CN113343202A - Mutual authentication method based on digital certificate under condition of limited participation - Google Patents

Info

Publication number
CN113343202A
Authority
CN
China
Prior art keywords
digital certificate
certificate
digital
issuer
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110624207.6A
Other languages
Chinese (zh)
Inventor
庄昱垚
李昊春
詹嘉俐
宋扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Syan Technology Co ltd
Original Assignee
Jiangsu Syan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Syan Technology Co ltd
Priority to CN202110624207.6A
Publication of CN113343202A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a digital-certificate-based mutual authentication method for a limited set of participants. The digital certificate certification authority performs a digital signature operation on specific information in the digital certificate signing request and, when issuing the digital certificate, embeds the issuer signature and the issuer public key. The mutually authenticated digital certificates are issued by the same digital certificate certification authority. During mutual authentication, the holder of one digital certificate obtains the issuer public key embedded in that digital certificate and uses it to verify whether the issuer signature of the other digital certificate is correct; if it is correct, verification passes; if not, verification fails. The usage cost for holders of certificates that need mutual authentication is greatly reduced, the digital certificate verification process is greatly simplified, and the advantages in space cost and performance cost are obvious.

Description

Mutual authentication method based on digital certificate under condition of limited participation
Technical Field
The invention belongs to the technical field of digital certificates, and particularly relates to a mutual authentication method under the condition of limited participation.
Background
Digital certificates are an important means by which personalized, high-value application services confirm user identities and prevent repudiation, and they are widely used in applications such as online banking and electronic contracts.
Conventional digital certificates, whether in X.509 format or V2X certificates based on IEEE 1609.2, are authenticated in a similar manner: through a chained trust relationship of "entity certificate - CA certificate - root certificate", also referred to as a "certificate chain". The format of a conventional digital certificate is shown in Fig. 1.
For example, Chinese patent 201210338461.0 discloses a method for associating and verifying multiple digital certificates. It uses one or more digital certificates as a primary certificate and, through the primary certificate, performs operations such as digital signature on specific information in the issuance request of a secondary certificate to obtain a primary-certificate-specific identifier. The issuing authority (CA) of the secondary certificate includes this identifier as a component of the content of the issued secondary certificate. During verification, the primary-certificate-specific identifier is extracted from the secondary certificate and its validity is checked by methods such as signature verification, which establishes the validity of the association.
Under the "certificate chain" system, authenticating an entity certificate A requires first verifying the CA signature on certificate A, then verifying the root CA signature on the certificate of A's issuer (the CA), and finally verifying the self-signature on the certificate of the CA certificate's issuer (the root CA). The authentication process therefore needs access to 3 certificates: certificate A, the certificate of A's signer (the CA), and the certificate of the CA certificate's signer (the root CA). The latter two are called preset certificates, because certificate A cannot be verified without them. To prevent these two certificates from being maliciously replaced (which would break the trust chain and allow certificate A to be forged), the verifier must obtain them in advance through a reliable channel and store them properly. This exposes a problem: acquiring, storing, and updating the CA certificate and the root CA certificate must be done in a highly secure environment, which imposes a high usage cost on the user.
The above costs, though considerable, are effective and necessary when the set of trusted parties is unlimited. At the same time, however, the "certificate chain" places requirements on storage capacity and on the security of the storage location. For an Internet of Things embedded module, any additional space or security requirement brings additional cost, and that cost is multiplied by the huge number of modules, so the total can be enormous.
Disclosure of Invention
In view of the above technical problems, the problem to be solved by the invention is: when participation is limited, to achieve the same security as a certificate chain without using a certificate chain, in a way that is more convenient, faster, and cheaper to use.
To achieve this purpose, the invention adopts the following technical scheme: a digital-certificate-based mutual authentication method for a limited set of participants, in which:
1. the entity certificate includes one or more issuer public keys;
2. when another entity certificate is verified, the issuer public key is obtained from one's own or the opposite end's entity certificate, and that public key is then used to complete the certificate verification process.
The digital certificate certification authority performs a digital signature operation on the specific information in the digital certificate signing request and, when issuing the digital certificate, embeds the issuer signature and the issuer public key.
The mutually authenticated digital certificates are issued by the same digital certificate certification authority.
During mutual authentication, the holder of one digital certificate obtains the issuer public key embedded in that digital certificate and uses it to verify whether the issuer signature of the other digital certificate is correct; if it is correct, verification passes; if not, verification fails.
Further, one digital certificate comprises an issuer signature and an issuer public key of one or more digital certificate authorities; the mutually authenticated digital certificates comprise one or more issuer public keys that are identical.
Further, when the digital certificate is issued, the public key of the issuer is attached to the subject item, the issuer item, the certificate extension item or other certificate contents of the digital certificate. More preferably, in order to improve the independence of the issuer public key and avoid the influence of the digital certificate issuing program, the issuer public key is attached to the certificate extension of the digital certificate.
The invention has the following beneficial effects: the verification process does not require a certificate chain and can be carried out using only the participants' own certificates. The usage cost for holders of certificates that need mutual authentication is greatly reduced, the digital certificate verification process is greatly simplified, and the advantages in space cost and performance cost are obvious. The invention breaks with traditional thinking and, from a practical standpoint, makes creative use of the principles of certificates and public key algorithms.
Drawings
Fig. 1 is a prior art digital certificate format.
Fig. 2 is a digital certificate format of a mutual authentication method under a limited participant condition according to an embodiment of the present invention.
Detailed Description
In order to facilitate understanding of those skilled in the art, the present invention will be further described with reference to the following embodiments and accompanying drawings.
A digital certificate is an online credential that proves a user's identity. It identifies all communicating parties in the network and helps ensure that transactions performed over the network are secure and trustworthy. A digital certificate mainly serves the following functions:
1. Identity authentication: the digital certificate includes the following main contents: identity information of the certificate owner, the public key of the certificate owner, the validity period of the public key, the name of the CA issuing the digital certificate, the digital signature of the CA, etc.
2. Encrypting transmitted information: data sent over the network is encrypted by means of digital certificates and transmitted as ciphertext. The sender encrypts the file with the receiver's public key, and the receiver decrypts it with the private key that only the receiver holds to obtain the file plaintext.
3. Digital signature anti-repudiation: the anti-repudiation achieved in real life by official seals, signatures and the like can be achieved on the network by digital signatures made with a digital certificate.
Digital Certificate Authority (CA): the issuing authority of certificates. The CA is the authority responsible for issuing certificates, authenticating certificates, and managing issued certificates. It establishes policies and specific procedures to verify and identify the user's identity, and signs the user's certificate to vouch for the certificate holder's identity and ownership of the public key.
A traditional digital certificate contains only the signature of the CA. In the new digital certificate shown in Fig. 2, when the certificate is issued, the CA not only adds its own signature but also embeds its own public key (PUBK-CA) in the issued digital certificate as part of the certificate.
Consider that, in the model described above, the CA has signed two entity certificates, A and B, each of which contains the CA's public key (PUBK-CA) in addition to the CA signature.
The holder of certificate A, when authenticating certificate B, can verify it with the following steps:
1) Obtain the CA public key (PUBK-CA) from the holder's own certificate.
2) Use PUBK-CA to verify that the CA signature on certificate B is correct. If it is correct, verification passes; if not, verification fails.
The verification process does not require a certificate chain and can be carried out using only the participants' own certificates. This greatly reduces the usage cost for the holders of certificates A and B and greatly simplifies the certificate verification process.
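The two verification steps above, together with the embedding of PUBK-CA in a certificate extension, can be exercised end to end with Go's standard library. This is an added example, not code from the patent; the extension OID, the use of Ed25519, the "Demo CA" name and the component names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidIssuerKey = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // constructed OID (assumption)

// newKey returns a fresh Ed25519 private key (used for the CA and for entities).
func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// issue signs an entity certificate with caPriv and embeds PUBK-CA as an extension.
func issue(cn string, serial int64, caPriv ed25519.PrivateKey) (*x509.Certificate, error) {
	pubkCA, err := x509.MarshalPKIXPublicKey(caPriv.Public())
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: cn},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerKey, Value: pubkCA}},
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Demo CA"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, newKey().Public(), caPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer takes PUBK-CA from own (step 1) and checks the CA signature on peer (step 2).
func verifyPeer(own, peer *x509.Certificate) error {
	for _, ext := range own.Extensions {
		if ext.Id.Equal(oidIssuerKey) {
			key, _ := x509.ParsePKIXPublicKey(ext.Value)
			pubkCA, ok := key.(ed25519.PublicKey)
			if ok && ed25519.Verify(pubkCA, peer.RawTBSCertificate, peer.Signature) {
				return nil
			}
		}
	}
	return fmt.Errorf("no issuer key embedded in own certificate verifies the peer's CA signature")
}

func main() {
	ca := newKey()
	a, _ := issue("component-A", 1, ca)
	b, _ := issue("component-B", 2, ca)
	x, _ := issue("component-X", 3, newKey()) // signed by a different CA
	fmt.Println(verifyPeer(a, b), verifyPeer(a, x))
}
```

The key is read from the verifier's own stored certificate because a key taken from the certificate under test would only show that the certificate is consistent with itself. The embedded key is only as trustworthy as the storage that holds the verifier's own certificate.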
This certificate verification process may seem to have many limitations in use: compared with the traditional certificate chain mode, it is less flexible and less extensible. In fact, however, the approach is inventive in that, by giving up part of that flexibility, it gains convenience while preserving security.
Consider the following scenario: a device has 3 independent components, and these 3 components must pass mutual authentication before they can work. The traditional digital certificate scheme needs to issue an entity certificate for each of the 3 components and to install a complete certificate chain on each of them, which places requirements on storage capacity and on the security of the storage location. For an Internet of Things embedded module, any additional space or security requirement brings additional cost, and that cost is multiplied by the huge number of modules, so the total can be enormous.
The scheme designed by the invention needs to store only 1 certificate, and the verification process needs only 1 step, so the advantages in space cost and performance cost are obvious. Components on the same device use certificates from the same CA, so this mode of use adds no difficulty and no cost. The flexibility sacrificed by the invention is not needed in this scenario. The invention breaks with traditional thinking and, from a practical standpoint, makes creative use of the principles of certificates and public key algorithms.
The above embodiments are only for illustrating the technical idea of the present invention, and the protection scope of the present invention is not limited thereby, and any modification made on the basis of the technical solution according to the technical idea of the present invention falls within the protection scope of the present invention.

Claims (3)

1. A mutual authentication method based on digital certificates under the condition of limited participants is characterized in that:
the digital certificate certification authority carries out digital signature operation according to the specific information in the digital certificate signing request, and embeds the signer signature and the public key of the signer when the digital certificate is signed;
the digital certificates authenticated with each other are issued by the same digital certificate certification authority;
and when mutual authentication is carried out: one digital certificate obtains an issuer public key embedded by the digital certificate, and the issuer public key is used for verifying whether the signature of the issuer of the other digital certificate is correct; if the verification is correct, the verification is passed; if not, the verification fails.
2. The digital certificate based mutual authentication method under limited party conditions according to claim 1, characterized in that:
a digital certificate including an issuer signature and an issuer public key of one or more digital certificate authorities; the mutually authenticated digital certificates comprise one or more issuer public keys that are identical.
3. The mutual authentication method under limited party conditions based on digital certificates according to claim 1 or 2, characterized in that:
when the digital certificate is issued, the public key of the issuer is attached to the subject item, the issuer item and the certificate extension item of the digital certificate.
CN202110624207.6A 2021-06-04 2021-06-04 Mutual authentication method based on digital certificate under condition of limited participation Pending CN113343202A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110624207.6A CN113343202A (en) 2021-06-04 2021-06-04 Mutual authentication method based on digital certificate under condition of limited participation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110624207.6A CN113343202A (en) 2021-06-04 2021-06-04 Mutual authentication method based on digital certificate under condition of limited participation

Publications (1)

Publication Number Publication Date
CN113343202A true CN113343202A (en) 2021-09-03

Family

ID=77473905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110624207.6A Pending CN113343202A (en) 2021-06-04 2021-06-04 Mutual authentication method based on digital certificate under condition of limited participation

Country Status (1)

Country Link
CN (1) CN113343202A (en)

Similar Documents

Publication Publication Date Title
CN107196966B (en) Identity authentication method and system based on block chain multi-party trust
CN102932149B (en) Integrated identity based encryption (IBE) data encryption system
CN108599954B (en) Identity verification method based on distributed account book
EP1249095B1 (en) Method for issuing an electronic identity
US7937584B2 (en) Method and system for key certification
US8819813B2 (en) Method and system for signing and authenticating electronic documents via a signature authority which may act in concert with software controlled by the signer
CN109687965B (en) Real-name authentication method for protecting user identity information in network
US6738912B2 (en) Method for securing data relating to users of a public-key infrastructure
US20060206433A1 (en) Secure and authenticated delivery of data from an automated meter reading system
CN101136748B (en) Identification authentication method and system
CN109450843B (en) SSL certificate management method and system based on block chain
US10742426B2 (en) Public key infrastructure and method of distribution
CN1980121B (en) Electronic signing mobile terminal, system and method
CN108243166A (en) A kind of identity identifying method and system based on USBKey
CN103312691A (en) Method and system for authenticating and accessing cloud platform
WO2000030292A1 (en) Method and system for authenticating and utilizing secure resources in a computer system
US20030126085A1 (en) Dynamic authentication of electronic messages using a reference to a certificate
US20160344725A1 (en) Signal haystacks
MX2012011105A (en) Certificate authority.
CN103684798A (en) Authentication system used in distributed user service
CN113536347A (en) Bidding method and system based on digital signature
CN112565294A (en) Identity authentication method based on block chain electronic signature
CN113676330B (en) Digital certificate application system and method based on secondary secret key
CN113343202A (en) Mutual authentication method based on digital certificate under condition of limited participation
CN108768958B (en) Verification method for data integrity and source based on no leakage of verified information by third party

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination