CN113486320B - Enterprise electronic signature management and control method and device, storage medium and terminal equipment - Google Patents
Enterprise electronic signature management and control method and device, storage medium and terminal equipment Download PDFInfo
- Publication number
- CN113486320B CN113486320B CN202110830746.5A CN202110830746A CN113486320B CN 113486320 B CN113486320 B CN 113486320B CN 202110830746 A CN202110830746 A CN 202110830746A CN 113486320 B CN113486320 B CN 113486320B
- Authority
- CN
- China
- Prior art keywords
- signature
- information
- sponsor
- client
- key component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 230000000977 initiatory effect Effects 0.000 claims abstract description 17
- 230000015654 memory Effects 0.000 claims description 29
- 238000012795 verification Methods 0.000 claims description 22
- 238000007726 management method Methods 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 15
- 230000006870 function Effects 0.000 claims description 15
- 238000009434 installation Methods 0.000 claims description 8
- 238000012790 confirmation Methods 0.000 claims description 5
- 230000007246 mechanism Effects 0.000 description 5
- 230000009286 beneficial effect Effects 0.000 description 4
- 230000004044 response Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000006978 adaptation Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000005291 magnetic effect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 238000012856 packing Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides an enterprise electronic signature management and control method, which comprises the following steps: initiating a seal application request of an enterprise electronic seal; receiving ciphertext information and signature information returned by a server, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component; decrypting the signature information by adopting a second public key component to obtain a digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information; submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information; obtaining a seal authority of an enterprise electronic seal; the first private key component and the second private key component are generated separately and are correspondingly stored in the sponsor client and the server. The method can ensure the use safety and the high efficiency of the electronic signature of the enterprise.
Description
Technical Field
The invention relates to the technical field of signature authority processing, in particular to an enterprise electronic signature management and control method, an enterprise electronic signature management and control device, a computer readable storage medium and terminal equipment.
Background
In the field of electronic signature, in order to improve efficiency, an enterprise electronic signature can be generally used in multiple sponsor roles, conventionally, an electronic certificate associated with the enterprise electronic signature is hosted to a cloud end, a user logs in a user account when the user needs the electronic signature, and after the login is successful, a token of the user is acquired, so that the signing authority of the enterprise electronic signature can be acquired. To a certain extent, the method lacks certain security, for example, if a user account is stolen, the possibility that the enterprise electronic signature is illegally used exists, the safe use of the enterprise electronic signature cannot be ensured, and the risk that the signature certificate of the user is leaked can also exist for the illegal use of the enterprise signature. Therefore, a method for managing and controlling the electronic signature of the enterprise is needed to ensure the use safety and the high efficiency of the electronic signature of the enterprise.
Disclosure of Invention
In order to solve at least one of the technical defects, the invention provides an enterprise electronic signature management and control method, a corresponding device, a computer readable storage medium and terminal equipment.
According to one aspect, the embodiment of the invention provides an enterprise electronic signature management and control method, which comprises the following steps:
initiating a seal application request of an enterprise electronic seal;
receiving ciphertext information and signature information returned by the server after responding to the seal application request, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component;
decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information;
obtaining the seal authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are generated separately and are stored in the sponsor client and the server correspondingly respectively.
Preferably, before the initiating the chapter using request of the electronic signature of the enterprise, the method further includes:
judging whether a digital certificate and a key pair of a sponsor are installed locally or not;
if not, applying for and installing a digital certificate and a key pair; or, the client terminal cooperated with the digital certificate and the key pair of the installed sponsor performs the sponsor identity authentication.
Preferably, the applying for and installing the digital certificate and the key pair includes:
initiating an issuing request to a certificate issuing mechanism through a secure SDK;
receiving a corresponding digital certificate code and a code of a key pair returned by a certificate authority in response to the issuing request;
and installing the first private key component of the digital certificate and key pair through the secure SDK according to the code.
Preferably, before the issuing request is sent to the certificate authority through the secure SDK, the method further comprises: and carrying out real-name authentication based on the short message verification code and the biological identification.
Preferably, the client that cooperates with the installed sponsor's digital certificate and key pair performs sponsor's identity authentication, including:
a first client terminal not provided with a digital certificate and a key pair acquires a random number and displays the random number in a two-dimensional code;
and the second client of the installed sponsor digital certificate and key pair adopts a first private key component to digitally sign the random number corresponding to the two-dimensional code, and the signature result is provided to a signature verification party, so that the signature verification party confirms that the first client is subordinate to the sponsor according to the signature result and the random number.
Preferably, the signing checking party confirms that the first client belongs to a sponsor according to the signing result and the random number, and the signing checking party comprises:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client;
if yes, confirming that the first client is subordinate to the sponsor.
Preferably, the identity authentication result of passing the identity authentication of the sponsor is generated by the following steps:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result passing the identity authentication of the sponsor is generated.
In addition, according to another aspect, an embodiment of the present invention provides an electronic signature management apparatus for an enterprise, including:
the signature request module is used for initiating a signature application request of the enterprise electronic signature;
the receiving module is used for receiving ciphertext information and signature information returned by the server after responding to the seal application request, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component;
the decryption module is used for decrypting the signature information by adopting the second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting the first private key component to obtain the plaintext information;
the identity authentication result acquisition module is used for submitting the digital fingerprint and the plaintext information to the server so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information;
the seal permission acquisition module is used for acquiring the seal permission of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are generated separately and are stored in the sponsor client and the server correspondingly respectively.
According to yet another aspect, an embodiment of the present invention provides a computer readable storage medium having a computer program stored thereon, which when executed by a processor implements the method for managing electronic signatures of an enterprise as described above.
According to yet another aspect, an embodiment of the present invention provides a terminal device, the computer including one or more processors; a memory; one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, the one or more computer programs configured to: and executing the enterprise electronic signature management and control method.
Compared with the prior art, the invention has the following beneficial effects:
according to the enterprise electronic signature management and control method, device, computer readable storage medium and terminal equipment, the client side initiating the signature request is subjected to the manager identity authentication, the manager identity authentication is completed based on the first private key component and the second private key component which are separately generated and separately and safely stored, the signature authority of the enterprise electronic signature is obtained after the manager identity authentication is passed, the leakage of the private key can be effectively prevented, the signature verification cannot be completed even if the manager account is stolen, and the use safety and the high efficiency of the enterprise electronic signature are effectively ensured.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flowchart of a method for managing and controlling electronic signatures of enterprises according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic signature management and control device for enterprises according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Description of the embodiments
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The term "and/or" as used herein includes all or any element and all combination of one or more of the associated listed items.
It will be understood by those skilled in the art that all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The embodiment of the invention provides an enterprise electronic signature management and control method, as shown in fig. 1, which comprises the following steps:
step S110: a request for signing an electronic signature of an enterprise is initiated.
For this embodiment, in order to improve the operation efficiency, the enterprise generally allows a plurality of predefined employees, i.e., sponsors, to obtain the seal authority of the enterprise electronic signature after passing the sponsor's identity authentication. When a sponsor needs to use the enterprise electronic signature, a chapter using request of the enterprise electronic signature needs to be initiated at a client side of the sponsor, and the chapter using request is sent to a server side.
For this embodiment, identity authentication of the sponsor needs to be implemented based on its secret key, the secret key in the secret key includes a first secret key component and a second secret key component, where the first secret key component and the second secret key component are separately generated and are respectively stored in the sponsor client and the server, specifically, in order to ensure security, reliability and standardization of electronic signature management and control of the enterprise, the secret key of the sponsor is separately generated and separately stored, so that leakage of the secret key is effectively prevented, the secret key is generated by negotiating between the client and the server, only the sub secret keys are reserved, and the complete secret key is not known from each other.
Step S120: and receiving ciphertext information and signature information returned by the server after responding to the seal application request, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component.
For this embodiment, the second private key component and the second public key component are stored in the server, and the server may request to obtain the first public key component. After receiving the electronic signature application request of the enterprise initiated by the client, the server randomly generates a piece of plaintext information, wherein the plaintext information can be a randomly generated random number. Then, the server acquires a first public key component, encrypts the plaintext information through an encryption algorithm, and generates encrypted information; meanwhile, hash operation is carried out on plaintext information based on a Hash function, a digital fingerprint, namely a Hash value, is generated, and a second private key component stored in a server side is further adopted to sign the digital fingerprint, so that signature information is generated.
For this embodiment, after the ciphertext information and the signature information are generated, the server side attaches the signature information to the ciphertext information and packages the ciphertext information together, and returns the ciphertext information and the signature information to the client side that initiated the chapter using request. And the client receives the packing information containing the ciphertext information and the signature information returned by the server after responding to the chapter application request and extracts the ciphertext information and the signature information from the packing information.
The server may pre-store the first public key component when negotiating with the client to generate the key, or may obtain the digital certificate of the sponsor client through the enterprise electronic signature cloud key security system, and determine the first public key component through the digital certificate. The digital certificate is issued by a third party CA (Certificate Authority, certificate issuing) authority.
The second private key component and the second public key component are stored in the server, particularly in a PKI middleware of the server, wherein the PKI middleware is provided by a third-party CA mechanism.
In other embodiments, the package information may be a two-dimensional code, that is, the server side pays the signature information to the ciphertext information to generate a two-dimensional code together, and returns the two-dimensional code to the client side that initiates the chapter request. And after the client scans the codes, ciphertext information and signature information are extracted. The method can improve the convenience and efficiency of information transmission between the client and the server, and further
Step S130: and decrypting the signature information by adopting the second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting the first private key component to obtain the plaintext information.
For the present embodiment, the first private key component and the first public key component are stored in a client authenticated by a sponsor real name and installed with a digital certificate and key pair. The client initiating the seal application request obtains the ciphertext information and the signature information, obtains a public key matched with a second private key component for signing, namely a second public key component, decrypts the signature information through a decryption algorithm, and obtains a decryption result of the signature information, wherein the decryption result is supposed to be the digital fingerprint; meanwhile, a private key matched with the first public key component used for encryption, namely the first private key component, is obtained, and ciphertext information is decrypted through a decryption algorithm to obtain a decryption result of the ciphertext information, wherein the decryption result is supposed to be the plaintext information.
For a client which is authenticated by a non-sponsor in real name and is provided with a digital certificate and a key pair, after the client initiates a chapter using request and receives ciphertext information and signature information returned by a server, the client is difficult to acquire a second public key component matched with a second private key component for signature so as to decrypt the signature information, and a digital fingerprint generated by the server before is obtained; the client also does not have a first private key matching the first public key component used for encryption to decrypt the ciphertext information to obtain plaintext information that the server has randomly generated before.
Step S140: and submitting the digital fingerprint and the plaintext information to a server, so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information.
The identity authentication result of the manager passing the identity authentication is generated by the following steps: calculating the plaintext information by adopting a Hash function to obtain a Hash value; judging whether the digital fingerprint is consistent with the Hash value; if yes, an identity authentication result passing the identity authentication of the sponsor is generated.
For the embodiment, the client initiating the chapter request submits the decryption results of the signature information and the ciphertext information to the server, so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the decryption results. Specifically, the server side carries out Hash operation on a decryption result of the received ciphertext information by adopting a Hash function to generate a Hash value, compares the decryption result of the received signature information with the Hash value and a digital fingerprint generated by the server side before, generates an identity authentication result which passes the identity authentication of the sponsor through the identity authentication of the sponsor if the decryption result is consistent with the Hash value, and determines that the identity illegally interrupts a seal application request of the enterprise electronic signature if the identity authentication passes the identity authentication of the sponsor.
For a client which is authenticated by a sponsor in real name and is provided with a digital certificate and a key pair, the decryption results of signature information and ciphertext information of the client are the fingerprint information and the plaintext information respectively, and the client adopts a Hash function to carry out Hash operation on the plaintext information to obtain the fingerprint information.
In other embodiments, after the digital fingerprint and the plaintext information are submitted to the server, the digital fingerprint and the plaintext information may be further forwarded by the server to the signer to confirm and return an authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information.
Step S150: and obtaining the seal authority of the enterprise electronic signature according to the identity authentication result.
For this embodiment, after the client initiating the request for signing passes the identity authentication, the signing authority of the electronic signature of the enterprise can be obtained, and the electronic signature of the enterprise is used by the identity of the sponsor on the business process authorized by the enterprise.
According to the enterprise electronic signature management and control method, the client side initiating the signature request is subjected to the manager identity authentication, the manager identity authentication is required to be completed in a cooperative mode based on the first private key component and the second private key component which are separately generated and separately and safely stored, the signature authority of the enterprise electronic signature is obtained after the manager identity authentication is passed, leakage of the private key can be effectively prevented, signature verification cannot be completed even if the manager account is stolen, and the use safety and the high efficiency of the enterprise electronic signature are effectively guaranteed.
In some embodiments, before the step S110 initiates the signing request of the electronic signature of the enterprise, the method further includes: judging whether a digital certificate and a key pair of a sponsor are installed locally or not; if not, applying for and installing a digital certificate and a key pair; or, the client terminal cooperated with the digital certificate and the key pair of the installed sponsor performs the sponsor identity authentication.
For this embodiment, the chapter request for initiating the electronic signature of the enterprise may be implemented by a client having a digital certificate and a key pair of a local installed sponsor, and the sponsor may directly initiate the chapter request by the sponsor client having the digital certificate and the key pair of the local installed sponsor.
In this embodiment, by providing two ways as the preconditions of the chapter request by the sponsor, the sponsor can conveniently select a proper way according to the actual use situation to meet the preconditions of the chapter request, thereby effectively guaranteeing the convenience and the high efficiency of the enterprise electronic signature.
In some embodiments, the applying for and installing the digital certificate and key pair includes: initiating an issuing request to a certificate issuing mechanism through a secure SDK; receiving a corresponding digital certificate code and a code of a key pair returned by a certificate authority in response to the issuing request; and installing the first private key component of the digital certificate and key pair through the secure SDK according to the code.
For this embodiment, the secure SDK is provided by a third party CA authority, i.e., a certificate authority. The certificate issuing organization responds to the issuing request and returns a base64 code corresponding to the digital certificate code and the key pair, and the client side initiating the issuing request locally installs the first private key component of the digital certificate and the key pair on the client side through the secure SDK according to the base64 code.
In the embodiment, the installation of the digital certificate and the key pair is realized through the secure SDK, so that the security of the key generation and storage environment is ensured, and further, powerful technical support is provided for improving the use security of the enterprise electronic signature.
In some embodiments, before the issuing request is initiated to the certificate authority through the secure SDK, the method further comprises: and carrying out real-name authentication based on the short message verification code and the biological identification.
For this embodiment, the sponsor also needs to apply for real-name authentication before issuing a request to the certificate authority through the secure SDK, specifically, performs real-name authentication through a short message verification code mode and a biometric identification mode, for example, a face living body identification mode, and only after the real-name authentication is passed, is qualified to apply for the personal digital certificate and the key pair, and if the short message verification code and the biometric identification are not passed, needs to return and re-authenticate.
In this embodiment, by performing real-name authentication based on the short message authentication code and the biometric identification before issuing the request and the chapter request, the attacker cannot complete the real-name authentication for subsequent operations even if the attacker has control capability to the terminal device.
In other embodiments, the upper limit of the number of times that the short message verification code and/or the biometric identification do not pass may be further set, if the upper limit of the number of times exceeds, the fact that the account of the current sponsor is suspected to be stolen may be determined, the account of the sponsor is locked, and the application of the real-name authentication is not allowed within a predetermined time.
In some embodiments, the client that coordinates the installed sponsor's digital certificate and key pair performs sponsor identity authentication, comprising: a first client terminal not provided with a digital certificate and a key pair acquires a random number and displays the random number in a two-dimensional code; and the second client of the installed sponsor digital certificate and key pair adopts a first private key component to digitally sign the random number corresponding to the two-dimensional code, and the signature result is provided to a signature verification party, so that the signature verification party confirms that the first client is subordinate to the sponsor according to the signature result and the random number.
For this embodiment, when the sponsor performs system operation on the client without the digital certificate and key pair installed, and wants to initiate a chapter request, the sponsor is required to perform sponsor identity authentication on the mobile client and the mobile collaboration system where the sponsor has installed the digital certificate and key pair. For example, when a web terminal, in which a digital certificate and a key pair are not installed, performs system operation, since the web terminal does not have a digital certificate and a private key of a manager, it cannot directly perform identity authentication thereof at the web terminal.
For the above situation, the conventional method is to simply perform identity verification through a token or a cookie, so that the security of the method is not high, and security loss is brought to enterprises of sponsors when accounts are stolen.
For this embodiment, the steps of performing the manager identity authentication through the mobile client and the mobile collaboration system in which the manager has installed the digital certificate and the key pair are specifically: the first client, such as a web terminal, which is not provided with the digital certificate and the key pair, acquires a random number from the server terminal and displays the random number through the two-dimension code, so that the mobile client is convenient to link up. And then, the sponsor adopts a second client side provided with the digital certificate and the key pair of the sponsor, namely, the mobile client side of the sponsor aims at the two-dimensional code scanning code, extracts the random number corresponding to the two-dimensional code, adopts a first private key component to digitally sign the random number corresponding to the two-dimensional code, and provides a signature result to the server side. The server side carries out Hash operation on the random number initially provided to the web side by adopting a Hash function to obtain a Hash value of the random number, and the server side submits the Hash value of the random number and the received signature result to a signature verification party, wherein the signature verification party can be a key cooperation system of a third-party CA mechanism. The signature verification party decrypts the signature result by using the first public component to obtain a decryption result, further adopts a Hash function to carry out Hash operation on the decryption result, judges whether the operation result is consistent with the Hash value of the received random number, and if so, can confirm that the sponsor himself/herself who wants to initiate a chapter request by using the first client at present, wherein the first client belongs to the sponsor; if the decryption fails, the fact that the client currently wants to use the first client to initiate the chapter request is not the sponsor himself/herself is indicated; if the values are inconsistent, the risk of leakage of the current user certificate is considered.
In some embodiments, the signer validating that the first client is subordinate to a sponsor based on the signature result and the random number comprises: acquiring a random number acquired by the first client; decrypting the signature result by adopting a first public key component to obtain a decrypted random number; judging whether the decrypted random number is consistent with the random number obtained by the first client; if yes, confirming that the first client is subordinate to the sponsor
For this embodiment, after the server receives the decryption result, the server may directly submit the random number to the label checking party without performing Hash operation on the random number, so that the label checking party directly determines whether the decryption result is consistent with the random number, and if so, it may be confirmed that the sponsor himself/herself wants to initiate the chapter request using the first client currently, and the first client belongs to the sponsor.
In addition, an embodiment of the present invention provides an electronic signature management and control device for an enterprise, as shown in fig. 2, where the device includes: the signature request module 21, the receiving module 22, the decryption module 23, the identity authentication result acquisition module 24 and the signature authority acquisition module 25;
the signature request module 21 is configured to initiate a signature request of an electronic signature of an enterprise;
the receiving module 22 is configured to receive ciphertext information and signature information returned by the server in response to the seal application request, where the ciphertext information is generated by encrypting plaintext information by the server using a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of plaintext information by the server using a second private key component;
the decryption module 23 is configured to decrypt the signature information by using a second public key component to obtain the digital fingerprint, and decrypt the ciphertext information by using a first private key component to obtain the plaintext information;
the identity authentication result obtaining module 24 is configured to submit the digital fingerprint and the plaintext information to a server, so that the server confirms and returns an identity authentication result that the identity authentication of the sponsor passes according to the digital fingerprint and the plaintext information;
the seal permission obtaining module 25 is configured to obtain a seal permission of an electronic seal of an enterprise according to the identity authentication result;
the first private key component and the second private key component are generated separately and are stored in the sponsor client and the server correspondingly respectively.
Preferably, the enterprise electronic signature management and control device further comprises an installation confirmation module, wherein the installation confirmation module is used for: before the initiation of the signing request of the enterprise electronic signature: judging whether a digital certificate and a key pair of a sponsor are installed locally or not; if not, applying for and installing a digital certificate and a key pair; or, the client terminal cooperated with the digital certificate and the key pair of the installed sponsor performs the sponsor identity authentication.
Preferably, the installation confirmation module comprises an installation unit, and the installation unit is used for applying for and installing a digital certificate and a key pair, specifically:
initiating an issuing request to a certificate issuing mechanism through a secure SDK;
receiving a corresponding digital certificate code and a code of a key pair returned by a certificate authority in response to the issuing request;
and installing the first private key component of the digital certificate and key pair through the secure SDK according to the code.
Preferably, the enterprise electronic signature management and control device further includes a real-name authentication module, where the real-name authentication module is configured to: and before issuing an issuing request to a certificate issuing organization through the secure SDK, performing real-name authentication based on the short message verification code and the biological recognition.
Preferably, the installation confirmation module includes a cooperative authentication module, where the cooperative authentication module is configured to perform manager identity authentication on a client of a digital certificate and key pair of an installed manager, specifically:
a first client terminal not provided with a digital certificate and a key pair acquires a random number and displays the random number in a two-dimensional code;
and the second client of the installed sponsor digital certificate and key pair adopts a first private key component to digitally sign the random number corresponding to the two-dimensional code, and the signature result is provided to a signature verification party, so that the signature verification party confirms that the first client is subordinate to the sponsor according to the signature result and the random number.
Preferably, the signing checking party confirms that the first client belongs to a sponsor according to the signing result and the random number, and the signing checking party comprises:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client;
if yes, confirming that the first client is subordinate to the sponsor.
Preferably, the identity authentication result of passing the identity authentication of the sponsor is generated by the following steps:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result passing the identity authentication of the sponsor is generated.
The content of the method embodiment of the present invention is applicable to the embodiment of the present device, and the functions of the embodiment of the present device that are specifically implemented are the same as those of the embodiment of the present method, and the beneficial effects achieved by the method are the same as those achieved by the method, and detailed descriptions in the embodiment of the present method are omitted herein.
In addition, an embodiment of the present invention provides a computer readable storage medium, where a computer program is stored, where the computer program is executed by a processor to implement the method for managing electronic signatures of an enterprise according to any one of the above embodiments. The computer readable storage medium includes, but is not limited to, any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magneto-optical disks, ROMs (Read-Only memories), RAMs (Random AcceSS Memory, random access memories), EPROMs (EraSable Programmable Read-Only memories), EEPROMs (Electrically EraSable Programmable Read-Only memories), flash memories, magnetic cards, or optical cards. That is, a storage device includes any medium that stores or transmits information in a form readable by a device (e.g., computer, cell phone), and may be read-only memory, magnetic or optical disk, etc.
The content of the method embodiment of the present invention is applicable to the storage medium embodiment, and functions of the storage medium embodiment are the same as those of the method embodiment, and beneficial effects achieved by the method are the same as those achieved by the method, and detailed description of the method embodiment is omitted herein.
In addition, the embodiment of the invention also provides a terminal device, as shown in fig. 3. The terminal device in this embodiment may be a mobile terminal, a PC terminal, or the like. The terminal device comprises a processor 302, a memory 303, an input unit 304, a display unit 305 and the like. It will be appreciated by those skilled in the art that the device architecture shown in fig. 3 does not constitute a limitation of all devices, and may include more or fewer components than shown, or may combine certain components. The memory 303 may be used to store a computer program 301 and functional modules, and the processor 302 runs the computer program 301 stored in the memory 303 to perform various functional applications of the device and data processing. The memory may be internal memory or external memory, or include both internal memory and external memory. The internal memory may include read-only memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), flash memory, or random access memory. The external memory may include a hard disk, floppy disk, ZIP disk, U-disk, tape, etc. The disclosed memory includes, but is not limited to, these types of memory. The memory disclosed herein is by way of example only and not by way of limitation.
The input unit 304 is used for receiving input of a signal and receiving keywords input by a user. The input unit 304 may include a touch panel and other input devices. The touch panel may collect touch operations on or near the user (e.g., the user's operation on or near the touch panel using any suitable object or accessory such as a finger, stylus, etc.), and drive the corresponding connection device according to a preset program; other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., play control keys, switch keys, etc.), a trackball, mouse, joystick, etc. The display unit 305 may be used to display information input by a user or information provided to the user and various menus of the terminal device. The display unit 305 may take the form of a liquid crystal display, an organic light emitting diode, or the like. The processor 302 is a control center of the terminal device, connects various parts of the entire computer using various interfaces and lines, performs various functions and processes data by running or executing software programs and/or modules stored in the memory 303, and calling data stored in the memory.
As an embodiment, the terminal device includes: one or more processors 302, a memory 303, one or more computer programs 301, wherein the one or more computer programs 301 are stored in the memory 303 and configured to be executed by the one or more processors 302, the one or more computer programs 301 configured to perform the enterprise electronic signature management method described in any of the embodiments above.
The content of the method embodiment of the present invention is applicable to the terminal device embodiment, and functions of the terminal device embodiment are the same as those of the method embodiment, and beneficial effects achieved by the method are the same as those achieved by the method, and detailed description of the method embodiment is omitted herein.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The foregoing is only a partial embodiment of the present invention, and it should be noted that it will be apparent to those skilled in the art that modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.
Claims (6)
1. The enterprise electronic signature management and control method is characterized by comprising the following steps of:
judging whether a digital certificate and a key pair of a sponsor are installed locally or not;
if not, carrying out manager identity authentication by cooperating with the client side of the digital certificate and key pair of the installed manager; comprising the following steps: a first client without a digital certificate and a key pair acquires a random number and displays the random number in a two-dimensional code, a second client with a digital certificate and a key pair of an installed sponsor digitally signs the random number corresponding to the two-dimensional code by adopting a first private key component, and a signature result is provided to a signature verification party, so that the signature verification party confirms that the first client is subordinate to the sponsor according to the signature result and the random number;
initiating a seal application request of an enterprise electronic seal;
receiving ciphertext information and signature information returned by the server after responding to the seal application request, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component;
decrypting the signature information by adopting a second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting a first private key component to obtain the plaintext information;
submitting the digital fingerprint and the plaintext information to a server so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information;
obtaining the seal authority of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are generated separately and are stored in the sponsor client and the server correspondingly respectively.
2. The method of claim 1, wherein the signer confirms that the first client is subordinate to a sponsor based on the signing result and the random number, comprising:
acquiring a random number acquired by the first client;
decrypting the signature result by adopting a first public key component to obtain a decrypted random number;
judging whether the decrypted random number is consistent with the random number obtained by the first client;
if yes, confirming that the first client is subordinate to the sponsor.
3. The method for managing and controlling electronic signatures of enterprises according to claim 1, wherein the identity authentication result passed by the sponsor identity authentication is generated by the steps of:
calculating the plaintext information by adopting a Hash function to obtain a Hash value;
judging whether the digital fingerprint is consistent with the Hash value;
if yes, an identity authentication result passing the identity authentication of the sponsor is generated.
4. An enterprise electronic signature management and control device, comprising:
the installation confirmation module is used for judging whether the digital certificate and the key pair of the sponsor are installed locally; if not, carrying out manager identity authentication by cooperating with the client side of the digital certificate and key pair of the installed manager; comprising the following steps: a first client without a digital certificate and a key pair acquires a random number and displays the random number in a two-dimensional code, a second client with a digital certificate and a key pair of an installed sponsor digitally signs the random number corresponding to the two-dimensional code by adopting a first private key component, and a signature result is provided to a signature verification party, so that the signature verification party confirms that the first client is subordinate to the sponsor according to the signature result and the random number;
the signature request module is used for initiating a signature application request of the enterprise electronic signature;
the receiving module is used for receiving ciphertext information and signature information returned by the server after responding to the seal application request, wherein the ciphertext information is generated by encrypting plaintext information by the server by adopting a first public key component, and the signature information is generated by signing a digital fingerprint generated by Hash operation of the plaintext information by adopting a second private key component;
the decryption module is used for decrypting the signature information by adopting the second public key component to obtain the digital fingerprint, and decrypting the ciphertext information by adopting the first private key component to obtain the plaintext information;
the identity authentication result acquisition module is used for submitting the digital fingerprint and the plaintext information to the server so that the server confirms and returns an identity authentication result passing the identity authentication of the sponsor according to the digital fingerprint and the plaintext information;
the seal permission acquisition module is used for acquiring the seal permission of the enterprise electronic signature according to the identity authentication result;
the first private key component and the second private key component are generated separately and are stored in the sponsor client and the server correspondingly respectively.
5. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the enterprise electronic signature management method of any one of claims 1 to 3.
6. A terminal device, characterized in that it comprises:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, the one or more computer programs configured to: an enterprise electronic signature management method according to any one of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110830746.5A CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110830746.5A CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113486320A CN113486320A (en) | 2021-10-08 |
| CN113486320B true CN113486320B (en) | 2024-03-29 |
Family
ID=77943016
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110830746.5A Active CN113486320B (en) | 2021-07-22 | 2021-07-22 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113486320B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118427797B (en) * | 2024-05-17 | 2024-09-10 | 国网安徽省电力有限公司信息通信分公司 | Electronic seal generation method, device, system and medium based on fingerprint characteristics |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107948189A (en) * | 2017-12-19 | 2018-04-20 | 数安时代科技股份有限公司 | Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium |
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN109818747A (en) * | 2018-12-28 | 2019-05-28 | 苏州科达科技股份有限公司 | Digital signature method and device |
| CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
-
2021
- 2021-07-22 CN CN202110830746.5A patent/CN113486320B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107948189A (en) * | 2017-12-19 | 2018-04-20 | 数安时代科技股份有限公司 | Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium |
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN109818747A (en) * | 2018-12-28 | 2019-05-28 | 苏州科达科技股份有限公司 | Digital signature method and device |
| CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113486320A (en) | 2021-10-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10382427B2 (en) | Single sign on with multiple authentication factors | |
| EP2999189B1 (en) | Network authentication method for secure electronic transactions | |
| US20180144114A1 (en) | Securing Blockchain Transactions Against Cyberattacks | |
| US8112787B2 (en) | System and method for securing a credential via user and server verification | |
| CN101350723B (en) | USB Key equipment and method for implementing verification thereof | |
| US7895432B2 (en) | Method and apparatus for using a third party authentication server | |
| US10848304B2 (en) | Public-private key pair protected password manager | |
| US8321924B2 (en) | Method for protecting software accessible over a network using a key device | |
| US9053313B2 (en) | Method and system for providing continued access to authentication and encryption services | |
| US20090293111A1 (en) | Third party system for biometric authentication | |
| US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
| TWM623435U (en) | System for verifying client identity and transaction services using multiple security levels | |
| KR102012262B1 (en) | Key management method and fido authenticator software authenticator | |
| US11665156B2 (en) | Method and system for securely authenticating a user by an identity and access service using a pictorial code and a one-time code | |
| CN112232814A (en) | Encryption and decryption method of payment key, payment authentication method and terminal equipment | |
| US20120221862A1 (en) | Multifactor Authentication System and Methodology | |
| US20180262471A1 (en) | Identity verification and authentication method and system | |
| CN111355591A (en) | Block chain account safety management method based on real-name authentication technology | |
| TW201822043A (en) | Login mechanism for operating system capable of improving the convenience and security of logging into a computer operating system | |
| EP2775658A2 (en) | A password based security method, systems and devices | |
| CN113486320B (en) | Enterprise electronic signature management and control method and device, storage medium and terminal equipment | |
| WO2023022584A1 (en) | System and method for decentralising digital identification | |
| JP2024529288A (en) | Encoded animated images and methods for generating, displaying and reading such encoded animated images, in particular for authorizing their operation on online services - Patents.com | |
| TW202319998A (en) | System for using multiple security levels to verify customer identity and transaction services and method thereof | |
| CN113987461A (en) | Identity authentication method and device and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |