CN106789025A - Private key log-off method based on public key management system - Google Patents

Publication number
CN106789025A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611259650.3A
Other languages
Chinese (zh)
Inventor
余智文
何宇坤
刘钰琴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHINA INFORMATION SECURITY INDUSTRY PARK
Original Assignee
CHINA INFORMATION SECURITY INDUSTRY PARK
Application filed by CHINA INFORMATION SECURITY INDUSTRY PARK
Priority to CN201611259650.3A
Publication of CN106789025A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 (under H04L9/32) using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3263 (under H04L9/32) involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 (under H04L9/3263) using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a private key log-off method based on a public key management system. The user's private key, together with the seed key and combination algorithm used to calculate the public key, is stored in the non-volatile storage space of a chip, and a destruction program is set in that non-volatile storage space. When a user's certificate needs to be cancelled, the KMC builds a dedicated communication transmission channel with the user's chip and remotely sends an instruction that activates the destruction program, which destroys the chip's non-volatile storage space and with it the user's private key. This fundamentally ensures that the user's identity certificate cannot be misused and protects the user from information security risks.

Description

Private key log-off method based on public key management system
Technical field
The present invention relates to the technical field of security authentication, and in particular to a private key log-off method based on a public key management system.
Background
As network and information applications continue to develop, security has become a central concern in network and information work. Authentication technology that guarantees transaction security is one of the major areas of information technology, and the industry urgently needs to implement security authentication and build a trusted network system that provides services such as proof of uniqueness, proof of accountability and digital signatures for network transactions. After long development, two authentication systems are currently in common use worldwide: one is the authentication system based on Public Key Infrastructure (PKI) technology; the other is the authentication system based on the identity-based (IBE) algorithm.
Under the PKI (Public Key Infrastructure) system, digital certificates are managed as follows: the user's public key and private key are derived with an asymmetric algorithm; the user's private key is saved in the user's chip and the public key is sent to the CA (Certificate Authority). The CA uses digital signature technology to bind the user ID to the user's public key, encrypts (digitally signs) the ID-bound public key with the CA's private key, and thereby forms the user's digital certificate.
Under PKI, a user who needs to cancel a certificate must submit a revocation request to the CA. The CA puts the revoked certificate into the published CRL (Certificate Revocation List) in time, after which the certificate is considered invalid; in the meantime the user's revocation request must also be reviewed by the RAs (Registration Authorities) at each level. However, an invalidated certificate under PKI does not mean the certificate can no longer be used: if an attacker steals the private key of user A, whose digital certificate has been cancelled, the attacker can still sign with A's private key. The CRL has no ability to forcibly stop digital signing on behalf of user A. Suppose the signed document is sent to user B with A's certificate attached. If B neglects to check the CRL, or the CA has not issued an updated CRL in time, then B can still successfully verify this illegitimate signature with A's certificate and will believe that A really signed the document. (If the CA updates the CRL very frequently, the CA's operating cost rises, but the loss that a revoked certificate may cause is reduced. Conversely, lowering the CRL update frequency saves the CA that cost but increases the risk that users suffer losses because a revoked certificate was not published in time.)
So under the PKI public key management system, certificate cancellation carries a significant information security risk. First, the CA's information that a certificate has been cancelled cannot forcibly terminate digital signature activity: the private key corresponding to the digital certificate is not actually destroyed and can still be used to sign and have its signatures verified normally. Second, if a user neglects to check the CRL, or the CA does not issue an updated CRL in time, the user fails to learn in time that the other party's identity is no longer valid and may suffer losses. Third, frequent CRL updates raise the CA's operating cost.
Summary of the invention
In view of the shortcomings of the prior art, the object of the invention is to provide a key log-off method based on a public key management system, to increase the security of private key log-off.
To achieve this object, the invention adopts the following technical scheme:
A private key log-off method based on a public key management system, comprising the steps of:
When the chip is initialized, a private key is generated from a random number using the SM2 algorithm, and the public key is calculated from the private key;
The generated private key is stored in the chip's non-volatile storage space in hardware-protected mode, and the calculated public key is transmitted to the KMC;
The KMC saves the public key of each chip to form a public key list and computes a HASH function over the chip's identifier; the resulting digest value is used as the storage location of the public key in the public key list;
The KMC generates a public/private key pair, and uses this key pair together with the key pair generated at chip initialization to build a communication transmission channel with the chip;
A destruction program is set in the chip's non-volatile storage space;
After receiving a private key log-off command, the KMC sends an instruction to the corresponding chip over the communication transmission channel between them, activating the destruction program in the chip, which destroys the private key stored in the non-volatile storage space.
Compared with the prior art, the beneficial effects of the invention are:
When a user certificate (the seed key and algorithm of the user's public key, and the user's private key) must be cancelled in order to stop an illegitimate user from carrying out activities with the cryptographic carrier (chip), in this method the KMC builds a dedicated communication channel with the chip and directly and remotely sends an instruction that activates the destruction program, which destroys the data in the chip's non-volatile storage space, thereby destroying the user's private key and the public key calculation. This fundamentally ensures that the identity certificates relied on by the relevant networks and information systems are not misused, and effectively protects legitimate users from information security harm.
Brief description of the drawings
Fig. 1 is a flow chart of the private key log-off method based on a public key management system according to the invention.
Detailed description of the embodiments
The identity-authentication public key management system uses an identifier-based combined public key algorithm. Using the mathematical properties of elliptic curve cryptography, it constructs combination matrices of public and private seed keys and generates identifier-based public/private key pairs through a mapping algorithm. The private key is generated by the Key Management Center (KMC) and distributed to each entity user for safekeeping; the public key seed key and algorithm are published in matrix form and also distributed to users for safekeeping, so that any user can obtain the corresponding public key from the other party's identifier.
When a legitimate user actively revokes a certificate, or when a user's certificate must be forcibly cancelled (the carrier is lost, or for other reasons), the key (certificate) log-off method of the invention comprises the following steps, as shown in Fig. 1.
Step s101: When the chip (cryptographic carrier) is initialized, it generates an SM2 private key from a random number and calculates the public key from the private key; the private key is stored in the non-volatile storage space in chip hardware-protected mode. The public key is transmitted to the KMC. The KMC computes a HASH function over the chip's identifier (serial number), and the resulting digest value is preferably chosen as the storage position of the public key in the public key list. The KMC generates a public/private key pair by the same calculation method, for building the communication transmission channel with the chip. Using the public key generated at chip initialization and the KMC's private key, the KMC sends the chip an instruction to establish the communication transmission channel (with reference to the GM/T 0022-2014 IPSec VPN technical specification). A mapping algorithm generates the public/private key pair: specifically, the serial number of the chip as shipped from the factory is taken as an ID, and a public/private key pair is generated from this ID using the mapping algorithm.
Step s102: Using the private key generated at chip initialization and the KMC's public key, the chip responds to the KMC's instruction to establish the dedicated communication transmission channel. The generated public key is bound to the chip's serial number to form the public key list; the public key list is stored at the KMC and may be hidden with a hash function.
Step s103: The KMC and the chip complete the key exchange for encrypting the dedicated communication transmission channel, establish the channel, and set the destruction program in the chip's non-volatile storage space.
Step s104: After receiving a private key log-off instruction, the KMC sends the chip an instruction to activate the destruction program over the dedicated communication transmission channel.
Step s105: The chip's destruction program destroys the user's private key stored in the non-volatile storage space.
After the data stored in the non-volatile storage space, namely the KMC's public key and the user's private key, are destroyed, the chip holder, for whom the chip is the cryptographic carrier, is forced to stop all activities that depend on the identity authentication system, including network access, information system login, and digital signing and signature verification. This effectively reduces the risk of intrusion and attack for the networks and information systems protected by the authentication system, and is an important technical means for building independently controllable network and information security assurance.
When the public key ID changes, or the private key is lost, leaked or suspected of being leaked, continued use of the certificate may cause more serious consequences, so the user's certificate needs to be cancelled. After receiving a certificate cancellation instruction, the KMC builds a dedicated communication transmission channel to the corresponding chip and sends an instruction over it that activates the destruction program in the chip. The destruction program destroys the chip's non-volatile storage space, thereby destroying the user's private key and the public key calculation, rendering the key pair unusable and fundamentally ensuring that the user's identity certificate is not misused.
As a preferred embodiment, the KMC builds the dedicated communication channel with the chip through key agreement, and the key agreement process follows the IKE specified in the "GM/T 0022-2014 IPSec VPN technical specification".
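The flow of steps s101 to s105, modelled as an added Python example that is not code from the patent: it shows the digest-derived position in the public key list and a chip that runs its destruction program only for an instruction authenticated under the channel key. Assumptions: SHA-256 stands in for the unnamed HASH function, random bytes stand in for the SM2 key pair and signature, an HMAC-SHA-256 tag under a random shared key stands in for the IKE-negotiated channel, and the class names, the `DESTROY|<chip id>` command format and the serial numbers are hypothetical.

```python
import hashlib
import hmac
import secrets

SLOTS = 1 << 16  # assumed size of the KMC public key list


def slot_for(chip_id: str) -> int:
    """Step s101: the digest of the chip identifier selects the storage position."""
    digest = hashlib.sha256(chip_id.encode()).digest()  # stand-in for the HASH function
    return int.from_bytes(digest[:4], "big") % SLOTS


class Chip:
    def __init__(self, chip_id: str):
        self.chip_id = chip_id
        # Non-volatile storage: 32 random bytes stand in for the SM2 private key.
        self.nvm = bytearray(secrets.token_bytes(32))
        # Opaque placeholder for the SM2 public key (real SM2 computes d*G).
        self.public_key = hashlib.sha256(b"pub" + bytes(self.nvm)).digest()
        self.channel_key = b""
        self.destroyed = False

    def sign(self, message: bytes) -> bytes:
        """Placeholder for an SM2 signature; fails once the key is destroyed."""
        if self.destroyed:
            raise RuntimeError("private key destroyed")
        return hmac.new(bytes(self.nvm), message, hashlib.sha256).digest()

    def handle_command(self, command: bytes, tag: bytes) -> bool:
        """Steps s104-s105: destroy the key only for an authentic instruction."""
        if self.destroyed or not self.channel_key:
            return False
        expected = hmac.new(self.channel_key, command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # did not come over the KMC channel: ignore it
        if command != b"DESTROY|" + self.chip_id.encode():
            return False  # unknown command or addressed to another chip
        for i in range(len(self.nvm)):  # overwrite the key material in place
            self.nvm[i] = 0
        self.destroyed = True
        return True


class KMC:
    def __init__(self):
        self.public_keys = {}   # slot -> {chip_id: public_key}; bucket absorbs collisions
        self.channel_keys = {}  # chip_id -> channel key

    def register(self, chip: Chip) -> int:
        slot = slot_for(chip.chip_id)
        self.public_keys.setdefault(slot, {})[chip.chip_id] = chip.public_key
        return slot

    def lookup(self, chip_id: str):
        return self.public_keys.get(slot_for(chip_id), {}).get(chip_id)

    def establish_channel(self, chip: Chip) -> None:
        """Steps s102-s103: a random shared key stands in for the IKE result."""
        key = secrets.token_bytes(32)
        self.channel_keys[chip.chip_id] = key
        chip.channel_key = key

    def log_off(self, chip_id: str):
        """Step s104: build the authenticated destruction instruction."""
        command = b"DESTROY|" + chip_id.encode()
        tag = hmac.new(self.channel_keys[chip_id], command, hashlib.sha256).digest()
        return command, tag


if __name__ == "__main__":
    kmc, chip = KMC(), Chip("CHIP-SN-0001")  # constructed serial number
    kmc.register(chip)
    kmc.establish_channel(chip)
    print("forged:", chip.handle_command(b"DESTROY|CHIP-SN-0001", b"\x00" * 32))
    print("genuine:", chip.handle_command(*kmc.log_off(chip.chip_id)))
    print("nvm after:", chip.nvm.hex())
```

Because the destruction instruction is irreversible, the chip-side check on the channel tag is what keeps the log-off path from becoming a way for anyone other than the KMC to disable a chip.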
The above detailed description is a specific illustration of feasible embodiments of the invention. The embodiments are not intended to limit the patent scope of the invention; all equivalent implementations or changes that do not depart from the invention are intended to be included in the patent scope of this case.

Claims (3)

1. A private key log-off method based on a public key management system, characterized by comprising the steps of:
When the chip is initialized, a private key is generated from a random number using the SM2 algorithm, and the public key is calculated from the private key;
The generated private key is stored in the chip's non-volatile storage space in hardware-protected mode, and the calculated public key is transmitted to the KMC;
The KMC saves the public key of each chip to form a public key list and computes a HASH function over the chip's identifier; the resulting digest value is used as the storage location of the public key in the public key list;
The KMC generates a public/private key pair, and uses this key pair together with the key pair generated at chip initialization to build a communication transmission channel with the chip;
A destruction program is set in the chip's non-volatile storage space;
After receiving a private key log-off command, the KMC sends an instruction to the corresponding chip over the communication transmission channel between them, activating the destruction program in the chip, which destroys the private key stored in the non-volatile storage space.
2. The private key log-off method based on a public key management system according to claim 1, characterized by further comprising the step:
The KMC uses a HASH function to perform hidden positioning of the public key list.
3. The private key log-off method based on a public key management system according to claim 2, characterized in that:
The KMC builds the communication transmission channel with the chip using the SM2 algorithm and key agreement; the key agreement process follows the IKE specified in the GM/T 0022-2014 IPSec VPN technical specification.
Priority Applications (1)

Application number: CN201611259650.3A
Publication: CN106789025A (en)
Priority date: 2016-12-30
Filing date: 2016-12-30
Title: Private key log-off method based on public key management system
Status: Pending

Publications (1)

Publication number: CN106789025A
Publication date: 2017-05-31

Family ID: 58954684
Country: CN


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531