CN106789025A - Private key log-off method based on public key management system - Google Patents
- Publication number
- CN106789025A (application CN201611259650.3A)
- Authority
- CN
- China
- Prior art keywords
- chip
- key
- private key
- public
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a private key log-off method based on a public key management system. The user's private key, together with the seed key and combination algorithm used to compute the public key, is stored in the non-volatile storage space of a chip, and a destruction program is set in that non-volatile storage space. When a user's certificate needs to be cancelled, the key management center (KMC) builds a dedicated communication transmission channel with the user's chip and remotely sends an instruction that activates the destruction program to destroy the chip's non-volatile storage space, thereby destroying the user's private key. This fundamentally ensures that the user's identity certificate is not misused and protects the user from information security risk.
Description
Technical field
The present invention relates to the technical field of security authentication, and in particular to a private key log-off (revocation) method based on a public key management system.
Background
As network and information applications continue to develop, security has become a central concern in network and information work, and authentication technology that guarantees transaction security is one of the major fields of information technology. The industry urgently needs to implement secure authentication and establish a trusted network system that provides services such as proof of uniqueness, proof of responsibility, and digital signatures for network transactions. After long development, two kinds of authentication system are currently popular worldwide: the first is implemented on Public Key Infrastructure (PKI) technology; the second is implemented on identity-based (IBE) algorithms.
Under the PKI (Public Key Infrastructure) system, digital certificates are managed as follows. The user's public and private keys are derived with an asymmetric algorithm; the private key is stored in the user's chip and the public key is sent to the CA (Certificate Authority). The CA uses digital signature techniques to bind the ID to the user's public key, encrypts (digitally signs) the ID-bound public key with the CA's private key, and thereby forms the user's digital certificate.
Under PKI, a user who needs to cancel a certificate must submit a revocation request to the CA. The CA promptly places the revoked certificate in the published CRL (Certificate Revocation List), and only then is the certificate regarded as invalid; in the meantime the user's revocation request must also be reviewed by the RAs (Registration Authorities) at each level. However, an invalidated certificate under PKI does not mean the key can no longer be used: if an attacker steals the private key of user A, whose digital certificate has been cancelled, signatures can still be made with A's private key. The CRL has no ability to forcibly stop digital signing with user A's key. Suppose a document is sent to user B with A's certificate attached. If B neglects to check the CRL, or the CA has not published an updated CRL in time, B will still successfully verify this illegitimate signature with A's certificate and will believe that A really signed the file. (If the CA updates the CRL very frequently, the CA's operating cost rises, but the loss that revoked certificates may cause is reduced. Conversely, lowering the CRL update frequency saves the CA this cost but increases the risk that users suffer losses because revoked certificates are not published in time.)
Certificate cancellation under the PKI public key management system therefore carries significant information security risks. First, the CA's record that a certificate has been cancelled cannot forcibly stop digital signing: the private key corresponding to the digital certificate is not actually destroyed, so signing and verification still work normally. Second, if a user neglects to check the CRL, or the CA does not publish a new CRL in time, users may fail to learn promptly that the other party's identity is no longer valid and may suffer losses. Third, updating the CRL frequently raises the CA's operating cost.
Summary of the invention
In view of the shortcomings of the prior art, the object of the present invention is to provide a key log-off method based on a public key management system that increases the security of private key log-off.
To achieve this object, the invention adopts the following technical solution:
A private key log-off method based on a public key management system, comprising the steps of:
When the chip is initialized, generating a private key from a random number using the SM2 algorithm, and computing the public key from the private key;
Storing the generated private key in the non-volatile storage space of the chip under hardware protection mode, and transmitting the computed public key to the key management center (KMC);
The KMC saving the public key of each chip to form a public key list, and computing over the chip's identifier with a HASH function, the resulting digest value serving as the storage location of the public key in the public key list;
The KMC generating a public/private key pair, and using this key pair together with the key pair generated at chip initialization to build a communication transmission channel with the chip;
Setting a destruction program in the non-volatile storage space of the chip;
After receiving a private key log-off command, the KMC sending an instruction to the corresponding chip over the communication transmission channel with that chip, activating the destruction program in the chip and destroying the private key stored in the non-volatile storage space.
Compared with the prior art, the beneficial effects of the invention are as follows:
When an illegitimate user must be stopped from carrying out activities with the crypto carrier (chip), and a user's certificate (the seed key and algorithm of the user's public key, and the user's private key) therefore needs to be cancelled, with this method the KMC builds a dedicated communication transmission channel with the chip and directly and remotely sends an instruction that activates the destruction program to destroy the data in the chip's non-volatile storage space, thereby destroying the user's private key and the public key computation method. This fundamentally ensures that the identity certificates of users of the relevant networks and information systems are not misused, and effectively protects legitimate users from information security harm.
Brief description of the drawings
Fig. 1 is a flow chart of the private key log-off method based on a public key management system according to the present invention.
Detailed description
The identity-authentication public key management system is an identity-based combined public key algorithm: using the mathematical properties of elliptic curve cryptography, it builds combination matrices of public and private seed keys and generates identity-based public/private key pairs through a mapping algorithm. Private keys are generated by the Key Management Center (KMC) and distributed to each entity user for safekeeping; the seed key and algorithm of the public key are published in matrix form and likewise distributed to users for safekeeping, so that any user can obtain the corresponding public key from the other party's identifier.
When a legitimate user actively revokes a certificate, or when a user's certificate must be forcibly cancelled (because the carrier is lost or for other reasons), the key (certificate) log-off method of the invention comprises the following steps, as shown in Fig. 1.
Step s101: when the chip (crypto carrier) is initialized, an SM2 private key is generated from a random number and the public key is computed from the private key. The private key is stored in non-volatile storage space under the chip's hardware protection mode; the public key is transmitted to the KMC. The KMC computes over the chip's identifier (serial number) with a HASH function, and the value of the resulting digest is preferably chosen as the storage position of the public key in the public key list. Using the same computation method, the KMC generates a public/private key pair for building the communication transmission channel with the chip. Using the public key generated at chip initialization and the KMC's private key, the KMC issues to the chip an instruction to establish the communication transmission channel (see the GM/T 0022-2014 IPSec VPN Technical Specification). The public/private key pair is generated by a mapping algorithm; specifically, the factory serial number of the chip is taken as an ID, and a public/private key pair is generated from this ID using the mapping algorithm.
Step s102: the chip responds to the KMC's instruction to establish the dedicated communication transmission channel, using the private key generated at chip initialization and the KMC's public key. The generated public key is bound to the chip's serial number to form the public key list; the list is stored at the KMC and may be hidden with a hash function.
Step s103: the KMC and the chip complete the key exchange for encrypting the dedicated communication transmission channel and establish the channel, and a destruction program is set in the non-volatile storage space of the chip.
Step s104: after a private key log-off instruction is received, the KMC sends the chip, over the dedicated communication transmission channel, an instruction to activate the destruction program.
Step s105: the chip's destruction program destroys the user's private key stored in the non-volatile storage space.
Once the data stored in the non-volatile storage space (the KMC's public key and the user's private key) has been destroyed, the holder of the chip, which serves as the carrier of the cryptographic technology, is forcibly prevented from carrying out activities that depend on the identity authentication system, including network access, information system login, and digital signing/verification. This effectively reduces the risk of intrusion and attack on the networks and information systems protected by the authentication system, and is an important technical means of building independently controllable network and information security assurance.
When the public key ID changes, or the private key is lost, leaked, or suspected of being leaked, continued use of the certificate could have more serious consequences, so the user's certificate must be cancelled. After receiving a certificate revocation instruction, the KMC builds a dedicated communication transmission channel with the corresponding chip and sends an instruction over it to that chip, activating the destruction program in the chip. The destruction program destroys the chip's non-volatile storage space, thereby destroying the user's private key and the public key computation method, making the key pair unusable and fundamentally ensuring that the user's identity certificate is not misused.
In a preferred embodiment, the KMC builds the dedicated communication transmission channel with the chip through key agreement, and the key agreement process follows the IKE specified in the GM/T 0022-2014 IPSec VPN Technical Specification.
The above detailed description is a specific illustration of feasible embodiments of the invention. These embodiments are not intended to limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the invention shall be included within the patent scope of this case.
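The following sketch is an added example, not code from the patent: it models steps s101 to s105 in Python, with the KMC's digest-indexed public key list and a destroy command that the chip authenticates before wiping its key. SM2 key generation, SM2 signing and the IKE key agreement are replaced by labelled stand-ins (random bytes, SHA-256, HMAC-SHA-256); the class names, the command encoding and the serial numbers are assumptions.

```python
import hashlib
import hmac
import os

DESTROY = b"DESTROY-PRIVATE-KEY"   # hypothetical command encoding


class Chip:
    """Crypto carrier whose non-volatile storage holds the private key."""

    def __init__(self, serial: str):
        self.serial = serial
        # Stand-ins: 32 random bytes for the SM2 private key, and their
        # SHA-256 digest for the public key computed from it (s101).
        self.nv = bytearray(os.urandom(32))
        self.public = hashlib.sha256(self.nv).digest()
        self.channel_key = None
        self.destroyed = False

    def sign(self, message: bytes) -> bytes:
        if self.destroyed:
            raise RuntimeError("private key has been destroyed")
        # Stand-in for an SM2 signature.
        return hmac.new(bytes(self.nv), message, hashlib.sha256).digest()

    def handle(self, frame: bytes) -> bool:
        """Run the destroy routine only for a command authenticated on this chip's channel (s105)."""
        if self.channel_key is None or len(frame) != len(DESTROY) + 32:
            return False
        command, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.channel_key, self.serial.encode() + command,
                            hashlib.sha256).digest()
        if command != DESTROY or not hmac.compare_digest(tag, expected):
            return False
        for i in range(len(self.nv)):   # overwrite the key material in place
            self.nv[i] = 0
        self.destroyed = True
        return True


class KMC:
    """Key management center: public key list plus one channel key per chip."""

    def __init__(self):
        self.public_keys = {}    # digest of chip serial -> public key
        self.channel_keys = {}   # chip serial -> channel key

    @staticmethod
    def slot(serial: str) -> str:
        # The digest of the chip identifier is the storage location, so the
        # list itself does not expose serial numbers.
        return hashlib.sha256(serial.encode()).hexdigest()

    def enroll(self, chip: Chip) -> None:
        self.public_keys[self.slot(chip.serial)] = chip.public
        key = os.urandom(32)     # stand-in for the negotiated session key (s102, s103)
        self.channel_keys[chip.serial] = key
        chip.channel_key = key

    def lookup(self, serial: str):
        return self.public_keys.get(self.slot(serial))

    def destroy_command(self, serial: str) -> bytes:
        # s104: the command is bound to one chip by its serial and channel key.
        key = self.channel_keys[serial]
        tag = hmac.new(key, serial.encode() + DESTROY, hashlib.sha256).digest()
        return DESTROY + tag


if __name__ == "__main__":
    kmc, chip = KMC(), Chip("SN-0001")   # constructed serial number
    kmc.enroll(chip)
    print("forged command accepted:", chip.handle(DESTROY + bytes(32)))
    print("genuine command accepted:", chip.handle(kmc.destroy_command("SN-0001")))
    print("key destroyed:", chip.destroyed)
```

Because destruction is irreversible, the chip-side check is the control that matters: a command that does not authenticate under that chip's own channel key leaves the private key intact.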
Claims (3)
1. A private key log-off method based on a public key management system, characterized by comprising the steps of:
When the chip is initialized, generating a private key from a random number using the SM2 algorithm, and computing the public key from the private key;
Storing the generated private key in the non-volatile storage space of the chip under hardware protection mode, and transmitting the computed public key to the key management center (KMC);
The KMC saving the public key of each chip to form a public key list, and computing over the chip's identifier with a HASH function, the resulting digest value serving as the storage location of the public key in the public key list;
The KMC generating a public/private key pair, and using this key pair together with the key pair generated at chip initialization to build a communication transmission channel with the chip;
Setting a destruction program in the non-volatile storage space of the chip;
After receiving a private key log-off command, the KMC sending an instruction to the corresponding chip over the communication transmission channel with that chip, activating the destruction program in the chip and destroying the private key stored in the non-volatile storage space.
2. The private key log-off method based on a public key management system according to claim 1, characterized by further comprising the step of:
The KMC applying hidden positioning to the public key list by means of a HASH function.
3. The private key log-off method based on a public key management system according to claim 2, characterized in that
the KMC builds the communication transmission channel with the chip using the SM2 algorithm and through key agreement, the key agreement process following the IKE specified in the GM/T 0022-2014 IPSec VPN Technical Specification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611259650.3A CN106789025A (en) | 2016-12-30 | 2016-12-30 | Private key log-off method based on public key management system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611259650.3A CN106789025A (en) | 2016-12-30 | 2016-12-30 | Private key log-off method based on public key management system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106789025A true CN106789025A (en) | 2017-05-31 |
Family
ID=58954684
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611259650.3A Pending CN106789025A (en) | 2016-12-30 | 2016-12-30 | Private key log-off method based on public key management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789025A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050246532A1 (en) * | 2004-04-30 | 2005-11-03 | Yi-Sheng Wang | Secure communication system and method |
CN101686127A (en) * | 2008-09-24 | 2010-03-31 | 北京创原天地科技有限公司 | Novel USBKey secure calling method and USBKey device |
CN101882194A (en) * | 2009-05-04 | 2010-11-10 | 同方股份有限公司 | Mobile storage device with remote self-destruction function |
CN102868526A (en) * | 2012-08-17 | 2013-01-09 | 上海华申智能卡应用系统有限公司 | Method and system for protecting smart card or universal serial bus (USB) key |
CN105915511A (en) * | 2016-04-13 | 2016-08-31 | 深圳市融钞科技有限公司 | Wireless communication method based on VPDN private network |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021179449A1 (en) | Mimic defense system based on certificate identity authentication, and certificate issuing method | |
AU2016287728B2 (en) | Confidential authentication and provisioning | |
EP2204008B1 (en) | Credential provisioning | |
CN110069918B (en) | Efficient double-factor cross-domain authentication method based on block chain technology | |
CN102271037B (en) | Based on the key protectors of online key | |
CN103684766B (en) | A kind of private key protection method of terminal use and system | |
CN109660485A (en) | A kind of authority control method and system based on the transaction of block chain | |
CN109687965B (en) | Real-name authentication method for protecting user identity information in network | |
CN110084068A (en) | Block catenary system and data processing method for block catenary system | |
CN101515319B (en) | Cipher key processing method, cipher key cryptography service system and cipher key consultation method | |
KR102177794B1 (en) | Distributed device authentication protocol in internet of things blockchain environment | |
CN110050437A (en) | The device and method of distributed certificate registration | |
CN104767731A (en) | Identity authentication protection method of Restful mobile transaction system | |
CN101686128A (en) | Novel usbkey external authentication method and Usbkey device | |
CN106953732B (en) | Key management system and method for chip card | |
CN103067160A (en) | Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD) | |
CN101686127A (en) | Novel USBKey secure calling method and USBKey device | |
Yang et al. | DAA-TZ: an efficient DAA scheme for mobile devices using ARM TrustZone | |
CN101610150A (en) | Third party's digital signature method and data transmission system | |
CN113051540A (en) | Application program interface safety grading treatment method | |
CN101118579B (en) | Verification permissive method and system | |
CN106992978A (en) | Network safety managing method and server | |
Schleiffer et al. | Secure key management-a key feature for modern vehicle electronics | |
CN104253692B (en) | Key management method and device based on SE | |
KR20200016506A (en) | Method for Establishing Anonymous Digital Identity |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20170531 |