CN112258170A - PKI-based parallel signature system and method - Google Patents
PKI-based parallel signature system and method Download PDFInfo
- Publication number
- CN112258170A CN112258170A CN202011290317.5A CN202011290317A CN112258170A CN 112258170 A CN112258170 A CN 112258170A CN 202011290317 A CN202011290317 A CN 202011290317A CN 112258170 A CN112258170 A CN 112258170A
- Authority
- CN
- China
- Prior art keywords
- signature
- module
- expandable
- root
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 238000012545 processing Methods 0.000 claims abstract description 31
- 230000006378 damage Effects 0.000 claims description 18
- 238000009795 derivation Methods 0.000 claims description 11
- 238000013507 mapping Methods 0.000 claims description 7
- 230000008569 process Effects 0.000 description 6
- 238000004422 calculation algorithm Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000008707 rearrangement Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
- G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
- G06Q20/065—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a PKI-based parallel signature system and a PKI-based parallel signature method, which relate to and comprise: the root key management module is used for performing registration processing and logout processing on the expandable signature module, wherein the root key management module utilizes a root private key to sign a public key certificate of the expandable signature module when processing the registration of the expandable signature module; the system comprises a root private key module, an expandable signature module, a root public key module and a root public key module, wherein the root private key module is used for requesting registration and logout, and signing data by using a private key of the root private key module; and the signature request gateway is used for receiving a signature request of an external system, selecting an expandable signature module to sign data in the signature request according to the signature request, and returning the data signed by the expandable signature module to the external system. The method and the device can guarantee the safety of the root private key.
Description
Technical Field
The application relates to encryption technology, in particular to a PKI-based parallel signature system and a PKI-based parallel signature method.
Background
Digital currency is a new generation of currency that is equivalent to existing currency. The issuer issues the currency by issuing encrypted strings that represent the actual currency of the denomination. The user can actually store and manage these currencies in the wallet. Meanwhile, the issuing organization operates a digital currency registration center and records the ownership conversion relation of the currency in the circulation process. The digital currency registration center marks ownership of the currency with a string associated with the public key. When a user uses currency, the user needs to sign the transaction by using a private key of the user, the digital currency registration center can verify the transaction according to the number of the currency and a corresponding public key, and after the identity of a currency owner is determined, the currency ownership is converted, and the corresponding currency ownership is marked as a new public key. In essence, the transaction payment process of digital currency is the transfer process of the ownership of the currency.
Because the existing digital currency is a system for realizing specific functions based on public key cryptography signature, the performance of digital signature in the system can become an important performance bottleneck point of the whole system. The existing digital signature algorithm process depends on a private key managed by a system, and the private key needs to be kept properly for safety consideration and even needs to be placed in proprietary cryptography hardware, so how to balance the existing signature mode and realize the balance of safety and performance.
A common approach to managing private keys is to use a TEE or SE chip. The general TEE scheme allows a user to freely import and export a private key, and the realization principle is to protect a fixed memory area and a CPU register group and prevent illegal access. The scheme can ensure the safety to a certain extent, meanwhile, the operation resources are not so precious, and not only the codes related to the key can be operated. While the computing resources in the SE are precious, the private key introduced into the SE is often not allowed to be randomly exported, and meanwhile, the computing resources of the SE are also precious and have low performance, but the SE is often used in a scene with high security requirements, and the scene may have high-performance requirements, so that the performance and the security need to be balanced in the scene.
The public key infrastructure is a digital certificate system realized based on digital signatures, and the security of distributed public keys is ensured through the signature authentication of CA. The trustiness of all public keys under the whole public key tree can be ensured as long as the safety of the root public key is ensured. In essence, the digital certificate is a data structure that binds the public key with the authentication information, and through this mode, the digital certificate can form a chained data authentication mode, which guarantees the security of the user public key.
In summary, each digital signature of the existing cryptography requires the participation of a private key, which results in the risk of revealing the root private key. In consideration of the requirement of high security, the private key is placed in hardware and is limited by the performance of security protection hardware, and the performance limitation is difficult to break through directly. Due to the sensitivity of the private key, when the private key is deployed in parallel, the secrecy of the private key is threatened, and a pure password encryption service becomes a performance bottleneck of a system.
Disclosure of Invention
In view of the above, in order to solve at least one of the above technical problems, the present application aims to: a PKI-based parallel signature system and method are provided to improve the security of private keys and system efficiency.
In a first aspect, an embodiment of the present application provides:
a PKI based parallel signature system, comprising:
the root key management module is used for performing registration processing and logout processing on the expandable signature module, wherein the root key management module utilizes a root private key to sign a public key certificate of the expandable signature module when processing the registration of the expandable signature module;
the system comprises a root private key module, an expandable signature module, a root public key module and a root public key module, wherein the root private key module is used for requesting registration and logout, and signing data by using a private key of the root private key module;
and the signature request gateway is used for receiving a signature request of an external system, selecting an expandable signature module to sign data in the signature request according to the signature request, and returning the data signed by the expandable signature module to the external system.
In some embodiments, when the root key management module performs registration processing on the extensible signature module, the method includes:
the root key management module receives a private key derivation request of the expandable signature module;
the root key management module obtains a public key certificate and a mark of the expandable signature module from the private key derivation request;
the root key management module uses a root private key to sign the public key certificate of the expandable signature module;
the root key management module sends the public key certificate signed by the root private key to the expandable signature module;
and the root key management module records the public key certificate and the mark of the expandable signature module in an expandable signature module list.
In some embodiments, when the root key management module performs logout processing on the extensible signature module, the method includes:
the root key management module receives a destroying request of the expandable signature module;
the root key management module acquires a public key certificate of the expandable signature module from the destruction request;
the root key management module verifies the validity of the extensible signature module according to the public key certificate and the extensible signature module list acquired from the destruction request;
when the expandable signature module sending the destruction request is valid, the root key management module generates a revoke certificate according to the destruction request;
the root key management module signs the revoke certificate by using a root private key and returns the revoke certificate to the expandable signature module which sends the destruction request;
and the root key management module removes or marks the expandable signature module which sends the destroy request as invalid in the expandable signature module list.
In some embodiments, when the extensible signature module requests registration from the root private key module, the method includes:
the expandable signature module generates a unique mark, and randomly generates a private key and a public key certificate corresponding to the private key;
the expandable signature module sends a private key derivation request to the root key management module, and the registration request carries a public key certificate and the mark;
the expandable signature module stores the public key certificate signed by the root key management module by using the root private key;
the extensible signature module sends the public key certificate signed by the root private key to the signature request gateway for registration;
the expandable signature module monitors the signature request of the signature request gateway and carries out signature processing by utilizing a private key of the expandable signature module.
In some embodiments, when the extensible signature module requests logout from the root private key module, the method includes:
the expandable signature module generates a destruction request according to the mark of the expandable signature module and the public key certificate;
the expandable signature module uses a private key of the expandable signature module to sign the destroying request and then sends the destroying request to the root key management module;
the extensible signature module receives a revoke certificate of the root key management module;
the extensible signature module sends the revoke certificate to a signature request gateway so as to destroy a public key certificate stored in the signature request gateway;
the extensible signature module stops servicing.
In some embodiments, the signature request gateway stores a mapping table of the extensible signature modules, and the mapping table records flags of all the extensible signature modules and public key certificates corresponding to each extensible signature module.
In some embodiments, the selecting an expandable signature module according to the signature request to sign the data in the signature request specifically includes:
acquiring data needing to be signed from the signing request and converting the data into a hash value;
and selecting an expandable signature module to sign the hash value.
In some embodiments, the root key management module operates based on an SE chip.
In some embodiments, the signature request gateway sends the public key certificate of the extensible signature module while returning the data signed by the extensible signature module to the external system.
In a second aspect, embodiments of the present application provide:
a PKI-based parallel signature method is realized by the system, and comprises the following steps:
the root key management module registers at least one expandable signature module and signs a public key certificate of each expandable signature module;
the signature request gateway receives a signature request of an external system, selects an expandable signature module to sign data in the signature request according to the signature request, and returns the data signed by the expandable signature module to the external system.
The embodiment of the application carries out signature management on the expandable signature module by arranging the root key management module, can carry out private key derivation by the expandable signature module, thereby, a plurality of expandable signature modules can execute specific signature processing, on one hand, because the root private key is only used for the expandable signature modules in the system, the leakage risk is reduced, by adopting the framework of the scheme, the root key management module can be deployed in the SE chip to operate, because the processing amount of signing the expandable signature module certificate is less, the cost of the SE chip is not greatly increased, the risk of private key leakage of the expandable signature module can be reduced to a certain extent through the logout mechanism of the expandable signature module, and multiple extensible signature modules can implement parallel signature processing based on existing PKI (public key infrastructure).
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a PKI-based parallel signature system provided in an embodiment of the present application;
FIG. 2 is a flowchart of a registration process of an extensible signature module according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating logout processing of an extensible signature module according to an embodiment of the present disclosure;
fig. 4 is a flowchart of a PKI-based parallel signature method according to an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the technical solutions of the present application will be clearly and completely described below through embodiments with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, the present embodiment discloses a PKI-based parallel signature system, which is compatible with current PKI, and comprises:
the root key management module is used for performing registration processing and logout processing on the expandable signature module, wherein the root key management module utilizes a root private key to sign a public key certificate of the expandable signature module when processing the registration of the expandable signature module;
the system comprises a root private key module, an expandable signature module, a root public key module and a root public key module, wherein the root private key module is used for requesting registration and logout, and signing data by using a private key of the root private key module;
and the signature request gateway is used for receiving a signature request of an external system, selecting an expandable signature module to sign data in the signature request according to the signature request, and returning the data signed by the expandable signature module to the external system.
It should be understood that the root private key of the root key management module in the system is stored in the SE chip, and the extensible signature module may operate in a TEE-based scheme. This ensures that the root private key is relatively secure. Even if the derivative private key of the extensible signature module is leaked, the data security can be guaranteed by logging off the certificate of the extensible signature module. It should be understood that the root key management module may perform logout processing on the extensible signature module according to a certain period, that is, the logout time may be determined when the extensible signature module performs login. Different extensible signature modules can have different life cycles and can also be logged off at any time according to the requirements.
According to the embodiment of the application, the root key management module is arranged to perform signature management on the expandable signature module, and private key derivation can be performed through the expandable signature module, so that a plurality of expandable signature modules can execute specific signature processing.
The root key management module manages the most core root private key in the system, and the key needs to be strictly protected. In practical application, the root private key can be stored in the SE hardware chip, so that the root private key cannot be exported, and the overall security of the root private key is ensured. Meanwhile, the root key management module is responsible for signing the unsigned certificate of the extensible signature module and managing the information of the extensible signature module.
The root key management module also needs to record an extensible signature module list, and the extensible signature module list records which extensible signature modules are online and valid and how many extensible signature modules are logged off and offline.
The root key management module records a certificate which generates a root private key and a public key certificate associated with the root private key, wherein the public key certificate is a certificate which is signed by a self-signature or other CA.
Referring to fig. 2, in some embodiments, when the root key management module performs registration processing on the extensible signature module, the method includes:
the root key management module receives a private key derivation request of the expandable signature module;
the root key management module obtains a public key certificate and a mark of the expandable signature module from the private key derivation request; in some embodiments, the root key management module checks whether the flag is stored in the extensible signature module list, and if so, returns an identification, otherwise, performs the next step.
The root key management module uses a root private key to sign the public key certificate of the expandable signature module;
the root key management module sends the public key certificate signed by the root private key to the expandable signature module;
and the root key management module records the public key certificate and the mark of the expandable signature module in an expandable signature module list.
The present embodiment is described in terms of a root key management module, and it can be understood that corresponding processing is performed in the extensible signature module.
As can also be seen in fig. 2, in some embodiments, when the extensible signature module requests registration from the root private key module, the method includes:
the expandable signature module generates a unique mark, and randomly generates a private key and a public key certificate corresponding to the private key; wherein the flag may be generated by a flag generation method of any distributed system.
The expandable signature module sends a private key derivation request to the root key management module, and the registration request carries a public key certificate and the mark;
the expandable signature module stores the public key certificate signed by the root key management module by using the root private key;
the extensible signature module sends the public key certificate signed by the root private key to the signature request gateway for registration;
the expandable signature module monitors the signature request of the signature request gateway and carries out signature processing by utilizing a private key of the expandable signature module.
This embodiment describes the process of registration from the perspective of the extensible signature module.
By the processing, the extensible signature modules can be dynamically registered and unregistered, the processing speed of the data signature can be improved by controlling the number of the extensible signature modules, and the risk that the derived private key is leaked can be reduced by managing the life cycle of the extensible signature modules.
The logoff procedure is explained as follows:
in some embodiments, from the perspective of a root key management module, when the root key management module performs logout processing on the extensible signature module, the method includes:
the root key management module receives a destroying request of the expandable signature module;
the root key management module acquires a public key certificate of the expandable signature module from the destruction request;
the root key management module verifies the validity of the extensible signature module according to the public key certificate and the extensible signature module list acquired from the destruction request;
when the expandable signature module sending the destruction request is valid, the root key management module generates a revoke certificate according to the destruction request;
the root key management module signs the revoke certificate by using a root private key and returns the revoke certificate to the expandable signature module which sends the destruction request;
and the root key management module removes or marks the expandable signature module which sends the destroy request as invalid in the expandable signature module list.
In some embodiments, as shown in fig. 3, the description is made from the perspective of an extensible signature module, where the extensible signature module requests logout from the root private key module, and the method includes:
the expandable signature module generates a destruction request according to the mark of the expandable signature module and the public key certificate;
the expandable signature module uses a private key of the expandable signature module to sign the destroying request and then sends the destroying request to the root key management module;
the extensible signature module receives a revoke certificate of the root key management module;
the extensible signature module sends the revoke certificate to a signature request gateway so as to destroy a public key certificate stored in the signature request gateway;
the extensible signature module stops servicing.
According to the embodiment, the extensible signature module with the private key leakage risk can be flexibly cancelled through the cancellation mechanism, and the safety of the system is improved.
In some embodiments, the signature request gateway stores a mapping table of the extensible signature modules, and the mapping table records flags of all the extensible signature modules and public key certificates corresponding to each extensible signature module. It should be understood that different extensible signature modules are modules for specifically processing signatures, namely, the root key management module is used for performing signature authentication on the extensible signature module, and data of an external system is signed by a private key of the extensible signature module, so that even if the private key of the extensible signature module is leaked, security holes can be blocked by logging off the extensible signature module.
In some embodiments, the selecting an expandable signature module according to the signature request to sign the data in the signature request specifically includes:
acquiring data needing to be signed from the signing request and converting the data into a hash value;
and selecting an expandable signature module to sign the hash value.
It can be understood that the data volume required to be signed may be huge, and in order to ensure the overall efficiency of the system and reduce the data transmission volume, the transferred data required to be signed may be replaced with corresponding hash values according to the design of different signature algorithms, and this way may reduce the data transmission volume to the maximum extent and ensure the overall performance of the system.
In some embodiments, the root key management module operates based on an SE chip.
In some embodiments, the signature request gateway sends the public key certificate of the extensible signature module while returning the data signed by the extensible signature module to the external system.
The signature request gateway is responsible for receiving an external signature request, completing the calculation of the hash value part of the signature request, selecting an extensible signature module, sending data needing to be signed to the extensible signature module, and simultaneously returning a certificate corresponding to the signed extensible signature module to a requester.
The signature request gateway has a mapping table of the extensible signature module, and the table records the marks of all the extensible signature modules and the public key certificates corresponding to the extensible signature modules. The external system can obtain the corresponding public key certificate according to the mark of the extensible signature module. The obtained public key certificate can be verified according to the following logic, and the set of verification logic can also be performed by an external system:
and reading a root public key certificate index corresponding to the public key certificate, and obtaining the corresponding root certificate from a network or equipment built-in environment.
The root certificate is used to verify whether the current public key certificate is signed by the root public key certificate.
The set of authentication logic has the advantages of being in accordance with the existing authentication method of the certificate chain in the public key infrastructure, and basically not needing to modify an external system.
When the signature request gateway receives the signature request information of the external system, the specific signature execution flow is as follows:
and reading request information needing to be signed, and calculating a hash value corresponding to the signature information.
And the signature request gateway selects an online extensible signature module according to a distributed system node selection algorithm and sends the hash value or the real signature data to the online extensible signature module.
And obtaining the signed digital signature, reading the corresponding extensible signature module certificate, and returning the certificate to the requester.
Referring to fig. 4, the embodiment discloses a PKI-based parallel signature method, which is implemented by the above system, and includes the following steps:
the root key management module registers at least one expandable signature module and signs a public key certificate of each expandable signature module;
the signature request gateway receives a signature request of an external system, selects an expandable signature module to sign data in the signature request according to the signature request, and returns the data signed by the expandable signature module to the external system.
It can be understood that the method is implemented based on a system, and the corresponding technical effect of the system embodiment can be achieved.
From the above description of the embodiments, it is obvious for those skilled in the art that the present application can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present application and the technical principles employed. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the appended claims.
Claims (10)
1. A PKI-based parallel signature system, comprising:
the root key management module is used for performing registration processing and logout processing on the expandable signature module, wherein the root key management module utilizes a root private key to sign a public key certificate of the expandable signature module when processing the registration of the expandable signature module;
the system comprises a root private key module, an expandable signature module, a root public key module and a root public key module, wherein the root private key module is used for requesting registration and logout, and signing data by using a private key of the root private key module;
and the signature request gateway is used for receiving a signature request of an external system, selecting an expandable signature module to sign data in the signature request according to the signature request, and returning the data signed by the expandable signature module to the external system.
2. The PKI-based parallel signing system according to claim 1, wherein when said root key management module performs registration processing on said extensible signing module, it comprises:
the root key management module receives a private key derivation request of the expandable signature module;
the root key management module obtains a public key certificate and a mark of the expandable signature module from the private key derivation request;
the root key management module uses a root private key to sign the public key certificate of the expandable signature module;
the root key management module sends the public key certificate signed by the root private key to the expandable signature module;
and the root key management module records the public key certificate and the mark of the expandable signature module in an expandable signature module list.
3. The PKI-based parallel signing system according to claim 2, wherein when said root key management module performs logout processing on said extensible signing module, it comprises:
the root key management module receives a destroying request of the expandable signature module;
the root key management module acquires a public key certificate of the expandable signature module from the destruction request;
the root key management module verifies the validity of the extensible signature module according to the public key certificate and the extensible signature module list acquired from the destruction request;
when the expandable signature module sending the destruction request is valid, the root key management module generates a revoke certificate according to the destruction request;
the root key management module signs the revoke certificate by using a root private key and returns the revoke certificate to the expandable signature module which sends the destruction request;
and the root key management module removes or marks the expandable signature module which sends the destroy request as invalid in the expandable signature module list.
4. The PKI-based parallel signing system according to claim 1, wherein said extensible signing module, when requesting registration from said root private key module, comprises:
the expandable signature module generates a unique mark, and randomly generates a private key and a public key certificate corresponding to the private key;
the expandable signature module sends a private key derivation request to the root key management module, and the registration request carries a public key certificate and the mark;
the expandable signature module stores the public key certificate signed by the root key management module by using the root private key;
the extensible signature module sends the public key certificate signed by the root private key to the signature request gateway for registration;
the expandable signature module monitors the signature request of the signature request gateway and carries out signature processing by utilizing a private key of the expandable signature module.
5. The PKI-based parallel signing system according to claim 4, wherein said extensible signing module, when requesting logout from said root private key module, comprises:
the expandable signature module generates a destruction request according to the mark of the expandable signature module and the public key certificate;
the expandable signature module uses a private key of the expandable signature module to sign the destroying request and then sends the destroying request to the root key management module;
the extensible signature module receives a revoke certificate of the root key management module;
the extensible signature module sends the revoke certificate to a signature request gateway so as to destroy a public key certificate stored in the signature request gateway;
the extensible signature module stops servicing.
6. The PKI-based parallel signing system according to claim 1, wherein said signature request gateway stores a mapping table of extensible signature modules, and said mapping table records flags of all extensible signature modules and public key certificates corresponding to each extensible signature module.
7. The PKI-based parallel signature system according to claim 6, wherein the selecting an expandable signature module to sign the data in the signature request according to the signature request includes:
acquiring data needing to be signed from the signing request and converting the data into a hash value;
and selecting an expandable signature module to sign the hash value.
8. The PKI-based parallel signing system of claim 1, wherein said root key management module operates based on a SE chip.
9. The PKI-based parallel signing system according to claim 1, wherein said signing request gateway sends a public key certificate of the extensible signing module while returning the data signed by said extensible signing module to an external system.
10. A PKI-based parallel signature method implemented by the system of claim 1, comprising the steps of:
the root key management module registers at least one expandable signature module and signs a public key certificate of each expandable signature module;
the signature request gateway receives a signature request of an external system, selects an expandable signature module to sign data in the signature request according to the signature request, and returns the data signed by the expandable signature module to the external system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011290317.5A CN112258170A (en) | 2020-11-17 | 2020-11-17 | PKI-based parallel signature system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011290317.5A CN112258170A (en) | 2020-11-17 | 2020-11-17 | PKI-based parallel signature system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112258170A true CN112258170A (en) | 2021-01-22 |
Family
ID=74266977
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011290317.5A Pending CN112258170A (en) | 2020-11-17 | 2020-11-17 | PKI-based parallel signature system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112258170A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113821835A (en) * | 2021-11-24 | 2021-12-21 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101771541A (en) * | 2008-12-26 | 2010-07-07 | 中兴通讯股份有限公司 | Secret key certificate generating method and system for home gateway |
| CN106921496A (en) * | 2015-12-25 | 2017-07-04 | 卓望数码技术(深圳)有限公司 | A kind of digital signature method and system |
| CN111783097A (en) * | 2020-05-28 | 2020-10-16 | 东方红卫星移动通信有限公司 | Information integrity measurement verification method and system for satellite-borne computing system |
-
2020
- 2020-11-17 CN CN202011290317.5A patent/CN112258170A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101771541A (en) * | 2008-12-26 | 2010-07-07 | 中兴通讯股份有限公司 | Secret key certificate generating method and system for home gateway |
| CN106921496A (en) * | 2015-12-25 | 2017-07-04 | 卓望数码技术(深圳)有限公司 | A kind of digital signature method and system |
| CN111783097A (en) * | 2020-05-28 | 2020-10-16 | 东方红卫星移动通信有限公司 | Information integrity measurement verification method and system for satellite-borne computing system |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113821835A (en) * | 2021-11-24 | 2021-12-21 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Lim et al. | Blockchain technology the identity management and authentication service disruptor: a survey | |
| CN109768988A (en) | Decentralization Internet of Things security certification system, facility registration and identity identifying method | |
| Bao et al. | IoTChain: A three-tier blockchain-based IoT security architecture | |
| US20190295069A1 (en) | Systems and methods for integrating cryptocurrency wallet identifiers with digital certificates | |
| US9614847B2 (en) | User authentication | |
| KR20190075771A (en) | Authentication System Using Block Chain Through Distributed Storage after Separating Personal Information | |
| JP2019185774A (en) | Integrated log-in method for block chain infrastructure, terminal, and server using the same | |
| CN113301022B (en) | Internet of things equipment identity security authentication method based on block chain and fog calculation | |
| TWI648679B (en) | License management system and method using blockchain | |
| KR20190114434A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| CN109889497A (en) | A kind of data integrity verification method for going to trust | |
| CN101527634B (en) | System and method for binding account information with certificates | |
| KR20190114432A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| KR20190114433A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| Yeh et al. | A robust mobile payment scheme with smart contract-based transaction repository | |
| TW202137199A (en) | Method of authenticating biological payment device, apparatus, electronic device, and computer-readable medium | |
| He et al. | A novel cryptocurrency wallet management scheme based on decentralized multi-constrained derangement | |
| KR20190115515A (en) | AUTHENTICATION METHOD AND SYSTEM OF IoT(Internet of Things) DEVICE BASED ON PUBLIC KEY INFRASTRUCTURE | |
| Neela et al. | An improved RSA technique with efficient data integrity verification for outsourcing database in cloud | |
| Riad et al. | A blockchain‐based key‐revocation access control for open banking | |
| CN112258170A (en) | PKI-based parallel signature system and method | |
| CN114268447A (en) | File transmission method and device, electronic equipment and computer readable medium | |
| WO2024011863A9 (en) | Communication method and apparatus, sim card, electronic device, and terminal device | |
| KR102216285B1 (en) | Method for sso service through blockchain, and terminal and server using the same | |
| Noor et al. | Decentralized Access Control using Blockchain Technology for Application in Smart Farming |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |