CN108173648A - Security processing method, equipment and storage medium based on private key escrow - Google Patents
Security processing method, equipment and storage medium based on private key escrow Download PDFInfo
- Publication number
- CN108173648A CN108173648A CN201711481070.3A CN201711481070A CN108173648A CN 108173648 A CN108173648 A CN 108173648A CN 201711481070 A CN201711481070 A CN 201711481070A CN 108173648 A CN108173648 A CN 108173648A
- Authority
- CN
- China
- Prior art keywords
- ciphertext
- client
- private key
- response
- parameter
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
A kind of security processing method, equipment and medium based on private key escrow, the method for one embodiment include:The signature request that client is sent is received, signature response is returned to client, carries the five, the 6th cipher generating parameters;It receives the third ciphertext that client is sent and obtains request, carry the 6th client key that client is generated according to the 6th cipher generating parameter and CUSTOMER ID;Third ciphertext is returned to client and obtains response, carries the third ciphertext extracted from the 5th private key ciphertext encrypted result of storage;Receive the third ciphertext decryption response that client returns, carry the third decrypted result that third ciphertext is decrypted in client, digital signature after private key ciphertext is decrypted based on third decrypted result, private key ciphertext is encrypted according to the 6th client key and obtains the 6th private key ciphertext encrypted result, by the 6th cipher generating parameter and the 6th private key ciphertext decrypted result associated storage.This embodiment scheme improves the safety of security processing.
Description
Technical field
The present invention relates to technical field of network security, more particularly to a kind of security processing side based on private key escrow
Method, computer equipment and computer storage media.
Background technology
It is Web bank, online working, online with the emergence of development and the E-Government e-commerce of Internet technology
The business such as shopping have stepped into public life, and continuous promptly change and progress.It is being related to many key industry
When business operation and the transmission of sensitive information, usually using digital signature technology, realize the integrity verification to data, it is anti-tamper with
And the safeguard protections such as resisting denying.At present, mechanism and enterprise customer are mainly preserved using equipment such as intelligent code key, intellective IC cards
Private key is signed, however the equipment such as intelligent code key, intellective IC card are generally taken care of by special messenger, every time using needs
Applied, flow is cumbersome, and use is constant, and increasing with mobile context, and the hardware device based on PC ends is difficult to meet need
It asks.
Invention content
Based on this, the embodiment of the present application be designed to provide a kind of security processing method based on private key escrow,
Computer equipment and computer storage media.
A kind of security processing method based on private key escrow, including step:
Receive the mechanism private key Shen that server-side is forwarded in the mechanism private key escrow request for receiving the transmission of the first client
Please information, mechanism private key escrow request carries the mechanism private key application information;
The first processing request is sent to the server-side, and receives the server-side and is returned based on the described first processing request
First processing response, it is described first processing response carry first key generation parameter;
Parameter and CUSTOMER ID are generated according to the first key and generate the first client key, and to the server-side
The first confirmation message is sent, first confirmation message carries first client key.
A kind of security processing method based on private key escrow, including step:
Signature request is sent to server-side;
Receive the signature response that the server-side returns, the signature response carries the 5th cipher generating parameter and the 6th close
Key generates parameter;
5th client key is generated according to the 5th cipher generating parameter and CUSTOMER ID, it is close according to the described 6th
Key generates parameter and the CUSTOMER ID generates the 6th client key, and send third ciphertext to the server-side and obtain
Request, the third ciphertext obtain request and carry the 6th client key;
It receives the third ciphertext that the server-side returns and obtains response, the third ciphertext obtains response and carries from storage
The third ciphertext extracted in 5th private key ciphertext encrypted result;
The third ciphertext is decrypted and obtains third decrypted result, and the decryption of third ciphertext is sent to the server-side
Response, the third ciphertext decryption response carry the third decrypted result.
A kind of security processing method based on private key escrow, including step:
The signature request that client is sent is received, signature response is returned to the client according to the signature request, it is described
Signature response carries the 5th cipher generating parameter and the 6th cipher generating parameter;
It receives the third ciphertext that the client is sent and obtains request, the third ciphertext obtains request and carries the client
The 6th client key that end is generated according to the 6th cipher generating parameter and the CUSTOMER ID;
Third ciphertext is returned to the client and obtains response, and the third ciphertext obtains the carried in response from storage
The third ciphertext extracted in five private key ciphertext encrypted results;
The third ciphertext decryption response that the client returns is received, the third ciphertext decryption response carries the client
The third decrypted result that third ciphertext is decrypted is held, and private key ciphertext is being decrypted based on the third decrypted result
Afterwards, it is digitally signed, and private key ciphertext is encrypted according to the 6th client key, obtain the 6th private key ciphertext and add
It is close as a result, and by the 6th cipher generating parameter and the 6th private key ciphertext decrypted result associated storage.
A kind of security processing method based on private key escrow, including step:
It is private to receive the mechanism that server-side is forwarded in the mechanism trustship private key authorization requests for receiving the transmission of the first client
Key authorization requests information;
Second processing request is sent, and receive the clothes to the server-side based on the mechanism private key authorization requests information
End group be engaged in the second processing response of second processing request return, the second processing response carries the generation of the second key and joins
Number and third cipher generating parameter;
Second client key is generated according to second cipher generating parameter and CUSTOMER ID, it is close according to the third
Key generates parameter and CUSTOMER ID generation third client key, and sends the acquisition of the first ciphertext to the server-side and ask
It asks;
It receives the first ciphertext that the server-side returns and obtains response, first ciphertext obtains response and carries based on storage
The first ciphertext for determining of the second private key ciphertext encrypted result;
First ciphertext is decrypted according to second client key, obtains the first decrypted result, and to institute
It states server-side and sends the decryption response of the first ciphertext, the first ciphertext decryption response carries first decrypted result.
A kind of security processing method based on private key escrow, including step:
Application is sent to server-side and obtains private key authorization requests, and the application for receiving server-side return obtains private key mandate and rings
Should, the application obtains private key authorization response and also carries the 4th cipher generating parameter;
4th client key is generated according to the 4th cipher generating parameter and CUSTOMER ID, and to the service
End sends the second ciphertext and obtains request, and second ciphertext obtains request and also carries the 4th client key;
It receives the second ciphertext that the server-side returns and obtains response, the second ciphertext obtains the private carried in response from storage
The second ciphertext extracted in key ciphertext mandate encrypted result;
Second ciphertext is decrypted, obtains the second decrypted result, and the second ciphertext solution is sent to the server-side
Close response, the second ciphertext decryption response carry second decrypted result.
A kind of security processing method based on private key escrow, including step:
When receiving mechanism trustship private key authorization requests, to client forwarding mechanism private key authorization requests information;
The second processing request that the client is sent is received, asks to return to the client according to the second processing
Second processing responds, and the second processing response carries the second cipher generating parameter, third cipher generating parameter;
It receives the first ciphertext that the client is sent and obtains request, first ciphertext obtains request and carries according to
Third cipher generating parameter and the third client key of CUSTOMER ID generation;
Return to the first ciphertext to the client and obtain response, first ciphertext obtain response carry based on storage the
The first ciphertext that two private key ciphertext encrypted results determine;
The first ciphertext decryption response that the client returns is received, the first ciphertext decryption response carries the client
The first decrypted result that first ciphertext is decrypted is held, and private key is being decrypted based on first decrypted result
After ciphertext, based on treating that private key ciphertext is encrypted in authorized user's public key, private key ciphertext mandate encrypted result is obtained, and according to institute
It states third client key the private key ciphertext is encrypted, obtains third private key ciphertext encrypted result;The third is close
Key generates parameter and the third private key ciphertext decrypted result associated storage.
A kind of security processing method based on private key escrow, including step:
It receives the application that client is sent and obtains private key authorization requests, returning to application to the client obtains private key mandate
Response, the application obtain private key authorization response and carry the 4th cipher generating parameter;
The second ciphertext acquisition request that the client obtains the transmission of private key authorization response according to the application is received, it is described
Second ciphertext obtains request and carries the client is generated according to the 4th cipher generating parameter and CUSTOMER ID the
Four client keys;
The second ciphertext is returned to the client and obtains response, and second ciphertext obtains the private carried in response from storage
The second ciphertext extracted in key ciphertext mandate encrypted result;
The second ciphertext decryption response that the client returns is received, the second ciphertext decryption response carries the client
The second decrypted result that second ciphertext is decrypted is held, and private key is being decrypted based on second decrypted result
After ciphertext, Authorization result is obtained, and private key ciphertext is encrypted according to the 4th client key, it is close to obtain the 4th private key
Literary encrypted result;By the 4th cipher generating parameter and the 4th private key ciphertext decrypted result associated storage.
Based on the scheme of embodiment as described above, by the signature private key trustship of mechanism in server-side, and each time into
Row signature authorizes, obtains mandate when security correlated digital security processes, and the private key based on server-side trustship is close
Text, client cooperateed with server-side complete the signature, mandate, obtain licensing process, and each time completion signature, authorize,
It obtains on the basis of authorizing, client further generates new client key, and server-side is based further on the new client
Key generates new private key ciphertext encrypted result, and realizes the update to the private key ciphertext encrypted result of storage accordingly so that every
The private key ciphertext encrypted result for participating in and using every time of the primary user for be required for during security processing client is all
It is different, it can prevent server-side backstage personnel from retaining private key ciphertext to pretend to be user's signature, so as to further improve number
The safety of safe handling.
Description of the drawings
Fig. 1 is the schematic diagram of the application environment of the application scheme of one embodiment;
Fig. 2 is the flow diagram of the security processing method based on private key escrow in one embodiment;
Fig. 3 is the flow diagram of the security processing method based on private key escrow in another embodiment;
Fig. 4 is the flow diagram of the security processing method based on private key escrow in another embodiment;
Fig. 5 is the flow diagram of the security processing method based on private key escrow in another embodiment;
Fig. 6 is the flow diagram of the security processing method based on private key escrow in another embodiment;
Fig. 7 is the flow diagram of the security processing method based on private key escrow in another embodiment;
Fig. 8 is the interaction flow schematic diagram of the processing of the security based on private key escrow in a specific example;
Fig. 9 is the interaction flow schematic diagram of the processing of the security based on private key escrow in another specific example;
Figure 10 is the interaction flow schematic diagram of the processing of the security based on private key escrow in another specific example;
Figure 11 is the interaction flow schematic diagram of the processing of the security based on private key escrow in another specific example.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the object, technical solution and advantage for making the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and
It is not used in restriction the application.
The schematic diagram of application environment that Fig. 1 is related to for application scheme in one embodiment, reference Fig. 1, the present embodiment
Scheme is related to first terminal 101, second terminal 102 and server-side 103, further relates to cipher machine 104 in some embodiments,
It may also relate to 105 and the 4th terminal 106 of third terminal in other embodiments.First terminal 101, second terminal 102, third
Terminal 105, the 4th terminal 106 are with server-side 102 by network connection, and cipher machine 104 is only connect with server-side 103, at some
In embodiment, cipher machine 104 may be set to be a part for server-side 103.Cipher machine 103 is to generate encrypted private
Key ciphertext simultaneously exports, imports encrypted private key ciphertext and sign, and can only communicate with server-side 102.First terminal
101st, second terminal 102,105 and the 4th terminal 106 of third terminal can be specifically the equipment such as terminal console, mobile terminal,
Can be others can with or need by private key escrow to initiated during server-side 103 private key escrow or private key licensing process or
It is to be verified during private key escrow is applied for or will be to being awarded in the private key of 103 trustship of server-side to server-side 103
Power or from server-side 103 obtain server-side 103 storage private key mandate or be to make when needing to be digitally signed
The equipment signed with the private key of 103 trustship of server-side, mobile terminal can be specifically mobile phone, tablet computer, notebook electricity
At least one of brain etc., server-side 103 can be with the server clusters that independent server or multiple servers form come real
It is existing.
In some embodiments of application scheme, initiated with first terminal 101 by private key escrow to server-side 103
Process, second terminal 102 are to use the private key of 103 trustship of server-side to be signed, third terminal 105 is in application private key
It is verified during trustship or will be to being authorized in the private key of 103 trustship of server-side to server-side 103 and the 4th
For terminal 106 is to obtain the mandate of the private key of the storage of server-side 103 from server-side 103, first terminal 101, second terminal
102nd, 105 and the 4th terminal 106 of third terminal can be respectively different terminal devices or refer to same terminal to set
It is standby, only different functions is realized under different technology scenes.
In some embodiments, first terminal 101 can be initiated by webpage, APP applications or other application forms
By private key escrow to server-side 103 or the process of application organization's trustship private key mandate, submit mechanism trustship private available for handler
Key application, the trustship private key mandate of user application organization.Second terminal 102 can pass through webpage, APP applications or other application forms
The private key in 103 trustship of server-side to be used to sign.In some specific examples, first terminal 101 and second terminal 102
Can be same terminal, you can be integrated in identical webpage, APP applications or other application form, with initiate by
Private key escrow is signed to server-side 103, initiation application organization trustship private key authorized person using the private key of server-side trustship
Process.
In some embodiments, third terminal 105 can by APP application come complete mechanism trustship private key application and
Other users is authorized to use the process of mechanism trustship private key, there is the generation of SM2 keys and calculation function, it is true available for legal representative
Recognize mechanism trustship private key application and other users is authorized to use mechanism trustship private key.4th terminal 106 can pass through another APP
Using other users (juridical-person represent user) obtaining means trustship private key mandate is completed, there is certificate request, together
When there is cipher generating parameter (such as SM2 keys generate) and calculation function.In some specific examples, third terminal 105 and
Identical APP can be installed, i.e. legal representative can be completed mechanism trustship private key application and be awarded by the APP in four terminals 106
Power other users can obtain machine using the process of mechanism trustship private key rather than the other users of legal representative by the APP
Structure trustship private key mandate.
It is appreciated that in other specific example, can also be completed by webpage or identical APP all
The above-mentioned processing procedure performed by first terminal 101, second terminal 102,105 and the 4th terminal 106 of third terminal is needed, such as
It initiates private key escrow or private key licensing process, verified during private key escrow is applied for, in 103 trustship of server-side
Private key authorized to server-side 103, obtained from server-side 103 server-side 103 storage private key mandate, needing to carry out
It is signed etc. during digital signature using the private key of 103 trustship of server-side.
Fig. 2 shows the flow diagrams of the security processing method based on private key escrow in one embodiment, should
Embodiment is illustrated by taking the processing procedure of terminal as an example, as shown in Fig. 2, the method in the embodiment includes step S201 extremely
Step S204.
Step S201:Signature request is sent to server-side.
Wherein, which can be based on its used terminal hair by any facility personnel with signature permission
Go out, can should be the legal representative of mechanism with the facility personnel of signature permission or determine to mechanism private key escrow with highest
Determine the account of the personnel of permission or obtain to authorize the other staff of mechanism with signing using private key.It should
The data to be signed signed can be carried in signature request.
Step S202:The signature response that the server-side returns is received, the signature response carries the 5th key generation ginseng
Number and the 6th cipher generating parameter.
5th cipher generating parameter, the 6th cipher generating parameter can be that any terminal can be used to generation client key
Parameter, the 5th cipher generating parameter, the 6th cipher generating parameter in a specific example can be randomly generated random
Number.
In one embodiment, which can also carry the 7th certificate parameter.7th certificate parameter with for
The user of terminal is inputted, and when receiving the information of terminal transmission in order to next step server-side, can be verified.This
Seven certificate parameters can be any parameter that can be verified, such as the random number that generates at random, and the form of the random number can be with
It is unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S203:5th client key is generated according to the 5th cipher generating parameter and CUSTOMER ID, according to
6th cipher generating parameter and the CUSTOMER ID generate the 6th client key, and send the to the server-side
Three ciphertexts obtain request, and the third ciphertext obtains request and carries the 6th client key.
5th client key is generated according to the 5th cipher generating parameter and CUSTOMER ID, is generated and joined according to the 6th key
The mode that number and CUSTOMER ID generate the 6th client key is unlimited, such as can use cipher key derivation function KDF, Hash letter
Number etc. generates the 5th client key.
In a specific example, the 5th client key is generated according to the 5th cipher generating parameter and CUSTOMER ID
Step can include:5th client private key is generated according to the 5th cipher generating parameter and CUSTOMER ID, and according to described the
Five client private keys derive the 5th client public key.At this point, the 5th client key includes the 5th client public key.According to
The step of 6th cipher generating parameter and CUSTOMER ID generate six client keys can include:It is generated according to the 6th key
Parameter and CUSTOMER ID generate the 6th client private key, and derive the 6th client public affairs according to the 6th client private key
Key.At this point, the 6th client key includes the 6th client public key.
In one embodiment, in the case of also carrying the 7th certificate parameter in above-mentioned signature response, to server-side
Before sending the acquisition request of third ciphertext, step can also be included:Obtain the 8th certificate parameter input by user.It is at this point, above-mentioned
Third ciphertext is obtained in request, also carries the 8th certificate parameter.Input in terminal user is correct, and the 8th tests
Demonstrate,proving parameter should be identical with above-mentioned 7th certificate parameter.
Step S204:It receives the third ciphertext that the server-side returns and obtains response, the third ciphertext obtains response and takes
The third ciphertext that band is extracted from the 5th private key ciphertext encrypted result of storage.
In one embodiment, it is true that fiveth private key ciphertext encrypted result of any possible mode based on storage may be used
Fixed third ciphertext can be the 5th to storage for being based on SM2 cipher modes and obtain the 5th private key ciphertext encrypted result
Private key ciphertext encrypted result is split as C1, C2 and C3 according to SM2 ciphertext forms, and using C1 as the third ciphertext.
The present embodiment does not limit for the mode that specifically third ciphertext is decrypted.It is decrypted and responded based on the third ciphertext
Third decrypted result is carried, whether correct, so as to fulfill client and clothes if can analyze the third decrypted result in order to server-side
Business end cooperates to complete the signature process.
In one embodiment, the method for the present embodiment can also include the following steps S211 to step S213, to complete
The trustship of mechanism private key.
Step 211:Receive the machine that server-side is forwarded in the mechanism private key escrow request for receiving the transmission of the first client
Structure private key application information, the mechanism private key escrow request carry the mechanism private key application information.
In some embodiments, the first client of transmitting mechanism private key escrow request, the method with performing the embodiment
Client can be different client, initiated if desired for the handler of mechanism for initiating private key escrow by the first client
The mechanism private key escrow request.Wherein, the mechanism private key application information can include the relevant information of mechanism (such as enterprise)
(such as mechanism ID) can also include the relevant information of handler.Server-side is receiving the mechanism private key application information
Afterwards, the relevant information based on mechanism (such as mechanism ID) can have with the legal representative of obtaining means or to mechanism private key escrow
The account of the personnel of highest authorization decision, and the mechanism private key application information is forwarded to legal representative or to mechanism private key support
The corresponding client of account of personnel of the pipe with highest authorization decision, i.e., the client where when the present embodiment method performs.
Step S212:The first processing request is sent, and receive the server-side and be based at described first to the server-side
The first processing response that reason request returns, the first processing response carry first key generation parameter.
Wherein, first key generation parameter can be the parameter that any client can be used to generation client key.
In one specific example, first key generation parameter can be a random number.
In one embodiment, the first certificate parameter, first certificate parameter can also be included in the first processing response
It is inputted with for the user of terminal, when receiving the information of terminal transmission in order to next step server-side, can be tested
Card.First certificate parameter can be any parameter that can be verified, the random number such as generated at random, the shape of the random number
Formula can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S213:Parameter and CUSTOMER ID are generated according to first key and generate the first client key, and to described
Server-side sends the first confirmation message, and first confirmation message carries first client key.
The CUSTOMER ID can be the PIN code (Personal for the terminal for performing the present embodiment method
Identification Number, personal recognition code), which can voluntarily be read or by end from terminal
The user at end is inputted.
According to first key generate parameter and CUSTOMER ID generate the first client key mode it is unlimited, such as can be with
The first client key is generated with cipher key derivation function KDF, hash function etc..It, can be according in a specific example
One cipher generating parameter and CUSTOMER ID generate the first client private key, and derive the according to first client private key
One client public key.At this point, above-mentioned first client key includes first client public key.
In one embodiment, in the case of further including the first certificate parameter in the above-mentioned first processing response, to institute
Before stating server-side the first confirmation message of transmission, step can also be included:Obtain the second certificate parameter input by user.At this point,
In above-mentioned first confirmation message, second certificate parameter is also carried.It is correct in terminal user's input, second verification
Parameter should be identical with above-mentioned first certificate parameter.
In one embodiment, before above-mentioned the first confirmation message of transmission to server-side, step can also be included:
It signs to first confirmation message.So as to by the signature of client, can further confirm that this first
Confirmation message is through client user (legal representative of such as mechanism or the people to mechanism private key escrow with highest authorization decision
Member) mandate send out, improve the first confirmation message non repudiation, to further improve safety.
In a specific example, above-mentioned first confirmation message can also carry the second client digital certificate.
In one embodiment, the scheme of the present embodiment can also include the following steps S221 to step S225, to complete
The mandate of trustship private key.
Step S221:Server-side is received to forward in the mechanism trustship private key authorization requests for receiving the transmission of the first client
Mechanism private key authorization requests information.
In some embodiments, the first client of transmitting mechanism trustship private key authorization requests, with performing the embodiment
The client of method can be different client, lead to if desired for the handler for the mechanism for initiating mechanism trustship private key authorization requests
It crosses the first client and initiates the mechanism trustship private key authorization requests.Server-side is receiving the mechanism trustship private key authorization requests
Afterwards, the relevant information based on mechanism (such as mechanism ID) can have with the legal representative of obtaining means or to mechanism private key escrow
The account of the personnel of highest authorization decision, and to legal representative or to personnel of the mechanism private key escrow with highest authorization decision
The corresponding client of account (client where when i.e. the present embodiment method performs) forwarding mechanism private key authorization message.
Step S222:Second processing request is sent to the server-side based on the mechanism private key authorization requests information, and
The second processing response that the server-side is returned based on second processing request is received, the second processing response carries second
Cipher generating parameter.
Wherein, which can be the parameter that any client can be used to generation client key.
In one specific example, which can be a random number.
In one embodiment, third certificate parameter, the third certificate parameter can also be included in second processing response
It is inputted with for the user of terminal, when receiving the information of terminal transmission in order to next step server-side, can be tested
Card.The third certificate parameter can be any parameter that can be verified, the random number such as generated at random, the shape of the random number
Formula can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S223:Second client key is generated according to the second cipher generating parameter and CUSTOMER ID, and to service
End sends the first ciphertext and obtains request.
The CUSTOMER ID can be the PIN code for the terminal for performing the present embodiment method, which can be voluntarily from end
It reads or is inputted by the user of terminal in end.
The mode that the second client key is generated according to the second cipher generating parameter and CUSTOMER ID is unlimited, such as can be with
The second client key is generated with cipher key derivation function KDF, hash function etc..It is close according to second in a specific example
Key generates parameter and CUSTOMER ID generates the second client private key, and derive the second client according to the second client private key
Public key.At this point, the second client key includes the second client public key.
In one embodiment, in the case of further including third certificate parameter in the response of above-mentioned second processing, to institute
Before stating server-side transmission the first ciphertext acquisition request, step can also be included:Obtain the 4th certificate parameter input by user.This
When, above-mentioned first ciphertext is obtained in request, also carries the 4th certificate parameter.Input in terminal user is correct,
4th certificate parameter should be identical with above-mentioned third certificate parameter.
Step S224:It receives the first ciphertext that the server-side returns and obtains response, first ciphertext obtains response and takes
The first ciphertext that band is determined based on the second private key ciphertext encrypted result of storage.
In one embodiment, it is true that second private key ciphertext encrypted result of any possible mode based on storage may be used
The first fixed ciphertext can be second to storage for being based on SM2 cipher modes and obtain the second private key ciphertext encrypted result
Private key ciphertext encrypted result is split as C1, C2 and C3 according to SM2 ciphertext forms, and using C1 as first ciphertext.
Step S225:First ciphertext is decrypted according to second client key, obtains the first decryption knot
Fruit, and the decryption response of the first ciphertext is sent to the server-side, the first ciphertext decryption response carries the first decryption knot
Fruit.
The present embodiment does not limit for the mode that specifically the first ciphertext is decrypted.It is decrypted and responded based on first ciphertext
The first decrypted result is carried, whether correct, so as to fulfill client and clothes if can analyze first decrypted result in order to server-side
The mandate for cooperating to complete the trustship private key at business end.
On the other hand, in one embodiment, above-mentioned second processing response can also carry third cipher generating parameter;One
The random number that the third cipher generating parameter in a specific example can also be randomly generated.
At this point, before above-mentioned transmission the first ciphertext acquisition request to the server-side, step can also be included:According to
Three cipher generating parameters and CUSTOMER ID generation third client key.According to third cipher generating parameter and CUSTOMER ID
The mode for generating third client key is unlimited, such as can generate third visitor with cipher key derivation function KDF, hash function etc.
Family end key.In a specific example, third client key is generated according to third cipher generating parameter and CUSTOMER ID
The step of can include:According to the third cipher generating parameter and CUSTOMER ID generation third client private key, and according to
The third client private key derives third client public key.It is public that the third client key includes the third client
Key.
At this point, the first ciphertext described above, which obtains request, also carries the third client key.
Wherein, above-mentioned second processing response, which carries, treats authorized user's certificate.In another embodiment, it is sent out to server-side
Before sending the acquisition request of the first ciphertext, step can also be included:Request is obtained to the first ciphertext to sign.
In one embodiment, the method in the present embodiment further includes following step S231 to step S234, to be used
The mandate of trustship private key.
Step S231:Application is sent to server-side and obtains private key authorization requests, and the application for receiving server-side return obtains
Private key authorization response.
It, can be by needing to apply for that the mandate of acquisition trustship private key, needs subsequently can adequate services in a specific example
User's (waiting to authorize) of the mechanism that the private key of end storage is signed initiates this application acquisition private key mandate by client please
It asks, this application, which obtains private key authorization requests, can carry the relevant information for treating authorized user.
In one embodiment, this application, which obtains private key authorization response, can also include the 5th certificate parameter.5th tests
Card parameter is inputted with for the user of terminal, can when receiving the information of terminal transmission in order to next step server-side
It is verified.5th certificate parameter can be any parameter that can be verified, the random number such as generated at random, this is random
Several forms can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
In one embodiment, this application, which obtains private key authorization response, can also carry the 4th cipher generating parameter.This
Four cipher generating parameters can be the parameter that any client can be used to generation client key.It, should in a specific example
4th cipher generating parameter can be a random number.
Step S232:Private key authorization response is obtained according to application and sends the acquisition request of the second ciphertext to server-side.
In one embodiment, above-mentioned application obtain private key authorization response in also carry five certificate parameters when, to
Before the server-side sends the acquisition request of the second ciphertext, step can also be included:Obtain the 6th certificate parameter input by user.
At this point, above-mentioned second ciphertext is obtained in request, the 6th certificate parameter is also carried.In the correct situation of the input of terminal user
Under, the 6th certificate parameter should be identical with above-mentioned 5th certificate parameter.
In one embodiment, the feelings of the 4th cipher generating parameter are also carried in above-mentioned application obtains private key authorization response
Under condition, before the acquisition request of the second ciphertext is sent to server-side, step can also be included:It is generated and joined according to the 4th key
Number and CUSTOMER ID generate the 4th client key.At this point, second ciphertext, which obtains request, also carries the 4th visitor
Family end key.The CUSTOMER ID can be the PIN code for the terminal for performing the present embodiment method, which can read from terminal
It takes or is inputted by the user of terminal.
The mode that the 4th client key is generated according to the 4th cipher generating parameter and CUSTOMER ID is unlimited, such as can be with
The 4th client key is generated with cipher key derivation function KDF, hash function etc..It is close according to the 4th in a specific example
The step of key generation parameter and CUSTOMER ID generate four client keys can include:According to the 4th cipher generating parameter and
CUSTOMER ID generates the 4th client private key, and derives the 4th client public key according to the 4th client private key.At this point, the
Four client keys include the 4th client public key.
Step S233:It receives the second ciphertext that server-side returns and obtains response, the second ciphertext is obtained in response and carried from depositing
The second ciphertext extracted in the private key ciphertext mandate encrypted result of storage.
In one embodiment, it is true that private key ciphertext mandate encrypted result of any possible mode based on storage may be used
Fixed second ciphertext, can be close to the private key of storage for being based on SM2 cipher modes and obtain private key ciphertext mandate encrypted result
Text authorizes encrypted result to be split as C1, C2 and C3 according to SM2 ciphertext forms, and using C1 as second ciphertext.
Step S234:Second ciphertext is decrypted, obtains the second decrypted result, and the is sent to the server-side
The decryption response of two ciphertexts, the second ciphertext decryption response carry second decrypted result.
The present embodiment does not limit for the mode that specifically the second ciphertext is decrypted.It is decrypted and responded based on second ciphertext
The second decrypted result is carried, whether correct, so as to fulfill client and clothes if can analyze second decrypted result in order to server-side
Business end cooperates to complete the process that this application obtains private key mandate.
Fig. 3 shows the flow diagram of the security processing method based on private key escrow in another embodiment,
The embodiment is illustrated by taking the processing procedure of server-side 103 as an example.As shown in figure 3, in the embodiment based on private key support
The security processing method of pipe includes step S301 to step S304.
Step S301:The signature request that client is sent is received, is returned and signed to the client according to the signature request
Response, the signature response carry the 5th cipher generating parameter and the 6th cipher generating parameter.
Wherein, the client for sending out the signature request can be visitor used in any facility personnel with signature permission
Family end can should be the legal representative of mechanism or have highest to mechanism private key escrow with the facility personnel of signature permission
It the account of the personnel of authorization decision or obtains and authorizes the other staff of mechanism with signing using private key.
The data to be signed signed can be carried in the signature request.
5th cipher generating parameter, the 6th cipher generating parameter can be that any terminal can be used to generation client key
Parameter, the 5th cipher generating parameter, the 6th cipher generating parameter in a specific example can be randomly generated random
Number.
In one embodiment, which can also carry the 7th certificate parameter.7th certificate parameter with for
The user of terminal is inputted, and when receiving the information of terminal transmission in order to next step server-side, can be verified.This
Seven certificate parameters can be any parameter that can be verified, such as the random number that generates at random, and the form of the random number can be with
It is unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S302:It receives the third ciphertext that client is sent and obtains request, the third ciphertext obtains request and carries visitor
The 6th client key that family end is generated according to the 6th cipher generating parameter and the CUSTOMER ID.
Client generates the 5th client key, according to the 6th key according to the 5th cipher generating parameter and CUSTOMER ID
Generate parameter and CUSTOMER ID generate the 6th client key mode it is unlimited, such as can use cipher key derivation function KDF,
Hash function etc. generates the 5th client key.
In a specific example, client generates the 5th client according to the 5th cipher generating parameter and CUSTOMER ID
The step of key, can include:According to the 5th cipher generating parameter and CUSTOMER ID the 5th client private key of generation, and according to
5th client private key derives the 5th client public key.At this point, the 5th client key includes the 5th client public key.Root
The step of generating six client keys according to the 6th cipher generating parameter and CUSTOMER ID can include:It is given birth to according to the 6th key
The 6th client private key is generated, and the 6th client public affairs are derived according to the 6th client private key into parameter and CUSTOMER ID
Key.At this point, the 6th client key includes the 6th client public key.
In one embodiment, in the case of also carrying the 7th certificate parameter in above-mentioned signature response, at this point, described
Three ciphertexts obtain request and also carry the 8th certificate parameter input by user.At this point, the method for the present embodiment can also include step:
Verify the consistency of the 8th certificate parameter and the 7th certificate parameter.It is correct in terminal user's input, it should
8th certificate parameter should be identical with above-mentioned 7th certificate parameter.
Step S303:Third ciphertext is returned to the client and obtains response, and third ciphertext, which obtains, to be carried in response from depositing
The third ciphertext extracted in 5th private key ciphertext encrypted result of storage.
In one embodiment, it is true that fiveth private key ciphertext encrypted result of any possible mode based on storage may be used
Fixed third ciphertext can be the 5th to storage for being based on SM2 cipher modes and obtain the 5th private key ciphertext encrypted result
Private key ciphertext encrypted result is split as C1, C2 and C3 according to SM2 ciphertext forms, and using C1 as the third ciphertext.
Step S304:The third ciphertext decryption response that client returns is received, the third ciphertext decryption response carries institute
The third decrypted result that third ciphertext is decrypted in client is stated, and private is being decrypted based on the third decrypted result
It after key ciphertext, is digitally signed, and private key ciphertext is encrypted according to the 6th client key, obtain the 6th private key ciphertext
Encrypted result, and by the 6th cipher generating parameter and the 6th private key ciphertext decrypted result associated storage.The private key ciphertext can
To be the private key ciphertext parsed to the 5th private key ciphertext encrypted result.
The present embodiment does not limit for the mode that specifically third ciphertext is decrypted.It is decrypted and responded based on the third ciphertext
Third decrypted result is carried, it is whether correct that server-side can analyze the third decrypted result, so as to fulfill client and server-side
The application process for cooperating to complete the trustship private key mandate.In addition, when being digitally signed, it can in one embodiment
To be after private key ciphertext and data to be signed are sent to cipher machine, to be signed by cipher machine, digital signature result is obtained.
Wherein, the associated storage to the 6th cipher generating parameter and the 6th private key ciphertext decrypted result here, Ke Yishi
The update of fiveth private key ciphertext encrypted result and its corresponding cipher generating parameter stored to server-side.I.e. server-side is not
The 5th private key ciphertext encrypted result and its corresponding cipher generating parameter are stored again, but store associated 6th key generation ginseng
Number and the 6th private key ciphertext decrypted result, so that it is guaranteed that after signing each time, the server-side always use based on terminal
The participation at family generates new private key ciphertext encrypted result, it is ensured that used private key ciphertext encryption when server-side is signed every time
As a result it is all different, it can prevent server-side backstage personnel from retaining private key ciphertext to pretend to be user's signature, further improve number
The safety of safe handling.
In one embodiment, the method for the present embodiment can also include the following steps S311 to step S315, to complete
The trustship of mechanism private key.
Step S311:When receiving mechanism private key escrow request, mechanism private key application information is forwarded to the client,
The mechanism private key application information is carried in mechanism private key escrow request.
In some embodiments, the client of transmitting mechanism private key escrow request, the mechanism private key application with receiving forwarding
The client of information can be different client, pass through the first client if desired for the handler for the mechanism for initiating private key escrow
Initiate the mechanism private key escrow request.Server-side is after the mechanism private key application information is received, the relevant information based on mechanism
(such as mechanism ID) can have the account of the personnel of highest authorization decision with the legal representative of obtaining means or to mechanism private key escrow
Number, and the mechanism private key application information is forwarded to legal representative or there is the people of highest authorization decision to mechanism private key escrow
The corresponding client of account of member.
Step S312:The first processing request that the client is sent is received, is asked according to the first processing to the client
End returns to the first processing response, and the first processing response carries first key generation parameter.
Wherein, first key generation parameter can be the parameter that any client can be used to generation client key.
In one specific example, first key generation parameter can be a random number.
In one embodiment, the first certificate parameter, first certificate parameter can also be included in the first processing response
It is inputted with for the user of terminal, when receiving the information of terminal transmission in order to next step server-side, can be tested
Card.First certificate parameter can be any parameter that can be verified, the random number such as generated at random, the shape of the random number
Formula can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S313:The first confirmation message that the client is sent is received, the first confirmation message carries the client
Parameter and the first client key of CUSTOMER ID generation are generated based on the first key.
Client can be used any possible mode to generate parameter and CUSTOMER ID generation first according to first key
Client key, such as generate the first client key with cipher key derivation function KDF, hash function.In a specific example
In, client can generate parameter according to first key and CUSTOMER ID generates the first client private key, and according to the first visitor
Family end private key derives the first client public key.The first client key can include first client public key at this time.Wherein
The CUSTOMER ID can be the PIN code of terminal 101, which can be that client is obtained from the terminal device at place, also may be used
Be by client user input.
In one embodiment, in the case where the above-mentioned first processing response further includes the first certificate parameter, above-mentioned first
In confirmation message, the second certificate parameter input by user of client is also carried.Correct situation is inputted in the user of client
Under, which should be identical with above-mentioned first certificate parameter.
In the case, before next step S314 is entered, step can also be included:Verify second certificate parameter
With the consistency of first certificate parameter.And in the case where verifying the second certificate parameter and the first certificate parameter unanimous circumstances, then
Into next step S304, otherwise failure information is returned to client or directly exit current process flow.
In one example, in the case where client has and signs to the first confirmation message, can also further exist
Verify the validity of the signature of first confirmation message.The mode of the validity of specific verification signature, may be used any
Possible mode carries out.
In a specific example, first confirmation message can also carry the second client digital certificate.At this point, clothes
Business end can pass through the validity of the signature of second the first confirmation message of client digital certificate authentication.
Step S314:Private key ciphertext is obtained, and the private key ciphertext is encrypted based on first client key,
Obtain the first private key ciphertext encrypted result.
Private key ciphertext can be obtained in one specific example from cipher machine 104.First client key is close to the private key
The mode that text is encrypted may be used any possible mode and carry out.
Step S315:First key is generated into parameter, the first private key ciphertext encrypted result associated storage.
In one embodiment, the scheme of the present embodiment can also include the following steps S321 to step S325, to complete
The mandate of trustship private key.
Step S321:When receiving mechanism trustship private key authorization requests, to the private key mandate of client forwarding mechanism
Solicited message.
In some embodiments, the client of transmitting mechanism trustship private key authorization requests, the mechanism private key with receiving forwarding
The client of authorization requests information can be different client, if desired for the mechanism for initiating mechanism trustship private key authorization requests
Handler initiates the mechanism trustship private key authorization requests by the first client.Server-side is awarded receiving the mechanism trustship private key
After power request, the relevant information (such as mechanism ID) based on mechanism can be with the legal representative of obtaining means or to mechanism private key support
The account of personnel of the pipe with highest authorization decision, and there is highest authorization decision to legal representative or to mechanism private key escrow
Personnel the corresponding client of account (client for receiving the mechanism private key authorization requests information of forwarding) forwarding mechanism it is private
Key authorization message.
Step S322:The second processing request that the client is sent is received, is asked according to the second processing to described
Client returns to second processing response, and the second processing response carries the second cipher generating parameter.
Wherein, which can be the parameter that any client can be used to generation client key.
In one specific example, which can be a random number.
In one embodiment, third certificate parameter, the third certificate parameter can also be included in second processing response
It is inputted with for the user of terminal, when receiving the information of terminal transmission in order to next step server-side, can be tested
Card.The third certificate parameter can be any parameter that can be verified, the random number such as generated at random, the shape of the random number
Formula can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
Step S323:It receives the first ciphertext that the client is sent and obtains request.
In one embodiment, in the case where the response of above-mentioned second processing further includes third certificate parameter, above-mentioned first
Ciphertext is obtained in request, also carries the 4th certificate parameter input by user of client.It is correct in user's input of client
In the case of, the 4th certificate parameter should be identical with above-mentioned third certificate parameter.
Therefore, in the case, before next step S324 is entered, step can also be included:Verify that the described 4th tests
Demonstrate,prove the consistency of parameter and the third certificate parameter.And verifying the 4th certificate parameter feelings consistent with the 3rd 1 certificate parameter
Under condition, next step S324 is entered back into, otherwise return to failure information to client or directly exits current process flow.
In one example, second processing response, which also carries, treats authorized user's certificate.In another example, the present embodiment
Method further include step:Verify that first ciphertext obtains the validity of the signature of request.Specific verification is signed effective
The mode of property, may be used any possible mode and carries out.
Step S324:The first ciphertext is returned to the client and obtains response, and first ciphertext obtains response and carries base
In the first ciphertext that the second private key ciphertext encrypted result of storage determines.
In one embodiment, any possible mode may be used and obtain the second private key ciphertext encryption knot based on storage
The first ciphertext that fruit determines can be to storage for being based on SM2 cipher modes and obtain the second private key ciphertext encrypted result
Second private key ciphertext encrypted result is split as C1, C2 and C3 according to SM2 ciphertext forms, and using C1 as first ciphertext.
Step S325:The first ciphertext decryption response that client returns is received, the decryption response of the first ciphertext carries the second visitor
The first decrypted result that first ciphertext is decrypted in family end, and it is close decrypting private key based on the first decrypted result
Wen Hou based on treating that private key ciphertext is encrypted in authorized user's public key, obtains private key ciphertext mandate encrypted result.The private key ciphertext
It can be the private key ciphertext parsed to the second private key ciphertext encrypted result.
Specifically based on the second client key, to mode that the first ciphertext is decrypted, the present embodiment does not limit.
The first decrypted result is carried in the decryption response of one ciphertext, whether server-side can analyze first decrypted result correct, so as to fulfill
The mandate for cooperating to complete the trustship private key of client and server-side.
On the other hand, in one embodiment, second processing response can also carry third cipher generating parameter;One
The random number that the third cipher generating parameter in specific example can also be randomly generated.
At this point, first ciphertext, which obtains request, also carries the client according to third cipher generating parameter and user's knowledge
The third client key of other code generation.Client generates third client according to third cipher generating parameter and CUSTOMER ID
The mode of key is unlimited, such as can generate third client key with cipher key derivation function KDF, hash function etc..One
In a specific example, client generates third client private key according to the third cipher generating parameter and CUSTOMER ID, and
Third client public key is derived according to the third client private key.The third client key includes the third client
Hold public key.
At this point, the first ciphertext described above, which obtains request, also carries the third client key.And the present embodiment method
It can also include step:
Private key ciphertext is encrypted according to third client key, obtains third private key ciphertext encrypted result;
By the third cipher generating parameter and the third private key ciphertext decrypted result associated storage.
Wherein, the associated storage to third cipher generating parameter, third private key ciphertext encrypted result here, can be pair
The update of the second stored cipher generating parameter of server-side and the second private key ciphertext encrypted result.I.e. server-side is no longer deposited
Store up the second cipher generating parameter, the second private key ciphertext encrypted result incidence relation, but store the generation of associated third key
Parameter, third private key ciphertext encrypted result, so that it is guaranteed that after handling each time, the ginseng of the server-side always user based on terminal
With generating new private key ciphertext encrypted result, it is ensured that when server-side performs licensing process every time, used private key ciphertext encryption
As a result it is all different, it can prevent server-side backstage personnel from retaining private key ciphertext to pretend to be user's signature, so as to further improve
The safety of security processing.
In one embodiment, the method in the present embodiment further includes following step S331 to step S334, so that juridical-person
The user of representative obtains the mandate using trustship private key.
Step S331:It receives the application that the client is sent and obtains private key authorization requests, Shen is returned to the client
It please obtain private key authorization response.
It, can be by needing to apply for the mandate of acquisition trustship private key, needing subsequently use server-side in one specific example
The user's (waiting to authorize) for the mechanism that the private key of storage is signed initiates this application by client and obtains private key authorization requests,
This application, which is obtained in private key authorization requests, can carry the relevant information for treating authorized user.
In one embodiment, this application, which obtains private key authorization response, can also include the 5th certificate parameter.5th tests
Card parameter is inputted with for the user of terminal, can when receiving the information of terminal transmission in order to next step server-side
It is verified.5th certificate parameter can be any parameter that can be verified, the random number such as generated at random, this is random
Several forms can be unlimited, the number that can be randomly generated, Chinese character, character string or a combination thereof etc. any possible form.
In one embodiment, this application, which obtains private key authorization response, can also carry the 4th cipher generating parameter.This
Four cipher generating parameters can be the parameter that any client can be used to generation client key.It, should in a specific example
4th cipher generating parameter can be a random number.
Step S332:Receive the second ciphertext acquisition request that client obtains the transmission of private key authorization response according to application.
In one embodiment, it is described when also carrying five certificate parameters during above-mentioned application obtains private key authorization response
Second ciphertext obtains request and also carries the 6th certificate parameter input by user.Correct in terminal user's input, this
Six certificate parameters should be identical with above-mentioned 5th certificate parameter.
In one embodiment, the feelings of the 4th cipher generating parameter are also carried in above-mentioned application obtains private key authorization response
Under condition, which, which obtains, also carries client according to the 4th cipher generating parameter and CUSTOMER ID life in request
Into the 4th client key.
The mode that client generates the 4th client key according to the 4th cipher generating parameter and CUSTOMER ID is unlimited, example
The 4th client key such as can be generated with cipher key derivation function KDF, hash function.In a specific example, client
End generates the 4th client private key according to the 4th cipher generating parameter and CUSTOMER ID, and according to the 4th client
Private key derives the 4th client public key.At this point, the 4th client key includes the 4th client public key.
Step S333:The second ciphertext is returned to the client and obtains response, and the second ciphertext is obtained in response and carried from depositing
The second ciphertext extracted in the private key ciphertext mandate encrypted result of storage.
In one embodiment, it may be used any possible mode is determined based on private key ciphertext mandate encrypted result
Two ciphertexts can be that the mandate of private key ciphertext is encrypted for being based on SM2 cipher modes and obtain private key ciphertext mandate encrypted result
As a result C1, C2 and C3 are split as according to SM2 ciphertext forms, and using C1 as second ciphertext.
Step S334:The second ciphertext decryption response that the client returns is received, the second ciphertext decryption response is taken
With the second decrypted result that second ciphertext is decrypted in the client, and based on second decrypted result
After decrypting private key ciphertext, Authorization result is obtained.
The present embodiment does not limit for the mode that specifically the second ciphertext is decrypted.It is decrypted and responded based on second ciphertext
Carry the second decrypted result, it is whether correct that server-side can analyze second decrypted result, so as to fulfill client and server-side
The application process for cooperating to complete the trustship private key mandate.
Wherein, it is responded in the authorized application of trustship private key and carries the 4th cipher generating parameter, the second ciphertext obtains request and carries
In the case of 4th client key, after private key ciphertext is decrypted based on the second decrypted result, step can also be included:
Private key ciphertext is encrypted according to the 4th client key, obtains the 4th private key ciphertext encrypted result;It should
Private key ciphertext can be the private key ciphertext that private key ciphertext mandate encrypted result is decrypted.
By the 4th cipher generating parameter and the 4th private key ciphertext decrypted result associated storage.
Here the associated storage to the 4th cipher generating parameter, the 4th private key ciphertext decrypted result can be to service
The update of end stored private key ciphertext encrypted result and its corresponding cipher generating parameter.So that it is guaranteed that there is new user
After being authorized, the participation of the server-side always user based on terminal generates new private key ciphertext encrypted result, it is ensured that server-side
Used private key ciphertext encrypted result is all different after being handled every time, prevents server-side backstage personnel from retaining private key ciphertext
Pretend to be user's signature, so as to further improve the safety of security processing.
Fig. 4 shows the flow diagram of the security processing method based on private key escrow of another embodiment, the reality
Applying example is illustrated by taking the processing procedure of terminal as an example, as shown in figure 4, the method in the embodiment includes step S401 to step
Rapid S405.
Step S401:Server-side is received to forward in the mechanism trustship private key authorization requests for receiving the transmission of the first client
Mechanism private key authorization requests information.
Step S402:Second processing request is sent to the server-side based on the mechanism private key authorization requests information, and
The second processing response that the server-side is returned based on second processing request is received, the second processing response carries second
Cipher generating parameter and third cipher generating parameter.Second processing response in one specific example also carries third verification ginseng
Number.
Step S403:Second client key is generated according to second cipher generating parameter and CUSTOMER ID, according to
The third cipher generating parameter and CUSTOMER ID generation third client key, and send first to the server-side
Ciphertext obtains request, and first ciphertext obtains request and carries the third client key.
In one specific example, in the case where second processing responds and carries third certificate parameter, sent to server-side
Before first ciphertext obtains request, step is further included:Obtain the 4th certificate parameter input by user.The first ciphertext, which obtains, at this time asks
It asks and also carries the 4th certificate parameter.
Step S404:It receives the first ciphertext that the server-side returns and obtains response, first ciphertext obtains response and takes
The first ciphertext that band is determined based on the second private key ciphertext encrypted result of storage.
Step S405:The first ciphertext is decrypted according to the second client key, obtains the first decrypted result, and to clothes
End the first ciphertext of transmission of being engaged in decrypts response, the first ciphertext decryption response the first decrypted result of carrying.
Other technical characteristics in the present embodiment can be identical with the technical characteristic in embodiment as described above.
Fig. 5 shows the flow diagram of the security processing method based on private key escrow of another embodiment, the reality
Applying example is illustrated by taking the processing procedure of server-side as an example, as shown in figure 5, the method in the embodiment includes step S501 extremely
Step S505.
Step S501:When receiving mechanism trustship private key authorization requests, to client forwarding mechanism private key authorization requests
Information.
Step S502:The second processing request that client is sent is received, is asked to return to the to client according to second processing
Two processing responses, second processing response carry the second cipher generating parameter, third cipher generating parameter.
Step S503:It receives the first ciphertext that the client is sent and obtains request, first ciphertext obtains request and takes
The third client key generated with the client based on the third cipher generating parameter and CUSTOMER ID.
Step S504:The first ciphertext is returned to the client and obtains response, and first ciphertext obtains response and carries base
In the first ciphertext that the second private key ciphertext encrypted result of storage determines.
Step S505:The first ciphertext decryption response that client returns is received, the first ciphertext decryption response carries institute
The first decrypted result that first ciphertext is decrypted in client is stated, and private is being decrypted based on the first decrypted result
After key ciphertext, based on treating that private key ciphertext is encrypted in authorized user's public key, private key ciphertext mandate encrypted result is obtained, and according to
The private key ciphertext is encrypted in the third client key, obtains third private key ciphertext encrypted result;By the third
Cipher generating parameter and the third private key ciphertext decrypted result associated storage.The private key ciphertext can be to the second private key ciphertext
The private key ciphertext that encrypted result is decrypted.
Other technical characteristics in the present embodiment can be identical with the technical characteristic in embodiment as described above.
Fig. 6 shows the flow diagram of the security processing method based on private key escrow of another embodiment, the reality
Applying example is illustrated by taking the processing procedure of terminal as an example, as shown in fig. 6, the method in the embodiment includes step S601 to step
Rapid S604.
Step S601:Application is sent to server-side and obtains private key authorization requests, and the application for receiving server-side return obtains
Private key authorization response, the application obtain private key authorization response and also carry the 4th cipher generating parameter.
Step S602:4th client key is generated according to four cipher generating parameters and CUSTOMER ID, and to service
End sends the second ciphertext and obtains request, and the second ciphertext obtains request and also carries the 4th client key.
Step S603:It receives the second ciphertext that the server-side returns and obtains response, the second ciphertext obtains to be carried in response
The second ciphertext extracted from the private key ciphertext mandate encrypted result of storage.
Step S604:Second ciphertext is decrypted, obtains the second decrypted result, and the is sent to the server-side
The decryption response of two ciphertexts, the second ciphertext decryption response carry second decrypted result.
Other technical characteristics in the present embodiment can be identical with the technical characteristic in embodiment as described above.
Fig. 7 shows the flow diagram of the security processing method based on private key escrow of another embodiment, the reality
Applying example is illustrated by taking the processing procedure of server-side as an example, as shown in fig. 7, the method in the embodiment includes step S701 extremely
Step S704.
Step S701:It receives the application that client is sent and obtains private key authorization requests, returning to application to the client obtains
Private key authorization response is taken, the application obtains private key authorization response and carries the 4th cipher generating parameter.
Step S702:Receive the second ciphertext acquisition that the client obtains the transmission of private key authorization response according to the application
Request, second ciphertext obtain request and carry the client according to the 4th cipher generating parameter and CUSTOMER ID
4th client key of generation.
Step S703:The second ciphertext is returned to the client and obtains response, and second ciphertext obtains to be carried in response
The second ciphertext extracted from the private key ciphertext mandate encrypted result of storage.
Step S704:The second ciphertext decryption response that client returns is received, the decryption response of the second ciphertext carries client
To the second decrypted result that the second ciphertext is decrypted, and after private key ciphertext is decrypted based on the second decrypted result, obtain
Authorization result is obtained, and private key ciphertext is encrypted according to the 4th client key, obtains the 4th private key ciphertext encryption knot
Fruit;By the 4th cipher generating parameter and the 4th private key ciphertext decrypted result associated storage.The private key ciphertext can be
The private key ciphertext that private key ciphertext mandate encrypted result is decrypted.
Other technical characteristics in the present embodiment can be identical with the technical characteristic in embodiment as described above.
As described above, embodiments herein by the signature private key trustship of organization user in server-side, need digital label
Data to be signed are sent to server-side during name, by signature value is returned to user after server-side completion digital signature, so as to real
Existing digital signature.And often carry out once signed operation, all private key ciphertext of re-encrypted, it is ensured that the only participation of user,
It could complete signature.
The embodiment of the present application scheme includes two processes during the realization of specific technology:Mechanism trustship private key application
With mechanism trustship private key signature.In the case where legal representative of enterprises can authorize other users to be signed, can also include
Four processes:Mechanism trustship private key application, mechanism trustship private key mandate, mechanism trustship private key is authorized and mechanism trustship private key
Signature.Wherein, the application of mechanism trustship private key is initiated by the handler of mechanism, confirms generation by legal representative of enterprises.If there is it
His user is needed using structure private key, can be initiated mechanism trustship private key mandate by the user, be confirmed by legal representative of enterprises and authorized,
Authorized user is authorized.After the authorized user is authorized, legal representative of enterprises and authorized user are executable
Mechanism trustship private key signature.
It is to be awarded comprising mechanism trustship private key application, mechanism trustship private key for purposes of illustration only, in following exemplary explanations
Power, mechanism trustship private key authorized and mechanism trustship private key signature this Four processes for illustrate.With reference to 8 to 11 institute of figure
Show, for ease of description, illustrated by taking following setting conditions as an example in following examples:Three clients 1,2,3, visitor
Mechanism trustship private key application, the trustship private key mandate of user application organization are submitted for handler and using mechanism trustship private in family end 1
Key sign, client 2 for the trustship private key application of legal representative's confirming mechanism and authorize other users using mechanism trustship private key,
And the trustship private key mandate of other users (authorized user) obtaining means, wherein, client 1 can be that webpage or APP are applied,
Client 2 can be APP applications, have the function of key generation (such as SM2 keys generate), operation and certificate request.It is appreciated that
It, can be different to the setting of client in other technical implementation way.
With reference to shown in Fig. 8 to 11, the server-side in the example is interacted with client 1, client 2 and cipher machine, realizes machine
Private key ciphertext is licensed in the preservation and management of structure private key, binding and user of the implementation mechanism user with private key ciphertext.And
Cipher machine is to generate encrypted private key ciphertext and export, import encrypted private key ciphertext and sign, and cipher machine is only
It can communicate with server-side.
Based on setting as described above, illustrated in greater detail is carried out below in conjunction with specific example.In those specific examples, enterprise
The legal representative of industry and the user (authorized user) of obtaining means trustship private key mandate first pass through it and use client (such as visitor
Family end 2) a pair of secret keys is generated to (such as SM2 key pairs), and applies for corresponding user certificate (such as SM2 certificates).
Fig. 8 be in a specific example based on private key escrow security processing interaction flow schematic diagram, the friendship
Mutual flow is illustrated by taking the process of mechanism trustship private key application as an example.
As shown in figure 8, during a specific mechanism trustship private key application, terminal that handler is used by it
After opening client 1, mechanism private key escrow instruction, client 1 are sent out by clicking associated button, control in client 1 etc.
After receiving the mechanism private key escrow instruction, asked to server-side transmitting mechanism private key escrow.In the mechanism private key escrow request
Mechanism private key application information can be carried, which can include the relevant information of mechanism (such as enterprise)
(such as mechanism ID), can also include the relevant information of handler, not to the specific of mechanism private key application information in the present embodiment
Type and content are defined.
After server-side receives the mechanism private key escrow request, to mechanism private key application information or mechanism private key application information
In the relevant information that includes stored, such as the relevant information of storing mechanism and related family's information of handler.Then, it takes
End group be engaged in the relevant information (such as mechanism ID) of mechanism, can have with the legal representative of obtaining means or to mechanism private key escrow
The account of personnel's (illustrating to simplify, following each embodiments are illustrated by taking legal representative as an example) of highest authorization decision, and
By the mechanism, private key application information is forwarded to the corresponding client 2 of account of legal representative.
For client 2 after the mechanism private key application information for receiving server-side return, sending the first processing to server-side please
It asks, relevant cipher generating parameter is obtained with request.It is appreciated that in the processing procedure corresponding to the Fig. 8, by the method for mechanism
The relevant treatment that people represents or there are the personnel of highest authorization decision to participate in the client 2 to mechanism private key escrow.
After server-side receives the first processing request, the first certificate parameter ry1 and first key generation parameter are generated
Rm1, the first certificate parameter ry1 and first key generation parameter rm1 may each be random number.Then the is returned to client 2
One processing response carries the first certificate parameter ry1 and first key generation parameter rm1 in the first processing response.
After client 2 receives the first processing response, the first certificate parameter ry1 can be shown, and prompt user defeated
Enter certificate parameter ry1 and CUSTOMER ID (PIN code).(legal representative has mechanism private key escrow to the user of client 2
The personnel of highest authorization decision) prompting input validation parameter ry1 and PIN code can be based on.User is based on prompting in this example
The certificate parameter of input is referred to as the second certificate parameter ry1 '.
Then, client 2 is based on first key generation parameter rm1 and PIN code, calculates the first client key.One
Following manner progress may be used in specific example, be primarily based on first key generation parameter rm1 and PIN code calculates the first visitor
Family end private key d1:d1=f1 (PIN, rm1), wherein, function f1 () can be it is any can be used to generation key function, such as key
Derivation function KDF, hash function etc..It is then based on first client private key d1Derive the first client public key P1=[d1]
G, wherein, basic points of the G for SM2 elliptic curves, (d1,P1) it is a pair of SM2 key pairs, for Sealing mechanism private key ciphertext.One tool
It can be by first client public key P in body example1Server-side is sent to as the first client key.
Then, client 2 utilizes legal representative's private key to mechanism private key application information, the second certificate parameter input by user
Ry1 ', the first client key P1It signs, obtains signature value s, and the first confirmation message is sent to server-side, this is first really
Recognizing in information can carry:Authorized user's certificate (such as certificate of legal representative or enterprise highest administration people), the second certificate parameter
Ry1 ', the first client key P1And signature value s.
After server-side receives the first confirmation message of the transmission of client 2, what is first carried in the first confirmation message second tests
Whether card parameter ry1 ' and the first certificate parameter ry1 being locally stored are consistent, if it is inconsistent, error result is returned, if
It is consistent then continue to execute subsequent step.
Whether server-side is effective using authorized user's certificate (such as legal representative's certificate) verification signature value s, if in vain,
Error result is returned, otherwise obtains private key ciphertext.Can be specifically to send private key ciphertext to cipher machine to obtain request, and receive close
The private key ciphertext D that ink recorder returns.
After obtaining private key ciphertext D, server-side utilizes the first client key P1Encryption key ciphertext D, obtains the first private key
Ciphertext encrypted result H1, Encryption Algorithm can be any possible algorithm, such as SM2 Encryption Algorithm.Then server-side is close by first
Key generation parameter rm1, authorized user's certificate (such as legal representative's certificate), signature value s and the first private key ciphertext encrypted result H1
It is stored.Then operating result is returned to client 1 and client 2, which can be successfully made mechanism private
The notification information of key trustship.
It is above-mentioned successfully by mechanism private key escrow to server-side after, the legal representative of mechanism can also further authorize other
User uses the private key in server-side trustship, and therefore, the legal representative of mechanism can be authorized by client 2 to server-side, then
Other are needed to authorize using the user of the private key by server-side.
Fig. 9 be in a specific example based on private key escrow security processing interaction flow schematic diagram, the friendship
Mutual flow is illustrated by taking the process of mechanism trustship private key mandate as an example.
As shown in figure 9, during a specific mechanism trustship private key mandate, authorized user, business entity, warp are treated
It does after the terminal that the users such as people or other users are used by it opens client 1, is pressed by clicking the correlation in client 1
Button, control etc. send out mechanism trustship private key authorized order, client 1 after the mechanism trustship private key authorized order is received, to
Server-side transmitting mechanism trustship private key authorization requests.Private key authorized application letter can be carried in the mechanism trustship private key authorization requests
Breath, the private key authorized application information can include the relevant information (such as mechanism ID) of mechanism (such as enterprise), can also include
Treat authorized user's certificate (legal representative's certificate), in the present embodiment not the concrete type to private key authorized application information and content into
Row limits.
After server-side receives the mechanism trustship private key authorization requests, to private key authorized application information or private key authorized application
The relevant information included in information is stored, as authorized user's certificate is treated in storage.Then, related letter of the server-side based on mechanism
It ceases (such as mechanism ID), can be with the account of the legal representative of obtaining means, and the mechanism trustship private key authorization requests are forwarded to method
The corresponding client 2 of account that people represents.
After client 2 receives the mechanism trustship private key authorization requests, second processing request is sent to server-side, with request
Obtain relevant cipher generating parameter.It is appreciated that in the processing procedure corresponding to the Fig. 9, joined by the legal representative of mechanism
With the relevant treatment of the client 2.
After server-side receives second processing request, the second cipher generating parameter rm2 is read from storage device.Its
In, second cipher generating parameter rm2 uses the key of rear newest storage for mechanism trustship private key generation, mandate, legal representative
Generate parameter.Assuming that the processes such as said mechanism trustship private key is not carried out any mandate after generating, legal representative uses, do not have yet
It is that the cipher generating parameter of storage is updated using others, then second cipher generating parameter rm2 should be above-mentioned
The first key generation parameter rm1 of storage.
In addition, server-side also generates third certificate parameter ry2 and third cipher generating parameter rm3, the third certificate parameter
Ry2 and third cipher generating parameter rm3 may each be random number.Then second processing response is returned to client 2, this is at first
Third certificate parameter ry2, the second cipher generating parameter rm2 and third cipher generating parameter rm3 are carried in reason response.
After client 2 receives second processing response, third certificate parameter ry2 can be shown, and prompt user defeated
Enter certificate parameter ry2 and CUSTOMER ID (PIN code).The user (such as legal representative) of client 2 can be based on prompting input and test
Demonstrate,prove parameter ry2 and PIN code.Certificate parameter of the user based on prompting input is referred to as the 4th certificate parameter ry2 ' in this example.
Then, client 2 is based on the second cipher generating parameter rm2 and PIN code, calculates the second client key.One
Following manner progress may be used in specific example, the second client is calculated based on the second cipher generating parameter rm2 and PIN code
Private key d2:d2=f1 (PIN, rm2), wherein, function f1 () can be it is any can be used to generation key function, such as key derivation
Function KDF, hash function etc..
On the other hand, it is close to calculate third client also based on third cipher generating parameter rm3 and PIN code for client 2
Key.Following manner progress may be used in one specific example, the is calculated based on third cipher generating parameter rm3 and PIN code
Three client private key d3:d3=f1 (PIN, rm3), wherein, function f1 () can be any function that can be used to generation key, such as
Cipher key derivation function KDF, hash function etc..It is then based on third client private key d3Derive third client public key P3=
[d3] G, wherein, basic points of the G for SM2 elliptic curves, (d3,P3) it is a pair of SM2 key pairs, for Sealing mechanism private key ciphertext.One
It can be by third client public key P in a specific example3Server-side is sent to as third client key.
Then, client 2 generates the 4th certificate parameter ry2 ' input by user, third key using legal representative's private key
Parameter rm3, third client key P3, treat that authorized user's certificate is signed, obtain signature value s, and the is sent to server-side
One ciphertext obtains request, and the first ciphertext obtains to be carried in request:4th certificate parameter ry2 ' input by user, the generation of third key
Parameter rm3, third client key P3And signature value s.
After server-side receives the first ciphertext acquisition request of the transmission of client 2, first verify that the first ciphertext is obtained in request
Whether the 4th certificate parameter ry2 ' carried and the third certificate parameter ry2 being locally stored are consistent, if it is inconsistent, returning wrong
Accidentally as a result, continuing to execute subsequent step if consistent.
Whether server-side reads legal representative's certificate from storage device, effective using legal representative's certification authentication signature value s,
If invalid, error result is returned, the second private key ciphertext encrypted result H of storage is otherwise read from storage device2.This second
Private key ciphertext encrypted result H2Added for mechanism trustship private key generation, mandate, legal representative using the private key ciphertext of rear newest storage
Close result.Assuming that the processes such as said mechanism trustship private key is not carried out any mandate after generating, legal representative uses, do not have yet
That the cipher generating parameter of storage is updated using others, then the second private key ciphertext encrypted result H2Should be above-mentioned
First private key ciphertext encrypted result H of storage1。
It, can be private by second according to SM2 ciphertexts form for being encrypted to obtain the private key ciphertext encrypted result using SM2
Key ciphertext encrypted result H2Split into C1、C2And C3, and return to the first ciphertext to client 2 and obtain response, which obtains
The first ciphertext C is carried in response1。
After client 2 receives first ciphertext acquisition response, using the second client private key d of above-mentioned generation2:d2=
First ciphertext is decrypted in f1 (PIN, r2), obtains the first decrypted result (x2,y2)=[d2]C1, then returned to server-side
The decryption response of first ciphertext, first ciphertext decryption response carry the first decrypted result x2||y2。
Server-side receives the first ciphertext decryption response of the return of client 2, first verifies in first ciphertext decryption response
The first decrypted result correctness, following manner progress can be used in this in a specific example:Calculate t2=KDF (x2||y2),
D=C2⊕t2, u=SM3 (x2||D||y2), D is the mechanism trustship private key ciphertext after decryption, then verifies u and C3It is whether consistent,
If it is inconsistent, returning to error result, subsequent step is unanimously then continued to execute.
Server-side (can be the public key read from certificate or prestored using the public key for treating authorized user
Other public keys) encryption the second private key ciphertext encrypted result H2Corresponding private key ciphertext D obtains private key ciphertext mandate encrypted result
H0, SM2 may be used in Encryption Algorithm.
In addition, server-side also utilizes third client key P3Encryption key ciphertext D, obtains the encryption of third private key ciphertext
As a result H3, SM2 may be used in Encryption Algorithm.
Conveniently, server-side storage third cipher generating parameter rm3, signature value s, private key ciphertext mandate encrypted result H0,
Three private key ciphertext encrypted result H3;And server-side no longer stores above-mentioned second cipher generating parameter rm2 and the second private key ciphertext adds
Close result H2.Then operating result is returned to client 1 and client 2, can is specifically the mechanism private key mandate successfully carried out
Result.
After above-mentioned legal representative successfully carries out mechanism trustship private key mandate, the other users of mechanism then can be from server-side
It is authorized, signature process is also able to carry out with the structure private key that can use trustship.
Figure 10 is the interaction flow schematic diagram of the processing of the security based on private key escrow in another specific example, should
Interaction flow is illustrated so that mechanism trustship private key obtains the process authorized as an example.
As shown in Figure 10, it during a specific mechanism trustship private key is authorized, needs to obtain treating for mandate
After authorized user opens client 2 by the terminal that it is used, sent out by clicking associated button, control in client 2 etc.
Application obtains private key authorized order, and client 2 sends to server-side and applies after receiving this application and obtaining private key authorized order
Obtain private key authorization requests.This application, which is obtained in private key authorization requests, can carry the relevant information for treating authorized user.
After server-side receives this application acquisition private key authorization requests, the 5th certificate parameter ry3 and the generation of the 4th key are generated
Parameter rm4, the 5th certificate parameter ry3 and the 4th cipher generating parameter rm4 may each be random number.Then it is returned to client 2
It returns application and obtains private key authorization response, it is close to carry the 5th certificate parameter ry3 and the 4th in this application acquisition private key authorization response
Key generation parameter rm4.
After client 2 receives application acquisition private key authorization response, the 5th certificate parameter ry3 can be shown, and carries
Show user input validation parameter ry3 and CUSTOMER ID (PIN code).Client 2 treats that authorized user can be based on the prompting and input
Certificate parameter ry3 and PIN code.Certificate parameter of the user based on prompting input is referred to as the 6th certificate parameter in this example
ry3′。
Then, client 2 is based on the 4th cipher generating parameter rm4 and PIN code, calculates the 4th client key.One
Following manner progress may be used in specific example, the 4th client is calculated based on the 4th cipher generating parameter rm4 and PIN code
Private key d4:d4=f1 (PIN, rm4), wherein, function f1 () can be it is any can be used to generation key function, such as key derivation
Function KDF, hash function etc..It is then based on the 4th client private key d4Derive the 4th client public key P4=[d4] G,
In, basic points of the G for SM2 elliptic curves, (d4,P4) it is a pair of SM2 key pairs, for Sealing mechanism private key ciphertext.One is specifically shown
It can be by the 4th client public key P in example4Server-side is sent to as the 4th client key.
Then, client 2 sends the second ciphertext to server-side and obtains request, which obtains in request and carry user
The 6th certificate parameter ry3 ' and the 4th client key P of input4。
After server-side receives the second ciphertext acquisition request of the transmission of client 2, first verify that the second ciphertext is obtained in request
Whether the 6th certificate parameter ry3 ' carried and the 5th certificate parameter ry3 being locally stored are consistent, if it is inconsistent, returning wrong
Accidentally as a result, continuing to execute subsequent step if consistent.
Server-side reads the private key ciphertext mandate encrypted result H of storage from storage device0, to be encrypted using SM2
To private key ciphertext mandate encrypted result H0For, it can be according to SM2 ciphertexts form by private key ciphertext mandate encrypted result H0It splits into
C1、C2And C3, and return to the second ciphertext to client 2 and obtain response, which obtains in response and carries the second ciphertext C1。
After client 2 receives second ciphertext acquisition response, the private key K for treating authorized user is utilized1, to the second ciphertext C1
It is decrypted, obtains the second decrypted result (x2,y2)=[K1]C1.Wherein, private key K1With being carried out in mechanism trustship private key mandate
In it is encrypted treat authorized user public key correspond to.Then the decryption response of the second ciphertext, second ciphertext decryption are returned to server-side
Response carries the second decrypted result x2||y2。
Server-side receives the second ciphertext decryption response of the return of client 2, first verifies in second ciphertext decryption response
The second decrypted result correctness, following manner progress can be used in this in a specific example:Calculate t2=KDF (x2||y2),
D=C2⊕t2, u=SM3 (x2||D||y2), D is the mechanism trustship private key ciphertext after decryption, then verifies u and C3It is whether consistent,
If it is inconsistent, returning to error result, subsequent step is unanimously then continued to execute;
Server-side also utilizes the 4th client key P4Encryption key ciphertext D obtains the 4th private key ciphertext encrypted result H4,
SM2 may be used in Encryption Algorithm.Then, server-side stores the 4th cipher generating parameter rm4 and the 4th private key ciphertext encryption knot
Fruit H4;And server-side no longer store before private key ciphertext encrypted result and corresponding cipher generating parameter (such as above-mentioned second is close
Key generates parameter rm2 and the second private key ciphertext encrypted result H2).Then operating result is returned to client 2, can be specifically into
The result that work(is authorized.
Based on application scheme, the legal representative of structure and the user (authorized user) for obtaining mandate may be used
The mechanism private key of server-side trustship is signed.Figure 11 shows the number peace based on private key escrow in another specific example
The interaction flow schematic diagram handled entirely, the interaction flow are illustrated by taking signature process as an example.
With reference to shown in Figure 11, during the specific digital signature during, need what is be digitally signed
After user (legal representative or authorized user of mechanism) opens client 1 by the terminal that it is used, by clicking client
Associated button, control on end 1 etc. send out signature command.Client 1 sends to server-side and signs after the signature command is received
Name request.The data to be signed signed can be carried in the signature request.
After server-side receives the signature request, the 5th cipher generating parameter rm5 is read from storage device (if user is enterprise
Industry legal person, rm5 are mechanism trustship private key generation, authorize, in signature process, and legal representative is generated using the key of rear newest storage
Parameter;If user is authorized user, rm5 is obtained for mechanism trustship private key to be authorized, in signature process, after authorized user's use
The cipher generating parameter of newest storage), and generate the 7th certificate parameter ry4 and the 6th cipher generating parameter rm6.Then to clothes
Business end returns to signature response, and it is close to carry the 7th certificate parameter ry4, the 5th cipher generating parameter rm5 and the 6th in the signature response
Key generation parameter rm6.
After client 1 receives second processing response, the 7th certificate parameter ry4 can be shown, and prompt user defeated
Enter certificate parameter ry4 and CUSTOMER ID (PIN code).The user (legal representative or authorized user) of client 1 can be based on should
Prompt input validation parameter ry4 and PIN code.Certificate parameter of the user based on prompting input is referred to as the 8th verification in this example
Parameter ry4 '.
Then, client 2 is based on the 5th cipher generating parameter rm5 and PIN code, calculates the 5th client key.One
Following manner progress may be used in specific example, the 5th client is calculated based on the 5th cipher generating parameter rm5 and PIN code
Private key d5:d5=f1 (PIN, rm5), wherein, function f1 () can be it is any can be used to generation key function, such as key derivation
Function KDF, hash function etc..
On the other hand, it is close to calculate the 6th client also based on the 6th cipher generating parameter rm6 and PIN code for client 2
Key.Following manner progress may be used in one specific example, the is calculated based on the 6th cipher generating parameter rm6 and PIN code
Six client private key d6:d6=f1 (PIN, rm6), wherein, function f1 () can be any function that can be used to generation key, such as
Cipher key derivation function KDF, hash function etc..It is then based on the 6th client private key d6Derive the 6th client public key P6=
[d6] G, wherein, basic points of the G for SM2 elliptic curves, (d6,P6) it is a pair of SM2 key pairs, for Sealing mechanism private key ciphertext.One
It can be by the 6th client public key P in a specific example6Server-side is sent to as the 6th client key.
Then, client 1 sends third ciphertext to server-side and obtains request, and third ciphertext obtains to be carried in request:User
The 8th certificate parameter ry4 ', the 6th client key P of input6, in the case where there is signature, signature value s can also be carried.
After server-side receives the third ciphertext acquisition request of the transmission of client 1, first verify that third ciphertext is obtained in request
Whether the 8th certificate parameter ry4 ' carried and the 7th certificate parameter ry4 being locally stored are consistent, if it is inconsistent, returning wrong
Accidentally as a result, continuing to execute subsequent step if consistent.
Server-side reads the 5th private key ciphertext encrypted result H of storage from storage device5If (user be business entity, H5For
Mechanism trustship private key generation authorizes, in signature process, and legal representative uses the private key ciphertext encrypted result of rear newest storage;If
User is authorized user, H5It obtains and authorizes, in signature process for mechanism trustship private key, authorized user uses rear newest storage
Private key ciphertext encrypted result).It, can be according to SM2 ciphertexts for being encrypted to obtain the private key ciphertext encrypted result using SM2
Form is by the 5th private key ciphertext encrypted result H5Split into C1、C2And C3, and return to third ciphertext to client 2 and obtain response, it should
Third ciphertext, which obtains, carries third ciphertext C in response1。
After client 1 receives third ciphertext acquisition response, using the 5th client private key d of above-mentioned generation5:d5=
The third ciphertext is decrypted in f1 (PIN, rm5), obtains third decrypted result (x2,y2)=[d5]C1, then returned to server-side
The decryption response of third ciphertext is returned, first ciphertext decryption response carries third decrypted result x2||y2。
Server-side receives the third ciphertext decryption response of the return of client 1, can first verify third ciphertext decryption response
In third decrypted result correctness, following manner progress can be used in this in a specific example:Calculate t2=KDF (x2||
y2),U=SM3 (x2||D||y2), D is the mechanism trustship private key ciphertext after decryption, then verifies u and C3It is
It is no consistent, if it is inconsistent, returning to error result, unanimously then continue to execute subsequent step.
Private key ciphertext D of the server-side end group after decryption signs to data to be signed, obtains digital signature result.One
Can signature process be completed with combining cipher machine in a specific example, can be specifically:Server-side sends to be signed to cipher machine
Data and private key ciphertext D sign to data to be signed using private key ciphertext D by cipher machine, obtain digital signature result,
And return to server-side.Server-side is voluntarily calculated digital signature result or obtains the digital signature result that cipher machine returns
Afterwards, which can be returned to client 1, so as to complete digital signature procedure.
Server-side also utilizes the 6th client key P6Encryption key ciphertext D obtains the 6th private key ciphertext encrypted result H6,
SM2 may be used in Encryption Algorithm.Then, server-side stores the 6th cipher generating parameter rm6, the 6th private key ciphertext encrypted result
H6;And server-side no longer store before private key ciphertext encrypted result and corresponding cipher generating parameter (such as above-mentioned 5th key
Generate parameter r5 and the 5th private key ciphertext encrypted result H5)。
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment packet
The computer program that includes memory, processor and storage on a memory and can run on a processor, wherein, processor performs
It is realized during described program such as the method for any one embodiment in the various embodiments described above.
Computer equipment in one embodiment can be terminal or server-side in Fig. 1, which includes
Processor, memory, network interface and the input unit connected by system bus.Wherein, memory includes non-volatile deposit
Storage media and built-in storage.The non-volatile memory medium of the computer equipment is stored with operating system, can also be stored with calculating
Machine program when the computer program is executed by processor, may be such that processor realizes the security processing based on private key escrow
Method.Also computer program can be stored in the built-in storage, when which is executed by processor, may be such that processor
Perform the security processing method based on private key escrow.It will be understood by those skilled in the art that structure described herein, only
Only it is the block diagram with the relevant part-structure of application scheme, does not form the computer being applied thereon to application scheme
The restriction of equipment, specific computer equipment can include portions more certain than components more or fewer shown in figure or combination
Part is arranged with different components.
One of ordinary skill in the art will appreciate that realizing all or part of flow in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, it is non-volatile computer-readable that the program can be stored in one
It takes in storage medium, in the embodiment of the present application, which can be stored in the storage medium of computer system, and be calculated by this
At least one of machine system processor performs, to realize the flow for including the embodiment such as above-mentioned each method.Wherein, it is described
Storage medium can be magnetic disc, CD, read-only memory (Read-Only Memory, ROM) or random access memory
(Random Access Memory, RAM) etc..
Accordingly, a kind of storage medium is also provided in one embodiment, is stored thereon with computer program, wherein, the journey
It is realized when sequence is executed by processor such as the security based on private key escrow of any one embodiment in the various embodiments described above
Processing method.
Each technical characteristic of embodiment described above can be combined arbitrarily, to make description succinct, not to above-mentioned reality
It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, it is all considered to be the range of this specification record.
Embodiment described above only expresses the several embodiments of the present invention, and description is more specific and detailed, but simultaneously
It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that for those of ordinary skills,
Under the premise of not departing from present inventive concept, various modifications and improvements can be made, these belong to protection scope of the present invention.
Therefore, the protection domain of patent of the present invention should be determined by the appended claims.
Claims (26)
1. a kind of security processing method based on private key escrow, including step:
Signature request is sent to server-side;
The signature response that the server-side returns is received, the signature response carries the 5th cipher generating parameter and the life of the 6th key
Into parameter;
5th client key is generated according to the 5th cipher generating parameter and CUSTOMER ID, is given birth to according to the 6th key
The 6th client key is generated, and send the acquisition of third ciphertext to the server-side and ask into parameter and the CUSTOMER ID
It asks, the third ciphertext obtains request and carries the 6th client key;
It receives the third ciphertext that the server-side returns and obtains response, the third ciphertext obtains response and carries from the 5th of storage
The third ciphertext extracted in private key ciphertext encrypted result;
The third ciphertext is decrypted and obtains third decrypted result, and sends the decryption of third ciphertext to the server-side and rings
Should, the third ciphertext decryption response carries the third decrypted result.
2. according to the method described in claim 1, it is characterized in that, the signature response also carries the 7th certificate parameter;
Before sending the decryption response of third ciphertext to the server-side, step is further included:Obtain the 8th verification ginseng input by user
Number;
The third ciphertext decryption response also carries the 8th certificate parameter.
3. method according to claim 1 or 2, which is characterized in that before signature request is sent to server-side, further include
Step:
Receive the mechanism private key letter of application that server-side is forwarded in the mechanism private key escrow request for receiving the transmission of the first client
Breath;
The first processing request is sent to the server-side, and receives the server-side is returned based on the described first processing request the
One processing response, the first processing response carry first key generation parameter;
Parameter is generated according to the first key and CUSTOMER ID generates the first client key, and is sent to the server-side
First confirmation message, first confirmation message carry first client key.
4. according to the method described in claim 3, it is characterised in that it includes in following three at least one of:
First item:Before the first confirmation message is sent to the server-side, step is further included:To first confirmation message into
Row signature;
Section 2:First confirmation message also carries client digital certificate;
Section 3:The first processing response also carries the first certificate parameter;The first confirmation message is being sent to the server-side
Before, step is further included:Obtain the CUSTOMER ID and the second certificate parameter input by user;First confirmation message
Also carry second certificate parameter.
5. method according to claim 1 or 2, which is characterized in that before signature request is sent to server-side, further include
Step:
The mechanism private key that server-side is forwarded in the mechanism trustship private key authorization requests for receiving the transmission of the first client is received to award
Weigh solicited message;
Second processing request is sent, and receive the server-side to the server-side based on the mechanism private key authorization requests information
Based on the second processing response that second processing request returns, the second processing response carries the second cipher generating parameter;
Second client key is generated, and send to the server-side according to second cipher generating parameter and CUSTOMER ID
First ciphertext obtains request;
Receive the first ciphertext that the server-side returns and obtain response, first ciphertext obtain response carry based on storage the
The first ciphertext that two private key ciphertext encrypted results determine;
First ciphertext is decrypted according to second client key, obtains the first decrypted result, and to the clothes
End the first ciphertext of transmission of being engaged in decrypts response, the first ciphertext decryption response carrying first decrypted result.
6. according to the method described in claim 5, it is characterised in that it includes it is following it is every at least one of:
First item:The second processing response also carries third cipher generating parameter;The first ciphertext is being sent to the server-side
Before obtaining request, step is further included:According to third cipher generating parameter and CUSTOMER ID generation third client key;Institute
It states the acquisition request of the first ciphertext and also carries the third client key;
Section 2:The second processing response also carries third certificate parameter;It is obtained sending the first ciphertext to the server-side
Before request, step is further included:Obtain the CUSTOMER ID and the 4th certificate parameter input by user;First ciphertext
It obtains request and also carries the 4th certificate parameter;
Section 3:The second processing response, which also carries, treats authorized user's certificate;It is obtained sending the first ciphertext to the server-side
Before taking request, step is further included:Request is obtained to first ciphertext to sign.
7. method according to claim 1 or 2, which is characterized in that before signature request is sent to server-side, further include
Step:
Application is sent to server-side and obtains private key authorization requests, and the application for receiving server-side return obtains private key authorization response;
Private key authorization response is obtained according to the application and sends the acquisition request of the second ciphertext to the server-side;
The second ciphertext for receiving the server-side return obtains response, and the private key that the second ciphertext obtains carrying from storage in response is close
Text authorizes the second ciphertext extracted in encrypted result;
Second ciphertext is decrypted, obtains the second decrypted result, and send the decryption of the second ciphertext to the server-side and ring
Should, the second ciphertext decryption response carries second decrypted result.
8. the method according to the description of claim 7 is characterized in that at least one in including following items:
First item:The application obtains private key authorization response and also carries the 4th cipher generating parameter;Second is being sent to server-side
Before ciphertext obtains request, step is further included:According to the 4th visitor of the 4th cipher generating parameter and CUSTOMER ID generation
Family end key;Second ciphertext obtains request and also carries the 4th client key;
Section 2:The application obtains private key authorization response and also carries the 5th certificate parameter;The second ciphertext is being sent to server-side
Before obtaining request, step is further included:Obtain the CUSTOMER ID and the 6th certificate parameter input by user;Described second
Ciphertext obtains request and also carries the 6th certificate parameter.
9. a kind of security processing method based on private key escrow, including step:
The signature request that client is sent is received, signature response, the signature are returned to the client according to the signature request
Response carries the 5th cipher generating parameter and the 6th cipher generating parameter;
It receives the third ciphertext that the client is sent and obtains request, the third ciphertext obtains request and carries the client root
The 6th client key generated according to the 6th cipher generating parameter and the CUSTOMER ID;
The acquisition response of third ciphertext is returned to the client, the third ciphertext obtains the 5th private carried in response from storage
The third ciphertext extracted in key ciphertext encrypted result;
The third ciphertext decryption response that the client returns is received, the third ciphertext decryption response carries the client pair
The third decrypted result that third ciphertext is decrypted, and after private key ciphertext is decrypted based on the third decrypted result,
It is digitally signed, and private key ciphertext is encrypted according to the 6th client key, obtain the encryption of the 6th private key ciphertext
As a result, and by the 6th cipher generating parameter and the 6th private key ciphertext decrypted result associated storage.
10. according to the method described in claim 9, it is characterized in that, the signature response also carries the 7th certificate parameter;It is described
Third ciphertext obtains request and also carries the 8th certificate parameter input by user;
Before the acquisition response of third ciphertext is returned to first client, step is further included:Verify the 8th verification ginseng
Number and the consistency of the 7th certificate parameter.
11. method according to claim 9 or 10, which is characterized in that before the signature request that client is sent is received,
Further include step:
When receiving mechanism private key escrow request, to client forwarding mechanism private key application information;
The first processing request that the client is sent is received, first is returned to the client according to the described first processing request
Processing response, the first processing response carry first key generation parameter;
Receive the first confirmation message that the client is sent, first confirmation message carries the client and is based on described the
One cipher generating parameter and the first client key of CUSTOMER ID generation;
Private key ciphertext is obtained, and the private key ciphertext is encrypted based on first client key, obtains the first private key
Ciphertext encrypted result;
The first key is generated into parameter, the first private key ciphertext encrypted result associated storage.
At least one of 12. according to the method for claim 11, which is characterized in that in including following items:
First item:The first processing response further includes the first certificate parameter;First confirmation message also carries user's input
The second certificate parameter;Before private key ciphertext is obtained, step is further included:Verify that second certificate parameter is tested with described first
Demonstrate,prove the consistency of parameter;
Section 2:Before private key ciphertext is obtained, step is further included:Verify the validity of the signature of first confirmation message;
Section 3:First confirmation message also carries the second client digital certificate;Before private key ciphertext is obtained, pass through
The validity of the signature of first confirmation message described in two client digital certificate authentications.
13. method according to claim 9 or 10, which is characterized in that before the signature request that client is sent is received,
Further include step:
When receiving mechanism trustship private key authorization requests, to client forwarding mechanism private key authorization requests information;
The second processing request that the client is sent is received, is asked to return to second to the client according to the second processing
Processing response, the second processing response carry the second cipher generating parameter;
It receives the first ciphertext that the client is sent and obtains request;
The first ciphertext is returned to the client and obtains response, and it is private that the first ciphertext acquisition response carries second based on storage
The first ciphertext that key ciphertext encrypted result determines;
The first ciphertext decryption response that the client returns is received, the first ciphertext decryption response carries the client pair
The first decrypted result that first ciphertext is decrypted, and private key ciphertext is being decrypted based on first decrypted result
Afterwards, based on treating that private key ciphertext is encrypted in authorized user's public key, private key ciphertext mandate encrypted result is obtained.
14. according to the method for claim 13, which is characterized in that further include at least one in following items:
First item:The second processing response also carries third cipher generating parameter;First ciphertext obtains request and also carries
The third client key that the client is generated according to the third cipher generating parameter and CUSTOMER ID;
The method further includes step:The private key ciphertext is encrypted according to the third client key, obtains third
Private key ciphertext encrypted result;By the third cipher generating parameter and the third private key ciphertext decrypted result associated storage;
Section 2:The second processing response also carries third certificate parameter;First ciphertext obtains request and also carries user
4th certificate parameter of input;
Before the acquisition response of the first ciphertext is returned to the client, step is further included:Verify the 4th certificate parameter with
The consistency of the third certificate parameter;
Section 3:The second processing response, which also carries, treats authorized user's certificate;
Before the acquisition response of the first ciphertext is returned to the client, step is further included:It verifies that first ciphertext obtains to ask
The validity for the signature asked.
15. method according to claim 9 or 10, which is characterized in that further include step:
It receives the application that the client is sent and obtains private key authorization requests, returning to application to the client obtains private key mandate
Response;
It receives the client the second ciphertext that private key authorization response sends is obtained according to the application and obtain request, and to described
Client returns to the second ciphertext and obtains response, and second ciphertext is obtained to carry in response and be encrypted from the private key ciphertext mandate of storage
Second ciphertext of as a result middle extraction;
The second ciphertext decryption response that the client returns is received, the second ciphertext decryption response carries the client pair
The second decrypted result that second ciphertext is decrypted, and private key ciphertext is being decrypted based on second decrypted result
Afterwards, Authorization result is obtained.
16. according to the method for claim 15, which is characterized in that further include at least one in following items:
First item:The application obtains private key authorization response and carries the 4th cipher generating parameter;Second ciphertext obtains request
Carry the 4th client key that the client is generated according to the 4th cipher generating parameter and CUSTOMER ID;
The method further includes step:Private key ciphertext is encrypted according to the 4th client key, obtains the 4th private key
Ciphertext encrypted result;By the 4th cipher generating parameter and the 4th private key ciphertext decrypted result associated storage;
Section 2:The application obtains private key authorization response and also carries the 5th certificate parameter;Second ciphertext obtains request also
Carry the 6th certificate parameter input by user;
Before the acquisition response of the second ciphertext is returned to the client, step is further included:Verify the 6th certificate parameter with
The consistency of 5th certificate parameter.
17. a kind of security processing method based on private key escrow, including step:
The mechanism private key that server-side is forwarded in the mechanism trustship private key authorization requests for receiving the transmission of the first client is received to award
Weigh solicited message;
Second processing request is sent, and receive the server-side to the server-side based on the mechanism private key authorization requests information
Based on the second processing response that second processing request returns, second processing response carry the second cipher generating parameter and
Third cipher generating parameter;
Second client key is generated according to second cipher generating parameter and CUSTOMER ID, is given birth to according to the third key
Into parameter and CUSTOMER ID generation third client key, and send the first ciphertext to the server-side and obtain request;
Receive the first ciphertext that the server-side returns and obtain response, first ciphertext obtain response carry based on storage the
The first ciphertext that two private key ciphertext encrypted results determine;
First ciphertext is decrypted according to second client key, obtains the first decrypted result, and to the clothes
End the first ciphertext of transmission of being engaged in decrypts response, the first ciphertext decryption response carrying first decrypted result.
At least one of 18. according to the method for claim 17, which is characterized in that in including following items:
First item:The second processing response also carries third certificate parameter;It is obtained sending the first ciphertext to the server-side
Before request, step is further included:Obtain the 4th certificate parameter input by user;First ciphertext is obtained described in request also carrying
4th certificate parameter;
Section 2:The second processing response, which also carries, treats authorized user's certificate;It is obtained sending the first ciphertext to the server-side
Before taking request, step is further included:Request is obtained to first ciphertext to sign.
19. a kind of security processing method based on private key escrow, including step:
Application is sent to server-side and obtains private key authorization requests, and the application for receiving server-side return obtains private key authorization response,
The application obtains private key authorization response and also carries the 4th cipher generating parameter;
4th client key is generated, and send out to the server-side according to the 4th cipher generating parameter and CUSTOMER ID
The second ciphertext is sent to obtain request, second ciphertext obtains request and also carries the 4th client key;
The second ciphertext for receiving the server-side return obtains response, and the private key that the second ciphertext obtains carrying from storage in response is close
Text authorizes the second ciphertext extracted in encrypted result;
Second ciphertext is decrypted, obtains the second decrypted result, and send the decryption of the second ciphertext to the server-side and ring
Should, the second ciphertext decryption response carries second decrypted result.
20. according to the method for claim 19, which is characterized in that the application obtains private key authorization response and also carries the 5th
Certificate parameter;
Before the acquisition request of the second ciphertext is sent to server-side, step is further included:Obtain the CUSTOMER ID and user
6th certificate parameter of input;
Second ciphertext obtains request and also carries the 6th certificate parameter.
21. a kind of security processing method based on private key escrow, including step:
When receiving mechanism trustship private key authorization requests, to client forwarding mechanism private key authorization requests information;
The second processing request that the client is sent is received, is asked to return to second to the client according to the second processing
Processing response, the second processing response carry the second cipher generating parameter, third cipher generating parameter;
It receives the first ciphertext that the client is sent and obtains request, first ciphertext obtains request and carries the client root
The third client key generated according to the third cipher generating parameter and CUSTOMER ID;
The first ciphertext is returned to the client and obtains response, and it is private that the first ciphertext acquisition response carries second based on storage
The first ciphertext that key ciphertext encrypted result determines;
The first ciphertext decryption response that the client returns is received, the first ciphertext decryption response carries the client pair
The first decrypted result that first ciphertext is decrypted, and private key ciphertext is being decrypted based on first decrypted result
Afterwards, based on treating that authorized user's public, private key ciphertext is encrypted, private key ciphertext mandate encrypted result is obtained, and according to the third
The private key ciphertext is encrypted in client key, obtains third private key ciphertext encrypted result;The third key is generated
Parameter and the third private key ciphertext decrypted result associated storage.
22. according to the method for claim 21, which is characterized in that further include at least one in following items:
First item:The second processing response also carries third certificate parameter;First ciphertext obtains request and also carries user
4th certificate parameter of input;
Before the acquisition response of the first ciphertext is returned to the client, step is further included:Verify the 4th certificate parameter with
The consistency of the third certificate parameter;
Section 2:The second processing response, which also carries, treats authorized user's certificate;
Before the acquisition response of the first ciphertext is returned to the client, step is further included:It verifies that first ciphertext obtains to ask
The validity for the signature asked.
23. a kind of security processing method based on private key escrow, including step:
It receives the application that client is sent and obtains private key authorization requests, returned to the client and apply for that obtaining private key mandate rings
Should, the application obtains private key authorization response and carries the 4th cipher generating parameter;
It receives the client to be asked according to the second ciphertext acquisition that the application acquisition private key authorization response is sent, described second
Ciphertext obtains request and carries the 4th visitor that the client is generated according to the 4th cipher generating parameter and CUSTOMER ID
Family end key;
Response is obtained to the client the second ciphertext of return, the private key that second ciphertext obtains carrying from storage in response is close
Text authorizes the second ciphertext extracted in encrypted result;
The second ciphertext decryption response that the client returns is received, the second ciphertext decryption response carries the client pair
The second decrypted result that second ciphertext is decrypted, and private key ciphertext is being decrypted based on second decrypted result
Afterwards, Authorization result is obtained, and private key ciphertext is encrypted according to the 4th client key, the 4th private key ciphertext is obtained and adds
Close result;By the 4th cipher generating parameter and the 4th private key ciphertext decrypted result associated storage.
24. according to the method for claim 23, it is characterised in that:The application obtains private key authorization response and also carries the 5th
Certificate parameter;Second ciphertext obtains request and also carries the 6th certificate parameter input by user;
Before the acquisition response of the second ciphertext is returned to the client, step is further included:Verify the 6th certificate parameter with
The consistency of 5th certificate parameter.
25. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor
Calculation machine program, which is characterized in that the processor realizes any one of claim 1 to 24 the method when performing described program
Step.
26. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor
The step of any one of claim 1 to 24 the method is realized during execution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711481070.3A CN108173648B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, device and storage medium based on private key escrow |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711481070.3A CN108173648B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, device and storage medium based on private key escrow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108173648A true CN108173648A (en) | 2018-06-15 |
CN108173648B CN108173648B (en) | 2021-01-26 |
Family
ID=62516458
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711481070.3A Active CN108173648B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, device and storage medium based on private key escrow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108173648B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111130803A (en) * | 2019-12-26 | 2020-05-08 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111294379A (en) * | 2018-12-10 | 2020-06-16 | 北京沃东天骏信息技术有限公司 | Block chain network service platform, authority hosting method thereof and storage medium |
CN111431713A (en) * | 2020-03-27 | 2020-07-17 | 财付通支付科技有限公司 | Private key storage method and device and related equipment |
CN114239065A (en) * | 2021-12-20 | 2022-03-25 | 北京深思数盾科技股份有限公司 | Data processing method based on secret key, electronic equipment and storage medium |
CN114499975A (en) * | 2021-12-28 | 2022-05-13 | 北京深思数盾科技股份有限公司 | Method for verifying login server, server and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060095770A1 (en) * | 2004-10-29 | 2006-05-04 | Baylis Stephen W | Method of establishing a secure e-mail transmission link |
EP2509025A1 (en) * | 2011-04-08 | 2012-10-10 | Agence nationale des titres securises | Method for access to a protected resource of a trusted personal device |
CN104618116A (en) * | 2015-01-30 | 2015-05-13 | 北京数字认证股份有限公司 | Collaborative digital signature system and method |
CN104618107A (en) * | 2014-12-29 | 2015-05-13 | 广东信鉴信息科技有限公司 | Digital signature method and system |
CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
WO2017123100A1 (en) * | 2016-01-13 | 2017-07-20 | Hiddn Security As | 2-factor authentication for network connected storage device |
CN107480986A (en) * | 2017-08-14 | 2017-12-15 | 飞天诚信科技股份有限公司 | A kind of method and hardware wallet that digital cash wallet is realized using hardware |
CN107508667A (en) * | 2017-07-10 | 2017-12-22 | 中国人民解放军信息工程大学 | Ciphertext policy ABE base encryption method and its device of the fix duty without key escrow can be disclosed |
-
2017
- 2017-12-29 CN CN201711481070.3A patent/CN108173648B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060095770A1 (en) * | 2004-10-29 | 2006-05-04 | Baylis Stephen W | Method of establishing a secure e-mail transmission link |
US7660987B2 (en) * | 2004-10-29 | 2010-02-09 | Baylis Stephen W | Method of establishing a secure e-mail transmission link |
EP2509025A1 (en) * | 2011-04-08 | 2012-10-10 | Agence nationale des titres securises | Method for access to a protected resource of a trusted personal device |
CN104618107A (en) * | 2014-12-29 | 2015-05-13 | 广东信鉴信息科技有限公司 | Digital signature method and system |
CN104618116A (en) * | 2015-01-30 | 2015-05-13 | 北京数字认证股份有限公司 | Collaborative digital signature system and method |
WO2017123100A1 (en) * | 2016-01-13 | 2017-07-20 | Hiddn Security As | 2-factor authentication for network connected storage device |
CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
CN107508667A (en) * | 2017-07-10 | 2017-12-22 | 中国人民解放军信息工程大学 | Ciphertext policy ABE base encryption method and its device of the fix duty without key escrow can be disclosed |
CN107480986A (en) * | 2017-08-14 | 2017-12-15 | 飞天诚信科技股份有限公司 | A kind of method and hardware wallet that digital cash wallet is realized using hardware |
Non-Patent Citations (2)
Title |
---|
PAN J: ""Identity-based secure collaboration in wireless ad hoc networks"", 《COMPUTER NETWORKS》 * |
闻庆峰: ""SM9及其PKI在电子政务邮件系统中的应用"", 《计算机应用与软件》 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111294379A (en) * | 2018-12-10 | 2020-06-16 | 北京沃东天骏信息技术有限公司 | Block chain network service platform, authority hosting method thereof and storage medium |
CN111294379B (en) * | 2018-12-10 | 2022-06-07 | 北京沃东天骏信息技术有限公司 | Block chain network service platform, authority hosting method thereof and storage medium |
CN111130803A (en) * | 2019-12-26 | 2020-05-08 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111130803B (en) * | 2019-12-26 | 2023-02-17 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111431713A (en) * | 2020-03-27 | 2020-07-17 | 财付通支付科技有限公司 | Private key storage method and device and related equipment |
CN111431713B (en) * | 2020-03-27 | 2023-03-28 | 财付通支付科技有限公司 | Private key storage method and device and related equipment |
CN114239065A (en) * | 2021-12-20 | 2022-03-25 | 北京深思数盾科技股份有限公司 | Data processing method based on secret key, electronic equipment and storage medium |
CN114499975A (en) * | 2021-12-28 | 2022-05-13 | 北京深思数盾科技股份有限公司 | Method for verifying login server, server and storage medium |
CN114499975B (en) * | 2021-12-28 | 2023-05-26 | 北京深盾科技股份有限公司 | Verification method for login server, server and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108173648B (en) | 2021-01-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Garg et al. | BAKMP-IoMT: Design of blockchain enabled authenticated key management protocol for internet of medical things deployment | |
CN108173648A (en) | Security processing method, equipment and storage medium based on private key escrow | |
CN100432889C (en) | System and method providing disconnected authentication | |
CN107359998B (en) | A kind of foundation and operating method of portable intelligent password management system | |
Anakath et al. | Privacy preserving multi factor authentication using trust management | |
CN107370600B (en) | Method for generating core identity digital certificate and identity side digital certificate | |
CN103905204B (en) | The transmission method and Transmission system of data | |
CN107819587A (en) | Authentication method and user equipment and certificate server based on full homomorphic cryptography | |
CN109067801A (en) | A kind of identity identifying method, identification authentication system and computer-readable medium | |
CN105474575B (en) | Secure Verification System, certificate server, intermediate server, Secure authentication method and program | |
JP2016502377A (en) | How to provide safety using safety calculations | |
CN106130716A (en) | Cipher key exchange system based on authentication information and method | |
CN108471352A (en) | Processing method, system, computer equipment based on distributed private key and storage medium | |
CN106850201A (en) | Intelligent terminal multiple-factor authentication method, intelligent terminal, certificate server and system | |
CN108199847A (en) | Security processing method, computer equipment and storage medium | |
CN112839046B (en) | Traceable anonymous crowdsourcing method and system based on block chain | |
CN109861813A (en) | Anti- quantum calculation https traffic method and system based on unsymmetrical key pond | |
CN109815659A (en) | Safety certifying method, device, electronic equipment and storage medium based on WEB project | |
CN110113334A (en) | Contract processing method, equipment and storage medium based on block chain | |
CN110138548A (en) | Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system | |
CN109587100A (en) | A kind of cloud computing platform user authentication process method and system | |
CN110380859A (en) | Based on unsymmetrical key pond to and DH agreement quantum communications service station identity identifying method and system | |
WO2017050152A1 (en) | Password security system adopted by mobile apparatus and secure password entering method thereof | |
CN106936797A (en) | The management method and system of magnetic disk of virtual machine and file encryption key in a kind of cloud | |
McCarney | Password managers: Comparative evaluation, design, implementation and empirical analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |