CN113486320A - Enterprise electronic signature control method and device, storage medium and terminal equipment - Google Patents
Enterprise electronic signature control method and device, storage medium and terminal equipment Download PDFInfo
- Publication number
- CN113486320A CN113486320A CN202110830746.5A CN202110830746A CN113486320A CN 113486320 A CN113486320 A CN 113486320A CN 202110830746 A CN202110830746 A CN 202110830746A CN 113486320 A CN113486320 A CN 113486320A
- Authority
- CN
- China
- Prior art keywords
- signature
- information
- server
- key component
- sponsor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 230000000977 initiatory effect Effects 0.000 claims abstract description 16
- 230000015654 memory Effects 0.000 claims description 27
- 238000004590 computer program Methods 0.000 claims description 17
- 230000006870 function Effects 0.000 claims description 15
- 238000007726 management method Methods 0.000 claims description 10
- 238000012795 verification Methods 0.000 claims description 10
- 230000004044 response Effects 0.000 claims description 4
- 238000007789 sealing Methods 0.000 claims description 2
- 238000009434 installation Methods 0.000 description 7
- 230000009286 beneficial effect Effects 0.000 description 4
- 238000012790 confirmation Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000005034 decoration Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000001413 cellular effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides an enterprise electronic signature control method, which comprises the following steps: initiating a seal using request of the enterprise electronic signature; receiving ciphertext information and signature information returned by the server, wherein the ciphertext information is generated by encrypting the plaintext information by the server by adopting a first public key component, and the signature information is generated by signing the digital fingerprint generated by Hash operation of the plaintext information by the server by adopting a second private key component; decrypting the signature information by adopting a second public key component to obtain a digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information; submitting the digital fingerprint and the plaintext information to the server so that the server confirms and returns an identity authentication result that the identity authentication of the sponsor passes according to the digital fingerprint and the plaintext information; acquiring the seal using authority of the enterprise electronic signature; the first private key component and the second private key component are separately generated and correspondingly stored in the sponsor client and the server. The method can guarantee the use safety and high efficiency of the electronic signature of the enterprise.
Description
Technical Field
The invention relates to the technical field of signature authority processing, in particular to an enterprise electronic signature control method and device, a computer readable storage medium and terminal equipment.
Background
In the field of electronic signatures, in order to improve efficiency, an enterprise electronic signature can be used in multiple roles of a sponsor, the traditional method is that an electronic certificate associated with the enterprise electronic signature is hosted to a cloud, a user logs in a user account when the user needs the electronic certificate, and the token (token) of the user is acquired after the electronic certificate logs in successfully, so that the signature using permission of the enterprise electronic signature can be acquired. To some extent, the method lacks certain security, for example, if the user account is stolen, the possibility that the enterprise electronic signature is illegally used exists, the secure use of the enterprise electronic signature cannot be ensured, and the signature certificate of the user is leaked, and the risk of stealing the enterprise signature also exists. Therefore, there is a need for an enterprise electronic signature management and control method to ensure the safety and efficiency of the use of enterprise electronic signatures.
Disclosure of Invention
In order to solve at least one of the above technical defects, the present invention provides an enterprise electronic signature control method, a corresponding apparatus, a computer-readable storage medium, and a terminal device according to the following technical solutions.
According to one aspect, the embodiment of the invention provides an enterprise electronic signature control method, which comprises the following steps:
initiating a seal using request of the enterprise electronic signature;
receiving ciphertext information and signature information returned by the server after responding to the seal using request, wherein the ciphertext information is generated by encrypting the plaintext information by the server by adopting a first public key component, and the signature information is generated by signing the digital fingerprint generated by Hash operation of the plaintext information by the server by adopting a second private key component;
decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result that the identity authentication of a manager passes according to the digital fingerprint and the plaintext information;
obtaining the seal using authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are separately generated and respectively and correspondingly stored in the client side and the server side of the operator.
Preferably, before initiating the seal using request of the enterprise electronic signature, the method further includes:
judging whether the digital certificate and the key pair of the sponsor are installed locally;
if not, applying for and installing a digital certificate and a key pair; or, the client side which is provided with the digital certificate and the key pair of the sponsor is cooperated to carry out the sponsor identity authentication.
Preferably, said applying for and installing a digital certificate and key pair comprises:
issuing an issuance request to a certificate issuing authority through a secure SDK;
receiving the corresponding digital certificate code and the code of the key pair returned by the certificate authority in response to the issuance request;
installing, by the secure SDK, the first private key component of the digital certificate and key pair according to the encoding.
Preferably, before issuing an issuance request to the certificate authority through the secure SDK, the method further includes: and performing real-name authentication based on the short message verification code and the biological identification.
Preferably, the performing the identity authentication of the sponsor in cooperation with the client of the digital certificate and the key pair of the installed sponsor includes:
a first client side which is not provided with a digital certificate and a key pair obtains a random number and displays the random number by a two-dimensional code;
and the second client side which is provided with the digital certificate and the key pair of the sponsor carries out digital signature on the random number corresponding to the two-dimensional code by adopting a first private key component, and provides a signature result to the signature verifier, so that the signature verifier confirms that the first client side belongs to the sponsor according to the signature result and the random number.
Preferably, the signing verifier confirms that the first client belongs to a sponsor according to the signature result and the random number, and includes:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client side;
and if so, confirming that the first client belongs to the sponsor.
Preferably, the identity authentication result that the identity authentication of the sponsor is passed is generated by the following steps:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result that the identity authentication of the sponsor is passed is generated.
In addition, according to another aspect, an embodiment of the present invention provides an enterprise electronic signature management and control apparatus, including:
the signature request module is used for initiating a signature request of enterprise electronic signature;
the receiving module is used for receiving ciphertext information and signature information returned by the server after responding to the seal using request, the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by the server by adopting a second private key component;
the decryption module is used for decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
the identity authentication result acquisition module is used for submitting the digital fingerprint and the plaintext information to the server so that the server confirms and returns an identity authentication result which passes identity authentication of a manager according to the digital fingerprint and the plaintext information;
the seal authority acquisition module is used for acquiring the seal authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are separately generated and respectively and correspondingly stored in the client side and the server side of the operator.
According to yet another aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the above-mentioned enterprise electronic signature management and control method.
According to yet another aspect, embodiments of the present invention provide a terminal device, the computer including one or more processors; a memory; one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, the one or more computer programs configured to: the enterprise electronic signature control method is executed.
Compared with the prior art, the invention has the following beneficial effects:
according to the enterprise electronic signature control method and device, the computer readable storage medium and the terminal device, the client side which initiates the signature request is subjected to the office identity authentication, the office identity authentication needs to be completed based on the first private key component and the second private key component which are separately generated and separately and safely stored, the signature using authority of the enterprise electronic signature is obtained only after the office identity authentication is passed, the private key can be effectively prevented from being leaked, the signature verification cannot be completed even if the account number of the office is stolen, and the use safety and the high efficiency of the enterprise electronic signature are effectively guaranteed.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flowchart of a method for managing and controlling an enterprise electronic signature according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an enterprise electronic signature control apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention.
As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The embodiment of the invention provides an enterprise electronic signature control method, as shown in fig. 1, the method comprises the following steps:
step S110: and initiating a seal using request of the enterprise electronic seal.
For the embodiment, in order to improve the operation efficiency, the enterprise generally allows a plurality of predefined employees, i.e. the managers, to obtain the sealing authority of the enterprise electronic signature after passing the manager identity authentication. When the operator needs to use the enterprise electronic signature, a signature using request of the enterprise electronic signature needs to be initiated at the client side of the operator, and the signature using request is sent to the server side.
For this embodiment, the identity authentication of the sponsor needs to be implemented based on a secret key thereof, the secret key in the secret key includes a first secret key component and a second secret key component, the first secret key component and the second secret key component are separately generated and respectively stored in the sponsor client and the sponsor server, specifically, in order to ensure the security, reliability and normalization of enterprise electronic signature management and control, the secret key of the sponsor is separately generated and separately stored securely, so as to effectively prevent the secret key from being leaked, the secret key is generated in the client and the sponsor server through negotiation, only sub-secret keys are respectively reserved, and complete secret keys are not known each other.
Step S120: and receiving ciphertext information and signature information returned by the server after responding to the seal using request, wherein the ciphertext information is generated by encrypting the plaintext information by the server by adopting a first public key component, and the signature information is generated by signing the digital fingerprint generated by the server by adopting a second private key component to perform Hash operation on the plaintext information.
For this embodiment, the second private key component and the second public key component are stored in the server, and the server may request to obtain the first public key component. After receiving a seal request for enterprise electronic signature initiated by a client, a server randomly generates a section of plaintext information, wherein the plaintext information can be a randomly generated random number. Then, the server side acquires a first public key component, and encrypts the plaintext information through an encryption algorithm to generate encrypted information; meanwhile, based on Hash function, Hash operation is carried out on the plaintext information to generate a digital fingerprint, namely a Hash value, and further a second private key component stored in the server is adopted to sign the digital fingerprint to generate signature information.
For this embodiment, after the ciphertext information and the signature information are generated, the server attaches the signature information to the ciphertext information and packs the ciphertext information and returns the signature information to the client that initiates the request for the seal. And the client receives the packed information which is returned by the server after responding to the seal using request and contains the ciphertext information and the signature information, and extracts the ciphertext information and the signature information from the packed information.
The server side can pre-store the first public key component when negotiating with the client side to generate the key, and can also obtain the digital certificate of the client side of the sponsor through the enterprise electronic signature cloud key security system, and determine the first public key component through the digital certificate. The digital Certificate is issued by a third party CA (Certificate Authority) Authority.
The second private key component and the second public key component are stored in the server, specifically in a PKI middleware of the server, and the PKI middleware is provided by a third-party CA organization.
In other embodiments, the packaged information may be a two-dimensional code, that is, the server side pays the signature information after the ciphertext information to generate a two-dimensional code, and returns the two-dimensional code to the client side which initiates the request for the seal. And after the code is scanned by the client, ciphertext information and signature information are extracted. The method can improve the convenience and efficiency of information transmission between the client and the server, and further improve the efficiency of information transmission between the client and the server
Step S130: and decrypting the signature information by adopting the second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting the first private key component to obtain the plaintext information.
For the present embodiment, the first private key component and the first public key component are stored in the client that passes the sponsor real-name authentication and that installs the digital certificate and key pair. The client initiating the seal request obtains the ciphertext information and the signature information, obtains a public key matched with a second private key component for signature, namely a second public key component, and decrypts the signature information through a decryption algorithm to obtain a decryption result of the signature information, wherein the decryption result is supposed to be the digital fingerprint; meanwhile, a private key matched with the first public key component used for encryption, namely the first private key component, is obtained, the ciphertext information is decrypted through a decryption algorithm, and a decryption result of the ciphertext information is obtained, wherein the decryption result is supposed to be the plaintext information.
For a client side which is authenticated by a non-sponsor real name and is provided with a digital certificate and a key pair, after the client side initiates a seal request and receives ciphertext information and signature information returned by a server side, the client side is difficult to acquire a second public key component matched with a second private key component for signature so as to decrypt the signature information, and a digital fingerprint generated by the server side in the prior art is obtained; the client does not have a first private key matched with the first public key component used for encryption to decrypt the ciphertext information to obtain plaintext information randomly generated by the server.
Step S140: and submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result that the identity authentication of the sponsor passes according to the digital fingerprint and the plaintext information.
Wherein the identity authentication result that the identity authentication of the sponsor is passed is generated by the following steps: calculating the plaintext information by adopting a Hash function to obtain a Hash value; judging whether the digital fingerprint is consistent with the Hash value; if yes, an identity authentication result that the identity authentication of the sponsor is passed is generated.
For this embodiment, the client initiating the request for the seal submits the decryption result of the signature information and the ciphertext information to the server, so that the server confirms and returns the identity authentication result that the identity authentication of the sponsor passes according to the decryption result. Specifically, the server performs Hash operation on a decryption result of received ciphertext information by adopting a Hash function to generate a Hash value, compares the decryption result of the received signature information with the Hash value and a digital fingerprint generated by the server in the past, generates an identity authentication result which passes identity authentication of a manager if the decryption result of the received signature information is consistent with the Hash value, and determines that the identity illegally interrupts a seal using request of an enterprise electronic signature if the decryption result of the received signature information is inconsistent with the Hash value and the digital fingerprint generated by the server in the past.
For the client side which is authenticated by the real name of the operator and is provided with the digital certificate and the key pair, the decryption results of the signature information and the ciphertext information are the fingerprint information and the plaintext information respectively, and the server side performs Hash operation on the plaintext information by adopting a Hash function to obtain the fingerprint information.
In other embodiments, after the digital fingerprint and the plaintext information are submitted to the server, the server may further forward the digital fingerprint and the plaintext information to the signatory to confirm and return an identity authentication result that the identity authentication of the sponsor passes according to the digital fingerprint and the plaintext information.
Step S150: and acquiring the seal using authority of the enterprise electronic signature according to the identity authentication result.
For this embodiment, after the client initiating the seal using request passes the identity authentication, the seal using authority of the enterprise electronic signature can be obtained, and the enterprise electronic signature is used by the identity of the sponsor in the business process authorized by the enterprise.
According to the enterprise electronic signature control method provided by the invention, the client side which initiates the signature request is subjected to the office identity authentication, the office identity authentication needs to be completed based on the first private key component and the second private key component which are separately generated and separately and safely stored, the signature authority of the enterprise electronic signature is obtained after the office identity authentication is passed, the private key can be effectively prevented from being leaked, the signature verification cannot be completed even if the account number of the office is stolen, and the use safety and the high efficiency of the enterprise electronic signature are effectively guaranteed.
In some embodiments, before the step S110 initiates the seal using request of the enterprise electronic signature, the method further includes: judging whether the digital certificate and the key pair of the sponsor are installed locally; if not, applying for and installing a digital certificate and a key pair; or, the client side which is provided with the digital certificate and the key pair of the sponsor is cooperated to carry out the sponsor identity authentication.
For this embodiment, the seal request for initiating the electronic signature of the enterprise needs to be implemented by the client side having the local installed digital certificate and key pair of the sponsor, the sponsor can directly initiate the seal request by using the sponsor client side having the local installed digital certificate and key pair of the sponsor, and if the seal request is initiated by using the client side not having the installed digital certificate and key pair of the sponsor, the seal request is allowed to be initiated by performing the license authentication of the sponsor in cooperation with the client side having the installed digital certificate and key pair of the sponsor.
In the embodiment, two modes are provided as the precondition for the sponsor to initiate the seal request, so that the sponsor can conveniently select a proper mode according to the actual use condition to meet the precondition for initiating the seal request, and the convenience and the high efficiency of the use of the electronic signature of the enterprise are effectively guaranteed.
In some embodiments, said applying for and installing a digital certificate and key pair comprises: issuing an issuance request to a certificate issuing authority through a secure SDK; receiving the corresponding digital certificate code and the code of the key pair returned by the certificate authority in response to the issuance request; installing, by the secure SDK, the first private key component of the digital certificate and key pair according to the encoding.
For the present embodiment, the secure SDK is provided by a third party CA authority, i.e. a certificate authority. The certificate authority responds to the issuing request to return base64 codes corresponding to the digital certificate codes and the key pairs, the client initiating the issuing request installs the first private key component of the digital certificate and the key pairs locally at the client through the secure SDK according to the base64 codes.
In the embodiment, the installation of the digital certificate and the key pair is realized through the secure SDK, so that the security of the key generation and storage environment is guaranteed, and powerful technical support is provided for improving the use security of the electronic signature of the enterprise.
In some embodiments, before initiating an issuance request to the certificate authority via the secure SDK, the method further comprises: and performing real-name authentication based on the short message verification code and the biological identification.
For this embodiment, before issuing an issuance request to a certificate authority through a secure SDK, the sponsor needs to apply for real-name authentication, specifically, the real-name authentication is performed through a short message verification code and biometric identification, such as a human face living body identification, and only after the real-name authentication passes, the sponsor is qualified to apply for a personal digital certificate and a secret key pair, and if the short message verification code and biometric identification do not pass, the sponsor needs to return and re-authenticate.
In this embodiment, by performing real-name authentication based on the short message verification code and biometric identification before issuing the issuance request and the chapter request, even if the attacker has control capability on the terminal device, the attacker cannot complete real-name authentication to perform subsequent operations.
In other embodiments, the upper limit of the times that the short message verification code and/or the biometric identification cannot pass can be further set, if the upper limit of the times still cannot pass the real-name authentication, it can be determined that the account of the current dealer is suspected to be stolen, the account of the dealer is locked, and the real-name authentication is not allowed to be applied within the preset time.
In some embodiments, the performing the sponsor identity authentication in coordination with the client having installed the sponsor's digital certificate and key pair comprises: a first client side which is not provided with a digital certificate and a key pair obtains a random number and displays the random number by a two-dimensional code; and the second client side which is provided with the digital certificate and the key pair of the sponsor carries out digital signature on the random number corresponding to the two-dimensional code by adopting a first private key component, and provides a signature result to the signature verifier, so that the signature verifier confirms that the first client side belongs to the sponsor according to the signature result and the random number.
For this embodiment, when the sponsor performs system operation on the client that is not installed with the digital certificate and key pair and wants to initiate a chapter request, the mobile client and the mobile collaboration system that have already installed the digital certificate and key pair by the sponsor need to perform the sponsor identity authentication. For example, when a web end which is not installed with a digital certificate and key pair performs system operation, since the web end does not have a digital certificate and a private key of a sponsor, identity authentication thereof cannot be performed directly at the web end.
For the above situation, the conventional method is to simply perform identity authentication through token or cookie, and such a method has low security, and will bring security loss to the enterprise of the operator when the account is stolen.
For this embodiment, the step of performing the identity authentication of the sponsor through the mobile client and the mobile collaboration system in which the sponsor has installed the digital certificate and the key pair specifically includes: a first client, such as a web client, which is not provided with the digital certificate and the key pair obtains a random number from a server, and the random number is displayed through a two-dimensional code, so that the mobile client can be conveniently connected. And then, the dealer scans the code by using a second client side provided with the digital certificate and the key pair of the dealer, namely the dealer mobile client side aims at the two-dimensional code, extracts a random number corresponding to the two-dimensional code, digitally signs the random number corresponding to the two-dimensional code by using the first private key component, and provides a signature result for the server side. The server side carries out Hash operation on the random number initially provided for the web side by adopting a Hash function to obtain a Hash value of the random number, and submits the Hash value of the random number and a received signature result to a signature verifier, wherein the signature verifier can be a key cooperation system of a third-party CA mechanism. The signature verifying party decrypts the signature result by using the first public component to obtain a decrypted result, and can further perform Hash operation on the decrypted result by using a Hash function, judge whether the operation result is consistent with a Hash value of the received random number, and if so, confirm that the sponsor himself wants to use the first client to initiate a signature request currently, wherein the first client belongs to the sponsor; if the decryption fails, the fact that the user wants to use the first client to initiate the chapter request is not the sponsor per se at present is shown; and if the numerical values are inconsistent, determining that the current user certificate is at risk of leakage.
In some embodiments, the verifying the signer confirms that the first client belongs to a sponsor according to the signature result and the random number, including: acquiring a random number acquired by the first client; decrypting the signature result by adopting a first public key component to obtain a decrypted random number; judging whether the decrypted random number is consistent with the random number obtained by the first client side; if yes, confirming that the first client belongs to a sponsor
For this embodiment, after the server receives the decryption result, the server may also directly submit the random number to the signer without performing Hash operation on the random number, and the signer directly determines whether the decryption result is consistent with the random number, and if so, may determine that the sponsor wishes to use the first client to initiate the chapter request at present, and the first client is subordinate to the sponsor.
In addition, an embodiment of the present invention provides an enterprise electronic signature control apparatus, as shown in fig. 2, the apparatus includes: the signature module 21, the receiving module 22, the decryption module 23, the identity authentication result obtaining module 24 and the seal authority obtaining module 25;
the signature request module 21 is configured to initiate a signature request for an enterprise electronic signature;
the receiving module 22 is configured to receive ciphertext information and signature information returned by the server after responding to the seal using request, where the ciphertext information is generated by the server by encrypting plaintext information by using a first public key component, and the signature information is generated by the server by signing a digital fingerprint generated by Hash operation of the plaintext information by using a second private key component;
the decryption module 23 is configured to decrypt the signature information by using the second public key component to obtain the digital fingerprint, and decrypt the ciphertext information by using the first private key component to obtain the plaintext information;
the identity authentication result obtaining module 24 is configured to submit the digital fingerprint and the plaintext information to the server, so that the server confirms and returns an identity authentication result that the identity authentication of the sponsor passes according to the digital fingerprint and the plaintext information;
the seal authority acquiring module 25 is configured to acquire a seal authority of an enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are separately generated and respectively and correspondingly stored in the client side and the server side of the operator.
Preferably, the enterprise electronic signature management and control device further comprises an installation confirmation module, and the installation confirmation module is configured to: prior to the initiating a seal-using request for an enterprise electronic signature: judging whether the digital certificate and the key pair of the sponsor are installed locally; if not, applying for and installing a digital certificate and a key pair; or, the client side which is provided with the digital certificate and the key pair of the sponsor is cooperated to carry out the sponsor identity authentication.
Preferably, the installation confirming module includes an installation unit, and the installation unit is configured to apply for and install a digital certificate and a key pair, specifically:
issuing an issuance request to a certificate issuing authority through a secure SDK;
receiving the corresponding digital certificate code and the code of the key pair returned by the certificate authority in response to the issuance request;
installing, by the secure SDK, the first private key component of the digital certificate and key pair according to the encoding.
Preferably, the enterprise electronic signature control device further includes a real-name authentication module, and the real-name authentication module is configured to: and before issuing an issuing request to a certificate issuing organization through the secure SDK, performing real-name authentication based on the short message verification code and the biological identification.
Preferably, the installation confirmation module includes a collaborative authentication module, and the collaborative authentication module is configured to perform the identity authentication of the installed sponsor in cooperation with the client to which the digital certificate and the key pair of the installed sponsor are provided, and specifically includes:
a first client side which is not provided with a digital certificate and a key pair obtains a random number and displays the random number by a two-dimensional code;
and the second client side which is provided with the digital certificate and the key pair of the sponsor carries out digital signature on the random number corresponding to the two-dimensional code by adopting a first private key component, and provides a signature result to the signature verifier, so that the signature verifier confirms that the first client side belongs to the sponsor according to the signature result and the random number.
Preferably, the signing verifier confirms that the first client belongs to a sponsor according to the signature result and the random number, and includes:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client side;
and if so, confirming that the first client belongs to the sponsor.
Preferably, the identity authentication result that the identity authentication of the sponsor is passed is generated by the following steps:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result that the identity authentication of the sponsor is passed is generated.
The contents of the method embodiments of the present invention are all applicable to the apparatus embodiments, the functions specifically implemented by the apparatus embodiments are the same as those of the method embodiments, and the beneficial effects achieved by the apparatus embodiments are also the same as those achieved by the method described above, and for details, refer to the description of the method embodiments, and are not described herein again.
Furthermore, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the enterprise electronic signature management and control method described in any of the above embodiments. The computer-readable storage medium includes, but is not limited to, any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magneto-optical disks, ROMs (Read-Only memories), RAMs (Random AcceSS memories), EPROMs (EraSable Programmable Read-Only memories), EEPROMs (Electrically EraSable Programmable Read-Only memories), flash memories, magnetic cards, or optical cards. That is, a storage device includes any medium that stores or transmits information in a form readable by a device (e.g., a computer, a cellular phone), and may be a read-only memory, a magnetic or optical disk, or the like.
The contents of the method embodiment of the present invention are all applicable to the embodiment of the storage medium, the functions specifically implemented by the embodiment of the storage medium are the same as those of the method embodiment described above, and the beneficial effects achieved by the embodiment of the storage medium are also the same as those achieved by the method described above.
In addition, an embodiment of the present invention further provides a terminal device, as shown in fig. 3. The terminal device described in this embodiment may be a mobile terminal, a PC terminal, or the like. The terminal device includes a processor 302, a memory 303, an input unit 304, a display unit 305, and the like. Those skilled in the art will appreciate that the device configuration means shown in fig. 3 do not constitute a limitation of all devices and may include more or less components than those shown, or some components in combination. The memory 303 may be used to store the computer program 301 and the functional modules, and the processor 302 executes the computer program 301 stored in the memory 303, thereby performing various functional applications of the device and data processing. The memory may be internal or external memory, or include both internal and external memory. The memory may comprise read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, or random access memory. The external memory may include a hard disk, a floppy disk, a ZIP disk, a usb-disk, a magnetic tape, etc. The disclosed memory includes, but is not limited to, these types of memory. The disclosed memory is by way of example only and not by way of limitation.
The input unit 304 is used for receiving input of signals and receiving keywords input by a user. The input unit 304 may include a touch panel and other input devices. The touch panel can collect touch operations of a user on or near the touch panel (for example, operations of the user on or near the touch panel by using any suitable object or accessory such as a finger, a stylus and the like) and drive the corresponding connecting device according to a preset program; other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., play control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like. The display unit 305 may be used to display information input by a user or information provided to the user and various menus of the terminal device. The display unit 305 may take the form of a liquid crystal display, an organic light emitting diode, or the like. The processor 302 is a control center of the terminal device, connects various parts of the entire computer by various interfaces and lines, and performs various functions and processes data by operating or executing software programs and/or modules stored in the memory 302 and calling data stored in the memory.
As an embodiment, the terminal device includes: one or more processors 302, a memory 303, one or more computer programs 301, wherein the one or more computer programs 301 are stored in the memory 303 and configured to be executed by the one or more processors 302, and the one or more computer programs 301 are configured to perform the enterprise electronic signature management method according to any of the above embodiments.
The contents of the method embodiment of the present invention are all applicable to the terminal device embodiment, the functions specifically implemented by the terminal device embodiment are the same as those of the method embodiment, and the beneficial effects achieved by the terminal device embodiment are also the same as those achieved by the method.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The foregoing is only a partial embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (10)
1. An enterprise electronic signature control method is characterized by comprising the following steps:
initiating a seal using request of the enterprise electronic signature;
receiving ciphertext information and signature information returned by the server after responding to the seal using request, wherein the ciphertext information is generated by encrypting the plaintext information by the server by adopting a first public key component, and the signature information is generated by signing the digital fingerprint generated by Hash operation of the plaintext information by the server by adopting a second private key component;
decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result that the identity authentication of a manager passes according to the digital fingerprint and the plaintext information;
obtaining the seal using authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are separately generated and respectively and correspondingly stored in the client side and the server side of the operator.
2. The method according to claim 1, wherein before initiating the request for sealing of the enterprise electronic signature, the method further comprises:
judging whether the digital certificate and the key pair of the sponsor are installed locally;
if not, applying for and installing a digital certificate and a key pair; or, the client side which is provided with the digital certificate and the key pair of the sponsor is cooperated to carry out the sponsor identity authentication.
3. The method for managing and controlling enterprise electronic signatures according to claim 2, wherein said applying for and installing digital certificates and key pairs comprises:
issuing an issuance request to a certificate issuing authority through a secure SDK;
receiving the corresponding digital certificate code and the code of the key pair returned by the certificate authority in response to the issuance request;
installing, by the secure SDK, the first private key component of the digital certificate and key pair according to the encoding.
4. The method according to claim 3, wherein before issuing an issuance request to a certificate authority via the secure SDK, the method further comprises: and performing real-name authentication based on the short message verification code and the biological identification.
5. The method for managing and controlling enterprise electronic signatures according to claim 2, wherein the performing of the identity authentication of the sponsor in cooperation with the client having installed the sponsor's digital certificate and key pair comprises:
a first client side which is not provided with a digital certificate and a key pair obtains a random number and displays the random number by a two-dimensional code;
and the second client side which is provided with the digital certificate and the key pair of the sponsor carries out digital signature on the random number corresponding to the two-dimensional code by adopting a first private key component, and provides a signature result to the signature verifier, so that the signature verifier confirms that the first client side belongs to the sponsor according to the signature result and the random number.
6. The method for managing and controlling the enterprise electronic signature according to claim 5, wherein the signer confirms that the first client belongs to a sponsor according to the signature result and the random number, and the method comprises the following steps:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client side;
and if so, confirming that the first client belongs to the sponsor.
7. The method for managing and controlling the enterprise electronic signature according to claim 1, wherein the identity authentication result that the identity authentication of the sponsor is passed is generated by the following steps:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result that the identity authentication of the sponsor is passed is generated.
8. The utility model provides an enterprise's electronic signature management and control device which characterized in that includes:
the signature request module is used for initiating a signature request of enterprise electronic signature;
the receiving module is used for receiving ciphertext information and signature information returned by the server after responding to the seal using request, the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by the server by adopting a second private key component;
the decryption module is used for decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
the identity authentication result acquisition module is used for submitting the digital fingerprint and the plaintext information to the server so that the server confirms and returns an identity authentication result which passes identity authentication of a manager according to the digital fingerprint and the plaintext information;
the seal authority acquisition module is used for acquiring the seal authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are separately generated and respectively and correspondingly stored in the client side and the server side of the operator.
9. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the enterprise electronic signature management method according to any one of claims 1 to 7.
10. A terminal device, characterized in that it comprises:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, the one or more computer programs configured to: executing the enterprise electronic signature management and control method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110830746.5A CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110830746.5A CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113486320A true CN113486320A (en) | 2021-10-08 |
| CN113486320B CN113486320B (en) | 2024-03-29 |
Family
ID=77943016
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110830746.5A Active CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113486320B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107948189A (en) * | 2017-12-19 | 2018-04-20 | 数安时代科技股份有限公司 | Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium |
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN109818747A (en) * | 2018-12-28 | 2019-05-28 | 苏州科达科技股份有限公司 | Digital signature method and device |
| CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
-
2021
- 2021-07-22 CN CN202110830746.5A patent/CN113486320B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107948189A (en) * | 2017-12-19 | 2018-04-20 | 数安时代科技股份有限公司 | Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium |
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN109818747A (en) * | 2018-12-28 | 2019-05-28 | 苏州科达科技股份有限公司 | Digital signature method and device |
| CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113486320B (en) | 2024-03-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20180144114A1 (en) | Securing Blockchain Transactions Against Cyberattacks | |
| US9075980B2 (en) | Integrity protected smart card transaction | |
| US20180034810A1 (en) | A system and methods for protecting keys in computerized devices operating versus a server | |
| US20090031125A1 (en) | Method and Apparatus for Using a Third Party Authentication Server | |
| US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
| KR102477000B1 (en) | Trusted Key Server | |
| CN109076090B (en) | Updating biometric data templates | |
| CN107733636B (en) | Authentication method and authentication system | |
| CN112232814A (en) | Encryption and decryption method of payment key, payment authentication method and terminal equipment | |
| KR102012262B1 (en) | Key management method and fido authenticator software authenticator | |
| EP2758922A2 (en) | Securing transactions against cyberattacks | |
| US20200127824A1 (en) | Updating biometric template protection keys | |
| US20120124378A1 (en) | Method for personal identity authentication utilizing a personal cryptographic device | |
| CN113886771A (en) | Software authorization authentication method | |
| CN111355591A (en) | Block chain account safety management method based on real-name authentication technology | |
| TW201822043A (en) | Login mechanism for operating system capable of improving the convenience and security of logging into a computer operating system | |
| CN110176989B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool | |
| CN114338201A (en) | Data processing method and device, electronic device and storage medium | |
| CN112351043A (en) | Vehicle navigation factory setting password management method and system | |
| CN112348998A (en) | Method and device for generating one-time password, intelligent door lock and storage medium | |
| CN113486320B (en) | Enterprise electronic signature management and control method and device, storage medium and terminal equipment | |
| CN108985079B (en) | Data verification method and verification system | |
| JP2021111925A (en) | Electronic signature system | |
| CN113139166B (en) | Evaluation expert signature method and device based on cloud certificate | |
| CN117834242A (en) | Verification method, device, apparatus, storage medium, and program product |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |