CN105553654A - Key information query processing method and device and key information management system - Google Patents

Publication number
CN105553654A
Authority
CN
China
Prior art keywords
key
key information
calculating
user
cipher
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201511034818.6A
Other languages
Chinese (zh)
Other versions
CN105553654B (en)
Inventor
刘磊
黄浩荣
廖卫民
汪毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd
Guangdong Authentication Technology Co Ltd
Original Assignee
GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd
Guangdong Authentication Technology Co Ltd
Application filed by GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd, Guangdong Authentication Technology Co Ltd
Priority to CN201511034818.6A
Publication of CN105553654A
Application granted
Publication of CN105553654B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a key information query processing method and device and a key information management system. The key information query method comprises the steps of: randomly generating a query session key at a client; generating a first digital envelope from a public key of a key information server and the query session key; generating a query request from the first digital envelope and the current user ID of the client, and sending the query request to the key information server; receiving a query result returned by the key information server in response to the query request, wherein the query result comprises the user ID and a key information list encrypted with the query session key; and decrypting the encrypted key information list with the query session key to obtain the key information list corresponding to the user ID. The key information query method provided by the invention requires only network support and can promote the application of digital certificates in more non-standard Windows environments, and therefore has high application value.

Description

Key information query processing method and device, and key information management system
Technical field
The present invention relates to the technical field of cryptography, and in particular to a key information query processing method and device and a key information management system.
Background
A USBKey is a hardware device with a USB interface. It has a built-in single-chip microcomputer or smart card chip and a certain amount of storage, can store a user's private key and digital certificate, and uses its built-in public-key algorithm to authenticate the user's identity. Because the user's private key is kept inside the USBKey and in theory cannot be read out by any means, the security of user authentication is ensured.
With the rapid development of new kinds of computing devices such as tablet computers, smartphones and smart watches, USBKey hardware and its drivers have difficulty adapting to the variety of new hardware interfaces, mainboards and operating system environments. As mobile computing becomes more widespread, smartphones, smart watches and similar devices can all replace the existing USBKey as the storage medium for digital certificates and private keys, but no corresponding user key management method exists yet, which limits the adoption of mobile digital certificate technology.
Summary of the invention
In view of this, to solve the problems of the prior art, the invention provides a key information query processing method and device and a key information management system that can adapt to a variety of new hardware interfaces, mainboards and operating system environments.
To achieve the above object, the embodiments of the present invention adopt the following technical solutions:
A key information query method comprises the following steps:
A client randomly generates a query session key;
A first digital envelope is generated from the key information server public key and the query session key;
A query request is generated from the first digital envelope and the current user ID of the client, and the query request is sent to the key information server;
The client receives the query result that the key information server returns in response to the query request; the query result comprises the user ID and a key information table encrypted with the query session key;
The client decrypts the encrypted key information table with the query session key to obtain the key information table corresponding to the user ID.
A key information processing method comprises the following steps:
Key calculation equipment obtains a calculation request that a client generates from the data to be calculated and the key information table corresponding to the current user ID; the key information table comprises a user ID, key ID, calculation protection key, calculation ID and calculation token that correspond to one another; the calculation request comprises the user ID, the key ID, and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated; the client generates that ciphertext by encrypting the data to be calculated with the calculation protection key;
The key calculation equipment decrypts the second digital envelope with the private key corresponding to the key ID to obtain the ciphertext of the data to be calculated, the calculation ID and the calculation token;
The key calculation equipment sends a calculation authorization request to the key information server; the calculation authorization request comprises the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
The key calculation equipment receives the calculation authorization result that the key information server returns in response to the calculation authorization request; the calculation authorization result comprises the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
The key calculation equipment decrypts the fourth digital envelope with the private key corresponding to the key ID to obtain the calculation protection key;
The key calculation equipment decrypts the ciphertext of the data to be calculated with the calculation protection key to obtain the data to be calculated;
The key calculation equipment performs the calculation on the data to be calculated with the private key corresponding to the key ID to obtain a private-key calculation result, and returns the private-key calculation result to the client.
A key information processing method comprises the following steps:
A key information server receives the calculation authorization request sent by key calculation equipment; the calculation authorization request comprises a user ID, a key ID, and a third digital envelope generated from the key information server public key, a calculation ID and a calculation token;
The key information server decrypts the third digital envelope with the key information server private key to obtain the user ID, the key ID, the calculation ID and the calculation token;
The key information server matches the user ID, the key ID, the calculation ID and the calculation token against the key information table corresponding to the user ID to verify the legitimacy of the client; the key information table comprises the user ID, key ID, calculation ID, calculation token and calculation protection key;
If the verification passes, the key information server sends a calculation authorization result to the key calculation equipment; the calculation authorization result comprises the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key.
A key information query device comprises a client, and the client comprises:
A query session key generation module, for randomly generating a query session key;
A first encryption module, for generating a first digital envelope from the key information server public key and the query session key;
A query request generation module, for generating a query request from the first digital envelope and the current user ID of the client;
A first sending module, for sending the query request to the key information server;
A first receiving module, for receiving the query result that the key information server returns in response to the query request; the query result comprises the user ID and a key information table encrypted with the query session key;
A first decryption module, for decrypting the encrypted key information table with the query session key to obtain the key information table corresponding to the user ID.
A key information processing device comprises key calculation equipment, and the key calculation equipment comprises:
An acquisition module, for obtaining the calculation request that a client generates from the data to be calculated and the key information table corresponding to the current user ID; the key information table comprises a user ID, key ID, calculation protection key, calculation ID and calculation token that correspond to one another; the calculation request comprises the user ID, the key ID, and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated; the client generates that ciphertext by encrypting the data to be calculated with the calculation protection key;
A second decryption module, for decrypting the second digital envelope with the private key corresponding to the key ID to obtain the ciphertext of the data to be calculated, the calculation ID and the calculation token;
A second sending module, for sending a calculation authorization request to the key information server; the calculation authorization request comprises the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
A second receiving module, for receiving the calculation authorization result that the key information server returns in response to the calculation authorization request; the calculation authorization result comprises the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
A third decryption module, for decrypting the fourth digital envelope with the private key corresponding to the key ID to obtain the calculation protection key;
A fourth decryption module, for decrypting the ciphertext of the data to be calculated with the calculation protection key to obtain the data to be calculated;
A calculation module, for performing the calculation on the data to be calculated with the private key corresponding to the key ID to obtain a private-key calculation result;
A third sending module, for returning the private-key calculation result to the client.
A key information processing device comprises a key information server, and the key information server comprises:
A third receiving module, for receiving the calculation authorization request sent by the key calculation equipment; the calculation authorization request comprises the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
A fifth decryption module, for decrypting the third digital envelope with the key information server private key to obtain the user ID, the key ID, the calculation ID and the calculation token;
A verification module, for matching the user ID, the key ID, the calculation ID and the calculation token against the key information table corresponding to the user ID to verify the legitimacy of the client; the key information table comprises the user ID, key ID, calculation ID, calculation token and calculation protection key;
A fourth sending module, for sending a calculation authorization result to the key calculation equipment when the verification module's check passes; the calculation authorization result comprises the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
A fourth receiving module, for receiving the query request sent by a client;
A fifth sending module, for sending to the client the query result generated in response to the query request; the query result comprises the user ID and the encrypted key information table;
An update module, for updating the key information table corresponding to the user ID after the fourth sending module has sent the calculation authorization result to the key calculation equipment.
The present invention also provides a key information management system comprising the above key information query device and key information processing device.
With the key information query method and device, the key information processing method and device, and the key information management system provided by the invention, there is no need to modify the code of existing PC-side cryptographic applications, which helps promote the application of mobile digital certificate technology. With the rapid development of new kinds of computing devices such as tablet computers and smartphones, USBKey hardware and its drivers have difficulty adapting to the variety of new hardware interfaces, mainboards and operating system environments, whereas the technical solution provided by the invention requires only network support. It extends the application of digital certificates to more non-standard Windows environments and has high application value.
Brief description of the drawings
Fig. 1 is a schematic diagram of the information interaction among the client, the key information server, the key calculation equipment, the data sending address and the result obtaining address involved in the present invention;
Fig. 2 is a schematic flow chart of the key information query method of the present invention in embodiment one;
Fig. 3 is a schematic flow chart of the key information processing method of the present invention in embodiment two;
Fig. 4 is a schematic flow chart of the key information processing method of the present invention in embodiment three;
Fig. 5 is a schematic structural diagram of the key information query device of the present invention in embodiment four;
Fig. 6 is a schematic structural diagram of the key information processing device of the present invention in embodiment five;
Fig. 7 is a schematic structural diagram of the key information processing device of the present invention in embodiment six;
Fig. 8 is a schematic structural diagram of the key information management system of the present invention in embodiment seven.
Detailed description
The content of the present invention is described in further detail below with reference to preferred embodiments and the accompanying drawings. The embodiments described below serve only to explain the present invention and do not limit it. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the invention. It should be understood that although the terms "first", "second" and so on are used below to describe various pieces of information, the information is not limited by these terms, which serve only to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, "first" information may also be called "second" information, and similarly "second" information may also be called "first" information. It should also be noted that, for ease of description, the drawings show only the parts related to the present invention rather than the entire content.
Fig. 1 shows the information interaction among the client, the key information server (abbreviated as "service end" in Fig. 1), the key calculation equipment (abbreviated as "calculate end" in Fig. 1), the data sending address and the result obtaining address involved in the present invention, and thereby reflects the key information query data flow and the private-key calculation data flow of the invention.
Fig. 2 is a schematic flow chart of the key information query method of the present invention in embodiment one; the key information query method of embodiment one is described from the perspective of the client. With reference to Fig. 1 and Fig. 2, the processing performed by the client in embodiment one comprises the following steps:
Step S110: the client randomly generates a query session key;
When a user needs to use key information, the user can log in to the client and, through the client, send a request to the key information server, which stores the key information of every user, to obtain the user's own key information. Specifically, after the user logs in to the client to query key information, the client randomly generates a query session key.
Step S120: a first digital envelope is generated from the key information server public key and the query session key;
A digital envelope comprises encrypted content and the encrypted key that was used to encrypt that content. Although the recipient's public key is often used to encrypt this "encryption key", that is not required; a symmetric key pre-shared between sender and recipient can be used as well. On receiving a digital envelope, the recipient first decrypts with the private key or the pre-shared key to obtain the "encryption key", and then decrypts the ciphertext with that key to obtain the original text. Digital envelope technology therefore uses a two-layer encryption scheme, and can be understood as a technique for secure information transmission that combines the advantages of symmetric and asymmetric encryption: it keeps the speed and good security of symmetric encryption algorithms while gaining the convenient key management of asymmetric encryption algorithms.
In this embodiment, the key information server public key is used to make a digital envelope of the query session key, that is, the first digital envelope is generated from the key information server public key and the query session key, which ensures the confidentiality of the query session key.
Step S130: a query request is generated from the first digital envelope and the current user ID of the client, and the query request is sent to the key information server;
Each user has a corresponding user ID, and user IDs and users are in one-to-one correspondence. After the user logs in to the client, the client generates a query request from the current user ID and the first digital envelope and sends this query request to the key information server, asking the key information server to look up the key information table corresponding to the current user ID.
Step S140: the client receives the query result that the key information server returns in response to the query request; the query result comprises the user ID and a key information table encrypted with the query session key;
After accepting the query request sent by the client, the key information server looks up the key information table corresponding to the user ID and returns the query result to the client, and the client receives this query result. The query result comprises the user ID and the key information table encrypted with the query session key. Encrypting the key information table with the query session key effectively ensures the confidentiality and security of the data.
Step S150: the client decrypts the encrypted key information table with the query session key to obtain the key information table corresponding to the user ID.
After receiving the query result returned by the key information server, the client uses the query session key to decrypt the encrypted key information table in the query result and obtains the key information table corresponding to the user ID, which completes the key information query process.
Preferably, to ensure the integrity and authenticity of the data, the query result that the key information server returns to the client also comprises a digital signature made with the key information server private key over the user ID and the encrypted key information table. That is, in addition to the user ID and the encrypted key information table, the query result also comprises a first digital signature generated from the key information server private key, the user ID and the encrypted key information table. After accepting the query result, the client first verifies the first digital signature with the key information server public key, and only after the verification passes decrypts the encrypted key information table to obtain the key information table corresponding to the user ID.
In one optional embodiment, the key information server maintains a key information table for each user ID, and this key information table comprises the user ID, key ID, digital certificate, calculation ID, calculation token, calculation protection key, data sending address and result obtaining address. If a user ID corresponds to N available keys, the key information table contains N rows for that user ID. The fields of each row of the key information table are explained in the following table:
With the key information query method provided by embodiment one, a user's key information can be stored in the key information server, and when the user needs to call on the key information for a private-key calculation, the user can obtain it from the key information server over the network. Compared with the conventional use of a USBKey as the private-key storage medium, embodiment one can adapt to a variety of new hardware interfaces, mainboards and operating system environments, can be applied well in many non-standard Windows environments, and overcomes the limitations of traditional USBKey technology.
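The query exchange of steps S110 to S150, including the optional first digital signature, as an added Python example that is not code from the patent. RSA-OAEP, RSA-PSS and AES-GCM from the `cryptography` package, the message field names and the sample table row are assumptions; the text above names no algorithms.

```python
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithm choices; the patent text does not name any.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

# Constructed sample row; the field names are hypothetical.
SAMPLE_TABLE = [{
    "user_id": "user-001",
    "key_id": "key-01",
    "calc_id": "calc-0001",
    "calc_token": "constructed-token",
    "calc_protection_key": "00" * 32,
}]


def signed_bytes(user_id, nonce, ciphertext):
    """Unambiguous encoding of the data covered by the first digital signature."""
    uid = user_id.encode()
    return len(uid).to_bytes(2, "big") + uid + nonce + ciphertext


class KeyInfoServer:
    def __init__(self, tables):
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._private_key.public_key()
        self._tables = tables  # user ID -> key information table (list of rows)

    def handle_query(self, request):
        user_id = request["user_id"]
        # Open the first digital envelope to recover the query session key.
        session_key = self._private_key.decrypt(request["envelope"], OAEP)
        table = json.dumps(self._tables.get(user_id, [])).encode()
        nonce = os.urandom(12)
        # Encrypt the table with the session key; the user ID is bound as associated data.
        ciphertext = AESGCM(session_key).encrypt(nonce, table, user_id.encode())
        signature = self._private_key.sign(
            signed_bytes(user_id, nonce, ciphertext), PSS, hashes.SHA256())
        return {"user_id": user_id, "nonce": nonce, "table_ct": ciphertext,
                "signature": signature}


class Client:
    def __init__(self, user_id, server_public_key):
        self.user_id = user_id
        self._server_public_key = server_public_key
        self._session_key = None

    def build_query(self):
        self._session_key = AESGCM.generate_key(bit_length=256)               # S110
        envelope = self._server_public_key.encrypt(self._session_key, OAEP)   # S120
        return {"user_id": self.user_id, "envelope": envelope}                # S130

    def read_result(self, result):                                            # S140
        if result["user_id"] != self.user_id:
            raise ValueError("query result is for a different user ID")
        try:
            # Verify the first digital signature before touching the ciphertext.
            self._server_public_key.verify(
                result["signature"],
                signed_bytes(result["user_id"], result["nonce"], result["table_ct"]),
                PSS, hashes.SHA256())
        except InvalidSignature:
            raise ValueError("server signature check failed") from None
        plaintext = AESGCM(self._session_key).decrypt(                        # S150
            result["nonce"], result["table_ct"], self.user_id.encode())
        self._session_key = None  # a session key serves exactly one query
        return json.loads(plaintext)


def run_query(user_id="user-001"):
    """Run one full query exchange and return the decrypted key information table."""
    server = KeyInfoServer({"user-001": SAMPLE_TABLE})
    client = Client(user_id, server.public_key)
    return client.read_result(server.handle_query(client.build_query()))


if __name__ == "__main__":
    print(run_query())
```

Because the first envelope's content is the session key itself, the sketch wraps that key directly under the server public key rather than adding a second symmetric layer.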
By key information querying method provided by the invention, client can obtain the cipher key information table corresponding with user ID from key information server, on this basis, the present invention also provides a kind of key information processing method, Fig. 3 is the schematic flow sheet of key information processing method of the present invention in embodiment two, the key information processing method of the present embodiment two is described from the angle calculating end, namely illustrates from the angle of cipher key calculation equipment.With reference to Fig. 1, Fig. 3, in the present embodiment two, the processing procedure of cipher key calculation equipment comprises the following steps:
Step S210: the key calculation device obtains the calculation request that the client generates from the data to be calculated and the key information table corresponding to the current user ID;
After the client obtains the key information table from the key information server, the client application API uses this key information table to invoke the private key of the key calculation device to perform a private key calculation. In one optional implementation, the key information table includes the key ID and its corresponding digital certificate, so the client application API can invoke the corresponding private key for the calculation directly through the key ID in the key information table; alternatively, the client application API (such as Microsoft's CryptoAPI) obtains the corresponding key ID through the digital certificate and thereby invokes the corresponding private key for the calculation.
After the client application API determines that the private key corresponding to a certain key ID is to be used for one calculation, the client places an exclusive lock on the row of the key information table corresponding to this key ID; the operations in each of the following steps all refer to operations on this row.
If the client application API is to invoke the private key of the key calculation device to perform a private key calculation, the client needs to generate a calculation request from the data to be calculated and the key information table corresponding to the user ID, and send this calculation request to the key calculation device.
In one optional implementation, the key information table includes a user ID, key ID, calculation protection key, calculation ID and calculation token that correspond to one another. The calculation request sent by the client includes: the user ID, the key ID, and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated. The ciphertext of the data to be calculated is generated by the client encrypting the data to be calculated with the calculation protection key, which ensures the privacy of the data to be calculated.
Step S220: the key calculation device decrypts the second digital envelope with the private key corresponding to the key ID, obtaining the ciphertext of the data to be calculated, the calculation ID and the calculation token;
After the key calculation device obtains the calculation request sent by the client, it decrypts the second digital envelope with the private key corresponding to the key ID in the calculation request and obtains the corresponding data: the ciphertext of the data to be calculated, the calculation ID and the calculation token.
Step S230: the key calculation device sends a calculation authorization request to the key information server;
To verify the legitimacy of the client, that is, the identity legitimacy of the client in the calculation request, the key calculation device sends a calculation authorization request to the key information server. The calculation authorization request includes the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token. After receiving this calculation authorization request, the key information server verifies the legitimacy of the client. Specifically, it decrypts the third digital envelope and obtains the four data items of the calculation authorization request (user ID, key ID, calculation ID and calculation token), then uses these four items as four verification conditions to query the key information table corresponding to the user ID and performs a matching analysis. If a record matching all four conditions can be found in this key information table, the client is legitimate and verification passes.
Step S240: the key calculation device receives the calculation authorization result that the key information server feeds back in response to the calculation authorization request;
After verification passes, the key information server reads the corresponding calculation protection key from the key information table and returns a calculation authorization result to the key calculation device. This calculation authorization result includes the corresponding user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key, which ensures the privacy of the calculation protection key.
Step S250: the key calculation device decrypts the fourth digital envelope with the private key corresponding to the key ID, obtaining the calculation protection key;
Step S260: the key calculation device decrypts the ciphertext of the data to be calculated with the calculation protection key, obtaining the data to be calculated;
After the key calculation device obtains the calculation authorization result fed back by the key information server, it decrypts the fourth digital envelope with the private key corresponding to the key ID and obtains the calculation protection key. It then uses this calculation protection key to decrypt the ciphertext of the data to be calculated in the calculation request sent by the client, thereby obtaining the data to be calculated.
Step S270: the key calculation device performs a calculation on the data to be calculated with the private key corresponding to the key ID, obtains the private key calculation result, and returns the private key calculation result to the client.
After obtaining the data to be calculated, the key calculation device performs a calculation on it with the private key corresponding to the key ID (that is, a private key calculation) and obtains the private key calculation result. It then returns this private key calculation result to the client. The client in turn returns the result to the client application API, which thereby completes one private key calculation performed by invoking the private key of the key calculation device.
Preferably, verification of the user's identity by SMS can also be introduced to strengthen the security of the private key calculation. Specifically, when generating the calculation request, the client can pop up the user ID, key ID and calculation ID on the display and prompt the user to receive an SMS message and enter the verification code from that message in the corresponding dialog box. When sending the calculation authorization request to the key information server, the key calculation device sends the user ID, key ID, calculation ID and verification code by SMS to the mobile phone number bound to this user ID at registration. After receiving the SMS message and checking that the user ID, key ID and calculation ID in it are consistent with the content popped up on the display, the user enters the verification code from the message in the corresponding dialog box of the client. Only after receiving the correct user ID, key ID, calculation ID and verification code from the client within a certain time period does the key calculation device use the private key corresponding to the key ID to perform the calculation on the data to be calculated. In this way the security of the private key calculation is effectively ensured.
In another optional implementation, verification of the user's identity through a mobile phone app (application) can also be introduced to further strengthen the security of the private key calculation. Specifically, when generating the calculation request, the client pops up the user ID, key ID and calculation ID on the display in the form of a QR code and prompts the user to open a specific app on the mobile phone and scan this QR code. When sending the calculation authorization request to the key information server, the key calculation device sends the user ID, key ID and calculation ID to the specific app on the mobile phone whose number was bound to this user ID at registration. After this specific app determines that the user ID, key ID and calculation ID received from the key calculation device are all consistent with the scanned content, it prompts the user to enter a password. After the user enters the password, only when this specific app and the key calculation device successfully authenticate the password to each other does the key calculation device use the private key corresponding to the key ID to perform the calculation on the data to be calculated, which further strengthens the security of the private key calculation.
In Embodiment 2, to further improve the security and reliability of data transmission between the client, the key information server and the key calculation device, more associated key information can also be stored in the key information table. For example, with reference to the key information table provided in Embodiment 1, the key information table in Embodiment 2 includes, in addition to the user ID, key ID, calculation ID, calculation token and calculation protection key, the digital certificate corresponding to the key ID, a data sending address and a result obtaining address. For the specific meaning of each field, refer to Embodiment 1; it is not repeated here.
On this basis, when carrying out step S210 above, the client can send the calculation request to the data sending address, and the key calculation device can then obtain the calculation request directly from the data sending address.
In one optional implementation, the calculation request may include: the user ID; the key ID; a second digital envelope generated from the public key corresponding to the key ID, the ciphertext of the data to be calculated, the calculation ID, the calculation token and the result obtaining address; and a message authentication code computed over the user ID, key ID and second digital envelope with the calculation protection key, that is, a message authentication code generated from the calculation protection key, user ID, key ID and second digital envelope. After the key calculation device decrypts the second digital envelope with the private key corresponding to the key ID, it can obtain the ciphertext of the data to be calculated, the calculation ID, the calculation token and the result obtaining address.
Compared with the calculation request described earlier, the calculation request in this implementation introduces the result obtaining address and a digital signature, which improves data integrity and credibility and further improves the reliability and security of the subsequent client verification and private key calculation.
In one optional implementation, the calculation authorization request also includes a second digital signature generated from the private key corresponding to the key ID, the user ID, the key ID and the third digital envelope. Specifically, to verify the identity legitimacy of the client in the calculation request, the key calculation device sends a calculation authorization request to the key information server; in this implementation the calculation authorization request comprises the following four parts:
(1) the user ID; (2) the key ID; (3) a third digital envelope made over the calculation ID and calculation token with the key information server public key; (4) a second digital signature made over parts (1), (2) and (3) with the private key corresponding to the key ID.
The calculation authorization request in this implementation has higher integrity and reliability. After accepting this calculation authorization request, the key information server verifies the second digital signature with the digital certificate corresponding to the key ID. After verification passes, it decrypts the third digital envelope in the calculation authorization request with the key information server private key and obtains the calculation ID and calculation token. The key information server then queries the key information table corresponding to the user ID using the four conditions in the calculation authorization request (user ID, key ID, calculation ID and calculation token) and performs a matching analysis. If a record matching all four conditions can be found in this key information table, the client is legitimate and verification passes; the server then reads the calculation protection key from the key information table and returns a calculation authorization result to the key calculation device.
In one optional implementation, the calculation authorization result includes: the user ID; the key ID; a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key; and a third digital signature generated from the key information server private key, the user ID, the key ID and the fourth digital envelope. Specifically, the calculation authorization result comprises the following four parts:
(1) the user ID; (2) the key ID; (3) a fourth digital envelope made over the calculation ID and calculation protection key with the public key corresponding to the key ID; (4) a third digital signature made over parts (1), (2) and (3) with the key information server private key.
In this optional implementation, the calculation authorization result that the key information server feeds back to the key calculation device has higher integrity and reliability. After receiving this calculation authorization result, the key calculation device verifies the third digital signature in it with the key information server public key; after verification passes, it decrypts the fourth digital envelope with the private key corresponding to the key ID and obtains the calculation ID and calculation protection key.
Further, the calculation token can also be added to the calculation authorization result, that is, the fourth digital envelope is made over the calculation ID, calculation token and calculation protection key with the public key corresponding to the key ID. The data fed back by the key information server then contains two factors that change with each calculation, the calculation ID and the calculation token, which makes the data more reliable.
In one optional implementation, because the calculation request received by the key calculation device includes a message authentication code, the key calculation device first verifies the message authentication code with the calculation protection key before decrypting the ciphertext of the data to be calculated. After verification passes, the key calculation device decrypts the ciphertext of the data to be calculated with the calculation protection key and obtains the data to be calculated.
In one optional implementation, when the key calculation device has obtained the private key calculation result and returns it to the client, it does not send the private key calculation result to the client directly, but feeds it back in the following manner:
First, the key calculation device encrypts the private key calculation result with the calculation protection key, obtaining the private key calculation result ciphertext;
Then, it generates a calculation result from the user ID, key ID, calculation ID and private key calculation result ciphertext;
Finally, the key calculation device sends the calculation result to the result obtaining address given in the calculation request; the client obtains the calculation result from the result obtaining address and decrypts it to obtain the private key calculation result.
Preferably, the calculation result can also include a fourth digital signature made over the user ID, key ID, calculation ID and private key calculation result ciphertext with the private key corresponding to the key ID, to ensure the integrity and credibility of the data. After the client obtains the calculation result from the result obtaining address, it verifies the fourth digital signature in the calculation result with the digital certificate corresponding to the key ID; after verification passes, the client decrypts the private key calculation result ciphertext in the calculation result with the calculation protection key corresponding to the key ID, thereby obtaining the private key calculation result.
Fig. 4 is a schematic flowchart of the key information processing method of the invention in Embodiment 3, which is described from the perspective of the service end, that is, from the perspective of the key information server. With reference to Fig. 1 and Fig. 4, in Embodiment 3 the processing performed by the key information server comprises the following steps:
Step S310: the key information server receives the calculation authorization request sent by the key calculation device;
When a private key calculation is to be performed, the key calculation device sends a calculation authorization request to the key information server in order to verify the legitimacy of the client. The calculation authorization request includes the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token. The key information server receives this calculation authorization request.
Step S320: the key information server decrypts the third digital envelope with the key information server private key, obtaining the user ID, the key ID, the calculation ID and the calculation token;
After receiving the calculation authorization request sent by the key calculation device, the key information server decrypts the third digital envelope in the calculation authorization request with the key information server private key and obtains the corresponding data, comprising four items: the user ID, key ID, calculation ID and calculation token.
Step S330, the cipher key information table that key information server is corresponding with user ID according to user ID, key ID, calculating ID and computational token carries out the matching analysis, the legitimacy of checking client;
After key information server obtains this 4 item number certificate of user ID, key ID, calculating ID and computational token calculated in authorization requests, using this 4 item number according to as cipher key information table corresponding to 4 verification condition inquiring user ID, carry out the matching analysis, if the record that 4 conditions are all mated can be found in this cipher key information table, then show that client is legal, is verified.
Step S340, if be verified, then described key information server sends to described cipher key calculation equipment and calculates Authorization result.
After being verified, key information server reads in cipher key information table and calculates Protective Key accordingly, and returns calculating Authorization result to cipher key calculation equipment.This calculating Authorization result comprise corresponding user ID, key ID and according to PKI corresponding to key ID, calculate ID, calculate the 4th digital envelope that Protective Key generates, ensure with this privacy calculating Protective Key.
In Embodiment 3, to further improve the security and reliability of data transmission between the key information server and the key calculation device, more associated key information can also be stored in the key information table. For example, with reference to the key information table provided in Embodiment 1, the key information table in Embodiment 3 includes, in addition to the user ID, key ID and calculation protection key, the calculation ID, the calculation token and the digital certificate corresponding to the key ID, and may further include a data sending address and a result obtaining address. For the specific meaning of each field, refer to Embodiment 1; it is not repeated here. In one optional implementation, the calculation authorization request also includes a second digital signature generated from the private key corresponding to the key ID, the user ID, the key ID and the third digital envelope, which ensures the integrity and credibility of the data.
In one optional implementation, before performing the matching analysis, that is, before verifying the legitimacy of the client, the key information server first verifies the second digital signature with the digital certificate corresponding to the key ID. After the second digital signature is verified, it decrypts the third digital envelope with the key information server private key and obtains the user ID, key ID, calculation ID and calculation token. The key information server can then perform the matching analysis of the user ID, key ID, calculation ID and calculation token against the key information table corresponding to the user ID, that is, query the key information table corresponding to the user ID using the four conditions in the calculation authorization request (user ID, key ID, calculation ID and calculation token). If a record matching all four conditions can be found in this key information table, the client is legitimate and verification passes; the server then reads the calculation protection key from the key information table and returns a calculation authorization result to the key calculation device.
In one optional implementation, the calculation authorization result includes: the user ID; the key ID; a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key; and a third digital signature generated from the key information server private key, the user ID, the key ID and the fourth digital envelope. For the specific principle, refer to the description in Embodiment 2; it is not repeated here.
Preferably, the key information server updates the key information table corresponding to the user ID after sending the calculation authorization result to the key calculation device. For example, immediately after successfully returning one calculation authorization result, the key information server updates the corresponding record of this user ID's key information table according to the user ID and key ID in the calculation authorization result. An exclusive lock must be placed on this row during the update, and the update consists of generating a brand-new calculation ID, calculation token and calculation protection key.
Further, the calculation token can also be added to the calculation authorization result, that is, the fourth digital envelope is made over the calculation ID, calculation token and calculation protection key with the public key corresponding to the key ID. The data fed back by the key information server then contains several factors that change with each calculation and is not easily forged, which makes the data more reliable.
Preferably, after successfully completing a private key calculation, or after an error occurs in a private key calculation, the client updates its local key information table through the key information query method provided in Embodiment 1. During the update, an exclusive lock must be placed on every record involved in the update.
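The four-condition match of steps S330 and S340, the one-time update of the calculation ID, calculation token and calculation protection key, and the message authentication code check that the key calculation device performs before decryption are modelled below as an added Python example (not code from the patent). It assumes the digital envelopes and signatures have already been opened and verified, so the calculation ID and token travel beside an opaque envelope; HMAC-SHA256, the length-prefixed field encoding and all class, function and field names are this example's own choices.

```python
import hashlib
import hmac
import secrets
import threading
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    """One row of the key information table (field names are this example's own)."""
    user_id: str
    key_id: str
    calc_id: bytes
    calc_token: bytes
    protection_key: bytes
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False)


def fresh_values():
    """New calculation ID, calculation token and calculation protection key."""
    return secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(32)


class KeyInfoServer:
    """Models only the table logic; envelope and signature handling is assumed done."""

    def __init__(self):
        self._table = {}  # (user_id, key_id) -> KeyRecord

    def register(self, user_id, key_id):
        self._table[(user_id, key_id)] = KeyRecord(user_id, key_id, *fresh_values())

    def query(self, user_id, key_id):
        """What the client holds after the Embodiment 1 query has been decrypted."""
        rec = self._table[(user_id, key_id)]
        with rec.lock:
            return {"calc_id": rec.calc_id, "calc_token": rec.calc_token,
                    "protection_key": rec.protection_key}

    def authorize(self, user_id, key_id, calc_id, calc_token):
        """Release the protection key only if all four conditions match, then rotate."""
        rec = self._table.get((user_id, key_id))
        if rec is None:
            return None
        with rec.lock:  # exclusive lock on the row for the check and the update
            id_ok = hmac.compare_digest(rec.calc_id, calc_id)
            token_ok = hmac.compare_digest(rec.calc_token, calc_token)
            if not (id_ok and token_ok):
                return None
            released = rec.protection_key
            rec.calc_id, rec.calc_token, rec.protection_key = fresh_values()
            return released


def request_mac(protection_key, user_id, key_id, envelope):
    """MAC over user ID, key ID and envelope; length prefixes keep field boundaries unambiguous."""
    mac = hmac.new(protection_key, digestmod=hashlib.sha256)
    for part in (user_id.encode(), key_id.encode(), envelope):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def build_request(server, user_id, key_id, envelope):
    """Client side: take the current one-time values and MAC the request."""
    row = server.query(user_id, key_id)
    return {"user_id": user_id, "key_id": key_id, "envelope": envelope,
            "calc_id": row["calc_id"], "calc_token": row["calc_token"],
            "mac": request_mac(row["protection_key"], user_id, key_id, envelope)}


def device_accepts(server, req):
    """Key calculation device: authorize first, then verify the MAC before any decryption."""
    key = server.authorize(req["user_id"], req["key_id"], req["calc_id"], req["calc_token"])
    if key is None:
        return False
    expected = request_mac(key, req["user_id"], req["key_id"], req["envelope"])
    return hmac.compare_digest(expected, req["mac"])


def demo():
    server = KeyInfoServer()
    server.register("alice", "key-01")                # constructed sample identifiers
    envelope = b"<opaque second digital envelope>"    # constructed placeholder bytes
    first = build_request(server, "alice", "key-01", envelope)
    results = {"first": device_accepts(server, first)}
    results["replay"] = device_accepts(server, first)  # values already rotated
    fresh = build_request(server, "alice", "key-01", envelope)
    tampered = dict(fresh, envelope=envelope + b"x")   # envelope altered in transit
    results["tampered"] = device_accepts(server, tampered)
    results["stale"] = device_accepts(server, fresh)   # consumed by the failed attempt
    refreshed = build_request(server, "alice", "key-01", envelope)
    results["refreshed"] = device_accepts(server, refreshed)
    return results


if __name__ == "__main__":
    print(demo())
```

A request that passes the four-condition match but fails the message authentication code check still consumes the one-time values, which is why the client refreshes its local key information table after an error as well as after a success.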
In summary, with the key information query method and key information processing method provided by the invention, there is no need to modify the code of existing PC-side cryptographic applications, which helps promote the application of mobile digital certificate technology. With the rapid development of new computing devices such as tablet computers and smartphones, USBKey hardware and its drivers have difficulty adapting to the various new hardware interfaces, mainboards and operating system environments, whereas the technical solution provided by the invention can be used wherever network access is available, allowing digital certificates to be applied in more non-standard Windows environments, and therefore has high application value.
Corresponding to the key information query method of the invention described above, the invention also provides a key information query apparatus, which is described in detail below with reference to the accompanying drawings and preferred embodiments.
Fig. 5 is a schematic structural diagram of the key information query apparatus of the invention in Embodiment 4. As shown in Fig. 5, the key information query apparatus in this embodiment comprises a client 1000, and the client 1000 comprises:
a query session key generation module 110, configured to randomly generate a query session key;
a first encryption module 120, configured to generate a first digital envelope from the key information server public key and the query session key;
a query request generation module 130, configured to generate a query request from the first digital envelope and the current user ID of the client;
a first sending module 140, configured to send the query request to the key information server;
a first receiving module 150, configured to receive the query result that the key information server returns in response to the query request, the query result including the user ID and the key information table encrypted with the query session key;
a first decryption module 160, configured to decrypt the encrypted key information table with the query session key, obtaining the key information table corresponding to the user ID.
The key information query apparatus in Embodiment 4 can perform the key information query method provided by Embodiment 1 of the invention and has the functional modules and beneficial effects corresponding to that method, which are not repeated here.
The invention also provides a key information processing apparatus. Fig. 6 is a schematic structural diagram of the key information processing apparatus of the invention in Embodiment 5. As shown in Fig. 6, the key information processing apparatus comprises a key calculation device 2000, and the key calculation device 2000 comprises:
an acquisition module 210, configured to obtain the calculation request that the client generates from the data to be calculated and the key information table corresponding to the current user ID; the key information table includes a user ID, key ID, calculation protection key, calculation ID and calculation token that correspond to one another; the calculation request includes the user ID, the key ID, and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated; the ciphertext of the data to be calculated is generated by the client encrypting the data to be calculated with the calculation protection key;
a second decryption module 220, configured to decrypt the second digital envelope with the private key corresponding to the key ID, obtaining the ciphertext of the data to be calculated, the calculation ID and the calculation token;
a second sending module 230, configured to send a calculation authorization request to the key information server; the calculation authorization request includes the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
a second receiving module 240, configured to receive the calculation authorization result that the key information server feeds back in response to the calculation authorization request; the calculation authorization result includes the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
a third decryption module 250, configured to decrypt the fourth digital envelope with the private key corresponding to the key ID, obtaining the calculation protection key;
a fourth decryption module 260, configured to decrypt the ciphertext of the data to be calculated with the calculation protection key, obtaining the data to be calculated;
a calculation module 270, configured to perform a calculation on the data to be calculated with the private key corresponding to the key ID, obtaining the private key calculation result;
a third sending module 280, configured to return the private key calculation result to the client.
The key information processing apparatus in Embodiment 5 can perform the key information processing method provided by Embodiment 2 of the invention and has the functional modules and beneficial effects corresponding to that method, which are not repeated here.
Fig. 7 is a schematic structural diagram of the key information processing apparatus of the invention in Embodiment 6. As shown in Fig. 6, the key information processing apparatus comprises a key information server 3000, and the key information server 3000 comprises:
a third receiving module 310, configured to receive the calculation authorization request sent by the key calculation device; the calculation authorization request includes the user ID, the key ID, and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
a fifth decryption module 320, configured to decrypt the third digital envelope with the key information server private key, obtaining the user ID, the key ID, the calculation ID and the calculation token;
a verification module 330, configured to perform a matching analysis of the user ID, key ID, calculation ID and calculation token against the key information table corresponding to the user ID, verifying the legitimacy of the client; the key information table includes the user ID, key ID, calculation ID, calculation token and calculation protection key;
a fourth sending module 340, configured to send a calculation authorization result to the key calculation device when the verification module's verification passes; the calculation authorization result includes the user ID, the key ID, and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
a fourth receiving module 350, configured to receive the query request sent by the client;
a fifth sending module 360, configured to send to the client the query result generated in response to the query request; the query result includes the user ID and the encrypted key information table;
an update module 370, configured to update the key information table corresponding to the user ID after the fourth sending module sends the calculation authorization result to the key calculation device.
The key information processing apparatus in Embodiment 6 can perform the key information query method provided by Embodiment 1 of the invention and the key information processing method provided by Embodiment 3, and has the functional modules and beneficial effects corresponding to those methods, which are not repeated here.
The invention also provides a key information management system. Fig. 8 is a schematic structural diagram of the key information management system of the invention in Embodiment 7. As shown in Fig. 8, the key information query apparatus in this embodiment comprises the key information query apparatus of Embodiment 4 above, the key information processing apparatus of Embodiment 5 and the key information processing apparatus of Embodiment 6. This key information management system can perform the key information query method and key information processing method provided by the embodiments of the invention and has the functional modules and beneficial effects corresponding to those methods.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be noted that a person of ordinary skill in the art can make several variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention. Therefore, the protection scope of this patent shall be determined by the claims.

Claims (20)

1. A key information query method, characterized in that it comprises the following steps:
A client randomly generates a query session key;
A first digital envelope is generated from the key information server public key and the query session key;
A query request is generated from the first digital envelope and the current user ID of the client, and the query request is sent to the key information server;
The client receives the query result returned by the key information server in response to the query request; the query result comprises the user ID and a key information table encrypted with the query session key;
The client decrypts the encrypted key information table with the query session key to obtain the key information table corresponding to the user ID.
2. The key information query method according to claim 1, characterized in that the query result further comprises a first digital signature generated from the key information server private key, the user ID and the encrypted key information table; before decrypting the encrypted key information table, the client also performs a step of verifying the first digital signature with the key information server public key.
3. A key information processing method, characterized in that it comprises the following steps:
A key calculation device obtains a computation request that a client generates from the data to be calculated and the key information table corresponding to the current user ID; the key information table comprises a user ID, a key ID, a calculation protection key, a calculation ID and a calculation token that correspond to one another; the computation request comprises the user ID, the key ID and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated; the ciphertext of the data to be calculated is generated by the client encrypting the data to be calculated with the calculation protection key;
The key calculation device decrypts the second digital envelope with the private key corresponding to the key ID to obtain the ciphertext of the data to be calculated, the calculation ID and the calculation token;
The key calculation device sends a calculation authorization request to the key information server; the calculation authorization request comprises the user ID, the key ID and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
The key calculation device receives the calculation authorization result that the key information server returns in response to the calculation authorization request; the calculation authorization result comprises the user ID, the key ID and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
The key calculation device decrypts the fourth digital envelope with the private key corresponding to the key ID to obtain the calculation protection key;
The key calculation device decrypts the ciphertext of the data to be calculated with the calculation protection key to obtain the data to be calculated;
The key calculation device performs the calculation on the data to be calculated with the private key corresponding to the key ID to obtain a private key calculation result, and returns the private key calculation result to the client.
4. The key information processing method according to claim 3, characterized in that:
The key information table further comprises a digital certificate corresponding to the key ID, a data sending address and a result retrieval address.
5. The key information processing method according to claim 4, characterized in that the client sends the computation request to the data sending address, and the key calculation device obtains the computation request from the data sending address.
6. The key information processing method according to claim 4, characterized in that:
The computation request comprises: the user ID; the key ID; a second digital envelope generated from the public key corresponding to the key ID, the ciphertext of the data to be calculated, the calculation ID, the calculation token and the result retrieval address; and a message authentication code generated from the calculation protection key, the user ID, the key ID and the second digital envelope.
The key calculation device decrypts the second digital envelope with the private key corresponding to the key ID to obtain the ciphertext of the data to be calculated, the calculation ID, the calculation token and the result retrieval address.
7. The key information processing method according to claim 6, characterized in that:
The calculation authorization request further comprises a second digital signature generated from the private key corresponding to the key ID, the user ID, the key ID and the third digital envelope.
8. The key information processing method according to claim 6, characterized in that:
The calculation authorization result comprises: the user ID; the key ID; a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key; and a third digital signature generated from the key information server private key, the user ID, the key ID and the fourth digital envelope;
The key calculation device verifies the third digital signature with the key information server public key and, after verification succeeds, decrypts the third digital envelope with the private key corresponding to the key ID to obtain the calculation ID and the calculation protection key.
9. The key information processing method according to claim 6, characterized in that, before the key calculation device decrypts the ciphertext of the data to be calculated with the calculation protection key, the key calculation device verifies the message authentication code with the calculation protection key.
10. The key information processing method according to claim 8 or claim 9, characterized in that the process of returning the private key calculation result to the client comprises:
The key calculation device encrypts the private key calculation result with the calculation protection key to obtain a private key calculation result ciphertext;
The key calculation device generates a calculation result from the user ID, the key ID, the calculation ID and the private key calculation result ciphertext;
The key calculation device sends the calculation result to the result retrieval address, and the client obtains the calculation result from the result retrieval address and decrypts it to obtain the private key calculation result.
11. The key information processing method according to claim 10, characterized in that the calculation result further comprises a fourth digital signature generated from the private key corresponding to the key ID, the user ID, the key ID, the calculation ID and the private key calculation result ciphertext.
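The message authentication code of claims 6 and 9, sketched as an added example that is not part of the patent text. HMAC-SHA256, the length-prefixed field framing and all function names are assumptions chosen here; the second digital envelope is treated as opaque bytes and the sample values are constructed.

```python
import hashlib
import hmac
import struct


def frame(*fields: bytes) -> bytes:
    """Length-prefix each field so field boundaries are part of the MAC input.

    Without framing, ("alice1", "k") and ("alice", "1k") would concatenate to
    the same bytes and therefore share one MAC.
    """
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def request_mac(protection_key: bytes, user_id: str, key_id: str,
                envelope: bytes) -> bytes:
    """MAC over user ID, key ID and the second digital envelope (claim 6)."""
    message = frame(user_id.encode("utf-8"), key_id.encode("utf-8"), envelope)
    return hmac.new(protection_key, message, hashlib.sha256).digest()


def build_request(protection_key: bytes, user_id: str, key_id: str,
                  envelope: bytes) -> dict:
    """Client side: assemble the computation request and attach the MAC."""
    return {
        "user_id": user_id,
        "key_id": key_id,
        "envelope": envelope,
        "mac": request_mac(protection_key, user_id, key_id, envelope),
    }


def verify_request(protection_key: bytes, request: dict) -> bool:
    """Device side (claim 9): check the MAC before decrypting the data.

    The device only holds the calculation protection key after the server's
    authorization result arrives, so this check sits between opening the
    fourth digital envelope and decrypting the data ciphertext.
    """
    mac = request.get("mac")
    if not isinstance(mac, bytes):
        return False
    expected = request_mac(protection_key, request["user_id"],
                           request["key_id"], request["envelope"])
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return hmac.compare_digest(expected, mac)


# Constructed sample values, for illustration only.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ENVELOPE = b"opaque-second-digital-envelope"

if __name__ == "__main__":
    req = build_request(SAMPLE_KEY, "alice", "key-1", SAMPLE_ENVELOPE)
    print("untouched request accepted:", verify_request(SAMPLE_KEY, req))
    print("altered key ID accepted:",
          verify_request(SAMPLE_KEY, dict(req, key_id="key-2")))
```

A request whose user ID, key ID or envelope was altered in transit fails this check, so the device never decrypts or signs data for a mismatched header.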
12. A key information processing method, characterized in that it comprises the following steps:
A key information server receives a calculation authorization request sent by a key calculation device; the calculation authorization request comprises a user ID, a key ID and a third digital envelope generated from the key information server public key, a calculation ID and a calculation token;
The key information server decrypts the third digital envelope with the key information server private key to obtain the user ID, the key ID, the calculation ID and the calculation token;
The key information server matches the user ID, the key ID, the calculation ID and the calculation token against the key information table corresponding to the user ID to verify the legitimacy of the client; the key information table comprises a user ID, a key ID, a calculation ID, a calculation token and a calculation protection key;
If verification succeeds, the key information server sends a calculation authorization result to the key calculation device; the calculation authorization result comprises the user ID, the key ID and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key.
13. The key information processing method according to claim 12, characterized in that:
The key information table further comprises a digital certificate corresponding to the key ID, and the calculation authorization request further comprises a second digital signature generated from the private key corresponding to the key ID, the user ID, the key ID and the third digital envelope.
14. The key information processing method according to claim 12, characterized in that the key information server verifies the second digital signature with the digital certificate corresponding to the key ID, and decrypts the third digital envelope only after the second digital signature has been verified.
15. The key information processing method according to claim 13 or 14, characterized in that the calculation authorization result comprises: the user ID; the key ID; a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key; and a third digital signature generated from the key information server private key, the user ID, the key ID and the fourth digital envelope.
16. The key information processing method according to claim 12, characterized in that the key information server updates the key information table corresponding to the user ID after sending the calculation authorization result to the key calculation device.
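The server-side matching of claim 12 and the table update of claim 16, as an added example that is not part of the patent text. It assumes the update replaces the calculation ID, calculation token and calculation protection key after each authorization, so a captured request cannot be replayed; the claims do not say what the update changes. Class and method names are hypothetical, and the digital envelopes are omitted so the logic runs on already-decrypted fields.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KeyInfoRow:
    """One row of the key information table (fields listed in claim 12)."""
    user_id: str
    key_id: str
    calc_id: str
    calc_token: bytes
    protection_key: bytes


class KeyInfoServer:
    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str], KeyInfoRow] = {}

    def issue(self, user_id: str, key_id: str) -> KeyInfoRow:
        """Create or replace the row for (user, key) with fresh random values."""
        row = KeyInfoRow(user_id, key_id,
                         calc_id=secrets.token_hex(8),
                         calc_token=secrets.token_bytes(16),
                         protection_key=secrets.token_bytes(32))
        self._table[(user_id, key_id)] = row
        return row

    def query(self, user_id: str) -> List[KeyInfoRow]:
        """What the client would receive, after decryption, from claim 1."""
        return [r for (uid, _), r in self._table.items() if uid == user_id]

    def authorize(self, user_id: str, key_id: str, calc_id: str,
                  calc_token: bytes) -> Optional[Tuple[str, bytes]]:
        """Match the request against the table; return what goes into the
        fourth digital envelope (calculation ID, protection key) or None."""
        row = self._table.get((user_id, key_id))
        if row is None:
            return None
        # Evaluate both comparisons in constant time before deciding.
        id_ok = hmac.compare_digest(row.calc_id.encode(), calc_id.encode())
        token_ok = hmac.compare_digest(row.calc_token, calc_token)
        if not (id_ok and token_ok):
            return None
        grant = (row.calc_id, row.protection_key)
        # Assumed form of the claim 16 update: rotate every per-calculation
        # value so the token just presented is no longer valid.
        self.issue(user_id, key_id)
        return grant


if __name__ == "__main__":
    server = KeyInfoServer()
    row = server.issue("alice", "key-1")  # constructed sample identifiers
    print("first use:", server.authorize("alice", "key-1",
                                         row.calc_id, row.calc_token) is not None)
    print("replay:", server.authorize("alice", "key-1",
                                      row.calc_id, row.calc_token) is not None)
```

After a successful authorization the client has to run the query of claim 1 again to learn the new calculation ID and token before it can submit another request.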
17. A key information query device, characterized in that it comprises a client, the client comprising:
A query session key generation module, for randomly generating a query session key;
A first encryption module, for generating a first digital envelope from the key information server public key and the query session key;
A query request generation module, for generating a query request from the first digital envelope and the current user ID of the client;
A first sending module, for sending the query request to the key information server;
A first receiving module, for receiving the query result returned by the key information server in response to the query request; the query result comprises the user ID and a key information table encrypted with the query session key;
A first decryption module, for decrypting the encrypted key information table with the query session key to obtain the key information table corresponding to the user ID.
18. A key information processing device, characterized in that it comprises a key calculation device, the key calculation device comprising:
An acquisition module, for obtaining a computation request that a client generates from the data to be calculated and the key information table corresponding to the current user ID; the key information table comprises a user ID, a key ID, a calculation protection key, a calculation ID and a calculation token that correspond to one another; the computation request comprises the user ID, the key ID and a second digital envelope generated from the public key corresponding to the key ID, the calculation ID, the calculation token and the ciphertext of the data to be calculated; the ciphertext of the data to be calculated is generated by the client encrypting the data to be calculated with the calculation protection key;
A second decryption module, for decrypting the second digital envelope with the private key corresponding to the key ID to obtain the ciphertext of the data to be calculated, the calculation ID and the calculation token;
A second sending module, for sending a calculation authorization request to the key information server; the calculation authorization request comprises the user ID, the key ID and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
A second receiving module, for receiving the calculation authorization result that the key information server returns in response to the calculation authorization request; the calculation authorization result comprises the user ID, the key ID and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
A third decryption module, for decrypting the fourth digital envelope with the private key corresponding to the key ID to obtain the calculation protection key;
A fourth decryption module, for decrypting the ciphertext of the data to be calculated with the calculation protection key to obtain the data to be calculated;
A calculation module, for performing the calculation on the data to be calculated with the private key corresponding to the key ID to obtain a private key calculation result;
A third sending module, for returning the private key calculation result to the client.
19. A key information processing device, characterized in that it comprises a key information server, the key information server comprising:
A third receiving module, for receiving a calculation authorization request sent by a key calculation device; the calculation authorization request comprises the user ID, the key ID and a third digital envelope generated from the key information server public key, the calculation ID and the calculation token;
A fifth decryption module, for decrypting the third digital envelope with the key information server private key to obtain the user ID, the key ID, the calculation ID and the calculation token;
A verification module, for matching the user ID, the key ID, the calculation ID and the calculation token against the key information table corresponding to the user ID to verify the legitimacy of the client; the key information table comprises a user ID, a key ID, a calculation ID, a calculation token and a calculation protection key;
A fourth sending module, for sending a calculation authorization result to the key calculation device when the verification module's verification succeeds; the calculation authorization result comprises the user ID, the key ID and a fourth digital envelope generated from the public key corresponding to the key ID, the calculation ID and the calculation protection key;
A fourth receiving module, for receiving the query request sent by a client;
A fifth sending module, for sending to the client the query result generated in response to the query request; the query result comprises the user ID and the encrypted key information table;
An update module, for updating the key information table corresponding to the user ID after the fourth sending module sends the calculation authorization result to the key calculation device.
20. A key information management system, characterized in that it comprises the key information query device according to claim 17, the key information processing device according to claim 18 and the key information processing device according to claim 19.
CN201511034818.6A 2015-12-31 2015-12-31 Key information processing method and device, key information management system Active CN105553654B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511034818.6A CN105553654B (en) 2015-12-31 2015-12-31 Key information processing method and device, key information management system

Publications (2)

Publication Number Publication Date
CN105553654A true CN105553654A (en) 2016-05-04
CN105553654B CN105553654B (en) 2019-09-03

Family

ID=55832597

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511034818.6A Active CN105553654B (en) 2015-12-31 2015-12-31 Key information processing method and device, key information management system

Country Status (1)

Country Link
CN (1) CN105553654B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 510000 Guangdong city of Guangzhou province Yuexiu District ho Yin Road No. 101 building 3A room 18

Applicant after: GUANGDONG AUTHENTICATION TECHNOLOGY CO., LTD.

Applicant after: Age of security Polytron Technologies Inc

Address before: 510000 Guangdong city of Guangzhou province Yuexiu District ho Yin Road No. 101 building 3A room 18

Applicant before: GUANGDONG AUTHENTICATION TECHNOLOGY CO., LTD.

Applicant before: Guangdong Certificate Authority Center Co., Ltd.

COR Change of bibliographic data
GR01 Patent grant