CN105812388A - Managing method and system for user certificate and private key - Google Patents

Publication number: CN105812388A
Authority: CN (China)
Prior art keywords: user, private key, certificate, unique index, grades
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610320149.7A
Other languages: Chinese (zh)
Other versions: CN105812388B (en)
Inventor: 谭智勇
Current Assignee: Agricultural Bank of China (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Agricultural Bank of China
Application filed by Agricultural Bank of China
Priority to CN201610320149.7A
Publication of CN105812388A
Application granted; publication of CN105812388B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and system for managing a user certificate and private key. The method comprises the following steps: when certificate request information encrypted with a first public key is acquired, a first random code is generated and sent to the user; the certificate request information, a user unique index identifier and the first random code sent by the user are acquired; whether the user unique index identifier exists in a database is determined, and if not, a message indicating that the user unique index identifier check succeeded is sent to the user; second-level private key data, the first random code and a second public key sent by the user are acquired, where the second-level private key data is the private key data corresponding to the second public key, encrypted with a symmetric key; the certificate request information, the user unique index identifier, the second public key and the second-level private key data are written into a certificate request list pending approval. The method effectively guarantees the security of the user's private key data.

Description

Method and system for managing user certificates and private keys
Technical field
The present invention relates to the field of digital certificate technology, and specifically to a server-side method and system for managing user certificates and private keys, suitable for modes such as cloud computing and transparent computing.
Background
With the development of computer, network and virtual computing technologies, traditional forms of computing have changed greatly. Mobile computing and mobile network terminals, represented by mobile phones and personal tablets, are gradually on the rise, and cloud computing and transparent computing have also developed considerably. How to ensure the information security of client systems in modes such as cloud computing and transparent computing has become a problem that the information technology field urgently needs to solve.
The public key infrastructure (hereinafter PKI) system is currently recognized in the industry as a feasible and effective measure for securing networks and information systems in an open network environment. The system uses the principles and techniques of public/private key cryptography to implement and provide general-purpose security services. In modes such as cloud computing or transparent computing, the client either has no local storage capability or has no reliable local storage capability, so storing the user certificate and private key locally is problematic for security. In addition, because of the particular nature of mobile terminal device interfaces, directly connecting a common USB-KEY device (a hardware device with a USB interface) also faces considerable obstacles, so directly applying a traditional PKI deployment scheme runs into implementation obstacles.
Summary of the invention
In view of this, embodiments of the present invention provide a method and system for managing user certificates and private keys, to solve the security problem of storing user certificates and private keys locally.
To achieve the above object, the embodiments of the present invention provide the following technical solution:
A method for managing user certificates and private keys, comprising:
Obtaining request information sent by a user;
When the request information is certificate request information encrypted with a first public key:
Generating a first random code, encrypting it with a first private key and sending it to the user, where the first public key and the first private key form a public/private key pair;
Obtaining the certificate request information, user unique index identifier and first random code sent by the user, encrypted with the first public key;
Determining whether the user unique index identifier exists in the database; if so, sending the user a message, encrypted with the first private key, indicating that the user unique index identifier check failed; otherwise, sending the user a message, encrypted with the first private key, indicating that the user unique index identifier check succeeded;
Obtaining the second-level private key data, the first random code and a second public key sent by the user, encrypted with the first public key, where the second-level private key data is the private key data corresponding to the second public key after encryption with a symmetric key;
Writing the certificate request information, user unique index identifier, second public key and second-level private key data into the pending certificate request list.
Preferably, the above method for managing user certificates and private keys further comprises:
Obtaining certificate and private key data request information sent by the user, encrypted with the first public key;
Generating a second random code, encrypting it with the first private key and sending it to the user;
Obtaining the user unique index identifier and the second random code sent by the user, encrypted with the first public key;
Determining whether the user unique index identifier exists in the database; if so, sending the user the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, sending the user a message, encrypted with the first private key, indicating that the requested operation failed.
Preferably, in the above method, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether, within a preset time period, a message is received from the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, sending the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user again.
Preferably, in the above method, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether a message is received from the user requesting modification of the certificate private key data encryption key; if so, continuing;
Generating a third random code, encrypting it with the first private key and sending it to the user;
Obtaining the user unique index identifier and the second-level third random code sent by the user, encrypted with the first public key, where the second-level third random code is the third random code after being encrypted with the private key data;
Decrypting, with the first private key, the user unique index identifier and the second-level third random code that were encrypted with the first public key;
Determining whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypting the second-level third random code with the second public key to obtain a random plaintext and determining whether the random plaintext matches the third random code; if it matches, sending the user a message, encrypted with the first private key, indicating that the request to modify the user's private key data encryption key was verified successfully; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext does not match the third random code, sending the user a message, encrypted with the first private key, indicating that the requested operation failed;
Obtaining new second-level private key data and the third random code sent by the user, encrypted with the first public key, where the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key;
Updating the second-level private key data with the new second-level private key data.
Preferably, in the above method, the user unique index identifier is unique data information that characterizes the user's information.
A system for managing user certificates and private keys, comprising:
An acquisition unit, for obtaining data information sent by the user;
An information sending unit, for sending data information to the user;
A first data processing unit, for generating a first random code when the acquisition unit obtains certificate request information encrypted with the first public key, encrypting it with the first private key and sending it to the user through the information sending unit, where the first public key and the first private key form a public/private key pair;
A second data processing unit, for determining, when the acquisition unit obtains the certificate request information, user unique index identifier and first random code encrypted with the first public key, whether the user unique index identifier exists in the database; if so, sending the user, through the information sending unit, a message encrypted with the first private key indicating that the user unique index identifier check failed; otherwise, sending the user, through the information sending unit, a message encrypted with the first private key indicating that the user unique index identifier check succeeded;
A third data processing unit, for writing the certificate request information, user unique index identifier, second public key and second-level private key data into the pending certificate request list when the acquisition unit obtains the second-level private key data, the first random code and the second public key encrypted with the first public key, where the second-level private key data is the private key data corresponding to the second public key after encryption with a symmetric key.
Preferably, in the above system for managing user certificates and private keys, the first data processing unit is further used for:
When the acquisition unit obtains a user certificate and private key data acquisition protocol message encrypted with the first public key, generating a second random code, encrypting it with the first private key and sending it to the user through the information sending unit;
The system for managing user certificates and private keys further comprises:
A fourth data processing unit, for determining, when the acquisition unit obtains the user unique index identifier and the second random code encrypted with the first public key, whether the user unique index identifier exists in the database; if so, sending the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user through the information sending unit; if not, sending the user, through the information sending unit, a message encrypted with the first private key indicating that the requested operation failed.
Preferably, the above system for managing user certificates and private keys further comprises:
A judging unit, for determining, after the fourth data processing unit has sent the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user through the information sending unit, whether the acquisition unit receives within a preset time period a message from the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code encrypted with the first private key; if not, controlling the fourth data processing unit to send the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user again through the information sending unit.
Preferably, in the above system for managing user certificates and private keys, the first data processing unit is further used for:
After the fourth data processing unit has sent the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user through the information sending unit, and when the acquisition unit obtains a message requesting modification of the certificate private key data encryption key, generating a third random code, encrypting it with the first private key and sending it to the user through the information sending unit;
The system for managing user certificates and private keys further comprises:
A fifth data processing unit, for decrypting with the first private key, after the acquisition unit obtains the user unique index identifier and the second-level third random code encrypted with the first public key, the user unique index identifier and the second-level third random code; determining whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypting the second-level third random code with the second public key to obtain a random plaintext and determining whether the random plaintext matches the third random code; if it matches, sending the user, through the information sending unit, a message encrypted with the first private key indicating that the request to modify the user's private key data encryption key was verified successfully; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext does not match the third random code, sending the user, through the information sending unit, a message encrypted with the first private key indicating that the requested operation failed; where the second-level third random code is the third random code after being encrypted with the private key data;
A sixth data processing unit, for updating the second-level private key data with the new second-level private key data after the acquisition unit obtains the new second-level private key data and the third random code encrypted with the first public key, where the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
Preferably, in the above system, the user unique index identifier is unique data information that characterizes the user's information.
Based on the above technical solution, in the method and system for managing user certificates and private keys provided by the embodiments of the present invention and disclosed in the embodiments of the present application, the second-level private key data is stored on the server side. The generation of the symmetric key and the decryption and actual use of the second-level private key data take place on the user side; the user holds the symmetric key that decrypts the second-level private key data and can therefore decrypt and use that data. In this way only the user can obtain and use his or her own private key data, which effectively guarantees the security of the user's private key data.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flowchart of a method for managing user certificates and private keys disclosed in an embodiment of the present application;
Fig. 2 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 3 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 4 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 5 is a flowchart of a user certificate application protocol embodiment, corresponding to Fig. 1, disclosed in an embodiment of the present application;
Fig. 6 is a flowchart of a user private key data acquisition protocol embodiment, corresponding to Fig. 2, disclosed in an embodiment of the present application;
Fig. 7 is a flowchart of a user private key data encryption key modification protocol embodiment, corresponding to Fig. 4, disclosed in an embodiment of the present application;
Fig. 8 is a structural diagram of a system for managing user certificates and private keys disclosed in an embodiment of the present application;
Fig. 9 is a structural diagram of a system for managing user certificates and private keys disclosed in another embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An object of the present invention is to provide a method for managing user certificates and private keys suitable for cloud computing and transparent computing modes. Another object of the present invention is to provide a secure user certificate application protocol and a user certificate and private key data acquisition protocol suitable for cloud computing and transparent computing modes. The distinguishing feature of the method provided by the present invention is that the user's private key data is stored on the server side after encryption (as second-level private key data), while the generation, decryption and use of the private key data take place on the client (user side).
An embodiment of the present application discloses a method for managing user certificates and private keys. The method is applied in an RA server; referring to Fig. 1 to Fig. 4, its flow may include:
Step S101: obtain the request information sent by the user;
Step S102: determine the information type of the request information; when the request information is certificate request information encrypted with the first public key, perform step S103; when the user request information is the user certificate and private key data acquisition protocol encrypted with the first public key, perform step S201; when the user request information is a request, encrypted with the first public key, to modify the certificate private key data encryption key, perform step S401;
Referring to Fig. 1:
Step S103: generate a first random code, encrypt it with the first private key and send it to the user, where the first public key and the first private key form a public/private key pair; perform step S104;
In this step, the RA server generates a new random number (the first random code), encrypts it with its own private key (the first private key) and sends it to the user;
Step S104: obtain the certificate request information, user unique index identifier and first random code sent by the user, encrypted with the first public key; perform step S105;
The user side generates the certificate request information and generates its own public/private key pair (the user-side key pair); after receiving the first random code, it encrypts the certificate request information, user unique index identifier and first random code together with the RA server's public key (the first public key) and sends them to the RA server;
Step S105: determine whether the user unique index identifier exists in the database; if so, perform step S106, otherwise perform step S107;
After receiving the user unique index identifier sent by the user, the RA server compares it with the existing records in its database. If the RA server's check finds no active user certificate and private key ciphertext under this user unique index identifier, the identifier does not exist in the database and the flow goes to step S107; otherwise step S106 is performed: the server sends the user a user unique index identifier check failure message encrypted with its own private key, and the requested operation fails;
Step S106: send the user a message, encrypted with the first private key, indicating that the user unique index identifier check failed; perform step S108;
In this step, the RA server encrypts the user unique index identifier check success message with its own private key and sends it to the user;
Step S107: send the user a message, encrypted with the first private key, indicating that the user unique index identifier check succeeded;
Step S108: obtain the second-level private key data, the first random code and the second public key sent by the user, encrypted with the first public key, where the second-level private key data is the private key data corresponding to the second public key after encryption with a symmetric key; perform step S109;
In this step, the user encrypts its private key data with its own symmetric key, then encrypts the encrypted private key data, the first random code and the user's own second public key together with the RA server's public key and sends them to the RA server;
Step S109: write the certificate request information, user unique index identifier, second public key and second-level private key data into the pending certificate request list;
In this step, the RA server writes the certificate request information, user unique index identifier, user public key (the second public key), encrypted user private key data (the second-level private key data) and related information together into the pending certificate request list. After step S109, the RA server may also notify the user by sending a user certificate request success message encrypted with its own private key.
Referring to Fig. 2, the following process is executed after the application receives the certificate private key data request, encrypted with the first public key, sent by the user:
Step S201: generate a second random code and send it to the user, encrypted with the first private key;
In this step, the RA server generates a new random number (the second random code), encrypts it with its own private key and sends it to the user;
Step S202: obtain the user unique index identifier and the second random code sent by the user and encrypted with the first public key;
In this step, the user encrypts its own unique index identifier together with the received second random code using the RA server public key and sends the result to the RA server;
Step S203: determine whether the user unique index identifier exists in the database; if so, perform step S204, otherwise perform step S205;
In this step, the RA server compares the received user unique index identifier with the existing records in its database. If the RA server's valid certificate list contains a record corresponding to the identifier, go to step S204; otherwise perform step S205: the RA server uses its own private key to encrypt and send the corresponding error message to the user, and the request fails;
Step S204: send to the user the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key;
In this step, the RA server combines the certificate data corresponding to the user unique index identifier, the encrypted private key data (the second-level private key data) and the second random code, encrypts them with its own private key and sends them to the user;
Step S205: send to the user information, encrypted with the first private key, indicating that the request failed;
In this step, after receiving the certificate and private key data, the user encrypts a success message with the RA server public key and sends it to the RA server.
Referring to Fig. 3, the following may also be included after step S204:
Step S206: determine whether the user has received the data sent in step S204; if not, perform step S204;
Determine whether, within a preset time period, a message has been received from the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key.
Referring to Fig. 4:
Step S401: determine whether a message has been received from the user requesting a change of the certificate private key data encryption key; if so, perform step S402;
The scheme in Fig. 4 builds on successful execution of the scheme in Fig. 2; that is, step S401 is performed after step S204;
Step S402: generate a third random code and send it to the user, encrypted with the first private key, then perform step S403;
In this step, the RA server generates a new random number (the third random code), encrypts it with its own private key and sends it to the user;
Step S403: obtain the user unique index identifier and the second-level third random code sent by the user and encrypted with the first public key, then perform step S404; the second-level third random code is the third random code after encryption with the private key data;
In this step, the user encrypts the received third random code with its own private key data, then combines its own user unique index identifier and this ciphertext (the third random code encrypted with the user's private key data) into one data set, encrypts the data set with the RA server public key and sends it to the RA server;
Step S404: use the first private key to decrypt the user unique index identifier and the second-level third random code that were encrypted with the first public key, then perform step S405;
In this step, the RA server uses its own private key to decrypt the user unique index identifier and the second-level third random code that were encrypted with the first public key;
Step S405: determine whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, perform step S406, otherwise perform step S407;
In this step, the decrypted user unique index identifier is compared with the existing records on the RA server. If the check finds an active user certificate and private key ciphertext under this identifier, perform step S406; otherwise perform step S407;
Step S406: decrypt the second-level third random code with the second public key to obtain a random plaintext, and determine whether the random plaintext matches the third random code; if so, perform step S408, otherwise perform step S407;
In this step, the user's public key (the second public key) is used to decrypt the second-level third random code and obtain the random number plaintext (the random plaintext), which is compared with the third random code that the RA server sent to the user. If the two are identical, perform step S408; otherwise perform step S407: the RA server uses its own private key to encrypt and send a "user private key data encryption key change request verification failed" message to the user, and the request fails;
Step S407: send to the user information, encrypted with the first private key, indicating that the request failed;
Step S408: send to the user a message, encrypted with the first private key, indicating that verification of the user private key data encryption key change request succeeded, then perform step S409;
In this step, the RA server encrypts the "user private key data encryption key change request verification succeeded" message with its own private key and sends it to the user;
Step S409: obtain the new second-level private key data and the third random code sent by the user and encrypted with the first public key, then perform step S410; the new second-level private key data is obtained by the user encrypting the private key data plaintext with the changed symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key;
In this step, the user decrypts the encrypted private key data (the second-level private key data) with its own symmetric key to obtain the private key data plaintext, then encrypts that plaintext again with its own changed symmetric key to obtain the new second-level private key data; the user then encrypts the new second-level private key data together with the third random code using the RA server public key and sends the result to the RA server;
Step S410: update the second-level private key data with the new second-level private key data;
In this step, the RA server replaces the previous second-level private key data with the new second-level private key data. After step S410, the RA server may also notify the user by encrypting a "user private key data encryption key changed successfully" message with its own private key and sending it to the user.
In the method disclosed in the above embodiments of the application, the user unique index identifier is a unique piece of data that characterizes the user's information. The invention takes into account that, in a cloud computing or transparent computing model, the client system either has no local storage capability or has no reliable local storage capability, and that private key information must remain strictly confidential; the method therefore stores the user certificate and the user private key ciphertext (the second-level private key data) on the server side. In the invention, the private key ciphertext must be stored with a unique identifier of the private key holder (the unique index identifier) as its index, so that it can be stored, queried and retrieved in an orderly way. The uniqueness of the user unique index identifier can be guaranteed either by strict cryptographic principles or by a natural property of the identifier. In practice, one suitable scheme is to use the applicant's identity card number directly as the user unique index identifier, or to use a unique identifier generated from the identity card number.
According to the technical scheme disclosed in the above embodiments of the invention, the user's private key data is stored on the server side in encrypted form (the second-level private key data). The user's public key and symmetric key are generated, and the second-level private key data is decrypted and used, on the client, and the user holds the decryption key for the second-level private key data, so the user can decrypt and use the final private key data (the second private key). Only the user can therefore obtain and use its own private key data, which effectively protects the security of the user's private key data. In practice, one suitable scheme is for generation of the user's public/private key data and decryption and use of the private key data to be carried out on the client by the application program that actually uses the user certificate and symmetric key.
In the above scheme, the user applies for, legitimately obtains and changes the user certificate and the second-level private key data by means of the user certificate application protocol (steps S101-S109), the user certificate and private key data acquisition protocol (steps S201-S205) and the user private key data encryption key change protocol (steps S401-S410), all of which are suited to security in cloud computing and transparent computing models. In summary, the user certificate application protocol, the user certificate and private key data acquisition protocol and the user private key data encryption key change protocol of the invention have the following characteristics:
The protocols use random codes to prevent replay attacks;
The user certificate and the symmetric key are both generated on the client;
The user holds its own encryption key, and the private key data is transmitted to and stored on the server side only after being encrypted with that key;
The user holds its own decryption key, and after obtaining the second-level private key data from the server side decrypts it with that key before final use.
The following analyzes the effect of common attack methods on the user certificate application protocol, the user private key data acquisition protocol and the user private key data encryption key change protocol.
Network eavesdropping
In the above method, during key application and retrieval the symmetric key with which the user encrypts its own private key data is never transmitted over the network, and the private key data itself is transmitted only after encryption, so network eavesdropping is ineffective. The user's application information and user unique index identifier are both transmitted after encryption with the server public key; in the user private key data encryption key change protocol, the request sent by the user is additionally encrypted with the user's private key. An eavesdropper therefore cannot obtain useful information from intercepted messages.
Replay attack
Because the certificate server chooses a different random code each time, replaying a previously intercepted request message cannot complete a later request.
Brute-force guessing attack on the symmetric key
Because the user protects its own private key data with a symmetric key algorithm, brute-force guessing of this symmetric key is also an important type of attack. To address it, the RA server may consider adding a strength check for this symmetric key to the key application client program. For example, if a password is used as the symmetric key, defects such as a password that is too short, the user name used as the password, or a single English word used as the password must be avoided. Provided the user's symmetric key and the symmetric encryption algorithm used (for example AES256) have sufficient resistance to attack, the protocol can be considered secure against brute-force guessing of the symmetric key. The protocol family also supports changing the private key data encryption key, which further improves the security of the protocol.
Man-in-the-middle attack
Because all data messages that the user sends to the server are transmitted after encryption with the server public key, an attacker cannot use session hijacking to obtain any more useful information than by network eavesdropping; that is, the protocol is secure against man-in-the-middle attacks.
Taken together, these four points show that the method disclosed in the above embodiments of the application can effectively resist network eavesdropping, replay attacks, brute-force guessing of the symmetric key and man-in-the-middle attacks; that is, the protocol is secure against existing attack methods.
The invention proposes a method for managing user certificates and private keys suited to cloud computing and transparent computing models. Compared with other schemes, its main advantages are as follows.
First, because user private keys are stored encrypted on the RA server, the scheme needs no external key storage device, which saves hardware cost and reduces implementation complexity while preserving the security of the digital certificate system.
Second, generation, encryption and decryption of the private key data are all carried out on the user side, which effectively reduces the load on the server and increases the scalability of the system. At the same time, the plaintext of the user's private key data exists only on the client, or more precisely only within the running process of the client's digital certificate program, which further improves the security of the system.
Finally, the security analysis of the user certificate application protocol, the user private key data acquisition protocol and the user private key data encryption key change protocol shows that the protocols can effectively resist network eavesdropping, replay attacks, brute-force guessing of the symmetric key and man-in-the-middle attacks; that is, the protocols are secure against existing attack methods.
To help the reader understand the technical scheme disclosed in the above embodiments in more detail, the application also illustrates the method with concrete examples; see Figs. 5 to 7. Fig. 5 shows an embodiment of the secure user certificate application protocol. The symbols in the figures have the following meanings, with {X}K denoting X encrypted under key K: Info is the certificate request information; K_S is the RA server public key (the first public key) and K_S^-1 the RA server private key (the first private key); K_U is the certificate requester's public key (the second public key) and K_U^-1 the certificate requester's private key (the second private key); Na is the random code generated by the RA server; Id_U is the user's unique index identifier; K_EU is the symmetric key with which the user encrypts its own private key, and K'_EU is the new symmetric key with which the user encrypts its own private key; m1 to m13 are messages identifying specific protocol steps, namely m1 (user certificate request), m2 (unique index identifier check succeeded), m3 (unique index identifier check failed), m4 (certificate request processed successfully), m5 (user certificate private key data request), m6 (certificate request not yet reviewed), m7 (certificate request rejected), m8 (certificate revoked), m9 (user unique index identifier verification error), m10 (user certificate private key data request processed successfully), m11 (user request to change the certificate private key data encryption key), m12 (user private key check error) and m13 (user request to change the certificate private key data encryption key processed successfully); C is the user's certificate; and Hash3 is a one-way hash function.
Assume that the user has already obtained the RA server's public digital certificate (the first public key) from the digital certificate system.
Referring to Fig. 5, each step of the user certificate application protocol is described in detail as follows:
Step 1: the user sends the message {m1}K_S to the RA server, requesting a certificate application;
Step 2: the RA server generates a random code Na and sends the message {Na}K_S^-1 to the user;
Step 3: the user generates the certificate request information Info, encrypts it together with its own user unique index identifier Id_U and Na using the RA server public key K_S to produce Data1, and sends Data1 to the RA server:
Data1 = {Info, Id_U, Na}K_S
Step 4: after receiving the user unique index identifier Id_U sent by the user, the RA server compares it with the existing records in its database (the pending certificate request list, the rejected certificate request list, the valid certificate list and the revoked certificate list). If the RA server finds no duplicate of the user unique index identifier, go to step 5; otherwise it sends the message {m3}K_S to the user and the request fails;
Step 5: the RA server sends the message {m2}K_S to the user;
Step 6: the user encrypts its private key data K_U^-1 with its own symmetric key K_EU, then encrypts the result together with Na and its own public key K_U using the RA server public key K_S to produce Data2, and sends Data2 to the RA server:
Data2 = {{K_U^-1}K_EU, K_U, Na}K_S
In some concrete protocols, for example the standard certificate request in the ITU-T X.509 international standard, K_U is already included, which means that the Info sent in step 3 already contains K_U; in that case this step may omit K_U and send only {{K_U^-1}K_EU, Na}K_S to the RA server.
Step 7: the RA server writes the certificate request information Info, the user unique index identifier Id_U, the user public key K_U, the encrypted user private key data {K_U^-1}K_EU and related information together into the pending certificate request list;
Step 8: the RA server sends the message {m4}K_S to the user.
If the certificate request generation phase completes successfully, the "pending certificate request list" in the server-side database contains a record for this user, with data items including the certificate request information, the user ID and the encrypted private key data, and the RA server can now review the application. If the application is not approved, the record is moved directly to the "rejected certificate request list". If it is approved, the method may further include: passing the data in the record to the CA server, which uses its own private key and certificate to issue a user certificate for the certificate request and sends the certificate data back to the RA server; the RA server then writes the certificate data, the user ID, the encrypted private key data and related data items to the "valid certificate list".
Referring to Fig. 6, each step of the user private key data acquisition protocol is described in detail as follows:
Step S11: the user sends the message {m5}K_S to the RA server, requesting the certificate private key data;
Step S12: the RA server generates a random code Na and sends the message {Na}K_S^-1 to the user;
Step S13: the user encrypts its own user unique index identifier together with the random code obtained in step S12 using the RA server public key to produce Data3, and sends Data3 to the RA server;
Data3 = {Id_U, Na}K_S
Step S14: the RA server compares the received user unique index identifier with the existing records in its database (the "pending certificate request list", the "rejected certificate request list", the "valid certificate list" and the "revoked certificate list"). If the RA server's valid certificate list contains a record corresponding to the identifier, go to step S15; otherwise it returns the relevant error message {m6}K_S^-1, {m7}K_S^-1, {m8}K_S^-1 or {m9}K_S^-1 to the user and the data request fails;
Step S15: the RA server combines the certificate data corresponding to the user unique index identifier with the private key data encrypted under K_EU, encrypts them with K_S^-1 to produce Data4, and sends Data4 to the user:
Data4 = {C, {K_U^-1}K_EU, Na}K_S^-1
The user sends the message {m10}K_S to the RA server.
Referring to Fig. 7, each step of the user private key data encryption key change protocol is described in detail as follows:
Step S21: the user sends the message {m5}K_S to the RA server, requesting the certificate private key data;
Step S22: the RA server generates a random code Na1 and sends the message {Na1}K_S^-1 to the user;
Step S23: the user encrypts its own user unique index identifier together with the random code obtained in step S22 using the RA server public key to produce Data5, and sends Data5 to the RA server;
Data5 = {Id_U, Na}K_S
Step S24: the RA server compares the received user unique index identifier with the existing records in its database (the "pending certificate request list", the "rejected certificate request list", the "valid certificate list" and the "revoked certificate list"). If the RA server's valid certificate list contains a record corresponding to the identifier, go to step S25; otherwise it returns the relevant error message {m6}K_S^-1, {m7}K_S^-1, {m8}K_S^-1 or {m9}K_S^-1 to the user and the data request fails;
Step S25: the RA server combines the certificate data corresponding to the user unique index identifier with the private key data encrypted under K_EU, encrypts them with K_S^-1 to produce Data6, and sends Data6 to the user:
Data6 = {C, {K_U^-1}K_EU, Na1}K_S^-1
Step S26: the user sends the message {m11}K_S to the RA server, requesting a change of the certificate private key data encryption key;
Step S27: the RA server generates a new random code Na2 and sends the message {Na2}K_S^-1 to the user;
Step S28: the user encrypts this random code with its own private key data to obtain the random code ciphertext, then combines the user unique index identifier and the random code ciphertext into one data set, encrypts the data set with K_S to produce Data7, and sends Data7 to the RA server;
Data7 = {Id_U, {Na2}K_U^-1}K_S
Step S29: the RA server decrypts Data7 with K_S^-1 and compares the user unique index identifier it contains with the existing records in its database (the "pending certificate request list", the "rejected certificate request list", the "valid certificate list" and the "revoked certificate list"). If the RA server's valid certificate list contains no record corresponding to this user ID, it returns the relevant error message {m6}K_S^-1, {m7}K_S^-1, {m8}K_S^-1 or {m9}K_S^-1 to the user and the data request fails. If the valid certificate list does contain a record corresponding to this user ID, the RA server obtains the user's second public key, decrypts the random code ciphertext to obtain the random code plaintext, and compares it with the random code that the RA server sent to the user; if the two are identical, go to step S30, otherwise it returns the error message {m12}K_S^-1 to the user and the request fails.
Step S30: the RA server sends the message {m13}K_S^-1 to the user, indicating that verification of the user private key data encryption key change request succeeded;
Step S31: the user decrypts the encrypted private key data with its own symmetric key to obtain the private key data plaintext, then encrypts the plaintext private key data again with its own changed symmetric key; the user then encrypts the resulting new private key data ciphertext together with Na2 using K_S to produce Data8, and sends Data8 to the RA server;
Data8 = {{K_U^-1}K'_EU, Na2}K_S
Step S32: the RA server replaces the previous user private key data ciphertext with the new private key data ciphertext, that is, replaces {K_U^-1}K_EU with {K_U^-1}K'_EU;
Step S33: the RA server sends the message {m13}K_S^-1 to the user.
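The key-change exchange of Fig. 7 (steps S27 to S32) and the replay argument of the security analysis, as an added Go example that is not part of the patent: an Ed25519 signature stands in for "encrypting the random code with the private key", AES-256-GCM for the symmetric encryption under K_EU, and the outer encryption under K_S is left out. The names entry, RA, session, Challenge, Verify, Update and Demo, and the identifier user-0001, are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

type entry struct { // one row of the valid certificate list (hypothetical layout)
	pub     ed25519.PublicKey // K_U
	wrapped []byte            // {K_U^-1}K_EU; K_EU itself never reaches the server
}
type RA map[string]*entry // valid certificate list keyed by Id_U
type session struct {     // server state for one key-change exchange
	na2 []byte // random code sent in S27
	rec *entry // set once S29 succeeds
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD { // AES-256-GCM from a 32-byte K_EU
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func wrap(g cipher.AEAD, priv []byte, idU string) []byte { // nonce||ciphertext, bound to Id_U
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, priv, []byte(idU))
}
func unwrap(g cipher.AEAD, blob []byte, idU string) ([]byte, error) {
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], []byte(idU))
}

func Challenge() *session { return &session{na2: random(16)} } // S27: a fresh Na2 per exchange

// Verify is step S29: Id_U must be listed and the signature over Na2 must check under K_U.
func (ra RA) Verify(s *session, idU string, sig []byte) error {
	e := ra[idU]
	if e == nil {
		return errors.New("m9: identifier not in the valid certificate list")
	}
	if s.na2 == nil || !ed25519.Verify(e.pub, s.na2, sig) {
		return errors.New("m12: private key check failed")
	}
	s.rec = e
	return nil
}

// Update is step S32: store the new ciphertext, then spend the session so it cannot be reused.
func (s *session) Update(data8, na2 []byte) error {
	if s.rec == nil || subtle.ConstantTimeCompare(s.na2, na2) != 1 {
		return errors.New("stale or unverified random code")
	}
	s.rec.wrapped = data8
	s.rec, s.na2 = nil, nil
	return nil
}

// Demo runs one key change for a constructed user; every result should be true.
func Demo() (rotated, forgeryFails, replayFails bool) {
	const idU = "user-0001" // constructed identifier
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader)        // a key that is not the user's
	oldK, newK := mustGCM(random(32)), mustGCM(random(32)) // K_EU and K'_EU
	ra := RA{idU: {pub: pub, wrapped: wrap(oldK, priv, idU)}}
	s := Challenge() // S27
	forgeryFails = ra.Verify(s, idU, ed25519.Sign(other, s.na2)) != nil
	sig := ed25519.Sign(priv, s.na2)               // S28: {Na2}K_U^-1, here a signature
	plain, _ := unwrap(oldK, ra[idU].wrapped, idU) // S31, on the client
	data8, na2 := wrap(newK, plain, idU), s.na2
	changed := ra.Verify(s, idU, sig) == nil && s.Update(data8, na2) == nil // S29, S32
	got, err := unwrap(newK, ra[idU].wrapped, idU)
	_, oldErr := unwrap(oldK, ra[idU].wrapped, idU)
	rotated = changed && err == nil && oldErr != nil && subtle.ConstantTimeCompare(got, priv) == 1
	s2 := Challenge() // a later exchange: the captured Data7 and Data8 are sent again
	replayFails = ra.Verify(s2, idU, sig) != nil && s2.Update(data8, na2) != nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true true true
```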
Corresponding to the method disclosed in the above embodiments, the application also discloses a system that applies the method. Referring to Fig. 8, the system includes:
A collecting unit 100, configured to obtain the data sent by the user;
An information transmitting unit 200, configured to send data to the user;
A first data processing unit 300, corresponding to step S103, configured to, when the collecting unit 100 obtains certificate request information encrypted with the first public key, generate a first random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200, where the first public key and the first private key form a public/private key pair;
A second data processing unit 400, corresponding to steps S104-S107, configured to, when the collecting unit 100 obtains the certificate request information, the user unique index identifier and the first random code encrypted with the first public key, determine whether the user unique index identifier exists in the database; if so, output to the user through the information transmitting unit 200 information, encrypted with the first private key, indicating that the user unique index identifier check failed; otherwise, send to the user through the information transmitting unit 200 information, encrypted with the first private key, indicating that the user unique index identifier check succeeded;
A third data processing unit 500, corresponding to steps S108-S109, configured to, when the collecting unit 100 obtains the second-level private key data, the first random code and the second public key encrypted with the first public key, write the certificate request information, the user unique index identifier, the second public key and the second-level private key data into the pending certificate request list, where the second-level private key data is the private key data corresponding to the second public key after encryption with a symmetric key.
Corresponding to step S202 of the above method, the first data processing unit 300 is further configured to:
when the collecting unit 100 obtains a request under the user certificate and private key data acquisition protocol encrypted with the first public key, generate a second random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200;
Referring to Fig. 9, corresponding to steps S203-S205 of the above method, the system for managing user certificates and private keys further includes:
A fourth data processing unit 600, configured to, when the collecting unit 100 obtains the user unique index identifier and the second random code encrypted with the first public key, determine whether the user unique index identifier exists in the database; if so, send to the user through the information transmitting unit 200 the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, send to the user through the information transmitting unit 200 information, encrypted with the first private key, indicating that the request failed.
Corresponding to step S206 of the above method, the system for managing user certificates and private keys further includes:
A judging unit 700, configured to, after the fourth data processing unit 600 has sent to the user through the information transmitting unit 200 the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, determine whether the collecting unit 100 obtains, within a preset time period, a message sent by the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, control the fourth data processing unit 600 to send the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user again through the information transmitting unit 200.
Corresponding to step S402 of the above method, in the above system for managing user certificates and private keys the first data processing unit 300 is further configured to:
after the fourth data processing unit 600 has sent to the user through the information transmitting unit 200 the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, and when the collecting unit 100 obtains a message requesting a change of the certificate private key data encryption key, generate a third random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200;
Corresponding to the above method, the system for managing user certificates and private keys further includes:
A fifth data processing unit 800, corresponding to steps S403-S408, configured to, after the collecting unit 100 obtains the user unique index identifier and the second-level third random code encrypted with the first public key, decrypt them with the first private key; determine whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypt the second-level third random code with the second public key to obtain a random plaintext and determine whether the random plaintext matches the third random code; if they match, send to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that verification of the user private key data encryption key change request succeeded; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext does not match the third random code, send to the user through the information transmitting unit 200 information, encrypted with the first private key, indicating that the request failed; where the second-level third random code is the third random code after encryption with the private key data;
A sixth data processing unit 900, corresponding to steps S409-S410, configured to, after the collecting unit 100 obtains the new second-level private key data and the third random code encrypted with the first public key, update the second-level private key data with the new second-level private key data, where the new second-level private key data is obtained by the user encrypting the private key data plaintext with the changed symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
For convenience of description, the system above is described in terms of separate modules divided by function. Of course, when implementing the application, the functions of the modules may be realized in one or more pieces of software and/or hardware.
The embodiments in this specification are described progressively; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and the relevant parts may be found in the description of the method embodiments. The systems and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
It should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element qualified by the statement "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for managing a user certificate and private key, characterized by comprising:
Obtaining request information sent by a user;
When the request information is certificate request information encrypted with a first public key:
Generating a first random code and sending it, encrypted with a first private key, to the user, the first public key and the first private key forming a public/private key pair;
Obtaining the certificate request information, a user unique index identifier and the first random code sent by the user and encrypted with the first public key;
Determining whether the user unique index identifier exists in a database; if so, outputting to the user information, encrypted with the first private key, indicating that the user unique index identifier check failed; otherwise, sending to the user information, encrypted with the first private key, indicating that the user unique index identifier check succeeded;
Obtaining second-level private key data, the first random code and a second public key sent by the user and encrypted with the first public key, the second-level private key data being the private key data corresponding to the second public key after encryption with a symmetric key;
Writing the certificate request information, the user unique index identifier, the second public key and the second-level private key data into a pending certificate request list.
2. The method for managing a user certificate and private key according to claim 1, characterized by further comprising:
Obtaining certificate private key data request information sent by the user and encrypted with the first public key;
Generating a second random code and sending it, encrypted with the first private key, to the user;
Obtaining the user unique index identifier and the second random code sent by the user and encrypted with the first public key;
Determining whether the user unique index identifier exists in the database; if so, sending to the user, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code; if not, sending to the user information, encrypted with the first private key, indicating that the requested operation failed.
3. The method for managing a user certificate and private key according to claim 2, characterized in that, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether, within a preset time period, information sent by the user has been obtained indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code encrypted with the first private key; if not, sending the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user again.
4. The method for managing a user certificate and private key according to claim 2, characterized in that, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether information sent by the user requesting modification of the certificate private key data encryption key has been obtained, and if so, continuing;
Generating a third random code and sending it, encrypted with the first private key, to the user;
Obtaining the user unique index identifier and a second-level third random code sent by the user and encrypted with the first public key, the second-level random code being the third random code after it has been encrypted with the private key data;
Decrypting, with the first private key, the user unique index identifier and the second-level third random code encrypted with the first public key;
Determining whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypting the second-level third random code with the second public key to obtain a random plaintext, and determining whether the random plaintext is consistent with the third random code; if it is consistent, sending to the user a message, encrypted with the first private key, indicating that verification of the user's private key data encryption key modification request succeeded; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext is inconsistent with the third random code, sending to the user information, encrypted with the first private key, indicating that the requested operation failed;
Obtaining new second-level private key data and the third random code sent by the user and encrypted with the first public key, the new second-level private key data being obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext being obtained by the user decrypting the second-level private key data with the original symmetric key;
Updating the second-level private key data with the new second-level private key data.
5. The method for managing a user certificate and private key according to any one of claims 1-4, characterized in that the user unique index identifier is unique data information used to characterize user information.
6. A system for managing a user certificate and private key, characterized by comprising:
A collecting unit, configured to obtain data information sent by a user;
An information transmitting unit, configured to send data information to the user;
A first data processing unit, configured to, when the collecting unit obtains certificate request information encrypted with a first public key, generate a first random code and send it, encrypted with a first private key, to the user through the information transmitting unit, the first public key and the first private key forming a public/private key pair;
A second data processing unit, configured to, when the collecting unit obtains the certificate request information, a user unique index identifier and the first random code encrypted with the first public key, determine whether the user unique index identifier exists in a database; if so, output to the user, through the information transmitting unit, information encrypted with the first private key indicating that the user unique index identifier check failed; otherwise, send to the user, through the information transmitting unit, information encrypted with the first private key indicating that the user unique index identifier check succeeded;
A third data processing unit, configured to, when the collecting unit obtains second-level private key data, the first random code and a second public key encrypted with the first public key, write the certificate request information, the user unique index identifier, the second public key and the second-level private key data into a pending certificate request list, wherein the second-level private key data is the private key data corresponding to the second public key after encryption with a symmetric key.
7. The system for managing a user certificate and private key according to claim 6, characterized in that the first data processing unit is further configured to:
When the collecting unit obtains a user certificate and private key data acquisition request encrypted with the first public key, generate a second random code and send it, encrypted with the first private key, to the user through the information transmitting unit;
The system for managing a user certificate and private key further comprises:
A fourth data processing unit, configured to, when the collecting unit obtains the user unique index identifier and the second random code encrypted with the first public key, determine whether the user unique index identifier exists in the database; if so, send to the user, through the information transmitting unit and encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code; if not, send to the user, through the information transmitting unit, information encrypted with the first private key indicating that the requested operation failed.
8. The system for managing a user certificate and private key according to claim 7, characterized by further comprising:
A judging unit, configured to, after the fourth data processing unit has sent to the user, through the information transmitting unit and encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, determine whether the collecting unit has obtained, within a preset time period, information sent by the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code encrypted with the first private key; and if not, control the fourth data processing unit to send to the user again, through the information transmitting unit and encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code.
9. The system for managing a user certificate and private key according to claim 7, characterized in that the first data processing unit is further configured to:
After the fourth data processing unit has sent to the user, through the information transmitting unit and encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, and when the collecting unit obtains information requesting modification of the certificate private key data encryption key, generate a third random code and send it, encrypted with the first private key, to the user through the information transmitting unit;
The system for managing a user certificate and private key further comprises:
A fifth data processing unit, configured to: after the collecting unit obtains the user unique index identifier and the second-level third random code encrypted with the first public key, decrypt them with the first private key; determine whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypt the second-level third random code with the second public key to obtain a random plaintext, and determine whether the random plaintext is consistent with the third random code; if it is consistent, send to the user, through the information transmitting unit, a message encrypted with the first private key indicating that verification of the user's private key data encryption key modification request succeeded; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext is inconsistent with the third random code, send to the user, through the information transmitting unit, information encrypted with the first private key indicating that the requested operation failed; wherein the second-level random code is the third random code after it has been encrypted with the private key data;
A sixth data processing unit, configured to, after the collecting unit obtains the new second-level private key data and the third random code encrypted with the first public key, update the second-level private key data with the new second-level private key data, wherein the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
10. The system for managing a user certificate and private key according to any one of claims 6-9, characterized in that the user unique index identifier is unique data information used to characterize user information.
CN201610320149.7A 2016-05-13 2016-05-13 A kind of management method and system of user certificate and private key Active CN105812388B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610320149.7A CN105812388B (en) 2016-05-13 2016-05-13 A kind of management method and system of user certificate and private key


Publications (2)

Publication Number Publication Date
CN105812388A true CN105812388A (en) 2016-07-27
CN105812388B CN105812388B (en) 2018-12-07

Family

ID=56456839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610320149.7A Active CN105812388B (en) 2016-05-13 2016-05-13 A kind of management method and system of user certificate and private key

Country Status (1)

Country Link
CN (1) CN105812388B (en)

Also Published As

Publication number Publication date
CN105812388B (en) 2018-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant