CN107800725A - A kind of digital certificate remote online managing device and method - Google Patents


Info

Publication number: CN107800725A
Authority: CN (China)
Prior art keywords: certificate, user, terminal, information, application
Legal status: Granted
Application number: CN201711307458.1A
Other languages: Chinese (zh)
Other versions: CN107800725B (en)
Inventors: 刘衍斐, 卢煜, 周昕
Current assignee: Vimicro Corp; First Research Institute of Ministry of Public Security
Original assignee: Vimicro Corp; First Research Institute of Ministry of Public Security

Events:
Application filed by Vimicro Corp and First Research Institute of Ministry of Public Security
Priority to CN201711307458.1A
Publication of CN107800725A
Application granted
Publication of CN107800725B
Legal status: Active


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L63/0861: Network architectures or network communication protocols for network security, for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L9/3226: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231: Biological data, e.g. fingerprint, voice or retina
    • H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/0442: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The invention discloses a device and method for remote online management of digital certificates. Digital certificate management is combined with several identity identification and authentication technologies, such as resident identity card authentication and biometric recognition. The user's resident identity card information, obtained through near-field communication, and biometric information such as portrait, iris, retina, voiceprint and fingerprint, obtained through devices such as a camera, a microphone and a fingerprint acquisition module, are used together with identity card verification and biometric recognition to determine the true identity of the user who performs a certificate operation on the terminal. This ensures that only a legitimate user on a legitimate terminal can perform certificate operations, that the certificate correctly corresponds to and is bound to the user, and that the user's identity cannot be spoofed during certificate management, so that secure remote online certificate management is achieved with the advantages of high security and flexible implementation.

Description

A kind of digital certificate remote online managing device and method
Technical field
The present invention relates to the field of digital certificate technology, and in particular to a device and method for remote online management of digital certificates.
Background technology
A server usually needs to authenticate the identity of a user before providing a service, and may also encrypt the subsequent communication data, so that only legitimate users can use the related resources, services or functions. As systems grow ever richer, if each of the many application services uses its own authentication and communication-protection mechanism, operation becomes inconvenient and security risks arise. Using digital certificates is a common security mechanism for solving this problem today. By using a digital certificate bound to the user, together with PKI systems, VPN technology and so on, the complexity faced by the user can be reduced and the security of authentication improved. Effective and secure certificate management is the foundation on which every security function built on certificates rests, so the security of certificate management must be ensured.
To implement certificate management functions such as certificate application and issuance, a traditional digital certificate management scheme proceeds as shown in Fig. 1: when a user applies for a certificate through the terminal certificate application, the security module is first called to generate a public/private key pair and a certificate request, and the certificate request is sent to the certificate management server; the certificate management server issues the certificate and returns it to the terminal certificate application; after receiving the certificate, the terminal certificate application writes it into the security module, completing the certificate application and issuance flow. To improve security, common digital certificate management schemes usually either remove the external security module from the terminal and connect it manually to a secure management terminal for certificate issuance, or issue the certificate after a simple authentication of the terminal, such as comparing a terminal identifier.
The resident identity card is the legal identity document of Chinese citizens, and all Chinese citizens aged 16 and over are required to hold one. The current resident identity card has a built-in security chip that uses the national cryptographic algorithms and is able to communicate with the outside world; all communicated information is encrypted, which prevents the card from being forged and its information from being tampered with or leaked. Since nearly everyone holds one, and the card has a communication interface and the properties of encryption security, combining it with the resident identity card loss-reporting system currently operated by the Ministry of Public Security gives the resident identity card favourable conditions for taking part in remote identity authentication.
Biometric recognition technologies such as portrait, iris, retina, voiceprint and fingerprint recognition are increasingly mature. Recognition accuracy for portrait, fingerprint and other biometrics has reached a commercial level, and they are being progressively adopted at scale in services such as account opening at Alipay, securities firms and telecom operators. The population database built by public security organs covers the portrait, fingerprint and other information of citizens nationwide, providing a good basis for biometric recognition services; on this basis a reliable biometric recognition service can confirm the true identity of a user.
Existing digital certificate management devices and methods confirm the legitimacy of a request only through simple identifier comparison and do not identify the true identity of the user, so remote certificate management faces a serious risk of user identity forgery. In particular, when the user population is large, identities are complex and certificates are issued remotely, security incidents caused by incomplete identity authentication occur from time to time and greatly limit the use of such certificate management methods and devices.
The content of the invention
In view of the shortcomings of the prior art, the present invention aims to provide a digital certificate remote online management device and method based on several identity recognition technologies such as resident identity card verification and biometric recognition. During certificate application and issuance, user identification no longer relies solely on comparing simple identification information; instead, the core identification and authentication function is completed through comprehensive verification of the user's resident identity card and recognition of several of the user's biometric features. This prevents the user, terminal, security module or application service from being forged or tampered with, and prevents certificates from being issued to illegitimate users or from failing to be effectively associated with a user, thereby ensuring the security of certificate management and reducing the risk of certificates being misused.
To achieve these goals, the present invention adopts the following technical scheme that:
A digital certificate remote online management device, comprising: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identification and authentication server, a certificate authority and a terminal device;
the terminal cryptographic module, for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and storage of keys and certificates;
the terminal certificate application, comprising a device with the function of obtaining the user's resident identity card information and biometric information, a device for communicating with the certificate management server, a device for communicating with the terminal cryptographic module, and a device for collecting terminal device information;
the certificate management server, comprising a device for communicating with the terminal certificate application, a device for judging the legitimacy of a certificate request and its consistency with the user's identity, a device for storing and managing the association between terminal device software and hardware and certificate information, a device for communicating with the identification and authentication server, and a device for communicating with the certificate authority;
the identification and authentication server, comprising a device for communicating with the certificate management server, a device for storing user identity card information, biometric information and attribute authentication information, and a device for identifying and authenticating user identity information by combining identity card information, biometric information and attribute authentication information;
the certificate authority, for issuing and managing user digital certificates;
the terminal device, which has the function of reading the user's resident identity card and biometric information, and can run the terminal certificate application and use the terminal cryptographic module.
Further, the terminal device is a wearable, handheld, portable, vehicle-mounted or other terminal.
Further, the user terminal obtains the user's resident identity card information through near-field communication.
Further, the biometric information includes portrait, iris, retina, voiceprint and fingerprint; the terminal device obtains the user's biometric information through a camera, a microphone and a fingerprint recognition module.
The method of certificate management using the above digital certificate remote online management device comprises the following steps:
S1: administrative staff import the user's resident identity card information and biometric information into the identification and authentication server;
S2: the user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the certificate management server, confirming the identity legitimacy of the certificate management server and ensuring the security of subsequent communication;
S3: the terminal certificate application obtains the user's resident identity card information and biometric information, including the information in the security chip of the user's resident identity card and the user's liveness detection information; where the identification and authentication server needs to take part in the collection process, the terminal certificate application connects to it through the certificate management server;
S4: the terminal certificate application sends the resident identity card information and biometric information to the certificate management server;
S5: the certificate management server calls the identification and authentication server to verify the identification and authentication information;
S6: the identification and authentication server identifies and authenticates the received resident identity card information and biometric information of the user against the pre-imported information: it confirms the correctness of the resident identity card information, recognizes the user's biometric information, and judges whether the recognized biometric information is consistent with the identity card information. If the resident identity card information is incorrect or inconsistent with the biometric recognition result, the identification and authentication result is an error and the process jumps to step S15; if the resident identity card information is correct and consistent with the biometric recognition result, the result is correct, the user's real identity information is obtained, and the process continues with step S7;
S7: the certificate management server stores the user identity information recognized by the identification and authentication server and returns the user identity information to the terminal certificate application;
S8: the terminal certificate application obtains, from the terminal device and the terminal cryptographic module, the user identity information needed to generate the certificate application;
S9: the terminal certificate application calls the terminal cryptographic module to generate a public/private key pair, which is stored in the terminal cryptographic module, inputs the user identity information, and generates the user certificate application request;
S10: the terminal certificate application sends the user certificate application request message to the certificate management server;
S11: the certificate management server parses the certificate application request message, obtains the public key and the user's resident identity card information from the certificate request, verifies the correctness of the user certificate application using that public key, and checks the user identity information carried in the certificate application for consistency with the user identity information stored in step S7; if the check fails, the process jumps to step S15; if the check passes, it continues with step S12;
S12: the certificate management server calls the certificate authority, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13: the certificate management server obtains the user certificate from the certificate authority and sends the certificate to the terminal certificate application;
S14: after receiving the certificate, the terminal certificate application writes it into the terminal cryptographic module for storage and notifies the user that the certificate operation succeeded; the certificate management operation ends normally;
S15: the certificate management server refuses this certificate operation request and returns an error message to the terminal certificate application;
S16: after receiving the error message returned by the certificate management server, the terminal certificate application calls the terminal cryptographic module to clear the key pair held in it and notifies the user of the certificate operation error; the certificate management operation ends abnormally.
The beneficial effects of the present invention are: digital certificate management is combined with several identity identification and authentication technologies such as resident identity card authentication and biometric recognition. The user's resident identity card information and biometric information such as portrait, iris, retina, voiceprint and fingerprint, obtained through devices such as near-field communication, a camera, a microphone and a fingerprint acquisition module, are used together with identity card verification and biometric recognition to determine the true identity of the user who performs a certificate operation on the terminal. This ensures that only a legitimate user on a legitimate terminal can perform certificate operations, that the certificate correctly corresponds to and is bound to the user, and that the user's identity cannot be spoofed during certificate management, so that secure remote online certificate management is achieved with the advantages of high security and flexible implementation.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation process of an existing digital certificate management scheme;
Fig. 2 is a schematic diagram of the system structure of the present invention;
Fig. 3 is a schematic flow diagram of the method of the present invention;
Fig. 4 is a diagram of the implementation process of Embodiment 1 of the present invention;
Fig. 5 is a diagram of the implementation process of Embodiment 2 of the present invention;
Fig. 6 is a diagram of the implementation process of Embodiment 3 of the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawings. It should be noted that the following embodiments take this technical scheme as their premise and give a detailed implementation and specific operating process, but the protection scope of the present invention is not limited to these embodiments.
As shown in Fig. 2, a digital certificate remote online management device comprises: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identification and authentication server, a certificate authority and a terminal device;
the terminal cryptographic module, for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and storage of keys and certificates;
the terminal certificate application, comprising a device with the function of obtaining the user's resident identity card information and human physiological features such as portrait, iris, retina, voiceprint and fingerprint through near-field communication, a camera, a microphone and a fingerprint recognition module, a device for communicating with the certificate management server, a device for communicating with the terminal cryptographic module, and a device for collecting terminal device software and hardware information and user information;
the certificate management server, corresponding to the certificate management module in the logical structure, comprising a device for communicating with the terminal certificate application, a device for judging the legitimacy of a certificate request and its consistency with the user's identity, a device for storing and managing the association between user terminal software and hardware and certificate information, a device for communicating with the identification and authentication server, and a device for communicating with the certificate authority;
the identification and authentication server, corresponding to the identification and authentication module in the logical structure, comprising a device for communicating with the certificate management server, a device for storing user identity card information, user biometric features such as portrait, iris, retina, voiceprint and fingerprint, and other user attribute authentication information, and a device for identifying and authenticating user identity information by combining identity card information, biometric information and attribute authentication information;
the certificate authority, for issuing and managing user digital certificates;
the user terminal, which can read the resident identity card and human physiological feature information such as the user's portrait, iris, retina, voiceprint and fingerprint through near-field communication, a camera, a microphone and a fingerprint recognition module, and can run the terminal certificate application and use the terminal cryptographic module.
As shown in Fig. 3, the method of certificate management using the above digital certificate remote online management device comprises the following steps:
S1: administrative staff import the user's resident identity card information and human physiological feature information such as the user's portrait, iris, retina, voiceprint and fingerprint into the identification and authentication server;
S2: the user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the background certificate management server, confirming the identity legitimacy of the certificate management server and ensuring the security of subsequent communication;
S3: the terminal certificate application obtains the user's resident identity card information and the various biometric feature information, including the information in the security chip of the user's resident identity card and the user's liveness detection result; where the identification and authentication server needs to take part in the collection process, the terminal certificate application connects to the background server either directly or indirectly through the certificate management server;
S4: the terminal certificate application sends the identification and authentication information, such as the user's resident identity card information and the various biometric feature information, to the certificate management server;
S5: the certificate management server calls the background identification and authentication server to verify the identification and authentication information;
S6: the identification and authentication server identifies and authenticates the received resident identity card information and biometric feature information of the user against the pre-imported information: it confirms the correctness of the resident identity card information, recognizes the various biometric features, and judges whether the recognized biometric information is consistent with the identity card information. If the resident identity card information is incorrect or inconsistent with the biometric recognition result, the identification and authentication result is an error and the process jumps to step S15; if the resident identity card information is correct and consistent with the biometric recognition result, the result is correct, the user's real identity information is obtained, and the process continues with step S7;
S7: the certificate management server stores the user identity information recognized by the identification and authentication server and returns the user identity recognition result to the terminal certificate application;
S8: the terminal certificate application obtains the information about the terminal device, the terminal cryptographic module, the user and anything else needed to generate the certificate application;
S9: the terminal certificate application calls the terminal cryptographic module to generate a public/private key pair, which is stored in the cryptographic module, inputs the user identity information and other data, and generates the user certificate application request;
S10: the terminal certificate application sends the user certificate application request message to the background certificate management server;
S11: the certificate management server parses the user certificate application request message, obtains the public key and the user identity information from the request, verifies the correctness of the user certificate application request using that public key, and checks the user identity information carried in the request for consistency with the user identity information stored in step S7; if the check fails, the process jumps to step S15; if the check passes, it continues with step S12;
S12: the certificate management server calls the certificate authority, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13: the certificate management server obtains the user certificate from the certificate authority and sends the certificate to the terminal certificate application;
S14: after receiving the certificate, the terminal certificate application writes it into the terminal cryptographic module for storage and notifies the user that the certificate operation succeeded; the certificate management operation ends normally;
S15: the certificate management server refuses this certificate operation request and returns an error message to the terminal certificate application;
S16: after receiving the error message returned by the certificate management server, the terminal certificate application calls the terminal cryptographic module to clear the key pair held in it and notifies the user of the certificate operation error; the certificate management operation ends abnormally.
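The request-handling core of steps S9 to S14 above, with the S15 refusal path, as an added example that is not part of the patent (the same steps appear in the summary of the invention): Go's standard crypto/x509 stands in for the terminal cryptographic module, the certificate management server and the certificate authority, and the Identity record, the function names and the sample name and ID value are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is the user identity confirmed in S6 and stored by the certificate management server in S7.
type Identity struct {
	Name   string // real name read from the resident ID card
	IDCard string // ID card number; only constructed placeholder values are used here
}

// CA stands in for the certificate authority called in S12 (a self-signed demo root).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so the root can act as issuing parent
	return &CA{Cert: cert, Key: key}, err
}

// TerminalBuildCSR models S9 and S10: the terminal cryptographic module generates a key pair and
// signs a PKCS#10 request carrying the S7 identity; only the DER request leaves the terminal.
func TerminalBuildCSR(id Identity) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: id.Name, SerialNumber: id.IDCard},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// ServerIssue models S11 to S13: parse the request, verify its self-signature (proof of possession),
// compare the carried identity with the S7 record, then have the CA issue. Any failure is the S15 refusal.
func ServerIssue(csrDER []byte, stored Identity, ca *CA) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed certificate request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature does not verify: %w", err)
	}
	if csr.Subject.CommonName != stored.Name || csr.Subject.SerialNumber != stored.IDCard {
		return nil, fmt.Errorf("identity in request differs from authenticated identity")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses unique random serials
		Subject:      csr.Subject,                      // only the server-verified identity is certified
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// VerifyIssued models the S14 check: the certificate must chain to the expected CA before storage.
func VerifyIssued(certDER []byte, ca *CA) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	return cert, err
}

func main() {
	ca, _ := NewCA()
	stored := Identity{Name: "Zhang San", IDCard: "SAMPLE-ID-0001"} // constructed record, not real data
	csrDER, _, _ := TerminalBuildCSR(stored)
	_, err := ServerIssue(csrDER, stored, ca)
	fmt.Println("request with matching identity issued:", err == nil)
}
```

A request whose subject differs from the S7 record, or whose DER was altered in transit, is refused before the CA is ever called, which is the property S11 exists to enforce.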
Embodiment 1
The equipment and environment of this embodiment are as follows:
a mobile phone terminal with NFC, a camera and a built-in encryption chip, on which the terminal certificate APP is installed; the APP is preset with the public key certificate (or the corresponding root certificate) that the certificate management server uses to establish HTTPS, and the phone has mobile wireless data communication capability;
a certificate management server with both extranet and intranet environments, able to communicate with the mobile phone terminal and with the certificate authority (CA) system, and preset with a public/private key pair for establishing HTTPS connections;
an identification and authentication server with identification capability and the ability to communicate with the certificate management server;
a certificate authority (CA) system able to issue user digital certificates and to communicate with the certificate management server.
This embodiment is implemented by the following detailed steps, as shown in Figure 4:
1. Administrative staff import the encrypted user resident identity card information, user portrait information and user attribute information into the certificate management server.
2. The user performs certificate management through the terminal certificate APP. The terminal certificate application establishes an HTTPS access connection with the certificate management server, verifies that the server's identity is legitimate by checking the certificate management server's certificate, and thereby secures subsequent communication.
3. The terminal certificate APP reads the encrypted information in the chip of the user's resident identity card via NFC and captures live portrait information of the user with the camera.
4. The terminal certificate APP sends the identity authentication information (resident identity card information, portrait and so on) to the certificate management server.
5. The certificate management server calls the identity authentication server to verify the identity authentication information.
6. The identity authentication server performs identity recognition on the received information against the user information imported in advance, confirming the correctness of the resident identity card information, the consistency of the user's portrait with the identity card information, and whether the user attribute information has been registered:
6.1) If the resident identity card information is incorrect, or the portrait is inconsistent with the identity card information, or the user attribute information is not registered, go to step 14;
6.2) If the resident identity card information is correct, the portrait is consistent with the identity card information and the user attribute information is registered, continue with step 7.
7. The certificate management server stores the real user identity information that was recognized and returns the user information to the terminal certificate APP.
8. The terminal certificate APP calls the encryption chip, which generates a public/private key pair; the public key and the user identity information are packaged into a user certificate application request in PKCS#10 (P10) format.
9. The terminal certificate APP sends the certificate application request to the certificate management server.
10. The certificate management server checks whether the received certificate application request is correct, including whether the request is complete and whether its signature is valid, and whether the user information in the request is consistent with the user identity information stored in step 7:
10.1) If the request is incorrect, or the user information in the request is inconsistent with the user identity information stored in step 7, go to step 14;
10.2) If the request is correct and the user information in the request is consistent with the user identity information stored in step 7, continue with step 11.
11. The certificate management server calls the certificate authority (CA) center, which generates the user certificate from the request.
12. The certificate management server sends the user certificate to the terminal certificate APP.
13. After the terminal certificate APP receives the user certificate, it passes the certificate to the encryption chip, which stores it, and prompts the user that the certificate operation succeeded; the certificate management operation of embodiment 1 ends normally.
14. The certificate management server refuses this certificate operation request and returns an error message to the terminal certificate APP.
15. After the terminal certificate APP receives the error message, it calls the encryption chip to clear the key pair from the chip and prompts the user with the certificate operation error; the certificate management operation of this embodiment ends abnormally.
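Step 2 of this embodiment has the APP validate the certificate management server against a preset public key certificate or root certificate before any identity data is sent. The Go program below is an added example, not code from the patent or from its applicants, showing what that preset trust looks like with the standard library: the client trusts only the preset certificate as its root (the system trust store is never consulted) and additionally pins the SHA-256 hash of the server's SubjectPublicKeyInfo, so that even another certificate chaining to the same root is refused. It uses net/http/httptest to stand up a throw-away HTTPS server on the loopback interface in place of the certificate management server; that server's self-signed certificate plays the role of the preset certificate, and the response body is a constructed placeholder.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// SPKIPin is the SHA-256 of the certificate's SubjectPublicKeyInfo: the value an
// application would ship preset, next to (or instead of) the full certificate.
func SPKIPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// PinnedClient trusts only the preset certificate as a root (the system trust store is
// never consulted) and additionally requires the server's leaf key to match pin.
func PinnedClient(preset *x509.Certificate, pin [32]byte) *http.Client {
	roots := x509.NewCertPool()
	roots.AddCert(preset)
	cfg := &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		// Called only after chain verification against RootCAs has already succeeded.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("no verified chain")
			}
			if SPKIPin(chains[0][0]) != pin {
				return errors.New("server key does not match the preset pin")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// StartServer stands in for the certificate management server. httptest supplies the
// HTTPS key pair (a self-signed certificate for 127.0.0.1); the body is a placeholder.
func StartServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "certificate management server")
	}))
}

// Fetch opens the HTTPS connection and returns the response body. A trust failure is
// returned by Get during the handshake, before any request bytes are sent.
func Fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Pinning the SPKI hash rather than the whole certificate lets the server renew its certificate without an APP update as long as it keeps the same key, which is the usual trade-off when the pin ships inside the application; a pin mismatch fails the handshake, so no identity card data or certificate request ever leaves the terminal towards an impostor.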
Embodiment 2
The equipment and environment of this embodiment are as follows:
A terminal connected, by means such as external USB, to an NFC device, a camera, a fingerprint acquisition module and an encryption chip in USB key form; the terminal certificate application software is installed, with either the public key certificate that the certificate management cloud host uses to establish HTTPS or the corresponding root certificate preset in the software; the terminal has the corresponding communication capability.
Two virtual cloud hosts created in the enterprise private cloud so that the certificate management server and the identity authentication server are deployed in the cloud; they are labelled the certificate management cloud host and the identity recognition cloud host and run the certificate management module and the identity recognition module respectively. Both cloud hosts have a network communication environment, and the certificate management cloud host has a preset public/private key pair used to establish HTTPS connections.
A certificate authority (CA) system capable of communicating with the certificate management cloud host.
This embodiment is implemented by the following detailed steps, as shown in Figure 5:
1. Administrative staff import the encrypted user resident identity card information, user portrait, fingerprint information and user attribute information into the identity authentication cloud host.
2. The user performs certificate management through the terminal certificate application software, which establishes an HTTPS access connection with the certificate management cloud host, verifies that the cloud host's identity is legitimate by checking the certificate management cloud host's certificate, and thereby secures subsequent communication.
3. The terminal certificate application software reads the user's resident identity card information via NFC and obtains the user's live portrait and fingerprint information with the camera and the fingerprint acquisition module.
4. The terminal certificate application software sends the identity authentication information (resident identity card information, portrait, fingerprint and so on) to the certificate management cloud host.
5. The certificate management cloud host calls the identity authentication cloud host to verify the identity authentication information.
6. The identity authentication cloud host performs identity recognition on the information, confirming the correctness of the resident identity card information, whether the recognition results for the portrait and fingerprint are consistent with the identity card information, and whether the user attribute information has been registered:
6.1) If the resident identity card information is incorrect, or the recognition results for the portrait and fingerprint are inconsistent with the identity card information, or the user attribute information is not registered, go to step 14;
6.2) If the resident identity card information is correct, the recognition results for the portrait and fingerprint are consistent with the identity card information and the user attribute information is registered, continue with step 7.
7. The certificate management cloud host stores the user identity information recognized by the identity authentication cloud host and sends the user identity information to the terminal certificate application.
8. The terminal certificate application software calls the encryption chip, which generates a public/private key pair; the public key and the user identity information are packaged into a user certificate application request in PKCS#10 format.
9. The terminal certificate application software sends the certificate application request to the certificate management cloud host.
10. The certificate management cloud host checks whether the received certificate application request is correct and whether the user information in the request is consistent with the user identity information stored in step 7:
10.1) If the request is incorrect, or the user information in the request is inconsistent with the user identity information stored in step 7, go to step 14;
10.2) If the request is correct and the user information in the request is consistent with the user identity information stored in step 7, continue with step 11.
11. The certificate management cloud host calls the certificate authority (CA) center, which generates the user certificate from the certificate application request.
12. The certificate management cloud host sends the user certificate to the terminal certificate application software.
13. The terminal certificate application software passes the received certificate to the encryption chip, which stores it; the remote online management of the certificate is complete, and the certificate management process of embodiment 2 ends.
14. The certificate management cloud host refuses this certificate operation request and returns an error message to the terminal certificate application software.
15. After the terminal certificate application software receives the error message, it calls the encryption chip to clear the key pair from the chip and prompts the user with the certificate operation error; the certificate management operation of embodiment 2 ends abnormally.
Embodiment 3
The equipment and environment of this embodiment are as follows:
A mobile phone terminal with NFC and a camera into which an encryption card in TF card form has been inserted, with the terminal certificate APP installed; the APP has preset either the public key certificate of the certificate management server or the corresponding root certificate; the phone has mobile wireless network communication capability.
A certificate management server with both external-network and internal-network environments, able to communicate with the mobile phone terminal and with the certificate authority (CA) system; a service comprising the two modules, certificate management and identity recognition, is deployed on the server, and the server has a preset public/private key pair used to establish the VPN tunnel.
A certificate authority (CA) system capable of issuing user digital certificates and of communicating with the certificate management server.
This embodiment is implemented by the following detailed steps, as shown in Figure 6:
1. Administrative staff import the encrypted user resident identity card information, user portrait information and user attribute information into the certificate management server.
2. The user performs certificate management through the terminal certificate APP. The terminal certificate application establishes an SSL VPN access connection with the certificate management server, verifies that the server's identity is legitimate by checking the certificate management server's certificate, and thereby secures subsequent communication.
3. The terminal certificate APP reads the encrypted information in the chip of the user's resident identity card via NFC and captures live portrait information of the user with the camera.
4. The terminal certificate APP sends the identity authentication information (resident identity card information, portrait and so on) to the certificate management server.
5. The identity authentication module of the certificate management server performs identity recognition on the received information against the user information imported in advance, confirming the correctness of the resident identity card information, the consistency of the user's portrait with the identity card information, and whether the user attribute information has been registered:
5.1) If the resident identity card information is incorrect, or the portrait is inconsistent with the identity card information, or the user attribute information is not registered, go to step 13;
5.2) If the resident identity card information is correct, the portrait is consistent with the identity card information and the user attribute information is registered, continue with step 6.
6. The certificate management module of the certificate management server stores the real user identity information that was recognized and returns the user information to the terminal certificate APP.
7. The terminal certificate APP calls the encryption card, which generates a public/private key pair; the public key and the user identity information are packaged into a user certificate application request in PKCS#10 (P10) format.
8. The terminal certificate APP sends the certificate application request to the certificate management server.
9. The certificate management module of the certificate management server checks whether the received certificate application request is correct, including whether the request is complete and whether its signature is valid, and whether the user information in the request is consistent with the user identity information stored in step 6:
9.1) If the request is incorrect, or the user information in the request is inconsistent with the user identity information stored in step 6, go to step 13;
9.2) If the request is correct and the user information in the request is consistent with the user identity information stored in step 6, continue with step 10.
10. The certificate management module of the certificate management server calls the certificate authority (CA) center, which generates the user certificate from the request.
11. The certificate management server sends the certificate to the terminal certificate APP.
12. The terminal certificate APP passes the received certificate to the encryption card, which stores it, and prompts the user that the certificate operation succeeded; the certificate management operation of embodiment 3 ends normally.
13. The certificate management server refuses this certificate operation request and returns an error message to the terminal certificate APP.
14. After the terminal certificate APP receives the error message, it calls the encryption card to clear the key pair from the card and prompts the user with the certificate operation error; the certificate management operation of embodiment 3 ends abnormally.
Those skilled in the art can make various corresponding changes and modifications on the basis of the technical solution and concept described above, and all such changes and modifications should be construed as falling within the scope of protection of the claims of the present invention.

Claims (5)

  1. A digital certificate remote online management device, characterised in that it comprises: a terminal crypto module, a terminal certificate application, a certificate management server, an identity authentication server, a certificate authority and a terminal device;
    the terminal crypto module is used for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and key and certificate storage;
    the terminal certificate application comprises a means for obtaining the user's resident identity card information and biometric information, a means for communicating with the certificate management server, a means for communicating with the terminal crypto module, and a means for collecting terminal device information;
    the certificate management server comprises a means for communicating with the terminal certificate application, a means for judging the legitimacy of a certificate request and its consistency with the user identity, a means for storing and managing the association between terminal device software and hardware and certificate information, a means for communicating with the identity authentication server, and a means for communicating with the certificate authority;
    the identity authentication server comprises a means for communicating with the certificate management server, a means for storing user identity card information, biometric information and attribute authentication information, and a means for recognizing and authenticating user identity information by combining identity card information, biometric information and attribute authentication information;
    the certificate authority is used for issuing and managing user digital certificates;
    the terminal device is a device that has the function of reading the user's resident identity card and biometric information and on which the terminal certificate application can run and use the terminal crypto module.
  2. The digital certificate remote online management device according to claim 1, characterised in that the terminal device is a wearable terminal, a handheld terminal, a portable terminal, a vehicle-mounted terminal or terminal.
  3. The digital certificate remote online management device according to claim 1, characterised in that the user terminal obtains the user's resident identity card information by near-field communication.
  4. The digital certificate remote online management device according to claim 1, characterised in that the biometric information includes portrait, iris, retina, voiceprint and fingerprint, and the terminal device obtains the user's biometric information through a camera, a microphone or a fingerprint recognition module.
  5. A method for performing certificate management using the digital certificate remote online management device according to any one of claims 1 to 4, characterised in that it comprises the following steps:
    S1 Administrative staff import the user's resident identity card information and biometric information into the identity authentication server;
    S2 The user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the certificate management server, confirms the legitimacy of the certificate management server's identity and secures subsequent communication;
    S3 The terminal certificate application obtains the user's resident identity card information and biometric information, including the information in the identity card's security chip and the user's liveness detection information; if the identity authentication server needs to take part in the interaction during information collection, the terminal certificate application connects to the identity authentication server through the certificate management server;
    S4 The terminal certificate application sends the resident identity card information and biometric information to the certificate management server;
    S5 The certificate management server calls the identity authentication server to verify the identity authentication information;
    S6 The identity authentication server performs identity recognition on the received resident identity card information and biometric information of the user together with the information imported in advance: it confirms the correctness of the resident identity card information, recognizes the user's biometric information, and judges whether the biometric recognition result is consistent with the identity card information. If the resident identity card information is incorrect or is inconsistent with the biometric recognition result, the identity authentication result is an error and the method jumps to step S15; if the resident identity card information is correct and consistent with the biometric recognition result, the identity authentication result is correct, the user's real identity information is obtained, and the method continues with step S7;
    S7 The certificate management server stores the user identity information recognized by the identity authentication server and returns the user identity information to the terminal certificate application;
    S8 The terminal certificate application obtains, from the terminal device and the terminal crypto module, the user identity information needed to generate the certificate application;
    S9 The terminal certificate application calls the terminal crypto module, which generates a public/private key pair and stores it inside the module; the identity-recognized user identity information is input and the user certificate application request is generated;
    S10 The terminal certificate application sends the user certificate application request message to the certificate management server;
    S11 The certificate management server parses the certificate application request message, extracts the public key and the user's resident identity card information from it, verifies the correctness of the user certificate application using that public key, and checks the user identity information carried in the application for consistency with the user identity information stored in step S7; if the check fails, jump to step S15; if the check passes, continue with step S12;
    S12 The certificate management server calls the certificate authority, passing in the user certificate application request received from the terminal certificate application; the certificate authority generates the user certificate;
    S13 The certificate management server obtains the user certificate from the certificate authority and sends it to the terminal certificate application;
    S14 After the terminal certificate application receives the certificate, it passes the certificate to the terminal crypto module for storage and prompts the user that the certificate operation succeeded; the certificate management operation ends normally;
    S15 The certificate management server refuses this certificate operation request and returns an error message to the terminal certificate application;
    S16 After the terminal certificate application receives the error message returned by the certificate management server, it calls the terminal crypto module to clear the key pair from the module and prompts the user with the certificate operation error; the certificate management operation ends abnormally.
CN201711307458.1A 2017-12-11 2017-12-11 Remote online management device and method for digital certificates Active CN107800725B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711307458.1A CN107800725B (en) 2017-12-11 2017-12-11 Remote online management device and method for digital certificates

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711307458.1A CN107800725B (en) 2017-12-11 2017-12-11 Remote online management device and method for digital certificates

Publications (2)

Publication Number Publication Date
CN107800725A true CN107800725A (en) 2018-03-13
CN107800725B CN107800725B (en) 2023-08-29

Family

ID=61538240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711307458.1A Active CN107800725B (en) 2017-12-11 2017-12-11 Remote online management device and method for digital certificates

Country Status (1)

Country Link
CN (1) CN107800725B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881290A (en) * 2018-07-17 2018-11-23 深圳前海微众银行股份有限公司 Digital certificate application method, system and storage medium based on block chain
CN109618340A (en) * 2018-12-20 2019-04-12 北京握奇智能科技有限公司 A kind of mobile payment security authentication method and device based on net card veritification technology
CN109756339A (en) * 2018-11-30 2019-05-14 航天信息股份有限公司 A kind of method and system carrying out unified certification to the multiple applications of terminal based on real name certificate
CN109802942A (en) * 2018-12-17 2019-05-24 西安电子科技大学 A kind of voiceprint authentication method and system, mobile terminal of secret protection
CN109874141A (en) * 2019-03-14 2019-06-11 公安部第一研究所 A kind of method and device of mobile phone terminal secure accessing information network
CN110048857A (en) * 2019-04-25 2019-07-23 北京华大智宝电子系统有限公司 A kind of Public Key Infrastructure management system, smart card and device systems
CN110213246A (en) * 2019-05-16 2019-09-06 南瑞集团有限公司 A kind of wide area multiple-factor identity authorization system
WO2019179394A1 (en) * 2018-03-22 2019-09-26 华为技术有限公司 Method, terminal, and authentication server for retrieving identity information
CN110321690A (en) * 2019-07-15 2019-10-11 山东浪潮通软信息科技有限公司 A kind of authentication identifying method based on biometric matches
CN110378197A (en) * 2019-05-30 2019-10-25 郑州中软高科信息技术有限公司 A kind of testimony of a witness comparison device based on cloud
CN110730151A (en) * 2018-07-16 2020-01-24 上海铠射信息科技有限公司 Novel method for authorizing use of terminal digital certificate
CN110971649A (en) * 2018-09-28 2020-04-07 南山人寿保险股份有限公司 System for verifying identity and confirming insurance transaction based on block chain
CN111130772A (en) * 2019-12-25 2020-05-08 飞天诚信科技股份有限公司 Terminal equipment and method for managing server certificate
CN111209589A (en) * 2019-12-31 2020-05-29 航天信息股份有限公司 Method and system for dynamic data desensitization based on regional chain
CN111786783A (en) * 2020-07-01 2020-10-16 中国银行股份有限公司 Public key certificate acquisition method and related equipment
CN113922997A (en) * 2021-09-29 2022-01-11 深圳市天视通视觉有限公司 Certificate activation method, device, equipment and storage medium for network camera

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102905260A (en) * 2012-09-18 2013-01-30 北京天威诚信电子商务服务有限公司 Safety and certification system for data transmission of mobile terminal
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103888442A (en) * 2014-01-13 2014-06-25 黄晓芳 System with integration of visualization biological characteristics and one-time digital signature and method thereof
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
CN207939549U (en) * 2017-12-11 2018-10-02 公安部第一研究所 A kind of digital certificate remote online managing device



Also Published As

Publication number Publication date
CN107800725B (en) 2023-08-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant