CN107800725B - Remote online management device and method for digital certificates - Google Patents


Info

Publication number
CN107800725B
CN107800725B
Authority
CN
China
Prior art keywords
certificate
user
terminal
information
management server
Prior art date
Legal status
Active
Application number
CN201711307458.1A
Other languages
Chinese (zh)
Other versions
CN107800725A (en)
Inventor
刘衍斐
卢煜
周昕
Current Assignee
Beijing Zhongdun Security Technology Development Co ltd
First Research Institute of Ministry of Public Security
Original Assignee
Beijing Zhongdun Security Technology Development Co ltd
First Research Institute of Ministry of Public Security
Priority date
Filing date
Publication date
Application filed by Beijing Zhongdun Security Technology Development Co ltd and First Research Institute of Ministry of Public Security
Priority to CN201711307458.1A
Publication of CN107800725A
Application granted
Publication of CN107800725B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
        • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
        • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
        • H04L9/3247 involving digital signatures
        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/0823 for authentication of entities using certificates
        • H04L63/0861 for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
        • H04L63/0442 for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a device and method for remote online management of digital certificates. Certificate management is combined with several identity recognition and authentication technologies, such as resident identity card authentication and biometric recognition. Through near-field communication, a camera, a microphone, a fingerprint acquisition module and similar equipment, the user's resident identity card information and biometric information (portrait, iris, retina, voiceprint, fingerprint and the like) are acquired, and the identity of the user performing certificate operations on a terminal is determined by comprehensively applying identity card authentication, biometric recognition and the other identity recognition technologies. Only a legitimate user can therefore perform certificate operations, and only from a legitimate terminal; the correspondence and binding between certificate and user are guaranteed to be correct; the problem of user identity impersonation during certificate management is avoided; and secure remote online management is realized. The device has the advantages of high security, flexibility and convenience.

Description

Remote online management device and method for digital certificates
Technical Field
The invention relates to the technical field of digital certificates, in particular to a device and method for remote online management of digital certificates.
Background
A server typically needs to authenticate a user's identity before providing a service, and may also need to cryptographically protect the subsequent communication data, so that only legitimate users can use the relevant resources, services or functions. As systems multiply, if each of the many application services uses its own identity authentication and communication protection mechanism, operational inconvenience and hidden security dangers result; using digital certificates is at present a common security mechanism for solving this problem. With a digital certificate bound to the user, a PKI system, VPN technology and the like can both simplify use for the user and improve the security of identity authentication. Effective security management of certificates is the basis for realizing the various security functions that rely on them, so the security of certificate management itself must be ensured.
To implement certificate management functions such as certificate application and issuance, the conventional digital certificate management scheme proceeds as shown in fig. 1: when a user applies for a certificate with a terminal certificate application, the application first calls a security module to generate a public/private key pair and a certificate application request, and sends the request to the certificate management server; the certificate management server issues a certificate to the terminal certificate application; and after receiving the certificate, the terminal certificate application installs it in the security module, completing the application and issuance process. To improve security, common digital certificate management schemes usually either take the external security module out of the terminal and connect it manually to a secure management terminal for certificate issuance, or simply authenticate the terminal by comparing terminal identifiers before issuing the certificate.
The resident identity card is the legal identity document of Chinese citizens, and every Chinese citizen aged sixteen or over must apply for one. The current resident identity card already carries a built-in security chip that uses the national cryptographic algorithms and is capable of communicating with the outside, and all information it exchanges is encrypted, so that security threats such as counterfeiting of the card, information tampering or leak are avoided. These characteristics (one card per person, a communication interface and encryption security), combined with the resident identity card loss-reporting system currently being implemented by the public security department, provide favourable conditions for the resident identity card to participate in remote authentication.
Biometric recognition technologies such as portrait, iris, retina, voiceprint and fingerprint recognition are increasingly mature; the recognition accuracy of portraits, fingerprints and other biometric features has reached commercial level and is gradually being adopted at scale in services such as Alipay, securities brokers and telecom operators. The population database already built by the public security organs holds portrait, fingerprint and other information covering all citizens of the country, which provides a good basis for implementing biometric recognition services and allows reliable biometric recognition to confirm a user's true identity.
Existing digital certificate management devices and methods confirm the validity of a request only by simple identifier comparison and the like, and do not touch on recognizing the user's true identity, so that when certificate management is carried out remotely there is a serious security problem of user identity impersonation. Particularly when the number of users is large, identities are complex and certificates are issued remotely, various security problems caused by imperfect identity authentication arise, which greatly limits the use of such certificate management methods and devices.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a remote online management device and method for digital certificates based on several identity recognition technologies such as resident identity card verification and biometric recognition. User identity recognition during certificate application and issuance is no longer carried out by simple comparison of identity information; instead, the core recognition and authentication function is completed by integrating verification of the user's resident identity card with recognition of several of the user's biometric features. This prevents the user, terminal, security module or application service from being counterfeited or tampered with, avoids issuing a certificate to an illegitimate user or failing to associate the certificate effectively with the user, effectively ensures the security of certificate management, and reduces the possibility of potential safety hazards such as certificate falsification.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a remote online management device for digital certificates, comprising: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identification authentication server, a certificate authority center and terminal equipment;
the terminal cryptographic module is used for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and key and certificate storage;
the terminal certificate application comprises means for acquiring the user's resident identity card information and biometric information, means for communicating with the certificate management server, means for communicating with the terminal cryptographic module, and means for collecting terminal equipment information;
the certificate management server comprises means for communicating with the terminal certificate application, means for judging the validity of a certificate request and its consistency with the user's identity, means for storing terminal equipment software and hardware information together with certificate information and managing their association, means for communicating with the identification authentication server, and means for communicating with the certificate authority;
the identification authentication server comprises means for communicating with the certificate management server, means for storing user identity card information, biometric information and attribute authentication information, and means for recognizing and authenticating the user's identity information by integrating the identity card information, biometric information and attribute authentication information;
the certificate authority center is used for issuing and managing user digital certificates;
the terminal equipment is able to read the user's resident identity card and biometric information, and can run the terminal certificate application and use the terminal cryptographic module.
Further, the terminal device is a wearable terminal, a handheld terminal, a portable terminal, a vehicle-mounted terminal or a computer terminal.
Further, the user terminal obtains the information of the resident identification card of the user through near field communication.
Further, the biometric information comprises a portrait, an iris, a retina, a voiceprint and a fingerprint, and the terminal equipment obtains the user's biometric information through a camera, a microphone and a fingerprint identification module.
The method for managing digital certificates with the above remote online management device comprises the following steps:
S1, an administrator imports the user's resident identity card information and biometric information into the identification authentication server;
S2, the user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the certificate management server, confirming the legitimacy of the certificate management server's identity and ensuring the security of subsequent communication;
S3, the terminal certificate application acquires the user's resident identity card information and biometric information, which comprise the information in the security chip of the user's resident identity card and liveness detection information of the user; if the identification authentication server needs to participate in the information collection process, the terminal certificate application connects to it through the certificate management server;
S4, the terminal certificate application sends the resident identity card information and biometric information to the certificate management server;
S5, the certificate management server calls the identification authentication server to verify the identification authentication information;
S6, the identification authentication server authenticates the received resident identity card information and biometric information of the user against the pre-imported information: it confirms the correctness of the resident identity card information, recognizes the biometric information, and judges whether the recognized biometric information is consistent with the identity card information. If the resident identity card information is incorrect or inconsistent with the biometric recognition result, the identification authentication result is incorrect and the method jumps to step S15; if the resident identity card information is correct and consistent with the biometric recognition result, the identification authentication result is correct, information such as the user's true identity is obtained, and the method continues with step S7;
S7, the certificate management server stores the user identity information recognized by the identification authentication server and returns it to the terminal certificate application;
S8, the terminal certificate application acquires, from the terminal equipment and the terminal cryptographic module, the user identity information required to generate a certificate application;
S9, the terminal certificate application calls the terminal cryptographic module, generates a public/private key pair and stores it in the terminal cryptographic module, inputs the user identity information and generates a user certificate application request;
S10, the terminal certificate application sends the user certificate application request message to the certificate management server;
S11, the certificate management server parses the certificate application request message, obtains the public key and the user's resident identity card information from the certificate application, uses the public key to check the correctness of the user certificate application, and compares the user identity information carried in the certificate application with the user identity information stored in step S7 for consistency; if verification fails, the method jumps to step S15; if verification succeeds, it continues with step S12;
S12, the certificate management server calls the certificate authority center, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13, the certificate management server obtains the user certificate from the certificate authority and sends it to the terminal certificate application;
S14, after receiving the certificate, the terminal certificate application installs it in the terminal cryptographic module for storage and prompts the user that the certificate operation succeeded; the certificate management operation ends normally;
S15, the certificate management server refuses the certificate operation request and returns error information to the terminal certificate application;
S16, after receiving the error information returned by the certificate management server, the terminal certificate application calls the terminal cryptographic module, clears the key pair held in it, and prompts the user with the certificate operation error information; the certificate management operation ends abnormally.
The invention has the following beneficial effects: digital certificate management is combined with several identity recognition and authentication technologies such as resident identity card authentication and biometric recognition. From the user's resident identity card information and the biometric information (portrait, iris, retina, voiceprint, fingerprint and the like) acquired through near-field communication, a camera, a microphone, a fingerprint acquisition module and similar devices, the true identity of the user performing a certificate operation on the terminal is determined by comprehensively applying identity card authentication, biometric recognition and the other identity recognition technologies. Certificate operations can therefore be performed only by a legitimate user on a legitimate terminal, the correspondence and binding between certificate and user are established correctly, the problem of user identity impersonation during certificate management is solved, and secure remote online certificate management is realized; the digital certificate management system thus has the advantages of high security, flexibility and convenience.
Drawings
FIG. 1 is a schematic diagram of an implementation process in a prior art digital certificate management scheme;
FIG. 2 is a schematic diagram of a system architecture according to the present invention;
FIG. 3 is a schematic flow chart of the method of the present invention;
FIG. 4 is a schematic flow chart of the embodiment 1 of the present invention;
FIG. 5 is a schematic flow chart of embodiment 2 of the present invention;
FIG. 6 is a schematic flow chart of embodiment 3 of the present invention.
Detailed Description
The present invention will be further described with reference to the accompanying drawings. The following examples are given on the premise of the present technical solution, with detailed embodiments and specific operating procedures, but the scope of the present invention is not limited to these examples.
As shown in fig. 2, a remote online management device for digital certificates comprises: a terminal cryptographic module, a terminal certificate application, a certificate management server, an identification authentication server, a certificate authority center and terminal equipment;
the terminal cryptographic module is used for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and key and certificate storage;
the terminal certificate application comprises means for acquiring the user's resident identity card information through near-field communication and the user's biometric features (portrait, iris, retina, voiceprint, fingerprint and the like) through a camera, a microphone and a fingerprint identification module, means for communicating with the certificate management server, means for communicating with the terminal cryptographic module, and means for collecting the software and hardware information of the terminal equipment and the user information;
the certificate management server corresponds to the certificate management module in the logical structure and comprises means for communicating with the terminal certificate application, means for judging the validity of a certificate request and its consistency with the user's identity, means for storing the user terminal's software and hardware information together with certificate information and managing their association, means for communicating with the identification authentication server, and means for communicating with the certificate authority;
the identification authentication server corresponds to the identification authentication module in the logical structure and comprises means for communicating with the certificate management server, means for storing the user's identity card information, biometric information (portrait, iris, retina, voiceprint, fingerprint and the like) and other attribute authentication information, and means for recognizing and authenticating the user's identity information by integrating the identity card information, biometric information and attribute authentication information;
the certificate authority center is used for issuing and managing user digital certificates;
the user terminal is provided with terminal equipment that can read the resident identity card and the user's biometric features (portrait, iris, retina, voiceprint, fingerprint and the like) through near-field communication, a camera, a microphone and a fingerprint identification module, and that can run the terminal certificate application and use the terminal cryptographic module.
As shown in fig. 3, the method for performing certificate management with the remote online digital certificate management device comprises the following steps:
S1, an administrator imports the user's resident identity card information and biometric information (portrait, iris, retina, voiceprint, fingerprint and the like) into the identification authentication server;
S2, the user performs certificate management through the terminal certificate application; the terminal certificate application establishes a secure access connection with the background certificate management server, confirming the legitimacy of the certificate management server's identity and ensuring the security of subsequent communication;
S3, the terminal certificate application acquires the user's resident identity card information and the various biometric information, including the information in the security chip of the user's resident identity card and liveness detection of the user; if the identification authentication server needs to participate in the information collection process, the terminal certificate application connects to the background authentication server either directly or indirectly through the certificate management server;
S4, the terminal certificate application sends the identification authentication information, such as the user's resident identity card information and the various biometric information, to the certificate management server;
S5, the certificate management server calls the background identification authentication server to verify the identification authentication information;
S6, the identification authentication server authenticates the received resident identity card information and biometric information of the user against the pre-imported information: it confirms the correctness of the resident identity card information, recognizes the various biometric information, and judges whether the recognized biometric information is consistent with the identity card information. If the resident identity card information is incorrect or inconsistent with the biometric recognition result, the identification authentication result is incorrect and the method jumps to step S15; if the resident identity card information is correct and consistent with the biometric recognition result, the identification authentication result is correct, information such as the user's true identity is obtained, and the method continues with step S7;
S7, the certificate management server stores the user identity information recognized by the identification authentication server and returns the user identity recognition result to the terminal certificate application;
S8, the terminal certificate application acquires the terminal equipment, terminal cryptographic module, user and other information required to generate a certificate application;
S9, the terminal certificate application calls the terminal cryptographic module, generates a public/private key pair and stores it in the cryptographic module, inputs the user identity information and other data, and generates a user certificate application request;
S10, the terminal certificate application sends the user certificate application request message to the background certificate management server;
S11, the certificate management server parses the user certificate application request message, obtains the public key and the user identity information from the request, uses the public key to check the correctness of the user certificate application request, and compares the user identity information carried in the request with the user identity information stored in step S7 for consistency; if verification fails, the method jumps to step S15; if verification succeeds, it continues with step S12;
S12, the certificate management server calls the certificate authority center, inputs the user certificate application request received from the terminal certificate application, and obtains the generated user certificate;
S13, the certificate management server obtains the user certificate from the certificate authority and sends it to the terminal certificate application;
S14, after receiving the certificate, the terminal certificate application installs it in the terminal cryptographic module for storage and prompts the user that the certificate operation succeeded; the certificate management operation ends normally;
S15, the certificate management server refuses the certificate operation request and returns error information to the terminal certificate application;
S16, after receiving the error information returned by the certificate management server, the terminal certificate application calls the terminal cryptographic module, clears the key pair held in it, and prompts the user with the certificate operation error information; the certificate management operation ends abnormally.
Example 1
The apparatus and environment of this embodiment are as follows:
the mobile phone terminal is provided with NFC and a camera, has a built-in encryption chip, and has a terminal certificate APP installed; the public key certificate of the certificate management server, or the corresponding root certificate, is preset in the APP for establishing HTTPS, and the mobile phone terminal has the data communication capability of a mobile wireless network;
the certificate management server is provided with an external network environment and an internal network environment, can be preset with a public and private key pair for establishing HTTPS connections with the mobile phone terminal, and can communicate with the CA system of the certificate authority;
an identification authentication server, having identification capability and the capability to communicate with the certificate management server;
a certificate authority (CA) system, having the ability to issue digital certificates for users and to communicate with the certificate management server.
The implementation of this embodiment is detailed as follows, as shown in fig. 4:
1. the manager imports the encrypted user resident identification card information, user portrait information and user attribute information into a certificate management server;
2. the user carries out certificate management through the terminal certificate APP; the terminal certificate application establishes an HTTPS access connection with the certificate management server and, by verifying the certificate of the certificate management server, confirms that the server's identity is legitimate and ensures the security of subsequent communication;
3. the terminal certificate APP acquires encrypted information in a resident identification card chip of a user by using NFC, and acquires living body portrait information of the user by using a camera;
4. the terminal certificate APP sends identification authentication information such as user resident identification card information, portrait and the like to a certificate management server;
5. the certificate management server calls an identification authentication server to verify the identification authentication information;
6. the identification authentication server uses the pre-imported user information to perform identification authentication on the received information, confirming whether the user's resident identification card information is correct, whether the user's portrait is consistent with the resident identification card information, and whether the user's attribute information is registered:
6.1 If the user's resident identification card information is incorrect, or the user's portrait is inconsistent with the resident identification card information, or the user's attribute information is not registered, execute step S14;
6.2 If the user's resident identification card information is correct, the user's portrait is consistent with the resident identification card information, and the user's attribute information is registered, continue with step S7.
7. The certificate management server stores the identified user true identity information and returns the user information to the terminal certificate APP;
8. the terminal certificate APP calls an encryption chip, a public and private key pair is generated by the encryption chip, and the public key and user identity information are packaged to obtain a user certificate application request in a P10 (PKCS#10) format;
9. the terminal certificate APP sends a certificate application request to a certificate management server;
10. the certificate management server judges whether the received certificate application request is correct, including whether the request is complete, whether the signature of the request is correct, and the like, and whether the user information in the certificate application is consistent with the user identity information stored in the step 7:
10.1 If the certificate application request is incorrect or the user information in the certificate application is inconsistent with the user identity information stored in step 7, step 14 is performed;
10.2 If the certificate application request is correct and the user information in the certificate application is consistent with the user identity information stored in step 7, step 11 is continued.
10.3 A Certificate Authority (CA) center is called by the certificate management server, and a user certificate is generated according to the request;
11. the certificate management server sends a user certificate to a terminal certificate APP;
12. after receiving the user certificate, the terminal certificate APP issues the certificate to the encryption chip, which stores it, and prompts the user that the certificate operation succeeded; the certificate management operation of embodiment 1 ends normally.
13. The certificate management server refuses the certificate operation request and returns error information to the terminal certificate APP;
14. after receiving the error information, the terminal certificate APP calls the encryption chip, clears the key pair in the encryption chip, and prompts the user of the certificate operation error information, and the certificate management operation of the embodiment is abnormally ended.
Example 2
The apparatus and environment of this embodiment are as follows:
the computer terminal is connected, via external USB or similar means, to an NFC device, a camera, a fingerprint acquisition module and an encryption chip in USB key form; terminal certificate application software is installed, the public key certificate of the certificate management cloud host, or the corresponding root certificate, is preset in the software for establishing HTTPS, and the computer terminal has data communication capability;
two virtual cloud hosts are created in an enterprise private cloud to realize cloud deployment of the certificate management server and the identification authentication server; the two virtual cloud hosts are designated the certificate management cloud host and the identification cloud host, respectively deploy the certificate management module and the identification module, and are provided with a network communication environment, the certificate management cloud host being preset with a public and private key pair for establishing HTTPS connections;
a certificate authority (CA) system, having the capability to communicate with the certificate management cloud host.
The implementation of this embodiment is detailed as follows, as shown in fig. 5:
1. the manager imports the encrypted resident identification card information, user portrait, fingerprint information and user attribute information of the user into the identification authentication cloud host;
2. the user carries out certificate management through the terminal certificate application software; the software establishes an HTTPS access connection with the certificate management cloud host and, by verifying the certificate of the certificate management cloud host, confirms that the cloud host's identity is legitimate and ensures the security of subsequent communication;
3. the terminal certificate application software acquires the user's resident identification card information using NFC, and acquires the user's live portrait and fingerprint information using the camera and the fingerprint acquisition module;
4. the terminal certificate application software sends the identification authentication information such as the resident identification card information of the user, the portrait of the user, the fingerprint and the like to the certificate management cloud host;
5. the certificate management cloud host calls an identification authentication cloud host, and verifies the identification authentication information;
6. the identification authentication cloud host performs identification authentication on the information, confirming whether the user's resident identification card information is correct, whether the identification result of the user's portrait and fingerprint is consistent with the resident identification card information, and whether the user's attribute information is registered;
6.1 If the user's resident identification card information is incorrect, or the identification result of the user's portrait and fingerprint is inconsistent with the resident identification card information, or the user's attribute information is not registered, execute step 14;
6.2 If the user's resident identification card information is correct, the identification result of the user's portrait and fingerprint is consistent with the resident identification card information, and the user's attribute information is registered, continue with step 7;
7. the certificate management cloud host stores the user identity information identified by the identification authentication cloud host and sends the user identity information to the terminal certificate application;
8. the terminal certificate application software calls an encryption chip, a public and private key pair is generated by the encryption chip, and the public key and user identity information are packaged in a PKCS#10 format to obtain a user certificate application request;
9. the terminal certificate application software sends a certificate application request to a certificate management cloud host;
10. the certificate management cloud host judges whether the received certificate application request is correct or not, and whether the user information in the certificate application is consistent with the user identity information stored in the step 7;
11. if the certificate application request is incorrect or the user information in the certificate application is inconsistent with the user identity information stored in the step 7, executing the step 14;
12. if the certificate application request is correct and the user information in the certificate application is consistent with the user identity information stored in step 7, continue with step 11;
13. The certificate management cloud host invokes a Certificate Authority (CA) center to generate a user certificate according to a certificate application request;
14. the certificate management cloud host sends a user certificate to the terminal certificate application software;
15. the terminal certificate application software issues the received certificate to the encryption chip, which stores it; the remote online management of the certificate is complete and the certificate management operation flow of embodiment 2 ends.
16. The certificate management server refuses the certificate operation request and returns error information to the terminal certificate application software;
17. after receiving the error information, the terminal certificate application software calls the encryption card, clears the key pair in the encryption card, and prompts the user with the certificate operation error information; the certificate management operation of embodiment 2 ends abnormally.
Example 3
The apparatus and environment of this embodiment are as follows:
the mobile phone terminal is provided with NFC, a camera, an encryption card in the form of a TF card inserted, a terminal certificate APP installed, a public key certificate or a corresponding root certificate of a certificate management server preset in the APP, and the mobile phone terminal has the data communication capability of a mobile wireless network;
the certificate management server is provided with an external network environment and an internal network environment, can communicate with the mobile phone terminal and with the CA system of the certificate authority, runs a service with two modules, certificate management and identity identification, and is preset with a public and private key pair for establishing a VPN tunnel;
a certificate authority (CA) system, having the ability to issue digital certificates for users and to communicate with the certificate management server.
The implementation of this embodiment is detailed as follows, as shown in fig. 6:
1. the manager imports the encrypted user resident identification card information, user portrait information and user attribute information into a certificate management server;
2. the user carries out certificate management through the terminal certificate APP; the terminal certificate application establishes an SSL VPN access connection with the certificate management server and, by verifying the certificate of the certificate management server, confirms that the server's identity is legitimate and ensures the security of subsequent communication;
3. the terminal certificate APP acquires encrypted information in a resident identification card chip of a user by using NFC, and acquires living body portrait information of the user by using a camera;
4. the terminal certificate APP sends identification authentication information such as user resident identification card information, portrait and the like to a certificate management server;
5. the identification and authentication module of the certificate management server uses the pre-imported user information to perform identification and authentication on the received information, confirming whether the user's resident identification card information is correct, whether the user's portrait is consistent with the resident identification card information, and whether the user's attribute information is registered:
5.1 If the user's resident identification card information is incorrect, or the user's portrait is inconsistent with the resident identification card information, or the user's attribute information is not registered, execute step 13;
5.2 If the user's resident identification card information is correct, the user's portrait is consistent with the resident identification card information, and the user's attribute information is registered, continue with step 6.
6. The certificate management module of the certificate management server stores the identified user true identity information and returns the user information to the terminal certificate APP;
7. the terminal certificate APP calls an encryption card, a public and private key pair is generated by the encryption card, and the public key and user identity information are packaged to obtain a user certificate application request in a P10 (PKCS#10) format;
8. the terminal certificate APP sends a certificate application request to a certificate management server;
9. the certificate management module of the certificate management server judges whether the received certificate application request is correct, including whether the request is complete, whether the signature of the request is correct, and the like, and whether the user information in the certificate application is consistent with the user identity information stored in the step 6;
9.1 If the certificate application request is incorrect or the user information in the certificate application is inconsistent with the user identity information stored in the step 6, executing the step 13;
9.2 If the certificate application request is correct and the user information in the certificate application is consistent with the user identity information stored in step 6, step 10 is continued.
10. The certificate management module of the certificate management server calls a Certificate Authority (CA) center to generate a user certificate according to the request;
11. the certificate management server sends a certificate to a terminal certificate APP;
12. the terminal certificate APP issues the received certificate to the encryption card, which stores it, and prompts the user that the certificate operation succeeded; the certificate management operation of embodiment 3 ends normally.
13. The certificate management server refuses the certificate operation request and returns error information to the terminal certificate APP;
14. after receiving the error information, the terminal certificate APP calls the encryption card, clears the key pair in the encryption card, and prompts the user for the certificate operation error information, and the certificate management operation of embodiment 3 is abnormally ended.
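The certificate application and checking steps that the method (S9 to S16) and each of embodiments 1 to 3 describe, written out as an added example in Go; this is not code from the patent or from the applicants. The terminal generates its key pair and a PKCS#10 request whose subject carries the identity returned in step S7; the certificate management server parses the request, verifies its signature with the enclosed public key, compares the subject with the identity it stored in step S7, and only then has the CA issue the certificate; on any rejection the terminal clears the key pair. The in-process CA, the session id, the `IdentityRecord`, `Terminal`, `Server` and `Enroll` names, and the choice of subject fields (CN and serialNumber) are assumptions made for the example; the ID card number used in the test is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// IdentityRecord is the identity stored by the certificate management server in step S7 (name and resident ID card number confirmed by the identity-authentication server).
type IdentityRecord struct{ Name, IDNumber string }

var ErrIdentityMismatch = errors.New("CSR subject does not match the authenticated identity")

// Terminal stands in for the terminal certificate application and its cryptographic module.
type Terminal struct{ priv *ecdsa.PrivateKey }

// GenerateCSR is step S9: generate the key pair in the module and build a PKCS#10 request whose subject carries the identity returned in S7.
func (t *Terminal) GenerateCSR(id IdentityRecord) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: id.Name, SerialNumber: id.IDNumber}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

func (t *Terminal) ClearKey()    { t.priv = nil } // step S16: discard the key pair after a rejection
func (t *Terminal) HasKey() bool { return t.priv != nil }

// Server stands in for the certificate management server plus an in-process CA (a constructed substitute for the separate CA system of step S12).
type Server struct {
	identities map[string]IdentityRecord // verified identity per terminal session
	caCert     *x509.Certificate
	caKey      *ecdsa.PrivateKey
	nextSerial int64
}

func NewServer() (*Server, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	return &Server{identities: map[string]IdentityRecord{}, caCert: caCert, caKey: key}, err
}

func (s *Server) StoreIdentity(session string, id IdentityRecord) { s.identities[session] = id } // step S7
func (s *Server) CACert() *x509.Certificate                       { return s.caCert }

// HandleCSR is steps S11 to S13: parse the request (completeness), verify its self-signature (proof of possession),
// compare the subject with the identity stored in S7, and only then have the CA issue a certificate for exactly
// that verified identity; the returned DER certificate is what S13 sends back to the terminal.
func (s *Server) HandleCSR(session string, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	rec, ok := s.identities[session] // a session that never passed identity authentication fails too
	if !ok || csr.Subject.CommonName != rec.Name || csr.Subject.SerialNumber != rec.IDNumber {
		return nil, ErrIdentityMismatch
	}
	s.nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(s.nextSerial), Subject: pkix.Name{CommonName: rec.Name, SerialNumber: rec.IDNumber},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, s.caCert, csr.PublicKey, s.caKey)
}

// Enroll runs steps S9 to S16 for one terminal: any rejection clears the key pair (S16).
func Enroll(s *Server, t *Terminal, session string, claimed IdentityRecord) ([]byte, error) {
	csrDER, err := t.GenerateCSR(claimed)
	if err != nil {
		return nil, err
	}
	certDER, err := s.HandleCSR(session, csrDER)
	if err != nil {
		t.ClearKey()
	}
	return certDER, err
}
```

The server builds the issued subject from the record it stored in S7 rather than copying the request's subject, so a request can never obtain a certificate for attributes the identity-authentication step did not confirm.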
Various modifications and variations of the present invention will be apparent to those skilled in the art in light of the foregoing teachings and are intended to be included within the scope of the following claims.

Claims (4)

1. A method for managing certificates by using a digital certificate remote on-line management device is characterized in that:
the digital certificate remote on-line management device comprises: the terminal comprises a terminal password module, a terminal certificate application, a certificate management server, an identification authentication server, a certificate authority center and terminal equipment;
the terminal cipher module is used for key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and key and certificate storage;
the terminal certificate application comprises a device with the functions of acquiring the resident identification card information and the biological characteristic information of the user, a device communicated with a certificate management server, a device communicated with a terminal password module and a device for collecting the information of terminal equipment;
the certificate management server comprises a device for communicating with a terminal certificate application, a device for judging the validity of a certificate request and the consistency with the identity of a user, a device for storing and associating and managing software and hardware of terminal equipment and certificate information, a device for communicating with an identification authentication server and a device for communicating with a certificate authority;
the identification authentication server comprises a device for communicating with the certificate management server, a device for storing user identity card information, biological characteristic information and attribute authentication information, and a device for integrating the identity card information, the biological characteristic information and the attribute authentication information to identify and authenticate the user identity information;
the certificate authority center is used for issuing and managing a user digital certificate;
the terminal equipment is provided with a function of reading resident identification cards and biological characteristic information of users, and can run terminal certificate application and use a terminal password module;
the method comprises the following steps:
S1, a manager imports the resident identification card information and the biological characteristic information of the user into an identification authentication server;
S2, the user performs certificate management through a terminal certificate application, the terminal certificate application establishes a secure access connection with a certificate management server, and confirms the identity legitimacy of the certificate management server and ensures the security of subsequent communication;
S3, the terminal certificate application acquires resident identification card information and biological characteristic information of the user, wherein the resident identification card information and the biological characteristic information comprise information in a resident identification card security chip of the user and user living body detection information, and if an identification authentication server is required to participate in interaction in the information collection process, the terminal certificate application is connected with the identification authentication server through a certificate management server;
S4, the terminal certificate application sends resident identification card information and biological characteristic information to a certificate management server;
S5, the certificate management server calls an identification authentication server to verify the identification authentication information;
S6, the identification authentication server performs identification authentication on the received resident identification card information of the user and the biological characteristic information of the user in combination with the pre-imported information, confirms the correctness of the resident identification card information of the user, identifies the biological characteristic information of the user, judges whether the identification biological characteristic information is consistent with the user identification card information, and if the resident identification card information of the user is incorrect or inconsistent with the biological characteristic information identification result, indicates that the identification authentication result is incorrect, and jumps to step S15; if the resident identification card information of the user is correct and consistent with the biological characteristic information identification result, the identification authentication result is correct, and the true identity information of the user is obtained, continuing to step S7;
S7, the certificate management server stores the identity information of the user identified by the identification authentication server, and returns the user identity information to the terminal certificate application;
S8, the terminal certificate application acquires user identity information required by the generation of a certificate application in the terminal equipment and the terminal password module;
S9, the terminal certificate application calls a terminal password module, generates a public and private key pair and stores the public and private key pair in the terminal password module, inputs the identified user identity information, and generates a user certificate application request;
S10, the terminal certificate application sends a user certificate application request message to a certificate management server;
S11, the certificate management server analyzes the certificate application request message, acquires a public key and user resident identification card information from the certificate application, uses the public key to check the correctness of the user certificate application, compares and checks the consistency of the user identification information carried in the user certificate application and the user identification information stored in the step S7, and jumps to the step S15 if the verification is wrong; if the verification is correct, continuing to step S12;
S12, the certificate management server calls a certificate authority center, inputs a user certificate application request received from a terminal certificate application, and generates and obtains a user certificate;
S13, the certificate management server obtains a user certificate from a certificate authority and sends the certificate to a terminal certificate application;
S14, after the terminal certificate application receives the certificate, issuing the certificate to a terminal password module for storage, and prompting the user of successful certificate operation information, wherein the certificate management operation is normally finished;
S15, the certificate management server refuses the certificate operation request, and returns error information to the terminal certificate application;
S16, after receiving error information returned by the certificate management server, the terminal certificate application calls the terminal cryptographic module, clears the key pair in the terminal cryptographic module, prompts the user of certificate operation error information, and the certificate management operation is abnormally ended.
2. The method of claim 1, wherein the terminal device is a wearable terminal, a handheld terminal, a portable terminal, a vehicle mounted terminal, or a computer terminal.
3. The method according to claim 1, wherein the user terminal obtains the user resident identification card information through near field communication.
4. The method of claim 1, wherein the biometric information includes a portrait, an iris, a retina, a voiceprint, and a fingerprint, and the terminal device obtains the biometric information of the user through a camera, a microphone, and a fingerprint recognition module.
CN201711307458.1A 2017-12-11 2017-12-11 Remote online management device and method for digital certificates Active CN107800725B (en)

Publications (2)

Publication Number Publication Date
CN107800725A CN107800725A (en) 2018-03-13
CN107800725B true CN107800725B (en) 2023-08-29

Family

ID=61538240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711307458.1A Active CN107800725B (en) 2017-12-11 2017-12-11 Remote online management device and method for digital certificates

Country Status (1)

Country Link
CN (1) CN107800725B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110300083B (en) * 2018-03-22 2021-02-12 华为技术有限公司 Method, terminal and verification server for acquiring identity information
CN110730151A (en) * 2018-07-16 2020-01-24 上海铠射信息科技有限公司 Novel method for authorizing use of terminal digital certificate
CN108881290B (en) * 2018-07-17 2021-04-23 深圳前海微众银行股份有限公司 Block chain based digital certificate use method, system and storage medium
TWM576692U (en) * 2018-09-28 2019-04-11 南山人壽保險股份有限公司 System for identity verification and insurance transaction confirmation based on blockchain
CN109756339A (en) * 2018-11-30 2019-05-14 航天信息股份有限公司 A kind of method and system carrying out unified certification to the multiple applications of terminal based on real name certificate
CN109802942B (en) * 2018-12-17 2021-06-25 西安电子科技大学 Voiceprint authentication method with privacy protection function
CN109618340A (en) * 2018-12-20 2019-04-12 北京握奇智能科技有限公司 A kind of mobile payment security authentication method and device based on net card veritification technology
CN109874141A (en) * 2019-03-14 2019-06-11 公安部第一研究所 A kind of method and device of mobile phone terminal secure accessing information network
CN110048857B (en) * 2019-04-25 2022-03-11 北京华大智宝电子系统有限公司 Public key infrastructure management system, smart card and equipment system
CN110213246B (en) * 2019-05-16 2021-11-12 南瑞集团有限公司 Wide-area multi-factor identity authentication system
CN110378197A (en) * 2019-05-30 2019-10-25 郑州中软高科信息技术有限公司 A kind of testimony of a witness comparison device based on cloud
CN110321690A (en) * 2019-07-15 2019-10-11 山东浪潮通软信息科技有限公司 A kind of authentication identifying method based on biometric matches
CN111130772B (en) * 2019-12-25 2022-12-20 飞天诚信科技股份有限公司 Terminal equipment and method for managing server certificate
CN111209589A (en) * 2019-12-31 2020-05-29 航天信息股份有限公司 Method and system for dynamic data desensitization based on regional chain
CN111914228A (en) * 2020-06-29 2020-11-10 中信银行股份有限公司 Online opening method and device of security shield, terminal equipment, server and medium
CN111786783B (en) * 2020-07-01 2022-10-21 中国银行股份有限公司 Public key certificate acquisition method and related equipment
CN113922997B (en) * 2021-09-29 2023-06-30 深圳市天视通视觉有限公司 Certificate activation method, device and equipment of network camera and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102905260A (en) * 2012-09-18 2013-01-30 北京天威诚信电子商务服务有限公司 Safety and certification system for data transmission of mobile terminal
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103888442A (en) * 2014-01-13 2014-06-25 黄晓芳 System with integration of visualization biological characteristics and one-time digital signature and method thereof
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
CN207939549U (en) * 2017-12-11 2018-10-02 公安部第一研究所 A kind of digital certificate remote online managing device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102905260A (en) * 2012-09-18 2013-01-30 北京天威诚信电子商务服务有限公司 Safety and certification system for data transmission of mobile terminal
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103888442A (en) * 2014-01-13 2014-06-25 黄晓芳 System with integration of visualization biological characteristics and one-time digital signature and method thereof
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
CN207939549U (en) * 2017-12-11 2018-10-02 公安部第一研究所 A kind of digital certificate remote online managing device

Also Published As

Publication number Publication date
CN107800725A (en) 2018-03-13

Similar Documents

Publication Publication Date Title
CN107800725B (en) Remote online management device and method for digital certificates
CN110213246B (en) Wide-area multi-factor identity authentication system
TWI667585B (en) Method and device for safety authentication based on biological characteristics
CN105429760B (en) A kind of auth method and system of the digital certificate based on TEE
CN108551455B (en) Configuration method and device of smart card
CN107070667B (en) Identity authentication method
CN107241317B (en) Method for identifying identity by biological characteristics, user terminal equipment and identity authentication server
CN111931144B (en) Unified safe login authentication method and device for operating system and service application
KR101918827B1 (en) Payment verification system, method and apparatus
US20080305769A1 (en) Device Method & System For Facilitating Mobile Transactions
CN105868970B (en) authentication method and electronic equipment
KR101724401B1 (en) Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method
CN109920100B (en) Unlocking method and system of intelligent lock
CN109063438A (en) Data access method, device, local data secure access equipment and terminal
CN104660412A (en) Password-less security authentication method and system for mobile equipment
CN109150547A (en) Blockchain-based system and method for real-name registration of digital assets
CN107733636A (en) Authentication method and Verification System
CN107634834A (en) Trusted identity authentication method based on multiple scenarios across multiple terminals
CN207939549U (en) Remote online management device for digital certificates
CN114329394A (en) Multiple identity authentication method, device, terminal and storage medium for rail transit crew
WO2022042745A1 (en) Key management method and apparatus
CN112073967B (en) Method and device for downloading identity certificate of mobile phone shield equipment and electronic equipment
CN110995661B (en) Network card platform
CN110516427B (en) Terminal user identity authentication method and device, storage medium and computer equipment
CN115967581A (en) Login verification method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant