CN109560933B - Authentication method and system based on digital certificate, storage medium and electronic equipment - Google Patents

Publication number
CN109560933B
Authority
CN
China
Legal status
Active
Application number
CN201811186820.9A
Other languages
Chinese (zh)
Other versions
CN109560933A (en)
Inventor
孙曦
落红卫
Current Assignee
Ant Rongxin Chengdu Network Technology Co ltd
Original Assignee
Ant Rongxin Chengdu Network Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

One or more embodiments of the present specification provide a digital certificate-based authentication method in which: a mobile terminal interacts with a server side so that data to be signed is generated at the server side; the trusted application server on the server side packages the data to be signed and returns it to the mobile terminal; the mobile terminal verifies the packaged data to be signed with a secret key shared by the mobile terminal and the trusted application server and, after the verification passes, signs it with the private key of a user certificate; and the mobile terminal returns the signed data to the server side, where the signed data is verified using the public key of the user digital certificate. One or more embodiments of the present specification also relate to a digital certificate-based authentication system, a storage medium, and an electronic device. In one or more embodiments of the present description, the data to be signed is first sent to the server for security encapsulation, then returned to the mobile application and sent to the digital certificate application for signature, so as to carry out digital certificate authentication.

Description

Authentication method and system based on digital certificate, storage medium and electronic equipment
Technical Field
One or more embodiments of the present disclosure relate to the field of mobile terminal digital certificate authentication, and in particular, to a digital certificate-based authentication method and system, a storage medium, and an electronic device.
Background
With the development of mobile internet services, the security requirements for user identity authentication are becoming increasingly strict. Digital certificate applications are a typical means of user identity authentication. In the traditional digital certificate application, an independent certificate hardware carrier is issued to the user, with the private key corresponding to the user certificate stored in the carrier; at the transaction confirmation step of a network service, the user signs with the certificate, thereby achieving identity authentication. In the mobile internet stage, the user's digital certificate application can be built into a security unit in the user's mobile terminal, and when the user's identity needs to be authenticated, the built-in digital certificate is called to perform the signature operation. However, this usage mode in the mobile terminal currently has a security hole: for example, security cannot be guaranteed while the data to be signed is transferred within the mobile terminal, and in particular, when the mobile application passes the data to the digital certificate application located in the security unit, the data to be signed may be tampered with. Therefore, there is a need to provide a more reliable solution.
In the prior art, a possible security enhancement method is to share a security key in the mobile application and the digital certificate application for performing encryption protection on the transmitted data to be signed, however, since the security protection strength of the mobile application itself is not sufficient, there is still a possibility that the security key is revealed, so the security enhancement method is still not sufficient.
Disclosure of Invention
To address at least one of the above technical problems, one or more embodiments of the present specification provide a digital certificate-based authentication method and system, an electronic device, and a storage medium, which can, to some extent, ensure the security of the data to be signed while it is transmitted from a mobile application to a digital certificate application in a mobile terminal, so that it is not maliciously tampered with.
To achieve the above object, one or more embodiments of the present specification provide a digital certificate-based authentication method, including the steps of:
S1, the mobile terminal sends a signature request to the server side for generating data to be signed at the server side;
S2, the trusted application server on the server side packages the data to be signed and returns the data to the mobile terminal;
S3, the mobile terminal unseals and verifies the packaged data to be signed through a secret key shared by the mobile terminal and the trusted application server, and the data to be signed is signed by using a private key of a user certificate after the verification is passed;
and S4, the mobile terminal returns the signed data to the server side, and verifies the signed data by using the public key of the user digital certificate.
Further, step S2 includes the following sub-steps:
S21, the mobile application server responds to the mobile terminal signature request and generates data to be signed;
S22, the trusted application server receives the data to be signed and uses the server key in the trusted application server to carry out first packaging;
S23, the trusted application server returns the first packaged data to be signed to the mobile application server;
and S24, the mobile application server returns the first packaged data to be signed to the mobile application in the mobile terminal.
Further, step S3 includes the following sub-steps:
S31, the mobile application in the mobile terminal sends the first packaged data to be signed to the digital certificate application in the mobile terminal;
and S32, the digital certificate application uses the secret key shared with the trusted application server to unseal the data and carry out third verification, and signs with the private key of the user certificate after the third verification passes.
Further, step S4 includes the following sub-steps:
S41, the data signed with the user digital certificate is returned to the mobile application in the mobile terminal;
S42, the mobile application in the mobile terminal returns the signed data to the mobile application server;
and S43, the mobile application server uses the public key of the user digital certificate to verify the signed data.
Further, step S3 further includes the following sub-steps:
S33, the mobile application in the mobile terminal sends the first packaged data to be signed to a trusted application in the mobile terminal;
S34, the trusted application in the mobile terminal uses the key negotiated with the trusted application server to unseal the packaged data to be signed and carry out first verification of data integrity, and after the first verification passes, the key shared by the trusted application in the mobile terminal and the digital certificate application is used to carry out second packaging;
S35, the trusted application in the mobile terminal sends the second packaged data to be signed to the digital certificate application in the mobile terminal;
and S36, the digital certificate application in the mobile terminal uses the secret key shared with the trusted application in the mobile terminal to unseal the data and carry out second verification, and signs with the private key of the user certificate after the second verification passes.
Further, step S4 further includes the following sub-steps:
S44, the data signed with the user digital certificate in the mobile terminal is returned to the trusted application in the mobile terminal;
S45, the trusted application in the mobile terminal returns the signed data to the mobile application in the mobile terminal;
S46, the mobile application in the mobile terminal returns the signed data to the mobile application server;
and S47, the mobile application server uses the public key of the user digital certificate to verify the signed data.
Preferably, in step S2, the data to be signed is encapsulated with an asymmetric key.
Preferably, in step S2, the data to be signed is encapsulated with a symmetric key.
The authentication system based on the digital certificate comprises a security unit, a mobile application server and a trusted application server, wherein the security unit is arranged in a mobile terminal; a mobile application in a mobile terminal sends data to be signed, which needs a user digital certificate to sign, to a mobile application server; the mobile application server receives data to be signed and sends the data to the trusted application server; the trusted application server receives data to be signed and performs first packaging by using a server key; the trusted application server returns the first packaged data to be signed to the mobile application server; the mobile application server returns the first packaged data to be signed to the mobile application; the mobile terminal verifies the first packaged data to be signed through a secret key shared with the trusted application server, and uses a user certificate private key to sign after the verification is passed; and the mobile terminal returns the signed data to the mobile application server and verifies the signed data by using the public key of the user digital certificate.
Preferably, the mobile application sends the first packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application server to carry out third verification, and a user certificate private key is used for signing after the third verification is passed; returning the data to the mobile application after the user digital certificate is signed; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate.
Preferably, a trusted application with digital certificate access built into the trusted execution environment is also included; the mobile application sends the first packaged data to be signed to the trusted application; the trusted application uses a key negotiated with the trusted application server to perform first verification on the integrity of the packaged data to be signed, and uses a key shared by the trusted application and the digital certificate application to perform second packaging after the first verification is passed; the trusted application sends the second packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application to carry out second verification, and a user certificate private key is used for signing after the second verification is passed; returning the data after the user digital certificate is signed to the trusted application; the trusted application returns the signed data to the mobile application; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate.
Preferably, the server key comprises a symmetric key, and the encryption algorithm of the symmetric key comprises any one of DES, 3DES, IDEA, FEAL and BLOWFISH.
Preferably, the server key comprises an asymmetric key, and the encryption algorithm of the asymmetric key comprises any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H and ECC.
Preferably, the key shared by the trusted application and the digital certificate application comprises an asymmetric key, and the encryption algorithm of the asymmetric key comprises any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H and ECC.
An electronic device comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the authentication method based on the digital certificate.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the above-mentioned digital certificate-based authentication method.
Advantages of one or more embodiments of the present description over the prior art are:
one or more embodiments of the present specification provide a digital certificate-based authentication method, including the steps of: the mobile terminal interacts with the server side and is used for generating data to be signed at the server side; the trusted application server on the server side packages the data to be signed and then returns the data to the mobile terminal; the mobile terminal unseals and verifies the packaged data to be signed through a secret key shared by the mobile terminal and the trusted application server, and signs the data to be signed through a private key of a user certificate after the verification is passed; and the mobile terminal returns the signed data to the server side and verifies the signed data by using the public key of the user digital certificate. One or more embodiments of the present specification also relate to a digital certificate based authentication system, a storage medium, and an electronic device. In one or more embodiments of the present description, data to be signed is sent to a server for security encapsulation, and then returned to a mobile application, and sent to a digital certificate application through a trusted application for signature, so as to ensure that the data to be signed is not tampered before being sent to the digital certificate application, and ensure data security in a digital certificate authentication process.
The foregoing description is only an overview of one or more embodiments of the present disclosure, and in order to provide a clear understanding of the technical solutions of one or more embodiments of the present disclosure and to be implemented in accordance with the contents of the present disclosure, the following detailed description is given of preferred embodiments of one or more embodiments of the present disclosure with reference to the accompanying drawings. The detailed description of one or more embodiments of the present specification is provided by the following examples and their accompanying drawings.
Drawings
The following description is given in further detail in connection with the accompanying drawings and the description of one or more embodiments.
FIG. 1 is a flow diagram of a digital certificate based authentication method in accordance with one or more embodiments of the present disclosure;
FIG. 2 is a flowchart of an authentication method based on a digital certificate according to embodiment 1 of the present specification;
FIG. 3 is a schematic diagram of a digital certificate-based authentication system according to embodiment 3 of the present specification;
FIG. 4 is a flowchart of an authentication method based on a digital certificate according to embodiment 2 of the present specification;
FIG. 5 is a schematic diagram of an authentication system based on a digital certificate according to embodiment 4 of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of one or more embodiments of the present specification, but not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments of the present description without making any creative effort shall fall within the protection scope of one or more embodiments of the present description.
The authentication method based on the digital certificate, as shown in fig. 1, includes the following steps:
S1, the mobile terminal sends a signature request to the server side for generating data to be signed at the server side. In an embodiment, as shown in fig. 1, the mobile terminal interacts with the server side and the data to be signed is generated on the server side. For example, in online shopping, a user views, browses, places orders, and the like on an online store platform, interacting with the server side through a mobile phone client. Some data is generated on the mobile phone side, such as information input or selected by the user, and some data is generated on the server side, such as an order number, a serial number, and the like. In response to the signature request from the mobile terminal, the server side collects and processes the user-side information and the server-side information and generates the data to be signed. It should be understood that the data from which the data to be signed is generated may originate from the mobile terminal or from the server side, and is not limited herein. It should also be understood that interaction means that the objects participating in an activity can communicate with each other in both directions; for example, when a computer runs a multimedia program, a programmer can send an instruction to control the operation of the program, and the program does not simply execute unilaterally but responds accordingly after receiving the corresponding instruction, which is called interaction.
S2, the trusted application server on the server side packages the data to be signed and returns the data to the mobile terminal;
S3, the mobile terminal unseals and verifies the packaged data to be signed through a secret key shared by the mobile terminal and the trusted application server, and the data to be signed is signed by using a private key of a user certificate after the verification is passed;
and S4, the mobile terminal returns the signed data to the server side, and verifies the signed data by using the public key of the user digital certificate.
It should be understood that the encapsulation process includes, but is not limited to, data encryption, data packaging for verifying data integrity, and the corresponding decapsulation process includes, but is not limited to, data decryption, integrity verification.
Embodiment 1, an authentication method based on a digital certificate is shown in fig. 2, and it should be understood that the process described in this embodiment is premised on that a digital certificate has already been initialized and issued, and this embodiment is configured as an application example of a digital certificate, and includes the following steps:
S11, the mobile terminal interacts with the mobile application server; the user applies for and installs the digital certificate application in the security unit of the mobile terminal, and the mobile application server also retains the public key certificate of the user; the user interacts with the server through the mobile application to generate the data to be signed, which needs to be signed with the user's digital certificate. For example, through a mobile application in the mobile terminal, a user can trigger a third-party service to call a calling interface module in the mobile terminal to acquire device information and digital certificate installation information of the mobile terminal; after the calling interface module finds that a digital certificate is installed locally in the mobile terminal, the mobile terminal generates a signature request asking the server side to generate a signature instruction, namely the data to be signed.
S21, the mobile application server responds to the mobile terminal interaction request and generates data to be signed; the trusted application server is a server for correspondingly managing a digital certificate management trusted application located in a trusted execution environment in the mobile terminal, the digital certificate management trusted application serving as an entry for controlling access to the digital certificate application in the security unit. For example, a mobile application server on the server side receives a signature request of a mobile terminal, generates a signature instruction, namely data to be signed, and issues the signature instruction, namely the data to be signed, to a trusted application server corresponding to a digital certificate through the mobile application server.
S22, the trusted application server receives the data to be signed and uses the server key to carry out first encapsulation; in this embodiment, the application server key is configured as a key shared by the trusted application server and the digital certificate application for ensuring the integrity of the data to be signed after being packaged, and the key shared by the trusted application server and the digital certificate application may be configured as a symmetric key, for example, by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, and BLOWFISH, to configure the key shared with the digital certificate application in the trusted application server as a symmetric key. Likewise, the key shared by the trusted application server and the digital certificate application may also be configured as an asymmetric key, for example, an encryption algorithm using an asymmetric key including, but not limited to, any of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, and the key shared by the trusted application server and the digital certificate application is configured as a public key for packaging. For example, the trusted application server receives the data to be signed, and performs first encapsulation on the data to be signed by using the asymmetric public key through the trusted application server, so that the security of the encapsulated data is remarkably improved in the subsequent data transmission process.
S23, the trusted application server returns the first packaged data to be signed to the mobile application server; for example, on the server side, the trusted application server returns the first encapsulated data to be signed to the mobile application server.
S24, the mobile application server returns the first packaged data to be signed to the mobile application. For example, the mobile application server returns the first encapsulated data to be signed to the mobile application in the mobile terminal through a calling interface module in the mobile terminal, so that the security of the data returned from the server is ensured. In the conventional scheme, the data to be signed is vulnerable to attack and tampering during transmission; for example, during the interaction between the mobile terminal and the server side, the data to be signed is easily tampered with because it has not been packaged by a trusted application server. In this embodiment, the server key is embodied as a key shared by the trusted application server and the digital certificate application, and integrity is ensured by encrypting and encapsulating the data with that shared key.
S31, the mobile application sends the first packaged data to be signed to the digital certificate application; for example, the mobile application issues the first encapsulated data to be signed to a digital certificate application in an SE (secure element) through a calling interface module in the mobile terminal. In the conventional scheme, the data to be signed is vulnerable to attack and tampering during transmission; for example, while the mobile application sends the data to be signed to the digital certificate application in the mobile terminal, the data to be signed is easily tampered with because it has not been packaged by a trusted application server. In this embodiment, the server key is embodied as a key shared by the trusted application server and the digital certificate application, and integrity is ensured by encrypting and encapsulating the data with that shared key.
S32, the digital certificate application uses the key shared with the trusted application server to perform third verification, and signs with the private key of the user certificate after the third verification passes. The mobile application obtains the data to be signed that has been securely packaged by the server and sends it directly to the digital certificate application. In this case, the key used by the trusted application server to securely encapsulate the data to be signed is negotiated directly with the digital certificate application in the secure element. For example, in the present embodiment, in step S22, the key shared by the trusted application server and the digital certificate application may be configured as a symmetric key, for example, by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, and BLOWFISH. Likewise, the key shared by the trusted application server with the digital certificate application may also be configured as an asymmetric key, for example using an asymmetric encryption algorithm including, but not limited to, any of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, in which case the key shared with the trusted application server within the digital certificate application is configured as a private key for verification.
The first packaged data to be signed is verified, and the purpose of the verification includes confirming the integrity and correctness of the data. If the verification passes, the data to be signed has not been illegally tampered with, and it is signed using the private key of the user certificate. If the verification fails, the data to be signed, which is used for making a digital payment or granting an application authority, was attacked during step S31: the data is incorrect or incomplete, the signature request is illegal, and the private key of the user certificate is not used to sign, or an alarm is raised.
S41, the data signed with the user digital certificate is returned to the mobile application; for example, the data that has been signed with the user digital certificate by the digital certificate application in the SE (secure element) of the mobile terminal is returned to the mobile application, where it waits to be sent to the mobile application server for server-side data authentication and storage.
S42, the mobile application returns the signed data to the mobile application server; for example, the signature authentication data is returned to the mobile application server on the server side through a call interface module in the mobile terminal.
S43, the mobile application server uses the public key of the user digital certificate to verify the signed data. Passing the verification shows that a genuinely legitimate user is participating in the transaction. For example, if the mobile application server's verification passes, the third-party service is determined to be a legal operation of a legal user.
Embodiment 2, an authentication method based on a digital certificate is shown in fig. 4, and it should be understood that the process described in this embodiment is premised on that a digital certificate has already been initialized and issued, and this embodiment is configured as an application example of a digital certificate, and includes the following steps:
S11, the mobile terminal interacts with the mobile application server; the user applies for and installs the digital certificate application in the security unit of the mobile terminal, and the mobile application server also retains the public key certificate of the user; and the user interacts with the server through the mobile application to generate the data to be signed which needs the digital certificate of the user to sign. For example, a user can trigger a third-party service to call a calling interface module in a mobile terminal through a mobile application in the mobile terminal to acquire device information and digital certificate installation information of the mobile terminal, and after the calling interface module finds that a digital certificate is locally installed in the mobile terminal, a signature request is generated through the mobile terminal to request a server side to generate a signature instruction, namely data to be signed.
S21, the mobile application server responds to the mobile terminal interaction request and generates data to be signed; the trusted application server is a server for correspondingly managing a digital certificate management trusted application located in a trusted execution environment in the mobile terminal, the digital certificate management trusted application serving as an entry for controlling access to the digital certificate application in the security unit. For example, a mobile application server on the server side receives a signature request of a mobile terminal, generates a signature instruction, namely data to be signed, and issues the signature instruction, namely the data to be signed, to a trusted application server corresponding to a digital certificate through the mobile application server.
S22, the trusted application server receives the data to be signed and uses the server key to carry out first encapsulation; in this embodiment, the application server key is configured as a key shared by the trusted application server and the digital certificate management trusted application for ensuring the integrity of the data to be signed after being packaged, and the key shared by the trusted application server and the digital certificate management trusted application may be configured as a symmetric key, for example, by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, and BLOWFISH, to configure the key shared with the digital certificate management trusted application in the trusted application server as a symmetric key. Likewise, the key shared by the trusted application server and the digital certificate managing trusted application may also be configured as an asymmetric key, for example, an encryption algorithm using an asymmetric key including, but not limited to, any of RSA, Elgamal, knapsack algorithm, Rabin, and D-H, ECC, and the key shared by the trusted application server and the digital certificate managing trusted application is configured as a public key for packaging. In this embodiment, the trusted application server receives the data to be signed, and performs first encapsulation on the data to be signed by using the asymmetric public key through the trusted application server, so that the security of the encapsulated data is significantly improved in the subsequent data transmission process.
S23, the trusted application server returns the first packaged data to be signed to the mobile application server; for example, on the server side, the trusted application server returns the first encapsulated data to be signed to the mobile application server.
And S24, the mobile application server returns the first packaged data to be signed to the mobile application. For example, the mobile application server returns the first encapsulated data to be signed to the mobile application in the mobile terminal through a calling interface module in the mobile terminal, so that the security of the data returned from the server is ensured. In the conventional scheme, data to be signed is easy to be attacked and tampered in the transmission process, for example, in the interaction process between the mobile terminal and the server side, the data to be signed is easy to be tampered because the data to be signed is not packaged by a trusted application server; in this embodiment, the server key is embodied as a key shared by the trusted application server and the digital certificate management trusted application, and the integrity is ensured by performing encryption and encapsulation using the key shared by the trusted application server and the digital certificate management trusted application.
S33, the mobile application sends the first packaged data to be signed to the trusted application; in the embodiment, as a secret key shared by the trusted application server and the trusted application managed by the digital certificate is used for encryption and encapsulation, for example, even if the data to be signed is attacked, the data cannot be tampered because no corresponding secret key is used for decryption, so that the integrity of the data is ensured, meanwhile, the trusted application is placed in a trusted execution environment and operates in the trusted execution environment to provide security-related services for mobile application software or other trusted applications, and the trusted execution environment is an isolated execution environment operating in the mobile device and has stronger security capability compared with a common operating system, so that application programs, sensitive data and the like operating therein are ensured to be stored, processed and protected in a relatively trusted environment, and the security is improved.
S34, the trusted application uses a key negotiated with the trusted application server to perform a first verification of the integrity of the encapsulated data to be signed and, after the first verification passes, performs a second encapsulation using the key shared by the trusted application and the digital certificate application; in this embodiment, the trusted application and the digital certificate application also share a trusted key for protecting data during transmission, and this key is protected by the trusted execution environment and the security unit respectively, which gives relatively high security. Likewise, the key shared by the trusted application and the digital certificate application may also be configured as an asymmetric key, for example by using an asymmetric-key encryption algorithm including, but not limited to, any of RSA, Elgamal, the knapsack algorithm, Rabin, D-H, and ECC, in which case the key shared with the digital certificate application within the trusted application is configured as a public key for encapsulation. For example, the first verification is performed on the first encapsulated data to be signed; its purpose includes confirming the integrity and correctness of the data. If the verification passes, the data to be signed has not been illegally tampered with, and the second encapsulation is performed using the key shared with the digital certificate application in the trusted application. If the verification fails, the data to be signed has been attacked during step S33 and is incorrect or incomplete; the signature request is then illegal, and the second encapsulation with the key shared with the digital certificate application is not performed, or an alarm is raised. The security of the second encapsulated data is thereby significantly improved in the subsequent data transmission process.
S35, the trusted application sends the second packaged data to be signed to the digital certificate application; in this embodiment, because the encrypted second package is used, for example, even if the data to be signed is attacked, the data cannot be tampered because no corresponding secret key is used for decryption, so that the integrity of the data is ensured, and the security of the data is improved.
S36, the digital certificate application performs a second verification using the key shared with the trusted application and, after the second verification passes, signs with the private key of the user certificate. In this embodiment, corresponding to step S34, when the key shared by the trusted application and the digital certificate application is configured as a symmetric key, for example by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, and BLOWFISH, the key shared with the trusted application within the digital certificate application is configured as a symmetric key. Similarly, when the key shared by the trusted application server and the digital certificate application is configured as an asymmetric key, for example by using an asymmetric-key encryption algorithm including, but not limited to, any of RSA, Elgamal, the knapsack algorithm, Rabin, D-H, and ECC, the key shared with the trusted application within the digital certificate application is configured as a private key for verification. For example, the second encapsulated data to be signed is verified; the purpose of verification includes confirming the integrity and correctness of the data. If the verification passes, the data to be signed has not been illegally tampered with, and it is signed using the private key of the user certificate. If the verification fails, the data to be signed has been attacked during step S35 and is incorrect or incomplete; the signature request is illegal, and the private key of the user certificate is not used to sign, or an alarm is raised.
S44, returning the data after the user digital certificate is signed to the trusted application; for example, data that has been signed and authenticated by a user digital certificate within the mobile terminal is returned to the trusted application in the SE (secure element), waiting for return to the mobile application.
S45, the trusted application returns the signed data to the mobile application; for example, the signature-authenticated data is returned to the mobile application of the mobile terminal, where it waits to be sent to the mobile application server for server-side data authentication and storage.
S46, the mobile application returns the signed data to the mobile application server; for example, data for making a digital payment or granting an application right, which is signature-authenticated, is returned to the mobile server by the mobile application of the mobile terminal.
S47, the mobile application server uses the public key of the user digital certificate to verify the signed data. Passing the verification shows that a genuinely legitimate user is participating in the transaction. For example, if the mobile application server's verification passes, the operation is determined to be a legal operation of a legal user, and the transaction is legal.
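The verify-before-sign chain of steps S22, S33 to S36 can be exercised end to end. The following is an added sketch, not code from the patent: it assumes HMAC-SHA256 as the integrity mechanism for both encapsulations (the patent only says the shared keys may be symmetric or asymmetric), all function and variable names are hypothetical, and the user-certificate signature itself is not modelled, so the secure element step returns the data it would be willing to sign.

```python
import hashlib
import hmac
import os

# Constructed demo keys; on a real device these live in the TEE and the SE.
K_SERVER_TA = os.urandom(32)  # trusted application server <-> trusted application (TEE)
K_TA_SE = os.urandom(32)      # trusted application (TEE) <-> digital certificate application (SE)

# Constructed sample payloads.
ORDER = b'{"order":"constructed-001","amount":"10.00"}'
TAMPERED = b'{"order":"constructed-001","amount":"9999.00"}'


class IntegrityError(Exception):
    """Raised when an envelope fails verification."""


def _mac(key, hop, payload):
    # Bind the hop label into the tag so an envelope made for one hop
    # is not accepted at another (an assumption of this sketch).
    return hmac.new(key, hop.encode() + b"\x00" + payload, hashlib.sha256).digest()


def encapsulate(key, hop, payload):
    return {"hop": hop, "payload": payload.hex(), "tag": _mac(key, hop, payload).hex()}


def verify(key, hop, envelope):
    try:
        payload = bytes.fromhex(envelope["payload"])
        tag = bytes.fromhex(envelope["tag"])
    except (KeyError, TypeError, ValueError) as exc:
        raise IntegrityError("malformed envelope") from exc
    # Constant-time comparison of the recomputed tag with the received one.
    if envelope.get("hop") != hop or not hmac.compare_digest(_mac(key, hop, payload), tag):
        raise IntegrityError("tag mismatch")
    return payload


def server_first_encapsulation(data):
    """S22: the trusted application server wraps the data to be signed."""
    return encapsulate(K_SERVER_TA, "S22", data)


def trusted_application(envelope, alarms):
    """S34: first verification, then second encapsulation of the verified payload."""
    try:
        data = verify(K_SERVER_TA, "S22", envelope)
    except IntegrityError as exc:
        alarms.append(f"TA refused: {exc}")  # no second encapsulation, alarm instead
        return None
    return encapsulate(K_TA_SE, "S34", data)


def certificate_application(envelope, alarms):
    """S36: second verification. Returns the data cleared for signing, or None."""
    if envelope is None:
        return None
    try:
        return verify(K_TA_SE, "S34", envelope)
    except IntegrityError as exc:
        alarms.append(f"SE refused: {exc}")  # the private key is never used
        return None


def run_flow(data, tamper_at=None):
    """Run S22 to S36; tamper_at simulates modification in transit at one hop."""
    alarms = []
    env1 = server_first_encapsulation(data)          # S22 to S24
    if tamper_at == "S33":                           # altered between mobile app and TA
        env1 = dict(env1, payload=TAMPERED.hex())
    if tamper_at == "skip_TA":                       # first envelope handed straight to the SE
        env2 = env1
    else:
        env2 = trusted_application(env1, alarms)     # S34
    if tamper_at == "S35" and env2 is not None:      # altered between TA and SE
        env2 = dict(env2, payload=TAMPERED.hex())
    return certificate_application(env2, alarms), alarms  # S36


if __name__ == "__main__":
    for case in (None, "S33", "S35", "skip_TA"):
        print(case, run_flow(ORDER, tamper_at=case))
```

Only the untampered run yields data cleared for signing; each altered or bypassed hop ends with no signing and exactly one alarm from the component that detected it.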
Embodiment 3, as shown in fig. 3, the authentication system based on digital certificate includes a security unit built in a mobile terminal, a mobile application server, and a trusted application server; a user digital certificate public key is arranged in the mobile application server, and a digital certificate application is arranged in the security unit; the digital certificate application is a string of numbers for marking identity information of each communication party in network communication, and provides a way of verifying the identity of a communication entity on the Internet. In this embodiment, the user certificate is issued by a legal authority and corresponds to the private key stored in the digital certificate application in the security unit of the mobile terminal; the user public key certificate can be obtained by the mobile application server from the legal authority and is used for subsequently verifying the validity of signatures made with the user certificate private key, thereby determining that the user actually participates in the transaction. The security unit can provide a more secure data storage and operation environment.
A mobile application in a mobile terminal sends data to be signed, which needs a user digital certificate to sign, to a mobile application server; the mobile application server receives data to be signed and sends the data to the trusted application server; the trusted application server receives data to be signed and performs first packaging by using a server key; the trusted application server returns the first packaged data to be signed to the mobile application server; the mobile application server returns the first packaged data to be signed to the mobile application; the mobile terminal verifies the first packaged data to be signed through a secret key shared with the trusted application server, and uses a user certificate private key to sign after the verification is passed; and the mobile terminal returns the signed data to the mobile application server and verifies the signed data by using the public key of the user digital certificate. The mobile application in the mobile terminal sends the first packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application server to carry out third verification, and a user certificate private key is used for signing after the third verification is passed; the data signed with the user digital certificate is returned to the mobile application; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate. Passing the verification shows that a genuinely legitimate user is participating in the transaction.
In the traditional scheme, data to be signed is easy to be attacked and tampered in the transmission process, for example, in the interaction process of a mobile terminal and a server side, the data to be signed is easy to be tampered because the data to be signed is not packaged by a trusted application server; for another example, in the process that the mobile application issues the data to be signed to the digital certificate application in the mobile terminal, the data to be signed is not packaged by the trusted application server, so that the data is easy to be tampered; in this embodiment, the server key is embodied as a key shared by the trusted application server and the digital certificate application, and integrity is ensured by performing encryption and encapsulation using the key shared by the trusted application server and the digital certificate application.
In this embodiment, the key shared by the trusted application server and the digital certificate application may be configured as a symmetric key, for example, by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, BLOWFISH, and configuring the key shared with the digital certificate application in the trusted application server and the key shared with the trusted application server in the digital certificate application as symmetric keys. Likewise, the key shared by the trusted application server and the digital certificate application may also be configured as an asymmetric key, for example, an encryption algorithm using an asymmetric key including, but not limited to, any of RSA, Elgamal, knapsack algorithm, Rabin, and D-H, ECC, the key shared with the digital certificate application within the trusted application server being configured as a public key for packaging, and the key shared with the trusted application server within the digital certificate application being configured as a private key for verification.
Embodiment 4, as shown in fig. 5, the authentication system based on a digital certificate includes a security unit built in a mobile terminal, a mobile application server, and a trusted application server, where a public key of a user digital certificate is built in the mobile application server, and a digital certificate application is installed in the security unit; the digital certificate application is a string of numbers for marking identity information of each communication party in network communication, and provides a way of verifying the identity of a communication entity on the Internet. In this embodiment, the user certificate is issued by a legal authority and corresponds to the private key stored in the digital certificate application in the security unit of the mobile terminal; the user public key certificate can be obtained by the mobile application server from the legal authority and is used for subsequently verifying the validity of signatures made with the user certificate private key, thereby determining that the user actually participates in the transaction. The security unit can provide a more secure data storage and operation environment. The digital certificate based authentication system further comprises a trusted application built into the trusted execution environment for digital certificate access; the trusted execution environment is an isolated execution environment running in the mobile device, and has stronger security capability compared with a common operating system, so that the application programs, sensitive data and the like running in the trusted execution environment are stored, processed and protected in a relatively trusted environment, and security is improved.
A mobile application in a mobile terminal sends data to be signed, which needs a user digital certificate to sign, to a mobile application server; the mobile application server receives data to be signed and sends the data to the trusted application server; the trusted application server receives data to be signed and performs first packaging by using a server key; the trusted application server returns the first packaged data to be signed to the mobile application server; the mobile application server returns the first packaged data to be signed to the mobile application; the mobile terminal verifies the first packaged data to be signed through a secret key shared with the trusted application server, and uses a user certificate private key to sign after the verification is passed; and the mobile terminal returns the signed data to the mobile application server and verifies the signed data by using the public key of the user digital certificate. The mobile application sends the first packaged data to be signed to the trusted application; the trusted application uses a key negotiated with the trusted application server to perform first verification on the integrity of the packaged data to be signed, and uses a key shared by the trusted application and the digital certificate application to perform second packaging after the first verification is passed; the trusted application sends the second packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application to carry out second verification, and a user certificate private key is used for signing after the second verification is passed; the data signed with the user digital certificate is returned to the trusted application; the trusted application returns the signed data to the mobile application; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate. Passing the verification shows that a genuinely legitimate user is participating in the transaction.
In the traditional scheme, data to be signed is easy to be attacked and tampered in the transmission process, for example, in the interaction process of a mobile terminal and a server side, the data to be signed is easy to be tampered because the data to be signed is not packaged by a trusted application server; for another example, in the process that the mobile application sends the data to be signed to the trusted application in the mobile terminal, the data to be signed is not packaged by the trusted application server, so that the data is easy to be tampered; for another example, in the process that the trusted application issues the data to be signed to the digital certificate application in the mobile terminal, the data to be signed is easy to be tampered because the data to be signed is not packaged by the trusted application; in this embodiment, the server key is embodied as a key shared by the trusted application server and the trusted application, and since the key shared by the trusted application server and the key shared by the trusted application and the digital application certificate are used for encryption and encapsulation to ensure integrity, and meanwhile, since the trusted application is placed in the trusted execution environment and operates in the trusted execution environment to provide security-related services for the mobile application software or other trusted applications, the trusted execution environment is an isolated execution environment operating in the mobile device, and has a strong security capability compared with a common operating system, so as to ensure that the application programs, sensitive data and the like operating therein are stored, processed and protected in a relatively trusted environment, and thus security is improved; compared with the SE (security element), the TEE (trusted execution environment) and the SE are in relatively independent execution environments, and a scene applied by the SE is not limited.
In this embodiment, the key shared by the trusted application server and the trusted application, and the key shared by the trusted application and the digital application certificate may be configured as a symmetric key, for example, by using any one of encryption algorithms including, but not limited to, DES, 3DES, IDEA, FEAL, BLOWFISH, configuring the key shared with the trusted application in the trusted application server, the key shared with the trusted application server in the trusted application server as a symmetric key, or configuring the key shared with the digital application certificate in the trusted application, and the key shared with the trusted application in the digital application certificate as a symmetric key. Likewise, the key shared by the trusted application server and the trusted application, and the key shared by the trusted application and the digital application certificate may also be configured as an asymmetric key, for example, an encryption algorithm using an asymmetric key includes, but is not limited to, any one of RSA, Elgamal, knapsack algorithm, Rabin, and D-H, ECC, the key shared with the trusted application in the trusted application server is configured as a public key for packaging, and the key shared with the trusted application server in the trusted application server is configured as a private key for verification; or configuring a secret key shared with the digital application certificate in the trusted application as a public key for packaging, and configuring a secret key shared with the trusted application in the digital application certificate as a private key for verification.
An electronic device comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the authentication method based on the digital certificate.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the above-mentioned digital certificate-based authentication method.
One or more embodiments of the present specification provide an authentication method based on a digital certificate, including a mobile terminal interacting with a server side and generating data to be signed at the server side; the trusted application server on the server side packages the data to be signed and then returns the data to the mobile terminal; the mobile terminal verifies the packaged data to be signed through a secret key shared by the mobile terminal and the trusted application server, and signs through a private key of a user certificate after the verification is passed; and the mobile terminal returns the signed data to the server side and verifies the signed data by using the public key of the user digital certificate. One or more embodiments of the present specification also relate to a digital certificate based authentication system, a storage medium, and an electronic device. In one or more embodiments of the present description, the data to be signed is first sent to the server for security encapsulation, and then returned to the mobile application and sent to the digital certificate application for signature, so as to authenticate the digital certificate.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the electronic device, and the nonvolatile computer storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and the relevant points can be referred to the partial description of the embodiments of the method.
The apparatus, the electronic device, the nonvolatile computer storage medium and the method provided in the embodiments of the present description correspond to each other, and therefore, the apparatus, the electronic device, and the nonvolatile computer storage medium also have similar advantageous technical effects to the corresponding method.
In the 1990s, an improvement in a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement in circuit structures such as diodes, transistors, switches, etc.) or an improvement in software (an improvement in a process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing; the original code before compiling must also be written in a specific programming language, which is called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language), with VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog being the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. The means for performing the functions may even be regarded as being both software modules for performing the method and structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
As will be appreciated by one skilled in the art, the present specification embodiments may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The present description may be set out in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; for parts that are the same or similar among the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, it is described briefly, and for the relevant points reference may be made to the corresponding description of the method embodiment.
The foregoing is illustrative of embodiments of the present disclosure and is not intended to limit one or more embodiments of the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of claims of one or more embodiments of the present specification.

Claims (9)

1. An authentication method based on a digital certificate, characterized by comprising the following steps:
the mobile terminal initiates a signature request to a server side for generating data to be signed at the server side;
the trusted application server on the server side packages the data to be signed and then returns the data to the mobile terminal;
the mobile terminal unseals and verifies the packaged data to be signed through a secret key shared by the mobile terminal and the trusted application server, and signs the data to be signed through a private key of a user certificate after the verification is passed;
the mobile terminal returns the signed data to the server side, and the signed data is verified by using a public key of the user digital certificate;
the step of packaging the data to be signed by the trusted application server on the server side and then returning the packaged data to the mobile terminal specifically comprises the following steps:
the mobile application server responds to the mobile terminal signature request and generates data to be signed;
the trusted application server receives the data to be signed and uses a server key in the trusted application server to perform first packaging;
the trusted application server returns the first packaged data to be signed to the mobile application server;
the mobile application server returns the first packaged data to be signed to the mobile application in the mobile terminal;
the step in which the mobile terminal verifies the packaged data to be signed through a secret key shared with the trusted application server, and signs by using a user certificate private key after the verification is passed, specifically comprises the following steps:
the mobile application in the mobile terminal sends the first packaged data to be signed to the digital certificate application in the mobile terminal;
and the digital certificate application uses a secret key shared with the trusted application server to unseal the data and carry out third verification, and signs by using a private key of the user certificate after the third verification is passed.
2. The authentication method based on the digital certificate as claimed in claim 1, wherein the mobile terminal returns the signed data to the server side, and verifying the signed data using the public key of the user digital certificate specifically comprises:
the data signed with the user digital certificate is returned to the mobile application in the mobile terminal;
the mobile application in the mobile terminal returns the signed data to the mobile application server;
and the mobile application server verifies the signed data by using the public key of the user digital certificate.
3. The authentication method based on the digital certificate of claim 1, wherein the mobile terminal verifies the packaged data to be signed by a secret key shared with a trusted application server, and the signing by using a private key of a user certificate after the verification specifically comprises:
the mobile application in the mobile terminal sends the first packaged data to be signed to a trusted application in the mobile terminal;
the trusted application in the mobile terminal uses a key negotiated with the trusted application server to decapsulate the encapsulated data to be signed and perform first verification of data integrity, and after the first verification is passed, a key shared by the trusted application in the mobile terminal and the digital certificate application is used for second encapsulation;
the trusted application in the mobile terminal sends the second packaged data to be signed to the digital certificate application in the mobile terminal;
and the digital certificate application in the mobile terminal uses the secret key shared with the trusted application in the mobile terminal to unseal and carry out second verification, and the user certificate private key is used for signing after the second verification is passed.
4. The authentication method based on the digital certificate as claimed in claim 3, wherein the mobile terminal returns the signed data to the server side, and the verifying the signed data using the public key of the user digital certificate further comprises:
the data signed with the user digital certificate in the mobile terminal is returned to the trusted application in the mobile terminal;
the trusted application in the mobile terminal returns the signed data to the mobile application in the mobile terminal;
the mobile application in the mobile terminal returns the signed data to the mobile application server;
and the mobile application server verifies the signed data by using the public key of the user digital certificate.
5. The digital certificate-based authentication method as claimed in any one of claims 1 to 4, wherein the data to be signed is encapsulated using an asymmetric key or a symmetric key.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1-5 are implemented when the program is executed by the processor.
7. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5.
8. An authentication system based on digital certificates, characterized in that: the system comprises a security unit arranged in a mobile terminal, a mobile application server and a trusted application server;
a user digital certificate public key is arranged in the mobile application server, and a digital certificate application is arranged in the security unit; a mobile application in a mobile terminal sends data to be signed, which needs a user digital certificate to sign, to a mobile application server; the mobile application server receives data to be signed and sends the data to the trusted application server;
the trusted application server receives data to be signed and performs first packaging by using a server key; the trusted application server returns the first packaged data to be signed to the mobile application server; the mobile application server returns the first packaged data to be signed to the mobile application;
the mobile terminal verifies the first packaged data to be signed through a secret key shared with the trusted application server, and uses a user certificate private key to sign after the verification is passed; the mobile terminal returns the signed data to the mobile application server, and the signed data is verified by using a public key of a user digital certificate;
wherein the mobile terminal verifying the first packaged data to be signed through a secret key shared with the trusted application server and signing with a private key of a user certificate after the verification is passed, and the mobile terminal returning the signed data to the mobile application server with the signed data being verified by using the public key of the user digital certificate, specifically comprise the following steps:
the mobile application sends the first packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application server to carry out third verification, and a user certificate private key is used for signing after the third verification is passed; the data signed with the user digital certificate is returned to the mobile application; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate.
9. The digital certificate-based authentication system of claim 8, wherein: the system further comprises a trusted application for digital certificate access built into the trusted execution environment; the mobile application sends the first packaged data to be signed to the trusted application; the trusted application uses a key negotiated with the trusted application server to perform first verification on the integrity of the packaged data to be signed, and uses a key shared by the trusted application and the digital certificate application to perform second packaging after the first verification is passed; the trusted application sends the second packaged data to be signed to the digital certificate application; the digital certificate application uses a secret key shared with the trusted application to carry out second verification, and a user certificate private key is used for signing after the second verification is passed; the data signed with the user digital certificate is returned to the trusted application; the trusted application returns the signed data to the mobile application; the mobile application returns the signed data to the mobile application server; and the mobile application server verifies the signed data by using the public key of the user digital certificate.
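The chain of claims 3 and 4 (first packaging, first verification, second packaging, second verification, signing, server-side verification), sketched in Go as an added example that is not code from the patent. HMAC-SHA256 as the packaging, Ed25519 as the user certificate key, the hard-coded shared keys and every function name are assumptions; the claims only state that a symmetric or asymmetric key is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the "packaged data to be signed": payload plus integrity tag.
// HMAC-SHA256 is an assumption; the claims name no algorithm.
type Envelope struct{ Payload, Tag []byte }

var ErrIntegrity = errors.New("envelope integrity check failed")

// Seal packages data under a shared key (first or second packaging).
func Seal(key, payload []byte) Envelope {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return Envelope{Payload: append([]byte(nil), payload...), Tag: m.Sum(nil)}
}

// Open unseals an envelope, comparing the tag in constant time.
func Open(key []byte, e Envelope) ([]byte, error) {
	if !hmac.Equal(Seal(key, e.Payload).Tag, e.Tag) {
		return nil, ErrIntegrity
	}
	return e.Payload, nil
}

// TrustedApp (TEE side): first verification with the key negotiated with the
// trusted application server, then second packaging for the certificate application.
func TrustedApp(kServerTA, kTACert []byte, e Envelope) (Envelope, error) {
	data, err := Open(kServerTA, e)
	if err != nil {
		return Envelope{}, err
	}
	return Seal(kTACert, data), nil
}

// CertApp (security unit): second verification, then signing with the user key.
func CertApp(kTACert []byte, priv ed25519.PrivateKey, e Envelope) ([]byte, error) {
	data, err := Open(kTACert, e)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, data), nil
}

// RunFlow plays every party in one process; tamper simulates the untrusted
// mobile application altering the payload while relaying it.
func RunFlow(toSign []byte, tamper bool) (bool, error) {
	kServerTA := []byte("constructed key: server <-> trusted app")
	kTACert := []byte("constructed key: trusted app <-> cert app")
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the user certificate key pair
	if err != nil {
		return false, err
	}
	env := Seal(kServerTA, toSign) // trusted application server: first packaging
	if tamper {
		env.Payload = []byte("order=1001;amount=9999.00") // constructed altered payload
	}
	env2, err := TrustedApp(kServerTA, kTACert, env)
	if err != nil {
		return false, err // rejected before the private key is ever used
	}
	sig, err := CertApp(kTACert, priv, env2)
	// Mobile application server: verify over the data it generated, with the public key.
	return err == nil && ed25519.Verify(pub, toSign, sig), err
}

func main() {
	fmt.Println(RunFlow([]byte("order=1001;amount=25.00"), false))
	fmt.Println(RunFlow([]byte("order=1001;amount=25.00"), true))
}
```

The tampered run fails at the first verification, so the altered payload never reaches the component that holds the private key.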
CN201811186820.9A 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment Active CN109560933B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811186820.9A CN109560933B (en) 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN109560933A CN109560933A (en) 2019-04-02
CN109560933B CN109560933B (en) 2022-04-08

Family

ID=65864912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811186820.9A Active CN109560933B (en) 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN109560933B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365488B (en) * 2019-07-23 2020-05-15 上海铂英飞信息技术有限公司 Authentication method, device and system based on untrusted environment
CN110838919B (en) * 2019-11-01 2021-04-13 广州小鹏汽车科技有限公司 Communication method, storage method, operation method and device
CN114531225A (en) * 2020-11-02 2022-05-24 深圳Tcl新技术有限公司 End-to-end communication encryption method, device, storage medium and terminal equipment
CN114785514B (en) * 2022-03-23 2023-11-14 国网上海能源互联网研究院有限公司 Method and system for application license authorization of industrial Internet of things terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101790166A (en) * 2009-12-30 2010-07-28 上海柯斯软件有限公司 Digital signing method based on mobile phone intelligent card
CN102088441A (en) * 2009-12-08 2011-06-08 北京大学 Data encryption transmission method and system for message-oriented middleware
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
CN108335105A (en) * 2018-01-18 2018-07-27 中国建设银行股份有限公司 Data processing method and relevant device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014106181A2 (en) * 2012-12-31 2014-07-03 Vasco Data Security, Inc. A method and an apparatus for securely signing application data
US20160335627A1 (en) * 2015-05-11 2016-11-17 Gemalto Sa Method, device and a server for signing data

Similar Documents

Publication Publication Date Title
US11489678B2 (en) Platform attestation and registration for servers
CN111680305B (en) Data processing method, device and equipment based on block chain
CN110032883B (en) Method, system and node for realizing privacy protection in block chain
CN109560933B (en) Authentication method and system based on digital certificate, storage medium and electronic equipment
CN108055132B (en) Method, device and equipment for service authorization
CN109886682B (en) Method, node and storage medium for realizing contract calling in block chain
CN111898156B (en) Method, node and storage medium for realizing contract call in block chain
CN106899571B (en) Information interaction method and device
CN111741028B (en) Service processing method, device, equipment and system
EP3945695B1 (en) Method, apparatus, and device for processing blockchain data
CN107092824B (en) Application program running method and device
CN112016924A (en) Data evidence storage method, device and equipment based on block chain
CN113704826A (en) Privacy protection-based business risk detection method, device and equipment
CN111783051A (en) Identity authentication method and device and electronic equipment
US20240113898A1 (en) Secure Module and Method for App-to-App Mutual Trust Through App-Based Identity
CN115640589A (en) Security protection equipment, service execution method, device and storage medium
CN115603943A (en) Method and device for off-line identity authentication, storage medium and electronic equipment
CN114553428B (en) Trusted verification system, trusted verification device, trusted verification storage medium and electronic equipment
JP2023542574A (en) Model protection methods, devices, devices, systems, storage media and programs
CN111783071A (en) Password-based and privacy data-based verification method, device, equipment and system
CN114969784A (en) Model processing method, device and equipment
CN115604716A (en) Method, device storage medium and equipment for service binding and service execution

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201010

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20201010

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20220310

Address after: Room 204, building 15, No. 1999, middle section of Yizhou Avenue, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan

Applicant after: Ant Rongxin (Chengdu) Network Technology Co.,Ltd.

Address before: 27 Hospital Road, George Town, Grand Cayman ky1-9008

Applicant before: Innovative advanced technology Co.,Ltd.

GR01 Patent grant