CN108199847A - Security processing method, computer equipment and storage medium - Google Patents

Security processing method, computer equipment and storage medium Download PDF

Info

Publication number
CN108199847A
CN108199847A CN201711481208.XA CN201711481208A CN108199847A CN 108199847 A CN108199847 A CN 108199847A CN 201711481208 A CN201711481208 A CN 201711481208A CN 108199847 A CN108199847 A CN 108199847A
Authority
CN
China
Prior art keywords
client
key
parameter
server
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711481208.XA
Other languages
Chinese (zh)
Other versions
CN108199847B (en
Inventor
陈壹鹏
王胜男
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Original Assignee
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Authentication Technology Co Ltd, Age Of Security Polytron Technologies Inc filed Critical Guangdong Authentication Technology Co Ltd
Priority to CN201711481208.XA priority Critical patent/CN108199847B/en
Publication of CN108199847A publication Critical patent/CN108199847A/en
Application granted granted Critical
Publication of CN108199847B publication Critical patent/CN108199847B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A kind of security processing method, equipment and medium, the method for an embodiment include:Receive the digital signature request that client is sent;Digital signature response is returned to client, carries second, third client key generation parameter;The second user authorization message that client returns is received, carries second, third client key that client is generated respectively based on second, third client key generation parameter;Second, third server-side key is generated based on second, third client key and second, third server-side cipher generating parameter respectively;Private key ciphertext is obtained with the second private key ciphertext encrypted result that second service end secret key decryption stores, is signed with private key ciphertext to data to be signed and obtains digital signature result;Third private key ciphertext encrypted result is obtained with third server-side key encryption key ciphertext, third client key is generated into parameter, third server-side cipher generating parameter and third private key ciphertext encrypted result associated storage.This embodiment scheme improves safety.

Description

Security processing method, computer equipment and storage medium
Technical field
The present invention relates to technical field of cryptology, more particularly to a kind of security processing method, computer equipment and Computer storage media.
Background technology
It is Web bank, online working, online with the emergence of development and the E-Government e-commerce of Internet technology The business such as shopping have stepped into public life, and continuous promptly change and progress.It is being related to many key industry When business operation and the transmission of sensitive information, usually using digital signature technology, realize the integrity verification to data, it is anti-tamper with And the safeguard protections such as resisting denying.The intelligent ciphers such as bluetooth, tone code and NFC (near field communication (NFC)) in conventional internet Although being theoretically utilized in mobile internet device, it is various, compatible to be limited to type kind for key, intellective IC card equipment Difference, individual carries and use is cumbersome, causes user experience very poor, there is no popularizations to open.By PKI (Public Key Infrastructure) technologies and Commercial cipher chip is combined with wearable device, although the inconvenience of personal carrying can be reduced, when in use, still can Face the problem of compatibility is adapted to, operating procedure is various.
Invention content
Based on this, the embodiment of the present application is designed to provide a kind of security processing method, computer equipment and meter Calculation machine storage medium.
A kind of security processing method, including step:
Digital signature request is sent to server-side;
Receive the digital signature response that the server-side is returned based on the digital signature request, the digital signature response Carry the second client key generation parameter and third client key generation parameter;
Second client key is generated based on second client key generation parameter, it is close based on the third client Key generation parameter generation third client key, and send second user authorization message, the second user to the server-side Authorization message carries second client key, the third client key;
Receive the digital signature result that the server-side returns.
A kind of security processing method, including step:
Receive the digital signature request that client is sent;
Digital signature response is returned to the client, the digital signature response carries the second client key generation ginseng Number and third client key generate parameter;
The second user authorization message that the client returns is received, the second user authorization message carries the client End group is given birth in the second client key of second client key generation parameter generation, based on the third client key The third client key generated into parameter;
Based on second client key and second service end cipher generating parameter generation second service end key, described Third client key and third server-side cipher generating parameter generation third server-side key;
The the second private key ciphertext encrypted result stored using second service end secret key decryption obtains private key ciphertext, and It is signed with the private key ciphertext to data to be signed, obtains digital signature result;
The private key ciphertext is encrypted using the third server-side key, obtains third private key ciphertext encrypted result, and will The third client key generation parameter, the third server-side cipher generating parameter and third private key ciphertext encryption As a result associated storage.
A kind of computer equipment can be run on a memory and on a processor including memory, processor and storage The step of computer program, the processor realizes method as described above when performing described program.
A kind of computer readable storage medium, is stored thereon with computer program, which realizes when being executed by processor The step of method as described above.
Based on the scheme of embodiment as described above, by the private key escrow of signature in server-side, and signed each time During name, the private key ciphertext based on server-side trustship, client cooperates with completion to sign with server-side, and completes signature each time On the basis of, client further generates new client key, and server-side is based further on the new client key and service Key is held to generate new private key ciphertext encrypted result, realizes the update to the private key ciphertext encrypted result of storage accordingly so that is every The private key ciphertext encrypted result that the participation of the user of client is required for when once being signed and is used every time is all different, can Pretend to be user's signature to prevent server-side backstage personnel from retaining private key ciphertext, so as to further improve security processing Safety.
Description of the drawings
Fig. 1 is the schematic diagram of the application environment of a this embodiment scheme;
Fig. 2 is the flow diagram of the security processing method in one embodiment;
Fig. 3 is the flow diagram of the security processing method in a specific example;
Fig. 4 is the flow diagram of the security processing method in another embodiment;
Fig. 5 is the flow diagram of the security processing method in a specific example;
Fig. 6 is the interaction flow schematic diagram of the security processing in a specific example;
Fig. 7 is the flow diagram of the security processing method in another specific example;
Fig. 8 is the structure diagram of the computer equipment in one embodiment.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the object, technical solution and advantage for making the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and It is not used in restriction the application.
The schematic diagram of application environment that Fig. 1 is related to for application scheme in one embodiment, reference Fig. 1, the present embodiment Scheme is related to terminal 101, server-side 102, further relates to cipher machine 103, and terminal 101 passes through network connection, password with server-side 102 Machine 103 is only connect with server-side 102, and in some embodiments, cipher machine 103 may be set to be a part for server-side 102. Terminal 101 can be specifically that terminal console, mobile terminal and others can or be needed private key escrow to server-side 102 Equipment, mobile terminal can be specifically at least one of mobile phone, tablet computer, laptop etc., and server-side 120 can be with The server cluster formed with independent server or multiple servers is realized.In application scheme, terminal 101 and user It is interacted with server-side 102, realizes the input of user information, realize tying up for user and private key ciphertext together with server-side 102 Fixed and user licenses private key ciphertext.And server-side is interacted with terminal 101 and cipher machine 103, realizes private key for user It preserves and private key ciphertext is licensed in management, binding and user of the realization user with private key ciphertext.Wherein, which can Possess certificate and private key that authoritative institution issues.And cipher machine 103 is to generate encrypted private key ciphertext and export, import Encrypted private key ciphertext is signed, and can only be communicated with server-side 102.
Fig. 2 shows the flow diagram of the security processing method in one embodiment, the method in the embodiment Applied to the terminal 101 in above-mentioned Fig. 1 or the client being arranged in terminal 101.With reference to Fig. 2, the number in the embodiment Security processing includes the following steps S201 to step S204.
Step S201:Digital signature request is sent to server-side.
Terminal 101 can send the digital signature request at the time of any need is signed to server-side.Number label Can data to be signed, embodiments herein can also be carried with the relevant user information of the user of carried terminal in name request The concrete type and content of user information and data to be signed are not defined.
Step S202:Receive the digital signature response that the server-side is returned based on the digital signature request, the number Word signature response carries the second client key generation parameter and third client key generation parameter.
It can be that any terminal 101 can be used that second client key, which generates parameter and third client key generation parameter, To generate the parameter of client key.In a specific example, second client key generation parameter and third client Cipher generating parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in digital signature response and (be known as third in the present embodiment Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives To terminal 101 send information when, can be verified.The third certificate parameter can be any ginseng that can be verified Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated Or a combination thereof etc. any possible form.
Step S203:Second client key is generated based on second client key generation parameter, based on described the Three client keys generation parameter generation third client key, and send second user authorization message, institute to the server-side It states second user authorization message and carries second client key, the third client key.
Second client key is generated based on the second client key generation parameter, is generated and joined based on third client key The mode of number generation third client key is unlimited, such as can generate second with cipher key derivation function KDF, hash function etc. Client key, third client key.
In a specific example, the second client key is being generated based on the second client key generation parameter, is being based on Before third client key generation parameter generation third client key, step can also be included:Obtain CUSTOMER ID.It should CUSTOMER ID can be the PIN code (Personal Identification Number, personal recognition code) of terminal 101, The PIN code can be user's input by terminal 101.
In the case, the second client key is generated in above-mentioned the second client key generation parameter that is based on, based on the During three client keys generation parameter generation third client key, following manner progress may be used:Based on the described second visitor Family end cipher generating parameter and the CUSTOMER ID generate the second client key, are generated based on the third client key Parameter and CUSTOMER ID generation third client key.So as to combine the participation of CUSTOMER ID so that the of generation Two client keys, third client key have the direct participation of the user of client, are signed each time with further ensuring that Journey has the participation of client user.
In one embodiment, under further including third certificate parameter unanimous circumstances in the response of above-mentioned digital signature, Before sending second user authorization message to the server-side, step can also be included:Obtain the 4th verification ginseng input by user Number.At this point, in above-mentioned second user authorization message, the 4th certificate parameter is also carried.Correct situation is inputted in terminal user Under, the 4th certificate parameter should be identical with above-mentioned third certificate parameter.
In another embodiment, before the above-mentioned transmission second user authorization message to server-side, step can also be included Suddenly:The second user authorization message is encrypted using server-side CertPubKey.Thus to further improve safety.
Step S204:Receive the digital signature result that the server-side returns.
It is appreciated that the digital signature result can be that data to be signed are carried out based on the private key ciphertext that server-side stores The digital signature result that signature obtains.
Based on this embodiment scheme, during signature is performed, client obtains two client keys from server-side Parameter is generated, and two client keys are returned to server-side, so as to which server-side is decrypted based on one of client key In the case of going out private key ciphertext, it is also based on another client key and generates new private key ciphertext encrypted result, it is real accordingly Now to the update of the private key ciphertext encrypted result of storage so that be required for the participation of the user of client when being signed each time And the private key ciphertext encrypted result used every time is all different, can prevent server-side backstage personnel from retaining private key ciphertext encryption knot Fruit pretends to be user's signature, so as to further improve the safety of security processing.
In a specific example, the method in the present embodiment can also include step S301 as shown in Figure 3 to step S303。
Step S301:Private key escrow request is sent to the server-side.
Client can send private key escrow request, the private key support when any need carries out private key escrow to server-side It can be with the relevant user information of the user of carried terminal 101, not to the concrete type of user information in the present embodiment in pipe request It is defined with content.
Step S302:The private key escrow response that the server-side returns is received, the private key escrow response carries the first visitor Family end cipher generating parameter.
First client key generation parameter can be the parameter that any terminal 101 can be used to generation client key. In a specific example, first client key generation parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in private key escrow response and (be known as first in the present embodiment Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives To terminal 101 send information when, can be verified.First certificate parameter can be any ginseng that can be verified Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated Or a combination thereof any possible form.
Step S303:First client key is generated, and to server-side based on first client key generation parameter The first authorized user message is sent, first authorized user message carries first client key.
The mode that the first client key is generated based on the first client key generation parameter is unlimited, such as can use key Derivation function KDF, hash function etc. generate the first client key.
In a specific example, before the first client key is generated based on the first client key generation parameter, It can also include step:Obtain CUSTOMER ID.The CUSTOMER ID can be the PIN code of terminal 101, which can be It is inputted by the user of terminal 101.
In the case, it is above-mentioned be based on the first client key generation parameter and generate the first client key when, can be with It is carried out using following manner:Parameter is generated based on first client key and the CUSTOMER ID generates the first client Key.So as to combine the participation of CUSTOMER ID so that the first client key of generation has the direct ginseng of the user of client With.
In one embodiment, under further including the first certificate parameter unanimous circumstances in the response of above-mentioned private key escrow, Before sending the first authorized user message to the server-side, step can also be included:Obtain the second verification ginseng input by user Number.At this point, in above-mentioned first authorized user message, second certificate parameter is also carried.Correct situation is inputted in terminal user Under, which should be identical with above-mentioned first certificate parameter.
In another embodiment, before above-mentioned the first authorized user message of transmission to server-side, step can also be included Suddenly:First authorized user message is encrypted using server-side CertPubKey.Thus to further improve safety.
Fig. 4 shows the flow diagram of the security processing method of another embodiment, which is in Fig. 1 It is illustrated for the processing procedure of shown server-side 102.As shown in figure 3, the method in the embodiment includes step S401 To step S406.
Step S401:Receive the digital signature request that client is sent.
Client in terminal 101 can send the number label at the time of any need is digitally signed to server-side Name request.Can data to be signed can also be carried with the relevant user information of the user of carried terminal in digital signature request, this The embodiment of application is not defined the concrete type and content of user information and data to be signed.
Step S402:Digital signature response is returned to the client, the digital signature response carries the second client Cipher generating parameter and third client key generation parameter.
It can be that any terminal 101 can be used that second client key, which generates parameter and third client key generation parameter, To generate the parameter of client key.In a specific example, second client key generation parameter and third client Cipher generating parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in digital signature response and (be known as third in the present embodiment Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives To terminal 101 send information when, can be verified.The third certificate parameter can be any ginseng that can be verified Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated Or a combination thereof etc. any possible form.
Step S403:The second user authorization message that the client returns is received, the second user authorization message is taken With second client key of the client based on second client key generation parameter generation, based on third visitor The third client key of family end cipher generating parameter generation.
Any possible mode can be used to be based on the generation parameter generation of the second client key in client in terminal 101 Second client key, based on third client key generation parameter generation third client key, such as with key derivation letter Number KDF, hash function etc..Can be based on the second client key generation parameter and user's identification in a specific example Code the second client key of generation generates parameter and CUSTOMER ID generation third client based on third client key Key.The CUSTOMER ID can be the PIN code of terminal 101, which can voluntarily be obtained from terminal 101, can be by User's input of terminal 101.
In one embodiment, under further including third certificate parameter unanimous circumstances in the response of above-mentioned digital signature, on It states in second user authorization message, also carries the 4th certificate parameter input by user.It is correct in terminal user's input, 4th certificate parameter should be identical with above-mentioned third certificate parameter.
Therefore, in the case, before next step S404 is entered, step can also be included:Verify that the described 4th tests Demonstrate,prove the consistency of parameter and third certificate parameter.And in the case where verifying the 4th certificate parameter and third certificate parameter unanimous circumstances, Next step S404 is entered back into, otherwise return to failure information to client or directly exits current digital signature flow.
In one example, have in client and the second user authorization message is added using server-side CertPubKey In the case of close, after second user authorization message is received, into next step processing procedure (such as step S404) it Before, step can also be included:The second user authorization message is decrypted using server-side certificate and private key.
Step S404:Based on second client key and second service end cipher generating parameter generation second service end Key, based on the third client key and third server-side cipher generating parameter generation third server-side key.
Server-side is based on the second client key and second service end cipher generating parameter generation second service end key, base It is unlimited in the mode of third client key and third server-side cipher generating parameter generation third server-side key, such as can be with With generations such as cipher key derivation function KDF, hash functions.
Step S405:The the second private key ciphertext encrypted result stored using second service end secret key decryption is obtained private Key ciphertext, and signed with the private key ciphertext to data to be signed, obtain digital signature result.
Wherein, the second private key ciphertext encrypted result here, can in the case where being not carried out any once signed process To be the private key ciphertext encrypted result generated during above-mentioned private key escrow application success.There is the situation that performed digital signature procedure Under, can be then the private key ciphertext encrypted result updated storage after last digital signature is successful.
In one embodiment, it is signed with private key ciphertext to data to be signed, obtains the mode of digital signature result It can include:
CIPHERING REQUEST is sent to cipher machine, CIPHERING REQUEST carries the data to be signed and the private key ciphertext;This waits to sign Name data can be carried in above-mentioned digital signature request, be sent to server-side by client, server-side can also be passed through Other modes obtain the data to be signed;
Receive the number that using the private key ciphertext data to be signed are carried out with signature acquisition that the cipher machine returns Word signature result.
Step S406:The private key ciphertext is encrypted using the third server-side key, obtains the encryption of third private key ciphertext As a result, and the third client key is generated into parameter, the third server-side cipher generating parameter and third private Key ciphertext encrypted result associated storage.
The private key ciphertext can be the private key ciphertext parsed to the second private key ciphertext encrypted result.
Wherein, here private to third client key generation parameter, third server-side cipher generating parameter and third The associated storage of key ciphertext encrypted result can be the second client key generation parameter stored to server-side, second The update of server-side cipher generating parameter and the second private key ciphertext encrypted result.I.e. it is close no longer to store the second client for server-side Key generation parameter, second service end cipher generating parameter and the second private key ciphertext encrypted result, but store associated third Client key generation parameter, third server-side cipher generating parameter and third private key ciphertext encrypted result, so that it is guaranteed that Each time after digital signature, the participation of the server-side always user based on terminal generates new private key ciphertext encrypted result, really Used private key ciphertext encrypted result is all different when guarantor's server-side is signed every time, can prevent server-side backstage personnel Retain private key ciphertext encrypted result to pretend to be user's signature, further improve the safety of security processing.
In one embodiment, the method for the present embodiment can also include step S501 as shown in Figure 5 to step S504.
Step S501:Receive the private key escrow request that the client is sent.
Client can send private key escrow request, the private key support when any need carries out private key escrow to server-side It can be with the relevant user information of the user of carried terminal 101, not to the concrete type of user information in the present embodiment in pipe request It is defined with content.
Step S502:The private key escrow returned to the client responds, and the private key escrow response carries the first client Hold cipher generating parameter.
First client key generation parameter can be the parameter that any terminal 101 can be used to generation client key. In a specific example, first client key generation parameter may each be the random number generated at random.
In one embodiment, certificate parameter can also be carried in private key escrow response and (be known as first in the present embodiment Certificate parameter), which is inputted with the user for terminal 101, in order to which next step server-side 102 receives To terminal 101 send information when, can be verified.First certificate parameter can be any ginseng that can be verified Number, the random number such as generated at random, the form of the random number can be unlimited, number, Chinese character, the character string that can be randomly generated Or a combination thereof any possible form.
Step S503:The first authorized user message that the client returns is received, first authorized user message is taken The first client key based on first client key generation parameter generation with the client.
The mode that client generates the first client key based on the first client key generation parameter is unlimited, such as can be with The first client key is generated with cipher key derivation function KDF, hash function etc..
In a specific example, client is generating the first client key based on the first client key generation parameter When, can be that the first client key is generated based on the first client key generation parameter and CUSTOMER ID.The user identifies Code can be the PIN code of terminal 101, which can be user's input by terminal 101.So as to combine CUSTOMER ID It participates in so that the first client key of generation has the direct participation of the user of client.
In one embodiment, under further including the first certificate parameter unanimous circumstances in the response of above-mentioned private key escrow, on It states in the first authorized user message, also carries the second certificate parameter input by user.It is correct in terminal user's input, Second certificate parameter should be identical with above-mentioned first certificate parameter.
Therefore, in the case, before next step S504 is entered, step can also be included:Verify that described second tests Demonstrate,prove the consistency of parameter and the first certificate parameter.And in the case where verifying the second certificate parameter and the first certificate parameter unanimous circumstances, Next step S504 is entered back into, otherwise return to failure information to client or directly exits current private key escrow application stream Journey.
In one example, have in client and first authorized user message is added using server-side CertPubKey In the case of close, after the first authorized user message is received, into next step processing procedure (such as step S504) it Before, step can also be included:First authorized user message is decrypted using server-side certificate and private key.
Step S504:Private key ciphertext is obtained, based on first client key and first service end cipher generating parameter First service end key is generated, the private key ciphertext is encrypted using first service end key, the first private key ciphertext is obtained and adds Close result.
In one embodiment, obtaining the mode of private key ciphertext can include:
Private key ciphertext, which is sent, to cipher machine obtains request;
Receive the private key ciphertext that the cipher machine obtains request return based on the private key ciphertext.
After the first private key ciphertext encrypted result is obtained, the first client key can be generated parameter, first service end Cipher generating parameter and the first private key ciphertext encrypted result are associated storage, are processed for subsequent digital signature Journey.
Based on embodiment as described above, it may be determined that embodiments herein is by the signature private key trustship of terminal user In server-side, data to be signed are sent to server-side when needing to be digitally signed, after completing digital signature by server-side Signature value is returned to user, so as to fulfill digital signature.Wherein, the private key signed can be given birth to by the cipher machine of server-side Into and export, and export private key can be private key ciphertext, by the private key encryption inside cipher machine, to improve safety.For private Key ciphertext, the client that server-side reuses CUSTOMER ID (PIN code) and client is derived based on cipher generating parameter Key is encrypted, and often carries out once signed operation, all private key ciphertext of re-encrypted, it is ensured that the only participation of user, Signature could be completed, improves the safety of security processing.
Based on embodiment as described above, illustrated in greater detail is carried out below in conjunction with two of which specific example.The application The scheme being related to is related to two digital security processes during the technology of a specific example is realized:Trustship private key Shen Please with trustship private key signature, it is illustrated below in conjunction with the two processes.
Fig. 6 shows the interaction flow schematic diagram of the security processing in a specific example, is in the specific example It is illustrated by taking the processing procedure of trustship private key application as an example.
With reference to shown in Fig. 6, during a specific application server-side trustship private key, the user of terminal 101 first beats The client of terminal 101 is opened, and passes through the associated button clicked in client, control etc. and sends out trustship private key application instruction, visitor Family end sends private key escrow request after trustship private key application instruction is received, to server-side.It can in private key escrow request With the relevant user information of the user of carried terminal 101, the concrete type of user information and content are not carried out in the present embodiment It limits.
After server-side receives private key escrow request, generation the first certificate parameter (can be random number) r1, the first client Hold cipher generating parameter (can be random number) r2 and first service end cipher generating parameter (can be random number) r3.So Afterwards, server-side returns to private key escrow response to client, and the visitors of the first certificate parameter r1 and first are included in private key escrow response Family end cipher generating parameter r2.
After client receives private key escrow response, the first certificate parameter r1 can be shown, and user is prompted to input Certificate parameter r1 and CUSTOMER ID (PIN code).The user of client can be based on prompting input validation parameter r1 and PIN code.
Then, client is based on the first client key generation parameter r2 and PIN code, calculates the first client key A: A=f1 (PIN, r2), wherein, function f1 can be any function that can be used to generation key, such as cipher key derivation function KDF, breathe out Uncommon function etc..
Client utilizes server-side digital certificate, to the second certificate parameter r1 ' input by user and the first client key A It is encrypted, result B after being encrypted.Then the first authorized user message is sent to server-side, which includes Result B after the encryption.
After server-side receives first authorized user message, using result B after the decryption encryption of server-side certificate and private key, obtain The client key A ' after the second certificate parameter r1 ' and decryption after to decryption.
After decryption, server-side first compares the second certificate parameter r1 ' after decryption and the first certificate parameter r1 being locally stored Whether consistent, if it is inconsistent, returning to error result, sending private key ciphertext to cipher machine if consistent obtains request, and Receive the private key ciphertext D that cipher machine returns.
Then, server-side is according to the first client key A ' after decryption and first service end cipher generating parameter r3, meter Calculate first service end ciphering key:C=f2 (A ', r3), wherein, function f2 () can be it is any can be generating the letter of key Number, such as cipher key derivation function KDF, hash function.The function f2 () of server-side generation server-side key and client generation visitor The function f1 () of family end key can be identical function or different functions.
Then, server-side utilizes first service end ciphering key encryption key ciphertext D, obtains the first private key ciphertext encrypted result Any possible Encryption Algorithm may be used in E, when encryption, as AES (Advanced Encryption Standard, it is advanced plus Data Encryption Standard)/DES (Data Encryption Algorithm, data encryption algorithm)/3DES (triple data encryption algorithm)/ SM4 (a kind of national secret algorithm) etc., the present embodiment is not specifically limited.
After the first private key ciphertext encrypted result E is obtained, client key is generated parameter r2, server-side key by server-side Generate parameter r3 and private key ciphertext encrypted result E associated storages.And private key escrow is returned as a result, the private key escrow to client As a result it can be successfully the information of trustship private key.
After the success trustship private key of client 101 of server-side 102, subsequent terminal 101 when being signed, It can be digitally signed by private key of the server-side 101 based on trustship.It is shown in Fig. 7 at the security in a specific example The interaction flow schematic diagram of reason method in the embodiment is illustrated by taking the iterative process being digitally signed as an example.
As shown in fig. 7, one it is specific be digitally signed during, the user of terminal 101 first opens a terminal 101 Client, and pass through the associated button clicked in client, control etc. and send out signature command.Client is receiving the signature After instruction, digital signature request is sent to server-side, can be used in the digital signature request with the correlation of the user of carried terminal 101 Family information can also carry data to be signed, and embodiments herein is not to the concrete kind of user information and data to be signed Type and content are defined.
After server-side receives the digital signature request, the second client key for reading out storage generates parameter, second Server-side cipher generating parameter and the second private key ciphertext encrypted result, in the situation for being not carried out any digital signature Under, the second client key generation parameter, second service end cipher generating parameter and the encryption of the second private key ciphertext of the storage As a result the first client key to be stored during above-mentioned application private key escrow generates parameter r2, the life of first service end key Into parameter r3 and the first private key ciphertext encrypted result E1.
Then, server-side generates new third certificate parameter r4, new third client key generates parameter r5 and new Server-side cipher generating parameter r6.Then, server-side returns to digital signature response to client, is taken in digital signature response With the second client key generation parameter r2, third certificate parameter r4 and third client key generation parameter r5.
After client receives digital signature response, third certificate parameter r4 can be shown, and user is prompted to input Certificate parameter r4 and CUSTOMER ID (PIN code).The user of client can be based on prompting input validation parameter r4 and PIN code.
Then, client generates parameter r2 and PIN code according to the second client key, calculates the second client key A1:A1=f1 (PIN, r2), wherein, function f1 () can be it is any can be used to generation key function, such as cipher key derivation function KDF, hash function etc..
In addition, client generates parameter r5 and PIN code also according to third client key, third client key is calculated A2:A2=f1 (PIN, r5), function f1 () can be it is any can be used to generation key function, as cipher key derivation function KDF, Hash function etc..
Then, client utilizes server-side digital certificate, to the 4th certificate parameter r4 ' input by user, the second client Key A 1 and third client key A2 are encrypted, result B after being encrypted.Then second user mandate is sent to server-side Information, the second user authorization message carry result B after the encryption.
After server-side receives the second user authorization message, using result B after the decryption encryption of server-side certificate and private key, obtain The second client key A1 ' after the 4th certificate parameter r4 ', decryption after to decryption and the third client key after decryption A2′;
After decryption, server-side first compares the 4th certificate parameter r4 ' after decryption and the third certificate parameter r4 being locally stored It is whether consistent, if it is inconsistent, return to error result, according to the of the second client key A1 ' and storage if consistent Two server-side cipher generating parameter r3, calculate second service end ciphering key 1:C1=f2 (A1 ', r3), function f2 () can be It is any can be generating the function of key, such as cipher key derivation function KDF, hash function.Server-side generates server-side key The function f1 () of function f2 () and client generation client key can be identical function or different letters Number.
Then, the second private key ciphertext encrypted result that server-side is stored using the decryption of second service end ciphering key 1 of generation E1 obtains private key ciphertext D ', it will be understood that the decipherment algorithm being decrypted should with the Encryption Algorithm that private key ciphertext is encrypted When being consistent.
After private key ciphertext D ' after being decrypted, private key ciphertext D ' of the server-side end group after decryption to data to be signed into Row signature, obtains digital signature result.Can signature process be completed with combining cipher machine in one specific example, it specifically can be with It is:Server-side sends CIPHERING REQUEST to cipher machine, and CIPHERING REQUEST carries data to be signed and private key ciphertext D ', used by cipher machine Private key ciphertext D ' signs to data to be signed, obtains digital signature result, and return to server-side.Server-side is voluntarily counted It calculates after obtaining digital signature result or obtaining the digital signature result that cipher machine returns, which can be returned to Client, so as to complete digital signature procedure.
On the other hand, after digital signature result is obtained, server-side can also be further according to the third obtained after decryption Client key A2 ' and newly-generated third server-side cipher generating parameter r6, calculates third server-side ciphering key 2:C2=f2 (A2 ', r6), the function f1 () of function f2 () and client the generation client key of server-side generation server-side key can be with It is identical function or different functions.
After obtaining third server-side ciphering key 2, server-side encrypts what is obtained after above-mentioned decryption using third server-side ciphering key 2 Private key ciphertext D ', obtains third private key ciphertext encrypted result E2, and any possible Encryption Algorithm, such as AES/ may be used in when encryption DES/3DES/SM4 etc..
Then, server-side is by third client key generation parameter r5, third server-side cipher generating parameter r6 and the Three private key ciphertext encrypted result E2 are associated storage, with the second client key generation parameter r2, the second clothes updated storage Be engaged in cipher generating parameter r3 and the second private key ciphertext encrypted result E1.I.e. server-side no longer stores the second client key generation ginseng Number r2, second service cipher generating parameter r3 and the second private key ciphertext encrypted result E1, but store associated third client Cipher generating parameter r5, third server-side cipher generating parameter r6 and third private key ciphertext encrypted result E2, so that it is guaranteed that often After digital signature, the participation of user of the server-side always based on terminal 101 generates new private key ciphertext encrypted result, really Used private key ciphertext encrypted result is all different when guarantor's server-side is digitally signed every time, can prevent server-side backstage Personnel retain private key ciphertext to pretend to be user's signature, so as to further improve the safety of security processing.
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment packet The computer program that includes memory, processor and storage on a memory and can run on a processor, wherein, processor performs It is realized during described program such as the method for any one embodiment in the various embodiments described above.
Fig. 8 shows the internal structure chart of one embodiment Computer equipment.The computer equipment can be specifically Fig. 1 In terminal 101 or server-side 102.As shown in figure 8, the computer equipment include the processor connected by system bus, Memory, network interface and input unit.Wherein, memory includes non-volatile memory medium and built-in storage.The computer The non-volatile memory medium of equipment is stored with operating system, can also be stored with computer program, which is handled When device performs, it may be such that processor realizes security processing method.Also computer program can be stored in the built-in storage, it should When computer program is executed by processor, it may be such that processor performs security processing method.
It will be understood by those skilled in the art that the structure shown in Fig. 8, only part knot relevant with application scheme The block diagram of structure does not form the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment It can include either combining certain components than components more or fewer shown in figure or be arranged with different components.
One of ordinary skill in the art will appreciate that realizing all or part of flow in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, it is non-volatile computer-readable that the program can be stored in one It takes in storage medium, in the embodiment of the present invention, which can be stored in the storage medium of computer system, and be calculated by this At least one of machine system processor performs, to realize the flow for including the embodiment such as above-mentioned each method.Wherein, it is described Storage medium can be magnetic disc, CD, read-only memory (Read-Only Memory, ROM) or random access memory (Random Access Memory, RAM) etc..
Accordingly, a kind of storage medium is also provided in one embodiment, is stored thereon with computer program, wherein, the journey It is realized when sequence is executed by processor such as the scalar product protocol processing method of any one embodiment in the various embodiments described above.
Each technical characteristic of embodiment described above can be combined arbitrarily, to make description succinct, not to above-mentioned reality It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited In contradiction, it is all considered to be the range of this specification record.
Embodiment described above only expresses the several embodiments of the present invention, and description is more specific and detailed, but simultaneously It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that those of ordinary skill in the art are come It says, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to the protection of the present invention Range.Therefore, the protection domain of patent of the present invention should be determined by the appended claims.

Claims (10)

1. a kind of security processing method, which is characterized in that including step:
Digital signature request is sent to server-side;
The digital signature response that the server-side is returned based on the digital signature request is received, the digital signature response carries Second client key generates parameter and third client key generation parameter;
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key Third client key is generated, and second user authorization message, the second user mandate are sent to the server-side into parameter Information carries second client key, the third client key;
Receive the digital signature result that the server-side returns.
2. according to the method described in claim 1, it is characterised in that it includes it is following it is every at least one of:
First item:
The digital signature response also carries third certificate parameter;
Before second user authorization message is sent to the server-side, step is further included:Obtain the 4th verification input by user Parameter;
The second user authorization message also carries the 4th certificate parameter;
Section 2:
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key Before generating third client key into parameter, step is further included:Obtain CUSTOMER ID;
Second client key is generated based on second client key generation parameter, is given birth to based on the third client key The step of generating third client key into parameter includes:Parameter is generated based on second client key and the user knows Other code generates the second client key, and parameter and CUSTOMER ID generation third are generated based on the third client key Client key;
Section 3:
Before second user authorization message is sent to the server-side, step is further included:
The second user authorization message is encrypted using server-side CertPubKey.
3. method according to claim 1 or 2, which is characterized in that before sending digital signature request to server-side, also wrap Include step;
Private key escrow request is sent to the server-side;
The private key escrow response that the server-side returns is received, the private key escrow response carries the first client key generation ginseng Number;
First client key is generated, and send the first user to server-side and award based on first client key generation parameter Information is weighed, first authorized user message carries first client key.
4. according to the method described in claim 3, it is characterised in that it includes it is following it is every at least one of:
First item:
The private key escrow response also carries the first certificate parameter;
Before the first authorized user message is sent to the server-side, step is further included:Obtain the second verification input by user Parameter;
First authorized user message also carries second certificate parameter;
Section 2:
Before generating the first client key based on first client key generation parameter, step is further included:Obtain user Identification code;
The step of generating the first client key based on first client key generation parameter includes:Based on the described first visitor Family end cipher generating parameter and the CUSTOMER ID generate the first client key;
Section 3:
Before the first authorized user message is sent to the server-side, step is further included:
First authorized user message is encrypted using server-side CertPubKey.
5. a kind of security processing method, which is characterized in that including step:
Receive the digital signature request that client is sent;
Return to digital signature response to the client, digital signature response carry the second client key generation parameter and Third client key generates parameter;
The second user authorization message that the client returns is received, the second user authorization message carries client's end group The second client key of parameter generation is generated in second client key, based on third client key generation ginseng The third client key of number generation;
Based on second client key and second service end cipher generating parameter generation second service end key, based on described Third client key and third server-side cipher generating parameter generation third server-side key;
Using second service end secret key decryption store the second private key ciphertext encrypted result, obtain private key ciphertext, and use this Private key ciphertext signs to data to be signed, obtains digital signature result;
The private key ciphertext is encrypted using the third server-side key, obtains third private key ciphertext encrypted result, and by described in Third client key generation parameter, the third server-side cipher generating parameter and the third private key ciphertext encrypted result Associated storage.
6. according to the method described in claim 5, it is characterised in that it includes it is following it is every at least one of:
First item:
The digital signature response also carries third certificate parameter;
The second user authorization message also carries the 4th certificate parameter input by user;
Based on second client key and second service end cipher generating parameter generation second service end key, described the Before three client keys and third server-side cipher generating parameter generation third server-side key, step is further included:Verification institute State the consistency of the 4th certificate parameter and the third certificate parameter;
Section 2:
After second user authorization message is received, before generating second service end key and third server-side key, also wrap Include step:The second user authorization message is decrypted using server-side certificate and private key;
Section 3:
It is signed with the private key ciphertext to data to be signed, the mode for obtaining digital signature result includes:
CIPHERING REQUEST is sent to cipher machine, the CIPHERING REQUEST carries the data to be signed and the private key ciphertext;
The number for carrying out the data to be signed using the private key ciphertext signature acquisition that the cipher machine returns is received to sign Name result.
7. method according to claim 5 or 6, which is characterized in that before receiving the digital signature request that client is sent, Further include step:
Receive the private key escrow request that the client is sent;
The private key escrow returned to the client responds, and the private key escrow response carries the first client key generation ginseng Number;
The first authorized user message that the client returns is received, first authorized user message carries client's end group In the first client key of first client key generation parameter generation;
Private key ciphertext is obtained, based on first client key and first service end cipher generating parameter generation first service end Key encrypts the private key ciphertext using first service end key, obtains the first private key ciphertext encrypted result.
8. the method according to the description of claim 7 is characterized in that further include at least one in following items:
First item:
The private key escrow response also carries the first certificate parameter;First authorized user message also carries input by user Two certificate parameters;
Before based on first client key and first service end cipher generating parameter generation first service end key, also Including step:Verify the consistency of second certificate parameter and first certificate parameter;
Section 2:
After the first authorized user message is received, before the key of generation first service end, step is further included:Using server-side Certificate and private key decrypts first authorized user message;
Section 3:
The mode for obtaining private key ciphertext includes:
Private key ciphertext, which is sent, to cipher machine obtains request;
Receive the private key ciphertext that the cipher machine obtains request return based on the private key ciphertext.
9. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor Calculation machine program, which is characterized in that the processor realizes any one of claim 1 to 8 the method when performing described program Step.
10. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor The step of any one of claim 1 to 8 the method is realized during execution.
CN201711481208.XA 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium Active CN108199847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711481208.XA CN108199847B (en) 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711481208.XA CN108199847B (en) 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium

Publications (2)

Publication Number Publication Date
CN108199847A true CN108199847A (en) 2018-06-22
CN108199847B CN108199847B (en) 2020-09-01

Family

ID=62586849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711481208.XA Active CN108199847B (en) 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium

Country Status (1)

Country Link
CN (1) CN108199847B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110098928A (en) * 2019-05-08 2019-08-06 国家电网有限公司 A kind of key generation method and device of collaboration signature
CN111046441A (en) * 2019-10-31 2020-04-21 苏州浪潮智能科技有限公司 Management method, equipment and medium for encrypted hard disk key
CN112073200A (en) * 2020-09-02 2020-12-11 北京五八信息技术有限公司 Signature processing method and device
CN112581285A (en) * 2020-12-28 2021-03-30 上海万向区块链股份公司 Block chain-based account generation method, system and medium in stock right transaction system
CN112688784A (en) * 2020-12-23 2021-04-20 安徽中科美络信息技术有限公司 Digital signature and verification method, device and system
CN113114646A (en) * 2021-04-01 2021-07-13 深圳市腾讯网络信息技术有限公司 Risk parameter determination method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
CN101212293A (en) * 2006-12-31 2008-07-02 普天信息技术研究院 Identity authentication method and system
CN101547095A (en) * 2009-02-11 2009-09-30 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
US20100082985A1 (en) * 2008-09-26 2010-04-01 Bluetie, Inc. Methods for integrating security in network communications and systems thereof
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN102571355A (en) * 2012-02-02 2012-07-11 飞天诚信科技股份有限公司 Method and device for importing secret key without landing

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212293A (en) * 2006-12-31 2008-07-02 普天信息技术研究院 Identity authentication method and system
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
US20100082985A1 (en) * 2008-09-26 2010-04-01 Bluetie, Inc. Methods for integrating security in network communications and systems thereof
CN101547095A (en) * 2009-02-11 2009-09-30 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN102571355A (en) * 2012-02-02 2012-07-11 飞天诚信科技股份有限公司 Method and device for importing secret key without landing

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110098928A (en) * 2019-05-08 2019-08-06 国家电网有限公司 A kind of key generation method and device of collaboration signature
CN110098928B (en) * 2019-05-08 2022-02-25 国家电网有限公司 Key generation method and device for collaborative signature
CN111046441A (en) * 2019-10-31 2020-04-21 苏州浪潮智能科技有限公司 Management method, equipment and medium for encrypted hard disk key
CN112073200A (en) * 2020-09-02 2020-12-11 北京五八信息技术有限公司 Signature processing method and device
CN112688784A (en) * 2020-12-23 2021-04-20 安徽中科美络信息技术有限公司 Digital signature and verification method, device and system
CN112581285A (en) * 2020-12-28 2021-03-30 上海万向区块链股份公司 Block chain-based account generation method, system and medium in stock right transaction system
CN113114646A (en) * 2021-04-01 2021-07-13 深圳市腾讯网络信息技术有限公司 Risk parameter determination method
CN113114646B (en) * 2021-04-01 2022-06-21 深圳市腾讯网络信息技术有限公司 Risk parameter determination method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN108199847B (en) 2020-09-01

Similar Documents

Publication Publication Date Title
US11856104B2 (en) Methods for secure credential provisioning
CN100432889C (en) System and method providing disconnected authentication
EP2304636B1 (en) Mobile device assisted secure computer network communications
CN108199847A (en) Security processing method, computer equipment and storage medium
CN110460439A (en) Information transferring method, device, client, server-side and storage medium
CN110417750A (en) File based on block chain technology is read and method, terminal device and the storage medium of storage
CN107358441A (en) Method, system and the mobile device and safety certificate equipment of payment verification
JP2008527905A (en) Security code generation method, method using security code generation method, and programmable apparatus for security code generation method
CN108471352A (en) Processing method, system, computer equipment based on distributed private key and storage medium
WO2018120938A1 (en) Offline key transmission method, terminal and storage medium
CN110135175A (en) Information processing, acquisition methods, device, equipment and medium based on block chain
CN110224834A (en) Identity identifying method, decryption and ciphering terminal based on dynamic token
CN108599926A (en) A kind of HTTP-Digest modified AKA identity authorization systems and method based on pool of symmetric keys
CN108173648A (en) Security processing method, equipment and storage medium based on private key escrow
CN107707562A (en) A kind of method, apparatus of asymmetric dynamic token Encrypt and Decrypt algorithm
CN100459495C (en) Password dynamic enciphering inputmethod of public emipering mode
CN115276978A (en) Data processing method and related device
CN109660344A (en) Anti- quantum calculation block chain method of commerce and system based on unsymmetrical key pond route device
CN110098925A (en) Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system
KR101834522B1 (en) Apparatus for confirming data and method for confirming data using the same
JPWO2011058629A1 (en) Information management system
CN115499118A (en) Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium
Davaanaym et al. A ping pong based one-time-passwords authentication system
WO2018052090A1 (en) Transmission and reception system, transmission device, reception device, method, and computer program
JP5057270B2 (en) Information verification method, information verification apparatus, and information verification system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant