CN111628860A - Method for generating and applying double-key system digital certificate - Google Patents
- Publication number: CN111628860A (application number CN201910148673.4A)
- Authority: CN (China)
- Prior art keywords: certificate, public key, encryption, signature, user
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a method for generating a double-key system digital certificate, comprising the following steps: receiving a digital certificate application request from a user, and parsing the request to obtain the signature public key or a temporary public key of the certificate; obtaining a certificate encryption key pair, encrypting the private key of the certificate encryption key pair with a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key with the obtained signature public key or temporary public key of the certificate to obtain a second encryption result; issuing to the user a double-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair; and sending the encryption result to the user. The invention solves the technical problem that, in the use of existing digital certificates, the owner of dual digital certificates suffers unnecessary loss because the two certificates lack effective matching with each other.
Description
Technical Field
The invention belongs to the technical field of information security and the field of internet communication, and particularly relates to a generation method and an application method of a double-key system digital certificate.
Background
With the continuous improvement of the informatization degree, each government department or enterprise and public institution has deployed a large amount of business systems on the internet and carries out business data exchange with other branch institutions or partners in various regions through the internet. These business data are important digital assets of government departments or enterprises and public institutions, and need to ensure confidentiality, authenticity, integrity and non-repudiation, and digital certificates are mainly adopted to meet the requirements at present.
Digital certificates are authoritative electronic documents that prove the identity of entities (e.g., people, servers, etc.) that communicate information and conduct business over the internet. Digital certificates are divided into signature certificates and encryption certificates: the signature certificate is used for identity verification during communication, and the encryption certificate is used to encrypt key data during communication. An existing digital certificate belongs either to a single-certificate system, in which the user uses only a signature certificate or only an encryption certificate to perform signature or encryption operations, or to a dual-certificate system, in which the user uses a signature certificate and an encryption certificate together to perform signature and encryption operations. National standards for digital certificates have also been issued in succession, and they introduce the concept of dual certificates. The national security SSL related standard specifies that a signature certificate and an encryption certificate are to be used, where the key of the signature certificate comes from the user and the key of the encryption certificate comes from a trusted third-party authority (e.g. a key management center).
Since the signature key and the encryption key are stored in two separate digital certificates, existing digital certificates have some non-negligible technical problems in use: first, because the two digital certificates lack effective matching, any two digital certificates can be combined into a dual-certificate pair, so a trusted third-party authority user can easily replace either of the two certificates without the owner of the dual digital certificates knowing, which causes unnecessary loss to the owner; second, a user of dual digital certificates needs to distinguish the signature certificate from the encryption certificate, but there is currently no simple and effective way to do so, and when a lawbreaker uses the encryption certificate as the signature certificate and the signature certificate as the encryption certificate, it is difficult for a judicial organization to obtain evidence of the illegal transactions; third, the user cannot determine whether a digital certificate belongs to a single-certificate system or a dual-certificate system, which leads to mixed use of digital certificates; fourth, in a single-certificate system the private key is held only by the user and data encrypted with the public key can be decrypted only by the user, so it is difficult to obtain evidence when a judicial organization wishes to obtain the data encrypted by the user.
Disclosure of Invention
In view of the above defects or improvement needs in the prior art, the present invention provides a method for generating a dual-key system digital certificate and a method for applying the same, which aim to solve the above technical problems in the existing digital certificate using process.
In order to achieve the above object, according to one aspect of the present invention, there is provided a method for generating a dual-key system digital certificate, which is applied to a CA, the method comprising the steps of:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key or the temporary public key of the certificate obtained in the step (1) to obtain a second encryption result;
(3) the user is issued a dual-key system digital certificate that includes the public signature key of the certificate and the public key of the certificate encryption key pair.
(4) sending the encryption result obtained in step (2) to the user.
Preferably, encrypting the private key of the certificate encryption key pair uses a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, where the asymmetric algorithm is SM2, RSA, or ECC and the symmetric algorithm is AES, 3DES, or SM4, or the like; encrypting the randomly generated symmetric key uses an asymmetric encryption algorithm, which includes SM2, RSA, or ECC.
According to another aspect of the present invention, there is provided a method for generating a dual-key system digital certificate, which is applied to a CA, the method comprising the steps of:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using the signature public key or the temporary public key of the certificate acquired in the step (1) to acquire an encryption result;
(3) the user is issued a dual-key system digital certificate that includes the public signature key of the certificate and the public key of the certificate encryption key pair.
(4) sending the encryption result obtained in step (2) to the user.
Preferably, the encryption of the private key of the certificate encryption key pair is using an asymmetric encryption algorithm, including SM2, RSA, or ECC, among others.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, signature public key information of the certificate and encryption public key information of the certificate are filled in the TBS field, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is an extension of a public key information subfield in the TBS field of an existing x.509 digital certificate, and is used to store the signature public key information of the certificate and the encryption public key information of the certificate.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is a public key information subfield added in the TBS field of the existing x.509 digital certificate and used for storing public key information different from public key information stored in an original public key information subfield in the TBS field of the existing x.509 digital certificate.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is a public key information filled in an extension subfield in the TBS field of the existing x.509 digital certificate, and the public key information is different from the public key information stored in an original public key information subfield in the TBS field of the existing x.509 digital certificate.
According to another aspect of the present invention, there is provided an application method of a dual-key system digital certificate generated by the above-described generation method of the dual-key system digital certificate, the application method including the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user encrypts the message to be sent to the first user by using the encrypted public key of the certificate obtained by analysis, and sends the encrypted result to the first user;
(6) the first user decrypts the encryption result obtained in the step (5) by using a private key corresponding to the public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain the information plaintext.
According to another aspect of the present invention, there is provided an application method of a dual-key system digital certificate generated by the above-described generation method of the dual-key system digital certificate, the application method including the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user signs the data which needs to be sent to the first user by using the own private signature key to obtain a signature result, and sends the double-key system digital certificate and the signature result which are obtained in the step (3) to the first user;
(6) the first user analyzes the double-key system digital certificate from the second user to obtain a signature public key, and verifies the signature result from the second user by using the signature public key to determine whether the second user is a legal user, if so, the step (7) is carried out, otherwise, the process is ended;
(7) the second user encrypts the message to be sent to the first user by using the encrypted public key of the certificate obtained by analysis, and sends the encrypted result to the first user;
(8) the first user decrypts the encryption result obtained in the step (7) by using a private key corresponding to the public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain the information plaintext.
Preferably, analyzing the dual-key system digital certificate specifically includes determining whether the public key information subfield in the TBS field of the x.509 digital certificate is extended, or two public key information subfields exist in the TBS field, or an extension subfield exists in the TBS field; if the public key information subfield in the TBS field is extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if two public key information subfields exist in the TBS field, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the two public key information subfields respectively; and if the TBS field has an extension subfield, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield in the TBS field respectively, or the other way round (the encryption public key information from the public key information subfield and the signature public key information from the extension subfield).
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) because the single certificate is adopted to realize the function of double certificates, the invention can solve the technical problem that any one of the double digital certificates is easy to replace by a trusted third party authority user due to poor matching in the existing double certificate system, thereby causing loss to a certificate owner;
(2) the digital certificate of the invention is specially provided with subfields for storing the public key in the certificate encryption key pair and the public key in the certificate signature key pair, so that the technical problem that the judicial organization cannot obtain the illegal transaction evidence because the encryption certificate and the signature certificate are mixed in the existing digital certificate can be solved.
(3) The invention is essentially a single digital certificate, but realizes the functions which can be realized by double digital certificates, thereby solving the technical problem that the existing users are easy to mix the digital certificates based on the existing digital certificate system.
(4) Because the private key corresponding to the public key in the certificate encryption key pair is stored in a third-party trusted authority (such as KMC or CA), the judicial organization can decrypt the data encrypted by the encrypted public key by the user in a mode of directly calling the private key from the third-party trusted authority, thereby directly obtaining evidence.
(5) The digital certificate of the invention realizes the function of dual certificates while its size is smaller than that of two digital certificates, so the requirement on hardware storage capacity is lower and the equipment cost is reduced.
Drawings
Fig. 1 is a flowchart of a method of generating a dual-key system digital certificate according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method of generating a dual-key system digital certificate according to a second embodiment of the present invention;
Fig. 3 is a flowchart of an application method of a dual-key system digital certificate according to a first embodiment of the present invention;
Fig. 4 is a flowchart of an application method of a dual-key system digital certificate according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in fig. 1, according to a first embodiment of the present invention, a method for generating a dual-key system digital Certificate is provided, which is applied in a Certificate Authority (CA), and includes the following steps:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key of a certificate;
In this step, the obtained signature public key of the certificate is the public key in the signature key pair of the subsequent certificate.
Alternatively, the result after parsing in this step may also be a temporary public key of the certificate.
Specifically, a digital certificate application request sent by a user is received from a remote device or a local device.
(2) Acquiring a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key of the certificate obtained in the step (1) to obtain a second encryption result;
Specifically, the certificate encryption key pair may be acquired from a Key Management Center (KMC) or the CA itself.
The encryption of the private key in the certificate encryption key pair in this step uses a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, where the asymmetric algorithm may be, for example, SM2, RSA, ECC, etc., and the symmetric algorithm may be, for example, AES, 3DES, SM4, etc. It should be noted that the algorithm is by no means limited to the above, and any algorithm obtained by combining a symmetric encryption algorithm with an asymmetric encryption algorithm is within the scope of the present invention.
The random symmetric key is encrypted in this step by using an asymmetric encryption algorithm, such as SM2, RSA, ECC, etc., and it should be noted that the algorithm is by no means limited to the above, and any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, this step may also be encrypting the randomly generated symmetric key by using the temporary public key of the certificate obtained in step (1) to obtain a second encryption result;
As shown in Fig. 2, step (2) can alternatively be replaced by:
(2') obtaining a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using the signature public key of the certificate obtained in the step (1) to obtain an encryption result;
The asymmetric encryption algorithm used for encrypting the private key in the certificate encryption key pair in this step may be, for example, SM2, RSA, ECC, etc., and it should be noted that the algorithm is by no means limited to the above, and any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, the encrypting the private key in the certificate encryption key pair in this step may also be encrypting the private key in the certificate encryption key pair by using the temporary public key of the certificate obtained in step (1) to obtain an encryption result;
(3) the user is issued a dual-key system digital certificate that includes the public signature key of the certificate and the public key of the certificate encryption key pair.
Specifically, the digital certificate in this step is modified from the structure of the conventional x.509 digital certificate defined in RFC5280 or RFC3280 international standards.
The existing x.509 digital certificate includes a To be signed certificate (TBS) field, a signature algorithm field, and a signature value field.
The invention modifies the structure by filling the signature public key information of the certificate and the encryption public key information of the certificate in the TBS field, wherein the signature public key information of the certificate comprises the signature public key of the certificate and can also comprise a corresponding public key algorithm and the like according to the requirement, and the encryption public key information of the certificate comprises the public key in the encryption key pair of the certificate and can also comprise a corresponding public key algorithm and the like according to the requirement.
The specific modification of the structure may be one of the following three types:
A. The public key information subfield in the TBS field of the X.509 digital certificate is expanded so that it stores both the signature public key information of the certificate and the encryption public key information of the certificate.
B. A public key information subfield is added in a TBS field of an X.509 digital certificate and is used for storing public key information different from the public key information stored in the public key information subfield in the TBS field.
Specifically, if the signature public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, the encryption public key information of the certificate is stored in the newly added public key information subfield; if the encrypted public key information of the certificate is already stored in the public key information subfield originally included in the TBS certificate field, the signature public key information of the certificate is stored in the newly added public key information subfield.
C. Public key information different from the public key information stored in the public key information subfield originally in the TBS field is filled in the extension subfield in the TBS field of the x.509 digital certificate.
Specifically, if the signature public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, the encryption public key information of the certificate is filled in the extension subfield; and if the encrypted public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, the signature public key information of the certificate is filled in the newly added public key information subfield.
(4) And (3) sending the encryption result obtained in the step (2) to the user.
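The key delivery of steps (2) and (4), in the variant where a randomly generated symmetric key protects the encryption private key, as an added Go example (not code from the patent). RSA-OAEP, AES-256-GCM and PKCS#1 serialization are assumptions picked from the RSA and AES families the page names, and `caWrap`, `userUnwrap` and `runDemo` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// caWrap is step (2): symKey encrypts the encryption private key, signPub encrypts symKey.
func caWrap(signPub *rsa.PublicKey, encPriv *rsa.PrivateKey) (first, second []byte, err error) {
	buf := make([]byte, 32+12) // random AES-256 key, then a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	symKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, nil, err
	}
	first = gcm.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(encPriv), nil)
	second, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, signPub, symKey, nil)
	return first, second, err
}

// userUnwrap recovers the encryption private key using the signature private key.
func userUnwrap(signPriv *rsa.PrivateKey, first, second []byte) (*rsa.PrivateKey, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, signPriv, second, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(first) < n {
		return nil, errors.New("first encryption result too short")
	}
	der, err := gcm.Open(nil, first[:n], first[n:], nil)
	if err != nil {
		return nil, err // wrong key or modified ciphertext
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// runDemo plays CA and user with freshly generated (constructed) RSA-2048 keys.
func runDemo() (roundTrip, tamperRejected bool, err error) {
	signPriv, err1 := rsa.GenerateKey(rand.Reader, 2048) // user's signature key pair
	encPriv, err2 := rsa.GenerateKey(rand.Reader, 2048)  // encryption pair held by the CA
	if err = errors.Join(err1, err2); err != nil {
		return false, false, err
	}
	first, second, err := caWrap(&signPriv.PublicKey, encPriv)
	if err != nil {
		return false, false, err
	}
	got, err := userUnwrap(signPriv, first, second)
	if err != nil {
		return false, false, err
	}
	first[len(first)-1] ^= 1 // one flipped bit, as a modification in transit would cause
	_, tamperErr := userUnwrap(signPriv, first, second)
	return got.Equal(encPriv), tamperErr != nil, nil
}

func main() { fmt.Println(runDemo()) }
```

The first and second values returned by `caWrap` correspond to the first and second encryption results that step (4) sends to the user.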
As shown in Fig. 3, another embodiment of the present invention provides a method for applying the dual-key system digital certificate generated by the first embodiment, comprising the following steps:
(1) A first user acquires a dual-key system digital certificate and parses it to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information comprises the signature public key of the certificate and may also include the corresponding public key algorithm and the like as required, and the encryption public key information comprises the public key of the certificate encryption key pair and may also include the corresponding public key algorithm and the like as required;
Specifically, parsing first determines whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field. If the public key information subfield in the TBS field has been extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if two public key information subfields exist in the TBS field, the signature public key information and the encryption public key information of the certificate are obtained from the two public key information subfields respectively; and if the TBS field has an extension subfield, the signature public key information and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield in the TBS field respectively, or the encryption public key information and the signature public key information of the certificate are obtained from them respectively.
(2) The first user signs data using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1) to obtain signed data, and sends the dual-key system digital certificate and the signed data to the second user;
(3) The second user parses the dual-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information comprises the signature public key of the certificate and may also include the corresponding public key algorithm and the like as required, and the encryption public key information comprises the public key of the certificate encryption key pair and may also include the corresponding public key algorithm and the like as required;
The certificate parsing in this step is identical to that in step (1) and is not repeated here.
(4) The second user verifies the signed data from the first user using the signature public key of the certificate obtained by parsing, to determine whether the first user is a legitimate user; if so, the method proceeds to step (5), otherwise the process ends;
(5) The second user encrypts the message to be sent to the first user using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(6) The first user decrypts the encryption result obtained in step (5) using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the plaintext of the message.
As shown in Fig. 4, in another embodiment, steps (5) and (6) may be replaced by:
(5') The second user signs the data to be sent to the first user with its own signature private key to obtain a signature result, and sends the dual-key system digital certificate obtained in step (3) and the signature result to the first user;
(6') The first user parses the dual-key system digital certificate from the second user to obtain a signature public key, and uses it to verify the signature result from the second user, to determine whether the second user is a legitimate user; if so, the method proceeds to step (7'), otherwise the process ends;
(7') The second user encrypts the message to be sent to the first user using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(8') The first user decrypts the encryption result obtained in step (7') using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the plaintext of the message.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A method for generating a dual-key system digital certificate, applied to a CA, characterized by comprising the following steps:
(1) receiving a digital certificate application request from a user, and parsing the digital certificate application request to obtain a signature public key or a temporary public key of the certificate;
(2) acquiring a certificate encryption key pair, encrypting the private key of the certificate encryption key pair with a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key with the signature public key or the temporary public key of the certificate obtained in step (1) to obtain a second encryption result;
(3) issuing to the user a dual-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) sending the encryption result obtained in step (2) to the user.
2. The generation method of claim 1, wherein the private key of the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, the asymmetric algorithm being SM2, RSA, or ECC and the symmetric algorithm being AES, 3DES, or SM4, and wherein the randomly generated symmetric key is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC.
3. A method for generating a dual-key system digital certificate, applied to a CA, characterized by comprising the following steps:
(1) receiving a digital certificate application request from a user, and parsing the digital certificate application request to obtain a signature public key or a temporary public key of the certificate;
(2) acquiring a certificate encryption key pair, and encrypting the private key of the certificate encryption key pair with the signature public key or the temporary public key of the certificate obtained in step (1) to obtain an encryption result;
(3) issuing to the user a dual-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) sending the encryption result obtained in step (2) to the user.
4. The generation method according to claim 1, wherein the private key of the certificate encryption key pair is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC.
5. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is an extension of the public key information subfield in the TBS field of an existing x.509 digital certificate, and is used to store signature public key information of the certificate and encryption public key information of the certificate.
6. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is obtained by adding a public key information subfield in the TBS field of the existing x.509 digital certificate, and is used for storing public key information different from the public key information stored in the public key information subfield in the TBS field of the existing x.509 digital certificate.
7. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is obtained by filling the extension subfield in the TBS field of the existing X.509 digital certificate with public key information different from the public key information stored in the public key information subfield originally in the TBS field of the existing X.509 digital certificate.
8. A method for applying a dual-key system digital certificate generated by the method for generating a dual-key system digital certificate according to any one of claims 1 to 5, the method comprising the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user encrypts the message to be sent to the first user by using the encrypted public key of the certificate obtained by analysis, and sends the encrypted result to the first user;
(6) the first user decrypts the encryption result obtained in step (5) using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the plaintext of the message.
9. A method for applying a dual-key system digital certificate generated by the method for generating a dual-key system digital certificate according to any one of claims 1 to 5, the method comprising the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user signs the data which needs to be sent to the first user by using the own private signature key to obtain a signature result, and sends the double-key system digital certificate and the signature result which are obtained in the step (3) to the first user;
(6) the first user analyzes the double-key system digital certificate from the second user to obtain a signature public key, and verifies the signature result from the second user by using the signature public key to determine whether the second user is a legal user, if so, the step (7) is carried out, otherwise, the process is ended;
(7) the second user encrypts the message to be sent to the first user by using the encrypted public key of the certificate obtained by analysis, and sends the encrypted result to the first user;
(8) the first user decrypts the encryption result obtained in step (7) using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the plaintext of the message.
10. The method according to claim 8 or 9, wherein parsing the dual-key system digital certificate first determines whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field; if the public key information subfield in the TBS field has been extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if two public key information subfields exist in the TBS field, the signature public key information and the encryption public key information of the certificate are obtained from the two public key information subfields respectively; and if the TBS field has an extension subfield, the signature public key information and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield in the TBS field respectively, or the encryption public key information and the signature public key information of the certificate are obtained from them respectively.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910148673.4A CN111628860B (en) | 2019-02-28 | 2019-02-28 | Method for generating digital certificate of double-key system and application method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111628860A true CN111628860A (en) | 2020-09-04 |
CN111628860B CN111628860B (en) | 2023-08-08 |
Family
ID=72270782
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910148673.4A Active CN111628860B (en) | 2019-02-28 | 2019-02-28 | Method for generating digital certificate of double-key system and application method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111628860B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105246071A (en) * | 2014-07-11 | 2016-01-13 | 电信科学技术研究院 | Message generation and authentication methods and equipment in Internet-of-vehicles system |
CN106453330A (en) * | 2016-10-18 | 2017-02-22 | 深圳市金立通信设备有限公司 | Identity authentication method and system |
US9660978B1 (en) * | 2016-08-08 | 2017-05-23 | ISARA Corporation | Using a digital certificate with multiple cryptosystems |
CN107360002A (en) * | 2017-08-15 | 2017-11-17 | 武汉信安珞珈科技有限公司 | A kind of application method of digital certificate |
CN108270558A (en) * | 2016-12-30 | 2018-07-10 | 上海格尔软件股份有限公司 | A kind of private key introduction method based on temporary key pair |
CN108683647A (en) * | 2018-04-28 | 2018-10-19 | 重庆交通大学 | A kind of data transmission method based on multi-enciphering |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113239379A (en) * | 2021-05-19 | 2021-08-10 | 郑州信大捷安信息技术股份有限公司 | SCEP (secure certificate privacy protocol) -based national secret certificate issuing method and system |
CN113239379B (en) * | 2021-05-19 | 2022-02-11 | 郑州信大捷安信息技术股份有限公司 | SCEP (secure certificate privacy protocol) -based national secret certificate issuing method and system |
CN116155515A (en) * | 2023-04-20 | 2023-05-23 | 中汽智联技术有限公司 | Type-selectable double-key certificate generation method, electronic device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN111628860B (en) | 2023-08-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||