CN110932851A - PKI-based multi-party cooperative operation key protection method - Google Patents
PKI-based multi-party cooperative operation key protection method Download PDFInfo
- Publication number
- CN110932851A CN110932851A CN201911206709.6A CN201911206709A CN110932851A CN 110932851 A CN110932851 A CN 110932851A CN 201911206709 A CN201911206709 A CN 201911206709A CN 110932851 A CN110932851 A CN 110932851A
- Authority
- CN
- China
- Prior art keywords
- key
- server
- client
- certificate
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention discloses a key protection method based on PKI (public key infrastructure) multi-party cooperative operation, which relates to the field of electronic authentication PKI (public key infrastructure) cryptographic technology integration innovation, combines various cryptographic technologies and combined authentication of various factors to ensure the safety of generation, calling and storage of a user private key, obtains a pseudo key by adding a user identity factor into a real key as a part of salt and converting the pseudo key after being confused with other data of a server, performs fragmentation processing on the pseudo key, and controls the storage of a part locally by a user, thereby realizing that the integrity and confidentiality of the real key of the user are not influenced by single key leakage through the mechanism.
Description
Technical Field
The invention relates to the field of electronic authentication PKI (public key infrastructure) cryptographic technology integration innovation, in particular to a key protection method based on PKI (public key infrastructure) multi-party cooperative operation.
Background
At present, an electronic authentication PKI (public key infrastructure) cryptographic technology mainly adopts a hardware medium intelligent cryptographic key USBKey (such as a bank U shield and an IC (integrated circuit) card) to generate, store and perform cryptographic operation on a terminal personal computer, and controls authentication access to a user through PIN (personal identification number) code protection of a hardware medium, but the hardware mainly depends on a PC (personal computer) application scene at present and is not beneficial to convenient use of intelligent terminal application scenes such as a mobile internet, an internet of things and the like. The traditional password protection mode of using a hardware medium USBKey as a password is not beneficial to convenient use in application scenes of intelligent terminals such as mobile internet, internet of things and the like, firstly, carrying USBKey equipment with a user is inconvenient and easy to lose, secondly, some intelligent terminals cannot be adapted, and the requirements on software and hardware environments of the intelligent terminals are high.
At present, in order to conveniently use a PKI digital authentication technology in an intelligent terminal application scene such as a mobile internet, an internet of things and the like, a soft key mode is mainly used during application integration, namely a file key is generated by an intelligent terminal and is stored and called locally, and the mode has great potential safety hazards. Each link of the method in the processes of key generation, storage, operation, transmission and the like is possibly intercepted by a malicious program, so that the key is leaked.
Disclosure of Invention
The invention aims to: the method combines a plurality of cryptographic technologies and combined authentication of a plurality of factors to ensure the safety of generation, calling and storage of a user private key, adds a user identity factor into a real key as a part of salt, transforms the salt into a pseudo key after being confused with other data of a server, performs fragmentation processing on the pseudo key, and controls the storage of a part of the data locally by a user.
The technical scheme adopted by the invention is as follows:
a key protection method based on PKI multi-party cooperative operation comprises a User, a Client, a Server and an external RA/CA/KMC Server,
user: the user participates in information input and operation determination;
client side: the key correlation operation of the client side is taken charge;
server side Server: the system is in charge of server-side key division and related operation, the key operation needs to be realized by adopting a hardware password component with high safety, and a certificate application request is sent to an external RA/CA/KMC server for applying for a digital certificate and an encryption key;
external RA/CA/KMC server: an external third party system service for applying for a digital certificate and an encryption key;
the key protection method based on the PKI multi-party cooperative operation mainly comprises the following steps:
s1 user certificate registration: after the User passes the real-name authentication, a server encryption machine randomly generates a signature key and a certificate request P10 for the User, salt adding and confusion processing is carried out on a real private key, A, B, C three sections of pseudo keys are divided, the User encrypts two sections of A, B stored in the encryption machine in a protected mode through an identity ID and a PIN code, and the server encrypts two sections of B, C stored in the encryption machine in an encrypted mode through a built-in key of the encryption machine; the certificate request P10 is used for applying for a certificate to an external RA/CA/KMC server, and the private key of the user encrypted certificate is stored after being encrypted by using a pseudo key B segment; the whole key generation, division, transmission and storage are correspondingly protected by adopting PKI technology and multiple factors of people and equipment.
S2 digital signature application: using the identity ID and the certificate PIN code as a unique certificate of a private key holder, decrypting a Client side to obtain two divided keys d _ A and d _ B, using one part of d _ B as a symmetric key, combining the other part of d _ A with a HASH value to be signed, symmetrically encrypting, and then sending to a server side to synthesize a pseudo key, desalting and signing a true key, wherein the true key signature value is symmetrically encrypted by using the symmetric key d _ B and then returned to the Client side, and the Client side decrypts by using the same symmetric key d _ B to obtain a true key signature value of the server side; the PKI technology and the multiple factors of people and equipment are adopted to correspondingly protect the whole processes of key fragment decryption, pseudo key synthesis, truth seeking, encryption and data transmission.
S3 data encryption application: the method comprises the steps that an encryptor encrypts data to be sent by using an encryption certificate public key of a receiver, a decryptor decrypts by using an Identity (ID) and a certificate PIN code as a unique certificate of a private key holder to obtain two divided signature keys d _ A and d _ B at a Client, one of the d _ B signature private keys is used as a symmetric key to decrypt an encryption certificate private key (encryption private key) encrypted and stored in a registration link, and then the decrypted private key is used for decrypting a received ciphertext. PKI technology and identity and PIN information of the entity are correspondingly protected in the processes of decryption of the key fragment and decryption of data.
By adopting the key protection method based on the PKI multi-party cooperative operation, the integrity and confidentiality of a real key of a user can be ensured after the key is leaked at any one of the Client side and the Server side, the safety of the generation, calling, storage and operation of a private key of the user is ensured, and the key protection safety level of the method can reach the high safety level of the traditional hardware medium intelligent cipher key USBKey (such as a bank U shield and an IC card).
Further, the step S1 registration of the user certificate mainly includes the following steps:
s101: a User initiates a certificate registration application, firstly, information such as a User real name, a real certificate, real person biological characteristics and the like is acquired through a Client for authentication, and the authentication enters a subsequent certificate registration link;
s102: the Client generates a temporary SM2 asymmetric key, the private key is marked as T _ Pri, and the public key is marked as T _ Pub;
s103: the Client side sends the real-name identity ID and the public key T _ Pub to the Server side Server;
s104: the Server distributes a Session symmetric key Session for the client, and the Session symmetric key Session is recorded as T _ Session;
s105: the Server side Server calls a key generation interface of the hardware password module to generate a formal SM2 asymmetric key pair for the client, the private key is recorded as d, and the public key is recorded as P;
s106: the Server side Server calls a PKCS10 generation interface of the hardware cryptographic module to generate a certificate request P10 for the client;
s107: the Server side Server calls an interface use certificate request P10 of an external RA/CA/KMC Server system to apply for a client 'signature certificate SignCert, an encryption certificate EncryptCert and an encryption key plaintext EncryptKey';
s108: the Server side Server carries out salting and data confusion processing on the client private key d to obtain a pseudo private key d ═ Mix (salt, d);
s109: the Server end Server sequentially divides d' into A, B, C three parts, which are respectively marked as d _ A, d _ B, d _ C;
s110: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, takes T _ Session as a symmetric key, symmetrically encrypts and outputs'd _ A + d _ B, SignCert, EncryptCert and EncryptKey ', and records as client ' SM4_ Enc (T _ Session, d _ A + d _ B, SignCert, EncryptCert and EncryptKey);
s111: the Server performs SM2 asymmetric encryption on the T _ Session by using T _ Pub, which is denoted as T _ Session ═ SM2_ Enc (T _ Pub, T _ Session);
s112: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, performs symmetric encryption output on'd _ B + d _ C and EncryptKey' by using a built-in device symmetric key, and records the symmetric encryption output as Server ═ SM4_ Enc (d _ B + d _ C and EncryptKey);
s113: the Server side Server stores the Server' in a database;
s114: the Server side Server returns the Client '+ T _ Session' to the Client side;
s115: the Client uses T _ Pri to perform SM2 asymmetric decryption on T _ Session ', so as to obtain a Session symmetric key T _ Session ═ SM2_ Dec (T _ Pri, T _ Session');
s116: the Client uses T _ Session to symmetrically decrypt the Client 'by SM4 to obtain d _ A + d _ B, SignCert, EncryptCert, EncryptKey is SM4_ Dec (T _ Session, Client');
s117: the Client uses d _ B to perform SM4 symmetric encryption on the encrypt key, so as to obtain the encrypt key ═ SM4_ Enc (d _ B, encrypt key);
s118: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s119: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s120: the Client uses the Cert _ PIN ' to perform SM4 symmetric encryption on the d _ A + d _ B to obtain (d _ A + d _ B) ' (SM 4_ Enc (Cert _ PIN ', d _ A + d _ B);
s121: client stores (d _ A + d _ B) ', SignCert, EncryptCert, EncryptKey';
s122: and finishing the user registration.
Further, the step S2 of applying the digital signature mainly includes the following steps:
s201: the digital signature starts;
s202: client identity identification obtains identity ID;
s203: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s204: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s205: the Client uses the Cert _ PIN 'to symmetrically decrypt the (d _ a + d _ B)' by using the SM4, so as to obtain d _ a + d _ B as SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s206: the Client performs HASH operation on the information P to be signed to obtain a HASH value H-SM 3 (P);
s207: the Client uses d _ B to symmetrically encrypt d _ a + H to obtain (d _ a + H)' (SM 4_ Enc (d _ B, d _ a + H);
s208: the Client side sends the identity ID (d _ A + H)' to the Server side Server;
s209: the Server side Server finds out the user certificate according to the real-name identity ID, calls an external RA/CA/KMC Server interface, and confirms the certificate state (if the certificate is invalid, the operation is terminated);
s210: the Server side Server finds out a corresponding Server' value during registration according to the real-name identity ID;
s211: the Server side Server calls a symmetric decryption interface of the hardware cryptographic module, uses an equipment built-in symmetric key to symmetrically decrypt and output the Server 'to obtain d _ B + d _ C, and the EncryptKey is SM4_ Dec (Server');
s212: the Server side Server uses d _ B to symmetrically decrypt (d _ a + H) 'to obtain d _ a + H ═ SM4_ Dec (d _ B, (d _ a + H)');
s213: the Server side Server synthesizes an obfuscated pseudo private key d' ═ d _ A + d _ B + d _ C;
s214: the Server side Server performs impurity removal (desalting) processing on the pseudo private key d 'to obtain a user true private key d ═ Unmix (salt, d');
s215: the Server side Server encrypts H by using a true private key d to generate a P1/P7 digital signature, which is recorded as P1(d, H)/P7(d, H, certificate);
s216: the Server side Server symmetrically encrypts SignData by using d _ B as a symmetric key to obtain SignData ═ SM4_ Enc (d _ B, SignData);
s217: the Server returns SignData' to the Client;
s218: the Client side decrypts the SignData 'symmetrically by using d _ B as a symmetric key to obtain a digital signature SignData which is SM4_ Dec (d _ B, SignData');
s219: the digital signature ends.
Further, the step S3 data encryption application mainly includes the following steps:
s301: the User-A encryption information is sent to a User-B, and data encryption is started;
s302: the Client-A uses an encryption certificate EncryptCert _ B of the User-B to perform digital Envelope packaging on data to be sent, and the data to be sent is marked as Envelope _ B (EncryptCert _ B, data);
s303: the Client-A sends the Envelope _ B to the Client-B;
s304: identifying the Client-B to obtain the ID of the User-B;
s305: a User-B User inputs a certificate PIN code and records the certificate PIN code as Cert _ PIN;
s306: client-B performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s307: client-B uses Cert _ PIN 'to perform SM4 symmetric decryption on (d _ a + d _ B)' to obtain d _ a + d _ B ═ SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s308: the client-B decrypts the EncryptKey 'by using d _ B, and obtains the EncryptKey as SM4_ Dec (d _ B, EncryptKey');
s309: the client-B decrypts the Envelope _ B by using the EncryptKey to obtain plaintext data which is Decrypt (EncryptKey, Envelope _ B);
s310: and ending the data decryption.
The following specific security problems exist in the existing soft key (file key) technology:
1. the key generation and operation of the conventional soft key of the client are unsafe, and the key generation and operation of the conventional soft key of the client are inconvenient if a hardware key is used;
2. the conventional soft key lacks an enhanced safety mechanism in key storage and transmission, so that the key is easy to leak;
3. the conventional soft key encryption adopts the same salting factor, so that global risk is easy to occur;
4. the key storage and transmission of the conventional soft key lack a security mechanism for key segmentation, so that the key is easy to leak;
5. the conventional key negotiation has multiple interactions of session key negotiation, and the efficiency is low;
6. the key server database is dragged to be stored, and then the risk of data leakage is caused;
the invention relates to a key protection method based on PKI multi-party cooperative operation, aiming at the problems, the scheme is adopted, and the key protection method has the main advantages that:
1. the generation and operation of the Client real secret key are realized by depending on a hardware password component (an encryption machine or an encryption card) of the Server, the generation and operation of the secret key are safer, and the use is convenient;
2. salt addition and confusion are adopted for the real secret key to generate a pseudo secret key, and both secret key storage and secret key transmission use the pseudo secret key to prevent the real secret key from being leaked;
3. the salt adding factor is associated with user identity information and a PIN code, each user is special, and the salt adding factor of each user is different, so that global risks in the salt removing operation are prevented;
4. the transmission and storage of the pseudo key adopt a key segmentation technology, the client and the server only keep partial segment cipher texts, the key segmentation and multiple encryption realize high security of key transmission and storage, and the single leakage does not influence the security of the whole key;
5. a certain sharing segment in the pseudo key is skillfully used to realize the sharing of the session key, so that the session key does not need to be negotiated, and the efficiency is high;
6. the segment key stored at the server side is decrypted by adopting a hardware password component (an encryption machine or an encryption card) and can be decrypted and called only inside the hardware password component (the encryption machine or the encryption card), so that the real key is ensured not to fall to the ground, even if the database is dragged to the database, and the key data cannot be untied without the hardware password component (the encryption machine or the encryption card), and the security is higher.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:
1. the invention relates to a PKI-based key protection method for multi-party cooperative operation.A Client terminal Client real key is generated and operated by depending on a hardware password component (an encryption machine or an encryption card) of a Server terminal, so that the key is more safe to generate and operate and convenient to use;
2. the invention relates to a PKI-based multi-party cooperative operation secret key protection method, which adopts salt addition and confusion to generate a pseudo secret key for a real secret key, and both secret key storage and secret key transmission use the pseudo secret key to prevent the real secret key from being leaked;
3. the invention relates to a PKI-based multi-party cooperative operation key protection method, wherein salt adding factors are associated with user identity information and PIN codes, each user is special, and the salt adding factors of each user are different, so that global risks in desalting operation are prevented;
4. the invention relates to a PKI-based multi-party cooperative operation secret key protection method, a secret key segmentation technology is adopted for transmitting and storing a pseudo secret key, only partial segment ciphertext is reserved for a client and a server, the secret key segmentation and multiple encryption realize high safety of secret key transmission and storage, and the safety of the whole secret key is not influenced by single leakage;
5. the invention relates to a PKI-based key protection method for multi-party cooperative operation, which skillfully utilizes a certain sharing segment in a pseudo key to realize session key sharing, so that the session key does not need to be negotiated and the efficiency is high;
6. the invention relates to a PKI-based key protection method for multi-party cooperative operation.A fragment key stored at a server end is decrypted by adopting a hardware password component (an encryption machine or an encryption card) and can be decrypted and called only inside the hardware password component (the encryption machine or the encryption card), so that a real key is ensured not to fall down, key data cannot be decrypted even if a database is dragged to the database and the hardware password component (the encryption machine or the encryption card) is absent, and the safety is higher.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a functional block diagram of the present invention;
FIG. 2 is a flowchart of step S1 of the user certificate registration of the present invention;
FIG. 3 is a flow chart of the step S2 digital signature application of the present invention;
FIG. 4 is a flowchart of the present invention for the step S3 data encryption application;
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The present invention will be described in detail with reference to fig. 1 to 4.
Example 1
A key protection method based on PKI multi-party cooperative operation, as shown in figure 1, comprises a User, a Client, a Server and an external RA/CA/KMC Server,
user: the user participates in information input and operation determination;
client side: the key correlation operation of the client side is taken charge;
server side Server: the system is in charge of server-side key division and related operation, the key operation needs to be realized by adopting a hardware password component with high safety, and a certificate application request is sent to an external RA/CA/KMC server for applying for a digital certificate and an encryption key;
external RA/CA/KMC server: an external third party system service for applying for a digital certificate and an encryption key;
the key protection method based on the PKI multi-party cooperative operation mainly comprises the following steps:
s1 user certificate registration: after the User passes the real-name authentication, a server encryption machine randomly generates a signature key and a certificate request P10 for the User, salt adding and confusion processing is carried out on a real private key, A, B, C three sections of pseudo keys are divided, the User encrypts two sections of A, B stored in the encryption machine in a protected mode through an identity ID and a PIN code, and the server encrypts two sections of B, C stored in the encryption machine in an encrypted mode through a built-in key of the encryption machine; the certificate request P10 is used for applying for a certificate to an external RA/CA/KMC server, and the private key of the user encrypted certificate is stored after being encrypted by using a pseudo key B segment; the whole key generation, division, transmission and storage are correspondingly protected by adopting PKI technology and multiple factors of people and equipment.
S2 digital signature application: using the identity ID and the certificate PIN code as a unique certificate of a private key holder, decrypting a Client side to obtain two divided keys d _ A and d _ B, using one part of d _ B as a symmetric key, combining the other part of d _ A with a HASH value to be signed, symmetrically encrypting, and then sending to a server side to synthesize a pseudo key, desalting and signing a true key, wherein the true key signature value is symmetrically encrypted by using the symmetric key d _ B and then returned to the Client side, and the Client side decrypts by using the same symmetric key d _ B to obtain a true key signature value of the server side; the PKI technology and the multiple factors of people and equipment are adopted to correspondingly protect the whole processes of key fragment decryption, pseudo key synthesis, truth seeking, encryption and data transmission.
S3 data encryption application: the method comprises the steps that an encryptor encrypts data to be sent by using an encryption certificate public key of a receiver, a decryptor decrypts by using an Identity (ID) and a certificate PIN code as a unique certificate of a private key holder to obtain two divided signature keys d _ A and d _ B at a Client, one of the d _ B signature private keys is used as a symmetric key to decrypt an encryption certificate private key (encryption private key) encrypted and stored in a registration link, and then the decrypted private key is used for decrypting a received ciphertext. PKI technology and identity and PIN information of the entity are correspondingly protected in the processes of decryption of the key fragment and decryption of data.
By adopting the key protection method based on the PKI multi-party cooperative operation, the integrity and confidentiality of a real key of a user can be ensured after the key is leaked at any one of the Client side and the Server side, the safety of the generation, calling, storage and operation of a private key of the user is ensured, and the key protection safety level of the method can reach the high safety level of the traditional hardware medium intelligent cipher key USBKey (such as a bank U shield and an IC card).
Example 2
This embodiment is a further description of embodiment 1, and as shown in fig. 2, the step S1 of registering the user certificate mainly includes the following steps:
s101: a User initiates a certificate registration application, firstly, information such as a User real name, a real certificate, real person biological characteristics and the like is acquired through a Client for authentication, and the authentication enters a subsequent certificate registration link;
s102: the Client generates a temporary SM2 asymmetric key, the private key is marked as T _ Pri, and the public key is marked as T _ Pub;
s103: the Client side sends the real-name identity ID and the public key T _ Pub to the Server side Server;
s104: the Server distributes a Session symmetric key Session for the client, and the Session symmetric key Session is recorded as T _ Session;
s105: the Server side Server calls a key generation interface of the hardware password module to generate a formal SM2 asymmetric key pair for the client, the private key is recorded as d, and the public key is recorded as P;
s106: the Server side Server calls a PKCS10 generation interface of the hardware cryptographic module to generate a certificate request P10 for the client;
s107: the Server side calls an interface use certificate request P10 of the CA system to apply for a client 'signature certificate SignCert, encryption certificate EncryptCert and encryption key plaintext EncryptKey';
s108: the Server side Server carries out salting and data confusion processing on the client private key d to obtain a pseudo private key d ═ Mix (salt, d);
s109: the Server end Server sequentially divides d' into A, B, C three parts, which are respectively marked as d _ A, d _ B, d _ C;
s110: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, takes T _ Session as a symmetric key, symmetrically encrypts and outputs'd _ A + d _ B, SignCert, EncryptCert and EncryptKey ', and records as client ' SM4_ Enc (T _ Session, d _ A + d _ B, SignCert, EncryptCert and EncryptKey);
s111: the Server performs SM2 asymmetric encryption on the T _ Session by using T _ Pub, which is denoted as T _ Session ═ SM2_ Enc (T _ Pub, T _ Session);
s112: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, performs symmetric encryption output on'd _ B + d _ C and EncryptKey' by using a built-in device symmetric key, and records the symmetric encryption output as Server ═ SM4_ Enc (d _ B + d _ C and EncryptKey);
s113: the Server side Server stores the Server' in a database;
s114: the Server side Server returns the Client '+ T _ Session' to the Client side;
s115: the Client uses T _ Pri to perform SM2 asymmetric decryption on T _ Session ', so as to obtain a Session symmetric key T _ Session ═ SM2_ Dec (T _ Pri, T _ Session');
s116: the Client uses T _ Session to symmetrically decrypt the Client 'by SM4 to obtain d _ A + d _ B, SignCert, EncryptCert, EncryptKey is SM4_ Dec (T _ Session, Client');
s117: the Client uses d _ B to perform SM4 symmetric encryption on the encrypt key, so as to obtain the encrypt key ═ SM4_ Enc (d _ B, encrypt key);
s118: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s119: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s120: the Client uses the Cert _ PIN ' to perform SM4 symmetric encryption on the d _ A + d _ B to obtain (d _ A + d _ B) ' (SM 4_ Enc (Cert _ PIN ', d _ A + d _ B);
s121: client stores (d _ A + d _ B) ', SignCert, EncryptCert, EncryptKey';
s122: and finishing the user registration.
Example 3
This embodiment is a further description of embodiment 1, and as shown in fig. 3, the step S2 digital signature application mainly includes the following steps:
s201: the digital signature starts;
s202: client identity identification obtains identity ID;
s203: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s204: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s205: the Client uses the Cert _ PIN 'to symmetrically decrypt the (d _ a + d _ B)' by using the SM4, so as to obtain d _ a + d _ B as SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s206: the Client performs HASH operation on the information P to be signed to obtain a HASH value H-SM 3 (P);
s207: the Client uses d _ B to symmetrically encrypt d _ a + H to obtain (d _ a + H)' (SM 4_ Enc (d _ B, d _ a + H);
s208: the Client side sends the identity ID (d _ A + H)' to the Server side Server;
s209: the Server side Server finds the user certificate according to the real-name identity ID, calls a CA interface, and confirms the certificate state (if the certificate is invalid, the operation is terminated);
s210: the Server side Server finds out a corresponding Server' value during registration according to the real-name identity ID;
s211: the Server side Server calls a symmetric decryption interface of the hardware cryptographic module, uses an equipment built-in symmetric key to symmetrically decrypt and output the Server 'to obtain d _ B + d _ C, and the EncryptKey is SM4_ Dec (Server');
s212: the Server side Server uses d _ B to symmetrically decrypt (d _ a + H) 'to obtain d _ a + H ═ SM4_ Dec (d _ B, (d _ a + H)');
s213: the Server side Server synthesizes an obfuscated pseudo private key d' ═ d _ A + d _ B + d _ C;
s214: the Server side Server performs impurity removal (desalting) processing on the pseudo private key d 'to obtain a user true private key d ═ Unmix (salt, d');
s215: the Server side Server encrypts H by using a true private key d to generate a P1/P7 digital signature, which is recorded as P1(d, H)/P7(d, H, certificate);
s216: the Server side Server symmetrically encrypts SignData by using d _ B as a symmetric key to obtain SignData ═ SM4_ Enc (d _ B, SignData);
s217: the Server returns SignData' to the Client;
s218: the Client side decrypts the SignData 'symmetrically by using d _ B as a symmetric key to obtain a digital signature SignData which is SM4_ Dec (d _ B, SignData');
s219: the digital signature ends.
Example 4
This embodiment is a further description of embodiment 1, and as shown in fig. 4, the data encryption application of step S3 mainly includes the following steps:
s301: the User-A encryption information is sent to a User-B, and data encryption is started;
s302: the Client-A uses an encryption certificate EncryptCert _ B of the User-B to perform digital Envelope packaging on data to be sent, and the data to be sent is marked as Envelope _ B (EncryptCert _ B, data);
s303: the Client-A sends the Envelope _ B to the Client-B;
s304: identifying the Client-B to obtain the ID of the User-B;
s305: a User-B User inputs a certificate PIN code and records the certificate PIN code as Cert _ PIN;
s306: client-B performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s307: client-B uses Cert _ PIN 'to perform SM4 symmetric decryption on (d _ a + d _ B)' to obtain d _ a + d _ B ═ SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s308: the client-B decrypts the EncryptKey 'by using d _ B, and obtains the EncryptKey as SM4_ Dec (d _ B, EncryptKey');
s309: the client-B decrypts the Envelope _ B by using the EncryptKey to obtain plaintext data which is Decrypt (EncryptKey, Envelope _ B);
s310: and ending the data decryption.
The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be made by those skilled in the art without inventive work within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope defined by the claims.
Claims (4)
1. A PKI-based key protection method for multi-party cooperative operation comprises a User, a Client, a Server and an external RA/CA/KMC Server, and is characterized in that:
user: the user participates in information input and operation determination;
client side: the key correlation operation of the client side is taken charge;
server side Server: the system is in charge of server-side key division and related operation, the key operation needs to be realized by adopting a hardware password component with high safety, and a certificate application request is sent to an external RA/CA/KMC server for applying for a digital certificate and an encryption key;
external RA/CA/KMC server: an external third party system service for applying for a digital certificate and an encryption key;
the key protection method based on the PKI multi-party cooperative operation mainly comprises the following steps:
s1 user certificate registration: after the User passes the real-name authentication, a server encryption machine randomly generates a signature key and a certificate request P10 for the User, salt adding and confusion processing is carried out on a real private key, A, B, C three sections of pseudo keys are divided, the User encrypts two sections of A, B stored in the encryption machine in a protected mode through an identity ID and a PIN code, and the server encrypts two sections of B, C stored in the encryption machine in an encrypted mode through a built-in key of the encryption machine; the certificate request P10 is used for applying for a certificate to an external RA/CA/KMC server, and the private key of the user encrypted certificate is stored after being encrypted by using a pseudo key B segment;
s2 digital signature application: using the identity ID and the certificate PIN code as a unique certificate of a private key holder, decrypting a Client side to obtain two divided keys d _ A and d _ B, using one part of d _ B as a symmetric key, combining the other part of d _ A with a HASH value to be signed, symmetrically encrypting, and then sending to a server side to synthesize a pseudo key, desalting and signing a true key, wherein the true key signature value is symmetrically encrypted by using the symmetric key d _ B and then returned to the Client side, and the Client side decrypts by using the same symmetric key d _ B to obtain a true key signature value of the server side;
s3 data encryption application: the method comprises the steps that an encryptor encrypts data to be sent by using an encryption certificate public key of a receiver, a decryptor decrypts by using an Identity (ID) and a certificate PIN code as a unique certificate of a private key holder to obtain two divided signature keys d _ A and d _ B at a Client, one of the d _ B signature private keys is used as a symmetric key to decrypt an encryption certificate private key (encryption private key) encrypted and stored in a registration link, and then the decrypted private key is used for decrypting a received ciphertext.
2. The key protection method for multi-party cooperative operation based on PKI as recited in claim 1, wherein: the step S1 registration of the user certificate mainly includes the following steps:
s101: a User initiates a certificate registration application, firstly, information such as a User real name, a real certificate, real person biological characteristics and the like is acquired through a Client for authentication, and the authentication enters a subsequent certificate registration link;
s102: the Client generates a temporary SM2 asymmetric key, the private key is marked as T _ Pri, and the public key is marked as T _ Pub;
s103: the Client side sends the real-name identity ID and the public key T _ Pub to the Server side Server;
s104: the Server distributes a Session symmetric key Session for the client, and the Session symmetric key Session is recorded as T _ Session;
s105: the Server side Server calls a key generation interface of the hardware password module to generate a formal SM2 asymmetric key pair for the client, the private key is recorded as d, and the public key is recorded as P;
s106: the Server side Server calls a PKCS10 generation interface of the hardware cryptographic module to generate a certificate request P10 for the client;
s107: the Server side Server calls an interface use certificate request P10 of an external RA/CA/KMC Server system to apply for a client 'signature certificate SignCert, an encryption certificate EncryptCert and an encryption key plaintext EncryptKey';
s108: the Server side Server carries out salting and data confusion processing on the client private key d to obtain a pseudo private key d ═ Mix (salt, d);
s109: the Server end Server sequentially divides d' into A, B, C three parts, which are respectively marked as d _ A, d _ B, d _ C;
s110: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, takes T _ Session as a symmetric key, symmetrically encrypts and outputs'd _ A + d _ B, SignCert, EncryptCert and EncryptKey ', and records as client ' SM4_ Enc (T _ Session, d _ A + d _ B, SignCert, EncryptCert and EncryptKey);
s111: the Server performs SM2 asymmetric encryption on the T _ Session by using T _ Pub, which is denoted as T _ Session ═ SM2_ Enc (T _ Pub, T _ Session);
s112: the Server side Server calls a symmetric encryption interface of the hardware cryptographic module, performs symmetric encryption output on'd _ B + d _ C and EncryptKey' by using a built-in device symmetric key, and records the symmetric encryption output as Server ═ SM4_ Enc (d _ B + d _ C and EncryptKey);
s113: the Server side Server stores the Server' in a database;
s114: the Server side Server returns the Client '+ T _ Session' to the Client side;
s115: the Client uses T _ Pri to perform SM2 asymmetric decryption on T _ Session ', so as to obtain a Session symmetric key T _ Session ═ SM2_ Dec (T _ Pri, T _ Session');
s116: the Client uses T _ Session to symmetrically decrypt the Client 'by SM4 to obtain d _ A + d _ B, SignCert, EncryptCert, EncryptKey is SM4_ Dec (T _ Session, Client');
s117: the Client uses d _ B to perform SM4 symmetric encryption on the encrypt key, so as to obtain the encrypt key ═ SM4_ Enc (d _ B, encrypt key);
s118: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s119: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s120: the Client uses the Cert _ PIN ' to perform SM4 symmetric encryption on the d _ A + d _ B to obtain (d _ A + d _ B) ' (SM 4_ Enc (Cert _ PIN ', d _ A + d _ B);
s121: client stores (d _ A + d _ B) ', SignCert, EncryptCert, EncryptKey';
s122: and finishing the user registration.
3. The key protection method for multi-party cooperative operation based on PKI as recited in claim 1, wherein: the step S2 digital signature application mainly includes the following steps:
s201: the digital signature starts;
s202: client identity identification obtains identity ID;
s203: a user inputs a certificate PIN code, and the certificate PIN code is recorded as Cert _ PIN;
s204: the Client performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s205: the Client uses the Cert _ PIN 'to symmetrically decrypt the (d _ a + d _ B)' by using the SM4, so as to obtain d _ a + d _ B as SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s206: the Client performs HASH operation on the information P to be signed to obtain a HASH value H-SM 3 (P);
s207: the Client uses d _ B to symmetrically encrypt d _ a + H to obtain (d _ a + H)' (SM 4_ Enc (d _ B, d _ a + H);
s208: the Client side sends the identity ID (d _ A + H)' to the Server side Server;
s209: the Server side Server finds out the user certificate according to the real-name identity ID, calls an external RA/CA/KMC Server interface, and confirms the certificate state (if the certificate is invalid, the operation is terminated);
s210: the Server side Server finds out a corresponding Server' value during registration according to the real-name identity ID;
s211: the Server side Server calls a symmetric decryption interface of the hardware cryptographic module, uses an equipment built-in symmetric key to symmetrically decrypt and output the Server 'to obtain d _ B + d _ C, and the EncryptKey is SM4_ Dec (Server');
s212: the Server side Server uses d _ B to symmetrically decrypt (d _ a + H) 'to obtain d _ a + H ═ SM4_ Dec (d _ B, (d _ a + H)');
s213: the Server side Server synthesizes an obfuscated pseudo private key d' ═ d _ A + d _ B + d _ C;
s214: the Server side Server performs impurity removal (desalting) processing on the pseudo private key d 'to obtain a user true private key d ═ Unmix (salt, d');
s215: the Server side Server encrypts H by using a true private key d to generate a P1/P7 digital signature, which is recorded as P1(d, H)/P7(d, H, certificate);
s216: the Server side Server symmetrically encrypts SignData by using d _ B as a symmetric key to obtain SignData ═ SM4_ Enc (d _ B, SignData);
s217: the Server returns SignData' to the Client;
s218: the Client side decrypts the SignData 'symmetrically by using d _ B as a symmetric key to obtain a digital signature SignData which is SM4_ Dec (d _ B, SignData');
s219: the digital signature ends.
4. The key protection method for multi-party cooperative operation based on PKI as recited in claim 1, wherein: the step S3 data encryption application mainly includes the following steps:
s301: the User-A encryption information is sent to a User-B, and data encryption is started;
s302: the Client-A uses an encryption certificate EncryptCert _ B of the User-B to perform digital Envelope packaging on data to be sent, and the data to be sent is marked as Envelope _ B (EncryptCert _ B, data);
s303: the Client-A sends the Envelope _ B to the Client-B;
s304: identifying the Client-B to obtain the ID of the User-B;
s305: a User-B User inputs a certificate PIN code and records the certificate PIN code as Cert _ PIN;
s306: client-B performs HASH operation on the real-name identity ID + Cert _ PIN to obtain Cert _ PIN ═ SM3 (identity ID + Cert _ PIN);
s307: client-B uses Cert _ PIN 'to perform SM4 symmetric decryption on (d _ a + d _ B)' to obtain d _ a + d _ B ═ SM4_ Dec (Cert _ PIN ', (d _ a + d _ B)');
s308: the client-B decrypts the EncryptKey 'by using d _ B, and obtains the EncryptKey as SM4_ Dec (d _ B, EncryptKey');
s309: the client-B decrypts the Envelope _ B by using the EncryptKey to obtain plaintext data which is Decrypt (EncryptKey, Envelope _ B);
s310: and ending the data decryption.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911206709.6A CN110932851B (en) | 2019-11-29 | 2019-11-29 | PKI-based multi-party cooperative operation key protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911206709.6A CN110932851B (en) | 2019-11-29 | 2019-11-29 | PKI-based multi-party cooperative operation key protection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110932851A true CN110932851A (en) | 2020-03-27 |
CN110932851B CN110932851B (en) | 2022-09-23 |
Family
ID=69847937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911206709.6A Active CN110932851B (en) | 2019-11-29 | 2019-11-29 | PKI-based multi-party cooperative operation key protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110932851B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111641587A (en) * | 2020-04-27 | 2020-09-08 | 河南省云安大数据安全防护产业技术研究院有限公司 | Internet of things equipment interconnection method and device |
CN112016082A (en) * | 2020-10-26 | 2020-12-01 | 成都掌控者网络科技有限公司 | Authority list safety control method |
CN112115491A (en) * | 2020-08-20 | 2020-12-22 | 恒安嘉新(北京)科技股份公司 | Symmetric encryption key protection method, device, equipment and storage medium |
CN113130031A (en) * | 2021-05-18 | 2021-07-16 | 中南大学湘雅三医院 | PKI-based intercourse electronic medical record interaction system, method, equipment and storage medium |
CN113726503A (en) * | 2021-07-12 | 2021-11-30 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
CN115632778A (en) * | 2022-12-20 | 2023-01-20 | 四川省数字证书认证管理中心有限公司 | Multi-terminal encryption and decryption intercommunication method |
CN116827542A (en) * | 2023-08-29 | 2023-09-29 | 江苏省国信数字科技有限公司 | Digital certificate management method and system of intelligent device |
CN117118759A (en) * | 2023-10-24 | 2023-11-24 | 四川省数字证书认证管理中心有限公司 | Method for reliable use of user control server terminal key |
CN117479151A (en) * | 2023-12-27 | 2024-01-30 | 阳光凯讯(北京)科技股份有限公司 | Data encryption transmission method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030135740A1 (en) * | 2000-09-11 | 2003-07-17 | Eli Talmor | Biometric-based system and method for enabling authentication of electronic messages sent over a network |
CN101115060A (en) * | 2007-08-09 | 2008-01-30 | 上海格尔软件股份有限公司 | Method for protecting user encryption key in asymmetric cipher key transmitting process of user key management system |
CN101483518A (en) * | 2009-02-20 | 2009-07-15 | 北京天威诚信电子商务服务有限公司 | Customer digital certificate private key management method and system |
CN104618120A (en) * | 2015-03-04 | 2015-05-13 | 青岛微智慧信息有限公司 | Digital signature method for escrowing private key of mobile terminal |
CN106548345A (en) * | 2016-12-07 | 2017-03-29 | 北京信任度科技有限公司 | The method and system of block chain private key protection are realized based on Secret splitting |
CN110224812A (en) * | 2019-06-12 | 2019-09-10 | 江苏慧世联网络科技有限公司 | A kind of method and equipment that the electronic signature mobile client calculated based on Secure is communicated with Collaboration Server |
-
2019
- 2019-11-29 CN CN201911206709.6A patent/CN110932851B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030135740A1 (en) * | 2000-09-11 | 2003-07-17 | Eli Talmor | Biometric-based system and method for enabling authentication of electronic messages sent over a network |
CN101115060A (en) * | 2007-08-09 | 2008-01-30 | 上海格尔软件股份有限公司 | Method for protecting user encryption key in asymmetric cipher key transmitting process of user key management system |
CN101483518A (en) * | 2009-02-20 | 2009-07-15 | 北京天威诚信电子商务服务有限公司 | Customer digital certificate private key management method and system |
CN104618120A (en) * | 2015-03-04 | 2015-05-13 | 青岛微智慧信息有限公司 | Digital signature method for escrowing private key of mobile terminal |
CN106548345A (en) * | 2016-12-07 | 2017-03-29 | 北京信任度科技有限公司 | The method and system of block chain private key protection are realized based on Secret splitting |
CN110224812A (en) * | 2019-06-12 | 2019-09-10 | 江苏慧世联网络科技有限公司 | A kind of method and equipment that the electronic signature mobile client calculated based on Secure is communicated with Collaboration Server |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111641587A (en) * | 2020-04-27 | 2020-09-08 | 河南省云安大数据安全防护产业技术研究院有限公司 | Internet of things equipment interconnection method and device |
CN112115491A (en) * | 2020-08-20 | 2020-12-22 | 恒安嘉新(北京)科技股份公司 | Symmetric encryption key protection method, device, equipment and storage medium |
CN112115491B (en) * | 2020-08-20 | 2024-03-22 | 恒安嘉新(北京)科技股份公司 | Symmetric encryption key protection method, device, equipment and storage medium |
CN112016082A (en) * | 2020-10-26 | 2020-12-01 | 成都掌控者网络科技有限公司 | Authority list safety control method |
CN113130031A (en) * | 2021-05-18 | 2021-07-16 | 中南大学湘雅三医院 | PKI-based intercourse electronic medical record interaction system, method, equipment and storage medium |
CN113726503B (en) * | 2021-07-12 | 2023-11-14 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
CN113726503A (en) * | 2021-07-12 | 2021-11-30 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
CN115632778A (en) * | 2022-12-20 | 2023-01-20 | 四川省数字证书认证管理中心有限公司 | Multi-terminal encryption and decryption intercommunication method |
CN116827542A (en) * | 2023-08-29 | 2023-09-29 | 江苏省国信数字科技有限公司 | Digital certificate management method and system of intelligent device |
CN116827542B (en) * | 2023-08-29 | 2023-11-07 | 江苏省国信数字科技有限公司 | Digital certificate management method and system of intelligent device |
CN117118759A (en) * | 2023-10-24 | 2023-11-24 | 四川省数字证书认证管理中心有限公司 | Method for reliable use of user control server terminal key |
CN117118759B (en) * | 2023-10-24 | 2024-01-30 | 四川省数字证书认证管理中心有限公司 | Method for reliable use of user control server terminal key |
CN117479151A (en) * | 2023-12-27 | 2024-01-30 | 阳光凯讯(北京)科技股份有限公司 | Data encryption transmission method |
CN117479151B (en) * | 2023-12-27 | 2024-03-12 | 阳光凯讯(北京)科技股份有限公司 | Data encryption transmission method |
Also Published As
Publication number | Publication date |
---|---|
CN110932851B (en) | 2022-09-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110932851B (en) | PKI-based multi-party cooperative operation key protection method | |
CN111475796B (en) | Anti-quantum computation identity authentication method and system based on secret sharing and quantum communication service station | |
US20180013555A1 (en) | Data transmission method and apparatus | |
CN111130803B (en) | Method, system and device for digital signature | |
US11874935B2 (en) | Protecting data from brute force attack | |
EP3476078B1 (en) | Systems and methods for authenticating communications using a single message exchange and symmetric key | |
CN113204760B (en) | Method and system for establishing secure channel for software cryptographic module | |
EP1501238A1 (en) | Method and system for key distribution comprising a step of authentication and a step of key distribution using a KEK (key encryption key) | |
CN111052673A (en) | Anonymous broadcasting method, key exchange method, anonymous broadcasting system, key exchange system, communication device, and program | |
EP1079565A2 (en) | Method of securely establishing a secure communication link via an unsecured communication network | |
CN113708917A (en) | APP user data access control system and method based on attribute encryption | |
US20060129812A1 (en) | Authentication for admitting parties into a network | |
CN114499837A (en) | Method, device, system and equipment for preventing leakage of message | |
CN102036194B (en) | Method and system for encrypting MMS | |
KR20060078768A (en) | System and method for key recovery using distributed registration of private key | |
TW200803392A (en) | Method, device, server arrangement, system and computer program products for securely storing data in a portable device | |
CN113824713B (en) | Key generation method, system and storage medium | |
KR101912443B1 (en) | Public key based encryption method and key generation server | |
CN111526131B (en) | Anti-quantum-computation electronic official document transmission method and system based on secret sharing and quantum communication service station | |
KR101793528B1 (en) | Certificateless public key encryption system and receiving terminal | |
US11917056B1 (en) | System and method of securing a server using elliptic curve cryptography | |
CN114531235B (en) | Communication method and system for end-to-end encryption | |
Das | A hybrid algorithm for secure cloud computing | |
JPH0373633A (en) | Cryptographic communication system | |
JP2007521525A (en) | System for authenticating and authorizing a party in a secure communication network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |