Contract signing management system and method based on PKI/CA authentication and blockchain technology
Technical Field
The invention relates to the technical field of contract signing management, and in particular to a contract signing management system and method based on PKI/CA authentication and blockchain technology.
Background
A contract is an agreement between parties to establish, change or terminate a civil relationship. A contract established according to law is protected by law. At present, most contracts are on paper, which leads to the following problems: signing contracts offline is cumbersome, and paper contracts are easily lost and easily falsified.
The current PKI authentication system is the most widely applied and most mature identity authentication mechanism, but it requires the user to store the user's private key securely. On the one hand, complex passwords are difficult to remember; on the other hand, simple passwords are easily cracked by attackers in various ways, which creates security threats. Other ways of protecting the passwords are therefore needed where security requirements are higher or on special occasions.
In data transmission, asymmetric encryption ensures that the data can only be opened by the designated person, but asymmetrically encrypting a large file is slow and lengthens the ciphertext, so the operating efficiency of the system is low.
Disclosure of Invention
The invention aims to provide a contract signing management system and method based on PKI/CA authentication and blockchain technology, in order to solve the problems of insecure contract storage and management and of inefficient online electronic contracts in the prior art.
To achieve this purpose, the invention provides the following technical solution: a contract signing management system based on PKI/CA authentication and blockchain technology, comprising a CA registration center, a contract storage alliance chain network, a client system and a platform system. The CA registration center issues X.509v3 digital certificates carrying biometric data; the client system authenticates the user's biometric features and simple password; the platform system authenticates and signs the same data; and the contract storage alliance chain network stores the signed contract information on the blockchain.
Preferably, the client system comprises user registration, certificate application, contract signing, contract management and dual identity authentication.
Preferably, the platform system comprises a user management center, a contract management center, a data center and contract uplink.
Preferably, contract data is transmitted between the client system and the platform system using a combination of the Keccak hash algorithm, the symmetric encryption algorithm AES-128 and the asymmetric encryption algorithm RSA.
To achieve the above purpose, the invention also provides the following technical solution: a method of using the contract signing management system based on PKI/CA authentication and blockchain technology, comprising the following steps:
(1) the user registers the user's mobile phone number in the client system or the platform system, then performs real-name authentication and passes it;
(2) the user submits a certificate application through the client system and at the same time provides the user's biometric information;
(3) the CA registration center verifies the validity of the user's personal information and biometric features, and the user obtains an X.509v3 digital certificate issued by the CA registration center;
(4) the contract initiator finishes drafting the electronic contract and submits a verification request;
(5) after verification is completed, the digital certificate is invoked to complete the signing process, the list of parties to the contract is filled in, upload is clicked, and the file is transmitted via the CUTP protocol;
(6) the platform system receives the electronic contract provided by the initiator, computes an SHA-3 value with the SHA-3 algorithm and uses that value as the data fingerprint of the file, randomly generates a 128-bit key, and obtains the encrypted ciphertext with the symmetric encryption algorithm AES-128;
(7) after the above steps are completed, the electronic contract, the SHA-3 value, the encrypted ciphertext and the key are combined into one file, the recipient's public key is obtained for encryption, and asymmetric encryption is completed with the RSA algorithm to obtain the final encrypted data packet;
(8) after receiving the notification, each party to the contract verifies the user according to the verification process in step (4);
(9) after the verification is passed, the encrypted data packet is decrypted with the private key and the validity of the information in the packet is verified, specifically whether the signature is valid and whether the contract's SHA-3 value is consistent;
(10) after the validity of the information is verified, the party to the contract receives the contract plaintext; after confirming that it is correct, the party goes through the certificate verification process again, invokes the digital certificate to complete the signature, adds a timestamp and uploads it;
(11) after all parties to the contract have completed the signing process, the platform system packages information such as the file digest, the timestamp information and the signer information and stores it in the contract storage alliance chain network.
Preferably, according to step (2), the biometric information is a static biological feature, including a fingerprint, an iris, a retina or a palm vein pattern.
Preferably, the collected biometric information satisfies uniqueness, stability, universality and collectability.
Preferably, according to step (4), the verification process is as follows:
① raise a verification request;
② submit the CA digital certificate and collect the biometric information;
③ parse the biometric index field of the CA digital certificate;
④ query the biometric information database to obtain the corresponding biometric reference data;
⑤ convert the collected biometric information into feature data and compare it with the biometric reference data obtained from the database;
⑥ obtain the comparison deviation ratio and compare it with the fault-tolerance deviation ratio;
⑦ when the deviation ratio is less than the fault-tolerance deviation ratio, verify the validity of the certificate and the validity of the signature, and output the verification result;
⑧ if the deviation ratio is greater than the fault-tolerance deviation ratio, output the verification result directly.
Compared with the prior art, the invention has the following beneficial effects: the system can apply to the CA registration center for an X.509v3 digital certificate embedded with biometric data;
before the digital certificate is invoked for signing, the user must complete authentication based on biometric features and a simple password, which improves both convenience and security;
contract encryption and transmission combine the Keccak hash algorithm, the symmetric encryption algorithm AES-128 and the asymmetric encryption algorithm RSA, which keeps encryption fast, improves system efficiency and ensures security, since only the designated person can obtain the information by means of the private key;
for any operation, whether performed on the user side or in the platform system, the operation summary, the operator's identity information and the timestamp information are recorded and stored in the blockchain network, which ensures that the information is traceable and cannot be repudiated.
Drawings
FIG. 1 is a flow chart of a digital certificate application process of the present invention;
FIG. 2 is a schematic diagram of the CA certificate structure of the present invention;
FIG. 3 is a certificate verification flow diagram of the present invention;
FIG. 4 is a contract signing flow diagram of the present invention;
FIG. 5 is a system architecture diagram of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIGS. 1 to 5, the present invention provides a technical solution: a contract signing management system based on PKI/CA authentication and blockchain technology, comprising a CA registration center, a contract storage alliance chain network, a client system and a platform system. The CA registration center issues X.509v3 digital certificates carrying biometric data; the client system authenticates the user's biometric features and simple password; the platform system authenticates and signs the same data; and the contract storage alliance chain network stores the signed contract information on the blockchain.
The structure diagram of the X.509v3 digital certificate is shown in FIG. 2.
The client system comprises user registration, certificate application, contract signing, contract management and dual identity authentication.
Description of client functions:
1. User registration: the user registers a platform account;
2. Certificate application: the user applies to the CA registration center for a digital certificate embedded with the user's biometric information (shown in FIG. 1);
3. Contract signing: initiating and reviewing contracts, adding signatures, and the like;
4. Contract management: viewing and downloading signed contracts in which the user took part;
5. Dual identity authentication: user identity authentication is completed based on the biometric features and the validity of the CA certificate.
Description of the biometric authentication scanning hardware: it reads the user's biometric information and converts it into data.
The platform system comprises a user management center, contract management, a data center and contract uplink.
Description of platform system functions:
1. User management center: back-office review of user registration information, management of user feedback, and the like;
2. Contract management: contract encryption, decryption and transmission, contract expiry reminders, and the like;
3. Data center: outputs data reports;
4. Contract uplink: uploads the signed contract to the contract storage alliance chain network.
CA registration center: creates and issues digital certificates.
Contract storage alliance chain network: a distributed alliance network for storing information, which ensures data security; the alliance chain grants the relevant operation rights only to approved persons or organizations.
Contract data is transmitted between the client system and the platform system using a combination of the Keccak hash algorithm, the symmetric encryption algorithm AES-128 and the asymmetric encryption algorithm RSA.
The system is built as shown in the system architecture diagram of FIG. 5 and comprises a client, a platform system and biometric authentication scanning hardware.
As shown in FIG. 4, a method of using the contract signing management system based on PKI/CA authentication and blockchain technology includes the following steps:
(1) the user registers the user's mobile phone number in the client system or the platform system, then performs real-name authentication and passes it;
(2) the user submits a certificate application through the client system and at the same time provides the user's biometric information;
(3) the CA registration center verifies the validity of the user's personal information and biometric features, and the user obtains an X.509v3 digital certificate issued by the CA registration center;
(4) the contract initiator finishes drafting the electronic contract and submits a verification request;
(5) after verification is completed, the digital certificate is invoked to complete the signing process, the list of parties to the contract is filled in, upload is clicked, and the file is transmitted via the CUTP protocol;
(6) the platform system receives the electronic contract provided by the initiator, computes an SHA-3 value with the SHA-3 algorithm and uses that value as the data fingerprint of the file, randomly generates a 128-bit key, and obtains the encrypted ciphertext with the symmetric encryption algorithm AES-128;
(7) after the above steps are completed, the electronic contract, the SHA-3 value, the encrypted ciphertext and the key are combined into one file, the recipient's public key is obtained for encryption, and asymmetric encryption is completed with the RSA algorithm to obtain the final encrypted data packet;
(8) after receiving the notification, each party to the contract verifies the user according to the verification process in step (4);
(9) after the verification is passed, the encrypted data packet is decrypted with the private key and the validity of the information in the packet is verified, specifically whether the signature is valid and whether the contract's SHA-3 value is consistent;
(10) after the validity of the information is verified, the party to the contract receives the contract plaintext; after confirming that it is correct, the party goes through the certificate verification process again, invokes the digital certificate to complete the signature, adds a timestamp and uploads it;
(11) after all parties to the contract have completed the signing process, the platform system packages information such as the file digest, the timestamp information and the signer information and stores it in the contract storage alliance chain network.
The decentralized and distributed storage of the contract storage alliance chain network ensures the security and validity of the data. In addition, any operation, whether at the user end or in the platform system, records the operation summary, the operator's identity information and the timestamp information (the timestamp is obtained by requesting it from the PKI timestamp server).
According to step (2), the biometric information is a static biological feature, including a fingerprint, an iris, a retina or a palm vein pattern.
The collected biometric information satisfies uniqueness, stability, universality and collectability.
The collected biometric information must have these four characteristics. Uniqueness: the identity of the person must be derivable from it, and no two persons have matching feature values. Stability: the feature does not change significantly over time. Universality: everyone who needs identity authentication has the feature. Collectability: the feature can be measured quantitatively.
As shown in FIG. 3, according to step (4), the verification process is:
① raise a verification request;
② submit the CA digital certificate and collect the biometric information;
③ parse the biometric index field of the CA digital certificate;
④ query the biometric information database to obtain the corresponding biometric reference data;
⑤ convert the collected biometric information into feature data and compare it with the biometric reference data obtained from the database;
⑥ obtain the comparison deviation ratio and compare it with the fault-tolerance deviation ratio;
⑦ when the deviation ratio is less than the fault-tolerance deviation ratio, verify the validity of the certificate and the validity of the signature, and output the verification result;
⑧ if the deviation ratio is greater than the fault-tolerance deviation ratio, output the verification result directly.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.