CN113824566A - Certificate authentication method, code number downloading method, device, server and storage medium - Google Patents


Info

Publication number
CN113824566A
Authority
CN
China
Prior art keywords
center
certificate
target
public key
trusted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111214327.5A
Other languages
Chinese (zh)
Other versions
CN113824566B (en)
Inventor
钱京
何碧波
崔可
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hengbao Co Ltd
Original Assignee
Hengbao Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hengbao Co Ltd
Priority to CN202111214327.5A
Publication of CN113824566A
Application granted
Publication of CN113824566B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/40 Security arrangements using identity modules

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a certificate authentication method, a code number downloading method, a device, a server and a storage medium. The method comprises the following steps: the server receives a certificate to be authenticated from the smart card; if the certificate to be authenticated is not a certificate issued by a first target CA center, the server acquires the public key certificate of a second target CA center, to which the certificate to be authenticated belongs, from a superior trusted CA center; the first target CA center is a CA center that has issued a certificate to the server; the superior trusted CA center is any one of the first target CA centers; the superior trusted CA center and the second target CA center are located in the same trusted environment; and the server authenticates the certificate to be authenticated using the public key certificate of the second target CA center. The scheme solves the problem in the prior art that certificate authentication cannot be performed if the server side does not store the certificate corresponding to the smart card side. Furthermore, the scheme can achieve authentication of all certificates when all legitimate CA centers are located in the trusted environment.

Description

Certificate authentication method, code number downloading method, device, server and storage medium
Technical Field
The application relates to the technical field of smart cards, in particular to a certificate authentication method, a code number downloading method, a device, a server and a storage medium.
Background
With the popularization of smart cards, many smart cards (e.g., Embedded Subscriber Identity Module (eSIM) cards) are widely used in various wearable and internet-of-things terminal devices. The smart card in such a product can support downloading, installation, activation and deactivation of operator code numbers, which to some extent relieves the waste of operator code number resources.
In the existing operator code number downloading technology promoted by the GSMA (Global System for Mobile Communications Association), a certificate authentication mechanism is used to perform bidirectional authentication between a server and a smart card to ensure the security of the downloading process and of the data, and the certificates used by the server and the smart card must be issued by the same CA (certificate authority) center. Meanwhile, the smart card side and the server side can each support multiple sets of certificate management, that is, the smart card side and the server side respectively store and manage certificates issued by different CA centers, and can select suitable certificates according to the actual situation to perform bidirectional authentication and complete code number downloading.
However, the smart card is a terminal chip with limited storage resources, so the number of certificates it can store is limited; in the existing scheme, the smart card side can perform mutual authentication with the server side only when both the smart card side and the server side store certificates issued by the same CA center, and thus the authentication of all certificates cannot be achieved.
Disclosure of Invention
An object of the embodiments of the present application is to provide a certificate authentication method, a code number downloading method, a device, a server, and a storage medium, so as to solve the problem in the prior art that certificate authentication cannot be performed if the server does not store a certificate issued by the same CA center as the one corresponding to the smart card.
The embodiment of the application provides a certificate authentication method, which is applied to a server side and comprises the following steps: receiving a certificate to be authenticated of the smart card; if the certificate to be authenticated is not a certificate issued by a first target CA center, acquiring a public key certificate of a second target CA center, to which the certificate to be authenticated belongs, from a superior trusted CA center; the first target CA center is a CA center which has issued a certificate to the server; the superior trusted CA center is any one of the first target CA centers; the superior trusted CA center and the second target CA center are located in the same trusted environment; and authenticating the certificate to be authenticated by using the public key certificate of the second target CA center.
In this implementation, a trusted environment between the CA centers is constructed in advance; then, when the server does not locally store the certificate corresponding to the smart card's certificate to be authenticated, the server can obtain the public key certificate of the CA center to which that certificate belongs from the trusted environment, so that certificate authentication of the smart card is realized. This solves the problem in the prior art that certificate authentication cannot be performed if the server does not store a certificate issued by the same CA center as the one corresponding to the smart card side. Furthermore, a mobile terminal user expects the smart card to be able to access all operator number servers and download all operator numbers. With the scheme of the embodiment of the application, when all legitimate CA centers have joined the trusted environment, the smart card and the server are freed from the limitation of having to store many certificates, and authentication of all certificates can be achieved through the above process, so that the user requirement is met.
Further, the trusted environment is a blockchain consisting of trusted CA centers; when acquiring the public key certificate of the second target CA center to which the certificate to be authenticated belongs from the superior trusted CA center, and before authenticating the certificate to be authenticated by using the public key certificate of the second target CA center, the method further comprises: acquiring link logic information of the blockchain and a trusted signature of the second target CA center from the superior trusted CA center, the link logic information comprising the connection relation of all CA centers in the blockchain; verifying the trusted signature of the second target CA center by using a public key of a third target CA center, the third target CA center being the CA center in the blockchain that signs the second target CA center; and determining that the verification is passed.
In this implementation, the CA centers form a blockchain, and decentralized management of the trusted environment of CA centers is realized based on blockchain technology. At the same time, trust verification of the second target CA center corresponding to the certificate to be authenticated is realized through the link logic information of the blockchain, so that the security of the obtained public key certificate is further ensured. In addition, although the link logic information of the blockchain includes the connection relationship of each CA center in the blockchain together with the public key and trusted signature of each CA center, the public key itself is public, so there is no security risk.
Further, before verifying the trusted signature of the second target CA center with the public key of the third target CA center, the method further comprises: determining the position of the second target CA center in the link logic information according to the unique center identifier of the second target CA center; and determining the third target CA center that signs the second target CA center according to the connection relation of all CA centers in the blockchain and a preset signature rule.
In this implementation, the position of the second target CA center can be quickly determined in the link logic information based on its unique center identifier, and then the third target CA center that signs the second target CA center can be quickly determined, so that the trust verification of the second target CA center proceeds normally. In addition, because the unique center identifier is not secret data of the CA center, the scheme of the application introduces no security risk.
Further, the signature rule is that the former CA center in the blockchain signs the latter CA center.
In this implementation, the former CA center in the blockchain signs the latter one, so that when a new CA center joins the blockchain the signatures are continued alternately according to a fixed rule; compared with having a fixed CA center sign every newly added CA center, this reduces the probability that a CA center's signature is cracked and improves the security of each CA in the blockchain.
Further, the trusted signature is obtained as follows: signing the unique certificate identifiers of all public key certificates in the CA center.
It should be understood that in practical applications, multiple public key certificates may be managed within one CA center. Signing the unique certificate identifiers of all public key certificates in the CA center makes it possible to verify the trustworthiness of any public key certificate of that CA center by signature verification when the certificate is requested. In addition, the public key certificate is public, and its unique certificate identifier is not secret data of the CA center, so the scheme of the application introduces no security risk.
The embodiment of the application also provides a code number downloading method, which is applied to a server and comprises the following steps: after the authentication according to the certificate authentication method is passed, generating a temporary public and private key pair according to the cryptographic system of the public key certificate; negotiating with the temporary private key of the temporary public and private key pair and the public key in the certificate to be authenticated to generate a session key; and encrypting the code number data with the session key and sending it.
Through this implementation, the server generates the temporary public and private key pair according to the cryptographic system of the public key certificate of the second target CA center, so that the generated temporary key pair matches the certificate to be authenticated of the smart card; this ensures normal encrypted transmission and identification of the subsequent code number data, and thus the security of the code number downloading process.
The embodiment of the present application further provides a certificate authentication apparatus, which is applied to a server and comprises a receiving module, an acquisition module and an authentication module. The receiving module is used for receiving a certificate to be authenticated of the smart card; the acquisition module is used for acquiring a public key certificate of a second target CA center, to which the certificate to be authenticated belongs, from a superior trusted CA center if the certificate to be authenticated is not a certificate issued by a first target CA center, where the first target CA center is a CA center which has issued a certificate to the server, the superior trusted CA center is any one of the first target CA centers, and the superior trusted CA center and the second target CA center are located in the same trusted environment; and the authentication module is used for authenticating the certificate to be authenticated by using the public key certificate of the second target CA center.
The embodiment of the present application further provides a code number downloading device, which is applied to a server and comprises a certificate authentication module, a generation module and an encryption module. The certificate authentication module is used for authenticating the certificate to be authenticated of the smart card according to the certificate authentication method; the generation module is used for generating a temporary public and private key pair according to the cryptographic system of the public key certificate after the authentication is passed, where the temporary private key in the temporary public and private key pair is used for negotiating with the public key in the certificate to be authenticated to generate a session key; and the encryption module is used for encrypting the code number data with the session key and sending the encrypted code number data.
The embodiment of the application also provides a server, which comprises a processor, a memory and a communication bus; the communication bus is used for realizing connection communication between the processor and the memory; the processor is configured to execute one or more programs stored in the memory to implement any one of the above-described certificate authentication methods or to implement the above-described code number download method.
There is also provided in an embodiment of the present application a computer-readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement the certificate authentication method of any one of the above or to implement the code number downloading method.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required for the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should therefore not be considered as limiting its scope; those skilled in the art can also obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic flowchart of a certificate authentication method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a CA center block chain according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of a code number downloading method according to an embodiment of the present application;
fig. 4 is a schematic specific flowchart illustrating a process from certificate authentication to code number downloading according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a certificate authentication apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a code number downloading device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The first embodiment is as follows:
In order to solve the problem in the prior art that certificate authentication cannot be performed if the server does not store a certificate issued by the same CA center as the one corresponding to the smart card side, the embodiment of the application provides a certificate authentication method. As shown in fig. 1, which is a schematic flowchart of a certificate authentication method provided in an embodiment of the present application, the method includes:
S101: receiving a certificate to be authenticated of the smart card.
It should be noted that, before executing the solution provided by the embodiment of the present application, the present application needs to construct a trusted environment between CA centers in advance.
The trusted environment is an environment in which CA centers trust each other and can be networked with each other with high security and trust.
In the embodiment of the application, when the trusted environment is constructed, offline verification and authentication can be performed by personnel such as engineers to ensure that a CA center to be added to the trusted environment is a trusted CA center backed by a genuine security entity. In addition, within the trusted environment, the CA centers are connected through a dedicated secure network, and each CA center can be given an independent network address in the trusted environment to ensure the security of network communication. Through these two measures, maliciously fabricated or counterfeit CA centers can be effectively prevented from joining the trusted environment.
In the embodiment of the present application, the trusted environment may be constructed in the form of, but not limited to, a blockchain.
For example, referring to fig. 2, in the embodiment of the present application, the blockchain formed by trusted CA centers may be constructed in the form shown in fig. 2.
In the blockchain, each node is the certificate server of a CA center, and for convenience of management, in this example the blockchain is managed by means of identifiers.
Taking the case shown in fig. 2 as an example, each node in the blockchain has a unique center identifier, and each root public key certificate (hereinafter, referred to as a public key certificate) under the node also has a unique certificate identifier (it should be understood that the node is characterized by a CA center, and a CA center generally manages therein a plurality of root public key certificates for issuing certificates, and in the embodiment of the present application, a unique certificate identifier may be assigned to each public key certificate).
It should be noted here that in an implementation manner of the embodiment of the present application, public key certificates under different nodes may have the same unique certificate identifier, but different public key certificates under the same node should have different unique certificate identifiers. In addition, in another implementation manner of the embodiment of the present application, it may also be set that all public key certificates under all nodes have different unique certificate identifications, so that management is facilitated.
It should be understood that each CA center holds an asymmetric public and private key pair for chain management; the public key of this pair is public, the private key is not, and the key pair is independent of the individual public key certificates of the CA center. The public key can therefore be used to derive the unique center identifier of the CA center: for example, the hash value of the public key can be calculated and used as the unique center identifier of the CA center.
For the unique certificate identifier of a public key certificate, the public key in the public key certificate may likewise be used: for example, the hash value of the public key in the public key certificate can be calculated and used as the unique certificate identifier of that public key certificate.
It should be understood that, in the embodiment of the present application, a unique center identifier may also be allocated to each CA center through a preset encoding specification or an identifier generation rule, or a unique certificate identifier may also be allocated to each public key certificate.
In this way, the whole blockchain is identified by the public key or the unique information of the public key certificate (namely, the unique center identification of the CA center and the unique certificate identification of the public key certificate), so that the data volume is small, and the authentication and the verification are convenient. And from the perspective of data security, there is no security risk because the public key itself is public.
In the embodiment of the application, in order to ensure the trustworthiness and security of the data acquired by the server, signatures can be made between CA centers in the trusted environment according to a preset signature rule to obtain a trusted signature. Then, when data is sent to the server, the trusted signature is sent along with it, so that the server can determine whether the received data is trusted by verifying the trusted signature, that is, by judging whether the trusted signature passes signature verification.
In the embodiment of the present application, the signature rule may be, but is not limited to, that one or more specific CA centers in the trusted environment sign another CA center.
Taking the blockchain shown in fig. 2 as an example, the signature rule may be that the former CA center in the blockchain signs the latter CA center, or that the first CA center in the blockchain signs all other CA centers. It should be understood that these are only two possible signature rules given as examples in the embodiments of the present application, and are not intended to limit the scheme of the embodiments.
In the embodiment of the present application, in order that the subsequent signature verification covers each public key certificate of the CA center, the unique certificate identifiers of all public key certificates of the CA center to be signed can be signed together to obtain the trusted signature.
It should be understood that each CA center maintains a separate asymmetric key pair for node addition, deletion, revocation and the like, and in this embodiment the CA center to be signed may be signed using the private key of that asymmetric key pair.
In the embodiment of the present application, when signing the unique certificate identifications of all public key certificates of the CA center to be signed, the unique certificate identifications of all public key certificates of the CA center to be signed may be accumulated or spliced to obtain one identification data, and then the identification data is signed.
After the trusted environment is built, the scheme of the embodiment of the application can be adopted to perform certificate authentication.
It should be understood that the certificate authentication scheme provided in the embodiments of the present application is applied to a server, such as a code number server. In actual use, the smart card (e.g., a Subscriber Identity Module (SIM) card, an embedded SIM (eSIM) card, etc.) is usually installed in an electronic device such as a terminal and connects to the server through the terminal, so as to send the certificate to be authenticated of the smart card to the server.
S102: if the certificate to be authenticated is not a certificate issued by the first target CA center, acquiring a public key certificate of a second target CA center, to which the certificate to be authenticated belongs, from the superior trusted CA center.
The first target CA center is a CA center that has issued a certificate to the server. The superior trusted CA center is any one of the first target CA centers. The second target CA center is the CA center that issued the certificate to be authenticated. In the embodiment of the present application, the superior trusted CA center must be located in the same trusted environment as the second target CA center; otherwise, the solution of the embodiment cannot be executed.
In the embodiment of the application, after receiving the certificate to be authenticated of the smart card, the server first determines whether a public key certificate corresponding to the certificate to be authenticated is stored locally (equivalently, it determines whether the certificate to be authenticated is a certificate issued by the first target CA center; the two checks achieve the same effect).
If the public key certificate corresponding to the certificate to be authenticated is stored locally (the certificate to be authenticated is a certificate issued by the first target CA center), authentication is performed in the existing manner.
However, if the public key certificate corresponding to the certificate to be authenticated is not stored locally (the certificate to be authenticated is not a certificate issued by the first target CA center), the server cannot perform authentication at present, and at this time, the server needs to obtain the public key certificate corresponding to the second target CA center to which the certificate to be authenticated belongs from the trusted environment.
In order to ensure security, in the embodiment of the present application, the server is accessed to the trusted environment through the upper trusted CA center. Because the upper-level trusted CA center is the CA center which has issued the certificate to the server, the trust relationship is established between the upper-level trusted CA center and the server, and the data interaction is more trusted.
In the embodiment of the application, in order to obtain the public key certificate of the second target CA center to which the certificate to be authenticated belongs from the superior trusted CA center, the server may parse the certificate to be authenticated so as to extract the unique center identifier of the second target CA center and the identifier corresponding to the certificate to be authenticated. These two identifiers may then be carried in a request sent to the superior trusted CA center, which forwards it to the second target CA center. The second target CA center returns the corresponding public key certificate to the superior trusted CA center according to the identifier of the certificate to be authenticated, and the public key certificate is then sent on to the server.
In order to ensure the security of the authentication process and prevent the use of counterfeit public key certificates, the link logic information of the trusted environment and the trusted signature of the second target CA center can be returned together with the corresponding public key certificate, so that the public key of the third target CA center is used to verify the trusted signature of the second target CA center, and the subsequent step S103 is executed only after the verification passes. If the verification fails, the received public key certificate is deemed untrustworthy, the authentication can be ended, and authentication failure information is returned.
It should be noted that the third target CA center mentioned above is the CA center that signs the second target CA center in the trusted environment. The link logic information mentioned above includes the connection relationship of each CA center in the trusted environment.
In this embodiment of the present application, the position of the second target CA center in the link logic information may be determined from the parsed unique center identifier of the second target CA center. The third target CA center that signs the second target CA center is then determined from the link logic information (the connection relationship of all CA centers in the trusted environment) and the signature rule used when the trusted environment was established.
In this embodiment, the link logic information may further include the public key each CA center uses for trusted signature verification. In that case, once the third target CA center has been determined from the signature rule and the link logic information, the public key for verifying the trusted signature of the second target CA center is known.
Alternatively, the link logic information may not carry the public keys used for trusted signature verification. In that case, once the third target CA center has been determined from the signature rule and the link logic information, the public key that the third target CA center uses for trusted signature verification may be obtained from the upper-level trusted CA center.
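To make this lookup concrete, here is an added Go example (not code from the patent) that models the link logic information as an ordered chain of CA centers, applies the signature rule described in the embodiments (the former center signs the latter, over the unique certificate identities of all its public key certificates) to locate the third target CA center, and verifies the trusted signature of the second target CA center with that center's public key. ECDSA P-256 with SHA-256, the hashing of the joined identities, and the sample center and certificate identifiers are assumptions; how the chain head is anchored is also an assumption, since the page does not say.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// CACenter is one node of the link logic information: the unique center
// identifier, the public key used to verify its trusted signature, the
// unique certificate identities it holds, and the trusted signature its
// predecessor placed over those identities.
type CACenter struct {
	CenterID   string
	PublicKey  *ecdsa.PublicKey // ECDSA P-256 is an assumption
	CertIDs    []string
	TrustedSig []byte
}

// LinkLogic is the connection relationship of the CA centers in the trusted
// environment, kept in chain order so that index i-1 signs index i.
type LinkLogic []CACenter

// signedContent is what the trusted signature covers: the unique certificate
// identities of all public key certificates in the center (encoding assumed).
func signedContent(c *CACenter) []byte {
	h := sha256.Sum256([]byte(strings.Join(c.CertIDs, "\n")))
	return h[:]
}

// indexOf returns the position of a center by its unique identifier, or -1.
func (l LinkLogic) indexOf(centerID string) int {
	for i := range l {
		if l[i].CenterID == centerID {
			return i
		}
	}
	return -1
}

// FindSigner applies the signature rule (the former center signs the latter)
// to return the third target CA center for the given second target center.
// The chain head has no predecessor; its key must be pinned out of band
// (an assumption, the page does not say how the head is anchored).
func (l LinkLogic) FindSigner(centerID string) (*CACenter, error) {
	i := l.indexOf(centerID)
	switch {
	case i < 0:
		return nil, fmt.Errorf("center %q not in link logic information", centerID)
	case i == 0:
		return nil, errors.New("chain head has no signing center")
	}
	return &l[i-1], nil
}

// VerifyTrustedSignature checks the trusted signature of the named center
// with the signing center's public key; false means the public key
// certificate obtained for that center must not be trusted.
func (l LinkLogic) VerifyTrustedSignature(centerID string) (bool, error) {
	signer, err := l.FindSigner(centerID)
	if err != nil {
		return false, err
	}
	target := &l[l.indexOf(centerID)]
	return ecdsa.VerifyASN1(signer.PublicKey, signedContent(target), target.TrustedSig), nil
}

// BuildSampleChain constructs a three-center trusted environment with fresh
// keys and made-up identifiers (sample data, not from the page), signing
// each center with its predecessor as the environment is established.
func BuildSampleChain() (LinkLogic, error) {
	certIDs := [][]string{
		{"A-cert-0001", "A-cert-0002"},
		{"B-cert-0001"},
		{"C-cert-0001", "C-cert-0002", "C-cert-0003"},
	}
	chain := LinkLogic{}
	var prev *ecdsa.PrivateKey
	for i, ids := range certIDs {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		c := CACenter{CenterID: fmt.Sprintf("CA-%c", 'A'+i), PublicKey: &key.PublicKey, CertIDs: ids}
		if prev != nil {
			if c.TrustedSig, err = ecdsa.SignASN1(rand.Reader, prev, signedContent(&c)); err != nil {
				return nil, err
			}
		}
		chain = append(chain, c)
		prev = key
	}
	return chain, nil
}
```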
S103: authenticate the certificate to be authenticated using the public key certificate of the second target CA center.
Authenticating a certificate with a public key certificate can be implemented with existing general technology and is not expanded on here.
After the certificate to be authenticated of the smart card has been authenticated by the certificate authentication method, the code number data may be downloaded by the code number downloading method shown in fig. 3.
The code number downloading method comprises the following steps:
S301: generate a temporary public and private key pair according to the cryptographic system of the public key certificate of the second target CA center.
It should be noted that, because the certificate to be authenticated of the smart card was issued by the second target CA center, the temporary public and private key pair must be generated according to the cryptographic system of that CA center's public key certificate in order to complete the subsequent encryption and decryption process together with the certificate to be authenticated; this ensures that the subsequent process runs normally.
S302: negotiate a session key using the temporary private key of the temporary public and private key pair and the public key in the certificate to be authenticated.
S303: encrypt the code number data with the session key and transmit the encrypted code number data.
In the embodiment of the present application, after the session key is generated, it may be used to perform block encryption on the profile (i.e., the code number data), and the encrypted profile ciphertext is sent to the smart card.
It should be noted that, to ensure the security of the profile downloading process, before the encrypted profile ciphertext is sent to the smart card, the session key may also be used to compute a signature over the smart card's unique identifier (e.g., its Electronic Identity (eID)), giving SIGN_DP. The temporary public key of the temporary public and private key pair and SIGN_DP are then returned to the smart card.
The smart card can use the temporary public key together with the private key belonging to its certificate to be authenticated to negotiate the same session key, then compute the signature over its own unique identifier with the session key and check whether SIGN_DP is correct. If it is correct, a verification-passed message can be returned, whereupon the server sends the encrypted profile ciphertext. Otherwise, the flow ends.
It should be understood that both the code number downloading method and the certificate authentication method are applied at the server. In most cases the server that implements code number data downloading and the server that implements certificate authentication are the same, so the certificate authentication method and the code number downloading method provided in the embodiment of the present application may be implemented by the same executing body. In some cases, however, they are different servers, and the two methods provided in the embodiment of the present application are then implemented on the two servers respectively.
In the certificate authentication method and code number downloading method provided by the embodiment of the application, a trusted environment between CA centers is constructed in advance, so that when the server does not locally store a certificate issued by the same CA center as the smart card's certificate to be authenticated, the server can obtain the public key certificate of the CA center to which the smart card's certificate belongs from the trusted environment, and authentication of the smart card's certificate is achieved. This solves the problem in the prior art that certificate authentication cannot be performed when the server does not store a certificate issued by the same CA center as the smart card. Furthermore, the mobile terminal user expects the smart card to be able to access all operators' code number servers and download all operators' code numbers. With the scheme of the embodiment of the application, once all legitimate CA centers have joined the trusted environment, the smart card and the server are freed from the limitation that each must store various certificates, and all certificates can be authenticated through the above process, meeting the user's requirements.
In addition, in the embodiment of the application, the server generates the temporary public and private key pair according to the cryptographic system of the public key certificate of the second target CA center, so that the generated temporary key pair is compatible with the smart card's certificate to be authenticated and can perform session key negotiation with it, thereby ensuring normal encrypted transmission and identification of the subsequent code number data and the security of the code number data downloading process.
Example two:
In this embodiment, based on the first embodiment, the specific code number data downloading process of an eSIM card (a smart card) is taken as an example to further illustrate the present application. The eSIM card is installed in a terminal, and the terminal connects to the server (in this embodiment a code number server, which provides certificate authentication and code number download services) through an LPA (Local Profile Assistant).
Referring to fig. 4, the whole process includes:
1. The LPA sends an information acquisition instruction to the eSIM card to request the eSIM card's eID, vendor certificate CERT_EUM and eSIM card certificate CERT_EUICC.
2. The eSIM card returns its eID, vendor certificate CERT_EUM and eSIM card certificate CERT_EUICC to the LPA.
3. The LPA sends a code number download request to the code number server; the request includes eID, CERT_EUM, CERT_EUICC and the terminal certificate CERT_LPA.
In the embodiment of the application, the terminal can obtain the network address of the code number server by scanning a code, by user input, by pre-configuration or in other ways, and so establish the connection.
In the embodiment of the present application, it is assumed that the certificates included in the code number download request sent by the LPA were issued by CA center A, and that only public key certificates issued by CA center B exist on the code number server.
4. After receiving the code number download request, the code number server checks the certificate data in the request.
In this embodiment, the code number server finds that the issuing CA centers differ, and requests CA center B to obtain the link logic information of the blockchain and the public key certificate of CA center A.
5. CA center B obtains the latest link logic information and the public key certificate of CA center A in real time and returns them to the code number server.
6. The code number server obtains the public key of the CA center preceding CA center A in the blockchain from the link logic information and verifies the trusted signature of CA center A.
After this verification passes, the validity of the CERT_EUM and CERT_LPA certificates is verified with the public key certificate of CA center A, and then the validity of the CERT_EUICC certificate is verified with CERT_EUM.
If the authentication fails, the process ends and the LPA is informed that the download application has failed.
If the authentication passes, a temporary public-private key pair eKEY_PUB (temporary public key) and eKEY_PRI (temporary private key) of the same cryptographic system as the public key certificate of CA center A is generated. Key agreement is performed with eKEY_PRI and the public key EUICC_PUB in CERT_EUICC to generate a session key S (a symmetric key); the profile is block-encrypted with S, and a signature over the eID is computed with S to obtain SIGN_DP. Finally, eKEY_PUB and SIGN_DP are returned to the LPA.
7. The LPA forwards eKEY_PUB and SIGN_DP to the eSIM card.
8. After receiving eKEY_PUB and SIGN_DP, the eSIM card performs key agreement between the private key of the CERT_EUICC certificate stored in the card and eKEY_PUB to generate the session key S, computes the signature over the eID with S, and checks whether SIGN_DP is correct. If it is not, the process ends and the LPA is notified that the request has failed. If it is correct, the verification result is returned to the LPA.
9. After receiving the verification-passed result, the LPA requests the code number server to start downloading the profile.
10. The code number server sends the encrypted profile to the LPA.
11. The LPA forwards the encrypted profile to the eSIM card.
12. After the eSIM card has decrypted and stored the profile, it returns the download result to the LPA.
13. The LPA may present the result to the user and notify the code number server.
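Steps S301 to S303 of the first embodiment and steps 6 to 8 above, carried through as an added Go example (not code from the patent or from the applicant): the server generates the temporary key pair on the same curve as EUICC_PUB, agrees S, computes SIGN_DP over the eID and encrypts the profile, and the card re-derives S from its CERT_EUICC private key and checks SIGN_DP before the profile is released. ECDH on P-256, SHA-256 as the derivation of S, HMAC-SHA-256 as the symmetric-key signature, AES-GCM as the block encryption, and the sample eID and profile are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ServerOffer is what the server returns to the LPA in step 6: eKEY_PUB and SIGN_DP.
type ServerOffer struct {
	EKeyPub []byte
	SignDP  []byte
}

// signEID computes SIGN_DP over the card's unique identifier (eID) under the
// session key S. S is symmetric, so the "signature" is an HMAC (an assumption).
func signEID(s, eid []byte) []byte {
	m := hmac.New(sha256.New, s)
	m.Write(eid)
	return m.Sum(nil)
}

// aeadFor builds the block cipher for the profile; AES-GCM is an assumption.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptProfile is the block encryption of the profile under S (step 6); a fresh nonce is prefixed.
func EncryptProfile(s, profile []byte) ([]byte, error) {
	gcm, err := aeadFor(s)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, profile, nil), nil
}

// DecryptProfile is the card-side inverse used in step 12.
func DecryptProfile(s, ct []byte) ([]byte, error) {
	gcm, err := aeadFor(s)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("profile ciphertext too short")
	}
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

// ServerNegotiate is S301-S302 (step 6) on the code number server: generate eKEY_PUB/eKEY_PRI
// on the same curve as EUICC_PUB, agree S, and sign the eID. S stays on the server for EncryptProfile.
func ServerNegotiate(euiccPub *ecdh.PublicKey, eid []byte) (ServerOffer, []byte, error) {
	ePriv, err := euiccPub.Curve().GenerateKey(rand.Reader) // same system as CERT_EUICC
	if err != nil {
		return ServerOffer{}, nil, err
	}
	shared, err := ePriv.ECDH(euiccPub)
	if err != nil {
		return ServerOffer{}, nil, err
	}
	s := sha256.Sum256(shared) // S derivation is assumed: SHA-256 of the shared secret
	return ServerOffer{EKeyPub: ePriv.PublicKey().Bytes(), SignDP: signEID(s[:], eid)}, s[:], nil
}

// CardVerify is step 8 on the eSIM card: re-derive S from the CERT_EUICC private key and
// eKEY_PUB, then check SIGN_DP over the card's own eID in constant time before step 9.
func CardVerify(cardPriv *ecdh.PrivateKey, eid []byte, offer ServerOffer) ([]byte, error) {
	ePub, err := cardPriv.Curve().NewPublicKey(offer.EKeyPub)
	if err != nil {
		return nil, fmt.Errorf("eKEY_PUB rejected: %w", err)
	}
	shared, err := cardPriv.ECDH(ePub)
	if err != nil {
		return nil, err
	}
	s := sha256.Sum256(shared)
	if !hmac.Equal(signEID(s[:], eid), offer.SignDP) {
		return nil, fmt.Errorf("SIGN_DP verification failed")
	}
	return s[:], nil
}

// NewSampleCard constructs an eSIM card for the demonstration: a P-256 CERT_EUICC key pair
// and a made-up eID (sample values, not from the page).
func NewSampleCard() (*ecdh.PrivateKey, []byte, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	return priv, []byte("eID-sample-0001"), err
}
```

Binding SIGN_DP to the eID means a server that negotiated S with some other card key cannot be mistaken for the genuine one, and the constant-time comparison keeps the check from leaking the expected value.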
With this scheme, trusted certificate authentication across different CA centers is achieved, the problem of authenticating certificates from different CA centers between the eSIM card and the code number server is solved, the eSIM card need not store a large number of certificates issued by CA centers, and a large amount of space is saved on the eSIM card.
Example three:
Based on the same inventive concept, the embodiment of the present application further provides a certificate authentication apparatus 500 and a code number downloading apparatus 600. Referring to fig. 5 and 6, fig. 5 shows a certificate authentication apparatus using the method shown in fig. 1, and fig. 6 shows a code number downloading apparatus using the method shown in fig. 3. It should be understood that the specific functions of the apparatus 500 and the apparatus 600 can be found in the above description; detailed description is omitted here as appropriate to avoid redundancy. The apparatus 500 and the apparatus 600 include at least one software functional module that can be stored in a memory in the form of software or firmware or built into the operating system of the apparatus 500, 600. Specifically:
referring to fig. 5, the apparatus 500 is applied to a server, and includes: a receiving module 501, an obtaining module 502 and an authenticating module 503. Wherein:
the receiving module 501 is configured to receive a certificate to be authenticated of a smart card;
the obtaining module 502 is configured to obtain, from a superior trusted CA center, a public key certificate of a second target CA center to which the certificate to be authenticated belongs if the certificate to be authenticated is not a certificate issued by a first target CA center; the first target CA center is a CA center which has issued a certificate to the server; the superior trusted CA center is any one of the first target CA centers; the superior trusted CA center and the second target CA center are positioned in the same trusted environment;
the authentication module 503 is configured to authenticate the certificate to be authenticated by using the public key certificate of the second target CA center.
In a possible implementation of the embodiment of the present application, the trusted environment is a blockchain formed by trusted CA centers.
When the public key certificate of the second target CA center to which the certificate to be authenticated belongs is obtained from the upper-level trusted CA center, and before the certificate to be authenticated is authenticated using that public key certificate, the obtaining module 502 is further configured to obtain the link logic information of the blockchain and the trusted signature of the second target CA center from the upper-level trusted CA center; the link logic information includes the connection relationship of each CA center in the blockchain.
The authentication module 503 is further configured to verify the trusted signature of the second target CA center using a public key of a third target CA center, and to determine that the verification has passed. The third target CA center is the CA center in the blockchain that signs the second target CA center.
In a feasible example of this implementation, before the trusted signature of the second target CA center is verified with the public key of the third target CA center, the obtaining module 502 is further configured to determine the position of the second target CA center in the link logic information according to the unique center identifier of the second target CA center, and to determine the third target CA center that signs the second target CA center according to the connection relationship of all CA centers in the blockchain and a preset signature rule.
In this embodiment of the present application, the signature rule is that the former CA center in the blockchain signs the latter CA center.
In the embodiment of the present application, the trusted signature is a signature over the unique certificate identities of all public key certificates in the CA center.
Referring to fig. 6, the apparatus 600 is applied to a server, and includes: a certificate authentication module 601, a generation module 602, and an encryption module 603. Wherein:
the certificate authentication module 601 is configured to authenticate a certificate to be authenticated of a smart card according to the certificate authentication method in the first embodiment;
the generating module 602 is configured to generate a temporary public and private key pair according to the cryptographic system of the public key certificate after the authentication passes, wherein the temporary private key in the temporary public and private key pair is used to negotiate with the public key in the certificate to be authenticated to generate a session key;
the encryption module 603 is configured to encrypt the code number data with the session key and send the encrypted code number data.
It should be understood that, for the sake of brevity, the contents described in some embodiments are not repeated in this embodiment.
Example four:
the present embodiment provides a server, which is shown in fig. 7 and includes a processor 701, a memory 702, and a communication bus 703. Wherein:
the communication bus 703 is used for connecting communication between the processor 701 and the memory 702.
The processor 701 is configured to execute one or more programs stored in the memory 702 to implement the certificate authentication method and/or the code number downloading method performed by the server in the first embodiment and/or the second embodiment.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative and that the server may include more or fewer components than shown in fig. 7 or have a different configuration than shown in fig. 7. For example, it also has components such as external communication interfaces.
The present embodiment further provides a computer-readable storage medium, such as a floppy disk, an optical disk, a hard disk, a flash memory, an SD card (Secure Digital Memory Card), an MMC (Multimedia Card), etc., in which one or more programs for implementing the above steps are stored; the one or more programs can be executed by one or more processors to implement the certificate authentication method and/or the code number downloading method executed by the server in the first embodiment and/or the second embodiment. This will not be described in detail here.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
In this context, a plurality means two or more.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A certificate authentication method is applied to a server side, and comprises the following steps:
receiving a certificate to be authenticated of the smart card;
if the certificate to be authenticated is not the certificate issued by the first target CA center, acquiring a public key certificate of a second target CA center to which the certificate to be authenticated belongs from a superior trusted CA center; the first target CA center is a CA center which has issued a certificate to the server; the superior trusted CA center is any one of the first target CA centers; the superior trusted CA center and the second target CA center are positioned in the same trusted environment;
authenticating the certificate to be authenticated by using the public key certificate of the second target CA center.
2. The certificate authentication method as claimed in claim 1, wherein the trusted environment is a blockchain constituted by trusted CA centers;
when acquiring the public key certificate of the second target CA center to which the certificate to be authenticated belongs from the upper trusted CA center, before authenticating the certificate to be authenticated by using the public key certificate of the second target CA center, the method further comprises:
acquiring link logic information of the block chain and a trusted signature of the second target CA center from the superior trusted CA center; the link logic information comprises the connection relation of all CA centers in the block chain;
verifying the trusted signature of the second target CA center by adopting a public key of a third target CA center; the third target CA center is a CA center in the block chain that signs the second target CA center;
determining that the verification is passed.
3. The certificate authentication method of claim 2, wherein prior to verifying the trusted signature of the second target CA center with a public key of a third target CA center, the method further comprises:
according to the unique center identification of the second target CA center, determining the position of the second target CA center in the link logic information;
determining a third target CA center for signing the second target CA center according to the connection relation of all CA centers in the block chain and a preset signature rule.
4. The certificate authentication method according to claim 3, wherein the signature rule is that a former CA center in the block chain signs a latter CA center.
5. A certificate authentication method according to any one of claims 2-4, characterized in that the trusted signature is a signature over the unique certificate identities of all public key certificates in the CA center.
6. A code number downloading method is characterized by being applied to a server and comprising the following steps:
after the certificate authentication method according to any one of claims 1 to 5 has passed the authentication, generating a temporary public and private key pair according to the cryptographic system of the public key certificate;
negotiating with a temporary private key in the temporary public and private key pair and a public key in the certificate to be authenticated to generate a session key;
encrypting and sending the code number data by using the session key.
7. A certificate authentication device is applied to a server side and comprises: the system comprises a receiving module, an obtaining module and an authentication module;
the receiving module is used for receiving a certificate to be authenticated of the smart card;
the acquisition module is used for acquiring a public key certificate of a second target CA center to which the certificate to be authenticated belongs from a superior trusted CA center if the certificate to be authenticated is not a certificate issued by a first target CA center; the first target CA center is a CA center which has issued a certificate to the server; the superior trusted CA center is any one of the first target CA centers; the superior trusted CA center and the second target CA center are positioned in the same trusted environment;
the authentication module is used for authenticating the certificate to be authenticated by using the public key certificate of the second target CA center.
8. A code number downloading device is characterized by being applied to a server side and comprising: the system comprises a certificate authentication module, a generation module and an encryption module;
the certificate authentication module is used for authenticating the certificate to be authenticated of the smart card according to the certificate authentication method of any one of claims 1 to 5;
the generation module is used for generating a temporary public and private key pair according to the cryptographic system of the public key certificate after the authentication has passed, wherein the temporary private key in the temporary public and private key pair is used for negotiating with the public key in the certificate to be authenticated to generate a session key;
the encryption module is used for encrypting the code number data with the session key and sending the encrypted code number data.
9. A server, comprising: a processor, a memory, and a communication bus;
the communication bus is used for realizing connection communication between the processor and the memory;
the processor is configured to execute one or more programs stored in the memory to implement the certificate authentication method of any one of claims 1-5 or to implement the code number download method of claim 6.
10. A computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the certificate authentication method as claimed in any one of claims 1 to 5, or to implement the code number download method as claimed in claim 6.
CN202111214327.5A 2021-10-19 2021-10-19 Certificate authentication method, code number downloading method, device, server and storage medium Active CN113824566B (en)

Publications (2)

Publication Number Publication Date
CN113824566A true CN113824566A (en) 2021-12-21
CN113824566B CN113824566B (en) 2022-12-02

Family

ID=78916981


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant