Network mapping certificate issuing method
Technical Field
The invention relates to the technical field of identity document management, and in particular to a method of issuing network mapping certificates.
Background
In the prior art, the government of China issues legal identity documents such as resident identity cards and passports under the qualifications or powers granted by law, achieving reliable identity management at the legal level; this has long played a major role in safeguarding the rights and interests of citizens, maintaining social order and protecting national security. With the rapid development of Internet technology, real society has extended deep into cyberspace, and the network society has become an important part of real society. The Internet has brought worldwide change to people's lives and markedly changed their patterns of behaviour: activities and services that used to exist only in the real society, such as sending and receiving mail, social contact, shopping and banking, have rapidly appeared and grown in cyberspace, and in many areas network services are beginning to surpass, replace or even overturn traditional services. At the same time, because effective legal identity management measures are lacking, network crime is frequent and the rights of citizens, social stability and national security are seriously threatened; researching and establishing a unified, standardised method of network legal identity management is therefore imperative. To solve the problem of network legal identity management, the industry has gradually developed various techniques and methods, including the following.
1. The electronic legal identity document itself carries a personal digital certificate. This scheme first requires that the electronic legal identity document be capable of carrying a personal digital certificate, and second that the issuing authority, when issuing the document to its bearer, also issue a personal digital certificate bound to that document. Most electronic identity cards currently issued by EU countries use this scheme. In the on-site inspection mode the holder proves legal identity by presenting the electronic legal identity document; in the network verification mode the holder proves legal identity remotely online by presenting the personal digital certificate carried by the document, with legal effect equivalent to on-site inspection. The scheme therefore solves both offline identity authentication and online legal identity authentication, and in theory it is a comparatively complete technical route: a country that directly issues electronic legal identity documents carrying personal digital certificates solves online and offline identity management in one step.
However, China has already issued more than 1.4 billion second-generation resident identity cards that have not recently been upgraded or replaced, as well as electronic legal documents issued under the technical specifications of the International Civil Aviation Organization that carry no personal digital certificate: electronic passports, electronic Mainland Travel Permits for Hong Kong and Macao residents, electronic Mainland Travel Permits for Taiwan residents, foreigners' permanent residence identity cards, and the residence permits for Hong Kong, Macao and Taiwan residents issued in the last two years. Adopting this scheme in China would first require upgrading or replacing all of these documents, which is clearly unrealistic.
2. A personal digital certificate is issued separately from the electronic legal identity document. This scheme does not require the electronic legal identity document to be capable of carrying a personal digital certificate; the personal digital certificate is instead carried on another hardware medium such as a USB key, a mobile phone or a bank card, and its issuer may be the government authority that issues the electronic legal identity document or a third-party commercial body such as an electronic certification service provider as defined in the Electronic Signature Law of the People's Republic of China. Its biggest defect is that, because the personal digital certificate and the electronic legal identity document are independent of each other, a citizen must use different identity credentials in different identity verification scenarios. This is not only inconvenient; more importantly, China spent enormous administrative, financial and material resources over the past ten years to reach the point where essentially all 1.3 billion people hold a second-generation identity card, and mobilising national resources again to issue a personal digital certificate to every citizen is basically infeasible. Issuing personal digital certificates through commercial institutions instead would require huge economic investment and years or even decades of roll-out, and the legal effect and authority of such certificates could not compare with those of a legal identity document.
3. On 25 May 2018 the General Data Protection Regulation (GDPR) of the European Union came into force, strengthening the protection of personal information and increasing the penalties for data breaches. On 1 May 2018 the national standard GB/T 35273-2017 (Information security technology: Personal information security specification) came into effect, requiring a personal information controller to de-identify personal information immediately after collection. The Cybersecurity Law of China took effect on 1 June 2017, and since then enforcement penalties have been issued to Internet companies in at least five provinces. The Internet Personal Information Security Protection Guide was published for public comment, and on 1 October 2019 the Provisions on the Cyber Protection of Children's Personal Information came into force. Personal information security in cyberspace has thus been given high priority both in China and abroad, and identity management in cyberspace is the foundation for improving cyberspace governance.
4. In the absence of a unified, standardised and mature solution for network legal identity management, merchants have explored various network identity authentication means of their own in order to implement the national network real-name policy. Early on, the user was simply asked to enter an identity card number and a name, and the system accepted whatever the user entered; it soon became clear that the authenticity of such input could not be guaranteed, a typical example being a ticket scalper who grabbed train tickets under the name of a steamed-bun shop, "Qingfeng Baozi". The authentication method was later upgraded: the identity card number and name entered by the user are submitted to a third party, the National Citizen Identity Number Inquiry Service Center system, which checks the submitted personal identity information and passes authentication if it matches a record held there. This mode verifies by information comparison: it can detect fabricated identity information, but it cannot detect real identity information that is being used fraudulently. The reason is that the identity card number and other personal information have been separated from their carrier, the identity card, and reduced to a string of characters; a third-party checking system can only establish that the personal information exists in the system, not that the person presenting it is the real person behind the real name. User authentication was later tightened further by requiring bank card numbers, telephone numbers and even photographs of the personal identity card.
These auxiliary means do strengthen the implementation of the real-name policy to some extent, but their authentication effect is gradually offset by the continual upgrading of identity fraud techniques, while the cost of identity authentication keeps rising and the user experience deteriorates sharply. The fundamental reason is that these auxiliary authentication means are not based on strict electronic rules and procedures; they only authenticate form, and cannot achieve the effect of authenticating identity with a legal document as in real life. Moreover, they cause leakage of personal information data: personal data faces theft, abuse and leakage, the security threats keep growing, personal privacy and property security are affected, and national and social security is affected as well. According to the 2016 Survey Report on the Protection of Chinese Internet Users' Rights issued by the Internet Society of China, the economic loss suffered by China's 688 million Internet users in the preceding year from spam messages, fraudulent information, personal information leakage and the like was estimated at 91.5 billion yuan.
Chinese patent CN1339894A provides an identity certificate and a method of making it: in making the identity certificate, the issuing authority first constructs a first information packet containing identity information and biometric information, then selects an asymmetric key algorithm and encrypts the first information packet with a private key to produce a second information packet, and finally stores the second information packet on a medium to form the identity certificate. That scheme, however, still does not solve the problem that fabricated identity information can be detected but fraudulently used real identity information cannot.
Disclosure of Invention
To overcome the above defects, the invention provides a network mapping certificate issuing method.
The method comprises the following steps:
Step 1, extracting the document-borne information:
step 1.1, the document-borne information, that is, the information recorded on the physical legal identity document, falls into three categories: basic personal information (name, gender, date of birth and document number); biometric information (photograph and fingerprint images); and document anti-counterfeiting feature information (physical anti-counterfeiting and digital anti-counterfeiting features);
step 1.2, to produce and issue a network mapping certificate, the necessary content is extracted from the information borne by the legal identity document; which content is extracted is decided according to actual needs and the relevant policy;
step 1.3, the document-borne information is obtained either by reading the electronic legal identity document directly or from the production and issuance database of the electronic legal identity document.
Step 2, mapping transformation:
step 2.1, the extracted document information is converted by a specific transformation into the element data stored in the network mapping certificate;
step 2.2, the mapping transformation is a mathematical transformation or a cryptographic transformation, chosen according to actual needs and the relevant policy.
The elements stored in the network mapping certificate have four properties: first, they originate from the information borne by the legal identity document; second, the transformation is irreversible, that is, the original document information cannot be recovered from the element data; third, they can be published openly without disclosing the holder's personal information or privacy; fourth, they support secure remote online authentication over a network, and the authentication process resists side-channel attacks, man-in-the-middle attacks and replay attacks and prevents eavesdropping and forgery.
Step 3, the different categories of document information yield different types of mapping certificate elements after mapping transformation:
step 3.1, the basic personal information (name, gender, date of birth and document number) is mapped into basic information verification elements, which are used to verify whether personal information that a business system has obtained through other channels belongs to the legitimate holder of the network mapping certificate;
step 3.2, the biometric information (photograph and fingerprint image or template) is mapped into identity authentication elements, which are used to authenticate whether the party being authenticated is the legitimate holder of the network mapping certificate;
step 3.3, the document anti-counterfeiting feature information, specifically the digital anti-counterfeiting feature information of the personalised key association factor, is mapped into document entity authentication elements, which are used to authenticate whether the party being authenticated is presenting online the physical electronic legal identity document that is associated and bound with the network mapping certificate.
Step 4, signing:
step 4.1, the mapping certificate serial number, version number, validity period, issuer and holder-related information are added to the mapping certificate element data, and the whole is signed with the network mapping certificate signing digital certificate of the network mapping certificate issuing authority, which completes issuance of the network mapping certificate;
step 4.2, the signature data is attached to the electronic file of the network mapping certificate and issued with it, and is used to verify the authenticity and integrity of the network mapping certificate.
Step 5, issuing a network mapping certificate revocation list:
step 5.1, when a physical document bound to a network mapping certificate becomes invalid through cancellation or a loss report, the network mapping certificate issuing authority must issue a revocation list immediately, so that the network mapping certificate corresponding to the invalid physical document is invalidated at the same time;
step 5.2, the revocation list is signed with the network mapping certificate signing digital certificate and updated periodically by the issuing authority;
step 5.3, an emergency update is issued whenever a physical document becomes invalid;
step 5.4, the validity period of a network mapping certificate may not exceed that of the corresponding physical document; when the physical document expires naturally the network mapping certificate expires with it, and no revocation list entry is needed to confirm the expiry.
Step 6, distributing the signing digital certificate, the network mapping certificate and the network mapping certificate revocation list: these three are used by a network mapping certificate verification authority when it verifies a network mapping certificate, and the issuing authority delivers them to the verification authority or its subsystem in real time; the holder of a network mapping certificate may also download his or her own network mapping certificate and present it actively during authentication.
Compared with the prior art, the method has the following advantages:
1. Building on the existing electronic legal identity documents and their associated database resources, the method provides a secure, reliable, economical and practical scheme for legal identity management in cyberspace that meets the application needs of the Internet and fits China's circumstances, solves the problem of network legal identity management that China currently faces, and reduces the risk of personal profiling through big-data correlation analysis.
2. A network legal identity management system centred on network mapping certificates of electronic legal identity documents is established; a legal identity management system corresponding to that of the real society is built in cyberspace, and the mode and process of proving identity with a legal identity document in real life are transplanted into cyberspace, so that the legal effect of legal identity documents in the real society is carried over and the problem of legal identity management in cyberspace is solved.
3. The invention solves the technical problem that an electronic legal identity document carrying no personal digital certificate cannot be applied directly to network legal identity management. Compared with existing network identity authentication, which relies on formal comparison of information derived from the population information database, the invention no longer stops at a formal comparison of personal information but genuinely solves legal identity authentication of "real name, real person", and avoids the subjective and non-subjective errors caused by human factors. It keeps the same architecture as the legal identity management system of the real society and preserves the two key points of a legal identity document: proving the authenticity and validity of the document itself, and proving the identity of the person presenting it. Online and offline application of electronic legal identity documents is unified by means of network mapping certificate technology, the applicability of the Law of the People's Republic of China on Resident Identity Cards and related laws, regulations and administrative rules is reinforced, and the scheme matches the public's existing understanding and habits, so it is easy to accept and popularise.
4. The fingerprint information of the carrier of the mapping certificate and the industry identification attribute participate in the mapping transformation or mathematical transformation, so that the mapping certificate and identity identifier of the same holder differ between carriers and between industries, which avoids the risk of profiling persons through big-data correlation analysis.
Drawings
FIG. 1 is a schematic diagram of a system in which the network mapping certificate issuing authority directly provides the network mapping certificate verification service, according to the method of the invention;
FIG. 2 is a schematic diagram of a system in which the network service system itself performs the network mapping certificate verification service, according to the method of the invention;
FIG. 3 is a schematic diagram of the issuance and management of network mapping certificates according to the method of the invention.
Detailed Description
The method comprises the following steps:
Step 1, extracting the document-borne information:
step 1.1, the document-borne information, that is, the information recorded on the physical legal identity document, falls into three categories: basic personal information (name, gender, date of birth and document number); biometric information (photograph and fingerprint images); and document anti-counterfeiting feature information (physical anti-counterfeiting and digital anti-counterfeiting features);
step 1.2, to produce and issue a network mapping certificate, the necessary content is extracted from the information borne by the legal identity document; which content is extracted is decided according to actual needs and the relevant policy;
step 1.3, the document-borne information is obtained either by reading the electronic legal identity document directly or from the production and issuance database of the electronic legal identity document.
Step 2, mapping transformation:
step 2.1, the extracted document information is converted by a specific transformation into the element data stored in the network mapping certificate;
step 2.2, the mapping transformation is a mathematical transformation or a cryptographic transformation, chosen according to actual needs and the relevant policy.
The elements stored in the network mapping certificate have four properties: first, they originate from the information borne by the legal identity document; second, the transformation is irreversible, that is, the original document information cannot be recovered from the element data; third, they can be published openly without disclosing the holder's personal information or privacy; fourth, they support secure remote online authentication over a network, and the authentication process resists side-channel attacks, man-in-the-middle attacks and replay attacks and prevents eavesdropping and forgery.
Step 3, the different categories of document information yield different types of mapping certificate elements after mapping transformation:
step 3.1, the basic personal information (name, gender, date of birth and document number) is mapped into basic information verification elements, which are used to verify whether personal information that a business system has obtained through other channels belongs to the legitimate holder of the network mapping certificate;
step 3.2, the biometric information (photograph and fingerprint image or template) is mapped into identity authentication elements, which are used to authenticate whether the party being authenticated is the legitimate holder of the network mapping certificate;
step 3.3, the document anti-counterfeiting feature information, specifically the digital anti-counterfeiting feature information of the personalised key association factor, is mapped into document entity authentication elements, which are used to authenticate whether the party being authenticated is presenting online the physical electronic legal identity document that is associated and bound with the network mapping certificate.
Step 4, signing:
step 4.1, the mapping certificate serial number, version number, validity period, issuer and holder-related information are added to the mapping certificate element data, and the whole is signed with the network mapping certificate signing digital certificate of the network mapping certificate issuing authority, which completes issuance of the network mapping certificate;
step 4.2, the signature data is attached to the electronic file of the network mapping certificate and issued with it, and is used to verify the authenticity and integrity of the network mapping certificate.
Step 5, issuing a network mapping certificate revocation list:
step 5.1, when a physical document bound to a network mapping certificate becomes invalid through cancellation or a loss report, the network mapping certificate issuing authority must issue a revocation list immediately, so that the network mapping certificate corresponding to the invalid physical document is invalidated at the same time;
step 5.2, the revocation list is signed with the network mapping certificate signing digital certificate and updated periodically by the issuing authority;
step 5.3, an emergency update is issued whenever a physical document becomes invalid;
step 5.4, the validity period of a network mapping certificate may not exceed that of the corresponding physical document; when the physical document expires naturally the network mapping certificate expires with it, and no revocation list entry is needed to confirm the expiry.
Step 6, distributing the signing digital certificate, the network mapping certificate and the network mapping certificate revocation list: these three are used by a network mapping certificate verification authority when it verifies a network mapping certificate, and the issuing authority delivers them to the verification authority or its subsystem in real time; the holder of a network mapping certificate may also download his or her own network mapping certificate and present it actively during authentication.
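Steps 1 to 3 (here and in the identical steps of the summary above) leave the transformation open: "a mathematical transformation or a cryptographic transformation". The following is an added example, not code from the patent, of one construction that satisfies the four stated properties for the basic information verification elements: a keyed HMAC-SHA256 whose key is derived from an issuer secret together with the industry identifier and carrier fingerprint that advantage 4 says take part in the transformation. The issuer secret, the industry identifiers, the carrier fingerprint string, the label used for domain separation and the sample document data are all constructed for the example and are not specified by the patent.

```go
// Added example, not part of the patent: a keyed, irreversible mapping
// transformation (steps 1 to 3) and the step 3.1 verification of a claim.
// Assumptions the patent does not fix: HMAC-SHA256 as the cryptographic
// transformation; an element key derived from an issuer secret plus the
// industry identifier and the carrier fingerprint (advantage 4), so the same
// holder yields different elements per industry and per carrier.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// DocumentInfo is the basic-information part of the document-borne
// information of step 1.1. Values used below are constructed sample data.
type DocumentInfo struct {
	Name      string
	Gender    string
	BirthDate string // YYYYMMDD
	DocNumber string
}

// Elements are the basic information verification elements of step 3.1,
// keyed by field name.
type Elements map[string]string

// DeriveKey derives the element key for one (industry, carrier) pair from the
// issuing authority's mapping secret. The NUL-separated label gives domain
// separation, so "bank"+"ing-x" cannot collide with "banking"+"-x".
func DeriveKey(issuerSecret []byte, industryID, carrierFingerprint string) []byte {
	mac := hmac.New(sha256.New, issuerSecret)
	mac.Write([]byte("network-mapping-cert/v1\x00" + industryID + "\x00" + carrierFingerprint))
	return mac.Sum(nil)
}

// canonical normalises one field before mapping, so cosmetic differences in
// case or surrounding whitespace do not change the element.
func canonical(field, value string) []byte {
	return []byte(field + "=" + strings.ToUpper(strings.TrimSpace(value)))
}

// MapElement is the irreversible transformation of step 2.1 for one field.
// Without the key, low-entropy fields such as gender or birth date could be
// recovered by enumeration from a plain hash; the secret key prevents that.
func MapElement(key []byte, field, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(field, value))
	return hex.EncodeToString(mac.Sum(nil))
}

// MapBasicInfo maps all four basic-information fields (step 3.1, generation).
func MapBasicInfo(key []byte, d DocumentInfo) Elements {
	return Elements{
		"name":      MapElement(key, "name", d.Name),
		"gender":    MapElement(key, "gender", d.Gender),
		"birthDate": MapElement(key, "birthDate", d.BirthDate),
		"docNumber": MapElement(key, "docNumber", d.DocNumber),
	}
}

// VerifyClaim is the step 3.1 check: does a value that a business system
// obtained through another channel belong to the holder of these elements?
// The comparison is constant-time so the verifier leaks no partial match.
func VerifyClaim(key []byte, elems Elements, field, claimed string) bool {
	expected, ok := elems[field]
	if !ok {
		return false
	}
	return hmac.Equal([]byte(MapElement(key, field, claimed)), []byte(expected))
}

func main() {
	secret := []byte("constructed issuer mapping secret, demo only")
	doc := DocumentInfo{Name: "Zhang San", Gender: "M", BirthDate: "19900101", DocNumber: "110101199001011234"}
	bankKey := DeriveKey(secret, "banking", "carrier-fp-phone-A")
	telcoKey := DeriveKey(secret, "telecom", "carrier-fp-phone-A")
	bank, telco := MapBasicInfo(bankKey, doc), MapBasicInfo(telcoKey, doc)
	fmt.Println("elements differ across industries:", bank["docNumber"] != telco["docNumber"])
	fmt.Println("claimed number belongs to holder:", VerifyClaim(bankKey, bank, "docNumber", " 110101199001011234 "))
	fmt.Println("wrong number rejected:", VerifyClaim(bankKey, bank, "docNumber", "110101199001011235"))
}
```

The key is what delivers the third property. An unkeyed hash of a gender, a date of birth or an 18-digit document number with a known structure can be inverted by enumeration, so it would leak the original text even though the function is one-way. The key therefore stays with the issuing or verification authority, which answers a relying party's claim with yes or no, matching the arrangement of FIG. 1 and FIG. 2 in which verification is a separate service. Because the key differs per industry and per carrier, the elements issued to a bank and to a telecom operator for the same holder cannot be joined, which is the property advantage 4 relies on.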
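Steps 4 to 6 (here and in the summary) specify what is signed and what the verifier needs, but not the formats or algorithms. The following is an added example, not the patent's code, showing one concrete issuance, revocation and verification flow. It assumes Ed25519 for the issuing authority's signing key (standing in for the "signing digital certificate"), JSON for the electronic file, a list of serial numbers as the revocation list, and a 24-hour maximum age for that list; the issuer name, serial number, holder alias and element values are constructed.

```go
// Added example, not part of the patent: signing a network mapping certificate
// (step 4), issuing a signed revocation list (step 5) and the verifier-side
// check (step 6). Assumptions the patent does not fix: Ed25519 for the issuer's
// signing key, JSON as the file format, and a 24-hour maximum list age.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// MappingCertBody is what is signed in step 4.1: mapped elements plus serial
// number, version, validity period, issuer and holder-related fields.
type MappingCertBody struct {
	Version   int               `json:"version"`
	Serial    string            `json:"serial"`
	Issuer    string            `json:"issuer"`
	Holder    string            `json:"holder"` // assumption: an alias, not plaintext identity
	NotBefore time.Time         `json:"notBefore"`
	NotAfter  time.Time         `json:"notAfter"`
	Elements  map[string]string `json:"elements"` // placeholders for the step 3 elements
}

// MappingCert is the electronic file of step 4.2: body plus issuer signature.
type MappingCert struct {
	Body      MappingCertBody
	Signature []byte
}

// RevocationList is the step 5 list; Signature is left out of the signed bytes.
type RevocationList struct {
	Issuer    string    `json:"issuer"`
	IssuedAt  time.Time `json:"issuedAt"`
	Revoked   []string  `json:"revoked"`
	Signature []byte    `json:"signature,omitempty"`
}

// canonical returns the bytes that get signed: JSON with struct fields in
// declaration order and map keys sorted. Marshal cannot fail for these types.
func canonical(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// Issue signs the body with the issuing authority's key, enforcing step 5.4:
// the mapping certificate may not outlive the physical document it is bound to.
func Issue(priv ed25519.PrivateKey, issuer string, body MappingCertBody, entityExpiry time.Time) (*MappingCert, error) {
	if body.NotAfter.After(entityExpiry) {
		return nil, errors.New("mapping certificate validity exceeds entity document validity")
	}
	body.Issuer = issuer
	return &MappingCert{Body: body, Signature: ed25519.Sign(priv, canonical(body))}, nil
}

// IssueCRL signs the current revoked serials: on the periodic schedule
// (step 5.2) and at once after a loss report or cancellation (steps 5.1, 5.3).
func IssueCRL(priv ed25519.PrivateKey, issuer string, revoked []string, now time.Time) *RevocationList {
	crl := RevocationList{Issuer: issuer, IssuedAt: now, Revoked: revoked}
	crl.Signature = ed25519.Sign(priv, canonical(crl))
	return &crl
}

// Verify is the step 6 check with the issuer's public key (carried by the signing
// digital certificate): signature, validity window, a fresh signed list, no revocation.
func Verify(pub ed25519.PublicKey, cert *MappingCert, crl *RevocationList, now time.Time) error {
	if !ed25519.Verify(pub, canonical(cert.Body), cert.Signature) {
		return errors.New("certificate signature invalid")
	}
	if now.Before(cert.Body.NotBefore) || now.After(cert.Body.NotAfter) {
		return errors.New("certificate outside validity period")
	}
	if crl == nil || crl.Issuer != cert.Body.Issuer {
		return errors.New("no revocation list from the certificate issuer")
	}
	unsigned := *crl
	unsigned.Signature = nil
	if !ed25519.Verify(pub, canonical(unsigned), crl.Signature) {
		return errors.New("revocation list signature invalid")
	}
	if crl.IssuedAt.After(now) || now.Sub(crl.IssuedAt) > 24*time.Hour { // assumed update period of step 5.2
		return errors.New("revocation list stale")
	}
	for _, s := range crl.Revoked {
		if s == cert.Body.Serial {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	body := MappingCertBody{Version: 1, Serial: "NMC-0001", Holder: "alias-7f3a", NotBefore: now, NotAfter: now.AddDate(5, 0, 0)}
	cert, _ := Issue(priv, "Example Issuing Authority", body, now.AddDate(10, 0, 0)) // bound document outlives it: allowed
	fmt.Println("fresh:", Verify(pub, cert, IssueCRL(priv, "Example Issuing Authority", nil, now), now.Add(time.Hour)))
	fmt.Println("after loss report:", Verify(pub, cert, IssueCRL(priv, "Example Issuing Authority", []string{"NMC-0001"}, now), now.Add(time.Hour)))
}
```

Two checks in Verify correspond to caveats a practitioner would raise about step 5. The verifier refuses to proceed with no list at all, since an attacker who can suppress the list could keep using a certificate whose bound document was reported lost, and it bounds the list's age, since the periodic update of step 5.2 only helps if verifiers actually require a recent one. Step 5.4 is enforced at issuance: a certificate whose validity would exceed that of the bound document is refused, so natural expiry never needs a list entry.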
A network mapping certificate verification authority provides the network mapping certificate verification service. The network service system (referred to below as "XX website") is a legal-identity relying party, that is, a system some of whose services require the legal identity of the client to be authenticated, for example opening a bank account, applying for an e-mail address, opening a microblog account or opening a Taobao shop under the real-name policy. The client identity authentication method currently accepted by the regulators is in-person signing: at the business outlet of the service provider, a clerk manually checks the client's second-generation resident identity card, electronic passport, electronic Mainland Travel Permit for Hong Kong and Macao residents, electronic Mainland Travel Permit for Taiwan residents, foreigner's permanent residence identity card or residence permit for Hong Kong, Macao and Taiwan residents. Once the network service system is connected to the network legal identity management system based on network mapping certificates of electronic legal identity documents, it can confirm the client's legal identity remotely online by means of the verification service provided by the verification authority. The network mapping certificate holder, that is, the client of the network service system, applies for a network mapping certificate from the network mapping certificate issuing authority and uses it to prove his or her legal identity to the network service system when taking part in services subject to the real-name requirement.
The network mapping certificate verification service may be provided by an independent third party, directly by the network mapping certificate issuing authority, or by the network service system itself; logically it is always a separate component.
The invention is described in detail with reference to the drawings. Where the network mapping certificate issuing authority itself provides the verification service, as in FIG. 1, issuance of the network mapping certificate and of the revocation list is an internal flow. Where the verification service is completed by the network service system, as in FIG. 2, steps ③④⑤ of the verification flow are internal to that system. Issuance of network mapping certificates and the related services are handled by the issuing authority; the service logic is shown in FIG. 3, and the related services include issuance of the network mapping certificate signing digital certificate, issuance of the network mapping certificate and issuance of the network mapping certificate revocation list. The signing digital certificate is issued to the issuing authority by the competent administrative authority or a lawful digital certificate issuer: the issuing authority must first satisfy the laws and regulations of China and obtain authorisation to issue network mapping certificates, and the signing digital certificate issued to it then represents its authority to sign network mapping certificates.
The invention is not limited to the embodiments described above; any variation, modification or substitution that would occur to a person skilled in the art may be made without departing from the spirit of the invention.