CN108199847A - Security processing method, computer equipment and storage medium - Google Patents
Security processing method, computer equipment and storage medium Download PDFInfo
- Publication number
- CN108199847A CN108199847A CN201711481208.XA CN201711481208A CN108199847A CN 108199847 A CN108199847 A CN 108199847A CN 201711481208 A CN201711481208 A CN 201711481208A CN 108199847 A CN108199847 A CN 108199847A
- Authority
- CN
- China
- Prior art keywords
- client
- key
- parameter
- server
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A kind of security processing method, equipment and medium, the method for an embodiment include:Receive the digital signature request that client is sent;Digital signature response is returned to client, carries second, third client key generation parameter;The second user authorization message that client returns is received, carries second, third client key that client is generated respectively based on second, third client key generation parameter;Second, third server-side key is generated based on second, third client key and second, third server-side cipher generating parameter respectively;Private key ciphertext is obtained with the second private key ciphertext encrypted result that second service end secret key decryption stores, is signed with private key ciphertext to data to be signed and obtains digital signature result;Third private key ciphertext encrypted result is obtained with third server-side key encryption key ciphertext, third client key is generated into parameter, third server-side cipher generating parameter and third private key ciphertext encrypted result associated storage.This embodiment scheme improves safety.
Description
Technical field
The present invention relates to technical field of cryptology, more particularly to a kind of security processing method, computer equipment and
Computer storage media.
Background technology
It is Web bank, online working, online with the emergence of development and the E-Government e-commerce of Internet technology
The business such as shopping have stepped into public life, and continuous promptly change and progress.It is being related to many key industry
When business operation and the transmission of sensitive information, usually using digital signature technology, realize the integrity verification to data, it is anti-tamper with
And the safeguard protections such as resisting denying.The intelligent ciphers such as bluetooth, tone code and NFC (near field communication (NFC)) in conventional internet
Although being theoretically utilized in mobile internet device, it is various, compatible to be limited to type kind for key, intellective IC card equipment
Difference, individual carries and use is cumbersome, causes user experience very poor, there is no popularizations to open.By PKI (Public Key Infrastructure) technologies and
Commercial cipher chip is combined with wearable device, although the inconvenience of personal carrying can be reduced, when in use, still can
Face the problem of compatibility is adapted to, operating procedure is various.
Invention content
Based on this, the embodiment of the present application is designed to provide a kind of security processing method, computer equipment and meter
Calculation machine storage medium.
A kind of security processing method, including step:
Digital signature request is sent to server-side;
Receive the digital signature response that the server-side is returned based on the digital signature request, the digital signature response
Carry the second client key generation parameter and third client key generation parameter;
Second client key is generated based on second client key generation parameter, it is close based on the third client
Key generation parameter generation third client key, and send second user authorization message, the second user to the server-side
Authorization message carries second client key, the third client key;
Receive the digital signature result that the server-side returns.
A kind of security processing method, including step:
Receive the digital signature request that client is sent;
Digital signature response is returned to the client, the digital signature response carries the second client key generation ginseng
Number and third client key generate parameter;
The second user authorization message that the client returns is received, the second user authorization message carries the client
End group is given birth in the second client key of second client key generation parameter generation, based on the third client key
The third client key generated into parameter;
Based on second client key and second service end cipher generating parameter generation second service end key, described
Third client key and third server-side cipher generating parameter generation third server-side key;
The the second private key ciphertext encrypted result stored using second service end secret key decryption obtains private key ciphertext, and
It is signed with the private key ciphertext to data to be signed, obtains digital signature result;
The private key ciphertext is encrypted using the third server-side key, obtains third private key ciphertext encrypted result, and will
The third client key generation parameter, the third server-side cipher generating parameter and third private key ciphertext encryption
As a result associated storage.
A kind of computer equipment can be run on a memory and on a processor including memory, processor and storage
The step of computer program, the processor realizes method as described above when performing described program.
A kind of computer readable storage medium, is stored thereon with computer program, which realizes when being executed by processor
The step of method as described above.
Based on the scheme of embodiment as described above, by the private key escrow of signature in server-side, and signed each time
During name, the private key ciphertext based on server-side trustship, client cooperates with completion to sign with server-side, and completes signature each time
On the basis of, client further generates new client key, and server-side is based further on the new client key and service
Key is held to generate new private key ciphertext encrypted result, realizes the update to the private key ciphertext encrypted result of storage accordingly so that is every
The private key ciphertext encrypted result that the participation of the user of client is required for when once being signed and is used every time is all different, can
Pretend to be user's signature to prevent server-side backstage personnel from retaining private key ciphertext, so as to further improve security processing
Safety.
Description of the drawings
Fig. 1 is the schematic diagram of the application environment of a this embodiment scheme;
Fig. 2 is the flow diagram of the security processing method in one embodiment;
Fig. 3 is the flow diagram of the security processing method in a specific example;
Fig. 4 is the flow diagram of the security processing method in another embodiment;
Fig. 5 is the flow diagram of the security processing method in a specific example;
Fig. 6 is the interaction flow schematic diagram of the security processing in a specific example;
Fig. 7 is the flow diagram of the security processing method in another specific example;
Fig. 8 is the structure diagram of the computer equipment in one embodiment.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the object, technical solution and advantage for making the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and
It is not used in restriction the application.
The schematic diagram of application environment that Fig. 1 is related to for application scheme in one embodiment, reference Fig. 1, the present embodiment
Scheme is related to terminal 101, server-side 102, further relates to cipher machine 103, and terminal 101 passes through network connection, password with server-side 102
Machine 103 is only connect with server-side 102, and in some embodiments, cipher machine 103 may be set to be a part for server-side 102.
Terminal 101 can be specifically that terminal console, mobile terminal and others can or be needed private key escrow to server-side 102
Equipment, mobile terminal can be specifically at least one of mobile phone, tablet computer, laptop etc., and server-side 120 can be with
The server cluster formed with independent server or multiple servers is realized.In application scheme, terminal 101 and user
It is interacted with server-side 102, realizes the input of user information, realize tying up for user and private key ciphertext together with server-side 102
Fixed and user licenses private key ciphertext.And server-side is interacted with terminal 101 and cipher machine 103, realizes private key for user
It preserves and private key ciphertext is licensed in management, binding and user of the realization user with private key ciphertext.Wherein, which can
Possess certificate and private key that authoritative institution issues.And cipher machine 103 is to generate encrypted private key ciphertext and export, import
Encrypted private key ciphertext is signed, and can only be communicated with server-side 102.
Fig. 2 shows the flow diagram of the security processing method in one embodiment, the method in the embodiment
Applied to the terminal 101 in above-mentioned Fig. 1 or the client being arranged in terminal 101.With reference to Fig. 2, the number in the embodiment
Security processing includes the following steps S201 to step S204.
Step S201:Digital signature request is sent to server-side.
Terminal 101 can send the digital signature request at the time of any need is signed to server-side.Number label
Can data to be signed, embodiments herein can also be carried with the relevant user information of the user of carried terminal in name request
The concrete type and content of user information and data to be signed are not defined.
Step S202:Receive the digital signature response that the server-side is returned based on the digital signature request, the number
Word signature response carries the second client key generation parameter and third client key generation parameter.
It can be that any terminal 101 can be used that second client key, which generates parameter and third client key generation parameter,
To generate the parameter of client key.In a specific example, second client key generation parameter and third client
Cipher generating parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in digital signature response and (be known as third in the present embodiment
Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives
To terminal 101 send information when, can be verified.The third certificate parameter can be any ginseng that can be verified
Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated
Or a combination thereof etc. any possible form.
Step S203:Second client key is generated based on second client key generation parameter, based on described the
Three client keys generation parameter generation third client key, and send second user authorization message, institute to the server-side
It states second user authorization message and carries second client key, the third client key.
Second client key is generated based on the second client key generation parameter, is generated and joined based on third client key
The mode of number generation third client key is unlimited, such as can generate second with cipher key derivation function KDF, hash function etc.
Client key, third client key.
In a specific example, the second client key is being generated based on the second client key generation parameter, is being based on
Before third client key generation parameter generation third client key, step can also be included:Obtain CUSTOMER ID.It should
CUSTOMER ID can be the PIN code (Personal Identification Number, personal recognition code) of terminal 101,
The PIN code can be user's input by terminal 101.
In the case, the second client key is generated in above-mentioned the second client key generation parameter that is based on, based on the
During three client keys generation parameter generation third client key, following manner progress may be used:Based on the described second visitor
Family end cipher generating parameter and the CUSTOMER ID generate the second client key, are generated based on the third client key
Parameter and CUSTOMER ID generation third client key.So as to combine the participation of CUSTOMER ID so that the of generation
Two client keys, third client key have the direct participation of the user of client, are signed each time with further ensuring that
Journey has the participation of client user.
In one embodiment, under further including third certificate parameter unanimous circumstances in the response of above-mentioned digital signature,
Before sending second user authorization message to the server-side, step can also be included:Obtain the 4th verification ginseng input by user
Number.At this point, in above-mentioned second user authorization message, the 4th certificate parameter is also carried.Correct situation is inputted in terminal user
Under, the 4th certificate parameter should be identical with above-mentioned third certificate parameter.
In another embodiment, before the above-mentioned transmission second user authorization message to server-side, step can also be included
Suddenly:The second user authorization message is encrypted using server-side CertPubKey.Thus to further improve safety.
Step S204:Receive the digital signature result that the server-side returns.
It is appreciated that the digital signature result can be that data to be signed are carried out based on the private key ciphertext that server-side stores
The digital signature result that signature obtains.
Based on this embodiment scheme, during signature is performed, client obtains two client keys from server-side
Parameter is generated, and two client keys are returned to server-side, so as to which server-side is decrypted based on one of client key
In the case of going out private key ciphertext, it is also based on another client key and generates new private key ciphertext encrypted result, it is real accordingly
Now to the update of the private key ciphertext encrypted result of storage so that be required for the participation of the user of client when being signed each time
And the private key ciphertext encrypted result used every time is all different, can prevent server-side backstage personnel from retaining private key ciphertext encryption knot
Fruit pretends to be user's signature, so as to further improve the safety of security processing.
In a specific example, the method in the present embodiment can also include step S301 as shown in Figure 3 to step
S303。
Step S301:Private key escrow request is sent to the server-side.
Client can send private key escrow request, the private key support when any need carries out private key escrow to server-side
It can be with the relevant user information of the user of carried terminal 101, not to the concrete type of user information in the present embodiment in pipe request
It is defined with content.
Step S302:The private key escrow response that the server-side returns is received, the private key escrow response carries the first visitor
Family end cipher generating parameter.
First client key generation parameter can be the parameter that any terminal 101 can be used to generation client key.
In a specific example, first client key generation parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in private key escrow response and (be known as first in the present embodiment
Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives
To terminal 101 send information when, can be verified.First certificate parameter can be any ginseng that can be verified
Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated
Or a combination thereof any possible form.
Step S303:First client key is generated, and to server-side based on first client key generation parameter
The first authorized user message is sent, first authorized user message carries first client key.
The mode that the first client key is generated based on the first client key generation parameter is unlimited, such as can use key
Derivation function KDF, hash function etc. generate the first client key.
In a specific example, before the first client key is generated based on the first client key generation parameter,
It can also include step:Obtain CUSTOMER ID.The CUSTOMER ID can be the PIN code of terminal 101, which can be
It is inputted by the user of terminal 101.
In the case, it is above-mentioned be based on the first client key generation parameter and generate the first client key when, can be with
It is carried out using following manner:Parameter is generated based on first client key and the CUSTOMER ID generates the first client
Key.So as to combine the participation of CUSTOMER ID so that the first client key of generation has the direct ginseng of the user of client
With.
In one embodiment, under further including the first certificate parameter unanimous circumstances in the response of above-mentioned private key escrow,
Before sending the first authorized user message to the server-side, step can also be included:Obtain the second verification ginseng input by user
Number.At this point, in above-mentioned first authorized user message, second certificate parameter is also carried.Correct situation is inputted in terminal user
Under, which should be identical with above-mentioned first certificate parameter.
In another embodiment, before above-mentioned the first authorized user message of transmission to server-side, step can also be included
Suddenly:First authorized user message is encrypted using server-side CertPubKey.Thus to further improve safety.
Fig. 4 shows the flow diagram of the security processing method of another embodiment, which is in Fig. 1
It is illustrated for the processing procedure of shown server-side 102.As shown in figure 3, the method in the embodiment includes step S401
To step S406.
Step S401:Receive the digital signature request that client is sent.
Client in terminal 101 can send the number label at the time of any need is digitally signed to server-side
Name request.Can data to be signed can also be carried with the relevant user information of the user of carried terminal in digital signature request, this
The embodiment of application is not defined the concrete type and content of user information and data to be signed.
Step S402:Digital signature response is returned to the client, the digital signature response carries the second client
Cipher generating parameter and third client key generation parameter.
It can be that any terminal 101 can be used that second client key, which generates parameter and third client key generation parameter,
To generate the parameter of client key.In a specific example, second client key generation parameter and third client
Cipher generating parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in digital signature response and (be known as third in the present embodiment
Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives
To terminal 101 send information when, can be verified.The third certificate parameter can be any ginseng that can be verified
Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated
Or a combination thereof etc. any possible form.
Step S403:The second user authorization message that the client returns is received, the second user authorization message is taken
With second client key of the client based on second client key generation parameter generation, based on third visitor
The third client key of family end cipher generating parameter generation.
Any possible mode can be used to be based on the generation parameter generation of the second client key in client in terminal 101
Second client key, based on third client key generation parameter generation third client key, such as with key derivation letter
Number KDF, hash function etc..Can be based on the second client key generation parameter and user's identification in a specific example
Code the second client key of generation generates parameter and CUSTOMER ID generation third client based on third client key
Key.The CUSTOMER ID can be the PIN code of terminal 101, which can voluntarily be obtained from terminal 101, can be by
User's input of terminal 101.
In one embodiment, under further including third certificate parameter unanimous circumstances in the response of above-mentioned digital signature, on
It states in second user authorization message, also carries the 4th certificate parameter input by user.It is correct in terminal user's input,
4th certificate parameter should be identical with above-mentioned third certificate parameter.
Therefore, in the case, before next step S404 is entered, step can also be included:Verify that the described 4th tests
Demonstrate,prove the consistency of parameter and third certificate parameter.And in the case where verifying the 4th certificate parameter and third certificate parameter unanimous circumstances,
Next step S404 is entered back into, otherwise return to failure information to client or directly exits current digital signature flow.
In one example, have in client and the second user authorization message is added using server-side CertPubKey
In the case of close, after second user authorization message is received, into next step processing procedure (such as step S404) it
Before, step can also be included:The second user authorization message is decrypted using server-side certificate and private key.
Step S404:Based on second client key and second service end cipher generating parameter generation second service end
Key, based on the third client key and third server-side cipher generating parameter generation third server-side key.
Server-side is based on the second client key and second service end cipher generating parameter generation second service end key, base
It is unlimited in the mode of third client key and third server-side cipher generating parameter generation third server-side key, such as can be with
With generations such as cipher key derivation function KDF, hash functions.
Step S405:The the second private key ciphertext encrypted result stored using second service end secret key decryption is obtained private
Key ciphertext, and signed with the private key ciphertext to data to be signed, obtain digital signature result.
Wherein, the second private key ciphertext encrypted result here, can in the case where being not carried out any once signed process
To be the private key ciphertext encrypted result generated during above-mentioned private key escrow application success.There is the situation that performed digital signature procedure
Under, can be then the private key ciphertext encrypted result updated storage after last digital signature is successful.
In one embodiment, it is signed with private key ciphertext to data to be signed, obtains the mode of digital signature result
It can include:
CIPHERING REQUEST is sent to cipher machine, CIPHERING REQUEST carries the data to be signed and the private key ciphertext;This waits to sign
Name data can be carried in above-mentioned digital signature request, be sent to server-side by client, server-side can also be passed through
Other modes obtain the data to be signed;
Receive the number that using the private key ciphertext data to be signed are carried out with signature acquisition that the cipher machine returns
Word signature result.
Step S406:The private key ciphertext is encrypted using the third server-side key, obtains the encryption of third private key ciphertext
As a result, and the third client key is generated into parameter, the third server-side cipher generating parameter and third private
Key ciphertext encrypted result associated storage.
The private key ciphertext can be the private key ciphertext parsed to the second private key ciphertext encrypted result.
Wherein, here private to third client key generation parameter, third server-side cipher generating parameter and third
The associated storage of key ciphertext encrypted result can be the second client key generation parameter stored to server-side, second
The update of server-side cipher generating parameter and the second private key ciphertext encrypted result.I.e. it is close no longer to store the second client for server-side
Key generation parameter, second service end cipher generating parameter and the second private key ciphertext encrypted result, but store associated third
Client key generation parameter, third server-side cipher generating parameter and third private key ciphertext encrypted result, so that it is guaranteed that
Each time after digital signature, the participation of the server-side always user based on terminal generates new private key ciphertext encrypted result, really
Used private key ciphertext encrypted result is all different when guarantor's server-side is signed every time, can prevent server-side backstage personnel
Retain private key ciphertext encrypted result to pretend to be user's signature, further improve the safety of security processing.
In one embodiment, the method for the present embodiment can also include step S501 as shown in Figure 5 to step S504.
Step S501:Receive the private key escrow request that the client is sent.
Client can send private key escrow request, the private key support when any need carries out private key escrow to server-side
It can be with the relevant user information of the user of carried terminal 101, not to the concrete type of user information in the present embodiment in pipe request
It is defined with content.
Step S502:The private key escrow returned to the client responds, and the private key escrow response carries the first client
Hold cipher generating parameter.
First client key generation parameter can be the parameter that any terminal 101 can be used to generation client key.
In a specific example, first client key generation parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in private key escrow response and (be known as first in the present embodiment
Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives
To terminal 101 send information when, can be verified.First certificate parameter can be any ginseng that can be verified
Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated
Or a combination thereof any possible form.
Step S503:The first authorized user message that the client returns is received, first authorized user message is taken
The first client key based on first client key generation parameter generation with the client.
The mode that client generates the first client key based on the first client key generation parameter is unlimited, such as can be with
The first client key is generated with cipher key derivation function KDF, hash function etc..
In a specific example, client is generating the first client key based on the first client key generation parameter
When, can be that the first client key is generated based on the first client key generation parameter and CUSTOMER ID.The user identifies
Code can be the PIN code of terminal 101, which can be user's input by terminal 101.So as to combine CUSTOMER ID
It participates in so that the first client key of generation has the direct participation of the user of client.
In one embodiment, under further including the first certificate parameter unanimous circumstances in the response of above-mentioned private key escrow, on
It states in the first authorized user message, also carries the second certificate parameter input by user.It is correct in terminal user's input,
Second certificate parameter should be identical with above-mentioned first certificate parameter.
Therefore, in the case, before next step S504 is entered, step can also be included:Verify that described second tests
Demonstrate,prove the consistency of parameter and the first certificate parameter.And in the case where verifying the second certificate parameter and the first certificate parameter unanimous circumstances,
Next step S504 is entered back into, otherwise return to failure information to client or directly exits current private key escrow application stream
Journey.
In one example, have in client and first authorized user message is added using server-side CertPubKey
In the case of close, after the first authorized user message is received, into next step processing procedure (such as step S504) it
Before, step can also be included:First authorized user message is decrypted using server-side certificate and private key.
Step S504:Private key ciphertext is obtained, based on first client key and first service end cipher generating parameter
First service end key is generated, the private key ciphertext is encrypted using first service end key, the first private key ciphertext is obtained and adds
Close result.
In one embodiment, obtaining the mode of private key ciphertext can include:
Private key ciphertext, which is sent, to cipher machine obtains request;
Receive the private key ciphertext that the cipher machine obtains request return based on the private key ciphertext.
After the first private key ciphertext encrypted result is obtained, the first client key can be generated parameter, first service end
Cipher generating parameter and the first private key ciphertext encrypted result are associated storage, are processed for subsequent digital signature
Journey.
Based on embodiment as described above, it may be determined that embodiments herein is by the signature private key trustship of terminal user
In server-side, data to be signed are sent to server-side when needing to be digitally signed, after completing digital signature by server-side
Signature value is returned to user, so as to fulfill digital signature.Wherein, the private key signed can be given birth to by the cipher machine of server-side
Into and export, and export private key can be private key ciphertext, by the private key encryption inside cipher machine, to improve safety.For private
Key ciphertext, the client that server-side reuses CUSTOMER ID (PIN code) and client is derived based on cipher generating parameter
Key is encrypted, and often carries out once signed operation, all private key ciphertext of re-encrypted, it is ensured that the only participation of user,
Signature could be completed, improves the safety of security processing.
Based on embodiment as described above, illustrated in greater detail is carried out below in conjunction with two of which specific example.The application
The scheme being related to is related to two digital security processes during the technology of a specific example is realized:Trustship private key Shen
Please with trustship private key signature, it is illustrated below in conjunction with the two processes.
Fig. 6 shows the interaction flow schematic diagram of the security processing in a specific example, is in the specific example
It is illustrated by taking the processing procedure of trustship private key application as an example.
With reference to shown in Fig. 6, during a specific application server-side trustship private key, the user of terminal 101 first beats
The client of terminal 101 is opened, and passes through the associated button clicked in client, control etc. and sends out trustship private key application instruction, visitor
Family end sends private key escrow request after trustship private key application instruction is received, to server-side.It can in private key escrow request
With the relevant user information of the user of carried terminal 101, the concrete type of user information and content are not carried out in the present embodiment
It limits.
After server-side receives private key escrow request, generation the first certificate parameter (can be random number) r1, the first client
Hold cipher generating parameter (can be random number) r2 and first service end cipher generating parameter (can be random number) r3.So
Afterwards, server-side returns to private key escrow response to client, and the visitors of the first certificate parameter r1 and first are included in private key escrow response
Family end cipher generating parameter r2.
After client receives private key escrow response, the first certificate parameter r1 can be shown, and user is prompted to input
Certificate parameter r1 and CUSTOMER ID (PIN code).The user of client can be based on prompting input validation parameter r1 and PIN code.
Then, client is based on the first client key generation parameter r2 and PIN code, calculates the first client key A:
A=f1 (PIN, r2), wherein, function f1 can be any function that can be used to generation key, such as cipher key derivation function KDF, breathe out
Uncommon function etc..
Client utilizes server-side digital certificate, to the second certificate parameter r1 ' input by user and the first client key A
It is encrypted, result B after being encrypted.Then the first authorized user message is sent to server-side, which includes
Result B after the encryption.
After server-side receives first authorized user message, using result B after the decryption encryption of server-side certificate and private key, obtain
The client key A ' after the second certificate parameter r1 ' and decryption after to decryption.
After decryption, server-side first compares the second certificate parameter r1 ' after decryption and the first certificate parameter r1 being locally stored
Whether consistent, if it is inconsistent, returning to error result, sending private key ciphertext to cipher machine if consistent obtains request, and
Receive the private key ciphertext D that cipher machine returns.
Then, server-side is according to the first client key A ' after decryption and first service end cipher generating parameter r3, meter
Calculate first service end ciphering key:C=f2 (A ', r3), wherein, function f2 () can be it is any can be generating the letter of key
Number, such as cipher key derivation function KDF, hash function.The function f2 () of server-side generation server-side key and client generation visitor
The function f1 () of family end key can be identical function or different functions.
Then, server-side utilizes first service end ciphering key encryption key ciphertext D, obtains the first private key ciphertext encrypted result
Any possible Encryption Algorithm may be used in E, when encryption, as AES (Advanced Encryption Standard, it is advanced plus
Data Encryption Standard)/DES (Data Encryption Algorithm, data encryption algorithm)/3DES (triple data encryption algorithm)/
SM4 (a kind of national secret algorithm) etc., the present embodiment is not specifically limited.
After the first private key ciphertext encrypted result E is obtained, client key is generated parameter r2, server-side key by server-side
Generate parameter r3 and private key ciphertext encrypted result E associated storages.And private key escrow is returned as a result, the private key escrow to client
As a result it can be successfully the information of trustship private key.
After the success trustship private key of client 101 of server-side 102, subsequent terminal 101 when being signed,
It can be digitally signed by private key of the server-side 101 based on trustship.It is shown in Fig. 7 at the security in a specific example
The interaction flow schematic diagram of reason method in the embodiment is illustrated by taking the iterative process being digitally signed as an example.
As shown in fig. 7, one it is specific be digitally signed during, the user of terminal 101 first opens a terminal 101
Client, and pass through the associated button clicked in client, control etc. and send out signature command.Client is receiving the signature
After instruction, digital signature request is sent to server-side, can be used in the digital signature request with the correlation of the user of carried terminal 101
Family information can also carry data to be signed, and embodiments herein is not to the concrete kind of user information and data to be signed
Type and content are defined.
After server-side receives the digital signature request, the second client key for reading out storage generates parameter, second
Server-side cipher generating parameter and the second private key ciphertext encrypted result, in the situation for being not carried out any digital signature
Under, the second client key generation parameter, second service end cipher generating parameter and the encryption of the second private key ciphertext of the storage
As a result the first client key to be stored during above-mentioned application private key escrow generates parameter r2, the life of first service end key
Into parameter r3 and the first private key ciphertext encrypted result E1.
Then, server-side generates new third certificate parameter r4, new third client key generates parameter r5 and new
Server-side cipher generating parameter r6.Then, server-side returns to digital signature response to client, is taken in digital signature response
With the second client key generation parameter r2, third certificate parameter r4 and third client key generation parameter r5.
After client receives digital signature response, third certificate parameter r4 can be shown, and user is prompted to input
Certificate parameter r4 and CUSTOMER ID (PIN code).The user of client can be based on prompting input validation parameter r4 and PIN code.
Then, client generates parameter r2 and PIN code according to the second client key, calculates the second client key
A1:A1=f1 (PIN, r2), wherein, function f1 () can be it is any can be used to generation key function, such as cipher key derivation function
KDF, hash function etc..
In addition, client generates parameter r5 and PIN code also according to third client key, third client key is calculated
A2:A2=f1 (PIN, r5), function f1 () can be it is any can be used to generation key function, as cipher key derivation function KDF,
Hash function etc..
Then, client utilizes server-side digital certificate, to the 4th certificate parameter r4 ' input by user, the second client
Key A 1 and third client key A2 are encrypted, result B after being encrypted.Then second user mandate is sent to server-side
Information, the second user authorization message carry result B after the encryption.
After server-side receives the second user authorization message, using result B after the decryption encryption of server-side certificate and private key, obtain
The second client key A1 ' after the 4th certificate parameter r4 ', decryption after to decryption and the third client key after decryption
A2′;
After decryption, server-side first compares the 4th certificate parameter r4 ' after decryption and the third certificate parameter r4 being locally stored
It is whether consistent, if it is inconsistent, return to error result, according to the of the second client key A1 ' and storage if consistent
Two server-side cipher generating parameter r3, calculate second service end ciphering key 1:C1=f2 (A1 ', r3), function f2 () can be
It is any can be generating the function of key, such as cipher key derivation function KDF, hash function.Server-side generates server-side key
The function f1 () of function f2 () and client generation client key can be identical function or different letters
Number.
Then, the second private key ciphertext encrypted result that server-side is stored using the decryption of second service end ciphering key 1 of generation
E1 obtains private key ciphertext D ', it will be understood that the decipherment algorithm being decrypted should with the Encryption Algorithm that private key ciphertext is encrypted
When being consistent.
After private key ciphertext D ' after being decrypted, private key ciphertext D ' of the server-side end group after decryption to data to be signed into
Row signature, obtains digital signature result.Can signature process be completed with combining cipher machine in one specific example, it specifically can be with
It is:Server-side sends CIPHERING REQUEST to cipher machine, and CIPHERING REQUEST carries data to be signed and private key ciphertext D ', used by cipher machine
Private key ciphertext D ' signs to data to be signed, obtains digital signature result, and return to server-side.Server-side is voluntarily counted
It calculates after obtaining digital signature result or obtaining the digital signature result that cipher machine returns, which can be returned to
Client, so as to complete digital signature procedure.
On the other hand, after digital signature result is obtained, server-side can also be further according to the third obtained after decryption
Client key A2 ' and newly-generated third server-side cipher generating parameter r6, calculates third server-side ciphering key 2:C2=f2
(A2 ', r6), the function f1 () of function f2 () and client the generation client key of server-side generation server-side key can be with
It is identical function or different functions.
After obtaining third server-side ciphering key 2, server-side encrypts what is obtained after above-mentioned decryption using third server-side ciphering key 2
Private key ciphertext D ', obtains third private key ciphertext encrypted result E2, and any possible Encryption Algorithm, such as AES/ may be used in when encryption
DES/3DES/SM4 etc..
Then, server-side is by third client key generation parameter r5, third server-side cipher generating parameter r6 and the
Three private key ciphertext encrypted result E2 are associated storage, with the second client key generation parameter r2, the second clothes updated storage
Be engaged in cipher generating parameter r3 and the second private key ciphertext encrypted result E1.I.e. server-side no longer stores the second client key generation ginseng
Number r2, second service cipher generating parameter r3 and the second private key ciphertext encrypted result E1, but store associated third client
Cipher generating parameter r5, third server-side cipher generating parameter r6 and third private key ciphertext encrypted result E2, so that it is guaranteed that often
After digital signature, the participation of user of the server-side always based on terminal 101 generates new private key ciphertext encrypted result, really
Used private key ciphertext encrypted result is all different when guarantor's server-side is digitally signed every time, can prevent server-side backstage
Personnel retain private key ciphertext to pretend to be user's signature, so as to further improve the safety of security processing.
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment packet
The computer program that includes memory, processor and storage on a memory and can run on a processor, wherein, processor performs
It is realized during described program such as the method for any one embodiment in the various embodiments described above.
Fig. 8 shows the internal structure chart of one embodiment Computer equipment.The computer equipment can be specifically Fig. 1
In terminal 101 or server-side 102.As shown in figure 8, the computer equipment include the processor connected by system bus,
Memory, network interface and input unit.Wherein, memory includes non-volatile memory medium and built-in storage.The computer
The non-volatile memory medium of equipment is stored with operating system, can also be stored with computer program, which is handled
When device performs, it may be such that processor realizes security processing method.Also computer program can be stored in the built-in storage, it should
When computer program is executed by processor, it may be such that processor performs security processing method.
It will be understood by those skilled in the art that the structure shown in Fig. 8, only part knot relevant with application scheme
The block diagram of structure does not form the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment
It can include either combining certain components than components more or fewer shown in figure or be arranged with different components.
One of ordinary skill in the art will appreciate that realizing all or part of flow in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, it is non-volatile computer-readable that the program can be stored in one
It takes in storage medium, in the embodiment of the present invention, which can be stored in the storage medium of computer system, and be calculated by this
At least one of machine system processor performs, to realize the flow for including the embodiment such as above-mentioned each method.Wherein, it is described
Storage medium can be magnetic disc, CD, read-only memory (Read-Only Memory, ROM) or random access memory
(Random Access Memory, RAM) etc..
Accordingly, a kind of storage medium is also provided in one embodiment, is stored thereon with computer program, wherein, the journey
It is realized when sequence is executed by processor such as the scalar product protocol processing method of any one embodiment in the various embodiments described above.
Each technical characteristic of embodiment described above can be combined arbitrarily, to make description succinct, not to above-mentioned reality
It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, it is all considered to be the range of this specification record.
Embodiment described above only expresses the several embodiments of the present invention, and description is more specific and detailed, but simultaneously
It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that those of ordinary skill in the art are come
It says, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to the protection of the present invention
Range.Therefore, the protection domain of patent of the present invention should be determined by the appended claims.
Claims (10)
1. a kind of security processing method, which is characterized in that including step:
Digital signature request is sent to server-side;
The digital signature response that the server-side is returned based on the digital signature request is received, the digital signature response carries
Second client key generates parameter and third client key generation parameter;
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key
Third client key is generated, and second user authorization message, the second user mandate are sent to the server-side into parameter
Information carries second client key, the third client key;
Receive the digital signature result that the server-side returns.
2. according to the method described in claim 1, it is characterised in that it includes it is following it is every at least one of:
First item:
The digital signature response also carries third certificate parameter;
Before second user authorization message is sent to the server-side, step is further included:Obtain the 4th verification input by user
Parameter;
The second user authorization message also carries the 4th certificate parameter;
Section 2:
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key
Before generating third client key into parameter, step is further included:Obtain CUSTOMER ID;
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key
The step of generating third client key into parameter includes:Parameter is generated based on second client key and the user knows
Other code generates the second client key, and parameter and CUSTOMER ID generation third are generated based on the third client key
Client key;
Section 3:
Before second user authorization message is sent to the server-side, step is further included:
The second user authorization message is encrypted using server-side CertPubKey.
3. method according to claim 1 or 2, which is characterized in that before sending digital signature request to server-side, also wrap
Include step;
Private key escrow request is sent to the server-side;
The private key escrow response that the server-side returns is received, the private key escrow response carries the first client key generation ginseng
Number;
First client key is generated, and send the first user to server-side and award based on first client key generation parameter
Information is weighed, first authorized user message carries first client key.
4. according to the method described in claim 3, it is characterised in that it includes it is following it is every at least one of:
First item:
The private key escrow response also carries the first certificate parameter;
Before the first authorized user message is sent to the server-side, step is further included:Obtain the second verification input by user
Parameter;
First authorized user message also carries second certificate parameter;
Section 2:
Before generating the first client key based on first client key generation parameter, step is further included:Obtain user
Identification code;
The step of generating the first client key based on first client key generation parameter includes:Based on the described first visitor
Family end cipher generating parameter and the CUSTOMER ID generate the first client key;
Section 3:
Before the first authorized user message is sent to the server-side, step is further included:
First authorized user message is encrypted using server-side CertPubKey.
5. a kind of security processing method, which is characterized in that including step:
Receive the digital signature request that client is sent;
Return to digital signature response to the client, digital signature response carry the second client key generation parameter and
Third client key generates parameter;
The second user authorization message that the client returns is received, the second user authorization message carries client's end group
The second client key of parameter generation is generated in second client key, based on third client key generation ginseng
The third client key of number generation;
Based on second client key and second service end cipher generating parameter generation second service end key, based on described
Third client key and third server-side cipher generating parameter generation third server-side key;
Using second service end secret key decryption store the second private key ciphertext encrypted result, obtain private key ciphertext, and use this
Private key ciphertext signs to data to be signed, obtains digital signature result;
The private key ciphertext is encrypted using the third server-side key, obtains third private key ciphertext encrypted result, and by described in
Third client key generation parameter, the third server-side cipher generating parameter and the third private key ciphertext encrypted result
Associated storage.
6. according to the method described in claim 5, it is characterised in that it includes it is following it is every at least one of:
First item:
The digital signature response also carries third certificate parameter;
The second user authorization message also carries the 4th certificate parameter input by user;
Based on second client key and second service end cipher generating parameter generation second service end key, described the
Before three client keys and third server-side cipher generating parameter generation third server-side key, step is further included:Verification institute
State the consistency of the 4th certificate parameter and the third certificate parameter;
Section 2:
After second user authorization message is received, before generating second service end key and third server-side key, also wrap
Include step:The second user authorization message is decrypted using server-side certificate and private key;
Section 3:
It is signed with the private key ciphertext to data to be signed, the mode for obtaining digital signature result includes:
CIPHERING REQUEST is sent to cipher machine, the CIPHERING REQUEST carries the data to be signed and the private key ciphertext;
The number for carrying out the data to be signed using the private key ciphertext signature acquisition that the cipher machine returns is received to sign
Name result.
7. method according to claim 5 or 6, which is characterized in that before receiving the digital signature request that client is sent,
Further include step:
Receive the private key escrow request that the client is sent;
The private key escrow returned to the client responds, and the private key escrow response carries the first client key generation ginseng
Number;
The first authorized user message that the client returns is received, first authorized user message carries client's end group
In the first client key of first client key generation parameter generation;
Private key ciphertext is obtained, based on first client key and first service end cipher generating parameter generation first service end
Key encrypts the private key ciphertext using first service end key, obtains the first private key ciphertext encrypted result.
8. the method according to the description of claim 7 is characterized in that further include at least one in following items:
First item:
The private key escrow response also carries the first certificate parameter;First authorized user message also carries input by user
Two certificate parameters;
Before based on first client key and first service end cipher generating parameter generation first service end key, also
Including step:Verify the consistency of second certificate parameter and first certificate parameter;
Section 2:
After the first authorized user message is received, before the key of generation first service end, step is further included:Using server-side
Certificate and private key decrypts first authorized user message;
Section 3:
The mode for obtaining private key ciphertext includes:
Private key ciphertext, which is sent, to cipher machine obtains request;
Receive the private key ciphertext that the cipher machine obtains request return based on the private key ciphertext.
9. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor
Calculation machine program, which is characterized in that the processor realizes any one of claim 1 to 8 the method when performing described program
Step.
10. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor
The step of any one of claim 1 to 8 the method is realized during execution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711481208.XA CN108199847B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, computer device, and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711481208.XA CN108199847B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, computer device, and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108199847A true CN108199847A (en) | 2018-06-22 |
CN108199847B CN108199847B (en) | 2020-09-01 |
Family
ID=62586849
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711481208.XA Active CN108199847B (en) | 2017-12-29 | 2017-12-29 | Digital security processing method, computer device, and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108199847B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110098928A (en) * | 2019-05-08 | 2019-08-06 | 国家电网有限公司 | A kind of key generation method and device of collaboration signature |
CN111046441A (en) * | 2019-10-31 | 2020-04-21 | 苏州浪潮智能科技有限公司 | Management method, equipment and medium for encrypted hard disk key |
CN112073200A (en) * | 2020-09-02 | 2020-12-11 | 北京五八信息技术有限公司 | Signature processing method and device |
CN112581285A (en) * | 2020-12-28 | 2021-03-30 | 上海万向区块链股份公司 | Block chain-based account generation method, system and medium in stock right transaction system |
CN112688784A (en) * | 2020-12-23 | 2021-04-20 | 安徽中科美络信息技术有限公司 | Digital signature and verification method, device and system |
CN113114646A (en) * | 2021-04-01 | 2021-07-13 | 深圳市腾讯网络信息技术有限公司 | Risk parameter determination method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101197674A (en) * | 2007-12-10 | 2008-06-11 | 华为技术有限公司 | Encrypted communication method, server and encrypted communication system |
CN101212293A (en) * | 2006-12-31 | 2008-07-02 | 普天信息技术研究院 | Identity authentication method and system |
CN101547095A (en) * | 2009-02-11 | 2009-09-30 | 广州杰赛科技股份有限公司 | Application service management system and management method based on digital certificate |
US20100082985A1 (en) * | 2008-09-26 | 2010-04-01 | Bluetie, Inc. | Methods for integrating security in network communications and systems thereof |
CN102413132A (en) * | 2011-11-16 | 2012-04-11 | 北京数码视讯软件技术发展有限公司 | Two-way-security-authentication-based data downloading method and system |
CN102571355A (en) * | 2012-02-02 | 2012-07-11 | 飞天诚信科技股份有限公司 | Method and device for importing secret key without landing |
-
2017
- 2017-12-29 CN CN201711481208.XA patent/CN108199847B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101212293A (en) * | 2006-12-31 | 2008-07-02 | 普天信息技术研究院 | Identity authentication method and system |
CN101197674A (en) * | 2007-12-10 | 2008-06-11 | 华为技术有限公司 | Encrypted communication method, server and encrypted communication system |
US20100082985A1 (en) * | 2008-09-26 | 2010-04-01 | Bluetie, Inc. | Methods for integrating security in network communications and systems thereof |
CN101547095A (en) * | 2009-02-11 | 2009-09-30 | 广州杰赛科技股份有限公司 | Application service management system and management method based on digital certificate |
CN102413132A (en) * | 2011-11-16 | 2012-04-11 | 北京数码视讯软件技术发展有限公司 | Two-way-security-authentication-based data downloading method and system |
CN102571355A (en) * | 2012-02-02 | 2012-07-11 | 飞天诚信科技股份有限公司 | Method and device for importing secret key without landing |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110098928A (en) * | 2019-05-08 | 2019-08-06 | 国家电网有限公司 | A kind of key generation method and device of collaboration signature |
CN110098928B (en) * | 2019-05-08 | 2022-02-25 | 国家电网有限公司 | Key generation method and device for collaborative signature |
CN111046441A (en) * | 2019-10-31 | 2020-04-21 | 苏州浪潮智能科技有限公司 | Management method, equipment and medium for encrypted hard disk key |
CN112073200A (en) * | 2020-09-02 | 2020-12-11 | 北京五八信息技术有限公司 | Signature processing method and device |
CN112688784A (en) * | 2020-12-23 | 2021-04-20 | 安徽中科美络信息技术有限公司 | Digital signature and verification method, device and system |
CN112581285A (en) * | 2020-12-28 | 2021-03-30 | 上海万向区块链股份公司 | Block chain-based account generation method, system and medium in stock right transaction system |
CN113114646A (en) * | 2021-04-01 | 2021-07-13 | 深圳市腾讯网络信息技术有限公司 | Risk parameter determination method |
CN113114646B (en) * | 2021-04-01 | 2022-06-21 | 深圳市腾讯网络信息技术有限公司 | Risk parameter determination method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108199847B (en) | 2020-09-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11856104B2 (en) | Methods for secure credential provisioning | |
CN100432889C (en) | System and method providing disconnected authentication | |
EP2304636B1 (en) | Mobile device assisted secure computer network communications | |
CN108199847A (en) | Security processing method, computer equipment and storage medium | |
CN110460439A (en) | Information transferring method, device, client, server-side and storage medium | |
CN110417750A (en) | File based on block chain technology is read and method, terminal device and the storage medium of storage | |
CN107358441A (en) | Method, system and the mobile device and safety certificate equipment of payment verification | |
JP2008527905A (en) | Security code generation method, method using security code generation method, and programmable apparatus for security code generation method | |
CN108471352A (en) | Processing method, system, computer equipment based on distributed private key and storage medium | |
WO2018120938A1 (en) | Offline key transmission method, terminal and storage medium | |
CN110135175A (en) | Information processing, acquisition methods, device, equipment and medium based on block chain | |
CN110224834A (en) | Identity identifying method, decryption and ciphering terminal based on dynamic token | |
CN108599926A (en) | A kind of HTTP-Digest modified AKA identity authorization systems and method based on pool of symmetric keys | |
CN108173648A (en) | Security processing method, equipment and storage medium based on private key escrow | |
CN107707562A (en) | A kind of method, apparatus of asymmetric dynamic token Encrypt and Decrypt algorithm | |
CN100459495C (en) | Password dynamic enciphering inputmethod of public emipering mode | |
CN115276978A (en) | Data processing method and related device | |
CN109660344A (en) | Anti- quantum calculation block chain method of commerce and system based on unsymmetrical key pond route device | |
CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system | |
KR101834522B1 (en) | Apparatus for confirming data and method for confirming data using the same | |
JPWO2011058629A1 (en) | Information management system | |
CN115499118A (en) | Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium | |
Davaanaym et al. | A ping pong based one-time-passwords authentication system | |
WO2018052090A1 (en) | Transmission and reception system, transmission device, reception device, method, and computer program | |
JP5057270B2 (en) | Information verification method, information verification apparatus, and information verification system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |