CN105812388B - A kind of management method and system of user certificate and private key - Google Patents
- Publication number: CN105812388B
- Authority: CN (China)
- Prior art keywords: user, private key, data, certificate, encryption
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The application provides a method and system for managing user certificates and private keys. The method includes, when certificate request information encrypted with the first public key is received: generating a first random code and sending it to the user; obtaining the certificate request information, the user unique index identifier and the first random code sent by the user; determining whether the user unique index identifier exists in the database and, if not, sending the user information indicating that the check of the user unique index identifier succeeded; obtaining the second-level private key data, the first random code and the second public key sent by the user, the second-level private key data being the private key data corresponding to the second public key, encrypted with a symmetric key; and writing the certificate request information, the user unique index identifier, the second public key and the second-level private key data into the pending certificate request list. This scheme effectively ensures the security of the user's private key data.
Description
Technical field
The present invention relates to the field of digital certificate technology, and in particular to a method and system for managing server-side user certificates and private keys, suitable for modes such as cloud computing and transparent computing.
Background
With the development of computer technology, network technology, virtual computing technology and related fields, traditional forms of computing have changed enormously. Mobile computing and mobile network terminals, represented by mobile phones and personal tablets, have gradually risen, and cloud computing and transparent computing have also developed greatly. How to ensure the information security of client systems in modes such as cloud computing and transparent computing has become an urgent problem in the information technology field.
A public key infrastructure (hereinafter PKI) system is currently recognized in the industry as a feasible and effective measure for securing networks and information systems in an open network environment. It uses the principles and techniques of public/private key cryptographic algorithms to provide general-purpose security services. In modes such as cloud computing or transparent computing, the client either has no local storage capability or has no reliable local storage capability, so storing user certificates and private keys locally poses security problems. In addition, because of the particular interfaces of mobile terminal devices, directly connecting a common USB-KEY (a hardware device with a USB interface) to the device also faces considerable obstacles, so directly applying a traditional PKI deployment scheme runs into certain implementation barriers.
Summary of the invention
In view of this, embodiments of the present invention provide a method and system for managing user certificates and private keys, to solve the security problem of storing user certificates and private keys locally.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
A method for managing user certificates and private keys, comprising:
Obtaining request information sent by a user;
When the request information is certificate request information encrypted with a first public key:
Generating a first random code and sending it to the user encrypted with a first private key, the first public key and the first private key being a public/private key pair;
Obtaining, as sent by the user and encrypted with the first public key, the certificate request information, a user unique index identifier and the first random code;
Determining whether the user unique index identifier exists in the database; if so, outputting to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier failed; otherwise sending to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded;
Obtaining, as sent by the user and encrypted with the first public key, second-level private key data, the first random code and a second public key, the second-level private key data being the private key data corresponding to the second public key, encrypted with a symmetric key;
Writing the certificate request information, the user unique index identifier, the second public key and the second-level private key data into a pending certificate request list.
Preferably, the above method for managing user certificates and private keys further comprises:
Obtaining certificate and private key data request information, encrypted with the first public key, sent by the user;
Generating a second random code and sending it to the user encrypted with the first private key;
Obtaining the user unique index identifier and the second random code sent by the user, encrypted with the first public key;
Determining whether the user unique index identifier exists in the database; if so, sending to the user, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code; if not, sending to the user information, encrypted with the first private key, indicating that the requested operation failed.
Preferably, in the above method, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether, within a preset time period, information sent by the user has been received indicating that the user obtained the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code encrypted with the first private key; if not, sending to the user again, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code.
Preferably, in the above method, after the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
Determining whether information sent by the user requesting modification of the certificate private key data encryption key has been received; if so, continuing;
Generating a third random code and sending it to the user encrypted with the first private key;
Obtaining the user unique index identifier and a second-level third random code sent by the user, encrypted with the first public key, the second-level third random code being the third random code encrypted with the private key data;
Decrypting, with the first private key, the user unique index identifier and the second-level third random code encrypted with the first public key;
Determining whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypting the second-level third random code with the second public key to obtain a random plaintext, and determining whether the random plaintext matches the third random code; if they match, sending to the user a message, encrypted with the first private key, indicating that the user's private key data encryption key modification request was verified successfully; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext does not match the third random code, sending to the user information, encrypted with the first private key, indicating that the requested operation failed;
Obtaining, as sent by the user and encrypted with the first public key, new second-level private key data and the third random code, the new second-level private key data being obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext being obtained by the user decrypting the second-level private key data with the original symmetric key;
Updating the second-level private key data with the new second-level private key data.
Preferably, in the above method, the user unique index identifier is unique data information that characterizes the user information.
A system for managing user certificates and private keys, comprising:
An acquisition unit, configured to obtain data information sent by the user;
An information sending unit, configured to send data information to the user;
A first data processing unit, configured to, when the acquisition unit obtains certificate request information encrypted with the first public key, generate a first random code and send it to the user, encrypted with the first private key, through the information sending unit, the first public key and the first private key being a public/private key pair;
A second data processing unit, configured to, when the acquisition unit obtains the certificate request information, the user unique index identifier and the first random code encrypted with the first public key, determine whether the user unique index identifier exists in the database; if so, output to the user through the information sending unit information, encrypted with the first private key, indicating that the check of the user unique index identifier failed; otherwise, send to the user through the information sending unit information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded;
A third data processing unit, configured to, when the acquisition unit obtains the second-level private key data, the first random code and the second public key encrypted with the first public key, write the certificate request information, the user unique index identifier, the second public key and the second-level private key data into the pending certificate request list, wherein the second-level private key data is the private key data corresponding to the second public key, encrypted with a symmetric key.
Preferably, in the above system for managing user certificates and private keys, the first data processing unit is further configured to:
When the acquisition unit obtains a user certificate and private key data acquisition protocol request encrypted with the first public key, generate a second random code and send it to the user, encrypted with the first private key, through the information sending unit;
The system for managing user certificates and private keys further comprises:
A fourth data processing unit, configured to, when the acquisition unit obtains the user unique index identifier and the second random code encrypted with the first public key, determine whether the user unique index identifier exists in the database; if so, send to the user through the information sending unit, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code; if not, send to the user through the information sending unit information, encrypted with the first private key, indicating that the requested operation failed.
Preferably, the above system for managing user certificates and private keys further comprises:
A judging unit, configured to, after the fourth data processing unit has sent to the user through the information sending unit, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, determine whether the acquisition unit has obtained, within a preset time period, information sent by the user indicating that the user obtained the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code encrypted with the first private key; if not, control the fourth data processing unit to send them to the user again, encrypted with the first private key, through the information sending unit.
Preferably, in the above system for managing user certificates and private keys, the first data processing unit is further configured to:
After the fourth data processing unit has sent to the user through the information sending unit, encrypted with the first private key, the certificate data corresponding to the user unique index identifier, the second-level private key data and the second random code, and when the acquisition unit obtains information requesting modification of the certificate private key data encryption key, generate a third random code and send it to the user, encrypted with the first private key, through the information sending unit;
The system for managing user certificates and private keys further comprises:
A fifth data processing unit, configured to, after the acquisition unit obtains the user unique index identifier and the second-level third random code encrypted with the first public key, decrypt them with the first private key; determine whether a user certificate and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypt the second-level third random code with the second public key to obtain a random plaintext and determine whether the random plaintext matches the third random code; if they match, send to the user through the information sending unit a message, encrypted with the first private key, indicating that the user's private key data encryption key modification request was verified successfully; if no user certificate and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext does not match the third random code, send to the user through the information sending unit information, encrypted with the first private key, indicating that the requested operation failed; wherein the second-level third random code is the third random code encrypted with the private key data;
A sixth data processing unit, configured to, after the acquisition unit obtains the new second-level private key data and the third random code encrypted with the first public key, update the second-level private key data with the new second-level private key data, wherein the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
Preferably, in the above system, the user unique index identifier is unique data information that characterizes the user information.
Based on the above technical solutions, in the method and system for managing user certificates and private keys provided by embodiments of the present invention, the second-level private key data is stored on the server side. Generation of the symmetric key, decryption of the second-level private key data and its actual use all take place on the user terminal; a user who holds the symmetric key for the second-level private key data can decrypt and use that data. In this way only the user can obtain and use his or her own private key data, which effectively ensures the security of the user's private key data.
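The storage model and the encryption-key modification steps summarized above can be exercised end to end. The following Go program is an added example, not code from the patent: it assumes AES-256-GCM as the symmetric cipher and models "encrypting the third random code with the private key" as an ECDSA P-256 signature checked with the second public key. All type and function names are hypothetical, the transport encryption under the RA server's first key pair is omitted, and the separate verification and update messages are collapsed into one `rotate` call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// record is all the RA server holds per user unique index identifier: second
// public key, wrapped ("second-level") private key, outstanding random code.
type record struct{ pubDER, wrapped, challenge []byte }
type raServer map[string]*record

var errFailed = errors.New("request operation failed")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // cannot occur with the fixed parameters used in this example
	}
	return v
}
func randBytes(n int) []byte      { b := make([]byte, n); must(rand.Read(b)); return b }
func aead(kek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(kek)))) }

// wrap and unwrap run only on the user terminal; kek is a 32-byte AES key.
func wrap(kek, privDER []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return aead(kek).Seal(nonce, nonce, privDER, nil) // nonce || ciphertext || tag
}
func unwrap(kek, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errFailed
	}
	return aead(kek).Open(nil, blob[:12], blob[12:], nil)
}

// newChallenge issues the third random code (step S402).
func (s raServer) newChallenge(id string) ([]byte, error) {
	if s[id] == nil {
		return nil, errFailed
	}
	s[id].challenge = randBytes(32)
	return s[id].challenge, nil
}

// rotate verifies the response with the stored second public key, consumes the
// random code so it cannot be replayed, and only then replaces the wrapped key.
func (s raServer) rotate(id string, sig, newWrapped []byte) error {
	rec := s[id]
	if rec == nil || rec.challenge == nil {
		return errFailed
	}
	digest := sha256.Sum256(rec.challenge)
	rec.challenge = nil
	key, _ := x509.ParsePKIXPublicKey(rec.pubDER) // on error key is nil, so the assertion fails
	if pub, ok := key.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errFailed
	}
	rec.wrapped = newWrapped
	return nil
}

// clientEnroll creates key pair and symmetric key locally; only public key and wrapped key are uploaded.
func clientEnroll(s raServer, id string) []byte {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	kek := randBytes(32)
	pubDER := must(x509.MarshalPKIXPublicKey(&priv.PublicKey))
	s[id] = &record{pubDER: pubDER, wrapped: wrap(kek, must(x509.MarshalPKCS8PrivateKey(priv)))}
	return kek
}

// clientRotate proves possession of the private key, then re-wraps it under a fresh symmetric key.
func clientRotate(s raServer, id string, oldKEK []byte) ([]byte, error) {
	challenge, err := s.newChallenge(id)
	if err != nil {
		return nil, err
	}
	privDER, err := unwrap(oldKEK, s[id].wrapped) // s[id].wrapped stands in for the Fig. 2 download
	if err != nil {
		return nil, err
	}
	priv := must(x509.ParsePKCS8PrivateKey(privDER)).(*ecdsa.PrivateKey)
	digest := sha256.Sum256(challenge)
	sig := must(ecdsa.SignASN1(rand.Reader, priv, digest[:])) // "second-level third random code"
	newKEK := randBytes(32)
	return newKEK, s.rotate(id, sig, wrap(newKEK, privDER))
}

func main() {
	ra := raServer{}
	newKEK := must(clientRotate(ra, "user-001", clientEnroll(ra, "user-001"))) // constructed ID
	_, err := unwrap(newKEK, ra["user-001"].wrapped)
	fmt.Println("stored blob opens with the rotated key:", err == nil)
}
```

The server-side record never contains the symmetric key or the plaintext private key, so a database dump yields only the public key and an AES-GCM ciphertext.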
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the present invention; those of ordinary skill in the art can derive other drawings from the drawings provided without creative effort.
Fig. 1 is a flowchart of a method for managing user certificates and private keys disclosed in an embodiment of the present application;
Fig. 2 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 3 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 4 is a flowchart of a method for managing user certificates and private keys disclosed in another embodiment of the present application;
Fig. 5 is a flowchart of a user certificate request protocol embodiment, corresponding to Fig. 1, disclosed in an embodiment of the present application;
Fig. 6 is a flowchart of a user private key data acquisition protocol embodiment, corresponding to Fig. 2, disclosed in an embodiment of the present application;
Fig. 7 is a flowchart of a user private key data encryption key modification protocol embodiment, corresponding to Fig. 4, disclosed in an embodiment of the present application;
Fig. 8 is a structural diagram of a system for managing user certificates and private keys disclosed in an embodiment of the present application;
Fig. 9 is a structural diagram of a system for managing user certificates and private keys disclosed in another embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An object of the present invention is to provide a method for managing user certificates and private keys suitable for cloud computing and transparent computing modes. Another object of the present invention is to provide a secure user certificate request protocol and a user certificate and private key data acquisition protocol suitable for cloud computing and transparent computing modes. The characteristic of the management method provided by the invention is that the user's private key data is stored on the server side after encryption (as second-level private key data), while generation, decryption and use of the private key data take place on the client (user terminal).
An embodiment of the present application discloses a method for managing user certificates and private keys, applied in an RA server. Referring to Fig. 1 to Fig. 4, the process may include:
Step S101: obtain the request information sent by the user;
Step S102: determine the information type of the request information. When the request information is certificate request information encrypted with the first public key, execute step S103; when the user request information is a user certificate and private key data acquisition protocol request encrypted with the first public key, execute step S201; when the user request information is information, encrypted with the first public key, requesting modification of the certificate private key data encryption key, execute step S401;
Referring to Fig. 1:
Step S103: generate a first random code and send it to the user encrypted with the first private key, the first public key and the first private key being a public/private key pair; execute step S104;
In this step, the RA server generates a new random number (as the first random code), encrypts it with its own private key (the first private key) and sends it to the user;
Step S104: obtain, as sent by the user and encrypted with the first public key, the certificate request information, the user unique index identifier and the first random code; execute step S105;
The user generates certificate request information and its own public/private key pair (the user-side key pair). After receiving the first random code, the user encrypts the certificate request information, the user unique index identifier and the first random code together with the RA server's public key (the first public key) and sends them to the RA server;
Step S105: determine whether the user unique index identifier exists in the database; if so, execute step S106, otherwise execute step S107;
After receiving the user unique index identifier sent by the user, the RA server compares it with the existing records in its database. If the RA server finds no active user certificate and private key ciphertext under that user unique index identifier, the identifier does not exist in the database and the process goes to step S107; otherwise step S106 is executed: a message indicating that the check of the user unique index identifier failed is encrypted with the server's own private key and sent to the user, and the requested operation fails;
Step S106: output to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier failed; execute step S108;
In this step, the RA server encrypts the message indicating that the check of the user unique index identifier succeeded with its own private key and sends it to the user;
Step S107: send to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded;
Step S108: obtain, as sent by the user and encrypted with the first public key, the second-level private key data, the first random code and the second public key, the second-level private key data being the private key data corresponding to the second public key, encrypted with a symmetric key; execute step S109;
In this step, the user encrypts its private key data with its own symmetric key, then encrypts the encrypted private key data, the first random code and the user's own second public key together with the RA server's public key and sends them to the RA server;
Step S109: write the certificate request information, the user unique index identifier, the second public key and the second-level private key data into the pending certificate request list;
In this step, the RA server writes the certificate request information, the user unique index identifier, the user's public key (the second public key), the encrypted user private key data (the second-level private key data) and related information together into the pending certificate request list. After step S109, the RA server may also notify the user by encrypting a user certificate request success message with its own private key and sending it to the user.
Fig. 2 shows the procedure carried out after the application receives the certificate private key data request sent by the user and encrypted with the first public key. Specifically:
Step S201: generate a second random code and send it to the user, encrypted with the first private key;
In this step, the RA server generates a new random number (the second random code), encrypts it with its own private key and sends it to the user;
Step S202: obtain the user's unique index identifier and the second random code sent by the user, encrypted with the first public key;
In this step, the user encrypts his own unique index identifier together with the received second random code using the RA server's public key and sends the result to the RA server;
Step S203: determine whether the user's unique index identifier exists in the database; if so, execute step S204, otherwise execute step S205;
In this step, the RA server compares the received user unique index identifier with the existing records in its database. If the RA server's valid certificate list contains a record corresponding to the identifier, go to step S204; otherwise execute step S205 and send the corresponding error message, encrypted with the RA server's own private key, to the user; the requested operation fails;
Step S204: send the user the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key;
In this step, the RA server combines the certificate data corresponding to the user's unique index identifier, the encrypted private key data (second-level private key data) and the second random code, encrypts them with its own private key and sends them to the user;
Step S205: send the user a message, encrypted with the first private key, indicating that the requested operation failed;
In this step, after receiving the certificate and private key data, the user encrypts a success message with the RA server's public key and sends it to the RA server.
Referring to Fig. 3, after step S204 the method may further include:
Step S206: determine whether the user has received the data sent in step S204; if not, execute step S204;
That is, determine whether, within a preset time period, a message sent by the user has been received indicating that the user obtained the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key.
Referring to Fig. 4:
Step S401: determine whether a message from the user requesting modification of the certificate private key data encryption key has been received; if so, execute step S402;
The scheme in Fig. 4 builds on successful completion of the scheme in Fig. 2, i.e. step S401 is carried out after step S204;
Step S402: generate a third random code and send it to the user, encrypted with the first private key, then execute step S403;
In this step, the RA server generates a new random number (the third random code), encrypts it with its own private key and sends it to the user;
Step S403: obtain the user's unique index identifier and the second-level third random code sent by the user, encrypted with the first public key, then execute step S404; the second-level third random code is the third random code after encryption with the private key data;
In this step, the user encrypts the received third random code with his own private key data, combines his unique index identifier and this ciphertext (the third random code encrypted with the user's private key data) into one data group, encrypts the group with the RA server's public key and sends it to the RA server;
Step S404: use the first private key to decrypt the user's unique index identifier and the second-level third random code that were encrypted with the first public key, then execute step S405;
In this step, the RA server uses its own private key to decrypt the user's unique index identifier and the second-level third random code that were encrypted with the first public key;
Step S405: determine whether a user certificate and private key ciphertext corresponding to the user's unique index identifier exist; if so, execute step S406, otherwise execute step S407;
In this step, the decrypted user unique index identifier is compared with the existing records on the RA server. If the RA server finds an active user certificate and private key ciphertext under that identifier, execute step S406; otherwise execute step S407;
Step S406: decrypt the second-level third random code with the second public key to obtain the random plaintext, and determine whether the random plaintext matches the third random code; if so, execute step S408, otherwise execute step S407;
In this step, the second-level third random code is decrypted with the user's public key (the second public key) to obtain the random number plaintext (random plaintext), which is compared with the third random code that the RA server sent to the user. If the two are identical, execute step S408; otherwise execute step S407 and send the user a message, encrypted with the RA server's own private key, that verification of the user private key data encryption key modification request failed; the requested operation fails;
Step S407: send the user a message, encrypted with the first private key, indicating that the requested operation failed;
Step S408: send the user a message, encrypted with the first private key, indicating that the user private key data encryption key modification request was verified successfully, then execute step S409;
In this step, the RA server encrypts the message that the user private key data encryption key modification request was verified successfully with its own private key and sends it to the user;
Step S409: obtain the new second-level private key data and the third random code sent by the user, encrypted with the first public key, then execute step S410; the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key;
In this step, the user decrypts the encrypted private key data (second-level private key data) with his own symmetric key to obtain the private key data plaintext, then encrypts that plaintext with his modified symmetric key to obtain the new second-level private key data. The user then encrypts the new second-level private key data together with the third random code using the RA server's public key and sends the result to the RA server;
Step S410: update the second-level private key data with the new second-level private key data;
In this step, the RA server replaces the previous second-level private key data with the new second-level private key data. After step S410, the RA server may also notify the user by sending a message, encrypted with its own private key, that the user private key data encryption key was modified successfully.
In the method disclosed in the above embodiments, the user's unique index identifier is data that characterizes the user and is unique. Considering that in cloud computing or transparent computing models the client system may have no local storage capability, or no reliable local storage capability, and considering the absolute confidentiality required of the private key information, this method stores the user certificate and the ciphertext of the user's private key information (second-level private key data) on the server side. In the present invention the private key information ciphertext must be stored using the unique identity of the private key holder (the unique index identifier) as the index, so that storage, lookup and retrieval are orderly. The uniqueness of the user's unique index identifier can be guaranteed either by strict cryptographic principles or by the natural properties of the identifier. In practice, one suitable scheme is to use the applicant's ID card number directly as the user's unique index identifier, or to use some unique identifier generated from the ID card number.
In the technical solution disclosed in the above embodiments of the present invention, the encrypted user private key data (second-level private key data) is stored on the server side. The user's public and symmetric keys are generated, and the second-level private key data is decrypted and used, on the client. The user holds the decryption key for the second-level private key data and can decrypt it and use the resulting private key data (the second private key). Only the user himself can therefore obtain and use his own private key data, which effectively guarantees the security of the user's private key data. In practice, one suitable scheme is for the generation of the user's public/private key data, and the decryption and use of the private key data, to be carried out in the client application that actually uses the user certificate and symmetric key.
In the above scheme, the user applies for, legitimately obtains and modifies the user certificate and second-level private key data by means of the secure user certificate application protocol (steps S101-S109), the user certificate and private key data acquisition protocol (steps S201-S205) and the user private key data encryption key modification protocol (steps S401-S410), all of which are suited to cloud computing and transparent computing models. In summary, the user certificate application protocol, the user certificate and private key data acquisition protocol and the user private key data encryption key modification protocol of the invention have the following characteristics:
Random codes are used in the protocols to prevent replay attacks;
The user certificate and symmetric key are generated on the client;
The user holds his own encryption key; the private key data is encrypted with this key before being transmitted to and stored on the server side;
The user holds his own decryption key; after obtaining the second-level private key data from the server side, the user decrypts it with this key for final use.
The following analyzes the effect of common attack methods on the above user certificate application protocol, user private key data acquisition protocol and user private key data encryption key modification protocol.
Network eavesdropping
In the above method, during key application and retrieval the symmetric key with which the user encrypts his private key data is never transmitted over the network, and the private key data itself is transmitted only after encryption, so a network eavesdropping attack is ineffective. The user's application information and unique index identifier are both transmitted encrypted with the server's public key, and the request the user sends in the private key data encryption key modification protocol is also transmitted encrypted with the user's private key, so an eavesdropper cannot obtain useful information from intercepted messages.
Replay attack
Because the certificate server chooses a different random code each time, a later request cannot be completed by replaying a previously intercepted request message.
Brute-force guessing attack on the symmetric key
Because the user's protection of his private key data rests on a symmetric key algorithm, brute-force guessing of the symmetric key is also an important attack type. For this reason, the RA server may consider adding a strength check for the symmetric key to the key application client program. For example, if a password is used as the symmetric key, defects such as a password that is too short, a password that is the user name, or a password that is a single English word must be avoided. Provided that the user's symmetric key and the symmetric encryption algorithm used (for example the AES256 encryption algorithm) are sufficiently resistant to attack, the protocol can be considered secure against brute-force guessing of the symmetric key. In addition, this protocol family lets the user change the private key data encryption key, which further improves the security of the protocol.
Man-in-the-middle attack
Because the data messages sent from the user to the server are transmitted encrypted with the server's public key, an attacker using session hijacking cannot obtain more useful information than by network eavesdropping, i.e. the protocol is secure against man-in-the-middle attack.
The above four points show that the method disclosed in the above embodiments can effectively resist network eavesdropping, replay attacks, brute-force guessing attacks on the symmetric key and man-in-the-middle attacks, i.e. the protocol is secure against existing attack means.
The invention proposes a method for managing user certificates and private keys that is suited to cloud computing and transparent computing models. Compared with other schemes, its main advantages are:
First, because the design is based on the RA server storing the user's private key in encrypted form, the scheme needs no external key storage device, which saves hardware cost and reduces implementation complexity while keeping the digital certificate system secure.
Second, the generation, encryption and decryption of the private key data are all carried out on the user side, which effectively reduces the load on the server and increases the scalability of the system. At the same time, the plaintext of the user's private key data exists only on the client, or more precisely only within the client process of the digital certificate system, which further improves the security of the system.
Finally, the security analysis of the user certificate application protocol, the user private key data acquisition protocol and the user private key data encryption key modification protocol shows that the protocols can effectively resist network eavesdropping, replay attacks, brute-force guessing attacks on the symmetric key and man-in-the-middle attacks, i.e. the protocol is secure against existing attack means.
So that the technical solution disclosed in the above embodiments can be understood in more detail, the method is further illustrated by concrete examples with reference to Figs. 5-7. Fig. 5 describes an embodiment of the secure user certificate application protocol. The symbols in the figures have the following meanings: Info is the certificate request information; K_S is the RA server public key (first public key) and K_S^{-1} is the RA server private key (first private key); K_U is the certificate requester's public key (second public key) and K_U^{-1} is the certificate requester's private key (second private key); Na is the random code generated by the RA server; Id_U is the user's unique index identifier; K_EU is the symmetric key with which the user encrypts his own private key and K'_EU is the new symmetric key with which the user encrypts his own private key; m_1 to m_13 are messages identifying specific protocol steps, namely m_1 (user certificate request), m_2 (unique index identifier check succeeded), m_3 (unique index identifier check failed), m_4 (certificate request processed successfully), m_5 (user certificate private key data request), m_6 (certificate request not yet reviewed), m_7 (certificate request rejected), m_8 (certificate revoked), m_9 (user unique index identifier verification error), m_10 (user certificate private key data request processed successfully), m_11 (user requests modification of the certificate private key data encryption key), m_12 (user private key check error) and m_13 (user's request to modify the certificate private key data encryption key processed successfully); C is the user's certificate; and Hash3 is a monodrome hash function.
Assume that at this point the user has already obtained the RA server's published digital certificate (the first public key) from the digital certificate system.
The steps of the user certificate application protocol are described in detail below with reference to Fig. 5:
Step 1: the user sends a {m_1}K_S message to the RA server, requesting a certificate;
Step 2: the RA server generates the random code Na and sends a {Na}K_S^{-1} message to the user;
Step 3: the user generates the certificate request information Info, encrypts it together with his own unique index identifier Id_U and Na using the RA server public key K_S, and sends the resulting data Data1 to the RA server:
Data1 = {Info, Id_U, Na}K_S;
Step 4: after receiving the user's unique index identifier Id_U, the RA server compares it with the existing records in its database (including the list of certificate requests awaiting approval, the list of certificate requests that failed approval, the valid certificate list and the revoked certificate list). If the RA server finds no duplicate of the user's unique index identifier, go to step 5; otherwise send a {m_3}K_S message to the user; the requested operation fails;
Step 5: the RA server sends a {m_2}K_S message to the user;
Step 6: the user encrypts his private key data K_U^{-1} with his own symmetric key K_EU, then encrypts the result together with Na and his own public key K_U using the RA server public key K_S, and sends the resulting data Data2 to the RA server:
Data2 = {{K_U^{-1}}K_EU, K_U, Na}K_S;
Of course, in some specific protocols, for example the standard certificate request of the international standard ITU-T X.509, K_U is already included, which means the Info sent in step 3 already contains K_U. In that case this step may omit K_U and send only {{K_U^{-1}}K_EU, Na}K_S to the RA server.
Step 7: the RA server writes the certificate request information Info, the user's unique index identifier Id_U, the user's public key K_U and the encrypted user private key data {K_U^{-1}}K_EU together into the list of certificate requests awaiting approval;
Step 8: the RA server sends a {m_4}K_S message to the user.
If the user certificate request generation phase completes successfully, the "list of certificate requests awaiting approval" in the server database contains a record for the user, comprising data items such as the certificate request information, the user identifier and the encrypted private key data, and the RA server can now review the application. If the application is not approved, the record is transferred directly to the "list of certificate requests that failed approval". If the application is approved, the method may further include: passing the data of this record to the CA server, which uses its own private key and certificate to sign the certificate request, generates the user certificate and returns the certificate data to the RA server; the RA server then writes the data items such as the certificate data, the user identifier and the encrypted private key data into the "valid certificate list".
The steps of the user private key data acquisition protocol are described in detail below with reference to Fig. 6:
Step S11: the user sends a {m_5}K_S message to the RA server, requesting the certificate private key data;
Step S12: the RA server generates the random code Na and sends a {Na}K_S^{-1} message to the user;
Step S13: the user encrypts his own unique index identifier together with the random code obtained in step S12 using the RA server public key, and sends the resulting data Data3 to the RA server;
Data3 = {Id_U, Na}K_S;
Step S14: the RA server compares the received user unique index identifier with the existing records in its database ("list of certificate requests awaiting approval", "list of certificate requests that failed approval", "valid certificate list" and "revoked certificate list"). If the RA server's valid certificate list contains a record corresponding to the user's unique index identifier, go to step S15; otherwise return the relevant error message {m_6}K_S^{-1}, {m_7}K_S^{-1}, {m_8}K_S^{-1} or {m_9}K_S^{-1} to the user; the data request fails;
Step S15: the RA server combines the certificate data corresponding to the user's unique index identifier with the private key data encrypted under K_EU, encrypts them with K_S^{-1} and sends the resulting Data4 to the user:
Data4 = {C, {K_U^{-1}}K_EU, Na}K_S^{-1};
The user sends a {m_10}K_S message to the RA server.
The steps of the user private key data encryption key modification protocol are described in detail below with reference to Fig. 7:
Step S21: the user sends a {m_5}K_S message to the RA server, requesting the certificate private key data;
Step S22: the RA server generates the random code Na1 and sends a {Na1}K_S^{-1} message to the user;
Step S23: the user encrypts his own unique index identifier together with the random code obtained in step S22 using the RA server public key, and sends the resulting data Data5 to the RA server;
Data5 = {Id_U, Na}K_S;
Step S24: the RA server compares the received user unique index identifier with the existing records in its database ("list of certificate requests awaiting approval", "list of certificate requests that failed approval", "valid certificate list" and "revoked certificate list"). If the RA server's valid certificate list contains a record corresponding to the user's unique index identifier, go to step S25; otherwise return the relevant error message {m_6}K_S^{-1}, {m_7}K_S^{-1}, {m_8}K_S^{-1} or {m_9}K_S^{-1} to the user; the data request fails;
Step S25: the RA server combines the certificate data corresponding to the user's unique index identifier with the private key data encrypted under K_EU, encrypts them with K_S^{-1} and sends the resulting Data6 to the user:
Data6 = {C, {K_U^{-1}}K_EU, Na1}K_S^{-1};
Step S26: the user sends a {m_11}K_S message to the RA server, requesting modification of the certificate private key data encryption key;
Step S27: the RA server generates a new random code Na2 and sends a {Na2}K_S^{-1} message to the user;
Step S28: the user encrypts the random code with his own private key data to obtain the random code ciphertext, combines his unique index identifier and the random code ciphertext into one data group, encrypts the group with K_S^{-1} and sends the resulting data Data7 to the RA server;
Data7 = {Id_U, {Na2}K_U^{-1}}K_S;
Step S29: the RA server decrypts Data7 with K_S^{-1} and compares the user's unique index identifier it contains with the existing records. The RA server compares the received user unique index identifier with the existing records in its database ("list of certificate requests awaiting approval", "list of certificate requests that failed approval", "valid certificate list" and "revoked certificate list"). If the RA server's valid certificate list contains no record corresponding to the user identifier, the relevant error message {m_6}K_S^{-1}, {m_7}K_S^{-1}, {m_8}K_S^{-1} or {m_9}K_S^{-1} is returned to the user and the data request fails. If the RA server's valid certificate list contains a record corresponding to the user identifier, the RA server obtains the user's second public key, decrypts the random code ciphertext to obtain the random code plaintext, and compares it with the random code that the RA server sent to the user. If the two are identical, go to step S30; otherwise return the relevant error message {m_12}K_S^{-1} to the user; the requested operation fails.
Step S30: the RA server sends a {m_13}K_S^{-1} message to the user, indicating that the user private key data encryption key modification request was verified successfully;
Step S31: the user decrypts the encrypted private key data with his own symmetric key to obtain the private key data plaintext, then encrypts the plaintext with his modified symmetric key. The user then encrypts the new private key data ciphertext together with Na2 using K_S and sends the resulting data Data8 to the RA server;
Data8 = {{K_U^{-1}}K'_EU, Na2}K_S;
Step S32: the RA server replaces the previous user private key data ciphertext with the new private key data ciphertext, i.e. replaces {K_U^{-1}}K_EU with {K_U^{-1}}K'_EU;
Step S33: the RA server sends a {m_13}K_S^{-1} message to the user.
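The server-side checks of the encryption key modification protocol (steps S402-S410, i.e. steps S27-S33 of Fig. 7) and the replay argument in the attack analysis can be exercised with the following Python code, which is an added example and not code from the patent. It assumes the outer K_S / K_S^{-1} layer is handled elsewhere, uses a constructed toy RSA key without padding in place of the user's key pair, and the names RAServer, user_prove, NONCE_TTL and the user id are hypothetical.

```python
import hmac
import secrets
import time

# Constructed toy RSA key standing in for the user's pair (K_U, K_U^-1).
# Two Mersenne primes: far too small and too structured for real use.
_P, _Q = 2**127 - 1, 2**107 - 1
USER_N, USER_E = _P * _Q, 65537
USER_D = pow(USER_E, -1, (_P - 1) * (_Q - 1))

NONCE_TTL = 60.0  # assumed lifetime of a challenge, in seconds


def user_prove(nonce, d=USER_D, n=USER_N):
    """Client side of S403: {Na2}K_U^-1 as textbook RSA (no padding)."""
    return pow(int.from_bytes(nonce, "big"), d, n)


class RAServer:
    """Server side of S402-S410; the outer K_S / K_S^-1 layer is omitted."""

    def __init__(self, clock=time.monotonic):
        self.valid = {}    # Id_U -> {"pub": (e, n), "wrapped": bytes}
        self.pending = {}  # Id_U -> {"nonce", "proved", "expires"}
        self.clock = clock

    def enroll(self, user_id, pub, wrapped):
        """Stand-in for an approved request landing in the valid list."""
        self.valid[user_id] = {"pub": pub, "wrapped": wrapped}

    def challenge(self, user_id):
        """S402: issue a fresh third random code, discarding any older one."""
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = {"nonce": nonce, "proved": False,
                                 "expires": self.clock() + NONCE_TTL}
        return nonce

    def _live(self, user_id):
        """Return the unexpired challenge state for this user, if any."""
        state = self.pending.get(user_id)
        if state is not None and self.clock() > state["expires"]:
            del self.pending[user_id]
            return None
        return state

    def prove(self, user_id, proof):
        """S404-S408: returns the page's message code m9, m12 or m13."""
        record = self.valid.get(user_id)
        if record is None:
            return "m9"
        state = self._live(user_id)
        e, n = record["pub"]
        if state is None or not isinstance(proof, int) or not 0 <= proof < n:
            self.pending.pop(user_id, None)
            return "m12"
        size = (n.bit_length() + 7) // 8
        recovered = pow(proof, e, n).to_bytes(size, "big")
        expected = state["nonce"].rjust(size, b"\x00")
        if not hmac.compare_digest(recovered, expected):
            del self.pending[user_id]  # a failed proof burns the challenge
            return "m12"
        state["proved"] = True
        return "m13"

    def update(self, user_id, nonce, new_wrapped):
        """S409-S410: swap the stored ciphertext once, then retire the nonce."""
        state = self._live(user_id)
        if (state is None or not state["proved"]
                or not hmac.compare_digest(nonce, state["nonce"])):
            return False
        self.valid[user_id]["wrapped"] = new_wrapped
        del self.pending[user_id]
        return True


if __name__ == "__main__":
    ra = RAServer()
    ra.enroll("id-001", (USER_E, USER_N), b"{K_U^-1}K_EU (opaque blob)")
    na2 = ra.challenge("id-001")
    proof = user_prove(na2)
    print(ra.prove("id-001", proof))                    # first use
    print(ra.update("id-001", na2, b"{K_U^-1}K'_EU"))   # first use
    print(ra.update("id-001", na2, b"replayed Data8"))  # replayed update
    print(ra.prove("id-001", proof))                    # replayed proof
```

The server never sees K_EU or the private key plaintext; it only swaps one opaque ciphertext for another, and a captured proof or update message is useless once its random code has been retired.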
Corresponding to the method disclosed in the above embodiments, the application also discloses a system that uses the method. Referring to Fig. 8, the system includes:
Acquisition unit 100, for obtaining the data sent by the user;
Information transmitting unit 200, for sending data to the user;
First data processing unit 300, which corresponds to step S103 and is used, when the acquisition unit 100 obtains certificate request information encrypted with the first public key, to generate a first random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200; the first public key and the first private key form a public/private key pair;
Second data processing unit 400, which corresponds to steps S104-S107 and is used, when the acquisition unit 100 obtains the certificate request information, the user's unique index identifier and the first random code encrypted with the first public key, to determine whether the user's unique index identifier exists in the database; if so, it outputs to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that the check of the user's unique index identifier failed; otherwise, it sends to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that the check of the user's unique index identifier succeeded;
Third data processing unit 500, which corresponds to steps S108-S109 and is used, when the acquisition unit 100 obtains the second-level private key data, the first random code and the second public key encrypted with the first public key, to write the certificate request information, the user's unique index identifier, the second public key and the second-level private key data into the list of certificate requests awaiting approval, where the second-level private key data is the private key data corresponding to the second public key after encryption with the symmetric key.
Corresponding to step S202 of the above method, the first data processing unit 300 is also used to:
When the acquisition unit 100 obtains the user certificate and private key data acquisition protocol request encrypted with the first public key, generate a second random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200;
Referring to Fig. 9, corresponding to steps S203-S205 of the above method, the user certificate and private key management system further includes:
Fourth data processing unit 600, which, when the acquisition unit 100 obtains the user's unique index identifier and the second random code encrypted with the first public key, determines whether the user's unique index identifier exists in the database; if so, it sends to the user through the information transmitting unit 200 the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, it sends to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that the requested operation failed.
Corresponding to step S206 of the above method, the user certificate and private key management system further includes:
Judging unit 700, which is used, after the fourth data processing unit 600 has sent to the user through the information transmitting unit 200 the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to determine whether the acquisition unit 100 obtains within a preset time period a message sent by the user indicating that the user received the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key; if not, it controls the fourth data processing unit 600 to send the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, to the user again through the information transmitting unit 200.
Corresponding to step S402 of the above method, in the above user certificate and private key management system the first data processing unit 300 is also used to:
After the fourth data processing unit 600 has sent to the user through the information transmitting unit 200 the certificate data corresponding to the user's unique index identifier, the second-level private key data and the second random code, encrypted with the first private key, and when the acquisition unit 100 obtains a message requesting modification of the certificate private key data encryption key, generate a third random code and send it to the user, encrypted with the first private key, through the information transmitting unit 200;
Corresponding to the above method, the user certificate and private key management system further includes:
Fifth data processing unit 800, which corresponds to steps S403-S408 and is used, after the acquisition unit 100 obtains the user's unique index identifier and the second-level third random code encrypted with the first public key, to decrypt them with the first private key and to determine whether a user certificate and private key ciphertext corresponding to the user's unique index identifier exist; if so, it decrypts the second-level third random code with the second public key to obtain the random plaintext and determines whether the random plaintext matches the third random code; if they match, it sends to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that the user private key data encryption key modification request was verified successfully; if no user certificate and private key ciphertext corresponding to the user's unique index identifier exist, or the random plaintext does not match the third random code, it sends to the user through the information transmitting unit 200 a message, encrypted with the first private key, indicating that the requested operation failed; the second-level third random code is the third random code after encryption with the private key data;
Sixth data processing unit 900, which corresponds to steps S409-S410 and is used, after the acquisition unit 100 obtains the new second-level private key data and the third random code encrypted with the first public key, to update the second-level private key data with the new second-level private key data, where the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
For convenience of description, it is divided into various modules when description system above with function to describe respectively.Certainly, implementing this
The function of each module can be realized in the same or multiple software and or hardware when application.
The embodiments in this specification are described in a progressive manner; identical and similar parts of the embodiments may be cross-referenced, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant details, see the description of the method embodiments. The system embodiments described above are only schematic: the units described as separate parts may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
It should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise", or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article, or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article, or device that includes that element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A management method for user certificates and private keys, characterized by comprising:
obtaining request information sent by a user;
when the request information is certificate request information encrypted with a first public key:
generating one group of first random code and sending it to the user encrypted with a first private key, the first public key and the first private key being a public-private key pair;
obtaining the certificate request information, a user unique index identifier, and the first random code sent by the user and encrypted with the first public key;
judging whether the user unique index identifier exists in a database; if so, outputting to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier failed; otherwise, sending to the user information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded;
after sending to the user the information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded, obtaining second-level private key data, the first random code, and a second public key sent by the user and encrypted with the first public key, the second-level private key data being private key data that corresponds to the second public key and has been encrypted with a symmetric key;
writing the certificate request information, the user unique index identifier, the second public key, and the second-level private key data into a pending integer request list.
2. The management method for user certificates and private keys according to claim 1, characterized by further comprising:
obtaining certificate and private key data request information sent by the user and encrypted with the first public key;
generating one group of second random code and sending it to the user encrypted with the first private key;
obtaining the user unique index identifier and the second random code sent by the user and encrypted with the first public key;
judging whether the user unique index identifier exists in the database; if so, sending to the user the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key; if not, sending to the user information, encrypted with the first private key, indicating that the requested operation failed.
3. The management method for user certificates and private keys according to claim 2, characterized in that, after the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
judging whether information sent by the user, indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code encrypted with the first private key, is obtained within a preset time period; if not, sending to the user again the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key.
4. The management method for user certificates and private keys according to claim 2, characterized in that, after the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key, are sent to the user, the method further comprises:
judging whether information sent by the user, requesting modification of the certificate private key data encryption key, is obtained; if so, continuing;
generating one group of third random code and sending it to the user encrypted with the first private key;
obtaining the user unique index identifier and a second-level third random code sent by the user and encrypted with the first public key, the second-level random code being the third random code after encryption with the private key data;
decrypting, with the first private key, the user unique index identifier and the second-level third random code encrypted with the first public key;
judging whether a user integer and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypting the second-level third random code with the second public key to obtain a random plaintext, and judging whether the random plaintext is consistent with the third random code; if consistent, sending to the user a message, encrypted with the first private key, indicating that the user's private key data encryption key modification application information was verified successfully; if no user integer and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext is inconsistent with the third random code, sending to the user information, encrypted with the first private key, indicating that the requested operation failed;
obtaining new second-level private key data and the third random code sent by the user and encrypted with the first public key, the new second-level private key data being obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext being obtained by the user decrypting the second-level private key data with the original symmetric key;
updating the second-level private key data with the new second-level private key data.
5. The management method for user certificates and private keys according to any one of claims 1-4, characterized in that the user unique index identifier is unique data information used to characterize user information.
6. A management system for user certificates and private keys, characterized by comprising:
an acquisition unit, configured to obtain data information sent by a user;
an information transmitting unit, configured to send data information to the user;
a first data processing unit, configured to, when the acquisition unit obtains certificate request information encrypted with a first public key, generate one group of first random code and send it to the user, encrypted with a first private key, through the information transmitting unit, the first public key and the first private key being a public-private key pair;
a second data processing unit, configured to, when the acquisition unit obtains the certificate request information, a user unique index identifier, and the first random code encrypted with the first public key, judge whether the user unique index identifier exists in a database; if so, output to the user through the information transmitting unit information, encrypted with the first private key, indicating that the check of the user unique index identifier failed; otherwise, send to the user through the information transmitting unit information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded;
a third data processing unit, configured to, after the information, encrypted with the first private key, indicating that the check of the user unique index identifier succeeded is sent to the user, and when the acquisition unit obtains second-level private key data, the first random code, and a second public key encrypted with the first public key, write the certificate request information, the user unique index identifier, the second public key, and the second-level private key data into a pending integer request list, wherein the second-level private key data is private key data that corresponds to the second public key and has been encrypted with a symmetric key.
7. The management system for user certificates and private keys according to claim 6, characterized in that the first data processing unit is further configured to:
when the acquisition unit obtains a user certificate and private key data acquisition protocol encrypted with the first public key, generate one group of second random code and send it to the user, encrypted with the first private key, through the information transmitting unit;
the management system for user certificates and private keys further comprises:
a fourth data processing unit, configured to, when the acquisition unit obtains the user unique index identifier and the second random code encrypted with the first public key, judge whether the user unique index identifier exists in the database; if so, send to the user through the information transmitting unit the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key; if not, send to the user through the information transmitting unit information, encrypted with the first private key, indicating that the requested operation failed.
8. The management system for user certificates and private keys according to claim 7, characterized by further comprising:
a judging unit, configured to, after the fourth data processing unit sends to the user through the information transmitting unit the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key, judge whether the acquisition unit obtains, within a preset time period, information sent by the user indicating that the user has received the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code encrypted with the first private key; if not, control the fourth data processing unit to send again to the user through the information transmitting unit the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key.
9. The management system for user certificates and private keys according to claim 7, characterized in that the first data processing unit is further configured to:
after the fourth data processing unit sends to the user through the information transmitting unit the certificate data corresponding to the user unique index identifier, the second-level private key data, and the second random code, encrypted with the first private key, and when the acquisition unit obtains information requesting modification of the certificate private key data encryption key, generate one group of third random code and send it to the user, encrypted with the first private key, through the information transmitting unit;
the management system for user certificates and private keys further comprises:
a fifth data processing unit, configured to, after the acquisition unit obtains the user unique index identifier and a second-level third random code encrypted with the first public key, decrypt the user unique index identifier and the second-level third random code with the first private key; judge whether a user integer and private key ciphertext corresponding to the user unique index identifier exist; if so, decrypt the second-level third random code with the second public key to obtain a random plaintext, and judge whether the random plaintext is consistent with the third random code; if consistent, send to the user through the information transmitting unit a message, encrypted with the first private key, indicating that the user's private key data encryption key modification application information was verified successfully; if no user integer and private key ciphertext corresponding to the user unique index identifier exist, or the random plaintext is inconsistent with the third random code, send to the user through the information transmitting unit information, encrypted with the first private key, indicating that the requested operation failed; wherein the second-level random code is the third random code after encryption with the private key data;
a sixth data processing unit, configured to, after the acquisition unit obtains new second-level private key data and the third random code encrypted with the first public key, update the second-level private key data with the new second-level private key data, wherein the new second-level private key data is obtained by the user encrypting the private key data plaintext with the modified symmetric key, and the private key data plaintext is obtained by the user decrypting the second-level private key data with the original symmetric key.
10. The management system for user certificates and private keys according to any one of claims 6-9, characterized in that the user unique index identifier is unique data information used to characterize user information.
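The key-modification exchange of claims 4 and 9, seen from the server's side, as an added example that is not code from the patent. It assumes toy primitives built only from the Python standard library (textbook RSA over a small constructed modulus for the user's key pair, and a PBKDF2/SHAKE-256/HMAC construction for the symmetric wrap), omits the transport encryption under the first key pair, and uses hypothetical names (`RewrapSession`, `wrap`, `unwrap`, `respond`).

```python
import hashlib
import hmac
import secrets

# Toy RSA pair standing in for the "second public key" and its private key.
# Built from two Mersenne primes (constructed values); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def _derive(passphrase: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def wrap(passphrase: str, private_key: bytes) -> bytes:
    """User side: produce the 'second-level private key data'."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(passphrase, salt)
    stream = hashlib.shake_256(enc_key).digest(len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def unwrap(passphrase: str, blob: bytes):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        return None  # wrong symmetric key or modified blob
    stream = hashlib.shake_256(enc_key).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def respond(challenge: bytes, d: int) -> int:
    """User side: the 'second-level third random code' (textbook RSA, no padding)."""
    return pow(int.from_bytes(challenge, "big"), d, N)


class RewrapSession:
    """Server side of one key-modification exchange."""
    def __init__(self, db: dict):
        self.db, self.verified_uid = db, None
        self.challenge = secrets.token_bytes(16)  # the third random code

    def verify(self, uid: str, response: int) -> bool:
        record = self.db.get(uid)
        if record is None:  # nothing stored for this identifier
            return False
        n, e = record["public_key"]
        ok = pow(response, e, n) == int.from_bytes(self.challenge, "big")
        self.verified_uid = uid if ok else None
        return ok

    def commit(self, challenge: bytes, new_blob: bytes) -> bool:
        if self.verified_uid is None or not hmac.compare_digest(challenge, self.challenge):
            return False
        self.db[self.verified_uid]["wrapped_key"] = new_blob
        self.verified_uid = None  # assumption: one update per verified challenge
        return True


def demo() -> dict:
    key = D.to_bytes((D.bit_length() + 7) // 8, "big")
    db = {"alice": {"public_key": (N, E), "wrapped_key": wrap("old passphrase", key)}}
    out, s = {}, RewrapSession(db)
    out["unknown_user"] = s.verify("nobody", respond(s.challenge, D))
    out["wrong_key"] = s.verify("alice", respond(s.challenge, D + 2))
    out["commit_unverified"] = s.commit(s.challenge, b"unverified blob")
    d = int.from_bytes(unwrap("old passphrase", db["alice"]["wrapped_key"]), "big")
    out["verified"] = s.verify("alice", respond(s.challenge, d))
    out["committed"] = s.commit(s.challenge, wrap("new passphrase", key))
    out["new_opens"] = unwrap("new passphrase", db["alice"]["wrapped_key"]) == key
    out["old_rejected"] = unwrap("old passphrase", db["alice"]["wrapped_key"]) is None
    return out
```

`demo()` returns the outcome of each step. The server only ever holds the wrapped blob and the second public key, so it can check the response without seeing either symmetric key or the private key plaintext.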
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610320149.7A CN105812388B (en) | 2016-05-13 | 2016-05-13 | A kind of management method and system of user certificate and private key |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105812388A CN105812388A (en) | 2016-07-27 |
CN105812388B true CN105812388B (en) | 2018-12-07 |
Family
ID=56456839
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610320149.7A Active CN105812388B (en) | 2016-05-13 | 2016-05-13 | A kind of management method and system of user certificate and private key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105812388B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10805080B2 (en) * | 2017-01-06 | 2020-10-13 | Microsoft Technology Licensing, Llc | Strong resource identity in a cloud hosted system |
CN109905243B (en) * | 2017-12-11 | 2022-06-03 | 航天信息股份有限公司 | Method and server for processing digital certificate updating request |
US11018871B2 (en) * | 2018-03-30 | 2021-05-25 | Intel Corporation | Key protection for computing platform |
DE102019206302A1 (en) | 2019-05-02 | 2020-11-05 | Continental Automotive Gmbh | Method and device for transmitting a boot code with improved data security |
CN112948851A (en) * | 2021-02-25 | 2021-06-11 | 深圳壹账通智能科技有限公司 | User authentication method, device, server and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103583030A (en) * | 2011-05-25 | 2014-02-12 | 阿尔卡特朗讯公司 | Method and apparatus for achieving data security in a distributed cloud computing environment |
CN104717217A (en) * | 2015-03-18 | 2015-06-17 | 电子科技大学 | Certifiable security data possession verifying method in cloud storage based on partial delegation |
CN104917772A (en) * | 2015-06-12 | 2015-09-16 | 深圳大学 | Access control system for cloud store service platform and access control method thereof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2584057T3 (en) * | 2010-08-12 | 2016-09-23 | Security First Corp. | System and method of secure remote data storage |
Also Published As
Publication number | Publication date |
---|---|
CN105812388A (en) | 2016-07-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||