CN112688784B - Digital signature and verification method, device and system - Google Patents
- Authority
- CN
- China
- Prior art keywords
- signature
- ciphertext
- application system
- private key
- verification
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention provides a digital signature and verification method, device and system, wherein the method comprises the following steps: acquiring a dynamic identifier of a user side, using the combination of an SM9 private key and the dynamic identifier as input, and using the SM3 algorithm to obtain a first hash result; taking the first hash result as a secret key, and encrypting a plaintext by using the SM4 algorithm to obtain a ciphertext; taking the combination of the SM9 private key, the ciphertext and a timestamp as input, using the SM3 algorithm to obtain a second hash result, and taking the second hash result as an encrypted signature of the ciphertext; and sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
Description
Technical Field
The invention relates to the technical field of data encryption, in particular to a digital signature and verification method, device and system.
Background
With the rapid development of internet technology, signature verification technology is also increasingly applied to e-commerce transactions and document approval in order to ensure safety and fairness.
The invention patent with the application number of 201410616744.6 in the prior art discloses a data signature method, a signature verification method, data signature equipment and a verification server, wherein the data signature method comprises the following steps: when a first signature request is received, extracting a signature identifier and data to be signed from the first signature request, generating abstract information of the data to be signed, determining a target signature certificate corresponding to the signature identifier from a plurality of preset signature certificates, signing the abstract information by using the target signature certificate to obtain first signature data, and sending the first signature data and the signature identifier to a verification server for the verification server to verify the first signature data. Therefore, the invention can identify the data to be signed through the signature mark, and ensure the security of the signature to a certain extent. Even if the signature identification is tampered, the signature identification is sent to a verification server to verify whether a fraudulent signature condition exists. The invention presets a plurality of signature certificates, at least comprises a transaction signature certificate and a common signature certificate, and respectively signs transaction data and common data.
In the prior art, a hash algorithm is used for hashing a plaintext and an identifier to obtain summary information, and then a signature certificate is used for signing the obtained summary information, so that essentially an asymmetric encryption algorithm is used for signing, but the SM9 encryption efficiency is low, and the requirement on hardware is high, so that the prior art has the technical problem of low signature efficiency.
Disclosure of Invention
The technical problem to be solved by the present invention is how to provide a method, device and system for digital signature and verification to improve the signature efficiency.
The invention solves the technical problems through the following technical means:
In a first aspect, the present invention provides a digital signature method, which is applied to a user side, where the user side has an SM9 private key in advance, and the method includes:
acquiring a dynamic identifier of a user side, using a combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first Hash result;
taking the first hash result as a secret key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext;
taking the combination of an SM9 private key, a ciphertext and a timestamp as input, using an SM3 algorithm to obtain a second hash result, and taking the second hash result as an encrypted signature of the ciphertext;
and sending the encrypted signature of the ciphertext, the dynamic identification, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
Optionally, the dynamic identification includes:
one or a combination of: a dynamically generated random number, and a subset of a preset number of characters selected from a preset character set.
In a second aspect, the present invention further provides a digital signature verification method, applied to an application system, where the method includes:
receiving an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, so that the encryption machine queries the SM9 private key according to the user information of the user side, generates a verification signature according to the ciphertext, the queried SM9 private key and the timestamp, and sends the verification signature to the application system;
comparing whether the verification signature is consistent with the encrypted signature;
if yes, the dynamic identification is sent to the encryption machine, so that the encryption machine processes the dynamic identification and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value, and the third hash value is sent to an application system;
and receiving the third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
Optionally, when the step of sending the dynamic identifier to the encryption engine is executed, the method further includes:
and sending the user information to the encryption machine so that the encryption machine can obtain the SM9 private key according to the user information.
In a third aspect, the present invention further provides a digital signature verification method, which is applied to an encryption machine, where a plurality of (user information, SM9 private key) pairs are preset in the encryption machine, and the method includes:
receiving a ciphertext, user information of a user side and a timestamp sent by an application system, querying the SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the queried SM9 private key and the timestamp; sending the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
receiving a dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
and processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to an application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In a fourth aspect, the present invention provides a digital signature apparatus, applied to a user side, where the user side has an SM9 private key in advance, and the apparatus includes:
the acquisition module is used for acquiring the dynamic identification of the user side, using the combination of an SM9 private key and the dynamic identification as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using an SM4 algorithm by taking the first hash result as a secret key to obtain a ciphertext;
the signature module is used for taking the combination of the SM9 private key, the ciphertext and the timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
Optionally, the dynamic identification includes:
one or a combination of: a dynamically generated random number, and a subset of a preset number of characters selected from a preset character set.
In a fifth aspect, the present invention provides a digital signature verification apparatus, applied to an application system, the apparatus including:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp sent by the user side, and sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the encryption machine queries the SM9 private key according to the user information of the user side, generates a verification signature according to the ciphertext, the queried SM9 private key and the timestamp, and sends the verification signature to the application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sends the third hash value to the application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext with the third hash value as the key to obtain the plaintext.
Optionally, the second sending module is further configured to:
and sending the user information to the encryption machine so that the encryption machine can obtain the SM9 private key according to the user information.
In a sixth aspect, the present invention provides a digital signature verification apparatus, which is applied to an encryption machine, where a plurality of (user information, SM9 private key) pairs are preset in the encryption machine, and the apparatus includes:
the second receiving module is used for receiving the ciphertext, the user information of the user side and the timestamp sent by the application system, querying the SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the queried SM9 private key and the timestamp; sending the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
the second receiving module is also used for receiving the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
and the third sending module is used for processing the dynamic identifier and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In a seventh aspect, the present invention provides a digital signature and verification method, where the method includes:
the user side obtains a dynamic identifier of the user side, uses the combination of the SM9 private key and the dynamic identifier as input, and obtains a first hash result through the SM3 algorithm; takes the first hash result as a secret key and encrypts a plaintext by using the SM4 algorithm to obtain a ciphertext; takes the combination of the SM9 private key, the ciphertext and a timestamp as input, uses the SM3 algorithm to obtain a second hash result, and takes the second hash result as an encrypted signature of the ciphertext; and sends the encrypted signature of the ciphertext, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system;
the application system receives an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives the ciphertext, the user information of the user side and the timestamp sent by the application system, processes the timestamp, the ciphertext and the SM9 private key obtained through query by using the SM3 algorithm to generate a verification signature, and sends the verification signature to the application system;
the application system compares whether the verification signature is consistent with the encryption signature; if yes, the dynamic identification and the user information of the user side are sent to the encryption machine;
the encryption machine receives the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature; processes the dynamic identifier and the queried SM9 private key by using the SM3 algorithm to obtain a third hash value, and sends the third hash value to the application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In an eighth aspect, the present invention provides a digital signature and verification system, including:
the user terminal according to the fourth aspect;
the application system according to the fifth aspect;
the encryption machine according to the sixth aspect.
The invention has the advantages that:
by applying the embodiment of the invention, only the private key of SM9 is used as the encrypted object of the SM3 algorithm for signature, compared with the prior art that the SM9 algorithm is used for encryption, for example, public information such as mobile phone numbers and the like is used as the public key, the embodiment of the invention does not need to call the SM9 encryption algorithm, and the operation speed of the SM3 algorithm is far greater than that of the SM9 algorithm, so that the signature efficiency is improved.
The embodiment of the invention can also ensure the integrity of data while improving the signature efficiency and realize the anti-repudiation of the data of the client.
Drawings
Fig. 1 is a schematic flow chart of a digital signature method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a digital signature verification method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a digital signature verification method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an architecture of a digital signature and verification system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
The invention provides a digital signature method, a digital signature verification device and a digital signature verification system.
Example 1
The invention is applied to a digital signature and verification system, which comprises: the system comprises a user side, an application system and an encryption machine, wherein the user side is in remote communication with the application system; the application system and the encryption machine are deployed on the same side, and short-range secret communication is achieved between the application system and the encryption machine.
Fig. 1 is a schematic flow chart of a digital signature method according to an embodiment of the present invention, and as shown in fig. 1, the digital signature method is applied to a user side, where the user side has an SM9 private key in advance, and the method includes:
S101: acquiring a dynamic identifier of the user side, using the combination of the SM9 private key and the dynamic identifier as input, and using the SM3 algorithm to obtain a first hash result.
Illustratively, the dynamic identifier may be a dynamically generated random number, and the length of the random number may be 5 bits, 10 bits, 100 bits, or 1000 bits. Alternatively, a set number of characters can be selected from a preset character set stored in the user side, and the set formed by these characters is used as the dynamic identifier.
Then, the SM9 private key and the dynamic identifier are spliced to obtain a splicing result: SM9 private key + dynamic identifier.
Then, the SM3 algorithm, a hash algorithm, is applied as hash(SM9 private key + dynamic identifier) to obtain a digest, which is taken as the first hash result.
In this step, the SM9 private key is included in generating the first hash result, which ensures that the secret key can only be generated in the user side and the encryption machine. Since a man in the middle cannot produce the SM9 private key, the embodiment of the present invention can achieve high security of the encryption system provided that the client side and the encryption machine are secure.
S102: and using the first hash result as a secret key, and encrypting the plaintext by using an SM4 algorithm to obtain a ciphertext.
Illustratively, the first hash result obtained in step S101 is used as a key of an SM4 encryption algorithm, where the SM4 encryption algorithm may be a symmetric encryption algorithm.
And then encrypting the plaintext by using SM 4:
SM4 (plaintext) = ciphertext.
S103: and taking the combination of the SM9 private key, the ciphertext and the timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext.
And splicing the SM9 private key, the ciphertext and the timestamp to obtain a splicing result of the SM9 private key, the ciphertext and the timestamp.
Then, using SM3 algorithm to abstract the splicing result:
SM3(SM9 private key + ciphertext + timestamp) = second hash result, which is the signature of the ciphertext.
In practical applications, the time stamp may be the time stamp of the moment when the embodiment of the present invention starts to be executed.
In practical application, the SM3 algorithm, namely the hash algorithm, is irreversible, resistant to tampering and unique, so that the integrity of plaintext data can be ensured. In this step, because the SM9 private key is added as an input parameter when SM3 generates the second hash result, the second hash result corresponds to trace information of the client, that is, the SM9 private key. Meanwhile, the SM9 private key is stored with high security, only in the client and the encryption machine, and the SM9 private key is unique, so that data integrity can be guaranteed and, at the same time, anti-repudiation of the client data is realized.
S104: sending the encrypted signature of the ciphertext (namely the second hash result), the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system, so that the application system can verify the encrypted signature of the ciphertext.
In the embodiment 1 of the present invention, only the private key of the SM9 is used as the encrypted object of the SM3 algorithm to perform signature, and compared with the prior art in which the SM9 algorithm is used to perform encryption, for example, public information such as a mobile phone number is used as a public key, the embodiment of the present invention does not need to call the encryption algorithm of the SM9, and the operation speed of the SM3 algorithm is much faster than that of the SM9 algorithm, so that the signature efficiency can be greatly improved under the condition that the security and integrity of a plaintext are ensured.
In addition, the embodiment of the invention does not involve the transmission of a public key or a private key, so that the invention is safer. The dynamic identifier is used by the user side to generate the key A, and an attacker cannot map the identifier to the key A; furthermore, the dynamic identifier is highly variable, for example, random numbers can be used, so that the information security is further improved.
In addition, in the embodiment of the invention, the data volume of the SM9 private key used is small, usually only a few k and not more than 10k; a CA certificate has a larger data volume, usually dozens of k or even hundreds of k, so the embodiment of the invention can save more memory.
Finally, the embodiment of the invention omits a CA certificate authentication center and can realize decentralization.
Example 2
Fig. 2 is a schematic flow chart of a digital signature verification method according to an embodiment of the present invention, and as shown in fig. 2, embodiment 2 of the present invention is implemented based on embodiment 1, embodiment 2 of the present invention is applied to an application system, and the method includes:
S201: receiving an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, so that the encryption machine queries the SM9 private key according to the user information of the user side, generates a verification signature according to the ciphertext, the queried SM9 private key and the timestamp, and sends the verification signature to the application system.
The user side sends the signature of the ciphertext (namely the second hash result), the ciphertext, the dynamic identifier, the timestamp and the user information of the user side (namely the identity information of the user) to the application system. The application system receives this information and then sends the user information, the ciphertext and the timestamp to the encryption machine.
After receiving the user information, the ciphertext and the timestamp, the encryption machine looks up the pair corresponding to the received user information among the (user information, SM9 private key) pairs stored in the encryption machine, and thereby obtains the SM9 private key corresponding to that user information.
The verification signature is then obtained by using the SM3 algorithm, namely SM3(SM9 private key corresponding to the user information + ciphertext + timestamp).
The encryption engine sends the verification signature to the application system.
S202: the application system compares whether the verification signature is consistent with the encrypted signature.
If the two are consistent, executing S203;
and if the two are not consistent, returning the information that the signature verification fails to pass to the user terminal.
S203: in order to reduce the running load of the encryption machine and focus the functions of the encryption machine on key life cycle management and key operation, in the embodiment of the invention, a complex logic processing process is placed in an application system, and therefore, the logic steps of verifying the consistency of the signature and the encrypted signature and verifying whether the consistency passes are executed by the application system. And after the verification is passed, the application system sends the dynamic identification to the encryption machine. Since the encryption machine verifies the encryption signature in step S201, the encryption machine stores the queried SM9 private key in its own cache, and at this time, after the encryption machine receives the dynamic identifier, the encryption machine processes the dynamic identifier and the queried SM9 private key stored in the cache by using an SM3 algorithm to obtain a third hash value and sends the third hash value to the application system.
Further, if a large number of encrypted-signature verifications run concurrently, storing a large number of SM9 private keys in the encryption machine may cause memory overflow and possibly data confusion. Therefore, under high concurrency, for example more than 1000 verifications per second, the encryption machine does not store the SM9 private key queried in step S201 in the cache, but queries it again according to the user information re-sent by the application system; that is, when the application system sends the dynamic identifier to the encryption machine, it also sends the user information. The encryption machine queries the corresponding SM9 private key from the (user information, SM9 private key) pairs it stores, and then generates the third hash value by using that SM9 private key.
The application system sends the dynamic identifier to the encryption machine; after receiving it, the encryption machine computes a digest with the SM3 algorithm, a hash algorithm, as hash(SM9 private key + dynamic identifier), and uses the digest as the third hash result. The encryption machine sends the third hash result to the application system as the decryption key corresponding to the user information.
S204: and receiving a third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
Example 3
Fig. 3 is a schematic flow diagram of a digital signature verification method according to an embodiment of the present invention. As shown in fig. 3, embodiment 3 of the present invention is implemented based on embodiment 1 and embodiment 2 and is applied to an encryption machine, in which a plurality of (user information, SM9 private key) pairs are preset, and the method includes:
S301: receiving a ciphertext, user information of a user side and a timestamp sent by an application system, querying the SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the queried SM9 private key and the timestamp; sending the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
S302: receiving a dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
S303: processing the dynamic identifier and the queried SM9 private key by using the SM3 algorithm to obtain a third hash value, and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
The specific principle and process of embodiment 3 of the present invention have been described in embodiment 2, and the embodiments of the present invention are not described herein again.
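The exchange of embodiments 1 to 3, as an added Python example that is not code from the patent: the user side derives the key and signature (S101-S104), the application system compares signatures and only then asks for the decryption key (S201-S204), and the encryption machine answers both requests (S301-S303). Assumptions: "splicing" is plain byte concatenation, the dynamic identifier is 16 random bytes, the timestamp is an ASCII string, an SM3-based keystream stands in for SM4 (which the Python standard library does not provide), and all function and class names are hypothetical.

```python
import hmac
import os
import struct

# SM3 (GB/T 32905-2016) in pure Python; hashlib's "sm3" depends on the OpenSSL build.
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
M32 = 0xFFFFFFFF

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & M32

def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)

def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def sm3(data: bytes) -> bytes:
    msg = data + b"\x80"
    msg += b"\x00" * (-(len(msg) + 8) % 64) + struct.pack(">Q", len(data) * 8)
    v = list(IV)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion
            w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                     ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & M32, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g & M32)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & M32
            tt2 = (gg + h + ss1 + w[j]) & M32
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4 (NOT SM4): XOR with an SM3(key || counter) keystream.
    The patent does not say how the 32-byte SM3 output becomes a 16-byte SM4 key."""
    blocks = (sm3(key + struct.pack(">I", i)) for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, b"".join(blocks)))

class EncryptionMachine:
    """Holds the preset (user information, SM9 private key) pairs."""
    def __init__(self, pairs):
        self._pairs = dict(pairs)
        self.key_requests = 0  # how often a decryption key was released

    def verification_signature(self, user, ct, ts):  # S301
        return sm3(self._pairs[user] + ct + ts)

    def third_hash(self, user, dyn_id):  # S303
        self.key_requests += 1
        return sm3(self._pairs[user] + dyn_id)

def user_sign(sk, user, plaintext, ts):  # S101-S104, user side
    dyn_id = os.urandom(16)              # dynamic identifier (random number)
    key = sm3(sk + dyn_id)               # first hash result
    ct = stream_xor(key, plaintext)
    sig = sm3(sk + ct + ts)              # second hash result = "encrypted signature"
    return {"sig": sig, "ct": ct, "dyn_id": dyn_id, "user": user, "ts": ts}

def application_verify(msg, machine):    # S201-S204, application system
    try:
        check = machine.verification_signature(msg["user"], msg["ct"], msg["ts"])
    except KeyError:
        return None                      # unknown user information
    if not hmac.compare_digest(check, msg["sig"]):  # S202, constant-time compare
        return None                      # failed: the dynamic identifier is never sent
    key = machine.third_hash(msg["user"], msg["dyn_id"])  # third hash value
    return stream_xor(key, msg["ct"])

if __name__ == "__main__":
    sk = b"constructed-sample-sm9-private-key"  # constructed placeholder, not a real key
    machine = EncryptionMachine({b"user-001": sk})
    m = user_sign(sk, b"user-001", b"approve document 42", b"1700000000")
    print(application_verify(m, machine))
    m["ct"] = bytes([m["ct"][0] ^ 1]) + m["ct"][1:]  # tampered ciphertext
    print(application_verify(m, machine), machine.key_requests)
```

Because both the user side and the encryption machine compute the same SM3 value from the same SM9 private key, the comparison in S202 is a symmetric check: either holder of the key can produce a matching value.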
Example 4
Corresponding to embodiment 1 of the present invention, embodiment 4 of the present invention further provides a digital signature apparatus, which is applied to a user side, where the user side has an SM9 private key in advance, and the apparatus includes:
the acquisition module is used for acquiring the dynamic identification of the user side, using the combination of an SM9 private key and the dynamic identification as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using an SM4 algorithm by taking the first hash result as a secret key to obtain a ciphertext;
the signature module is used for taking the combination of the SM9 private key, the ciphertext and the timestamp as input, obtaining a second Hash result by using an SM3 algorithm, and taking the second Hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
In a specific implementation manner of the embodiment of the present invention, the dynamic identifier includes:
one or a combination of: a dynamically generated random number, and a subset of a preset number of characters selected from a preset character set.
Example 5
Corresponding to embodiment 1 of the present invention, embodiment 5 of the present invention further provides a digital signature verification apparatus, which is applied to an application system, and the apparatus includes:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp sent by the user side, and sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the encryption machine queries the SM9 private key according to the user information of the user side, generates a verification signature according to the ciphertext, the queried SM9 private key and the timestamp, and sends the verification signature to the application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sends the third hash value to the application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext with the third hash value as the key to obtain the plaintext.
In a specific implementation manner of the embodiment of the present invention, the second sending module is further configured to:
sending the user information to the encryption machine so that the encryption machine can query the SM9 private key according to the user information.
Example 6
Corresponding to embodiment 1 of the present invention, embodiment 6 of the present invention further provides a digital signature verification apparatus, which is applied to an encryption machine in which a plurality of pairs of user information and SM9 private key are preset, and the apparatus includes:
the second receiving module is used for receiving the ciphertext, the user information of the user side and the timestamp sent by the application system, querying the SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the SM9 private key obtained by the query and the timestamp; and for sending the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
the second receiving module is also used for receiving the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
and the third sending module is used for processing the dynamic identifier and the SM9 private key obtained by the query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to the application system so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
Example 7
Corresponding to embodiments 1 to 6 of the present invention, embodiment 7 of the present invention further provides a digital signature and verification method, where the method includes:
the user side obtains its dynamic identifier, takes the combination of the SM9 private key and the dynamic identifier as input, and obtains a first hash result by using an SM3 algorithm; takes the first hash result as a secret key and encrypts a plaintext by using an SM4 algorithm to obtain a ciphertext; takes the combination of the SM9 private key, the ciphertext and a timestamp as input, obtains a second hash result by using the SM3 algorithm, and takes the second hash result as the encrypted signature of the ciphertext; and sends the encrypted signature of the ciphertext, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system;
the application system receives the encrypted signature, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives the ciphertext, the user information of the user side and the timestamp sent by the application system, and processes the timestamp, the ciphertext and the SM9 private key obtained by query by using the SM3 algorithm to generate a verification signature; and sends the verification signature to the application system;
the application system compares whether the verification signature is consistent with the encrypted signature; if so, it sends the dynamic identifier and the user information of the user side to the encryption machine;
the encryption machine receives the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature; it processes the dynamic identifier and the SM9 private key obtained by query by using the SM3 algorithm to obtain a third hash value and sends the third hash value to the application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
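The Example 7 exchange between user side, application system and encryption machine, as an added Python sketch that is not part of the patent. It assumes the SM9 private key is handled as opaque bytes, length-prefixes each hashed field, and swaps in a hash-counter keystream for SM4 (and SHA-256 for SM3 where the local OpenSSL lacks it); all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def h(*parts: bytes) -> bytes:
    """SM3 over length-prefixed parts; SHA-256 is a stand-in when SM3 is unavailable."""
    try:
        digest = hashlib.new("sm3")
    except ValueError:  # this OpenSSL build does not expose SM3
        digest = hashlib.sha256()
    for part in parts:  # length prefix is an assumption: the page only says "combination"
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4 (not in the standard library): hash-counter keystream XOR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = h(key, (offset // 32).to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def user_sign(sm9_key: bytes, user_info: str, plaintext: bytes, timestamp=None) -> dict:
    """User side: derive the key, encrypt, tag, and build the message for the application system."""
    dynamic_id = secrets.token_bytes(16)           # dynamically generated random number
    ts = str(int(time.time()) if timestamp is None else timestamp).encode()
    key = h(sm9_key, dynamic_id)                   # first hash result
    ciphertext = stream_xor(key, plaintext)
    signature = h(sm9_key, ciphertext, ts)         # second hash result = encrypted signature
    return {"signature": signature, "ciphertext": ciphertext,
            "dynamic_id": dynamic_id, "user_info": user_info, "timestamp": ts}


class EncryptionMachine:
    """Holds the preset user information / SM9 private key pairs."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def verification_signature(self, ciphertext: bytes, user_info: str, ts: bytes) -> bytes:
        return h(self._keys[user_info], ciphertext, ts)

    def third_hash(self, dynamic_id: bytes, user_info: str) -> bytes:
        return h(self._keys[user_info], dynamic_id)


def application_verify(msg: dict, machine: EncryptionMachine):
    """Application system: returns the plaintext, or None when verification fails."""
    try:
        expected = machine.verification_signature(
            msg["ciphertext"], msg["user_info"], msg["timestamp"])
    except KeyError:                               # no key preset for this user information
        return None
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, msg["signature"]):
        return None
    # The dynamic identifier goes to the encryption machine only after the match.
    key = machine.third_hash(msg["dynamic_id"], msg["user_info"])
    return stream_xor(key, msg["ciphertext"])


if __name__ == "__main__":
    demo_key = b"\x11" * 32                        # constructed sample key material
    machine = EncryptionMachine({"alice": demo_key})
    message = user_sign(demo_key, "alice", b"approve order 42")
    print(application_verify(message, machine))
```

The tag mirrors the page's plain SM3 hash over the combined inputs; a deployment would normally use real SM4 in an authenticated mode and a keyed construction such as HMAC-SM3 for the tag.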
Example 8
Corresponding to embodiments 1 to 7 of the present invention, embodiment 8 of the present invention further provides a digital signature and verification system. Fig. 4 is a schematic diagram of an architecture of a digital signature and verification system according to an embodiment of the present invention, as shown in fig. 4, the system includes:
the application system 802 according to embodiment 5;
the encryption equipment 803 according to embodiment 6.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A digital signature method is applied to a user side which is provided with an SM9 private key in advance, and the method comprises the following steps:
acquiring a dynamic identifier of a user side, using a combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first Hash result;
taking the first hash result as a secret key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext;
taking the combination of an SM9 private key, a ciphertext and a timestamp as input, using an SM3 algorithm to obtain a second hash result, and taking the second hash result as an encrypted signature of the ciphertext;
and sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
2. A digital signature method as claimed in claim 1, wherein said dynamic identification comprises:
and one or a combination of dynamically generated random numbers and a set number of subsets selected from a preset character set.
3. A digital signature verification method based on the method of claim 1 or 2, applied to an application system, the method comprising:
receiving an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, so that the encryption machine can obtain an SM9 private key according to user information of the user side through inquiry, generate a verification signature according to the ciphertext, the SM9 private key obtained through inquiry and the timestamp, and send the verification signature to an application system;
comparing whether the verification signature is consistent with the encrypted signature;
if so, sending the dynamic identifier to an encryption machine, so that the encryption machine processes the dynamic identifier and an SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
and receiving the third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
4. A digital signature verification method as claimed in claim 3, wherein in performing said step of sending said dynamic identification to a cryptographic engine, said method further comprises:
and sending the user information to the encryption machine so that the encryption machine can obtain the SM9 private key according to the user information.
5. A digital signature verification method based on any one of the methods of claims 1-4, characterized in that the method is applied to an encryption machine in which a plurality of pairs of user information and SM9 private key are preset, and the method comprises:
receiving a ciphertext, user information of a user side and a timestamp sent by an application system, querying the SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the SM9 private key obtained by the query and the timestamp; sending the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
receiving a dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
and processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to an application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
6. A digital signature apparatus applied to a user side, the user side having an SM9 private key in advance, the apparatus comprising:
the acquisition module is used for acquiring the dynamic identification of the user side, using the combination of an SM9 private key and the dynamic identification as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using an SM4 algorithm by taking the first hash result as a secret key to obtain a ciphertext;
the signature module is used for taking the combination of the SM9 private key, the ciphertext and the timestamp as input, obtaining a second Hash result by using an SM3 algorithm, and taking the second Hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
7. A digital signature verification apparatus, applied to an application system, the apparatus comprising:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identifier, the user information of the user side and the timestamp which are sent by the user side applying the device according to claim 6, and for sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the encryption machine queries the SM9 private key according to the user information of the user side, generates a verification signature according to the ciphertext, the SM9 private key obtained by the query and the timestamp, and sends the verification signature to the application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the SM9 private key obtained by the query by using an SM3 algorithm to obtain a third hash value and sends the third hash value to the application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext using the third hash value as a key to obtain a plaintext.
8. A digital signature verification device, characterized in that the device is applied to an encryption machine in which a plurality of pairs of user information and SM9 private key are preset, and the device comprises:
a second receiving module, configured to receive a ciphertext sent by an application system applying the apparatus according to claim 7, user information of a user side applying the apparatus according to claim 6, and a timestamp, query the SM9 private key according to the user information, and generate a verification signature according to the ciphertext, the SM9 private key obtained through the query, and the timestamp; and to send the verification signature to the application system so that the application system can compare whether the verification signature is consistent with the encrypted signature;
the second receiving module is also used for receiving the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature;
and the third sending module is used for processing the dynamic identifier and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
9. A method for digital signature and verification, the method comprising:
the user side obtains its dynamic identifier, takes the combination of the SM9 private key and the dynamic identifier as input, and obtains a first hash result by using an SM3 algorithm; encrypts the plaintext by using an SM4 algorithm with the first hash result as a secret key to obtain a ciphertext; takes the combination of the SM9 private key, the ciphertext and a timestamp as input, obtains a second hash result by using the SM3 algorithm, and takes the second hash result as the encrypted signature of the ciphertext; and sends the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to an application system;
the application system receives an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives a ciphertext, user information of a user side and a timestamp sent by an application system, processes the timestamp, the ciphertext and an SM9 private key obtained according to user information query by using an SM3 algorithm, and generates a verification signature; and sending the verification signature to an application system;
the application system compares whether the verification signature is consistent with the encryption signature; if yes, the dynamic identification and the user information of the user side are sent to the encryption machine;
the encryption machine receives the dynamic identifier when the comparison finds the verification signature consistent with the encrypted signature; it processes the dynamic identifier and the SM9 private key obtained by query by using the SM3 algorithm to obtain a third hash value and sends the third hash value to the application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
10. A digital signature verification system, the system comprising:
a user terminal applying the device of claim 6;
an application system to which the apparatus of claim 7 is applied;
an encryption apparatus using the apparatus of claim 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011532883.2A CN112688784B (en) | 2020-12-23 | 2020-12-23 | Digital signature and verification method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112688784A (en) | 2021-04-20 |
CN112688784B (en) | 2023-04-11 |
Family
ID=75450872
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112688784B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 10 / F, R & D building, Hefei Institute of technology innovation, Chinese Academy of Sciences, 2666 Xiyou Road, Hefei hi tech Zone, Hefei, Anhui 230000; Applicant after: Zhongke Meiluo Technology Co., Ltd.; Address before: 10 / F, R & D building, Hefei Institute of technology innovation, Chinese Academy of Sciences, 2666 Xiyou Road, Hefei hi tech Zone, Hefei, Anhui 230000; Applicant before: ANHUI ZHONGKE MEILUO INFORMATION TECHNOLOGY CO.,LTD. ||
GR01 | Patent grant | ||