CN109981278B - Digital certificate application method, system, user identification card, device and medium - Google Patents

Digital certificate application method, system, user identification card, device and medium Download PDF

Info

Publication number
CN109981278B
CN109981278B CN201711456434.2A CN201711456434A CN109981278B CN 109981278 B CN109981278 B CN 109981278B CN 201711456434 A CN201711456434 A CN 201711456434A CN 109981278 B CN109981278 B CN 109981278B
Authority
CN
China
Prior art keywords
signature
data
service system
certificate
identification card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711456434.2A
Other languages
Chinese (zh)
Other versions
CN109981278A (en
Inventor
于绍泉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201711456434.2A priority Critical patent/CN109981278B/en
Publication of CN109981278A publication Critical patent/CN109981278A/en
Application granted granted Critical
Publication of CN109981278B publication Critical patent/CN109981278B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a digital certificate application method, a signature service system, a user identity identification card, a digital certificate application system, a digital certificate application device and a computer readable storage medium. The digital certificate application method comprises the following steps: when a certificate application request sent by a service system is received, generating a key pair generation instruction, and sending the key pair generation instruction to a user identity identification card; after receiving public key information returned by the user identity identification card, forming certificate request information comprising the public key information; performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card; when signature data returned by a user identity identification card is received, a certificate request data packet comprising authentication request information and signature data is formed; and acquiring the digital certificate according to the certificate request data packet. The embodiment of the invention can improve the reliability and stability of the digital certificate application process.

Description

Digital certificate application method, system, user identification card, device and medium
Technical Field
The present invention relates to the field of electronic authentication technologies, and in particular, to a digital certificate application method, a signature service system, a user identification card, a digital certificate application system, a digital certificate application apparatus, and a computer-readable storage medium.
Background
In recent years, the development of the internet, especially the mobile internet, is rapid, and a safe and universal mobile signature product is an important guarantee for protecting the service safety of the mobile internet. The traditional U shield and the cipher device have a plurality of defects in portability and terminal compatibility, so that an electronic authentication technology suitable for the era of mobile internet is developed, and a safety protection function is provided for safety of various account numbers and payment safety.
The current digital certificate application method is as follows:
1. the mobile signature platform sends a data short message request to the SIM card through a mobile network to generate a P10 data packet, namely a certificate request data packet;
2. the SIM card generates a public and private key pair, and a P10 data packet is assembled;
3. the SIM card divides the complete P10 data packet into a plurality of data short messages and sends the data short messages to the mobile signature platform;
4. the mobile signature platform sends the P10 data packet to the digital certificate issuing platform to obtain the digital certificate.
The above digital certificate application method has the following disadvantages:
the mobile signature service system and the SIM card carry out data interaction in a data short message mode, and the P10 data packet contains various information. Taking an RSA algorithm with a length of 1024 bits as an example, the byte length of the P10 data packet generated according to the asn.1 coding mode at least reaches 350 bytes or more. And one data short message carries data with the length of 140 bytes at most, except the safety message header of the data short message, the SIM card sends a complete P10 data packet to the mobile signature service system, and at least four data short messages need to be sent continuously. Considering factors such as short message delay and short message bearing data length limitation, the number of short messages required for sending the P10 data packet is large, and the waiting time of the mobile signature platform is long, so that the system reliability and stability are poor.
Disclosure of Invention
The embodiment of the invention provides a digital certificate application method, a signature service system, a user identity identification card, a digital certificate application system, a digital certificate application device and a computer readable storage medium.
In a first aspect, an embodiment of the present invention provides a method for applying for a digital certificate, where the method includes:
when a certificate application request sent by a service system is received, generating a key pair generation instruction, and sending the key pair generation instruction to a user identity identification card;
after public key information returned by the user identity identification card is received, certificate request information comprising the public key information is formed;
performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
when signature data returned by the user identity identification card is received, a certificate request data packet comprising the authentication request information and the signature data is formed; the signature data is obtained by the user identity identification card by adopting a private key in a generated key pair to sign the hash data;
and acquiring the digital certificate according to the certificate request data packet.
In a second aspect, an embodiment of the present invention provides a method for applying for a digital certificate, where the method includes:
when a key pair generation instruction sent by a signature service system is received, generating a key pair, and returning public key information in the key pair to the signature service system;
and when receiving the hash data sent by the signature service system, signing the hash data by adopting a private key in the key pair to obtain signature data, and returning the signature data to the signature service system.
In a third aspect, an embodiment of the present invention provides a method for applying for a digital certificate, where the method includes:
when receiving a certificate application request sent by a service system, a signature service system generates a key pair generation instruction and sends the key pair generation instruction to a user identity identification card;
the user identity identification card generates a key pair when receiving a key pair generation instruction sent by a signature service system, and returns public key information in the key pair to the signature service system;
after receiving the public key information returned by the user identity identification card, the signature service system forms certificate request information comprising the public key information; performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
when the user identity identification card receives the hash data sent by the signature service system, the hash data is signed by adopting a private key in the key pair to obtain signature data, and the signature data is returned to the signature service system;
when the signature service system receives the signature data returned by the user identity identification card, a certificate request data packet comprising the authentication request information and the signature data is formed; and acquiring a digital certificate according to the certificate request data packet.
In a fourth aspect, an embodiment of the present invention provides a signature service system, where the system includes:
the instruction generation module is used for generating a key pair generation instruction when receiving a certificate application request sent by a service system and sending the key pair generation instruction to the user identity identification card;
the information forming module is used for forming certificate request information comprising the public key information after receiving the public key information returned by the user identity identification card;
the Hash operation module is used for carrying out Hash operation on the certificate request information to obtain Hash data and sending the Hash data to the user identity identification card;
the data packet forming module is used for forming a certificate request data packet comprising the authentication request information and the signature data when receiving the signature data returned by the user identity identification card; the signature data is obtained by signing the hash data by the user identity identification card by adopting a private key in a generated key pair;
and the certificate acquisition module is used for acquiring the digital certificate according to the certificate request data packet.
In a fifth aspect, an embodiment of the present invention provides a user identification card, including:
the system comprises a key pair generation module, a signature service system and a key pair generation module, wherein the key pair generation module is used for generating a key pair when receiving a key pair generation instruction sent by the signature service system and returning public key information in the key pair to the signature service system;
and the data signature module is used for signing the hash data by adopting a private key in the key pair to obtain signature data when receiving the hash data sent by the signature service system, and returning the signature data to the signature service system.
In a sixth aspect, an embodiment of the present invention provides a digital certificate application system, including the signature service system provided in the fourth aspect and the user identification card provided in the fifth aspect.
In a seventh aspect, an embodiment of the present invention provides a digital certificate application apparatus, which includes at least one processor, at least one memory, and computer program instructions stored in the memory, and when executed by the processor, the computer program instructions implement the method of the first aspect or the second aspect in the foregoing embodiments.
In an eighth aspect, embodiments of the present invention provide a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, implement the method of the first aspect or the second aspect in the above embodiments.
According to the scheme provided by the embodiment of the invention, the authentication request information in the certificate request data packet is formed by the signature service system, the process that various data form a complete certificate request data packet is also completed in the signature service system, and only the signature data in the certificate request data packet is formed by the user identity identification card, so that the user identity identification card only needs one data short message for sending the signature data to the signature service system, and does not need a plurality of data short messages, therefore, the waiting time of the signature service system is short, and compared with the condition that the user identity identification card needs a plurality of data short messages for sending related data to the signature service system in the prior art, the reliability and stability of the digital certificate application process can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings may be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a digital certificate application method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a digital certificate application method according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating a digital certificate application method according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating a digital certificate application method according to an embodiment of the present invention;
FIG. 5 is a flow diagram illustrating the execution of a signature service in one embodiment of the invention;
FIG. 6 is a block diagram showing the structure of a signature service system in one embodiment of the present invention;
FIG. 7 is a block diagram illustrating the structure of a SIM card in accordance with an embodiment of the present invention;
fig. 8 is a block diagram illustrating a digital certificate application apparatus according to an embodiment of the present invention.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In a first aspect, an embodiment of the present invention provides a method for applying for a digital certificate, where the method may be executed by a signature service system, and as shown in fig. 1, the method may specifically include the following steps:
s101, generating a key pair generation instruction when receiving a certificate application request sent by a service system, and sending the key pair generation instruction to a user identity identification card;
the service system may also be referred to as a service platform.
For example, when a user requests a service manager to help transact a downloading service of a digital certificate to a service platform, the manager checks the identity of the user, and after the check is passed, the service platform sends a certificate application request to a signature service system, that is, an application process of the digital certificate is started. Of course, when receiving the certificate application request, the validity of the service and the validity of the PKI (i.e. public key infrastructure) may be checked in sequence, and after the check is passed, the key pair generation instruction is generated.
The certificate application request is a request for applying a digital certificate.
The subscriber identity module card may also be referred to as a SIM card. It is understood that the SIM card is a secure medium at the financial chip level. And when the SIM card receives a key pair generation instruction sent by the signature service system, generating a key pair, and returning the public key information in the key pair to the signature service system. The public key information may include a public key, a public key exponent, and/or other public key related information.
S102, after public key information returned by the user identity identification card is received, certificate request information comprising the public key information is formed;
the certificate request information, i.e., the certificationRequestInformation, includes public key information, but may also include other information, such as an entity name. Other information in the certificate request message may be custom data, which may be set as desired. After the signature service system receives the public key information returned by the SIM card, the public key information and other information can form certificate request information in an assembling mode.
It is understood that the certificate request information is a part of data included in the certificate request packet, i.e., the P10 data, which is formed by the signature service system.
S103, carrying out hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
for example, the SHA-1 algorithm is used to perform a hash operation on the certificate request information, thereby obtaining hash data.
And after the SIM card receives the hash data, signing the hash data by adopting a private key in the generated key pair so as to obtain signature data, and then returning the signature data to the signature service system. It can be seen that the signature data is formed by the SIM card.
S104, forming a certificate request data packet comprising the authentication request information and the signature data when receiving the signature data returned by the user identity identification card; the signature data is obtained by signing the hash data by the user identity identification card by adopting a private key in a generated key pair;
it is understood that the certificate request packet, i.e., the PKCS #10 packet (abbreviated as the P10 packet), includes authentication request information and signature data. Of course, other data, such as signature algorithms, may also be included. Specifically, the authentication request information, the signature data, the signature algorithm and/or other data may be formed into a complete P10 data packet according to the format requirement of the P10 data packet.
The P10 data packet can be obtained through the above steps, and the digital certificate can be obtained through S105.
And S105, acquiring the digital certificate according to the certificate request data packet.
In the digital certificate application method provided by the embodiment of the invention, the authentication request information in the certificate request data packet is formed by the signature service system, the process of forming a complete certificate request data packet by various data is also completed in the signature service system, and only the signature data in the certificate request data packet is formed by the user identification card, so that the user identification card only needs one data short message for sending the signature data to the signature service system, and does not need a plurality of data short messages, therefore, the waiting time of the signature service system is short, compared with the condition that the user identification card needs a plurality of data short messages for sending related data to the signature service system in the prior art, the time delay is short, and the reliability and the stability of the digital certificate application process are improved. Moreover, because the authentication request information in the certificate request data packet is formed by the signature service system and is not formed in the SIM card, other data except the public key information of the authentication request information can be self-defined data, when the data is in butt joint with each PKI (namely public key infrastructure), the signature service system can flexibly adapt to the interface of each PKI, compared with the condition that the composition of the certificate request information is fixed because the certificate request information is generated by the SIM card in the prior art, the signature service system in the embodiment of the invention can be compatible with each PKI interface, thereby improving the flexibility and the expansibility of the signature service system,
the signature service system is favorable for providing signature service.
In some embodiments, there are various ways to obtain the digital certificate according to the P10 data packet in step S105, and an optional way is described below:
s1051, sending a certificate application request carrying the certificate request data packet to a digital certificate issuing system;
the above-mentioned digital certificate issuing system, for example, public key infrastructure, or PKI, such as digital certificate registration authority RA, digital certificate authority CA, and the like. After the signing service system forms the P10 data packet, a certificate application request is sent to the digital certificate issuing system, and the request carries the P10 data packet. When the digital certificate issuing system receives the request, the digital certificate is generated and issued, and the digital certificate is returned to the signature service system.
S1052, when receiving the digital certificate returned by the digital certificate issuing system, analyzing the digital certificate to obtain certificate data, and sending the certificate data to the user identity identification card;
s1053, when receiving the response information of the certificate installation completion returned by the user identification card, sending the response information of the successful certificate application to the service system.
And after the installation is finished, sending response information of the certificate installation completion to the signature service system. And when the signature service system receives the response information, returning a response information to the service system to inform the service system that the application of the digital certificate is successful.
In a second aspect, the present invention further provides a digital certificate application method, which may be executed by a user identification card, as shown in fig. 2, and the method corresponds to the digital certificate application method executed by a signature service system, and specifically may include the following steps:
s201, when a key pair generation instruction sent by a signature service system is received, generating a key pair, and returning public key information in the key pair to the signature service system;
it will be appreciated that the public key information may include a public key, a public key exponent, and/or other information.
In practical applications, it may also be detected whether the signed password is set before generating the key pair. Specifically, whether a terminal of a user to which an SIM card belongs or a terminal of the SIM card is set with a signature password or not is detected, and if the signature password is set, a step of generating a key pair is executed; if the signature password is not set, prompt information for setting the signature password needs to be sent to the user terminal, and the step of generating the key pair can be executed after the user sets the signature password on the user terminal. This ensures that the user has set the signing password when the step of generating the key pair is performed.
S202, when the hash data sent by the signature service system is received, the hash data is signed by the private key of the key pair to obtain signature data, and the signature data is returned to the signature service system.
It will be appreciated that so-called signing is in fact an encryption process, i.e. the encryption of hash data using the private key of a key pair.
The digital certificate application method provided by the embodiment of the invention is matched with the digital certificate application method executed by the signature service system to realize the application of the digital certificate. Because only the signature data in the certificate request data packet is formed by the user identity identification card, the user identity identification card only needs one data short message and does not need a plurality of data short messages when sending the signature data to the signature service system, so that the waiting time of the signature service system is short, and the reliability and the stability of the digital certificate application process can be improved compared with the condition that the user identity identification card needs a plurality of data short messages to send related data to the signature service system in the prior art.
In some embodiments, the user identification card may further perform the steps of:
s203, installing a digital certificate when receiving the certificate data sent by the signature service system; and when the digital certificate is installed, sending response information of the certificate installation completion to the signature service system.
Through the above step S203, the SIM card completes the installation of the digital certificate. Step S203 is matched with steps S1051 to S1053 above, and the whole process of acquiring the digital certificate is completed.
In a third aspect, based on the digital certificate application methods provided in the first and second aspects, an embodiment of the present invention further provides a digital certificate application method, where the method is executed by a signature service system and a user identity card, as shown in fig. 3, and specifically includes:
s301, when receiving a certificate application request sent by a service system, a signature service system generates a key pair generation instruction and sends the key pair generation instruction to a user identity identification card;
s302, when receiving a key pair generation instruction sent by a signature service system, the user identity identification card generates a key pair, and returns public key information in the key pair to the signature service system;
s303, after receiving the public key information returned by the user identity identification card, the signature service system forms certificate request information comprising the public key information; performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
s304, when the user identity identification card receives the hash data sent by the signature service system, the hash data is signed by using a private key in the key pair to obtain signature data, and the signature data is returned to the signature service system;
s305, when the signature service system receives the signature data returned by the user identity identification card, forming a certificate request data packet comprising the authentication request information and the signature data; and acquiring a digital certificate according to the certificate request data packet.
For explanation, examples, and beneficial effects of relevant contents in the digital certificate application method provided in the embodiment of the present application, reference may be made to corresponding parts in the first aspect and the second aspect, which are not described herein again.
Referring specifically to fig. 4, the overall process of digital certificate application generally includes:
s401, a user requests a service manager to download a digital certificate;
s402, a service manager verifies the identity of the user;
s403, after the certificate passes the verification, triggering a certificate application process through a service system;
s404, after the certificate application process is triggered, the service system sends a certificate application request to the signature service system;
s405, after receiving a certificate application request sent by a service system, the signature service system generates a key pair generation instruction;
s406, sending the key pair generation instruction to the SIM card;
s407, after receiving the key pair generation instruction, the SIM card generates a key pair;
s408, public key information such as a public key, a public key index and the like in the key pair is sent to the signature service system;
s409, the signature service system forms certificate request information according to the public key information, and performs hash operation on the certificate request information to obtain hash data;
s410, the signature service system sends the generated hash data to the SIM card;
s411, the SIM card signs the hash data by adopting a private key to obtain signature data;
s412, the SIM card returns the signature data to the signature service system;
s413, the signature service system assembles the data such as the signature data, the certificate request information and the signature algorithm into a P10 data packet according to the format requirement of the P10 data packet:
s414, the signature service system sends a certificate application request carrying a P10 data packet to the RA/CA;
s415, when the RA/CA receives the certificate application request, generating a corresponding digital certificate;
s416, the RA/CA returns the digital certificate to the signature service system;
s417, the signature service system analyzes the digital certificate to obtain certificate data (which can also be called as certificate information);
s418, the signature service system sends the certificate data to the SIM card;
s419, installing a digital certificate on the SIM card;
s420, after the SIM card is installed, sending response information of the installed SIM card to a signature service system;
and S421, after receiving the response information sent by the SIM card, the signature service system sends the response information successfully applied to the service system.
The application of the digital certificate is completed through the above steps S401 to S421.
After the application of the digital certificate is completed in steps S401 to S421, the user may provide a digital signature service, and a specific signature service process may include:
s501, the service system sends the data to be signed encrypted by RSA (public key encryption algorithm) to a signature service system;
s502, the signature service system sends a service signature request carrying data to be signed to the SIM card;
s503, the signature service system conducts RSA encryption on data to be signed to obtain transaction data;
s504, the signature service system sends the transaction data to the user terminal;
s505, popping up an STK (sim tools) menu by the user terminal, displaying transaction data, and then confirming the transaction data by the user;
s506, the user terminal sends the user confirmation result to the SIM card;
s507, the SIM card signs the user confirmation result by adopting a private key;
s508, the SIM card sends response information to the signature service system according to the signed user confirmation result;
s509, after receiving the response message sent by the SIM card, the signature service system sends the response message to the service system.
Through the above steps S501 to S509, the signature service is realized. In the process, the service system directly sends the data to be signed to the SIM card for signature through the signature service system, the signature service system does not perform Hash operation on the data to be signed any more, and the signature process is simple and efficient.
In a fourth aspect, an embodiment of the present invention provides a signature service system, as shown in fig. 6, where the system 600 includes:
the instruction generation module 601 is configured to generate a key pair generation instruction when receiving a certificate application request sent by a service system, and send the key pair generation instruction to a user identification card;
an information forming module 602, configured to form certificate request information including public key information after receiving the public key information returned by the user identification card;
the hash operation module 603 performs hash operation on the certificate request information to obtain hash data, and sends the hash data to the user identification card;
a data packet forming module 604, configured to form a certificate request data packet including the authentication request information and the signature data when receiving the signature data returned by the user identification card; the signature data is obtained by signing the hash data by the user identity identification card by adopting a private key in a generated key pair;
a certificate obtaining module 605, configured to obtain a digital certificate according to the certificate request packet.
In some embodiments, the certificate acquisition module is specifically configured to: sending a certificate application request carrying the certificate request data packet to a digital certificate issuing system; when a digital certificate returned by the digital certificate issuing system is received, analyzing the digital certificate to obtain certificate data, and sending the certificate data to the user identity identification card; and when response information of certificate installation completion returned by the user identity identification card is received, response information of successful certificate application is sent to the service system.
In some embodiments, the information forming module specifically forms a certificate request packet including the authentication request information, the signature data, and a signature algorithm.
In some embodiments, the public key information includes a public key and a public key exponent.
It can be understood that each functional module in the signature service system corresponds to each step in the digital certificate application method provided in the first aspect, and for explanation, examples, and beneficial effects of relevant contents, reference may be made to corresponding contents in the first aspect, which are not described herein again.
In a fifth aspect, an embodiment of the present invention provides a user identification card, as shown in fig. 7, the user identification card 700 includes:
a key pair generation module 701, configured to generate a key pair when receiving a key pair generation instruction sent by a signature service system, and return public key information in the key pair to the signature service system;
and the data signature module 702 is configured to, when hash data sent by the signature service system is received, sign the hash data by using a private key in the key pair to obtain signature data, and return the signature data to the signature service system.
In some embodiments, the user identification card further comprises:
the certificate installation module is used for installing a digital certificate when receiving the certificate data sent by the signature service system; and when the digital certificate is installed, sending response information of the certificate installation to the signing service system.
In some embodiments, the key pair generation module detects whether the user terminal sets a signature password before generating the key pair; if yes, executing the step of generating the key pair; otherwise, sending out prompt information for setting the signature password to the user terminal, and executing the step of generating the key pair after the user terminal sets the signature password.
It can be understood that each functional module in the user identification card corresponds to each step in the digital certificate application method provided by the second aspect, and the explanation, example, beneficial effects and the like of the relevant content thereof can refer to the corresponding content in the second aspect, and are not described herein again.
In a sixth aspect, an embodiment of the present invention provides a digital certificate application system, including the signature service system in the fourth aspect and the user identification card in the fifth aspect.
In a seventh aspect, an embodiment of the present invention provides a digital certificate applying apparatus to execute the digital certificate applying method in the first aspect or the second aspect, and fig. 8 illustrates a hardware structure diagram of the digital certificate applying apparatus provided in the embodiment of the present invention.
The digital certificate application apparatus may include a processor 801 and memory 802 that stores computer program instructions.
Specifically, the processor 801 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing embodiments of the present invention.
Memory 802 may include mass storage for data or instructions. By way of example, and not limitation, memory 802 may include a Hard Disk Drive (HDD), a floppy Disk Drive, flash memory, an optical Disk, a magneto-optical Disk, a tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 802 may include removable or non-removable (or fixed) media, where appropriate. The memory 802 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 802 is a non-volatile solid-state memory. In a particular embodiment, the memory 802 includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory or a combination of two or more of these.
The processor 801 reads and executes the computer program instructions stored in the memory 802 to implement any of the digital certificate application methods in the above embodiments.
In one example, the digital certificate application apparatus may also include a communication interface 803 and a bus 810. As shown in fig. 8, the processor 801, the memory 802, and the communication interface 803 are connected via a bus 810 to complete communication therebetween.
The communication interface 803 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.
Bus 810 includes hardware, software, or both to couple the components of the digital certificate application apparatus to each other. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hypertransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an infiniband interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus or a combination of two or more of these. Bus 810 may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.
The digital certificate application equipment can execute the digital certificate application method in the embodiment of the invention based on the acquired network management performance index of the cell to be tested.
It is to be understood that the invention is not limited to the precise arrangements and instrumentalities shown. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments can be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which computer program instructions are stored, and the computer program instructions, when executed by a processor, implement the digital certificate application method provided in the first aspect or the second aspect.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
As described above, only the specific embodiments of the present invention are provided, and it can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any equivalent modifications or substitutions can be easily made by those skilled in the art within the technical scope of the present invention.

Claims (13)

1. A digital certificate application method is applied to a signature service system and is characterized by comprising the following steps:
when a certificate application request sent by a service system is received, generating a key pair generation instruction, and sending the key pair generation instruction to a user identity identification card;
after public key information returned by the user identity identification card is received, certificate request information comprising the public key information is formed;
performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
when signature data returned by the user identification card is received, a certificate request data packet comprising the certificate request information and the signature data is formed, wherein the signature data is obtained by signing the hash data by a private key in a generated key pair of the user identification card;
and acquiring the digital certificate according to the certificate request data packet.
2. The method of claim 1, wherein obtaining a digital certificate from the certificate request packet comprises:
sending a certificate application request carrying the certificate request data packet to a digital certificate issuing system;
when a digital certificate returned by the digital certificate issuing system is received, analyzing the digital certificate to obtain certificate data, and sending the certificate data to the user identity identification card;
and when response information of the completion of the certificate installation returned by the user identity identification card is received, response information of successful certificate application is sent to the service system.
3. The method according to claim 1, wherein the forming a certificate request packet including the certificate request information and the signature data comprises: forming a certificate request packet comprising the certificate request information, the signature data and a signature algorithm.
4. The method according to any one of claims 1 to 3, wherein the public key information comprises a public key and a public key exponent.
5. A digital certificate application method is applied to a user identity identification card, and is characterized by comprising the following steps:
generating a key pair when receiving a key pair generation instruction sent by a signature service system, and returning public key information in the key pair to the signature service system;
when receiving the hash data sent by the signature service system, adopting a private key in the key pair to sign the hash data to obtain signature data, and returning the signature data to the signature service system so that the signature service system forms a certificate request data packet comprising certificate request information and the signature data when receiving the signature data returned by the user identity identification card.
6. The method of claim 5, further comprising:
installing a digital certificate when receiving the certificate data sent by the signature service system;
and when the digital certificate is installed, sending response information of the certificate installation to the signing service system.
7. The method of claim 5 or 6, wherein before generating the key pair, the method further comprises:
detecting whether a user terminal sets a signature password;
if yes, executing the step of generating the key pair;
otherwise, sending prompt information for setting the signature password to the user terminal, and executing the step of generating the key pair after the user terminal sets the signature password.
8. A method for applying for a digital certificate, comprising:
when receiving a certificate application request sent by a service system, a signature service system generates a key pair generation instruction and sends the key pair generation instruction to a user identity identification card;
the user identity identification card generates a key pair when receiving a key pair generation instruction sent by a signature service system, and returns public key information in the key pair to the signature service system;
after receiving the public key information returned by the user identity identification card, the signature service system forms certificate request information comprising the public key information; performing hash operation on the certificate request information to obtain hash data, and sending the hash data to the user identity identification card;
when the user identity identification card receives the hash data sent by the signature service system, the hash data is signed by adopting a private key in the key pair to obtain signature data, and the signature data is returned to the signature service system;
when the signature service system receives the signature data returned by the user identity identification card, a certificate request data packet comprising the certificate request information and the signature data is formed; and acquiring a digital certificate according to the certificate request data packet.
9. A signature service system, comprising:
the instruction generation module is used for generating a key pair generation instruction when receiving a certificate application request sent by a service system and sending the key pair generation instruction to the user identity identification card;
the information forming module is used for forming certificate request information comprising the public key information after receiving the public key information returned by the user identity identification card;
the Hash operation module is used for carrying out Hash operation on the certificate request information to obtain Hash data and sending the Hash data to the user identity identification card;
the data packet forming module is used for forming a certificate request data packet comprising the certificate request information and the signature data when receiving the signature data returned by the user identity identification card; the signature data is obtained by the user identity identification card by adopting a private key in a generated key pair to sign the hash data;
and the certificate acquisition module is used for acquiring the digital certificate according to the certificate request data packet.
10. A user identification card, comprising:
the system comprises a key pair generation module, a signature service system and a key pair generation module, wherein the key pair generation module is used for generating a key pair when receiving a key pair generation instruction sent by the signature service system and returning public key information in the key pair to the signature service system;
and the data signature module is used for signing the hash data by adopting a private key in the key pair to obtain signature data when receiving the hash data sent by the signature service system, and returning the signature data to the signature service system so that the signature service system forms a certificate request data packet comprising certificate request information and the signature data when receiving the signature data returned by the user identity identification card.
11. A digital certificate application system comprising the signature service system as claimed in claim 9 and the user identification card as claimed in claim 10.
12. A digital certificate application apparatus, comprising: at least one processor, at least one memory, and computer program instructions stored in the memory, which when executed by the processor, implement the method of any of claims 1-4 or any of claims 5-7.
13. A computer readable storage medium having computer program instructions stored thereon which, when executed by a processor, implement the method of any of claims 1-4 or any of claims 5-7.
CN201711456434.2A 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium Active CN109981278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711456434.2A CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711456434.2A CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Publications (2)

Publication Number Publication Date
CN109981278A CN109981278A (en) 2019-07-05
CN109981278B true CN109981278B (en) 2022-09-13

Family

ID=67074332

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711456434.2A Active CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Country Status (1)

Country Link
CN (1) CN109981278B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111125665A (en) * 2019-12-04 2020-05-08 中国联合网络通信集团有限公司 Authentication method and device
CN111209589A (en) * 2019-12-31 2020-05-29 航天信息股份有限公司 Method and system for dynamic data desensitization based on regional chain
CN111291392B (en) * 2020-01-22 2022-09-06 京东科技控股股份有限公司 Electronic signature method and device, electronic equipment and storage medium
CN111428279B (en) * 2020-03-26 2023-12-08 国汽(北京)智能网联汽车研究院有限公司 Explicit certificate generation method, device, equipment and storage medium
CN112491613B (en) * 2020-11-26 2022-02-22 北京航空航天大学 Information service identifier generation method and device
CN114125844B (en) * 2021-11-24 2024-04-19 中国银行股份有限公司 Method and device for generating and downloading digital certificate

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101777978A (en) * 2008-11-24 2010-07-14 华为终端有限公司 Method and system based on wireless terminal for applying digital certificate and wireless terminal
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
CN102904865A (en) * 2011-07-29 2013-01-30 中国移动通信集团公司 Method, system and equipment for management of multiple digital certificates on basis of mobile terminal
CN106936577A (en) * 2015-12-29 2017-07-07 航天信息股份有限公司 A kind of method for certificate request, terminal and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9331990B2 (en) * 2003-12-22 2016-05-03 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
CN101527630B (en) * 2008-12-31 2011-02-16 北京飞天诚信科技有限公司 Method, server and system for manufacturing certificate remotely
CN101977193B (en) * 2010-10-28 2013-11-13 飞天诚信科技股份有限公司 Method and system for safely downloading certificate
CN106921496A (en) * 2015-12-25 2017-07-04 卓望数码技术(深圳)有限公司 A kind of digital signature method and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101777978A (en) * 2008-11-24 2010-07-14 华为终端有限公司 Method and system based on wireless terminal for applying digital certificate and wireless terminal
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
WO2012031433A1 (en) * 2010-09-07 2012-03-15 中兴通讯股份有限公司 System and method for remote payment based on mobile terminal
CN102904865A (en) * 2011-07-29 2013-01-30 中国移动通信集团公司 Method, system and equipment for management of multiple digital certificates on basis of mobile terminal
CN106936577A (en) * 2015-12-29 2017-07-07 航天信息股份有限公司 A kind of method for certificate request, terminal and system

Also Published As

Publication number Publication date
CN109981278A (en) 2019-07-05

Similar Documents

Publication Publication Date Title
CN109981278B (en) Digital certificate application method, system, user identification card, device and medium
CN111224788B (en) Electronic contract management method, device and system based on block chain
CN107133520B (en) Credibility measuring method and device for cloud computing platform
EP3101607A1 (en) NFC-ENABLED DEVICES FOR & xA;PERFORMING SECURE CONTACTLESS TRANSACTIONS AND USING HCE
CN110393019B (en) Method and related device for updating firmware
CN109245899B (en) Trust chain design method based on SM9 cryptographic algorithm
US10158990B2 (en) SMS message reading control method and terminal
CN112579125B (en) Firmware upgrading method and device, electronic equipment and storage medium
CN110955921A (en) Electronic signature method, device, equipment and storage medium
CN112199644A (en) Mobile terminal application program safety detection method, system, terminal and storage medium
CN110650478A (en) OTA method, system, device, SE module, program server and medium
CN114040401B (en) Terminal authentication method and system
CN111147259B (en) Authentication method and device
CN115664655A (en) TEE credibility authentication method, device, equipment and medium
CN108075895B (en) Node permission method and system based on block chain
CN113824566B (en) Certificate authentication method, code number downloading method, device, server and storage medium
JPWO2018179293A1 (en) Verification information providing device, verification device, information management system, method, and program
CN111148213B (en) Registration method of 5G user terminal, user terminal equipment and medium
CN115344848B (en) Identification acquisition method, device, equipment and computer readable storage medium
CN109348472B (en) OTA (over the air) upgrading method and system based on single-point pushing
CN114172923B (en) Data transmission method, communication system and communication device
CN112651835B (en) Alliance chain transaction method, device, electronic equipment and storage medium
CN114390478A (en) Equipment authentication system, method and terminal equipment
CN114338278A (en) Tunnel communication method, device, equipment and medium
CN113572717A (en) Communication connection establishing method, washing and protecting equipment and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant