CN105184725A - Network mapping document generated based on electronic legal identity document entity - Google Patents
- Publication number
- CN105184725A
- Authority
- CN
- China
- Prior art keywords
- certificate
- network mapping
- information
- network
- entity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the technical field of identity documents, and particularly relates to a network mapping document generated based on an electronic legal identity document entity. Content of the network mapping document comprises basic personal information, biometric information, document anti-counterfeiting information, additional factor information and a digital signature which are generated in an irreversible mapping transformation mode, and the mapping transformation comprises digital transformation and/or cryptographic transformation. On the basis of the existing electronic legal identity document and related database resources and the like, the problem of current network legal identity management in China can be solved.
Description
Technical field
The present invention relates to the technical field of identity documents, and specifically to a network mapping certificate generated from an electronic legal identity certificate entity card.
Background technology
In the physical world, to achieve reliable identity management in the legal sense, legal identity certificates such as identity cards and passports, issued by government departments according to the qualifications or powers granted by law, have long played a major role in safeguarding civil rights, maintaining public order and protecting national security.
With the rapid development of Internet technology, society is extending deep into cyberspace, and the networked society has become an important part of the real one. While transforming people's lives, the Internet has also profoundly changed their behaviour: activities that previously took place only in the physical world, such as sending and receiving mail, socialising, shopping and banking, have rapidly moved into cyberspace and are developing at high speed. In many areas the online industry already shows signs of surpassing, replacing and even overturning traditional business. At the same time, it is increasingly recognised that traditional identity management methods no longer apply in cyberspace: the lack of effective legal identity controls leads to frequent online crime, which seriously threatens civil rights, social stability and national security. Studying and defining a unified, standard approach to legal identity management on the network is therefore imperative.
To solve the problem of legal identity management on the network, the industry has gradually developed a number of differing techniques and methods, the main solutions being the following.
One: the electronic legal identity certificate carries a personal digital certificate. This solution first requires that the electronic legal identity certificate be able to carry a personal digital certificate; second, the personal digital certificate bound to the electronic legal identity certificate is issued by the issuing authority at the same time as the electronic legal identity certificate itself. The electronic ID cards (eID) issued by most European Union member states today follow this solution. In the on-site verification mode, the holder proves his or her legal identity by presenting the physical electronic legal identity certificate; in the network verification mode, the holder proves legal identity remotely online by presenting the personal digital certificate carried in the electronic legal identity certificate, with legal effect equivalent to on-site verification. The scheme solves both offline and online identity verification and is, in theory, a relatively complete and mature technical path. For a country that directly issues electronic legal identity certificates carrying personal digital certificates, this scheme solves online and offline identity management in one go and is clearly the preferred choice. However, China has already issued electronic legal certificates that do not carry a personal digital certificate, such as the second-generation ID card, the e-passport, the electronic round-trip permit, the electronic home return permit, the electronic Taiwan compatriot permit and the electronic mainland permit, and in very large numbers: second-generation ID cards alone exceed 1,400,000,000. If China adopted this solution at the present stage, all of these certificates would first have to be upgraded and reissued, which is obviously unrealistic.
Two: a personal digital certificate is issued separately, outside the electronic legal identity certificate. This solution does not require the electronic legal identity certificate to carry a personal digital certificate; instead the personal digital certificate is loaded onto a USB key or another hardware medium such as a mobile phone or bank card. Its issuer may be the government body that issues the electronic legal identity certificate, or a third-party commercial organisation such as a digital certificate service provider as defined in the Electronic Signature Law of the People's Republic of China. The most obvious feature of this scheme is that the personal digital certificate and the electronic legal certificate are independent of each other: the electronic legal identity certificate only proves the holder's legal identity in the on-site verification mode, while the personal digital certificate authenticates the holder remotely online in the network verification mode. This is also its greatest shortcoming. Because the two are independent, citizens must use different identity documents in different verification scenarios, which is inconvenient for citizens and makes issuance difficult. Over the past 10 years China has spent enormous administrative, financial and material resources to issue second-generation ID cards to essentially 1,300,000,000 people; mobilising national resources again to issue personal digital certificates to the whole population is basically infeasible, and if commercial organisations issued them the economic cost would be huge, the roll-out would take several or even 10 years, and their legal effect and authority could not be compared with a legal identity certificate.
Three: other solutions. In the absence of a unified, standardised and mature solution for legal identity management on the network, each business operator has explored various online identity authentication measures in order to implement the national real-name policy. Early on, operators required users to enter information such as their ID card number and name, and the system accepted whatever was entered; the result was that the authenticity of the entered ID card number and name could hardly be guaranteed, the typical example being scalpers buying up train tickets under the name "celebrating rich steamed stuffed bun". Later, to address such problems, operators upgraded their authentication: one measure was to submit the entered ID card number and name to a third-party institution such as the national citizen identity number enquiry service centre for checking, and the user passed if the third-party system held a record of that person whose every item matched. This measure verifies by comparing information against information; it can detect fabricated identity information, but it cannot detect genuine identity information that has been misappropriated. The reason is simple: once the ID card number and other personal information are separated from the ID card as their carrier they are just a string of characters, and a third-party verification system can only determine whether a record of that person exists, not whether the "real name" belongs to the "real person". Later still, user identity verification was strengthened further: users were required to supply a bank card number, a telephone number or even a photograph of themselves holding their ID card. These supplementary measures did reinforce the real-name system to some degree, but their effect is gradually offset as identity fraud techniques keep evolving, while authentication costs keep rising and user experience declines sharply. The fundamental reason for this outcome is that these auxiliary verification measures are not based on rigorous rules and procedures; they solve verification only in form and cannot reach the authenticity of verifying identity with a legal certificate in real life.
Chinese patent CN1339894A provides an identity certificate and a method of producing it: in production, the issuing authority first constructs a first information packet containing identity information and biometric information; then it selects an asymmetric key algorithm and digitally authenticates the first information packet with a private key to generate a second information packet; finally the authenticated second information packet is stored in a medium to make the identity certificate. However, this invention still does not solve the problem described above: fabricated identity information can be detected, but misappropriated genuine identity information cannot.
Summary of the invention
To overcome the defects of the prior art, the present invention provides a network mapping certificate generated from an electronic legal identity certificate entity card. Based on the existing electronic legal identity certificates and their associated database resources, it proposes a safe, reliable, economical and convenient scheme for legal identity management on the network that suits China's actual conditions, and solves the legal identity management problem China currently faces on the network.
The present invention is achieved through the following technical solution: a network mapping certificate generated from an electronic legal identity certificate entity card, the network mapping certificate comprising basic personal information, biometric information, certificate anti-counterfeiting information, additional element information and a digital signature, all generated by an irreversible mapping transformation.
Further, the electronic legal identity certificate comprises the electronic Chinese second-generation identity card, the e-passport, the electronic round-trip permit, the electronic home return permit, the electronic Taiwan compatriot permit and the electronic mainland permit.
Further, the basic personal information comprises name, sex, address, date of birth and certificate number.
Further, the biometric information comprises face photograph, fingerprint, iris and DNA information.
Further, the certificate anti-counterfeiting information comprises physical anti-counterfeiting information and digital anti-counterfeiting information.
Further, the additional element information comprises the mapping certificate serial number, the validity period, the issuer and holder information.
Further, the digital signature is the signed data obtained by signing the basic personal information, biometric information, certificate anti-counterfeiting information and additional element information with a signing digital certificate, and the signed data must be attached to the network mapping certificate electronic file and issued together with it.
Further, the mapping transformation comprises a mathematical transformation or a cryptographic transformation.
Further, the network mapping certificate comprises a network mapping certificate revocation list; when an entity certificate becomes invalid, the revocation list is issued immediately, so that the network mapping certificate corresponding to the invalidated entity certificate is invalidated in sync.
Compared with the prior art, the advantageous effect is that the present invention proposes establishing a legal identity management system for the network with the electronic legal identity certificate's network mapping certificate as its core: a legal identity management system corresponding to that of the physical world is established in cyberspace, the pattern and procedure of proving identity with a legal identity certificate in real life are transplanted to cyberspace, the legal identity certificate takes on a legal effect equivalent to its use in the physical world, and the problem of legal identity management in cyberspace is solved.
The invention solves the technical barrier that an electronic legal identity certificate not carrying a personal digital certificate cannot be applied directly to legal identity management on the network. Compared with the various online identity authentication modes currently on the market that derive from personal information databases, the present invention no longer stays at the level of formal comparison of personal information but truly solves the "real name, real person" problem of legal identity authentication, and effectively prevents the subjective and non-subjective errors caused by human intervention. The present invention keeps the same architecture as the legal identity management system of the physical world and preserves its two core elements: the authenticity and validity of the legal identity certificate, and the consistency between the certificate and the person holding it. Through network mapping certificate technology, electronic legal identity certificates such as the second-generation ID card are applied integrally both online and offline, which not only extends the universality of laws, regulations and administrative rules such as the Resident Identity Card Law of the People's Republic of China, but also conforms to the public's existing understanding and habits, making it easy to accept and popularise.
Description of the drawings
Fig. 1 is a schematic of the composition of the network legal identity management system based on electronic legal identity certificate network mapping certificates in the present invention;
Fig. 2 is a schematic of the system composition in which the network mapping certificate issuing authority directly provides the network mapping certificate verification service;
Fig. 3 is a schematic of the system composition in which the network business system completes the network mapping certificate verification service by itself;
Fig. 4 is a schematic of the issuance and management of the network mapping certificate in the present invention;
Fig. 5 is a schematic of the logical verification relationships of the network mapping certificate in the present invention;
Fig. 6 is a schematic of the steps of the method of generating a network mapping certificate from an electronic legal identity certificate entity card according to the present invention.
Embodiment
In the present invention, "network mapping certificate" refers specifically to a particular digital file that an authority issues, to meet the needs of legal identity management on the network, to the holder of an electronic legal identity certificate that does not carry a personal digital certificate function, and that proves the legal identity of the identity document holder in cyberspace. The network mapping certificate is a mapping of the electronic legal identity certificate into cyberspace; it has a logical binding relationship with the physical electronic legal identity certificate and plays, in cyberspace, a legal role equivalent to that of the electronic legal identity certificate in the physical world.
The above electronic legal identity certificates comprise, in the conventional sense, the electronic resident identity card, the e-passport, the electronic permit for mainland residents travelling to and from Hong Kong and Macao, the electronic permit for Hong Kong and Macao residents travelling to the mainland, the electronic permit for Taiwan residents travelling to the mainland and the electronic permit for mainland residents travelling to Taiwan. Of these, the electronic resident identity card is the current Chinese second-generation resident identity card, hereinafter the "second-generation ID card"; the electronic permit for mainland residents travelling to and from Hong Kong and Macao is hereinafter the "electronic round-trip permit"; the electronic permit for Hong Kong and Macao residents travelling to the mainland is hereinafter the "electronic home return permit"; the electronic permit for Taiwan residents travelling to the mainland is hereinafter the "electronic Taiwan compatriot permit"; and the electronic permit for mainland residents travelling to Taiwan is hereinafter the "electronic mainland permit".
None of the above electronic legal identity certificates carries a personal digital certificate function, so none can be applied directly to legal identity management on the network. The digital certificate referred to above is the electronic signature authentication certificate defined in the Electronic Signature Law of the People's Republic of China, namely the public-key digital certificate defined in the PKI technical system.
The specific embodiments of the invention are described in further detail below with reference to the accompanying drawings.
As shown in Figs. 4 and 5, the network mapping certificate generated from an electronic legal identity certificate entity card provided by the invention comprises basic personal information, biometric information, certificate anti-counterfeiting information, additional element information and a digital signature, all generated by an irreversible mapping transformation; the electronic legal identity certificate comprises the electronic Chinese second-generation identity card, the e-passport, the electronic round-trip permit, the electronic home return permit, the electronic Taiwan compatriot permit and the electronic mainland permit. Every electronic legal identity certificate contains basic personal information, biometric information and certificate anti-counterfeiting information, but different certificates store different basic personal, biometric and anti-counterfeiting information, so the network mapping certificates generated from different legal identity certificates also differ. The basic personal information comprises name, sex, address, date of birth and certificate number. The biometric information comprises face photograph, fingerprint and the like. The certificate anti-counterfeiting information comprises physical and digital anti-counterfeiting information. The additional element information comprises the mapping certificate serial number, the validity period, the issuer and holder information. The digital signature comprises signed data, which is attached to the network mapping certificate electronic file and issued together with it, and the mapping transformation comprises a mathematical or cryptographic transformation. The network mapping certificate comprises a network mapping certificate revocation list, which is issued immediately so as to invalidate, in sync, the network mapping certificate corresponding to an invalidated entity certificate.
As shown in Fig. 6, the invention provides a method of generating a network mapping certificate from an electronic legal identity certificate entity card, comprising the following steps:
Step 1) card information extraction: the information recorded on the legal electronic identity document entity card is divided into basic personal information (name, sex, date of birth and certificate number), biometric information (photograph, fingerprint image and fingerprint template) and certificate anti-counterfeiting feature information (physical and digital anti-counterfeiting). Content is extracted from the information recorded on the legal identity certificate entity card; the card information comes either from reading the electronic legal identity certificate or from the database used to produce and issue the electronic legal identity certificate;
Step 2) mapping transformation: the card information extracted in step 1) is passed through a mapping transformation to form the factor data stored in the network mapping certificate, from which the network mapping certificate is made and issued;
Step 3) signature: the factor data stored in the mapping certificate of step 2), after the mapping certificate serial number, validity period, issuer and holder information are appended, is signed with the network mapping certificate signing digital certificate of the network mapping certificate issuing authority, completing issuance of the network mapping certificate;
Step 4) network mapping certificate revocation list issuance: when the entity certificate bound to a network mapping certificate becomes invalid because it is cancelled or reported lost, the network mapping certificate issuing authority immediately issues a revocation list, invalidating the network mapping certificate corresponding to the invalidated entity certificate in sync;
Step 5) publication of the signing digital certificate, the network mapping certificates and the network mapping certificate revocation list: the network mapping certificate signing digital certificate, the network mapping certificates and the network mapping certificate revocation list are all used when the network mapping certificate verification authority verifies a network mapping certificate, and the network mapping certificate issuing authority publishes them in real time to the network mapping certificate verification authority or subsystem.
The mapping transformation is a mathematical or cryptographic transformation. The signed data is attached to the network mapping certificate electronic file and issued with it, and serves to verify the authenticity and integrity of the network mapping certificate itself. The factor data stored in the network mapping certificate derives from the legal identity certificate card information; the mapping transformation is irreversible, so the original card information cannot be derived back from the factor data; when published, the factor data is subject to steps protecting the holder's personal information and privacy; and the factor data supports secure remote online authentication over the network, the remote online authentication process including measures against side-channel attacks, man-in-the-middle attacks, replay attacks and eavesdropping. In step 4), the network mapping certificate revocation list is signed and updated with the network mapping certificate signing digital certificate of the issuing authority, and is updated urgently when an entity certificate becomes invalid; the validity period of the network mapping certificate does not exceed that of the corresponding entity certificate, so when the entity certificate expires naturally the network mapping certificate also expires naturally and need not be invalidated by issuing a revocation list. In step 5), the holder of a network mapping certificate can download his or her own network mapping certificate and present it actively during verification.
The present invention proposes establishing a network legal identity management system with the electronic legal identity certificate's network mapping certificate as its core. Its basic idea is to establish in cyberspace a legal identity management system corresponding to that of the physical world, transplanting the pattern and procedure of proving identity with a legal identity certificate in real life to cyberspace, so that the legal identity certificate has a legal effect equivalent to its application in the physical world and the problem of legal identity management in cyberspace is solved.
As shown in Fig. 1, the network legal identity management system based on electronic legal identity certificate network mapping certificates provided by the invention comprises a network mapping certificate issuing authority, a network mapping certificate verification authority, network business systems and network mapping certificate holders, which interact to transmit and verify information.
The network mapping certificate issuing authority comprises the legal identity certificate issuing authority and specialised agencies authorised by the government or relevant departments; it issues network mapping certificates to legal identity certificate holders in accordance with national policy, the electronic legal identity certificates comprising the Chinese second-generation identity card, the e-passport, the electronic round-trip permit, the electronic home return permit, the electronic Taiwan compatriot permit and the electronic mainland permit. The issuing authority publishes the network mapping certificates it issues in real time to network mapping certificate holders and to the network mapping certificate verification authority. The verification authority authenticates the elements of a network mapping certificate, comprising certificate entity authentication, person-certificate consistency authentication and basic information verification.
Certificate entity authentication comprises requiring the party being authenticated to present the physical electronic legal identity certificate on an RF reader at the remote client; the network mapping certificate verification authority or subsystem combines the certificate entity authentication elements with the physical certificate's response to a challenge instruction to judge whether the certificate presented is the physical electronic legal identity certificate bound to the network mapping certificate;
Person-certificate consistency authentication comprises collecting biometric data from the party being authenticated at the remote client and comparing it, according to predefined rules, with the factor data for person-certificate consistency authentication, to judge whether that party is the rightful holder of the network mapping certificate; the comparison is determined by the biometric type identified in that factor data, and the biometric data comprises face photograph, fingerprint, iris and DNA information. Basic information verification comprises checking, by means of the basic information verification elements, whether personal information obtained by manual input in the business system belongs to the rightful holder of the network mapping certificate.
When the legal identity certificate entity certificate corresponding to a network mapping certificate is cancelled or reported lost, the network mapping certificate issuing authority must issue a network mapping certificate revocation list and publish it in real time to the network mapping certificate verification authority. The verification authority provides the network mapping certificate verification service; this role may be taken by an independent third-party agency providing the verification service, by the network mapping certificate issuing authority directly providing the service, or by a network business system that completes the verification service itself. The network mapping certificate holder is a client of a network business system; the client downloads his or her network mapping certificate from the issuing authority, proves his or her legal identity to the network business system with it, and takes part in business with real-name requirements. A network business system is a business system with real-name requirements, such as online banking or opening a shop on Taobao. The network mapping certificate issuing authority is responsible for issuing the network mapping certificate signing digital certificate, issuing the network mapping certificate revocation list, and publishing the signing digital certificate, the network mapping certificates and the revocation list externally. The network legal identity management system comprises an interaction mode among the network mapping certificate holder, the network business system and the verification authority or subsystem, as follows: the holder selects a business of the network business system and carries out normal interactive operations; when the business system requires authentication of the client's legal identity, the holder presents his or her network mapping certificate or its identifier to the business system; the business system sends a network mapping certificate verification request, containing the network mapping certificate or its identifier, to the verification authority or subsystem; the verification authority or subsystem accepts the request submitted by the business system, performs the network mapping certificate verification operation and confirms whether the remote client is the rightful holder of the network mapping certificate; the verification authority or subsystem returns the verification result to the business system, which decides according to the result whether to continue the subsequent business interaction. In confirming whether the remote client is the rightful holder, the verification authority or subsystem and the holder carry out the remote authentication interaction either directly or through the business system.
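The issuance steps 1) to 5) and the verification flow above, as an added illustration that is not part of the patent or of any implementation of it: an assumed Go program in which the irreversible mapping transformation is a per-certificate salted SHA-256 digest, the issuing authority's signing digital certificate is reduced to an Ed25519 key pair, and the certificate and revocation list are JSON-encoded. All names (MappingCert, RevocationList, Issue, Revoke, Verify, MatchFactor) and the sample card values are constructed for the example. It shows the validity clamp to the entity certificate, revocation-list signing and checking, and a basic-information check that recomputes the mapping instead of reading the field back.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// MappingCert carries only irreversibly mapped factor data, the additional element
// information (serial, issuer, validity) and the issuing authority's signature.
type MappingCert struct {
	Serial    string            `json:"serial"`
	Issuer    string            `json:"issuer"`
	NotAfter  time.Time         `json:"not_after"`
	Salt      string            `json:"salt"`    // per-certificate salt: blocks dictionary inversion of factors
	Factors   map[string]string `json:"factors"` // label -> hex(SHA-256(salt || label || value))
	Signature []byte            `json:"signature,omitempty"`
}

// RevocationList is the signed list of serials whose entity card was cancelled or reported lost.
type RevocationList struct {
	Revoked   []string `json:"revoked"`
	Signature []byte   `json:"signature,omitempty"`
}

// mapFactor is the irreversible mapping transformation (step 2), assumed here to be a salted SHA-256 digest.
func mapFactor(salt []byte, label string, value []byte) string {
	sum := sha256.Sum256(append(append(append([]byte{}, salt...), label...), value...))
	return hex.EncodeToString(sum[:])
}

// tbs: to-be-signed bytes with the signature cleared; encoding/json sorts map keys, so it is deterministic.
func (c MappingCert) tbs() []byte    { c.Signature = nil; b, _ := json.Marshal(c); return b }
func (r RevocationList) tbs() []byte { r.Signature = nil; b, _ := json.Marshal(r); return b }

// Issue performs steps 1-3: map each field read from the entity card, append the additional
// elements and sign. Validity is clamped so it never exceeds that of the entity card.
func Issue(priv ed25519.PrivateKey, issuer, serial string, card map[string][]byte, entityNotAfter, now time.Time, validity time.Duration) (MappingCert, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return MappingCert{}, err
	}
	notAfter := now.Add(validity)
	if notAfter.After(entityNotAfter) {
		notAfter = entityNotAfter
	}
	c := MappingCert{Serial: serial, Issuer: issuer, NotAfter: notAfter, Salt: hex.EncodeToString(salt), Factors: map[string]string{}}
	for label, value := range card {
		c.Factors[label] = mapFactor(salt, label, value)
	}
	c.Signature = ed25519.Sign(priv, c.tbs())
	return c, nil
}

// Revoke adds a serial to the list and re-signs it (step 4) so verifiers see the change at once.
func Revoke(priv ed25519.PrivateKey, crl *RevocationList, serial string) {
	crl.Revoked = append(crl.Revoked, serial)
	crl.Signature = ed25519.Sign(priv, crl.tbs())
}

// Verify checks the certificate itself: issuer signatures on certificate and list, validity, non-revocation.
func Verify(pub ed25519.PublicKey, c MappingCert, crl RevocationList, now time.Time) error {
	if !ed25519.Verify(pub, c.tbs(), c.Signature) || !ed25519.Verify(pub, crl.tbs(), crl.Signature) {
		return fmt.Errorf("certificate or revocation list signature invalid")
	}
	if now.After(c.NotAfter) {
		return fmt.Errorf("certificate %s expired", c.Serial)
	}
	for _, s := range crl.Revoked {
		if s == c.Serial {
			return fmt.Errorf("certificate %s revoked", s)
		}
	}
	return nil
}

// MatchFactor is the basic-information check: the typed-in value is mapped with the certificate's
// salt and compared in constant time with the stored factor, so the certificate discloses nothing.
func MatchFactor(c MappingCert, label string, value []byte) bool {
	salt, err := hex.DecodeString(c.Salt)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(mapFactor(salt, label, value)), []byte(c.Factors[label])) == 1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2015, 9, 1, 0, 0, 0, 0, time.UTC)
	card := map[string][]byte{"name": []byte("Zhang San"), "id_number": []byte("110101198001010000")} // constructed sample
	cert, _ := Issue(priv, "issuing-authority", "NMC-0001", card, now.AddDate(2, 0, 0), now, 5*365*24*time.Hour)
	crl := RevocationList{}
	crl.Signature = ed25519.Sign(priv, crl.tbs())
	fmt.Println("verify:", Verify(pub, cert, crl, now), "| name matches:", MatchFactor(cert, "name", []byte("Zhang San")))
}
```

Because the factors are salted digests, the verification authority can confirm that a name or certificate number typed into a business system matches the holder's card without the certificate itself revealing those fields, and the certificate entity and biometric checks of the text would be layered on top of this with the physical card and a biometric comparison that this example does not model.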
The network legal identity management system based on electronic legal identity document network mapping certificates provided by the invention is described in detail as follows:
One. The network mapping certificate issuing authority may be the legal identity document issuing authority, which in China is in most cases the public security organ, or a specialised agency authorised by the government or the relevant department.
The main responsibilities of this authority are, first, to issue network mapping certificates according to policy to holders of legal identity documents such as the second-generation resident ID card, electronic passport, electronic Exit-Entry Permit for Hong Kong and Macao, electronic Home Return Permit, electronic Taiwan Compatriot Permit and electronic mainland travel permit, and to publish the issued network mapping certificates in real time to the holders and to the network mapping certificate verification authority; and second, when the physical legal identity document corresponding to a network mapping certificate is cancelled or reported lost, to issue the network mapping certificate revocation list and publish it in real time to the verification authority.
The main responsibility of the network mapping certificate verification authority is to provide the network mapping certificate verification service.
The online business system, usually referred to as an XX website, is the relying party for legal identity: some of its services need to authenticate the customer's legal identity, for example opening a bank account, applying for an e-mail address under real-name conditions, opening a microblog account or opening a Taobao shop. At present the customer legal identity authentication method recognised by the administration is mainly in-person signing, in which business staff at a service outlet check the customer's second-generation ID card manually, face to face. Once the online business system is connected to the network legal identity management system based on electronic legal identity document network mapping certificates, it can confirm the customer's legal identity remotely and online through the verification service provided by the network mapping certificate verification authority.
The network mapping certificate holder, i.e. the online business system's customer, applies to the network mapping certificate issuing authority for a network mapping certificate, proves his or her legal identity to the online business system with it, and takes part in the related business that carries a real-name requirement.
The network mapping certificate verification service can be provided by an independent third party, directly by the network mapping certificate issuing authority, or completed by the online business system itself. For ease of understanding and presentation, the network mapping certificate verification service is treated below as logically independent.
Where the network mapping certificate issuing authority itself provides the verification service, as shown in Figure 2, publication of the network mapping certificates and revocation list becomes an internal process.
Where the online business system completes the verification service itself, as shown in Figure 3, steps ③, ④ and ⑤ of the network mapping certificate verification flow become an internal process.
Two. Issuance of network mapping certificates and related services.
Issuance of network mapping certificates and the related services are mainly the responsibility of the network mapping certificate issuing authority; the concrete business logic is shown in Figure 4. The related services comprise issuance of the network mapping certificate signing certificate, issuance of the network mapping certificate revocation list, and external publication of the signing certificate, the network mapping certificates and the revocation list.
1. Administrative authorisation for issuing network mapping certificates, and issuance of the signing certificate.
The network mapping certificate issuing authority must first obtain authorisation from the government or the relevant department in accordance with Chinese laws and regulations, so as to guarantee the legal effect of the network mapping certificates it issues; second, it must issue the network mapping certificate signing certificate that represents its authority as issuer.
2. Issuance of network mapping certificates.
Issuance of the network mapping certificate is the most central and most important link of the network legal identity management system based on electronic legal identity document network mapping certificates. The concrete operations comprise:
(1) Extraction of card-borne information. Card-borne information is the information recorded on the physical legal identity document, and falls into three classes: basic personal information (name, sex, date of birth, document number); biometric information (face photograph, fingerprint); and document anti-counterfeiting feature information (physical anti-counterfeiting and digital anti-counterfeiting). Making a network mapping certificate means extracting content from the card-borne information of the legal identity document; which content is extracted is determined by the corresponding policy according to actual need. Card-borne information can be obtained directly by reading the electronic legal identity document, or from the database used to produce and issue electronic legal identity documents.
(2) Mapping transformation. This is the process by which the extracted card-borne information is put through a particular transformation to form the element data stored in the network mapping certificate. The mapping transformation may be a mathematical transformation or a cryptographic transformation; the detailed process and method are determined by the corresponding policy according to actual need.
The elements stored in the network mapping certificate generally have the following characteristics. First, they are derived from the card-borne information of the legal identity document. Second, the transformation is irreversible: the original card-borne information cannot be recovered from the element data. Third, publishing them does not disclose the holder's personal information or privacy. Fourth, they support secure remote online authentication over the network, and the authentication process resists side-channel attacks, man-in-the-middle attacks, replay attacks and eavesdropping. Note that a plain digest of low-entropy fields such as sex or date of birth is not irreversible in practice, because an attacker can enumerate every candidate value and compare digests; meeting the second characteristic therefore requires the transformation to include a per-certificate random salt or a secret key. Different kinds of card-borne information generate different kinds of mapping certificate elements after transformation: the basic personal information (name, sex, date of birth, document number) generates the basic information check element, used by the business system to check whether personal information obtained by other means belongs to the rightful holder of the network mapping certificate; the face photograph and fingerprint biometric information generates the person-document identity element, used by the verifying party to authenticate whether the party being verified is the rightful holder; and the physical and digital anti-counterfeiting feature information generates the document entity authentication element, used by the verifying party to authenticate whether the electronic legal identity document bound to the network mapping certificate is physically present online.
(3) Signing. After the mapping certificate serial number, validity period, issuer and holder information have been appended to the element data above, the whole is signed with the issuing authority's network mapping certificate signing certificate, completing issuance of the network mapping certificate. The signature data must be attached to the network mapping certificate file and published with it, for verifying the authenticity and integrity of the network mapping certificate itself.
3. Issuance of the network mapping certificate revocation list.
When the physical document bound to a network mapping certificate becomes invalid, for example because it is cancelled or reported lost, the network mapping certificate issuing authority issues a revocation list immediately, so that the network mapping certificate corresponding to the invalid physical document is invalidated in step with it. The network mapping certificate revocation list is signed with the issuing authority's network mapping certificate signing certificate and updated regularly, and updated urgently when a physical document becomes invalid. The validity period of a network mapping certificate should not exceed that of the corresponding physical document, so a network mapping certificate whose physical document has expired naturally expires as well, and its invalidity need not be confirmed by issuing a revocation list.
4. Publication of the signing certificate, network mapping certificates and network mapping certificate revocation list.
The network mapping certificate signing certificate, the network mapping certificates and the network mapping certificate revocation list are all needed when the verification authority verifies a network mapping certificate, so the issuing authority must publish them in real time to the verification authority or subsystem. The holder may of course also download his or her own network mapping certificate and present it actively during verification.
Three. Network mapping certificate verification.
Network mapping certificate verification is, besides issuance, the other core and important part of the network legal identity management system based on electronic legal identity document network mapping certificates. At the system level it involves interaction between the network mapping certificate holder, the online business system and the verification authority or subsystem, as shown in Figures 1, 2 and 3. The concrete flow comprises:
① The network mapping certificate holder selects a business of the online business system and carries out normal interactive operation;
② When the business system requires authentication of the customer's legal identity, the holder presents his or her network mapping certificate or its identifier to the business system;
③ The online business system sends a network mapping certificate verification request, containing the network mapping certificate or its identifier, to the verification authority or subsystem;
④ The verification authority or subsystem accepts the request submitted by the business system, performs the network mapping certificate verification operation and confirms whether the remote customer is the rightful holder of the network mapping certificate. During this process the verification authority or subsystem must interact with the holder for remote authentication, either directly or through the business system;
⑤ The verification authority or subsystem returns the verification result to the online business system;
⑥ The online business system decides from the verification result whether to continue the subsequent business interaction.
The substantive operation of network mapping certificate verification in step ④, performed by the verification authority or subsystem, is the core link of the above flow; as shown in Figure 5, its concrete logic divides into the following two parts:
1. Verification of the authenticity and validity of the network mapping certificate.
(1) Obtaining the network mapping certificate, the signing certificate and the revocation list.
The issuing authority's network mapping certificate signing certificate is the trust anchor of this system; it must be confirmed to have been obtained from a secure, trusted source and to be properly managed.
The verification request that the online business system submits to the verification authority or subsystem comes in two forms: one contains the network mapping certificate itself, the other contains a specific identifier from which the network mapping certificate can be uniquely retrieved. If the verification authority or subsystem receives the certificate itself, it can use it directly in the subsequent verification operations; if it receives an identifier, it must first retrieve the certificate from the network mapping certificate directory.
By parsing the relevant content of the network mapping certificate, the verification system can locate precisely the issuer certificate of that network mapping certificate, namely the issuing authority's network mapping certificate signing certificate, and the corresponding network mapping certificate revocation list.
(2) Verification of the authenticity and validity of the network mapping certificate.
The ultimate purpose of network mapping certificate verification is to confirm the legal identity of the end customer through the document entity authentication element, the person-document identity element and the basic information check element that the certificate contains; that the network mapping certificate is authentic and valid is the prerequisite for reaching this goal.
Verification of the authenticity and validity of the network mapping certificate comprises:
1) checking the validity period of the network mapping certificate, to confirm that it is in force;
2) verifying the signature data of the mapping certificate with the network mapping certificate signing certificate, to confirm the authenticity and integrity of the mapping certificate itself;
3) verifying the signature data of the mapping certificate revocation list with the network mapping certificate signing certificate, to confirm the authenticity and integrity of the revocation list;
4) checking whether the serial number of the mapping certificate is included in the revocation list, to confirm that the mapping certificate has not been revoked.
If any one of the above four checks fails, the mapping certificate is treated as invalid. Since the revocation list is published periodically and updated urgently on revocation, the verifier should also confirm that the list it checks against is the current one: a correctly signed but outdated list, replayed to the verifier, passes check 3) and makes check 4) miss a recent revocation.
2. Authentication of the network mapping certificate elements.
Once the network mapping certificate has been confirmed authentic and valid, the verification authority or subsystem parses the elements it contains and authenticates those that the actual business requires. In this process the verification authority or subsystem must interact with the holder for remote authentication, either directly or through the business system.
(1) Document entity authentication. This process requires the party being verified at the remote client to present the physical electronic legal identity document to an RF reader; the verification authority or subsystem combines the document entity authentication element with the physical document's responses to challenge commands, and judges whether the document presented is the physical electronic legal identity document bound to the network mapping certificate.
(2) Person-document identity authentication. This process collects biometric data from the party being verified at the remote client, compares it with the person-document identity element data according to predefined rules, and judges whether that party is the rightful holder of the network mapping certificate. The biometric data here is a face photograph, fingerprint or other biometric, as determined by the biometric type that the person-document identity element indicates; remote biometric collection should preferably add liveness detection. Biometric captures never repeat exactly, so comparing a fresh capture with an irreversibly transformed element requires a transformation designed for approximate matching (a biometric template protection scheme) rather than a plain digest; which scheme is used is left to the corresponding policy.
(3) Basic information check. This process uses the basic information check element to examine whether personal information that the business system has obtained by manual input or other means belongs to the rightful holder of the network mapping certificate.
The invention is not limited to the embodiment above; any variation, improvement or substitution that a person skilled in the art could conceive without departing from the substance of the invention falls within its scope of protection.
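The following Go program is an added worked example, not code from the patent or from any implementation of it. It covers, in one place, the issuance steps (1)-(3) of section Two, revocation list issuance in item 3, the four authenticity and validity checks of section Three, and the basic information check above, under assumptions the page leaves to policy: the mapping transformation is a salted SHA-256 over the fields of each element (the per-certificate salt is what stops low-entropy fields such as sex and date of birth from being recovered by enumeration), the signing certificate is modelled by a bare Ed25519 key pair rather than an X.509 certificate, and records are serialised as JSON. The type and function names, field layout, serial and issuer strings and the sample card data are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"time"
)

// MappingCert carries only one-way elements, the additional elements and the issuer signature.
type MappingCert struct {
	Serial      string    `json:"serial"`
	NotBefore   time.Time `json:"not_before"`
	NotAfter    time.Time `json:"not_after"`
	Issuer      string    `json:"issuer"`
	Salt        []byte    `json:"salt"` // per-certificate random salt (assumed design)
	EssentialEl []byte    `json:"essential_element"`
	IdentityEl  []byte    `json:"identity_element"`
	EntityEl    []byte    `json:"entity_element"`
	Signature   []byte    `json:"signature,omitempty"`
}

// RevocationList names serials whose physical document was cancelled or reported lost.
type RevocationList struct {
	IssuedAt  time.Time `json:"issued_at"`
	Revoked   []string  `json:"revoked"`
	Signature []byte    `json:"signature,omitempty"`
}

var (
	ErrExpired      = errors.New("mapping certificate outside its validity period")
	ErrBadSignature = errors.New("mapping certificate signature invalid")
	ErrBadCRL       = errors.New("revocation list signature invalid or list too old")
	ErrRevoked      = errors.New("mapping certificate serial is revoked")
)

// mapElement is the irreversible mapping transform assumed here: SHA-256 over the salt, a
// domain label and the Go-quoted field list, so field boundaries cannot be confused.
func mapElement(salt []byte, label string, parts ...string) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%x|%s|%q", salt, label, parts)))
	return sum[:]
}

func tbs(v any) []byte { b, _ := json.Marshal(v); return b } // to-be-signed bytes; Signature must be nil
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// IssueCert maps the extracted card fields (essential info, biometric template, anti-counterfeiting feature), adds serial/validity/issuer and signs.
func IssueCert(priv ed25519.PrivateKey, issuer, serial string, essential []string, face, chip []byte, nb, na time.Time) MappingCert {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read never returns an error on Go 1.24+; it aborts the process instead
	c := MappingCert{Serial: serial, NotBefore: nb, NotAfter: na, Issuer: issuer, Salt: salt}
	c.EssentialEl = mapElement(salt, "essential", essential...)
	c.IdentityEl = mapElement(salt, "identity", string(face))
	c.EntityEl = mapElement(salt, "entity", string(chip))
	c.Signature = ed25519.Sign(priv, tbs(c))
	return c
}

func IssueCRL(priv ed25519.PrivateKey, revoked []string, at time.Time) RevocationList {
	l := RevocationList{IssuedAt: at, Revoked: revoked}
	l.Signature = ed25519.Sign(priv, tbs(l))
	return l
}

// VerifyCert applies the page's four checks in order (validity period, certificate signature,
// CRL signature, serial not listed); the maxAge bound on the CRL is an added replay check.
func VerifyCert(pub ed25519.PublicKey, c MappingCert, crl RevocationList, now time.Time, maxAge time.Duration) error {
	sig, crlSig := c.Signature, crl.Signature
	c.Signature, crl.Signature = nil, nil
	switch {
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return ErrExpired
	case !ed25519.Verify(pub, tbs(c), sig):
		return ErrBadSignature
	case !ed25519.Verify(pub, tbs(crl), crlSig) || now.Sub(crl.IssuedAt) > maxAge:
		return ErrBadCRL
	case slices.Contains(crl.Revoked, c.Serial):
		return ErrRevoked
	}
	return nil
}

// CheckEssentialInfo recomputes the transform over information obtained by another route
// (e.g. typed in by the customer) and compares it with the stored element in constant time.
func CheckEssentialInfo(c MappingCert, info ...string) bool {
	return hmac.Equal(mapElement(c.Salt, "essential", info...), c.EssentialEl)
}

func main() {
	pub, priv, _ := NewIssuerKeys()
	now := time.Now() // the card data below is a constructed sample, not a real person
	cert := IssueCert(priv, "issuer-A", "NMC-0001", []string{"Zhang San", "M", "1990-01-01", "TEST-ID-000001"}, []byte("face"), []byte("chip"), now, now.AddDate(10, 0, 0))
	fmt.Println(VerifyCert(pub, cert, IssueCRL(priv, nil, now), now, time.Hour), CheckEssentialInfo(cert, "Zhang San", "M", "1990-01-01", "TEST-ID-000001"))
}
```

Run it with `go run`. The document entity challenge to the physical card and the biometric comparison are not modelled, because the page does not specify their protocols. Two points the code makes concrete: the basic information check needs only the salt carried inside the certificate, never the issuer's private key, so any verifier holding the certificate can perform it; and revocation is only as good as the freshness of the list, which is why `maxAge` rejects a correctly signed list captured before a revocation.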
Claims (9)
1. A network mapping certificate generated from a physical electronic legal identity document, characterised in that the network mapping certificate comprises basic personal information, biometric information, document anti-counterfeiting information, additional element information and a digital signature, generated by an irreversible mapping transformation.
2. The network mapping certificate of claim 1, characterised in that the electronic legal identity document comprises the electronic second-generation resident ID card, electronic passport, electronic Exit-Entry Permit for Hong Kong and Macao, electronic Home Return Permit, electronic Taiwan Compatriot Permit and electronic mainland travel permit.
3. The network mapping certificate of claim 1 or 2, characterised in that the basic personal information comprises name, sex, address, date of birth and document number.
4. The network mapping certificate of claim 1 or 2, characterised in that the biometric information comprises photograph, fingerprint, iris and DNA information.
5. The network mapping certificate of claim 1 or 2, characterised in that the document anti-counterfeiting information comprises physical anti-counterfeiting information and digital anti-counterfeiting information.
6. The network mapping certificate of claim 1, characterised in that the additional element information comprises the mapping certificate serial number, validity period, issuer and holder information.
7. The network mapping certificate of claim 1, characterised in that the digital signature is the signature data obtained by signing the basic personal information, biometric information, document anti-counterfeiting information and additional element information with the signing certificate, and the signature data is attached to the network mapping certificate file and published with it.
8. The network mapping certificate of claim 1, characterised in that the mapping transformation comprises a mathematical transformation and/or a cryptographic transformation.
9. The network mapping certificate of claim 1, characterised in that the network mapping certificate comprises a network mapping certificate revocation list; the revocation list is issued immediately when a physical document becomes invalid, so that the network mapping certificate information corresponding to the invalid physical document information is invalidated in step with it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510627695.0A CN105184725A (en) | 2015-09-28 | 2015-09-28 | Network mapping document generated based on electronic legal identity document entity |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510627695.0A CN105184725A (en) | 2015-09-28 | 2015-09-28 | Network mapping document generated based on electronic legal identity document entity |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105184725A true CN105184725A (en) | 2015-12-23 |
Family
ID=54906781
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510627695.0A Pending CN105184725A (en) | 2015-09-28 | 2015-09-28 | Network mapping document generated based on electronic legal identity document entity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105184725A (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107231233A (en) * | 2016-03-24 | 2017-10-03 | 卓望数码技术(深圳)有限公司 | A user identity coding method and system |
CN107945080A (en) * | 2016-10-13 | 2018-04-20 | 杭州悉尔科技有限公司 | An electronic identity card issuing method and system based on biometric identification technology |
CN110876144A (en) * | 2018-08-30 | 2020-03-10 | 华为技术有限公司 | Mobile application method, device and system of identity certificate |
CN110876144B (en) * | 2018-08-30 | 2023-07-11 | 华为技术有限公司 | Mobile application method, device and system for identity certificate |
CN110135137A (en) * | 2019-05-08 | 2019-08-16 | 北京科蓝软件系统股份有限公司 | A mobile-device-based network identity verification method and device |
CN110619225A (en) * | 2019-09-04 | 2019-12-27 | 无锡市公安局 | Practitioner electronic identity card generation method suitable for dynamic public security management and control |
CN110619225B (en) * | 2019-09-04 | 2023-04-14 | 无锡市公安局 | Electronic identity card generation method suitable for public security dynamic management and control of employees |
CN111192183A (en) * | 2019-12-25 | 2020-05-22 | 北京中盾安信科技发展有限公司 | Certificate network identity management method based on electronic identity certificate network mapping |
CN111209279A (en) * | 2019-12-25 | 2020-05-29 | 北京中盾安信科技发展有限公司 | Method for removing identification of network mapping certificate |
CN111209598A (en) * | 2019-12-25 | 2020-05-29 | 北京中盾安信科技发展有限公司 | Method for generating network mapping certificate based on electronic identity certificate entity card |
CN111222105A (en) * | 2019-12-25 | 2020-06-02 | 北京中盾安信科技发展有限公司 | Network mapping certificate issuing method |
CN111222115A (en) * | 2019-12-25 | 2020-06-02 | 北京中盾安信科技发展有限公司 | Interaction method for network mapping certificate holder, system and verification mechanism |
CN111222171A (en) * | 2019-12-25 | 2020-06-02 | 北京中盾安信科技发展有限公司 | Authenticity validity verification method of network mapping certificate |
CN113992380A (en) * | 2021-10-22 | 2022-01-28 | 厦门中盾安信科技有限公司 | Credible employee certificate authentication method and system based on network mapping certificate |
CN113992380B (en) * | 2021-10-22 | 2024-04-05 | 厦门中盾安信科技有限公司 | Trusted employee certificate authentication method and system based on network mapping certificate |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN201657022U (en) * | 2010-04-23 | 2010-11-24 | 朱杰 | Network type identity document check system |
CN102402703A (en) * | 2011-11-02 | 2012-04-04 | 山东电力集团公司烟台供电公司 | Power asset supervision method and supervision system based on electronic identity card |
CN202854842U (en) * | 2012-08-16 | 2013-04-03 | 深圳华视电子读写设备有限公司 | Self-service device for electronic certificate handling |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105357176A (en) | Network legal identity management system based on electronic legal identity card network mapping certificate | |
CN105184725A (en) | Network mapping document generated based on electronic legal identity document entity | |
CN105162606A (en) | Method for generating network mapping document based on entity document of electronic legal identity document | |
US12008561B2 (en) | System for verification of pseudonymous credentials for digital identities with managed access to personal data on trust networks | |
CN107943996B (en) | Learning calendar query method and device based on block chain | |
CN102959559B (en) | For the method producing certificate | |
CN103679436B (en) | A kind of electronic contract security system and method based on biological information identification | |
US9167428B2 (en) | Method and system for authenticating entities by means of terminals | |
CN113239382A (en) | Credible identity model based on block chain intelligent contract | |
CN105074721A (en) | Method for signing electronic documents with an analog-digital signature with additional verification | |
CN109727032A (en) | A kind of alliance's block chain access control method of identity-based id password | |
CN110490004A (en) | Processing method, client, computer equipment and the medium of Electronic Signature file | |
Al-Khouri | PKI in government digital identity management systems | |
CN105554018B (en) | Genuine cyber identification verification method | |
CN107425969A (en) | A kind of employee's physical examination information authentication method based on block chain technology | |
Srinivas et al. | Lightweight security protocols for blockchain technology | |
CN111931230A (en) | Data authorization method and device, storage medium and electronic device | |
Shakila et al. | Design and analysis of digital certificate verification and validation using blockchain-based technology | |
Fdhila et al. | Challenges and opportunities of blockchain for auditable processes in the healthcare sector | |
CN102769606B (en) | A kind of network digital identity identifying method based on gene certificate | |
CN115760514A (en) | Family-based mutual-help system for aged people based on block chain and time bank | |
CN101127063A (en) | Creature certificate generation system and method | |
CN105429986B (en) | A kind of system of genuine cyber identification verifying and secret protection | |
Fathiyana et al. | An integration of national identity towards single identity number with blockchain | |
CN111222105A (en) | Network mapping certificate issuing method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination |