CN113536284A - Method, device, equipment and storage medium for verifying digital certificate - Google Patents


Info

Publication number
CN113536284A
Authority
CN
China
Prior art keywords
certificate
party
verified
digital certificate
center
Legal status
Granted
Application number
CN202110825226.5A
Other languages
Chinese (zh)
Other versions
CN113536284B (en)
Inventor
李祖金
邹鹤良
王子战
代鹏
陈劲鸿
邹雅丽
王朝普
Current Assignee
Digital Guangdong Network Construction Co Ltd
Original Assignee
Digital Guangdong Network Construction Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G06F21/45 Structures or tools for the administration of authentication


Abstract

The embodiment of the invention discloses a method, a device, equipment and a storage medium for verifying a digital certificate. The method comprises the following steps: responding to a verification request from a requester for the digital certificate of a party to be verified, and determining the certificate centers to be mutually trusted; constructing a corresponding mutual trust logic tree according to the trust chain data formed after each certificate center to be mutually trusted registered on the mutual trust platform, wherein each node of the mutual trust logic tree is an identifier of a certificate center or a mobile terminal contained in the trust chain data; and verifying whether the digital certificate of the party to be verified is credible according to the mutual trust logic tree. The technical scheme provided by the embodiment of the invention realizes accurate mutual trust between different certificate centers to be mutually trusted. The mutual trust logic tree visually represents the trust transfer between different certificate centers, so the trust chain between different certificate centers to be mutually trusted does not need to be checked repeatedly; the convenience and accuracy of digital certificate verification are improved, and the security of information transmission is further ensured.

Description

Method, device, equipment and storage medium for verifying digital certificate
Technical Field
The embodiment of the invention relates to the technical field of identity authentication, in particular to a method, a device, equipment and a storage medium for verifying a digital certificate.
Background
With the rapid development of mobile devices, and considering that information transmitted by a mobile device over electromagnetic waves is easily intercepted or interfered with, there is a great risk that information transmitted by a mobile terminal is tampered with. A digital certificate therefore needs to be introduced to sign the transmitted information, so as to prevent tampering with and loss of the transmitted information.
At present, when different Public Key Infrastructures (PKI) issue corresponding digital certificates for mobile terminals, different encryption and decryption algorithms, some of which are international and some of which are national cryptographic algorithms, are used, so that in order to ensure the information transmission security of the mobile terminals, different digital certificates issued by different Certificate Authorities (CAs) for the mobile terminals are used to sign transmitted information in different scenes. At this time, supporting the verification of digital certificates issued by different CA organizations becomes an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for verifying a digital certificate, which can realize accurate mutual trust among different certificate centers, improve the convenience and accuracy of digital certificate verification and ensure the safety of information transmission.
In a first aspect, an embodiment of the present invention provides a method for verifying a digital certificate, which is applied to a mutually trusted platform registered with at least two certificate centers, and includes:
responding to a verification request of a digital certificate of a party to be verified by a requester, and determining a certificate center to be mutually trusted;
constructing a corresponding mutual trust logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutual trust platform, wherein each node of the mutual trust logic tree is an identifier of the certificate center or a mobile terminal contained in the trust chain data;
and verifying whether the digital certificate of the party to be verified is credible according to the mutual trust logic tree.
In a second aspect, an embodiment of the present invention provides an apparatus for verifying a digital certificate, configured in a mutually trusted platform in which at least two certificate centers are registered, including:
the mutual trust waiting determination module is used for responding to the verification request of the digital certificate of the party to be verified by the requester and determining the certificate center to be mutually trusted;
a mutually trusted logic construction module, configured to construct a corresponding mutually trusted logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutually trusted platform, where each node of the mutually trusted logic tree is an identifier of the certificate center or the mobile terminal included in the trust chain data;
and the certificate verification module is used for verifying whether the digital certificate of the party to be verified is trusted according to the mutual trust logic tree.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a method for verifying a digital certificate as described in any of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for verifying a digital certificate according to any embodiment of the present invention.
The embodiment of the invention provides a method, a device, equipment and a storage medium for verifying a digital certificate, wherein a certificate center to be mutually trusted is determined according to a verification request of a digital certificate of a party to be verified by a requesting party, then a corresponding mutual trust logic tree is constructed by utilizing trust chain data formed after the certificate center to be mutually trusted is registered on a mutual trust platform, each node of the mutual trust logic tree can be an identifier of a certificate center or a mobile terminal contained in the trust chain data, and the mutual trust logic tree is further adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutual trust among different certificate centers to be mutually trusted is realized, the mutual trust logic tree visually represents the trust transfer condition of the different certificate centers, the trust chain among the different certificate centers to be mutually trusted does not need to be continuously checked, and the convenience and the accuracy of digital certificate verification are improved; at this time, the security of information transmission is further ensured by accurately verifying the digital certificate of the information transmission party.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
fig. 1 is a flowchart of a method for verifying a digital certificate according to an embodiment of the present invention;
fig. 2A is a flowchart of a method for verifying a digital certificate according to a second embodiment of the present invention;
fig. 2B is a schematic diagram of a mutual trust logic tree constructed in the method according to the second embodiment of the present invention;
fig. 3 is a schematic structural diagram of an apparatus for verifying a digital certificate according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for verifying a digital certificate according to an embodiment of the present invention. The embodiment can be applied to the situation that the authenticity and the timeliness of the digital certificate of the party to be verified for transmitting the information are verified during information transmission. The method for verifying a digital certificate provided in this embodiment may be performed by a digital certificate verifying apparatus provided in an embodiment of the present invention, where the apparatus may be implemented in software and/or hardware, and is integrated in an electronic device that executes the method, the electronic device is configured with a pre-developed mutual trust platform, and at least two certificate centers (that is, CA agencies) are registered in the platform.
Specifically, referring to fig. 1, the method specifically includes the following steps:
s110, responding to the verification request of the digital certificate of the party to be verified by the requester, and determining the certificate center to be mutually trusted.
Specifically, in order to implement mutual trust between different certificate centers and support a certain certificate center to accurately verify the authenticity and timeliness of a digital certificate issued by a sender when another certificate center is used for information transmission, in this embodiment, a mutual trust platform is developed in advance, a large number of certificate centers are registered in the mutual trust platform, and mutual trust between different certificate centers is implemented by adopting a cross-authentication manner.
In this embodiment, when a sending party in an information transmission transmits information to another terminal or a server, the sending party may be treated as the party to be verified, and the digital certificate of the party to be verified is used to sign the transmitted information, so as to prevent the transmitted information from being tampered with in transit and to ensure the privacy and integrity of data transmitted by the wireless device. Specifically, when the other terminal or the server receives the information transmitted by the party to be verified, it can parse the digital certificate of the party to be verified and judge whether the received information has been tampered with by verifying whether that digital certificate is authentic and valid. Therefore, in this embodiment, the other party of the information transmission (for example, another terminal or a server receiving the information transmitted by the party to be verified) may act as the requester, initiating a verification request for the digital certificate of the party to be verified to the pre-developed mutual trust platform, and the mutual trust platform verifies the authenticity and validity of that digital certificate so as to determine whether it is trusted.
In the embodiment, after receiving the verification request of the digital certificate of the party to be verified sent by the requester, the mutually trusted platform firstly resolves the verification request to obtain the digital certificate carried by the party to be verified when the information is transmitted and the information of the certificate center responsible for verifying the certificate by the requester, and then resolves the digital certificate of the party to be verified to obtain the certificate center which signs the digital certificate for the party to be verified, thereby determining the certificate center to be mutually trusted. For example, if the mutually trusted platform receives a verification request of a digital certificate of a party to be verified by a requester, a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requester are directly determined and found out, and then the first certificate center and the second certificate center are used as certificate centers to be mutually trusted.
It should be noted that the digital certificate of the party to be verified is issued by a registered certificate center in the mutually trusted platform, and in order to achieve accurate verification of the digital certificate of the party to be verified, the certificate center responsible for verifying the certificate by the requesting party is also registered in the mutually trusted platform, so in this embodiment, the certificate centers to be mutually trusted are all registered certificate centers in the mutually trusted platform, and corresponding mutual trust is achieved between different registered certificate centers in the mutually trusted platform in a cross-certification manner, and whether the digital certificate of the party to be verified is trusted is determined in a trust transfer manner.
It should be noted that, in this embodiment, the verifying the digital certificate of the party to be verified by the requestor may refer to that the party to be verified actively sends a request to the requestor to verify whether the digital certificate of the party to be verified is trusted, and may also refer to that the requestor logs in the mutual trust platform in this embodiment on a local device (such as a mobile terminal or a computer terminal), and then actively verifies whether the digital certificate of the party to be verified is trusted. The embodiment does not limit the specific authentication scenario of the digital certificate of the party to be authenticated.
And S120, constructing a corresponding mutual trust logic tree according to trust chain data formed after the certificate center to be mutually trusted registers on the mutual trust platform.
Optionally, when each certificate center registers with the mutually trusted platform, corresponding cross-authentication is established between it and the already registered certificate centers so as to realize trust transfer between different certificate centers. That is, one or more specific certificate centers are selected from all registered certificate centers, and the private key of each specific certificate center is used to issue a corresponding digital certificate for the newly registered certificate center, so that any device trusting the specific certificate center can also trust the newly registered one. The trust transfer process of each certificate center is analyzed during its registration and recorded as corresponding trust chain data, which represents the trust transfer that a certificate center undergoes, in a cross-authentication manner, among the other certificate centers after it is registered in the mutually trusted platform.
For example, certificate centers A, B, C and D are registered on the mutual trust platform. A, as the certificate center first registered to the platform, issues corresponding digital certificates for B and C, representing that A trusts B and C; C then issues a corresponding digital certificate for D, representing that C trusts D. By analyzing the trust transfer process of D, the trust chain data of D is obtained as A-C-D, and B, C and D can all be trusted as long as A is determined to be trusted.
Taking the example that the mutual trust platform registers a new certificate center, the mutual trust platform will first receive the registration request of the new certificate center, respond to the registration request of the new certificate center, establish the cross-authentication between the new certificate center and the registered certificate center, and generate the trust chain data of the new certificate center. That is, for a new certificate center, a certain specific certificate center or specific certificate centers are selected from registered certificate centers, the specific certificate center issues a corresponding digital certificate for the new certificate center to establish cross-authentication between the new certificate center and each specific certificate center, so as to realize trust transfer from the registered certificate center to the new certificate center, and further add the new certificate center to the trust chain data of each specific certificate center issuing the digital certificate for the new certificate center, thereby generating the trust chain data of the new certificate center.
It should be noted that, in this embodiment, when registering a new certificate center, the mutually trusted platform may randomly filter a specific certificate center used for issuing a digital certificate for the new certificate center, or may issue a corresponding digital certificate for the new certificate center through a certificate center registered latest in the registered certificate centers according to the registration order, where the trust transfer order between the registered certificate centers is not limited in this embodiment.
In this embodiment, after the certificate centers to be mutually trusted are determined, the certificate issuance records of each such certificate center may be analyzed and checked to find the trust chain data it generated after registering on the mutually trusted platform. For example, certificate centers A, B, C and D are registered on the mutually trusted platform; A, as the certificate center first registered, issues corresponding digital certificates for B and C, representing that A trusts B and C, and C then issues a corresponding digital certificate for D, representing that C trusts D. If B is responsible for certificate management of the requester and D issued the digital certificate of the party to be verified, then the certificate centers to be mutually trusted are B and D; at this time, the trust chain data of B is A-B-requester, and the trust chain data of D is A-C-D-party to be verified. A corresponding mutual trust logic tree can then be constructed by analyzing the certificate centers and the trust transfer process contained in the trust chain data of each certificate center to be mutually trusted. Each node of the mutual trust logic tree can be the identifier of a certificate center or a mobile terminal contained in that trust chain data, so that whether the digital certificate of the party to be verified is trusted can be judged from the trust transfer process between the certificate centers to be mutually trusted as represented in the tree.
S130, verifying whether the digital certificate of the party to be verified is credible according to the mutual trust logic tree.
Specifically, the mutual trust logic tree represents the trust transfer process between the certificate centers to be mutually trusted, so verification can start from the party to be verified: first it is verified whether the party to be verified is trusted; when it is, it is then verified whether the certificate center that issued the digital certificate for the party to be verified is trusted; if that certificate center is trusted, it is then verified whether the certificate center that issued a digital certificate for it is trusted, and so on, hop by hop, until the certificate center responsible for certificate management of the requester is reached and verified. If that certificate center is determined to be trusted, the digital certificate of the party to be verified can be determined to be trusted for the requester, so that accurate verification of the digital certificate is realized and the security of information transmission is in turn ensured.
It should be noted that the digital certificate of the party to be authenticated in this embodiment may be a mobile terminal certificate, and the authentication method of the mobile terminal certificate is mainly described in this embodiment.
According to the technical scheme provided by the embodiment, a certificate center to be mutually trusted is determined according to a verification request of a digital certificate of a party to be verified by a requester, then trust chain data formed by the certificate center to be mutually trusted after registration on a mutual trust platform is utilized to construct a corresponding mutual trust logic tree, each node of the mutual trust logic tree can be an identifier of a certificate center or a mobile terminal contained in the trust chain data, and the mutual trust logic tree is further adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutual trust among different certificate centers to be mutually trusted is realized, the mutual trust logic tree visually represents trust transfer conditions of different certificate centers, the trust chain among different certificate centers to be mutually trusted does not need to be continuously checked, and convenience and accuracy of digital certificate verification are improved; at this time, the security of information transmission is further ensured by accurately verifying the digital certificate.
Example two
Fig. 2A is a flowchart of a method for verifying a digital certificate according to a second embodiment of the present invention. The embodiment of the invention is optimized on the basis of the embodiment. Optionally, in this embodiment, the digital certificate of the party to be authenticated may be a mobile terminal certificate, and this embodiment mainly explains in detail a specific process of issuing a digital certificate for a mobile terminal used by the party to be authenticated and a specific authentication process of the digital certificate of the party to be authenticated.
Specifically, referring to fig. 2A, the method of this embodiment may specifically include:
s210, in response to the application instruction of the digital certificate of the party to be verified, determining a target certificate center which is selected by the party to be verified and used for synchronously issuing the digital certificate.
Optionally, when applying for the digital certificate to the mutually trusted platform, the party to be verified sends a corresponding application instruction, and at this time, the mutually trusted platform supports that the party to be verified respectively applies for the corresponding digital certificates to the registered certificate centers, that is, the mutually trusted platform is provided with a function of synchronously applying for the digital certificates signed and issued by the certificate centers. In this embodiment, in response to an application instruction of a digital certificate of a party to be verified, the mutually trusted platform first parses the application instruction, thereby determining each target certificate center selected by the party to be verified and used for synchronously issuing the digital certificate for the party to be verified, so that trust chain data of each target certificate center registered on the mutually trusted platform is subsequently used for synchronously issuing corresponding digital certificates for the party to be verified respectively.
And S220, synchronously issuing a corresponding digital certificate for the party to be verified by using trust chain data formed by each target certificate center after the mutual trust platform is registered and the equipment identification code of the mobile terminal where the party to be verified is located.
Optionally, after determining each target certificate center selected by the party to be verified for synchronously issuing its digital certificate, the trust chain data generated after each target certificate center registered on the mutually trusted platform may be looked up directly, and the device identification code of the party to be verified is determined by analyzing the hardware information of the mobile terminal where the party to be verified is located; the device identification code uniquely identifies the mobile terminal used by the party to be verified. Then, using the trust chain data of each target certificate center, a corresponding digital certificate can be synchronously issued for the device identification code of the party to be verified, so that synchronous certificate issuance across a plurality of certificate centers is realized.
It should be noted that the mobile terminals used by different parties to be verified may be cloned, in which case a certificate center cannot distinguish the object it issued the certificate to, and the mobile terminal indicated by the digital certificate of the party to be verified is no longer unique. Therefore, in order to ensure the uniqueness of the mobile terminal used by the party to be verified, when the target certificate center selected for synchronously issuing the digital certificate is determined, the machine bits partitioned within the device identification code are set according to the hardware information of the mobile terminal where the party to be verified is located, and a random algorithm is used to generate the serial-number bits partitioned within the device identification code.
That is, the 64 bits representing the device identification code of the party to be verified are first divided into several parts, in the manner of partitioning a namespace, as follows:
The 1st bit occupies 1 bit and its value is always 0, so it serves as the sign bit and is not used.
The 2nd to 42nd bits occupy 41 bits and serve as the timestamp bits; 41 bits can represent 2^41 numbers, which denote milliseconds, so the available time span is (1L << 41) / (1000L × 3600 × 24 × 365) ≈ 69 years.
The 10 bits occupied by the 43rd to 52nd bits represent the machine bits, i.e. 2^10 = 1024 machines, where the first 4 of these 10 bits represent the machine identifier mapping and the last 6 bits represent the working domain of the machine, so as to shard mobile terminals of different models and regions and reduce the probability that device identification codes of mobile terminals repeat.
The last 12 bits serve as the serial number of the mobile terminal and can represent 2^12 = 4096 numbers.
Then, the timestamp, the machine number and the working domain of the party to be verified are determined by reading the hardware information of the mobile terminal it uses, so that the timestamp bits and the machine bits of the device identification code of the party to be verified are set. Moreover, considering that the number of mobile terminals is large, this embodiment may generate the serial-number bits of the device identification code with a random algorithm instead of an incrementing serial number, so that corresponding device identification codes can be generated concurrently for multiple mobile terminals, improving the efficiency of generating device identification codes.
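The 64-bit layout above, packed and unpacked in code. This is an added example and not the patent's own code; the field order (timestamp, 4-bit machine identifier, 6-bit working domain, 12-bit serial, most significant first) and the function names are assumptions taken from the description in the text.

```python
import secrets

# Field widths of the 64-bit device identification code as described in the text:
# 1 unused sign bit, 41 timestamp bits (milliseconds), 10 machine bits
# (4 machine identifier + 6 working domain) and 12 serial-number bits.
TIMESTAMP_BITS = 41
MACHINE_ID_BITS = 4
DOMAIN_BITS = 6
SERIAL_BITS = 12

# Shifts are assumed: fields are laid out most significant first, serial lowest.
DOMAIN_SHIFT = SERIAL_BITS                             # 12
MACHINE_ID_SHIFT = DOMAIN_SHIFT + DOMAIN_BITS          # 18
TIMESTAMP_SHIFT = MACHINE_ID_SHIFT + MACHINE_ID_BITS   # 22
assert TIMESTAMP_SHIFT + TIMESTAMP_BITS == 63          # bit 64 (sign) stays 0

MS_PER_YEAR = 1000 * 3600 * 24 * 365


def _check(name, value, bits):
    """Reject a field value that would overflow its bit width into a neighbour."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def make_device_id(timestamp_ms, machine_id, domain, serial=None):
    """Pack the fields; the serial is drawn randomly (not incrementally) when omitted."""
    if serial is None:
        serial = secrets.randbelow(1 << SERIAL_BITS)
    _check("timestamp_ms", timestamp_ms, TIMESTAMP_BITS)
    _check("machine_id", machine_id, MACHINE_ID_BITS)
    _check("domain", domain, DOMAIN_BITS)
    _check("serial", serial, SERIAL_BITS)
    return ((timestamp_ms << TIMESTAMP_SHIFT)
            | (machine_id << MACHINE_ID_SHIFT)
            | (domain << DOMAIN_SHIFT)
            | serial)


def _mask(bits):
    return (1 << bits) - 1


def split_device_id(device_id):
    """Unpack an identifier back into its fields (inverse of make_device_id)."""
    if not 0 <= device_id < (1 << 63):
        raise ValueError("sign bit must be 0")
    return {
        "timestamp_ms": (device_id >> TIMESTAMP_SHIFT) & _mask(TIMESTAMP_BITS),
        "machine_id": (device_id >> MACHINE_ID_SHIFT) & _mask(MACHINE_ID_BITS),
        "domain": (device_id >> DOMAIN_SHIFT) & _mask(DOMAIN_BITS),
        "serial": device_id & _mask(SERIAL_BITS),
    }


def usable_years():
    """Years covered by 41 millisecond bits: (1 << 41) / (1000 * 3600 * 24 * 365)."""
    return (1 << TIMESTAMP_BITS) // MS_PER_YEAR


def same_slot_collision_probability():
    """Chance that two codes generated for the same machine, domain and
    millisecond receive the same random 12-bit serial (the cost of not
    using an incrementing serial)."""
    return 1 / (1 << SERIAL_BITS)


if __name__ == "__main__":
    # Constructed sample values: an arbitrary millisecond timestamp, machine 3, domain 17.
    code = make_device_id(1_600_000_000_000, 3, 17)
    print(hex(code), split_device_id(code), usable_years())
```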
And S230, responding to the digital certificate verification request of the requester to the party to be verified, and determining the certificate center to be mutually trusted.
S240, building a corresponding mutual trust logic tree according to trust chain data formed after the certificate center to be mutually trusted registers on the mutual trust platform.
And S250, determining the public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree.
Optionally, in order to improve the efficiency of digital certificate verification, in this embodiment, after the corresponding mutual trust logic tree is constructed, a public certificate center that has established a trust transfer relationship with both of the certificate centers corresponding to the requesting party and the party to be verified can be found directly from the tree. For example, certificate centers A, B, C and D are registered on the mutual trust platform. A, as the certificate center first registered on the mutual trust platform, issues corresponding digital certificates for B and C, indicating that A trusts B and C; C then issues a corresponding digital certificate for D, indicating that C trusts D. If B is responsible for certificate management of the requester and D issues the digital certificate of the party to be verified, the mutual trust logic tree shown in fig. 2B may be constructed, and it may then be determined that the public certificate center of the requester and the party to be verified is A.
S260, verifying whether the public certificate center is credible or not, and taking the credible result of the public certificate center as the credible result of the digital certificate of the party to be verified.
Optionally, because the certificate center responsible for certificate management of the requester and the public certificate center have established a corresponding trust transfer relationship through cross-authentication between different certificate centers, that is, the certificate center responsible for certificate management of the requester trusts the public certificate center, this embodiment verifies the chain starting from the party to be verified in order to improve verification efficiency. It is first verified whether the party to be verified is trusted; when the party to be verified is trusted, it is then verified whether the certificate center that issued the digital certificate for the party to be verified is trusted; if so, it is further verified whether the certificate center that issued the digital certificate for that certificate center is trusted, and the process is repeated in sequence until it has been verified whether the public certificate center is trusted. Because the requesting party trusts the public certificate center, if the public certificate center is determined to be trusted, the digital certificate of the party to be verified can be directly determined to be trusted for the requesting party, and accurate verification of the digital certificate is thus achieved. In the above iterative verification process, if any certificate center is found to be untrusted, it can be determined that the digital certificate of the party to be verified is not trusted.
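Steps S240 to S260 carried through in code, as an added example that is not the patent's own implementation: the trust chain data is modelled as constructed (issuer, subject) records matching the A/B/C/D example above, the per-node trust check is stood in for by a constructed revocation set, and the function and node names are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed trust chain data: each record reads "issuer issued a digital
# certificate to subject". B manages the requester, D issued the party's cert.
TRUST_CHAIN = [
    ("A", "B"),
    ("A", "C"),
    ("C", "D"),
    ("B", "requester"),
    ("D", "party_to_be_verified"),
]

# Constructed status data standing in for the per-node trust check
# (for instance a revocation list): listed nodes are treated as untrusted.
REVOKED = {"C"}

Tree = Dict[str, Optional[str]]


def build_tree(chain: List[Tuple[str, str]]) -> Tree:
    """Build the mutual trust logic tree as a subject -> issuer map (roots map to None)."""
    parent: Tree = {}
    for issuer, subject in chain:
        if parent.get(subject) not in (None, issuer):
            raise ValueError(f"{subject} has two issuers; data is not a tree")
        parent[subject] = issuer
        parent.setdefault(issuer, None)
    return parent


def path_to_root(parent: Tree, node: str) -> List[str]:
    """Walk from a node up through its issuers to the root certificate center."""
    path: List[str] = []
    seen = set()
    while node is not None:
        if node in seen:
            raise ValueError("cycle in trust chain data")
        seen.add(node)
        path.append(node)
        node = parent[node]
    return path


def public_certificate_center(parent: Tree, requester: str, party: str) -> Optional[str]:
    """Step S250: first node on the party's chain that also lies on the requester's chain."""
    if requester not in parent or party not in parent:
        return None
    on_requester_chain = set(path_to_root(parent, requester))
    for node in path_to_root(parent, party):
        if node in on_requester_chain:
            return node
    return None  # the two centers never cross-authenticated


def verify_certificate(parent: Tree, requester: str, party: str,
                       is_trusted: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Step S260: check the party, then each issuing center upward, stopping at the
    public certificate center. The requester's own center already trusts that
    center through cross-authentication, so nothing above it is re-checked.
    Returns (trusted, nodes_checked); the first untrusted node fails the check.
    """
    center = public_certificate_center(parent, requester, party)
    if center is None:
        return False, []
    checked: List[str] = []
    for node in path_to_root(parent, party):
        checked.append(node)
        if not is_trusted(node):
            return False, checked
        if node == center:
            return True, checked
    return False, checked  # defensive; center always lies on this path


def not_revoked(node: str) -> bool:
    return node not in REVOKED


if __name__ == "__main__":
    tree = build_tree(TRUST_CHAIN)
    print(public_certificate_center(tree, "requester", "party_to_be_verified"))
    print(verify_certificate(tree, "requester", "party_to_be_verified", not_revoked))
```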
According to the technical scheme provided by the embodiment, a certificate center to be mutually trusted is determined according to a verification request of a digital certificate of a party to be verified by a requester, then trust chain data formed by the certificate center to be mutually trusted after registration on a mutual trust platform is utilized to construct a corresponding mutual trust logic tree, each node of the mutual trust logic tree can be an identifier of a certificate center or a mobile terminal contained in the trust chain data, and the mutual trust logic tree is further adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutual trust among different certificate centers to be mutually trusted is realized, the mutual trust logic tree visually represents trust transfer conditions of different certificate centers, the trust chain among different certificate centers to be mutually trusted does not need to be continuously checked, and the convenience and the accuracy of certificate verification of the mobile terminal are improved; at this time, the mobile terminal certificate is accurately verified, so that the safety of mobile terminal information transmission is further ensured.
EXAMPLE III
Fig. 3 is a schematic structural diagram of an apparatus for verifying a digital certificate according to a third embodiment of the present invention, configured in a mutually trusted platform registered with at least two certificate centers, as shown in fig. 3, the apparatus may include:
a module 310 for determining mutual trust, configured to determine a certificate center to be mutually trusted in response to a verification request of a digital certificate of a party to be verified by a requestor;
a mutually trusted logic construction module 320, configured to construct a corresponding mutually trusted logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutually trusted platform, where each node of the mutually trusted logic tree is an identifier of the certificate center or the mobile terminal included in the trust chain data;
and the certificate verification module 330 is configured to verify whether the digital certificate of the party to be verified is trusted according to the mutual trust logic tree.
According to the technical scheme provided by the embodiment, a certificate center to be mutually trusted is determined according to a verification request of a digital certificate of a party to be verified by a requester, then trust chain data formed by the certificate center to be mutually trusted after registration on a mutual trust platform is utilized to construct a corresponding mutual trust logic tree, each node of the mutual trust logic tree can be an identifier of a certificate center or a mobile terminal contained in the trust chain data, and the mutual trust logic tree is further adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutual trust among different certificate centers to be mutually trusted is realized, the mutual trust logic tree visually represents trust transfer conditions of different certificate centers, the trust chain among different certificate centers to be mutually trusted does not need to be continuously checked, and convenience and accuracy of digital certificate verification are improved; at this time, the security of information transmission is further ensured by accurately verifying the digital certificate.
Further, the certificate verification module 330 may be specifically configured to:
determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree;
and verifying whether the public certificate center is credible or not, and taking the credible result of the public certificate center as the credible result of the digital certificate of the party to be verified.
Further, the module 310 for determining mutual trust may be specifically configured to:
if receiving the verification request of the digital certificate of the party to be verified from the requester, using a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requester as the certificate centers to be mutually trusted.
Further, the digital certificate of the party to be authenticated may be a mobile terminal certificate, and the apparatus for authenticating a digital certificate may further include:
the certificate application module is used for responding to an application instruction of the digital certificate of the party to be verified, and determining a target certificate center which is selected by the party to be verified and used for synchronously issuing the digital certificate;
and the certificate issuing module is used for synchronously issuing a corresponding digital certificate for the party to be verified by using trust chain data formed after each target certificate center is registered in the mutual trust platform and the equipment identification code of the mobile terminal where the party to be verified is located.
Further, the apparatus for verifying a digital certificate may further include:
and the equipment identifier generating module is used for setting the divided machine positions in the equipment identifier according to the hardware information of the mobile terminal where the party to be verified is located, and generating the divided serial numbers in the equipment identifier by adopting a random algorithm.
Further, the apparatus for verifying a digital certificate may further include:
and the certificate center registration module is used for responding to a registration request of a new certificate center, establishing cross authentication between the new certificate center and the registered certificate center, and generating trust chain data of the new certificate center.
The digital certificate verification device provided by the embodiment can be applied to the digital certificate verification method provided by any embodiment, and has corresponding functions and beneficial effects.
EXAMPLE IV
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. As shown in fig. 4, the electronic device includes a processor 40, a storage device 41, and a communication device 42; the number of processors 40 in the electronic device may be one or more, and one processor 40 is taken as an example in fig. 4; the processor 40, the storage device 41 and the communication device 42 of the electronic device may be connected by a bus or other means, and connection by a bus is taken as an example in fig. 4.
The storage device 41, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as modules corresponding to the authentication method of a digital certificate in the embodiment of the present invention (for example, the module 310 for determining mutual trust, the module 320 for building mutual trust logic, and the module 330 for verifying a certificate in the authentication device of a digital certificate). The processor 40 executes various functional applications and data processing of the electronic device by executing software programs, instructions, and modules stored in the storage device 41, that is, implements the above-described digital certificate authentication method.
The storage device 41 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the storage device 41 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the storage device 41 may further include memory located remotely from the processor 40, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The communication means 42 may be used to enable a network connection or a mobile data connection between the devices.
The electronic device provided by this embodiment can be used to execute the method for verifying the digital certificate provided by any of the above embodiments, and has corresponding functions and advantages.
EXAMPLE V
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it can implement the method for verifying a digital certificate in any of the above embodiments.
The method specifically comprises the following steps:
responding to a verification request of a digital certificate of a party to be verified by a requester, and determining a certificate center to be mutually trusted;
constructing a corresponding mutual trust logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutual trust platform, wherein each node of the mutual trust logic tree is an identifier of the certificate center or a mobile terminal contained in the trust chain data;
and verifying whether the digital certificate of the party to be verified is credible according to the mutual trust logic tree.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the apparatus for verifying a digital certificate, the units and modules included in the apparatus are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for verifying a digital certificate, which is applied to a mutually trusted platform registered with at least two certificate centers, comprises the following steps:
responding to a verification request of a digital certificate of a party to be verified by a requester, and determining a certificate center to be mutually trusted;
constructing a corresponding mutual trust logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutual trust platform, wherein each node of the mutual trust logic tree is an identifier of the certificate center or a mobile terminal contained in the trust chain data;
and verifying whether the digital certificate of the party to be verified is credible according to the mutual trust logic tree.
2. The method according to claim 1, wherein said verifying whether the digital certificate of the party to be authenticated is authentic according to the mutually trusted logical tree comprises:
determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree;
and verifying whether the public certificate center is credible or not, and taking the credible result of the public certificate center as the credible result of the digital certificate of the party to be verified.
3. The method of claim 1, wherein determining the certificate authority to be mutually trusted in response to an authentication request of a digital certificate of a party to be authenticated by a requestor comprises:
if receiving the verification request of the digital certificate of the party to be verified from the requester, using a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requester as the certificate centers to be mutually trusted.
4. The method according to claim 1, wherein the digital certificate of the party to be authenticated is a mobile terminal certificate, and before determining a certificate authority to be mutually trusted in response to an authentication request of the digital certificate of the party to be authenticated by the requestor, the method further comprises:
responding to the application instruction of the digital certificate of the party to be verified, and determining a target certificate center which is selected by the party to be verified and used for synchronously issuing the digital certificate;
and synchronously issuing a corresponding digital certificate for the party to be verified by using trust chain data formed by each target certificate center after the mutual trust platform is registered and the equipment identification code of the mobile terminal where the party to be verified is located.
5. The method according to claim 4, wherein when determining a target certificate authority selected by the party to be authenticated for synchronously issuing digital certificates, the method further comprises:
and setting the divided machine positions in the equipment identification code according to the hardware information of the mobile terminal where the party to be verified is located, and generating the divided serial numbers in the equipment identification code by adopting a random algorithm.
6. The method according to any one of claims 1-5, further comprising:
and responding to a registration request of a new certificate center, establishing cross authentication between the new certificate center and the registered certificate centers, and generating trust chain data of the new certificate center.
7. An apparatus for verifying a digital certificate, which is provided in a mutually trusted platform in which at least two certificate centers are registered, comprising:
a module for determining mutual trust, configured to determine a certificate center to be mutually trusted in response to a verification request of a digital certificate of a party to be verified by a requester;
a mutually trusted logic construction module, configured to construct a corresponding mutually trusted logic tree according to trust chain data formed after the certificate center to be mutually trusted is registered on the mutually trusted platform, where each node of the mutually trusted logic tree is an identifier of the certificate center or the mobile terminal included in the trust chain data;
and the certificate verification module is used for verifying whether the digital certificate of the party to be verified is trusted according to the mutual trust logic tree.
8. The apparatus of claim 7, wherein the certificate verification module is specifically configured to:
determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree;
and verifying whether the public certificate center is credible or not, and taking the credible result of the public certificate center as the credible result of the digital certificate of the party to be verified.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of verifying a digital certificate as recited in any one of claims 1-6.
10. A computer-readable storage medium on which a computer program is stored, the program, when being executed by a processor, implementing a method of authenticating a digital certificate according to any one of claims 1 to 6.
CN202110825226.5A 2021-07-21 Digital certificate verification method, device, equipment and storage medium Active CN113536284B (en)

Publications (2)

Publication Number Publication Date
CN113536284A true CN113536284A (en) 2021-10-22
CN113536284B CN113536284B (en) 2024-06-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant