts:

(1) digital digest (digest) of the file that need add timestamp;

(2) identity information through certification of the owner of the file that need add timestamp;

(3) trusted timestamp server receives the date and time of file;

(4) digital signature (according to (1), (2) and (3) content generates) of trusted timestamp server.

Compared with trusted timestamp, trusted identity timestamp not only can be used for e-file anti-tamper and deny afterwards, determines the correct time that e-file produces, and can verify the trusted identity of e-file owner.Therefore, trusted identity timestamp is not only applicable to credible label, is applicable to the e-file of other form yet, as electronic contract, and electronic insurance policy, electronic invoice etc.

In order to save the expense of credible label and solve the defect of credible label intrinsic information limited space, can with the network storage address of label information element (network address etc. as label raw information, digital certificate, digital signature, tag identifier, commodity sign, public key information, timestamp, authentication server) or the complete content replacing label information element for the Query Information of Query Database, obtained the complete content of label information element when verifying label by web download or Query Database, or directly verify beyond the clouds.

Because digital signature and timestamp can guarantee information integrality thus reach anti-tamper object, therefore in specific implementation, the anti-tamper of label information element (network address etc. as label raw information, digital certificate, digital signature, tag identifier, commodity sign, public key information, timestamp, authentication server) content can be realized by digital signature and timestamp simultaneously, also can respectively by both one of realize.

As shown in Figure 5, when high-resolution patterned credible label the first impression, republish with copying and printing time, because printed resolution is lower than the output resolution ratio required by credible label graphic, therefore can produce information dropout.Therefore, be replicated to prevent the credible label of graphic form, can by adjusting resolution and the printed dimensions of the credible label generated, the picture making the credible label obtained after republishing or copying or the digital information that comprises different, thus by the picture that compares verified label or whether consistent with the information of the credible label of the first impression of the preserving object reaching credible label anti-copying of digital information comprised; Also can by adjusting resolution and the printed dimensions of the credible label generated, although the label making the first impression obtain creates the loss of information or the mistake of information, but still can correctly be distinguished by error correction, but lose more information by the label copying the described first impression or introduce more mistake, to such an extent as to exceeded the error correcting capability of credible label to such an extent as to cannot correctly distinguish, thus reach the object of credible label anti-copying; In order to avoid duplicator to evade the loss of printing information by amplifying the method for credible label graphic, the dimension information of the credible label of the first impression can be comprised in credible label, and digital signature is carried out to prevent from being tampered to described size, when verifying credible label, by the dimension information comprised in the printed dimensions of more current credible label and label, realize the object of credible label anti-copying.

Specifically, the present invention discloses a kind of generation and verification method of the credible label based on rivest, shamir, adelman, comprises the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises digital certificate information and digital signature information; Can beacon in step 4 checking

When signing cryptographic protocol module, by verifying that the validity of the digital certificate information in credible label examines credible label owner

Identity, determined the integrality of credible label raw information by the digital signature information verifying in credible label.

Based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises digital certificate information, digital signature information, trusted timestamp or credible

Identity timestamp information; When step 4 verifies credible tag encryption protocol module, by verifying the numeral in credible label

The identity of the credible label owner of validity certification of certificate information, true by verifying the digital signature information in credible label

The integrality of the raw information of fixed credible label, by verifying trusted timestamp in credible label or trusted identity time

Stamp information guarantees the integrality of credible label rise time and content.

Based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises trusted identity timestamp information; At the credible tag encryption protocol module of checking

Time, by verifying the trusted identity timestamp information in credible label, guarantee the complete of credible label rise time and content

Whole property, and the identity of the credible label owner of certification.

Based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described cryptographic protocol module comprises public key information and digital signature information;

When verifying credible tag encryption protocol module, examine the true of label owner identity by checking public key information

Property and non repudiation, determine the integrality of credible label raw information by the digital signature information verifying in credible label

And non repudiation.

Based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises public key information, digital signature information, trusted timestamp or credible

Identity timestamp information;

When verifying credible tag encryption protocol module, examine the true of label owner identity by checking public key information

Property and non repudiation, determine the integrality of credible label raw information by the digital signature information verifying in credible label

And non repudiation, can beacon by verifying that trusted timestamp in credible label or trusted identity timestamp information are guaranteed

Sign the integrality of rise time and content.

Public key information in described credible label, the identity according to the credible label owner of following method validation:

If A. public-key cryptography and private cipher key are generated by the key generation centre of identity-based id password system (IBC), then described public key information comprises the parameter information of public-key cryptography and certifying signature, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public key information; If the digital signature authentication in credible label is passed through, then prove that public-key cryptography is legal, the identity also just demonstrating credible label owner is credible;

If B. public-key cryptography and private cipher key are generated by the key generation centre of Conbined public or double key management system (CPK), then described public key information comprises PKI matrix and mapping algorithm, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public key information; If the digital signature authentication in credible label is passed through, then the entity identification comprised in attestation-signatures is legal, and the identity also just demonstrating credible label owner is credible;

If C. public-key cryptography is the common key not comprising identification information, and be not included in digital certificate, then described public key information comprises public-key cryptography, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public-key cryptography, the public-key cryptography storehouse of inquiry in this locality or cloud server is needed when verifying public-key cryptography legitimacy

If the digital signature authentication existed in public-key cryptography storehouse in described public-key cryptography and credible label is passed through, then think that the identity of credible label owner is credible, otherwise insincere;

If the private cipher key that public-key cryptography is corresponding has leaked or lost efficacy, then in the public-key cryptography storehouse in local or high in the clouds, delete corresponding public key information; Signature or cryptographic algorithm can be included in public key information, also can be stored in this locality or high in the clouds;

If D. public-key cryptography is included in the digital certificate of signature, the identity of certification is credible label owner uses the method for described C; If public-key cryptography is included in the digital certificate that authentication center CA signs and issues, then described public key information comprises digital certificate information, or comprise the network address information storing digital certificate information, or comprise for the Query Information of inquiry packet containing the database of digital certificate information, if digital certificate authentication passes through, and the digital signature authentication in credible label is passed through, then the identity of credible label owner is credible, otherwise insincere.

Described trusted identity timestamp, to from the precise date of authoritative time source and time by trusted identity time stamp server, according to the digital digest that credible label raw information generates, through the identity information of the credible label owner of examination & verification, carry out digital signature and generate.

If credible label is a kind of graphical label, because output resolution ratio=image resolution ratio ÷ output image size, so by adjusting the resolution of credible label and the printed dimensions of credible label that generate, make the output resolution ratio of requirement higher than the output resolution ratio of actual printing equipment, the picture making the credible label obtained after republishing or copying or the digital information difference comprised, thus by the picture that compares verified label or whether consistent with the information of the credible label of the first impression of the preserving object reaching credible label anti-copying of digital information comprised,

If credible label has error correcting capability, then can adjust the graphics resolution of credible label and the printed dimensions of credible label, make the output resolution ratio of requirement higher than the output resolution ratio of actual printing equipment, therefore each printing all will introduce new misprint, make the mistake produced during the first impression not exceed level of error correction set by credible label, therefore still correctly can be distinguished by successful correction; But when again being printed by the credible label graphic copying the first impression, because introduce more misprint thus exceed the level of error correction set by credible label, therefore this credible label copied cannot correctly be distinguished, thus realize the anti-copying of credible label;

If credible label is a kind of graphical label of anti-copying, then can comprise label sizes information in the label, when verifying credible label, determine whether graphical label is replicated and revises by the size of nominal in the full-size(d) of comparison current Graphics label and label.

Comprise credible tag identifier in the raw information of described credible label, be one for identifying unique coding of a credible label;

Comprise commodity sign in the raw information of described credible label, be one for identifying unique coding of commodity;

If a credible label can be replicated, then need when each credible label comprising credible tag identifier is verified first, record checking event information in authentication module or background server, thus evade same credible label and be reused, in addition in order to realize the repeatedly fake certification to commodity, need on these part commodity, use multiple credible label with the Unique Product mark of these commodity, wherein each credible label has the commodity sign of these identical part commodity and tag identifier unique separately, in addition, because these are credible, label can be replicated, so each credible label is secret (as increased cover layer) before checking first,

If a credible label is not reproducible (as chip tag has unique not reproducible ID, then can using the part of this information as tag identifier or tag identifier, thus ensure uniqueness and the non-reproduction of this credible label), so namely the label comprising certain part commodity sign may be used for the false proof of these part commodity, and do not need to do any secrecy processing to this credible label before verifying first;

If the tag identifier of a credible label is not reproducible and other content of label can be written, then this label can record and reclaim after commodity are used in background program, then re-write false proof for another part commodity of new commodity sign, thus reduce false proof cost;

If do not wish that credible label is reused, then credible label and commodity can be made to bind, when commodity are used, credible tags from merchandise peeled off and destroyed.

The effective storage life of this label can be comprised in the raw information of described credible label, when verifying credible label, whether simultaneous verification current time is in the effective storage life of this label, if current time is not in the effective storage life of this label, then this credible label is insincere.

If comprise digital certificate information in credible label, then, when being verified, in display module, show digital certificate information, thus facilitate verifier to understand the identity information of credible label owner and the issuer information of digital certificate;

If comprise timestamp information in credible label, then when being verified in display module Presentation Time Stamp information, thus facilitate verifier to understand the rise time of credible label;

If comprise trusted identity timestamp in credible label, then show trusted identity timestamp information when being verified, thus facilitate verifier to understand the rise time of credible label, and the identity information of credible label owner;

If successful acquisition is to the time t2 that this is verified and positional information P2, and the time t1 of good authentication last time and positional information P1, then calculate displacement R=(P2 – P1) and the time difference T=(t2 – t1) of twice checking, and obtain speed V=R/T, if the value of speed V exceedes the early warning speed (as 100 kilometers per hour) of setting, then produce warning information at display module or high in the clouds, represent during this checking and checking last time, verify that label runs more than the speed of V, according to the actual conditions of verified label and the size of speed V, can detect whether verified label is replicated to a certain extent.

A. described credible label comprise following one of at least:

A. complete digital certificate content;

B. the partial content of digital certificate;

C. the network storage address of digital certificate;

D. digital certificate library information;

E. digital certificate LIST SERVER information;

F. complete digital certificate chains;

G. the network storage address of digital certificate chains;

H. the Query Information of the database of digital certificate or digital certificate chains is contained for inquiry packet;

I. complete digital signature;

J. the network storage address of digital signature;

K. for the Query Information of inquiry packet containing the database of digital signature;

L. complete public key information;

M. the network storage address of public key information;

N. for the Query Information of inquiry packet containing the database of public key information;

O. the tag identifier of credible label;

P. the commodity sign of credible label;

Q. the term of validity of credible label;

R. complete credible label raw information;

S. the HASH value of credible label raw information;

T. the network storage address of credible label raw information;

U. for the Query Information of inquiry packet containing the database of raw information;

V. the identity information of credible label owner;

W. the network address of credible label authentication server;

If B. described credible label comprises the network storage address of digital certificate or digital certificate chains, by web download digital certificate when verifying credible tag encryption protocol module;

If C. described credible label comprises the information of digital certificate storehouse or LIST SERVER, then by web download or enquiring digital certificate when verifying credible tag encryption protocol module;

If D. described credible label comprises the network storage address of public key information, by web download public key information when verifying credible tag encryption protocol module;

If E. described credible label comprises the network storage address of digital signature, then by web download digital signature when verifying credible tag encryption protocol module;

If F. described credible label comprises the network storage address of trusted timestamp or trusted identity timestamp, then by web download trusted timestamp or trusted identity timestamp when verifying credible tag encryption protocol module;

If comprise the identity information of credible label owner in G. described credible label raw information, then can verify that whether the identity of credible label owner is credible further by the identity information in comparison credible label raw information, the identity information in digital certificate, the identity information in trusted identity timestamp when verifying credible label;

Download and the checking of H. described credible label information may operate in this locality of authentication module, also may operate in high in the clouds;

I. described raw information can be expressly, also can through encryption;

J. described raw information can be label original contents, or the HASH value of original contents, or the network storage address of original contents, or for the Query Information of inquiry packet containing the database of original contents;

If K. described credible label has full stop represent that raw information terminates, then can credible tag encryption protocol module be placed on after this full stop;

L. described credible label is the form of printing or electronics;

M. described credible label is Quick Response Code, or self-defining pattern, or RFID label tag, or NFC label, or electronic tag, chip tag, or sensor tag.

An Antiforge system for credible label, comprises unsymmetrical key or digital certificate generating center, credible tag encryption protocol module storage server, the generation of credible label and Authentication devices and credible label authentication server, it is characterized in that:

Unsymmetrical key or digital certificate generating center, generate digital certificate or unsymmetrical key for giving credible label owner; Credible tag encryption protocol module storage server, for storing the credible tag encryption protocol module information of credible label owner, comprise public key information, or digital certificate information, or digital signature information, or trusted timestamp or trusted identity timestamp information;

Credible label authentication server, for the details of the checking event and anti-counterfeit commodities that record credible label, also may be used for the authentication module performing credible label, realizes high in the clouds checking;

Generation and the Authentication devices of credible label comprise:

Trusted timestamp generation module, generates digital digest according to credible label substance, and to described trusted timestamp server application trusted timestamp, and described trusted timestamp is inputted credible tag generation module;

Trusted identity timestamp generation module, generates digital digest according to credible label raw information, and to described trusted identity time stamp server application trusted identity timestamp, and described trusted identity timestamp is inputted credible tag generation module;

The tag identifier generation module of credible label, for each label generates unique tag identifier;

The commodity sign generation module of credible label, for every part commodity generate unique commodity sign;

Unsymmetrical key generation module, for label owner generates oneself private cipher key and public-key cryptography;

Credible tag generation module, according to credible label raw information or tag identifier or commodity sign or the label term of validity or public key information or digital certificate information or digital signature information or trusted timestamp or trusted identity timestamp information, generate credible label;

Credible tag readable degree module, extracts the digital certificate information be verified in credible label, and is outputted to digital certificate authentication module; Extract the digital signature be verified in credible label, and outputted to digital signature authentication module; Extract the trusted timestamp be verified in credible label, and outputted to trusted timestamp authentication module; Extract the trusted identity timestamp be verified in credible label, and outputted to trusted identity timestamp verification module; Extract the tag identifier be verified in credible label, and outputted to tag identifier authentication module; Extract the commodity sign be verified in credible label, and outputted to commodity sign authentication module;

Digital certificate authentication module, checking digital certificate information confirms the authenticity of credible label owner identity;

Digital signature authentication module, certifying digital signature confirms the integrality of credible label substance;

Trusted timestamp authentication module, checking trusted timestamp confirms the integrality of credible label substance and the rise time of credible label;

Trusted identity timestamp verification module, the trusted identity timestamp described in checking confirms the integrality of credible label substance, the rise time of credible label, and the authenticity of credible label owner identity;

The tag identifier authentication module of credible label, inquire about this tag identifier in local or credible label authentication server and whether have checking record, if verify first, then on this locality or authentication server, record the information of this checking event, otherwise return the checking event information existed;

The commodity sign authentication module of credible label, this locality or credible label authentication server is recorded this checking event information of this commodity sign, and returns the checking event information existed;

Credible label the result display module, the digital certificate information after display is verified, or credible label rise time, or verify event information and merchandise news accordingly.

Credible tag encryption protocol module storage server is X.500 LIST SERVER, or ldap directory server, or Web server, or ftp server, or dns server, or cloud storage server;

Credible label authentication server has the data server recording credible label checking event, commodity purchasing event, commodity details;

Credible label authentication server can perform credible label authentication module (comprising digital certificate authentication module or digital signature authentication module or trusted timestamp authentication module or trusted identity timestamp verification module or tag identifier authentication module or commodity sign authentication module etc.), thus realizes the high in the clouds checking of credible label.

Compared with prior art, tool has the following advantages and beneficial effect in the present invention:

(1) the credible label that the present invention generates can distribute the digital certificate of credible label owner easily, and can realize off-line verification;

(2) the present invention utilizes timestamp effectively to extend the useful life of credible label, even if the digital certificate of credible label owner lost efficacy, but the credible label made before Certificate Revocation still can continue to use;

(3) the present invention embeds trusted identity timestamp information in credible label, not only ensure that integrality and the non repudiation of credible label, and also ensure that the genuine and believable of credible label owner identity.Therefore, credible label owner need not go to apply for digital certificate to generate credible label, thus reduces costs.And also can support the credible label of off-line verification;

(4) the present invention uses the key based on mark to replace digital certificate, thus eliminates the expense applying for and safeguard digital certificate;

(5) the present invention adds unique credible tag identifier in credible label, thus avoids same credible label to be reused;

(6) the present invention adds unique commodity sign in credible label, and guarantees same commodity use identical commodity sign, thus realizes the repeatedly fake certification to same commodity;

(7) the present invention is by recycling not reproducible credible label, thus can reduce false proof cost;

(8) the present invention adds the term of validity of credible label in credible label, thus it is ageing that credible label is provided with;

(9) the present invention can show digital certificate information in credible label the result display module, credible label rise time information, and the identity information of credible label owner, the proving time first of commodity, the information of tracing to the source in detail such as the production of commodity and logistics;

(10) the present invention is by utilizing the network storage address of label information element (as label raw information, digital certificate, digital signature, tag identifier, commodity sign, public key information etc.) or replacing the complete content of label information element for the Query Information of Query Database, achieve the object of saving credible label expense, thus make technical scheme of the present invention ideally solve the less defect in some label intrinsic information space;

(11) the present invention is by adjusting the resolution of patterned credible label and the size of output pattern that generate, the picture making the credible label obtained after republishing or copying or the digital information comprised different from the credible label that the first impression obtains, or the credible label making the credible label of the first impression correctly distinguish and copy cannot be distinguished, thus reaches the object of patterned credible label anti-copying; And in credible label, contain the dimension information of graphical label, thus prevent the figure of credible label be exaggerated copy.

In particular, the present invention is in order to realize the goal of the invention of simply distributing the digital certificate of credible label owner, in the generation adopted and verification method and system, when generating credible label, directly the digital certificate of label owner is embedded credible label, not only solve credential distribution problem, and the off-line verification of credible label can be realized.In order to make credible label can comprise more raw information, can the digital certificate content of an embedded part, or the network storage address of digital certificate, or for the Query Information of enquiring digital certificate database, thus realize the distribution of digital certificate.

The present invention is in order to solve the Problem of Failure of digital certificate, in the generation adopted and verification method and system, trusted timestamp is introduced when generating credible label, anti-tamper and while denying at the credible label of guarantee afterwards, also determine the correct time of credible forming label.Therefore, when digital certificate expired or lost efficacy time, can verify that whether credible label still credible according to the Production Time of credible label.Such as, although digital certificate is expired, credible label generates in the term of validity of digital certificate, and so credible label is still credible.

In order to reduce the cost of credible label owner and simplify the object of credible label anti-counterfeit, in the generation adopted and verification method and system, propose a kind of novel trusted timestamp with identity information.Compared with trusted timestamp, trusted identity timestamp is through to be signed and issued after applicant's identity is examined at authoritative time-stamping service center.Therefore, trusted identity timestamp be one can prove e-file be through the applicant that examines a time point just existed, complete, can verify, the valid electronic certificate of tool.After credible label owner applies for trusted identity timestamp, when not possessing digital certificate, still can generate believable credible label.

The cost that the present invention applies for reduce or remit credible label owner and safeguards digital certificate, in the generation adopted and verification method and system, when generating credible label, digital certificate information is replaced with the public key information of label owner, namely directly public key information, or the network storage address of public key information, or be embedded in credible label for the Query Information of inquiry packet containing the database of public key information.By the identify label in checking public-key cryptography or signature, or whether retrieval public-key cryptography is present in the validity verifying public-key cryptography in the public-key cryptography storehouse in this locality or high in the clouds, and verifies the identity information of credible label owner.

The present invention reuses in order to avoid credible label, in the generation adopted and verification method and system, a unique tag identifier is added in each credible label, and to verifying that event carries out record first on authentication server, comprise checking Time To Event, the IP address of verifier, the geographical location information etc. residing for verifier.

The present invention is in order to realize the repeatedly fake certification to same commodity, and in the generation adopted and verification method and system, for the multiple credible label that same commodity use arranges identical commodity sign, and this commodity sign is that these part commodity are exclusive.

The present invention is in order to reduce the use cost of credible label, in the generation adopted and verification method and system, if the tag identifier of credible label is not reproducible (as RFID has not revisable unique electronic code, this coding can be used as the mark of credible label or a part for credible tag identifier), then when after merchandise sales, can reclaim and after revising the database of authentication server, reuse this credible label, thus realize recycling.

The present invention has certain ageing to meet the credible label of some application scenarios requirement, in the generation adopted and verification method and system, adds term of validity information, thus ensure that credible label can only be verified in this term of validity in credible label.

The present invention conveniently verifier uses credible label, in the generation adopted and verification method and system, the identity information of the owner of credible label, digital certificate information, the credible label rise time, the proving time first of commodity, the details such as the production of commodity and logistics are presented at authentication module, thus guarantee that credible label verifier understands the relevant information of credible label and commodity in detail.

The present invention is by utilizing the network storage address of label information element (as label raw information, digital certificate, digital signature, tag identifier, commodity sign, public key information etc.) or replacing the complete content of label information element for the Query Information of Query Database, achieve the object of saving credible label expense, thus make technical scheme of the present invention ideally solve the less defect in some credible label intrinsic information space.

The present invention is replicated to prevent the credible label of graphic form, can by adjusting resolution and the printed dimensions of the credible label generated, the picture making the credible label obtained after republishing or copying or the digital information that comprises different, thus by the picture that compares verified label or whether consistent with the information of the credible label of the first impression of the preserving object reaching credible label anti-copying of digital information comprised; Also can by adjusting resolution and the printed dimensions of the credible label generated, although the label making the first impression obtain creates the loss of information or the mistake of information, but still can correctly be distinguished by error correction, but lose more information by the label copying the described first impression or introduce more mistake, to such an extent as to exceeded the error correcting capability of credible label to such an extent as to cannot correctly distinguish, thus reach the object of credible label anti-copying; In order to avoid duplicator to evade the loss of printing information by amplifying the method for credible label graphic, the dimension information of the credible label of the first impression can be comprised in credible label, and digital signature is carried out to prevent from being tampered to described size, when verifying credible label, by the dimension information comprised in the printed dimensions of more current credible label and label, realize the object of credible label anti-copying.

Accompanying drawing explanation

Fig. 1 is the building-block of logic that the present invention adopts generation based on the anti-tamper credible two-dimension code of the information that is applied to of PKI and verification method and system

Fig. 2 is the present invention's generation of credible two-dimension code of adopting the information that is applied to of trusted identity timestamp anti-tamper and the building-block of logic of verification method and system

Fig. 3 is that the present invention adopts and is applied to the generation of the credible label of commodity counterfeit prevention and the building-block of logic of verification method and system based on PKI

Fig. 4 be the present invention adopt trusted identity timestamp be applied to the generation of the credible label of commodity counterfeit prevention and the building-block of logic of verification method and system

Fig. 5 be the present invention adopt public-key cryptography be applied to the generation of the credible label of commodity counterfeit prevention and the building-block of logic of verification method and system

Fig. 6 is that the present invention adopts and is applied to the generation of the credible label of commodity counterfeit prevention and the building-block of logic of verification method and system based on IBC or CPK

Fig. 7 is that the present invention realizes the schematic diagram of anti-copying by the output resolution ratio of the credible label of adjustment figure

Embodiment

User can be allowed to confirm integrality and the non-repudiation of the raw information that credible label comprises by adopting technical scheme of the present invention.In order to make technical scheme of the present invention easy to understand more, combining concrete diagram for credible two-dimension code below and being further elaborated.

According to Fig. 1, specific embodiment of the invention scheme () is as described below:

Step one: authentication center CA is that Quick Response Code service provider generates digital certificate;

Step 2: Quick Response Code service provider generates digital signature by Digital Signature module, time stamp server is Quick Response Code rise time stamp;

Step 3: two-dimensional code generation module is according to Quick Response Code raw information, digital certificate information, timestamp and digital signature, and suitable generation parameter, generates Quick Response Code;

Step 4: when using or verify Quick Response Code, correctly distinguished Quick Response Code by two dimension code reading module, is extracted information wherein, and is outputted to timestamp verification module, digital certificate authentication module and digital signature authentication module;

Step 5: timestamp verification module acquisition time from reading information stabs information and to its checking, if the verification passes, then show Quick Response Code content intact, otherwise Quick Response Code is insincere;

Step 6: digital certificate authentication module obtains digital certificate information from reading information, and the identity confirming Quick Response Code service provider is verified to it;

If A. digital certificate is legal and still in the term of validity, then think that the identity of Quick Response Code service provider is credible;

If B. although digital certificate is legal but cancelled, but the rise time of timestamp is early than the digital certificate revocation time, and the reason of cancelling of certificate is that then the identity of Quick Response Code service provider is credible, and the reason of cancelling pointing out digital certificate is certificate expired because certificate expired;

If C. although digital certificate is legal but cancelled, but the rise time of timestamp is early than the digital certificate revocation time, and the reason of cancelling of certificate is because certificate private key is divulged a secret, then Quick Response Code service provider identity still has lower confidence level, needs clearly to point out the reason of cancelling of digital certificate to be that certificate private key is divulged a secret to user.

Step 7: digital signature authentication module obtains digital signature and verifies it from reading information, if the verification passes, then this Quick Response Code is not tampered or forges, and the content in Quick Response Code is credible, otherwise insincere.

User can be allowed whether to confirm to have puted up the commodity of credible label from real commodity production manufacturer by adopting technical scheme of the present invention.In order to make technical scheme of the present invention easy to understand more, be further elaborated below in conjunction with concrete diagram.

According to Fig. 3, specific embodiment of the invention scheme (two) is as described below:

Step one: authentication center CA is that commodity production manufacturer generates digital certificate; Tag identifier generation module generating labels identifies; Commodity sign generation module generates commodity sign;

Step 2: the digital certificate that commodity production manufacturer obtains described step one, raw information (comprise commerical batches, the commodity production time, production site, Corporation web site etc.), tag identifier and commodity sign input digital signature generation module to be to generate digital signature; Generate digital digest according to raw information, tag identifier and commodity sign and stab to the time stamp server application time;

Step 3: credible tag generation module is according to raw information, tag identifier, commodity sign, digital signature, digital certificate and timestamp, and suitable generation parameter, generates credible label;

Step 4: in use or when verifying credible label, by credible tag readable degree module, credible label is correctly distinguished, extract information wherein, and outputted to tag identifier authentication module, commodity sign authentication module, digital certificate authentication module, digital signature authentication module and timestamp verification module;

Step 5: timestamp verification module acquisition time from reading information stabs information and verifies it, if the verification passes, then show that credible label is complete, otherwise credible label is insincere and terminate whole proof procedure, then in credible label the result display module prompt time stamp authentication failed;

Step 6: digital certificate authentication module obtains digital certificate information from reading information, and it is verified, if authentication failed, credible label is insincere, and terminate whole proof procedure, then in credible label the result display module, point out digital certificate authentication failure, meet following three kinds of situations and can think that the identity of credible label owner (i.e. commodity production manufacturer) is credible:

If A. digital certificate is legal and still in the term of validity, then think that the identity of commodity production manufacturer is credible;

If B. although digital certificate is legal but cancelled, but the rise time of timestamp is early than the digital certificate revocation time, and the reason of cancelling of certificate is because certificate expired, then the identity of commodity production manufacturer is credible, and the reason of cancelling pointing out digital certificate in the result display module is certificate expired;

If C. although digital certificate is legal but cancelled, but the rise time of timestamp is early than the digital certificate revocation time, and the reason of cancelling of certificate is because certificate private key is divulged a secret, then the identity of commodity production manufacturer still has lower confidence level, needs clearly to point out the reason of cancelling of digital certificate to be that certificate private key is divulged a secret to user in the result display module.

Step 7: digital signature authentication module obtains digital signature and verifies it from reading information, if the verification passes, then this credible label is not tampered or forges, content in credible label is credible, otherwise label substance is insincere and terminate whole proof procedure, in credible label the result display module, then point out digital signature authentication failure;

Step 8: tag identifier authentication module obtains tag identifier from reading information, inquire about this tag identifier in credible label authentication server and whether have checking record, if there is no record, on authentication server, then record information (comprise proving time, verifier facility information used, geographical position etc. that the IP address of verifier, verifier are residing when verifying) of this checking event, and continue the checking of credible label; If there is record, and credible label is reproducible, then leap to step 10;

Step 9: commodity sign authentication module obtains commodity sign from reading information, whether had checking record, if do not have record, then on authentication server, record the information of this checking event if in credible label authentication server, inquiring about this commodity sign;

Step 10: credible label the result display module reads the result that also display label identity verification module and commodity sign authentication module return, if credible label is not reproducible, then shows proving time and merchandise news first; If credible label is reproducible, and this checking is the checking first after buying commodity, and the not tag identifier of this credible label and the checking record of commodity sign on authentication server, then these commodity come from the production firm having described digital certificate, otherwise show that this credible label obtains by copying, and judge that these commodity are fakement; Verify first if this checking is buy after commodity non-, and on authentication server not this credible label checking record but identical goods mark checking record, then show that these commodity come from the production firm having described digital certificate, and buy in this commodity sign corresponding verify time of recording first, otherwise show that this credible label to obtain and these commodity are fakement by copying.

According to Fig. 4, specific embodiment of the invention scheme (three) is as described below:

Step one: tag identifier generation module generating labels identifies; Commodity sign generation module generates commodity sign; Identity information according to label raw information, tag identifier and commodity sign and commodity production manufacturer generates digital digest, and file an application to trusted identity time-stamping service center, after the identity of commodity production manufacturer is examined at trusted identity time-stamping service center, according to described digital digest, through the identity information of examination & verification, and sign from the precise date/time of authoritative time source, generate trusted identity timestamp;

Step 2: credible tag generation module is according to the identity information of raw information, tag identifier, commodity sign, production firm and trusted identity timestamp, and suitable generation parameter, generates credible label;

Step 3: when using and verify credible label, by credible tag readable degree module, credible label is correctly distinguished, extract information wherein, and outputted to tag identifier authentication module, commodity sign authentication module and trusted identity timestamp verification module;

Step 4: trusted identity timestamp verification module obtains trusted identity timestamp information and verifies it from reading information, if the verification passes, then show that credible label is complete, otherwise credible label is insincere and terminate whole proof procedure, then in credible label the result display module, point out trusted identity timestamp authentication failed;

Step 5: tag identifier authentication module obtains tag identifier from reading information, inquire about this tag identifier in credible label authentication server and whether there is checking record, if there is no record, on authentication server, then record information (comprise proving time, verifier facility information used, geographical position etc. that the IP address of verifier, verifier are residing when verifying) of this checking event, and continue the checking of credible label; If there is record, and credible label is reproducible, then leap to step 7;

Step 6: commodity sign authentication module obtains commodity sign from reading information, inquires about this commodity sign and whether there is checking record in credible label authentication server, if do not have record, then on authentication server, records the information of this checking event;

Step 7: credible label the result display module reads the result that also display label identity verification module and commodity sign authentication module return, if credible label is not reproducible, then shows proving time and merchandise news first; If credible label is reproducible, and this checking is the checking first after buying commodity, and the not tag identifier of this credible label and the checking record of commodity sign on authentication server, then these commodity come from production firm corresponding to identity information described in trusted identity timestamp, otherwise show that this credible label obtains by copying, and judge that these commodity are fakement; Verify first if this checking is buy after commodity non-, and on authentication server not this credible label checking record but identical goods mark checking record, then show that these commodity come from production firm corresponding to identity information described in trusted identity timestamp, and buy in this commodity sign corresponding verify time of recording first, otherwise show that this credible label to obtain and these commodity are fakement by copying.

According to Fig. 5, specific embodiment of the invention scheme (four) is as described below:

Step one: commodity production manufacturer generates private cipher key and the public-key cryptography of oneself by unsymmetrical key generation module, and the identity information of public key information and production firm is updated to public key information storehouse, generated the tag identifier of credible label by tag identifier generation module, generated the commodity sign of credible label by commodity sign generation module;

Step 2: the public-key cryptography that commodity production manufacturer obtains described step one, raw information (comprise commerical batches, the commodity production time, production site, Corporation web site etc.), tag identifier and commodity sign input digital signature generation module to be to generate digital signature;

Step 3: credible tag generation module is according to credible label raw information, tag identifier, commodity sign, public key information, digital signature, and suitable generation parameter, generates credible label;

Step 4: in use or when verifying credible label, by credible tag readable degree module, credible label is correctly distinguished, extract information wherein, and outputted to public-key cryptography authentication module, digital signature authentication module, tag identifier authentication module and commodity sign authentication module;

Step 5: public-key cryptography authentication module obtains public key information from reading information, and in public-key cryptography storehouse, inquire about whether there is the disclosure key, if existed, then think that the disclosure key is legal, otherwise terminate proof procedure and assert that these commodity are fakement.

Step 6: digital signature authentication module obtains digital signature and verifies it from reading information, if the verification passes, then this credible label is not tampered or forges, and the content in credible label is credible, otherwise terminates proof procedure and assert that these commodity are fakement;

Step 7: tag identifier authentication module obtains tag identifier from reading information, inquire about this tag identifier in credible label authentication server and whether there is checking record, if there is no record, on authentication server, then record information (comprise proving time, verifier facility information used, geographical position etc. that the IP address of verifier, verifier are residing when verifying) of this checking event, and continue the checking of credible label; If there is record, and credible label is reproducible, then leap to step 9;

Step 8: the commodity sign authentication module of credible label obtains commodity sign from reading information, in credible label authentication server, inquire about this commodity sign whether there is checking record, if there is no record, on authentication server, then record the information of this checking event, otherwise the checking event information existed is exported to credible label the result display module;

Step 9: credible label the result display module reads and shows the result that the tag identifier authentication module of credible label and commodity sign authentication module return, if credible label is not reproducible, then shows proving time and merchandise news first; If credible label is reproducible, and this checking is the checking first after buying commodity, and the not tag identifier of this credible label and the checking record of commodity sign on authentication server, then these commodity come from the production firm having the disclosure key, otherwise show that this credible label obtains by copying, and judge that these commodity are fakement; Verify first if this checking is buy after commodity non-, and on authentication server not this credible label record but identical goods mark record, then show that these commodity come from the production firm having the disclosure key, and buy in this commodity sign corresponding verify time of recording first, otherwise show that this credible label to obtain and these commodity are fakement by copying.

According to Fig. 6, specific embodiment of the invention scheme (five) is as described below:

Step one: be that commodity production manufacturer generates private cipher key and public-key cryptography by IBC or CPK key generation centre, is generated the tag identifier of credible label, is generated the commodity sign of credible label by commodity sign generation module by tag identifier generation module;

Step 2: the public key information that commodity production manufacturer obtains described step one, raw information (comprise commerical batches, the commodity production time, production site, Corporation web site etc.), tag identifier and commodity sign input digital signature generation module to be to generate digital signature;

Step 3: credible tag generation module is according to credible label raw information, tag identifier, commodity sign, public key information, digital signature, and suitable generation parameter, generates credible label;

Step 4: in use or when verifying credible label, correctly distinguished credible label by credible tag readable degree module, is extracted information wherein, and is outputted to digital signature authentication module, tag identifier authentication module and commodity sign authentication module;

Step 5: digital signature authentication module obtains digital signature and verifies it from reading information, if the verification passes, then this credible label is not tampered or forges, and the content in credible label is credible, otherwise terminates proof procedure and assert that these commodity are fakement;

Step 6: tag identifier authentication module obtains tag identifier from reading information, inquire about this tag identifier in credible label authentication server and whether there is checking record, if there is no record, on authentication server, then record information (comprise proving time, verifier facility information used, geographical position etc. that the IP address of verifier, verifier are residing when verifying) of this checking event, and continue the checking of credible label; If there is record, and credible label is reproducible, then leap to step 8;

Step 7: the commodity sign authentication module of credible label obtains commodity sign from reading information, in credible label authentication server, inquire about this commodity sign whether there is checking record, if there is no record, on authentication server, then record the information of this checking event, otherwise the checking event information existed is exported to credible label the result display module;

Step 8: credible label the result display module reads and shows the result that the tag identifier authentication module of credible label and commodity sign authentication module return, if credible label is not reproducible, then shows proving time and merchandise news first; If credible label is reproducible, and this checking is the checking first after buying commodity, and the not tag identifier of this credible label and the checking record of commodity sign on authentication server, then these commodity come from the production firm having the disclosure key, otherwise show that this credible label obtains by copying, and judge that these commodity are fakement; Verify first if this checking is buy after commodity non-, and on authentication server not this credible label record but identical goods mark record, then show that these commodity come from the production firm having the disclosure key, and buy in this commodity sign corresponding verify time of recording first, otherwise show that this credible label to obtain and these commodity are fakement by copying.

More than show and describe general principle of the present invention and principal character and advantage.The technical staff of the industry should understand; the present invention is not restricted to the described embodiments; what describe in above-described embodiment and specification just illustrates principle of the present invention; without departing from the spirit and scope of the present invention; the present invention also has various change, and these changes all fall in the claimed scope of the invention.Application claims protection range is defined by appending claims.

Claims (14)

1., based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises digital certificate information and digital signature information; When step 4 verifies credible tag encryption protocol module, by verifying that the validity of the digital certificate information in credible label examines the identity of credible label owner, determined the integrality of credible label raw information by the digital signature information verifying in credible label.

2., based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises digital certificate information, digital signature information, trusted timestamp or trusted identity timestamp information; When step 4 verifies credible tag encryption protocol module, by verifying the identity of the credible label owner of the validity certification of the digital certificate information in credible label, the integrality of the raw information of credible label is determined, by verifying that trusted timestamp in credible label or trusted identity timestamp information guarantee the integrality of credible label rise time and content by the digital signature information verifying in credible label.

3., based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises trusted identity timestamp information; When verifying credible tag encryption protocol module, by verifying the trusted identity timestamp information in credible label, guarantee the integrality of credible label rise time and content, and the identity of the credible label owner of certification.

4., based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described cryptographic protocol module comprises public key information and digital signature information;

When verifying credible tag encryption protocol module, examine authenticity and the non repudiation of label owner identity by checking public key information, determined integrality and the non repudiation of credible label raw information by the digital signature information verifying in credible label.

5., based on generation and the verification method of the credible label of rivest, shamir, adelman, comprise the following steps:

Step one: raw information is set to credible tag format;

Step 2: credible tag encryption protocol module is set;

Step 3: according to raw information and the believable credible label of credible tag encryption protocol module generation encryption of credible tag format;

Step 4: when verifying credible label, by verifying credible tag encryption protocol module, determines integrality and the non-repudiation of credible label raw information, and the authenticity of credible label owner identity and non repudiation;

Described credible tag encryption protocol module comprises public key information, digital signature information, trusted timestamp or trusted identity timestamp information;

When verifying credible tag encryption protocol module, authenticity and the non repudiation of label owner identity is examined by checking public key information, integrality and the non repudiation of credible label raw information is determined, by verifying that trusted timestamp in credible label or trusted identity timestamp information guarantee the integrality of credible label rise time and content by the digital signature information verifying in credible label.

6. the generation of the credible label based on rivest, shamir, adelman according to claim 4 or 5 and verification method, is characterized in that: the public key information in described credible label, the identity according to the credible label owner of following method validation:

If A. public-key cryptography and private cipher key are generated by the key generation centre of identity-based id password system (IBC), then described public key information comprises the parameter information of public-key cryptography and certifying signature, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public key information;

If the digital signature authentication in credible label is passed through, then prove that public-key cryptography is legal, the identity also just demonstrating credible label owner is credible;

If B. public-key cryptography and private cipher key are generated by the key generation centre of Conbined public or double key management system (CPK), then described public key information comprises PKI matrix and mapping algorithm, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public key information; If the digital signature authentication in credible label is passed through, then the entity identification comprised in attestation-signatures is legal, and the identity also just demonstrating credible label owner is credible;

If C. public-key cryptography is the common key not comprising identification information, and be not included in digital certificate, then described public key information comprises public-key cryptography, or comprise the network address information storing public key information, or comprise for the Query Information of inquiry packet containing the database of public key information, the public-key cryptography storehouse of inquiry in this locality or cloud server is needed when verifying public-key cryptography legitimacy

If the digital signature authentication existed in public-key cryptography storehouse in described public key information and credible label is passed through, then think that the identity of credible label owner is credible, otherwise insincere;

If the private cipher key that public-key cryptography is corresponding has leaked or lost efficacy, then in the public-key cryptography storehouse in local or high in the clouds, delete corresponding public key information; Signature or cryptographic algorithm can be included in public key information, also can be stored in this locality or high in the clouds;

If D. public-key cryptography is included in the digital certificate of signature, the identity of certification is credible label owner uses the method for described C; If public-key cryptography is included in the digital certificate that authentication center CA signs and issues, then described public key information comprises digital certificate information, or comprise the network address information storing digital certificate information, or comprise for the Query Information of inquiry packet containing the database of digital certificate information, if digital certificate authentication passes through, and the digital signature authentication in credible label is passed through, then the identity of credible label owner is credible, otherwise insincere.

7. the generation of the credible label based on rivest, shamir, adelman according to Claims 2 or 3 and verification method, it is characterized in that: described trusted identity timestamp, to from the precise date of authoritative time source and time by trusted identity time stamp server, according to the digital digest that credible label raw information generates, through the identity information of the credible label owner of examination & verification, carry out digital signature and generate.

8., according to generation and the verification method of the described credible label based on rivest, shamir, adelman arbitrary in claim 1-5, it is characterized in that:

If credible label is a kind of graphical label, then by adjusting resolution and the graphic printing size of the credible label generated, the picture making the credible label obtained after republishing or copying or the digital information that comprises different, thus by the picture that compares verified label or the digital information that comprises whether with picture or the consistent object reaching credible label anti-copying of digital information of the credible label of the first impression of preserving;

If credible label has error correcting capability, then by resolution and the graphic printing size of the credible label graphic of adjustment, the mistake that the first impression is introduced is within the scope of the error correcting capability of credible label, and make the mistake of again printing introducing of the credible label graphic by copying the first impression exceed the error correcting capability of credible label, thus the credible label realizing the first impression can correctly be distinguished, and the credible label of copying and printing cannot correctly be distinguished;

If credible label is a kind of graphical label of anti-copying, then comprise the dimension information of label printing figure in the label, when verifying credible label, determine whether graphical label is replicated by the size of nominal in the full-size(d) of comparison current Graphics label and label.

9., according to generation and the verification method of the described credible label based on rivest, shamir, adelman arbitrary in claim 1-5, it is characterized in that:

Comprise credible tag identifier in the raw information of described credible label, be one for identifying unique coding of a credible label;

Comprise commodity sign in the raw information of described credible label, be one for identifying unique coding of commodity;

If a credible label can be replicated, then need when each credible label comprising credible tag identifier is verified first, record checking event information in authentication module or background server, these part commodity use one or more credible label with the Unique Product mark of these commodity, wherein each credible label has the commodity sign of these identical part commodity and tag identifier unique separately, and each credible label is secret before checking first;

If a credible label is not reproducible, do not need to do any secrecy processing to this credible label before verifying first;

If the tag identifier of a credible label is not reproducible and other content of label can be written, then this label can record and reclaim after commodity are used in background program, then re-writes false proof for another part commodity of new commodity sign.

10., according to generation and the verification method of the described credible label based on rivest, shamir, adelman arbitrary in claim 1-5, it is characterized in that:

The effective storage life of this label is comprised in the raw information of described credible label, when verifying credible label, whether simultaneous verification current time is in the effective storage life of this label, if current time is not in the effective storage life of this label, then this credible label is insincere.

11., according to the generation of the described credible label based on rivest, shamir, adelman arbitrary in claim 1-5 and verification method, is characterized in that:

If comprise digital certificate information in credible label, then, when being verified, in display module, show digital certificate information, thus facilitate verifier to understand the identity information of credible label owner and the issuer information of digital certificate;

If comprise timestamp information in credible label, then when being verified in display module Presentation Time Stamp information, thus

Verifier is facilitated to understand the rise time of credible label;

If comprise trusted identity timestamp in credible label, then show trusted identity timestamp information when being verified, thus facilitate verifier to understand the rise time of credible label, and the identity information of credible label owner;

If successful acquisition is to the time t2 that this is verified and positional information P2, and the time t1 of good authentication last time and positional information P1, then calculate displacement R=(P2 – P1) and the time difference T=(t2 – t1) of twice checking, and obtain speed V=R/T, if the value of speed V exceedes the early warning speed of setting, then produce warning information at display module.

12., according to the generation of the described credible label based on rivest, shamir, adelman arbitrary in claim 1-5 and verification method, is characterized in that:

A. described credible label comprise following one of at least:

A. complete digital certificate content;

B. the partial content of digital certificate;

C. the network storage address of digital certificate;

D. digital certificate library information;

E. digital certificate LIST SERVER information;

F. complete digital certificate chain information;

G. the network storage address of digital certificate chains;

H. the Query Information of the database of digital certificate or digital certificate chains is contained for inquiry packet;

I. complete digital signature;

J. the network storage address of digital signature;

K. for the Query Information of inquiry packet containing the database of digital signature;

L. complete public key information;

M. the network storage address of public key information;

N. for the Query Information of inquiry packet containing the database of public key information;

O. the tag identifier of credible label;

P. the commodity sign of credible label;

Q. the term of validity of credible label;

R. complete credible label raw information;

S. the HASH value of credible label raw information;

T. the network storage address of credible label raw information;

U. for the Query Information of inquiry packet containing the database of raw information;

V. the identity information of credible label owner;

W. the network address of credible label authentication server;

If B. described credible label comprises the network storage address of digital certificate or digital certificate chains, by web download digital certificate when verifying credible tag encryption protocol module;

If C. described credible label comprises the information of digital certificate storehouse or LIST SERVER, then by web download or enquiring digital certificate when verifying credible tag encryption protocol module;

If D. described credible label comprises the network storage address of public key information, by web download public key information when verifying credible tag encryption protocol module;

If E. described credible label comprises the network storage address of digital signature, then by web download digital signature when verifying credible tag encryption protocol module;

If F. described credible label comprises the network storage address of trusted timestamp or trusted identity timestamp, then by web download trusted timestamp or trusted identity timestamp when verifying credible tag encryption protocol module;

If comprise the identity information of credible label owner in G. described credible label raw information, then can verify that whether the identity of credible label owner is credible further by the identity information in comparison credible label raw information, the identity information in digital certificate, the identity information in trusted identity timestamp when verifying credible label;

Download and the checking of H. described credible label information may operate in this locality of authentication module, also may operate in high in the clouds;

I. described raw information can be expressly, also can through encryption;

J. described raw information can be label original contents, or the HASH value of original contents, or the network storage address of original contents, or for the Query Information of inquiry packet containing the database of original contents;

If K. described credible label has full stop represent that raw information terminates, then can credible tag encryption protocol module be placed on after this full stop;

L. described credible label is the form of printing or electronics;

M. described credible label is Quick Response Code, or self-defining pattern, or RFID label tag, or NFC label, or electronic tag, or chip tag, or sensor tag.

The Antiforge system of 13. 1 kinds of credible labels, comprises unsymmetrical key or digital certificate generating center, credible tag encryption protocol module storage server, the generation of credible label and Authentication devices and credible label authentication server, it is characterized in that:

Unsymmetrical key or digital certificate generating center, generate digital certificate or unsymmetrical key for giving credible label owner;

Credible tag encryption protocol module storage server, for storing the credible tag encryption protocol module information of credible label owner, comprise public key information, or digital certificate information, or digital signature information, or trusted timestamp or trusted identity timestamp information;

Credible label authentication server, for the details of the checking event and anti-counterfeit commodities that record credible label, also may be used for the authentication module performing credible label, realizes high in the clouds checking;

Generation and the Authentication devices of credible label comprise:

Trusted timestamp generation module, generates digital digest according to credible label substance, and to described trusted timestamp server application trusted timestamp, and described trusted timestamp is inputted credible tag generation module;

Trusted identity timestamp generation module, generates digital digest according to credible label raw information, and to described trusted identity time stamp server application trusted identity timestamp, and described trusted identity timestamp is inputted credible tag generation module;

The tag identifier generation module of credible label, for each label generates unique tag identifier;

The commodity sign generation module of credible label, for every part commodity generate unique commodity sign;

Unsymmetrical key generation module, for label owner generates oneself private cipher key and public-key cryptography;

Credible tag generation module, according to credible label raw information or tag identifier or commodity sign or the label term of validity or public key information or digital certificate information or digital signature information or trusted timestamp or trusted identity timestamp information, generate credible label;

Credible tag readable degree module, extracts the digital certificate information be verified in credible label, and is outputted to digital certificate authentication module; Extract the digital signature be verified in credible label, and outputted to digital signature authentication module; Extract the trusted timestamp be verified in credible label, and outputted to trusted timestamp authentication module; Extract the trusted identity timestamp be verified in credible label, and outputted to trusted identity timestamp verification module; Extract the tag identifier be verified in credible label, and outputted to tag identifier authentication module; Extract the commodity sign be verified in credible label, and outputted to commodity sign authentication module;

Digital certificate authentication module, checking digital certificate information confirms the authenticity of credible label owner identity;

Digital signature authentication module, certifying digital signature confirms the integrality of credible label substance;

Trusted timestamp authentication module, checking trusted timestamp confirms the integrality of credible label substance and the rise time of credible label;

Trusted identity timestamp verification module, the trusted identity timestamp described in checking confirms the integrality of credible label substance, the rise time of credible label, and the authenticity of credible label owner identity;

The tag identifier authentication module of credible label, inquire about this tag identifier in local or credible label authentication server and whether have checking record, if verify first, then on this locality or authentication server, record the information of this checking event, otherwise return the checking event information existed;

The commodity sign authentication module of credible label, this locality or credible label authentication server is recorded this checking event information of this commodity sign, and returns the checking event information existed;

Credible label the result display module, the digital certificate information after display is verified, or credible label rise time, or verify event information and merchandise news accordingly.

The Antiforge system of 14. a kind of credible labels according to claim 13, is characterized in that:

Credible tag encryption protocol module storage server is X.500 LIST SERVER, or ldap directory server, or Web server, or ftp server, or dns server, or cloud storage server;

Credible label authentication server has the data server recording credible label checking event, commodity purchasing event, commodity details;

Credible label authentication server can perform credible label authentication module thus realize the high in the clouds checking of credible label.