CN107800725A - A kind of digital certificate remote online managing device and method - Google Patents
- Publication number: CN107800725A (application CN201711307458.1A)
- Authority: CN (China)
- Prior art keywords: certificate, user, terminal, information, application
- Prior art date
- Legal status: Granted
Classifications (CPC; all under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE, H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/0823—Network architectures or network communication protocols for network security, for authentication of entities using certificates
- H04L63/0861—Network architectures or network communication protocols for network security, for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user, using biological data, e.g. fingerprint, voice or retina
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L63/0442—Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Abstract
The invention discloses a digital certificate remote online management device and method. Digital certificate management is combined with several identity identification and authentication technologies, such as resident ID card authentication and biometric recognition. Through equipment such as near-field communication, a camera, a microphone and a fingerprint acquisition module, the terminal obtains the user's resident ID card information and biometric information such as facial image, iris, retina, voiceprint and fingerprint, and several identification technologies, including ID card verification and biometric recognition, are combined to determine the true identity of the user who performs the certificate operation on the terminal. This ensures that only a legitimate user can perform certificate operations, and only on a legitimate terminal, that the certificate correctly corresponds to and is bound to the user, and that the user's identity cannot be spoofed during certificate management. The result is secure remote online certificate management with the advantages of high security and flexible implementation.
Description
Technical field
The present invention relates to the field of digital certificate technology, and in particular to a digital certificate remote online management device and method.
Background technology
A server usually needs to authenticate the identity of a user before providing a service, and may also need to encrypt subsequent communication data, so that only legitimate users can use the related resources, services or functions. As systems become ever richer, if each of many application services uses its own authentication and communication protection mechanism, this brings operational inconvenience and security risks; using digital certificates is currently a common security mechanism for solving this problem. By using a digital certificate bound to the user, together with a PKI system, VPN technology and the like, the complexity faced by the user can be reduced and the security of authentication improved. Effective and secure management of certificates is the basis on which every security function built on certificates rests, so the security of certificate management must be ensured.
To realize certificate management functions such as certificate application and issuance, the implementation flow of a traditional digital certificate management scheme is as shown in Fig. 1. When the user applies for a certificate through a terminal certificate application, the application first calls the security module to generate a public/private key pair and a certificate request, and sends the certificate request to the certificate management server; the certificate management server issues the certificate and returns it to the terminal certificate application; after receiving the certificate, the terminal certificate application writes it into the security module, which completes the application and issuance flow. To improve security, common digital certificate management schemes usually either require the external security module to be removed from the terminal and manually connected to a secure management terminal for certificate issuance, or issue the certificate only after a simple authentication of the terminal, for example by comparing terminal identifiers.
The resident identification card is the legal identity document of Chinese citizens, and all Chinese citizens aged 16 and over who reside in China must apply for one. Current resident ID cards contain a built-in security chip that uses the national cryptographic algorithms and is able to communicate with the outside world; all such communication is encrypted, which prevents security threats such as forgery of the card and tampering with or leakage of its information. Because everyone holds one, because the card has a communication interface and encrypted, secure communication, and in combination with the resident ID card loss-reporting system that the Ministry of Public Security is currently rolling out, the resident ID card is well suited to taking part in remote identity authentication.
Biometric recognition technologies for facial images, iris, retina, voiceprint and fingerprint are increasingly mature. The recognition accuracy for facial images, fingerprints and other biometrics has reached commercial levels, and these technologies are gradually being used at scale in services such as account opening at Alipay, securities brokers and telecom operators. The population database built by the public security organs holds facial images, fingerprints and other information covering citizens nationwide, which provides a good basis for implementing biometric recognition services; on this basis, a reliable biometric recognition service can be provided to confirm the true identity of a user.
Existing digital certificate management devices and methods confirm the legitimacy of a request only by simple means such as identifier comparison, and do not identify the true identity of the user. When certificate management is carried out remotely, there is therefore a serious risk of the user's identity being forged. Especially when the user base is large, identities are complex and certificates are issued remotely, security incidents caused by incomplete identity authentication occur from time to time and greatly limit the use of such certificate management methods and devices.
Summary of the invention
In view of the shortcomings of the prior art, the present invention aims to provide a digital certificate remote online management device and method. Based on several identity recognition technologies, such as resident ID card verification and biometric recognition, the identification of the user during certificate application and issuance no longer relies solely on comparing simple identification information. Instead, the core function of identity authentication is completed by combining several identity recognition technologies: verification of the user's resident ID card and recognition of several of the user's biometric features. This prevents the user, terminal, security module or application service from being forged or tampered with, and prevents a certificate from being issued to an illegitimate user or from failing to be effectively associated with the user, thereby effectively ensuring the security of certificate management and reducing the risk of certificates being fraudulently used.
To achieve these goals, the present invention adopts the following technical scheme:
A digital certificate remote online management device, including: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identity authentication server, a certificate authority and a terminal device;
The terminal cryptographic module is used for key generation, certificate request assembly, digital signing, signature verification, encryption and decryption, and storage of keys and certificates;
The terminal certificate application includes a device with the function of obtaining the user's resident ID card information and biometric information, a device for communicating with the certificate management server, a device for communicating with the terminal cryptographic module, and a device for collecting terminal equipment information;
The certificate management server includes a device for communicating with the terminal certificate application, a device for judging the legitimacy of a certificate request and its consistency with the user's identity, a device for storing and associating terminal equipment hardware/software and certificate information, a device for communicating with the identity authentication server, and a device for communicating with the certificate authority;
The identity authentication server includes a device for communicating with the certificate management server, a device for storing user ID card information, biometric information and attribute authentication information, and a device for identifying and authenticating the user's identity by combining ID card information, biometric information and attribute authentication information;
The certificate authority is used for issuing and managing user digital certificates;
The terminal device is a terminal that has the functions of reading the user's resident ID card and biometric information, and that can run the terminal certificate application and use the terminal cryptographic module.
Further, the terminal device is a wearable terminal, handheld terminal, portable terminal, vehicle-mounted terminal or other terminal.
Further, the user terminal obtains the user's resident ID card information by near-field communication.
Further, the biometric information includes facial image, iris, retina, voiceprint and fingerprint, and the terminal device obtains the user's biometric information through a camera, a microphone and a fingerprint recognition module.
The method of certificate management using the above digital certificate remote online management device comprises the following steps:
S1. Administrative staff import the user's resident ID card information and biometric information into the identity authentication server;
S2. The user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the certificate management server, confirming the identity legitimacy of the certificate management server and ensuring the security of subsequent communication;
S3. The terminal certificate application obtains the user's resident ID card information and biometric information, including the information in the security chip of the user's resident ID card and the user's liveness detection information; if the identity authentication server needs to take part in the information collection process, the terminal certificate application connects to the identity authentication server through the certificate management server;
S4. The terminal certificate application sends the resident ID card information and biometric information to the certificate management server;
S5. The certificate management server calls the identity authentication server to verify the identity authentication information;
S6. The identity authentication server identifies and authenticates the received resident ID card information and biometric information of the user against the pre-imported information: it confirms the correctness of the user's resident ID card information, recognizes the user's biometric information, and judges whether the recognized biometric information is consistent with the user's ID card information. If the resident ID card information is incorrect or inconsistent with the biometric recognition result, the result of identity authentication is an error, and the method jumps to step S15; if the resident ID card information is correct and consistent with the biometric recognition result, the result of identity authentication is correct, information such as the user's true identity is obtained, and the method continues with step S7;
S7. The certificate management server stores the user identity information recognized by the identity authentication server and returns the user identity information to the terminal certificate application;
S8. The terminal certificate application obtains from the terminal device and the terminal cryptographic module the user identity information required for generating a certificate application;
S9. The terminal certificate application calls the terminal cryptographic module to generate a public/private key pair, which is stored in the terminal cryptographic module, inputs the user identity information, and generates a user certificate application request;
S10. The terminal certificate application sends the user certificate application request message to the certificate management server;
S11. The certificate management server parses the certificate application request message, obtains the public key and the user's resident ID card information from the certificate request, verifies the correctness of the user certificate application using the public key, and checks the user identity information carried in the certificate application for consistency with the user identity information stored in step S7; if the check fails, jump to step S15; if the check passes, continue with step S12;
S12. The certificate management server calls the certificate authority, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13. The certificate management server obtains the user certificate from the certificate authority and sends the certificate to the terminal certificate application;
S14. After the terminal certificate application receives the certificate, it writes the certificate into the terminal cryptographic module for storage and prompts the user that the certificate operation succeeded; the certificate management operation ends normally;
S15. The certificate management server rejects this certificate operation request and returns an error message to the terminal certificate application;
S16. After the terminal certificate application receives the error message returned by the certificate management server, it calls the terminal cryptographic module to clear the key pair in the terminal cryptographic module and prompts the user with the certificate operation error; the certificate management operation ends abnormally.
The beneficial effects of the present invention are as follows. Digital certificate management is combined with several identity identification and authentication technologies, such as resident ID card authentication and biometric recognition. Through equipment such as near-field communication, a camera, a microphone and a fingerprint acquisition module, the user's resident ID card information and biometric information such as facial image, iris, retina, voiceprint and fingerprint are obtained, and several identification technologies, including ID card verification and biometric recognition, are combined to determine the true identity of the user performing the certificate operation on the terminal. This ensures that only a legitimate user can perform certificate operations, and only on a legitimate terminal, that the certificate correctly corresponds to and is bound to the user, and that the user's identity cannot be spoofed during certificate management, thereby realizing secure remote online certificate management with the advantages of high security and flexible implementation.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation flow of an existing digital certificate management scheme;
Fig. 2 is a schematic diagram of the system structure of the present invention;
Fig. 3 is a schematic diagram of the method flow of the present invention;
Fig. 4 is a diagram of the implementation flow of Embodiment 1 of the present invention;
Fig. 5 is a diagram of the implementation flow of Embodiment 2 of the present invention;
Fig. 6 is a diagram of the implementation flow of Embodiment 3 of the present invention.
Embodiments
The invention is further described below with reference to the accompanying drawings. It should be noted that the following embodiments are premised on this technical scheme and give detailed implementations and specific operating procedures, but the scope of protection of the invention is not limited to these embodiments.
As shown in Fig. 2, a digital certificate remote online management device includes: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identity authentication server, a certificate authority and a terminal device;
The terminal cryptographic module is used for key generation, certificate request assembly, digital signing, signature verification, encryption and decryption, and storage of keys and certificates;
The terminal certificate application includes a device with the function of obtaining, through near-field communication, a camera, a microphone and a fingerprint recognition module, the user's resident ID card information and human physiological characteristics such as facial image, iris, retina, voiceprint and fingerprint; a device for communicating with the certificate management server; a device for communicating with the terminal cryptographic module; and a device for collecting terminal equipment hardware/software information and user information;
The certificate management server corresponds to the certificate management module in the logical structure and includes a device for communicating with the terminal certificate application, a device for judging the legitimacy of a certificate request and its consistency with the user's identity, a device for storing and associating the user terminal's hardware/software and certificate information, a device for communicating with the identity authentication server, and a device for communicating with the certificate authority;
The identity authentication server corresponds to the identity authentication module in the logical structure and includes a device for communicating with the certificate management server, a device for storing the user's ID card information, biometric features such as facial image, iris, retina, voiceprint and fingerprint, and the user's other attribute authentication information, and a device for identifying and authenticating the user's identity by combining ID card information, biometric information and attribute authentication information.
The certificate authority is used for issuing and managing user digital certificates;
The user terminal is a terminal device that can read the resident ID card and human physiological characteristic information such as the user's facial image, iris, retina, voiceprint and fingerprint by means of near-field communication, a camera, a microphone and a fingerprint recognition module, and that can run the terminal certificate application and use the terminal cryptographic module.
As shown in Fig. 3, the method of certificate management using the above digital certificate remote online management device includes the following steps:
S1. Administrative staff import the user's resident ID card and human physiological characteristic information such as the user's facial image, iris, retina, voiceprint and fingerprint into the identity authentication server;
S2. The user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the back-end certificate management server, confirming the identity legitimacy of the certificate management server and ensuring the security of subsequent communication;
S3. The terminal certificate application obtains the user's resident ID card and various biometric information, including the information in the security chip of the resident ID card and the user's liveness detection; if the identity authentication server needs to take part in the information collection process, the terminal certificate application connects to the back-end authentication server either directly or indirectly through the certificate management server;
S4. The terminal certificate application sends the identity authentication information, such as the user's resident ID card information and various biometric information, to the certificate management server;
S5. The certificate management server calls the back-end identity authentication server to verify the identity authentication information;
S6. The identity authentication server identifies and authenticates the received resident ID card information and various biometric information of the user against the pre-imported information: it confirms the correctness of the user's resident ID card information, recognizes the various biometric information, and judges whether the recognized biometric information is consistent with the user's ID card information. If the resident ID card information is incorrect or inconsistent with the biometric recognition result, the result of identity authentication is an error, and the method jumps to step S15; if the resident ID card information is correct and consistent with the biometric recognition result, the result of identity authentication is correct, information such as the user's true identity is obtained, and the method continues with step S7;
S7. The certificate management server stores the user identity information recognized by the identity authentication server and returns the identity recognition result to the terminal certificate application;
S8. The terminal certificate application obtains from the terminal device, the terminal cryptographic module, the user and other sources the information required for generating a certificate application;
S9. The terminal certificate application calls the terminal cryptographic module to generate a public/private key pair, which is stored in the cryptographic module, inputs the user identity information and other data, and generates a user certificate application request;
S10. The terminal certificate application sends the user certificate application request message to the back-end certificate management server;
S11. The certificate management server parses the user certificate application request message, obtains the public key and user identity information from the request, verifies the correctness of the user certificate application request using the public key, and checks the user identity information carried in the request for consistency with the user identity information stored in step S7; if the check fails, jump to step S15; if the check passes, continue with step S12;
S12. The certificate management server calls the certificate authority, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13. The certificate management server obtains the user certificate from the certificate authority and sends the certificate to the terminal certificate application;
S14. After the terminal certificate application receives the certificate, it writes the certificate into the terminal cryptographic module for storage and prompts the user that the certificate operation succeeded; the certificate management operation ends normally;
S15. The certificate management server rejects this certificate operation request and returns an error message to the terminal certificate application;
S16. After the terminal certificate application receives the error message returned by the certificate management server, it calls the terminal cryptographic module to clear the key pair in the terminal cryptographic module and prompts the user with the certificate operation error; the certificate management operation ends abnormally.
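The following Go program is an added example, written for this page, that models the flow in steps S1 to S16 above (and the identical summary method earlier in the description); it is not the patent's or any vendor's implementation. The identity authentication server holds constructed records in which a placeholder portrait tag stands in for a biometric template; the terminal's cryptographic module generates an ECDSA key pair and builds a PKCS#10 request (the P10 format that Embodiment 1 names) carrying the confirmed identity; and the certificate management server verifies the request's self-signature, checks the carried identity against the record stored in S7, and only then lets a self-signed CA issue. Rejection at S11 clears the terminal's key pair as S16 requires. All type and function names, the session handling and the certificate templates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// idRecord is one pre-imported identity (S1); constructed sample data, PortraitTag standing in for a biometric template.
type idRecord struct{ IDNumber, Name, PortraitTag string }

// identServer models the identity authentication server; verify is step S6.
type identServer struct{ records map[string]idRecord }

func (s *identServer) verify(idNumber, name, portraitTag string) (idRecord, error) {
	rec, ok := s.records[idNumber]
	if !ok || rec.Name != name {
		return idRecord{}, errors.New("S6: resident ID card information incorrect")
	}
	if rec.PortraitTag != portraitTag {
		return idRecord{}, errors.New("S6: biometric inconsistent with ID card")
	}
	return rec, nil
}

// ca models the certificate authority (S12) as a self-signed ECDSA root.
type ca struct{ key *ecdsa.PrivateKey; cert *x509.Certificate }

func newCA() (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &ca{key: key, cert: cert}, err
}

// issue signs a certificate for the subject and public key carried in the request.
func (c *ca) issue(csr *x509.CertificateRequest) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, c.cert, csr.PublicKey, c.key)
}

// mgmtServer models the certificate management server; verified holds the S7 result per session.
type mgmtServer struct{ ident *identServer; ca *ca; verified map[string]idRecord }

// handleCSR is S11-S13: parse the PKCS#10 request, verify its self-signature with the enclosed
// public key, check the carried identity against the S7 record, then let the CA issue (failure = S15).
func (m *mgmtServer) handleCSR(session string, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, errors.New("S11: malformed certificate request") }
	if err := csr.CheckSignature(); err != nil { return nil, errors.New("S11: request signature invalid") }
	rec, ok := m.verified[session]
	if !ok || csr.Subject.CommonName != rec.Name || csr.Subject.SerialNumber != rec.IDNumber {
		return nil, errors.New("S11: identity in request inconsistent with stored identity")
	}
	return m.ca.issue(csr)
}

// terminal models the terminal certificate application and its cryptographic module.
type terminal struct{ key *ecdsa.PrivateKey; cert *x509.Certificate } // key: S9/S16, cert: S14

// makeCSR is S9: generate the key pair and build a PKCS#10 request carrying the identity.
func (t *terminal) makeCSR(rec idRecord) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	t.key = key
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: rec.Name, SerialNumber: rec.IDNumber}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// enrol runs S2-S16 for one user and returns the issued certificate.
func enrol(m *mgmtServer, t *terminal, idNumber, name, portraitTag string) (*x509.Certificate, error) {
	session := "session-" + idNumber
	rec, err := m.ident.verify(idNumber, name, portraitTag) // S3-S6
	if err != nil { return nil, err }                        // S15: rejected before any key pair exists
	m.verified[session] = rec                                // S7
	csrDER, err := t.makeCSR(rec)                            // S8-S10
	if err != nil { return nil, err }
	certDER, err := m.handleCSR(session, csrDER) // S11-S13
	if err != nil { t.key = nil; return nil, err } // S16: discard the key pair on rejection
	t.cert, err = x509.ParseCertificate(certDER)   // S14: store the certificate
	return t.cert, err
}

// newSystem wires the components around one constructed identity record.
func newSystem() (*mgmtServer, error) {
	c, err := newCA()
	if err != nil { return nil, err }
	ident := &identServer{records: map[string]idRecord{"ID-000001": {"ID-000001", "Zhang San", "portrait-A"}}}
	return &mgmtServer{ident: ident, ca: c, verified: map[string]idRecord{}}, nil
}
```

Two checks carry the security weight of S11: CheckSignature proves that whoever built the request holds the private key matching the public key inside it, and the comparison against the S7 record prevents a request from asking for a certificate in a name other than the one the identity authentication server confirmed. A deployed system would bind the session to the authenticated connection established in S2 rather than derive it from the ID number as this model does.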
Embodiment 1
The equipment and environment of this embodiment are as follows:
One mobile phone terminal with NFC, a camera and a built-in encryption chip, with the terminal certificate APP installed; the APP is preloaded with the public key certificate of the certificate management server that is used to establish HTTPS, or with the corresponding root certificate; the phone has mobile wireless data communication capability;
One certificate management server, with both external-network and intranet environments, able to communicate with the mobile phone terminal and with the certificate authority (CA) system, and preloaded with the public/private key pair used to establish HTTPS connections;
One identity authentication server, with identity recognition capability and the ability to communicate with the certificate management server;
One certificate authority (CA) system, with the ability to issue user digital certificates and to communicate with the certificate management server.
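The HTTPS arrangement in this environment, in which the terminal APP is preloaded with the certificate management server's certificate (or the corresponding root) and verifies the server against it before anything else is sent, can be exercised with the following added Go example; it is written for this page and is not part of the patent or of any product. A loopback httptest server stands in for the certificate management server, and pinnedClient trusts only the preloaded certificate, so a server presenting any other chain fails verification. The function names and the handler's response text are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newManagementServer stands in for the certificate management server: a loopback
// HTTPS server whose self-signed certificate is generated by httptest. That
// certificate is what the terminal APP would be preloaded with.
func newManagementServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "certificate management server ready") // assumed response text
	}))
}

// pinnedClient returns an HTTPS client that trusts only the preloaded certificate
// (or root), as the terminal APP in the embodiment does; the device's system root
// store is not consulted at all. A nil argument models an APP with nothing preloaded.
func pinnedClient(preloaded *x509.Certificate) *http.Client {
	roots := x509.NewCertPool()
	if preloaded != nil {
		roots.AddCert(preloaded)
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// connect performs the S2 connection and returns the HTTP status, or an error when
// the server's certificate chain could not be verified against the preloaded one.
func connect(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newManagementServer()
	defer srv.Close()
	status, err := connect(pinnedClient(srv.Certificate()), srv.URL)
	fmt.Println("pinned client:", status, err) // 200 <nil>
	_, err = connect(pinnedClient(nil), srv.URL)
	fmt.Println("client without preloaded certificate fails:", err != nil) // true
}
```

Preloading is what makes the S2 server check independent of the phone's trust store: a server certificate from any public CA, however valid, is rejected unless it chains to the preloaded certificate.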
The detailed implementation steps of this embodiment are as follows, as shown in Fig. 4:
1. Administrative staff import the encrypted user resident ID card information, user facial image information and user attribute information into the certificate management server;
2. The user performs certificate management through the terminal certificate APP; the terminal certificate application establishes an HTTPS access connection with the certificate management server, verifies the server's identity by means of the certificate management server's certificate, and ensures the security of subsequent communication;
3. The terminal certificate APP obtains the encrypted information in the chip of the user's resident ID card using NFC, and obtains a live facial image of the user using the camera;
4. The terminal certificate APP sends the identity authentication information, such as the user's resident ID card information and facial image, to the certificate management server;
5. The certificate management server calls the identity authentication server to verify the identity authentication information;
6. The identity authentication server identifies and authenticates the received information using the pre-imported user information, confirming whether the user's resident ID card information is correct, whether the user's facial image is consistent with the resident ID card information, and whether the user attribute information has been registered:
6.1) If the user's resident ID card information is incorrect, or the user's facial image is inconsistent with the resident ID card information, or the user attribute information is not registered, go to step S14;
6.2) If the user's resident ID card information is correct, the user's facial image is consistent with the resident ID card information and the user attribute information is registered, continue with step S7.
7. The certificate management server stores the recognized true identity information of the user and returns the user information to the terminal certificate APP;
8. The terminal certificate APP calls the encryption chip, which generates a public/private key pair, and encapsulates the public key and user identity information into a user certificate application request in P10 (PKCS#10) format;
9. The terminal certificate APP sends the certificate application request to the certificate management server;
10. The certificate management server judges whether the received certificate application request is correct, including whether the request is complete and whether its signature is correct, and whether the user information in the certificate request is consistent with the user identity information stored in step 7:
10.1) if certificate request request is incorrect, or the user stored in the user profile and step 7 in certificate request
Identity information is inconsistent, then performs step 14;
If 10.2) certificate request request user's body that is correct, and being stored in the user profile in certificate request and step 7
Part information is consistent, then continues executing with step 11.
10.3) certificate management server calls certificate granting (CA) center, and user certificate is generated according to request;
11st, certificate management server sends user certificate to terminal certificate APP;
12nd, after terminal certificate APP receives user certificate, certificate is issued to encryption chip, by encryption chip Store Credentials,
And certificate operation successful information is prompted the user with, the certificate management operation normal termination of embodiment 1.
13rd, certificate management server refuses this certificate operation requests, returns to error message to terminal certificate APP;
14th, after terminal certificate APP receives error message, call encryption chip, remove encryption chip in key pair, and to
User prompts certificate operation error message, and the certificate management operation exception of the present embodiment terminates.
Embodiment 2
The equipment and environment of this embodiment are as follows:
One terminal, connected by means such as external USB to an NFC device, a camera, a fingerprint acquisition module and an encryption chip in USB key form, with the terminal certificate application software installed; the software is preset with the public key certificate, or the corresponding root certificate, that the certificate management cloud host uses to establish HTTPS, and the terminal has the corresponding communication capability;
Two virtual cloud hosts, created in the enterprise private cloud to realize cloud deployment of the certificate management server and the identification certificate server, labelled the certificate management cloud host and the identification cloud host, on which the certificate management module and the identification module are deployed respectively; both cloud hosts have a network communication environment, and the certificate management cloud host is preset with the public and private key pair used to establish HTTPS connections;
One set of certificate authority (CA) system, which has the ability to communicate with the certificate management cloud host.
The detailed steps of this embodiment are as follows, as shown in Figure 5:
1. Administrative staff import the user's encrypted resident identification card information, user portrait, fingerprint information and user attribute information into the identification certification cloud host;
2. The user performs certificate management through the terminal certificate application software; the software establishes an HTTPS access connection with the certificate management cloud host, verifies that the cloud host identity is legitimate by means of the certificate management cloud host's certificate, and ensures the security of subsequent communications;
3. The terminal certificate application software obtains the user's resident identification card information using NFC, and obtains the user's live-body portrait and fingerprint information using the camera and the fingerprint acquisition module;
4. The terminal certificate application software sends the identification authentication information, such as the user's resident identification card information, portrait and fingerprint, to the certificate management cloud host;
5. The certificate management cloud host calls the identification certification cloud host to verify the identification authentication information;
6. The identification certification cloud host performs identification authentication on the information, confirming whether the user's resident identification card information is correct, whether the recognition results of the user's portrait and fingerprint are consistent with the resident identification card information, and whether the user attribute information has been registered;
6.1) If the user's resident identification card information is incorrect, or the recognition results of the user's portrait and fingerprint are inconsistent with the resident identification card information, or the user attribute information is unregistered, step 14 is performed;
6.2) If the user's resident identification card information is correct, the recognition results of the user's portrait and fingerprint are consistent with the resident identification card information and the user attribute information is registered, execution continues with step 7;
7. The certificate management cloud host stores the user identity information recognized by the identification certification cloud host, and sends the user identity information to the terminal certificate application;
8. The terminal certificate application software calls the encryption chip, which generates a public and private key pair, and encapsulates the public key together with the user identity information into a user certificate application request in PKCS#10 format;
9. The terminal certificate application software sends the certificate application request to the certificate management cloud host;
10. The certificate management cloud host judges whether the received certificate application request is correct and whether the user information in the certificate application is consistent with the user identity information stored in step 7;
11. If the certificate application request is incorrect, or the user information in the certificate application is inconsistent with the user identity information stored in step 7, step 14 is performed;
12. If the certificate application request is correct and the user information in the certificate application is consistent with the user identity information stored in step 7, execution continues with step 11;
13. The certificate management cloud host calls the certificate authority (CA) center, which generates the user certificate according to the certificate application request;
14. The certificate management cloud host sends the user certificate to the terminal certificate application software;
15. The terminal certificate application software issues the received certificate to the encryption chip, which stores it, completing the remote online management of the certificate; the certificate management operation flow of embodiment 2 terminates.
16. The certificate management server refuses this certificate operation request and returns an error message to the terminal certificate application software;
17. After the terminal certificate application software receives the error message, it calls the encrypted card, clears the key pair in the encrypted card, and prompts the user with a certificate operation error message; the certificate management operation of embodiment 2 terminates abnormally.
Embodiment 3
The equipment and environment of this embodiment are as follows:
One mobile phone terminal, which has NFC and a camera, with an encrypted card in TF card form inserted and the terminal certificate APP installed; the APP is preset with the public key certificate of the certificate management server or the corresponding root certificate, and the terminal has mobile wireless network communication capability;
One certificate management server, which has both extranet and intranet environments, can communicate with the mobile phone terminal and with the certificate authority (CA) system, on which a service comprising the two modules of certificate management and identification has been deployed, and which is preset with the public and private key pair used to establish the VPN tunnel;
One set of certificate authority (CA) system, which has the ability to issue user digital certificates and to communicate with the certificate management server.
The detailed steps of this embodiment are as follows, as shown in Figure 6:
1. Administrative staff import the user's encrypted resident identification card information, user portrait information and user attribute information into the certificate management server;
2. The user performs certificate management through the terminal certificate APP; the terminal certificate application establishes an SSL VPN access connection with the certificate management server, verifies that the server identity is legitimate by means of the certificate management server's certificate, and ensures the security of subsequent communications;
3. The terminal certificate APP obtains the encrypted information in the chip of the user's resident identification card using NFC, and obtains the user's live-body portrait information using the camera;
4. The terminal certificate APP sends the identification authentication information, such as the user's resident identification card information and portrait, to the certificate management server;
5. The identification authentication module of the certificate management server performs identification authentication on the received information using the user information imported in advance, confirming whether the user's resident identification card information is correct, whether the user's portrait is consistent with the resident identification card information, and whether the user attribute information has been registered:
5.1) If the user's resident identification card information is incorrect, or the user's portrait is inconsistent with the resident identification card information, or the user attribute information is unregistered, step 13 is performed;
5.2) If the user's resident identification card information is correct, the user's portrait is consistent with the resident identification card information and the user attribute information is registered, execution continues with step 6.
6. The certificate management module of the certificate management server stores the recognized real identity information of the user, and returns the user information to the terminal certificate APP;
7. The terminal certificate APP calls the encrypted card, which generates a public and private key pair, and encapsulates the public key together with the user identity information into a user certificate application request in P10 (PKCS#10) format;
8. The terminal certificate APP sends the certificate application request to the certificate management server;
9. The certificate management module of the certificate management server judges whether the received certificate application request is correct, including whether the request is complete and whether the signature of the request is correct, and whether the user information in the certificate application is consistent with the user identity information stored in step 6;
9.1) If the certificate application request is incorrect, or the user information in the certificate application is inconsistent with the user identity information stored in step 6, step 13 is performed;
9.2) If the certificate application request is correct and the user information in the certificate application is consistent with the user identity information stored in step 6, execution continues with step 10.
10. The certificate management module of the certificate management server calls the certificate authority (CA) center, which generates the user certificate according to the request;
11. The certificate management server sends the certificate to the terminal certificate APP;
12. The terminal certificate APP issues the received certificate to the encrypted card, which stores it, and prompts the user that the certificate operation succeeded; the certificate management operation of embodiment 3 terminates normally.
13. The certificate management server refuses this certificate operation request and returns an error message to the terminal certificate APP;
14. After the terminal certificate APP receives the error message, it calls the encrypted card, clears the key pair in the encrypted card, and prompts the user with a certificate operation error message; the certificate management operation of embodiment 3 terminates abnormally.
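The enrollment core that Embodiments 1 to 3 share (steps 8 to 14: key generation in the terminal crypto module, a PKCS#10 request carrying the verified identity, the server's check of the request signature and of identity consistency with what it stored at step 7, CA issuance, and clearing of the key pair on error), as an added Go example using only the standard library; it is not code from the patent or its applicant. The encryption chip is simulated by an in-memory ECDSA key, the CA system by a self-signed test certificate, and every identity value, name and serial number is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifiedIdentity is what the certificate management server stores at step 7 once
// the identification server has confirmed the user (values used with it are constructed).
type VerifiedIdentity struct {
	Name     string
	IDNumber string
}

// buildCSR is the terminal side of steps 8 and 9: generate the key pair (in memory here,
// inside the crypto module on the real device) and wrap the public key plus the returned
// identity into a PKCS#10 request signed with that key.
func buildCSR(id VerifiedIdentity) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: id.Name, SerialNumber: id.IDNumber}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	return priv, der, err
}

// checkCSR is the server side of step 10: the request must parse, its self-signature
// must verify (proof that the requester holds the private key), and the identity it
// carries must equal the identity stored at step 7.
func checkCSR(der []byte, stored VerifiedIdentity) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if csr.Subject.CommonName != stored.Name || csr.Subject.SerialNumber != stored.IDNumber {
		return nil, errors.New("identity in request does not match stored identity")
	}
	return csr, nil
}

// skeleton returns a constructed certificate template valid for one day.
func skeleton(serial int64, subject pkix.Name) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// newCA builds a self-signed, constructed test CA standing in for the CA system.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := skeleton(1, pkix.Name{CommonName: "Constructed Test CA"})
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert is the CA step (10.3): the subject is copied from the request that checkCSR
// already accepted, never from unverified input. Serial 2 is constructed, not random.
func issueCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	t := skeleton(2, csr.Subject)
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
}

// Enroll runs steps 8 to 14 for one terminal against a CA from newCA. stored is what the
// server holds from step 7; claimed is what the terminal puts into its request (they differ
// only for a faulty or tampered terminal). On rejection the terminal zeroes its private
// scalar, which stands in for step 14, and keyWiped reports that it did.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, stored, claimed VerifiedIdentity) (certDER []byte, keyWiped bool, err error) {
	priv, der, err := buildCSR(claimed)
	if err != nil {
		return nil, false, err
	}
	csr, err := checkCSR(der, stored)
	if err == nil {
		certDER, err = issueCert(csr, ca, caKey)
	}
	if err != nil {
		priv.D.SetInt64(0) // step 14: clear the key pair in the crypto module
		return nil, true, err
	}
	return certDER, false, nil
}
```

Call newCA once and pass its output to Enroll for each terminal; an identity mismatch and a corrupted request signature both come back as an error with keyWiped set, which is the branch the embodiments route to their final two steps.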
Those skilled in the art can make various corresponding changes and modifications to the above technical scheme and concept, and all such changes and modifications shall be construed as falling within the protection scope of the claims of the present invention.
Claims (5)
- 1. A digital certificate remote online management device, characterized in that it comprises: a terminal password module, a terminal certificate application, a certificate management server, an identification certificate server, a certificate authority and a terminal device; the terminal password module is used for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and key and certificate storage; the terminal certificate application comprises a device with the function of obtaining the user's resident identification card information and biometric information, a device communicating with the certificate management server, a device communicating with the terminal password module, and a device collecting terminal equipment information; the certificate management server comprises a device communicating with the terminal certificate application, a device judging the legitimacy of a certificate application and its consistency with the user identity, a device storing and managing the association of terminal equipment software and hardware with certificate information, a device communicating with the identification certificate server, and a device communicating with the certificate authority; the identification certificate server comprises a device communicating with the certificate management server, a device storing user identity card information, biometric information and attribute authentication information, and a device that identifies and authenticates the user identity information by combining identity card information, biometric information and attribute authentication information; the certificate authority is used for issuing and managing user digital certificates; the terminal device has the function of reading the user's resident identification card and biometric information, and can run the terminal certificate application and use the terminal password module.
- 2. The digital certificate remote online management device according to claim 1, characterized in that the terminal device is a wearable terminal, handheld terminal, portable terminal, vehicle-mounted terminal or terminal.
- 3. The digital certificate remote online management device according to claim 1, characterized in that the user terminal obtains the user's resident identification card information through near-field communication.
- 4. The digital certificate remote online management device according to claim 1, characterized in that the biometric information includes portrait, iris, retina, voiceprint and fingerprint, and the terminal device obtains the user's biometric information through a camera, microphone and fingerprint identification module.
- 5. A method of certificate management using the digital certificate remote online management device according to any one of claims 1 to 4, characterized in that it comprises the following steps: S1 administrative staff import the user's resident identification card information and biometric information into the identification certificate server; S2 the user performs certificate management through the terminal certificate application, which establishes a secure access connection with the certificate management server, confirms the identity legitimacy of the certificate management server and ensures the security of subsequent communications; S3 the terminal certificate application obtains the user's resident identification card information and biometric information, including the information in the security chip of the user's resident identification card and the user's liveness detection information; where the information collection process requires the identification certificate server to take part in the interaction, the terminal certificate application connects to the identification certificate server through the certificate management server; S4 the terminal certificate application sends the resident identification card information and biometric information to the certificate management server; S5 the certificate management server calls the identification certificate server to verify the identification authentication information; S6 the identification certificate server performs identification authentication on the received resident identification card information and biometric information of the user in combination with the information imported in advance, confirms the correctness of the user's resident identification card information, recognizes the user's biometric information, and judges whether the biometric information recognition result is consistent with the user identity card information; if the user's resident identification card information is incorrect or inconsistent with the biometric information recognition result, the result of identification authentication is an error and the method jumps to step S15; if the user's resident identification card information is correct and consistent with the biometric information recognition result, the result of identification authentication is correct, the real identity information of the user is obtained, and the method continues with step S7; S7 the certificate management server stores the identity information of the user recognized by the identification certificate server, and returns the user identity information to the terminal certificate application; S8 the terminal certificate application obtains, from the terminal device and the terminal password module, the user identity information required for the certificate generation application; S9 the terminal certificate application calls the terminal password module, which generates a public and private key pair and stores it in the terminal password module, inputs the identified user identity information, and generates the user certificate application request; S10 the terminal certificate application sends the user certificate application request message to the certificate management server; S11 the certificate management server parses the certificate application request message, obtains the public key and the user's resident identification card information from the certificate application, verifies the correctness of the user certificate application using the public key, and checks the user identity information carried in the user certificate application for consistency with the user identity information stored in step S7; if the check fails, the method jumps to step S15; if the check is correct, the method continues with step S12; S12 the certificate management server calls the certificate authority, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate; S13 the certificate management server obtains the user certificate from the certificate authority and sends the certificate to the terminal certificate application; S14 after the terminal certificate application receives the certificate, it issues the certificate to the terminal password module for storage and prompts the user that the certificate operation succeeded; the certificate management operation terminates normally; S15 the certificate management server refuses this certificate operation request and returns an error message to the terminal certificate application; S16 after the terminal certificate application receives the error message returned by the certificate management server, it calls the terminal password module, clears the key pair in the terminal password module, and prompts the user with a certificate operation error message; the certificate management operation terminates abnormally.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711307458.1A CN107800725B (en) | 2017-12-11 | 2017-12-11 | Remote online management device and method for digital certificates |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107800725A true CN107800725A (en) | 2018-03-13 |
CN107800725B CN107800725B (en) | 2023-08-29 |
Family
ID=61538240
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||