CN114598455A - Method, device, terminal entity and system for signing and issuing digital certificate - Google Patents


Publication number
CN114598455A
Authority
CN
China
Prior art keywords
certificate
terminal entity
digital signature
terminal
public key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011402744.8A
Other languages
Chinese (zh)
Inventor
易孟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202011402744.8A
Priority to PCT/CN2021/125960 (WO2022116734A1)
Publication of CN114598455A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method, an apparatus, a terminal entity and a system for issuing a digital certificate. In the method, a proxy device receives a terminal entity certificate authorization request, sent by a terminal entity, that contains a first terminal entity public key. Because the proxy device holds an intermediate certificate, it can issue digital certificates for terminal entities: according to the request, it generates a first terminal entity certificate for the first terminal entity public key, digitally signs that certificate with a first proxy device private key to obtain the digital signature value of the first terminal entity certificate, and generates and sends a terminal entity certificate authorization response to the terminal entity. The proxy device thereby issues the first terminal entity certificate. Because there can be multiple proxy devices, a large number of terminal entities no longer have to request the single CA server to authenticate their digital certificates, which reduces the load on the CA server and saves network bandwidth resources.

Description

Method, device, terminal entity and system for signing and issuing digital certificate
Technical Field
The embodiment of the invention relates to the technical field of information technology and communication, in particular to a method, a device, a terminal entity and a system for issuing a digital certificate.
Background
Communication between communication devices generally requires mutual trust, and such communication can be regarded as communication across trust domains. A communication device may also be referred to as a network entity (NE). Communication among the multiple boards inside one communication device is generally regarded as communication within the same trust domain, and inter-board communication provides no security function. As network attack techniques continue to develop, the requirements on the system security and resilience of communication devices keep rising, and the security of inter-board communication becomes increasingly important.
To secure communication between the boards of a communication device, protocols such as Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS), Internet Protocol Security (IPsec), and Media Access Control Security (MACsec) are generally used. These protocols typically use digital certificates as proof of identity between the communicating parties, which requires that each service board on the device can present its own digital certificate identity.
When a massive number of terminal entities, such as service boards, each request a Certificate Authority (CA) server to issue a digital certificate, the CA server has to issue digital certificates for all of them, which may overload the CA server and consume a large amount of network bandwidth resources.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, a terminal entity and a system for issuing a digital certificate, in which a CA server authorizes a proxy device by sending it an intermediate certificate, and the proxy device issues a terminal entity certificate to each terminal entity, so that the terminal entities do not need to request the CA server to authorize, authenticate and issue their digital certificates, which reduces the burden on the CA server.
In a first aspect, a method for issuing a digital certificate is provided. The terminal entity generates in advance a key pair consisting of a first terminal entity public key and a first terminal entity private key, and the proxy device generates in advance a key pair consisting of a first proxy device public key and a first proxy device private key. The proxy device receives a terminal entity certificate authorization request sent by the terminal entity; the request contains the first terminal entity public key. Because the proxy device holds an intermediate certificate, it can issue a digital certificate for the terminal entity: according to the request, the proxy device generates a first terminal entity certificate for the first terminal entity public key, digitally signs the first terminal entity certificate with the first proxy device private key to obtain the digital signature value of the first terminal entity certificate, generates a terminal entity certificate authorization response, and returns that response to the terminal entity. The proxy device thereby issues the first terminal entity certificate.
The terminal entity certificate authorization response contains the first terminal entity certificate and the certificate chain of the first terminal entity certificate. The first terminal entity certificate contains the first terminal entity public key and the digital signature value of the first terminal entity certificate. The certificate chain of the first terminal entity certificate is used to verify whether that digital signature value is correct, and contains a CA root certificate and a first intermediate certificate. The first intermediate certificate is issued to the proxy device by the CA server and contains the first proxy device public key, so that the proxy device holding the first intermediate certificate can issue digital certificates for terminal entities.
With this scheme, a proxy device that holds an intermediate certificate can issue digital certificates to the terminal entities. A digital certificate management system generally has only one CA server, whereas there may be a plurality of proxy devices, so a large number of terminal entities no longer have to request the single CA server to authenticate their digital certificates; this reduces the load on the CA server and also saves network bandwidth resources. In addition, because there may be a plurality of proxy devices, they can be deployed near the terminal entities and can therefore provide secure, fast and convenient digital certificate authentication to the terminal entities.
In one possible implementation, the method further includes: the proxy device sends an intermediate certificate authorization request containing the first proxy device public key to the CA server, and receives an intermediate certificate authorization response sent by the CA server. The intermediate certificate authorization response contains the first intermediate certificate and the certificate chain of the first intermediate certificate. The first intermediate certificate contains the first proxy device public key and the digital signature value of the first intermediate certificate; the certificate chain of the first intermediate certificate contains the CA root certificate, and the CA root certificate contains the CA root public key. The digital signature value of the first intermediate certificate is obtained by the CA server digitally signing the first intermediate certificate with the CA root private key, and the CA root public key and the CA root private key are a key pair generated by the CA server. The proxy device verifies, using the certificate chain of the first intermediate certificate, that the digital signature value of the first intermediate certificate is correct. The CA server can thus issue an intermediate certificate to the proxy device, so that the proxy device holding the intermediate certificate can issue terminal entity certificates to the terminal entities.
In one possible implementation, the method further includes: when the terminal entity needs to update its terminal entity certificate, the terminal entity generates a new key pair: a second terminal entity public key and a second terminal entity private key. The proxy device receives a first certificate update request, sent by the terminal entity, that contains the second terminal entity public key; generates a second terminal entity certificate for the second terminal entity public key according to the first certificate update request; digitally signs the second terminal entity certificate with the first proxy device private key to obtain the digital signature value of the second terminal entity certificate; and generates and sends a first certificate update response to the terminal entity. The first certificate update response contains the second terminal entity certificate and the certificate chain of the second terminal entity certificate. The second terminal entity certificate contains the second terminal entity public key and the digital signature value of the second terminal entity certificate. The certificate chain of the second terminal entity certificate is used to verify whether that digital signature value is correct, and contains the CA root certificate and the first intermediate certificate. When the terminal entity certificate needs to be updated, the terminal entity does not need to request the update from the CA server; it only needs to request it from a proxy device located near the terminal entity. Therefore, a massive number of terminal entities no longer request digital certificate updates from the single CA server, which reduces the load on the CA server and saves network bandwidth resources.
In one possible implementation, the method further includes: when the proxy device needs to update the intermediate certificate, the proxy device generates a new key pair: a second proxy device public key and a second proxy device private key. The proxy device sends a second certificate update request containing the second proxy device public key to the CA server, and receives a second certificate update response sent by the CA server. The second certificate update response contains a second intermediate certificate and the certificate chain of the second intermediate certificate; the second intermediate certificate contains the second proxy device public key and the digital signature value of the second intermediate certificate, which is obtained by the CA server digitally signing the second intermediate certificate with the CA root private key. When the proxy device verifies, using the certificate chain of the second intermediate certificate, that the digital signature value of the second intermediate certificate is correct, the proxy device replaces the first intermediate certificate with the second intermediate certificate. When the intermediate certificate needs to be updated, the proxy device promptly requests the CA server to update it, so that the intermediate certificate is updated in time.
In one possible implementation, the method further includes: after the intermediate certificate is updated, the terminal entity needs to request the proxy device to update and reissue its terminal entity certificate. The proxy device receives a third certificate update request, sent by the terminal entity, that contains the first terminal entity public key; generates a third terminal entity certificate for the first terminal entity public key according to the third certificate update request; digitally signs the third terminal entity certificate with the second proxy device private key to obtain the digital signature value of the third terminal entity certificate; and generates and sends a third certificate update response to the terminal entity. The third certificate update response contains the third terminal entity certificate and the certificate chain of the third terminal entity certificate. The third terminal entity certificate contains the first terminal entity public key and the digital signature value of the third terminal entity certificate. The certificate chain of the third terminal entity certificate is used to verify whether that digital signature value is correct, and contains the CA root certificate and the second intermediate certificate. After the intermediate certificate is updated, the proxy device issues a new terminal entity certificate to the terminal entity again, so that the validity of the terminal entity certificate is maintained.
In one possible implementation, the method further includes: verifying, using the certificate chain of the second intermediate certificate, that the digital signature value of the second intermediate certificate is correct, specifically as follows. The proxy device uses the CA root public key to verify whether the digital signature value of the CA root certificate is correct, and determines that the second intermediate certificate is incorrect when the digital signature value of the CA root certificate is verified to be incorrect. When the digital signature value of the CA root certificate is verified to be correct, the proxy device uses the CA root public key to verify whether the digital signature value of the second intermediate certificate is correct; when it is verified to be incorrect, the second intermediate certificate is determined to be incorrect, and when it is verified to be correct, the second intermediate certificate is determined to be correct.
In a second aspect, the present invention provides a method for issuing a digital certificate. The terminal entity generates in advance a key pair consisting of a first terminal entity public key and a first terminal entity private key, and the proxy device generates in advance a key pair consisting of a first proxy device public key and a first proxy device private key. The terminal entity sends a terminal entity certificate authorization request containing the first terminal entity public key to the proxy device, and receives a terminal entity certificate authorization response sent by the proxy device. The terminal entity certificate authorization response contains a first terminal entity certificate and the certificate chain of the first terminal entity certificate; the first terminal entity certificate contains the first terminal entity public key and the digital signature value of the first terminal entity certificate, and the certificate chain of the first terminal entity certificate is used to verify whether that digital signature value is correct. The terminal entity verifies, using the certificate chain of the first terminal entity certificate, whether the digital signature value of the first terminal entity certificate is correct.
With this scheme, a proxy device that holds an intermediate certificate can issue digital certificates to the terminal entities. A digital certificate management system generally has only one CA server, whereas there may be a plurality of proxy devices, so a large number of terminal entities no longer have to request the single CA server to authenticate their digital certificates; this reduces the load on the CA server and also saves network bandwidth resources. In addition, because there may be a plurality of proxy devices, they can be deployed near the terminal entities and can therefore provide secure, fast and convenient digital certificate authentication to the terminal entities.
In one possible implementation, the method further includes: the terminal entity regenerates a key pair: a second terminal entity public key and a second terminal entity private key. The terminal entity sends a first certificate update request containing the second terminal entity public key to the proxy device, and receives a first certificate update response sent by the proxy device. The first certificate update response contains a second terminal entity certificate and the certificate chain of the second terminal entity certificate; the second terminal entity certificate contains the second terminal entity public key and the digital signature value of the second terminal entity certificate, and the certificate chain of the second terminal entity certificate is used to verify whether that digital signature value is correct. When the terminal entity verifies, using the certificate chain of the second terminal entity certificate, that the digital signature value of the second terminal entity certificate is correct, it replaces the first terminal entity certificate with the second terminal entity certificate. When the terminal entity certificate needs to be updated, the terminal entity does not need to request the update from the CA server; it only needs to request it from a proxy device near the terminal entity. Therefore, a massive number of terminal entities no longer request digital certificate updates from the single CA server, which reduces the load on the CA server and saves network bandwidth resources.
In one possible implementation, the method further includes: when the proxy device needs to update the intermediate certificate, the proxy device generates a new key pair: a second proxy device public key and a second proxy device private key. The terminal entity sends a third certificate update request containing the first terminal entity public key to the proxy device, and receives a third certificate update response sent by the proxy device. The third certificate update response contains a third terminal entity certificate and the certificate chain of the third terminal entity certificate; the third terminal entity certificate contains the first terminal entity public key and the digital signature value of the third terminal entity certificate, and the certificate chain of the third terminal entity certificate is used to verify whether that digital signature value is correct. When the terminal entity verifies, using the certificate chain of the third terminal entity certificate, that the digital signature value of the third terminal entity certificate is correct, it replaces the first terminal entity certificate with the third terminal entity certificate. After the intermediate certificate is updated, the proxy device issues a new terminal entity certificate to the terminal entity again, so that the validity of the terminal entity certificate is maintained.
In one possible implementation, the method further includes: the certificate chain of the first terminal entity certificate contains a certificate authority (CA) root certificate and a first intermediate certificate, and verifying, using that certificate chain, whether the digital signature value of the first terminal entity certificate is correct specifically includes the following. The CA root public key is used to verify whether the digital signature value of the CA root certificate is correct; when it is verified to be incorrect, the first terminal entity certificate is determined to be incorrect. When the digital signature value of the CA root certificate is verified to be correct, the CA root public key is used to verify whether the digital signature value of the first intermediate certificate is correct; when it is verified to be incorrect, the first terminal entity certificate is determined to be incorrect. When the digital signature value of the first intermediate certificate is verified to be correct, the first proxy device public key contained in the first intermediate certificate is used to verify whether the digital signature value of the first terminal entity certificate is correct; when it is verified to be incorrect, the first terminal entity certificate is determined to be incorrect, and when it is verified to be correct, the first terminal entity certificate is determined to be correct.
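The issuance and update flow of the first aspect and the three-step chain verification of the second aspect, as an added Go example that is not code from the patent. ECDSA P-256 keys, the names `Response`, `respond`, `Verify` and `Demo`, and the subject names are assumptions; the verifier's CA root public key is assumed to be provisioned in advance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Response models an authorization/update response: the certificate plus its chain.
type Response struct {
	Cert, Root, Inter *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate over pub with signer; parent == nil self-signs (CA root).
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// sigOK checks c's digital signature value against pub (ECDSA with SHA-256 here).
func sigOK(c *x509.Certificate, pub *ecdsa.PublicKey) bool {
	d := sha256.Sum256(c.RawTBSCertificate)
	return c.SignatureAlgorithm == x509.ECDSAWithSHA256 && ecdsa.VerifyASN1(pub, d[:], c.Signature)
}

// Verify follows the page's order: CA root, intermediate, then terminal entity certificate.
func Verify(rootPub *ecdsa.PublicKey, r Response) error {
	if !sigOK(r.Root, rootPub) {
		return errors.New("step 1: CA root certificate signature incorrect")
	}
	if !sigOK(r.Inter, rootPub) {
		return errors.New("step 2: intermediate certificate signature incorrect")
	}
	proxyPub, ok := r.Inter.PublicKey.(*ecdsa.PublicKey)
	if !ok || !sigOK(r.Cert, proxyPub) {
		return errors.New("step 3: terminal entity certificate signature incorrect")
	}
	return nil
}

// respond is the proxy device side: sign the requester's public key, attach the chain.
func respond(proxyKey *ecdsa.PrivateKey, root, inter *x509.Certificate, cn string, pub *ecdsa.PublicKey) Response {
	return Response{issue(cn, false, pub, inter, proxyKey), root, inter}
}

// Demo walks issuance, intermediate update and re-issuance with constructed keys and names.
func Demo() (first, reissued, staleChain, wrongRoot error) {
	ca, k1, k2, te := newKey(), newKey(), newKey(), newKey()
	root := issue("Demo CA root", true, &ca.PublicKey, nil, ca)
	inter1 := issue("Demo proxy", true, &k1.PublicKey, root, ca) // first intermediate certificate
	inter2 := issue("Demo proxy", true, &k2.PublicKey, root, ca) // second, after the proxy key update
	r1 := respond(k1, root, inter1, "board-1", &te.PublicKey)    // authorization response
	r3 := respond(k2, root, inter2, "board-1", &te.PublicKey)    // third update response, same public key
	first, reissued = Verify(&ca.PublicKey, r1), Verify(&ca.PublicKey, r3)
	staleChain = Verify(&ca.PublicKey, Response{r3.Cert, root, inter1}) // step 3 fails: signed by second proxy key
	wrongRoot = Verify(&newKey().PublicKey, r3)                         // step 1 fails: not the provisioned root key
	return
}

func main() {
	fmt.Println(Demo())
}
```

The example checks signatures only, as the page's steps do; a deployed verifier would also check validity periods and the CA basic constraint, which Go's `x509.Certificate.Verify` covers.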
In a third aspect, the present application provides a digital certificate issuing apparatus, which includes one or more units and is configured to implement the digital certificate issuing method according to the first aspect.
In a fourth aspect, the present application provides an end entity, which includes one or more modules, and is configured to implement the method for issuing a digital certificate according to the second aspect.
In a fifth aspect, the present application provides a computer-readable storage medium having stored thereon a computer program or instructions which, when executed by a proxy device, cause the proxy device to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a sixth aspect, the present application provides a computer-readable storage medium comprising a computer program or instructions which, when executed by a terminal entity, cause the terminal entity to perform the method of the second aspect or any possible implementation manner of the second aspect.
Drawings
Fig. 1 is a schematic diagram illustrating a chain relationship of certificate chains according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a digital certificate management system according to an embodiment of the present invention;
Fig. 3 is a flowchart of digital certificate issuance according to an embodiment of the present invention;
Fig. 4 is a flowchart of a digital certificate update according to an embodiment of the present invention;
Fig. 5 is a flowchart of a digital certificate update according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an apparatus for issuing a digital certificate according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a terminal entity according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an apparatus for issuing a digital certificate according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a terminal entity according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Hereinafter, some terms in the present application will be explained. It should be noted that these explanations are for the convenience of those skilled in the art, and do not limit the scope of protection claimed in the present application.
Symmetric encryption algorithm: the encryptor and the decryptor encrypt and decrypt information using the same rule.
Asymmetric encryption algorithm: also known as public key cryptography or double key cryptography. An asymmetric encryption algorithm requires two keys: a public key and a private key. The public key and the private key are a pair: if the public key is used to encrypt data, only the corresponding private key can be used for decryption, and if the private key is used to encrypt data, only the corresponding public key can be used for decryption. Since two different keys are used for encryption and decryption. The current typical asymmetric encryption algorithm is the RSA algorithm, designed by three scientists, Rivest, Shamir, and Adleman. The RSA cryptosystem is a public key cryptosystem: the public key is open, the private key is secret, and the encryption and decryption algorithm of the RSA cryptosystem is open. Content encrypted by the public key can be, and only can be, decrypted by the private key, and content encrypted by the private key can be, and only can be, decrypted by the public key. That is, the pair of public and private keys of RSA can be used for encryption and decryption, and the content encrypted by one key can be decrypted by, and only by, the other.
Digital signature: also known as a public key digital signature. It is data appended to a data unit, or a cryptographic transformation of the data unit, which can prove that the data unit has not been modified. Such data or transformations allow the recipient of the data unit to verify the source and the integrity of the data unit and protect the data against forgery by a person (e.g., the recipient). It is a method of signing a message in electronic form, and a signed message can be transmitted in a communication network. The digital signature can be obtained based on both the public key cryptosystem and the private key cryptosystem.
Public key infrastructure (PKI): also known as public crypto key infrastructure. PKI is a versatile security infrastructure that is implemented using asymmetric cryptographic algorithms and techniques and provides network security services, for the purpose of creating, managing, distributing, using, storing, and revoking certificates. The PKI links a user's personal identity with a public key by means of a CA authority. The identity of the user must be unique within each certificate authority. The link relationships are created through a registration and publication process, which, depending on the level of assurance, may be done by software of the CA authority or under human supervision. This role of PKI in determining link relationships is called the registration authority (RA). The RA authority ensures that the public key and the personal identity are linked and can be protected against repudiation. PKI is generally composed of the following parts: CA authority, RA authority, certificate repository, key backup and recovery system, certificate revocation processing system, application system interface, and certificates.
CA authority: the CA authority is the core enforcement authority of PKI, also known as a certificate authority or CA server. The CA authority is responsible for issuing certificates, certifying certificates and managing issued certificates. In particular, the CA authority may establish policies and specific steps to verify and identify the identity of users and to sign user certificates, so as to ensure the certificate holder's identity and ownership of the public key; it is an authoritative, trusted and impartial third party. CA authorities also have a hierarchical structure. In a large PKI facility the number of users is large, so the load on a single CA authority performing certificate verification and issuance may be high, and CA authorities need to be deployed hierarchically. In a hierarchical deployment, a top-down chain of trust certificates needs to be established among all CA authorities: a subordinate CA authority trusts its superior CA authority, and the certificate of the subordinate CA authority is issued and authenticated by the superior CA authority. The hierarchical relationships can be seen in the certificate chain.
RA authority: a component of the CA authority, responsible for certificate application, registration, examination and approval, correction, and management. The RA authority also has a hierarchical structure, and the registration headquarters is responsible for summarizing certificate application registrations. The RA authority is the CA authority's window to users and is responsible for receiving users' certificate applications and verifying users' identities. In practice, the RA authority in a PKI is not independent, but is incorporated with the CA authority.
Digital certificate: a file that is digitally signed by an issuing authority and contains the public key and information about the owner of the public key; the certificate is the technical foundation of digital signatures. A certificate generally contains a certificate version, a certificate serial number, a certificate signing algorithm, issuer information, a certificate validity period, a public key and user information. The certificate serial number is assigned by the issuer and is guaranteed to be unique within the scope of use of the certificate; the certificate validity period comprises the time at which the certificate takes effect and the time at which it becomes invalid; issuer information is determined by the issuer, and user information is determined by the certificate applicant. The certificate may also contain key usage, certificate type, extended key usage, and a certificate revocation list distribution point, where key usage represents the functions and services that the public key of the certificate can support, such as certificate signature, key encryption, data encryption, key agreement, and certificate revocation list (CRL) signature. Certificate signature and CRL signature are key usages that only a CA certificate can have; therefore, although the key usage extension field is optional, it is an indispensable critical extension for a root CA, which must have both the certificate signature and the CRL signature key usages.
The certificate types are root certificate (root certificate), intermediate certificate (intermediate certificate) and terminal entity certificate (end-entity certificate), wherein the root certificate is a certificate issued by a CA authority, the digital signature of the root certificate is issued by a root private key, so that the signature of the root certificate can be verified by using a root public key, and the digital signature of the root certificate is usually called self-signature. The intermediate certificate is issued by a CA (certificate authority), the name of the root certificate is contained in the intermediate certificate, and the signature of the intermediate certificate is digitally signed by using a root private key, so that the legality of the intermediate certificate needs to be verified by using a root public key. The terminal entity certificate is signed and issued by an intermediate certificate owner, the terminal entity certificate comprises the name of the intermediate certificate, and the digital signature of the terminal entity certificate is signed and issued by an intermediate private key, so that the intermediate public key is required to verify the validity of the terminal entity certificate. The root certificate or intermediate certificate has the ability to issue a certificate for its next level certificate, typically only one level, in which case the intermediate certificate may be referred to as a secondary certificate, although the intermediate certificate may have multiple levels. The terminal entity certificate does not have the authorization capability of issuing the certificate, and only has the function of proving the identity of the terminal entity, and what needs to be explained is that: the terminal entity includes various devices for proving the identity of the terminal entity by using a terminal entity certificate, such as a mobile phone, a computer, a single board, a server, network equipment and the like.
A certificate chain is an ordered list of certificates that expresses the trust relationship between certificates. It generally has a three-level structure: a root certificate, an intermediate certificate, and a terminal entity certificate. As shown in Fig. 1, the terminal entity certificate is at the bottom of the certificate chain, and the terminal entity certificate includes terminal entity information, a terminal entity public key, a digital signature value, and the like. The upper level of the terminal entity certificate is an intermediate certificate, that is, the terminal entity certificate is issued by an authority possessing an intermediate certificate. The intermediate certificate is issued by the CA authority. Fig. 1 shows only one intermediate certificate, but the certificate chain may have a plurality of intermediate certificates, where the uppermost intermediate certificate is issued by the root certificate, the lowermost intermediate certificate is used for issuing the terminal entity certificate, and the root certificate is self-issued by the CA authority. When the identity of a terminal entity is verified, the legitimacy of each certificate issuer in the whole certificate chain needs to be verified: the issuer's certificate is looked up layer by layer along the certificate chain until a self-signed root certificate is found, and then the correctness of the digital signature value of each next level is verified with the corresponding public key. When the digital signature value of every level of certificate is verified to be correct, the terminal entity certificate is correct.
The Certificate Management Protocol (CMP) is an Internet protocol governing the interaction between a client (the owner and user of a certificate) and a CA authority (the issuer of the certificate) during certificate application and renewal operations in the PKI system. CMP has evolved to a second version, CMPv2 for short.
As shown in fig. 2, a network system architecture provided in an embodiment of the present invention includes: a CA server and a plurality of NEs, wherein the NEs may further include a service board (service board) and a control board (main control board), and a certificate management agent (certificate management agent) may be installed on the service board and the control board. Currently, the security of communications between different network elements is increased by means of cryptographic algorithms.
Generally, each service board in the NE may independently request a certificate issuance or certificate update service from the CA server. The specific flow of the certificate service may include the following. When leaving the factory, all boards, including service boards and control boards, are preset with an initial terminal entity certificate and an initial certificate chain that indicate the identity of the board. The initial certificate chain comprises the initial intermediate certificate and the initial root certificate used to issue the initial terminal certificate; the initial terminal entity certificate is usually issued by the network equipment manufacturer, not by the CA server. After the control board and the service board come online, they establish a secure communication channel using the preset initial terminal entity certificates as identity credentials. Various security protocols can be used to establish the secure channel, for example TLS/DTLS/MACSEC. Then, the control board and the service board may each request the CA server to issue a new certificate (i.e., a terminal entity certificate authenticated by the CA server), and the CA server returns the authenticated certificates to the control board and the service board, respectively. The control board and the service board replace the preset initial terminal entity certificates with the authenticated terminal entity certificates, so that the authenticated terminal entity certificates can be used as the authentication credentials for communication between the control board and the service board.
However, the above process of each board requesting the CA server to issue a certificate may have the following technical problems: because of the numerous communication devices in the existing network, the number of the service boards of the communication device is more than tens of times of the number of the communication devices. If each service single board or control single board independently applies for the authenticated terminal entity certificate from the CA server, the CA server may be overloaded, the management network traffic may be increased, and more network bandwidth may be occupied.
Based on the above technical problem, the embodiment of the present invention discloses a new method for acquiring a certificate, and for convenience of description, different stages of certificate acquisition are described below with 4 different embodiments.
Example one
When the network device leaves the factory, the device manufacturer may pre-configure, for each terminal entity (e.g., a service board) and for the proxy device (e.g., a control board), an initial terminal entity certificate and an initial certificate chain of the device itself, where the initial certificate chain includes the initial intermediate certificate and the initial root certificate that issue the initial terminal certificate. When the terminal entity operates normally, the administrator can load the CA root certificate of the CA server onto the proxy device in the network device. The CA root certificate includes the CA root public key and is a digital certificate self-signed by the CA server using the CA root private key; the CA root public key and the CA root private key form the first key pair, which is generated by the CA server. The CA root public key may be used to verify whether the digital signature value of a message sent by the CA server to the proxy device is correct, where the digital signature value is signed with the CA root private key. It should be noted that the proxy device may also be loaded with a CA certificate chain; for convenience of description, the following takes loading only a CA root certificate as an example. If a CA certificate chain is loaded, whether the digital signature value of the digital certificate at each level is correct needs to be verified using the digital certificates and public keys of each level included in the certificate chain; the process of verifying level by level with the certificate chain is described in detail in step 308 below.
Similarly, the CA server may import an initial terminal entity certificate and an initial certificate chain of the preset proxy device, where the initial terminal entity certificate of the preset proxy device includes the initial proxy device public key, the terminal entity certificate of the preset proxy device is a digital certificate issued by the network device or an authority trusted by the network device using the initial proxy device private key included in the second key pair, and the second key pair includes the initial proxy device public key and the initial proxy device private key. The initial proxy device public key of the initial terminal entity certificate of the preset proxy device is used for verifying whether the digital signature value of the message sent to the CA server by the proxy device is correct or not, and the digital signature is signed by the initial proxy device private key.
As shown in fig. 3, the method for implementing digital certificate issuance by a proxy device includes:
Step 301: the proxy device generates a third key pair for the proxy device itself, the third key pair including the first proxy device public key and the first proxy device private key. Various methods for generating a key pair exist in the prior art, and details are not described here.
The proxy device constructs an intermediate certificate authorization request, the intermediate certificate authorization request comprises applicant information (namely the information of the proxy device, such as the name of the proxy device) and a public key of the first proxy device, the initial proxy device private key is used for carrying out digital signature on the intermediate certificate authorization request, and then the digitally signed intermediate certificate authorization request is sent to the CA server. The intermediate certificate authorization request may be carried in a CMP message, a CMPv2 message, or other message type message, such as: the CMPv2 message is specifically an Initialization Request (IR).
Step 302: the CA server receives the intermediate certificate authorization request and verifies whether the digital signature value of the intermediate certificate authorization request is correct by using the initial proxy device public key contained in the pre-loaded initial terminal entity certificate of the proxy device. After the digital signature value is verified to be correct, the CA server generates a first intermediate certificate for the proxy device according to the applicant information and the first proxy device public key contained in the intermediate certificate authorization request, and digitally signs the first intermediate certificate by using the CA root private key, wherein the first intermediate certificate contains the first proxy device public key. The CA server generates an intermediate certificate authorization response containing the first intermediate certificate, digitally signs the intermediate certificate authorization response by using the CA root private key, and sends the digitally signed intermediate certificate authorization response to the proxy device, wherein the intermediate certificate authorization response also contains the certificate chain of the first intermediate certificate. The intermediate certificate authorization response may be carried by an IP message or a message in a format such as CMPv2, and the certificate chain of the first intermediate certificate includes the CA root certificate.
It should be noted here that there may be multiple intermediate certificates, for example three intermediate certificates, namely intermediate certificate a, intermediate certificate b and intermediate certificate c. The relationship among the three certificates is as follows: the upper-level certificate of intermediate certificate a is the CA root certificate, that is, the CA root certificate is used for the digital signature of intermediate certificate a; the upper-level certificate of intermediate certificate b is intermediate certificate a, that is, the public key included in intermediate certificate a is used for the digital signature of intermediate certificate b; the upper-level certificate of intermediate certificate c is intermediate certificate b, that is, the public key included in intermediate certificate b is used for the digital signature of intermediate certificate c. Intermediate certificate c is the first intermediate certificate, and the certificate chain of the first intermediate certificate includes the CA root certificate, intermediate certificate a and intermediate certificate b.
Step 303: the proxy device receives the intermediate certificate authorization response, verifies the digital signature value of the intermediate certificate authorization response by using the CA root public key of the pre-loaded CA root certificate, and verifies whether the digital signature value of the first intermediate certificate is correct by using the certificate chain of the first intermediate certificate. When the digital signature value of the first intermediate certificate is verified to be correct, the proxy device sends a certificate confirmation message to the CA server to confirm that the first intermediate certificate is received; the certificate confirmation message may be a CertConf message.
The process of verifying whether the digital signature value of the first intermediate certificate is correct using the certificate chain of the first intermediate certificate is as follows: the proxy device obtains all certificates from the certificate chain of the first intermediate certificate, which in the embodiment of the invention is only the CA root certificate, and then verifies whether the digital signature value of the CA root certificate is correct by using the pre-loaded CA root public key. If the digital signature value of the CA root certificate is verified to be incorrect, the first intermediate certificate is determined to be incorrect. If the digital signature value of the CA root certificate is verified to be correct, the CA root public key is used to verify whether the digital signature value of the first intermediate certificate is correct: if the digital signature value of the first intermediate certificate is verified to be incorrect, the first intermediate certificate is determined to be incorrect, and if it is verified to be correct, the first intermediate certificate is determined to be correct.
It should be noted that, if the certificate chain of the first intermediate certificate contains the CA root certificate, intermediate certificate a and intermediate certificate b, the process of verifying whether the digital signature value of the first intermediate certificate is correct using the certificate chain of the first intermediate certificate is as follows. The proxy device acquires all certificates from the certificate chain of the first intermediate certificate, and then verifies whether the digital signature value of the CA root certificate is correct by using the pre-loaded CA root public key; if it is verified to be incorrect, the first intermediate certificate is determined to be incorrect. If the digital signature value of the CA root certificate is verified to be correct, whether the digital signature value of intermediate certificate a is correct is verified by using the CA root public key; if it is verified to be incorrect, the first intermediate certificate is determined to be incorrect. If the digital signature value of intermediate certificate a is verified to be correct, whether the digital signature value of intermediate certificate b is correct is verified by using the public key contained in intermediate certificate a; if it is verified to be incorrect, the first intermediate certificate is determined to be incorrect. If the digital signature value of intermediate certificate b is verified to be correct, whether the digital signature value of the first intermediate certificate is correct is verified by using the public key contained in intermediate certificate b; if it is verified to be incorrect, the first intermediate certificate is determined to be incorrect, and if it is verified to be correct, the first intermediate certificate is determined to be correct.
Step 304: after receiving the certificate confirmation message, the CA server sends a PKI confirmation (PKIConf) message to the proxy equipment to confirm the receipt of the certificate confirmation message.
Step 305: after the agent device receives the first intermediate certificate sent by the CA server, the agent device sends a certificate application notice to each terminal entity.
When the equipment leaves the factory, each terminal entity and the proxy device are preset with an initial terminal entity certificate and an initial terminal root certificate issued by the manufacturer. After a terminal entity comes online, it automatically establishes a secure communication channel (TLS/DTLS/MACSEC, etc.) with the proxy device, using the preset terminal entity certificate as the identity authentication credential.
It should be noted that: the proxy device has an intermediate certificate that can issue a digital certificate for the terminal entity, and also has a terminal entity certificate that attests to the identity of the proxy device.
Step 306: the terminal entity generates a fourth key pair of the terminal entity, wherein the fourth key pair comprises the first terminal entity public key and the first terminal entity private key. After the terminal entity receives the certificate application notification, the terminal entity constructs a terminal entity certificate authorization request, the terminal entity certificate authorization request comprises applicant information (namely terminal entity information, such as the name of the terminal entity) and a first terminal entity public key, the terminal entity certificate authorization request is digitally signed by using an initial terminal entity private key of an initial terminal entity certificate, and then the digitally signed terminal entity certificate authorization request is sent to the proxy equipment through a secure channel between single boards. The end entity certificate authorization request may be carried in a CMP message, a CMPv2 message, or other message type message.
Step 307: the proxy equipment receives the terminal entity certificate authorization request from the secure channel, obtains an initial terminal entity public key from a pre-loaded initial terminal certificate of the first terminal entity, and verifies whether the digital signature value of the terminal entity certificate authorization request is correct or not by using the initial terminal entity public key. If the verification is not passed, the terminal entity certificate authorization request is regarded as an untrusted message, and the proxy equipment does not process the terminal entity certificate authorization request or replies a warning message to the terminal entity. And if the verification is passed, the agent equipment generates a first terminal entity certificate for the terminal entity according to the first intermediate certificate, the applicant information contained in the terminal entity certificate authorization request and the first terminal entity public key, and performs digital signature on the first terminal entity certificate by using the first agent equipment private key, wherein the first terminal entity certificate contains the first terminal entity public key. The proxy equipment generates a terminal entity certificate authorization response containing the digitally signed first terminal entity certificate and a certificate chain of the first terminal entity certificate, the proxy equipment can use an initial proxy equipment private key of an initial terminal entity certificate of the proxy equipment to digitally sign the terminal entity certificate authorization response, and sends the terminal entity certificate authorization response to the terminal entity through a secure channel between single boards, and at the moment, the certificate chain of the first terminal entity certificate contains a CA root certificate and a first intermediate certificate.
Step 308: the terminal entity receives the terminal entity certificate authorization response of the proxy device from the secure channel, and verifies whether the digital signature value of the terminal entity certificate authorization response is correct by using the initial terminal entity public key of the initial terminal certificate of the proxy device. If the verification result is incorrect, the terminal entity certificate authorization response is considered to be an untrustworthy message, and the proxy device does not process the terminal entity certificate authorization response, or a warning message is replied to the terminal entity. If the verification result is correct, whether the digital signature value of the first terminal entity certificate is correct is verified by using the certificate chain of the first terminal entity certificate, so as to ensure that the first terminal entity certificate is correct.
The process of verifying whether the digital signature value of the first terminal entity certificate is correct by using the certificate chain of the first terminal entity certificate comprises the following steps. The terminal entity first obtains all digital certificates contained in the certificate chain of the first terminal entity certificate, namely the first intermediate certificate and the CA root certificate, and verifies whether the digital signature value contained in the CA root certificate is correct by using the CA root public key. When the verification result is incorrect, the first terminal entity certificate is incorrect. When the verification result is correct, whether the digital signature value contained in the first intermediate certificate is correct is verified by using the CA root public key contained in the CA root certificate; when the verification result is incorrect, the first terminal entity certificate is incorrect. When the verification result is correct, whether the digital signature value contained in the first terminal entity certificate is correct is verified by using the first proxy device public key contained in the first intermediate certificate; when the verification result is incorrect, the first terminal entity certificate is incorrect, and when the verification result is correct, the first terminal entity certificate is correct.
It should be noted that, if the certificate chain of the first terminal entity certificate includes the CA root certificate, intermediate certificate a, and intermediate certificate b, the process of verifying the CA root certificate, intermediate certificate a, and intermediate certificate b is the same as that described in step 303. Likewise, in the embodiment of the present invention, if the certificate chain of the second intermediate certificate or the certificate chain of the third terminal entity certificate includes the CA root certificate, intermediate certificate a, and intermediate certificate b, the process of verifying the CA root certificate, intermediate certificate a, and intermediate certificate b is the same as that described in step 303.
In the above step 306, step 307 and step 308, the terminal entity and the agent device use their respective initial terminal entity private keys to digitally sign the message, and the terminal entity and the agent device use their corresponding initial terminal entity public keys to verify whether the digital signature value of the message is correct. In the subsequent process, if the terminal entity and the agent device obtain respective identity certificates (terminal entity certificates) issued by the intermediate certificate, for example: the proxy device may further generate a fifth key pair of the proxy device itself, where the fifth key pair includes a public key of the terminal entity of the proxy device and a private key of the terminal entity of the proxy device, and the proxy device may issue a terminal entity certificate for the proxy device using a first proxy device private key of the first intermediate certificate, where the terminal entity certificate of the proxy device includes the public key of the terminal entity of the proxy device. At this time: in the above step 306, step 307 and step 308, the terminal entity may further perform digital signature on the message by using the first terminal entity private key, and the proxy device may further use the first terminal entity public key to determine whether the digital signature value of the message is correct; correspondingly, the proxy device may also use a private key of a terminal entity of the proxy device to digitally sign the message, and the terminal entity may also use a public key of the terminal entity of the proxy device to determine whether the digitally signed value of the message is correct.
Optionally, after obtaining the first terminal entity certificate, the terminal entity may send a certificate obtaining notification to the proxy device.
Step 309: When the proxy device detects that all terminal entities have successfully applied for the first terminal entity certificate, it sends a certificate switching notification to each terminal entity through the secure channel.
The proxy device may locally store a list of end entities that records whether the end entity has received the first end entity certificate.
Step 310: After receiving the certificate switching notification, each terminal entity replaces the preset initial terminal entity certificate with the first terminal entity certificate issued by the proxy device.
In the embodiment of the invention, in the digital certificate management system, the CA server can issue the intermediate certificate to the proxy device, so that the proxy device holding the intermediate certificate can issue digital certificates to the terminal entities. Generally, a digital certificate management system has only one CA server but may have a plurality of proxy devices. This avoids a large number of terminal entities requesting digital certificate authentication from the single CA server, which reduces the load of the CA server and saves network bandwidth resources. In addition, since there may be a plurality of proxy devices, a proxy device may be deployed close to the terminal entity, for example as the service single board (the terminal entity) and the control single board (the proxy device) in the same network device. Communication between the service single board and the control single board is faster and safer, so the proxy device can provide the terminal entity with authentication of the digital certificate very safely, quickly and conveniently.
When the first terminal entity certificate of the terminal entity is about to expire, or the corresponding private key is damaged or leaked, the terminal entity needs to request the proxy device to update the first terminal entity certificate in time. And after the certificate of the first terminal entity is updated successfully. As shown in fig. 4, the flow of the certificate updating method is as follows:
Step 401: When the terminal entity determines that it needs to apply to the proxy device for a terminal entity certificate again, it regenerates a sixth key pair of the terminal entity, where the sixth key pair comprises a second terminal entity public key and a second terminal entity private key. The terminal entity constructs a first certificate update request, which comprises the second terminal entity public key and applicant information (namely the information of the terminal entity), digitally signs the first certificate update request by using the second terminal entity private key, and sends the first certificate update request to the proxy device through the inter-board secure channel.
The terminal entity may periodically detect whether the deadline of the first terminal entity certificate is within the update range, and when it is detected that the deadline of the first terminal entity certificate of the terminal entity is already within the update range, or when the terminal entity periodically detects that the private key corresponding to the first terminal entity certificate is damaged or leaked, the terminal entity determines that the terminal entity certificate needs to be applied to the CA server again.
Step 402: The proxy device receives the first certificate update request and first uses the second terminal entity public key in the request to verify whether the digital signature value of the first certificate update request is correct. When the verification result is correct, the proxy device generates a second terminal entity certificate according to the applicant information and the second terminal entity public key contained in the first certificate update request, and digitally signs the second terminal entity certificate by using the first proxy device private key related to the first intermediate certificate. The proxy device then generates a first certificate update response, which comprises the second terminal entity certificate carrying the digital signature and a certificate chain of the second terminal entity certificate, and sends the first certificate update response to the terminal entity through the secure channel. The certificate chain of the second terminal entity certificate at this point comprises the CA root certificate and the first intermediate certificate.
Step 403: The terminal entity receives the first certificate update response of the proxy device from the secure channel and verifies whether the digital signature value of the first certificate update response is correct by using the first proxy device public key related to the first intermediate certificate. When the verification result is incorrect, the terminal entity confirms that the first certificate update response is not trusted. When the verification result is correct, the terminal entity confirms that the first certificate update response is trusted, and then verifies whether the digital signature value of the second terminal entity certificate is correct by using the certificate chain of the second terminal entity certificate, to ensure that the second terminal entity certificate is trusted. After the verification is passed, the terminal entity replaces the first terminal entity certificate with the second terminal entity certificate.
The process of verifying whether the digital signature value of the second terminal entity certificate is correct by using the certificate chain of the second terminal entity certificate comprises the following steps. The terminal entity first obtains all digital certificates contained in the certificate chain of the second terminal entity certificate, namely the first intermediate certificate and the CA root certificate. The terminal entity verifies whether the digital signature value contained in the CA root certificate is correct by using the CA root public key; when the verification result is incorrect, the second terminal entity certificate is incorrect. When the verification result is correct, the terminal entity continues by using the CA root certificate containing the CA root public key to verify whether the digital signature value contained in the first intermediate certificate is correct; when the verification result is incorrect, the second terminal entity certificate is incorrect. When the verification result is correct, the terminal entity continues by using the first intermediate certificate containing the first proxy device public key to verify whether the digital signature value contained in the second terminal entity certificate is correct; when the verification result is incorrect, the second terminal entity certificate is incorrect. When the verification result is correct, the second terminal entity certificate is correct.
In the embodiment of the invention, in the digital certificate management system, the proxy device holding the intermediate certificate can issue digital certificates to the terminal entities. When a terminal entity certificate needs to be updated, the terminal entity therefore does not need to request the CA server to update it, and only needs to request the proxy device near the terminal entity to do so. This avoids a large number of terminal entities requesting the single CA server to update their digital certificates, which reduces the load of the CA server and saves network bandwidth resources. In addition, the proxy device can provide very secure, fast, and convenient update management of digital certificates to the terminal entity.
When the first intermediate certificate of the network device is about to expire, or the corresponding private key is damaged or leaked, the network device needs to request the CA server to update the first intermediate certificate in time. After the first intermediate certificate is successfully updated, the proxy device needs to notify each terminal entity to update the first terminal entity certificate, and re-issues a new terminal entity certificate (i.e., a third terminal entity certificate) to each terminal entity by using the new intermediate certificate (i.e., a second intermediate certificate). As shown in fig. 5, based on the embodiment shown in fig. 3, the flow of the certificate updating method includes the following steps:
Step 501: When the proxy device determines that it needs to apply to the CA server for an intermediate certificate again, the proxy device regenerates a seventh key pair, where the seventh key pair comprises a second proxy device public key and a second proxy device private key. The proxy device constructs a second certificate update request, which comprises applicant information (specifically proxy device information, such as the proxy device name) and the second proxy device public key, digitally signs the second certificate update request by using the second proxy device private key, and then sends the digitally signed second certificate update request to the CA server through an https channel. The second certificate update request may be carried in a Key Update Request (KUR).
The proxy device may periodically detect whether the deadline of the first intermediate certificate is within the update range, and when it is detected that the deadline of the first intermediate certificate of the terminal entity is already within the update range, or when the proxy device periodically detects that a private key corresponding to the first intermediate certificate is damaged or leaked, the proxy device determines that the intermediate certificate needs to be applied to the CA server again.
Step 502: After the verification is passed, the CA server generates a new intermediate certificate (subsequently referred to as a second intermediate certificate) for the proxy device according to the second proxy device public key and the applicant information in the second certificate update request, and digitally signs the second intermediate certificate by using the CA root private key. The CA server generates a second certificate update response containing the second intermediate certificate and a certificate chain of the second intermediate certificate, digitally signs the second certificate update response by using the CA root private key, and sends the digitally signed second certificate update response to the proxy device through an https channel. The second certificate update response may be carried in a Key Update Response (KUP). The certificate chain of the second intermediate certificate at this point comprises the CA root certificate.
Step 503: The proxy device receives the second certificate update response and verifies whether the digital signature value of the second certificate update response is correct by using the CA root public key of the CA root certificate. When the verification result is correct, the received second certificate update response is correct, and the proxy device sends a certificate confirmation message to the CA server to confirm that the second intermediate certificate has been received.
Step 504: the CA server sends a PKI confirmation message to the main control unit, confirming receipt of the certificate confirmation message.
Step 505: After receiving the PKI confirmation message, the proxy device sends an intermediate certificate update notification to each terminal entity.
Step 506: After receiving the intermediate certificate update notification, the terminal entity generates a third certificate update request, which comprises the first terminal entity public key and applicant information (the information of the terminal entity), digitally signs the third certificate update request by using the first terminal entity private key, and sends the third certificate update request to the proxy device through the inter-board secure channel.
Step 507: The proxy device receives the third certificate update request and first uses the first terminal entity public key in the request to verify whether the digital signature value of the third certificate update request is correct. When the verification result is correct, the proxy device generates a third terminal entity certificate according to the applicant information and the first terminal entity public key contained in the third certificate update request, and digitally signs the third terminal entity certificate by using the second proxy device private key related to the second intermediate certificate. The proxy device then generates a third certificate update response, which comprises the third terminal entity certificate carrying the digital signature and a certificate chain of the third terminal entity certificate, and sends the third certificate update response to the terminal entity through the secure channel. The certificate chain of the third terminal entity certificate at this point comprises the CA root certificate and the second intermediate certificate.
Step 508: The terminal entity receives the third certificate update response of the proxy device from the secure channel and verifies whether the digital signature values of the third terminal entity certificate and of the certificate chain of the third terminal entity certificate are correct, to ensure the validity of the third terminal entity certificate. After the verification is passed, the terminal entity replaces the first terminal entity certificate with the third terminal entity certificate.
The terminal entity first obtains all digital certificates contained in the certificate chain of the third terminal entity certificate, namely the second intermediate certificate and the CA root certificate. The terminal entity verifies whether the digital signature value contained in the CA root certificate is correct by using the CA root certificate containing the CA root public key; when the verification result is incorrect, the third terminal entity certificate is incorrect. When the verification result is correct, the terminal entity verifies whether the digital signature value contained in the second intermediate certificate is correct by using the CA root certificate containing the CA root public key; when the verification result is incorrect, the third terminal entity certificate is incorrect. When the verification result is correct, the terminal entity verifies whether the digital signature value contained in the third terminal entity certificate is correct by using the second intermediate certificate containing the second proxy device public key; when the verification result is incorrect, the third terminal entity certificate is incorrect. When the verification result is correct, the third terminal entity certificate is correct.
Step 509: After the proxy device detects that all terminal entities have successfully updated their certificates, it revokes all first terminal entity certificates issued by using the initial proxy device private key, generates a certificate revocation notification containing CRL information, and sends the certificate revocation notification through the inter-board secure channel to notify all terminal entities to revoke the first terminal entity certificate.
Step 510: The terminal entity receives the certificate revocation notification and imports the CRL information carried in the message into the context of the inter-board secure connection, so as to revoke the first terminal entity certificate.
In the embodiment of the invention, in the digital certificate management system, the proxy device holding the intermediate certificate can issue digital certificates to the terminal entities. When the intermediate certificate needs to be updated, the large number of terminal entities therefore do not need to request the CA server to update it; only the proxy device needs to request the CA server to update the intermediate certificate. This avoids a large number of terminal entities updating the intermediate certificate at the single CA server, which reduces the load of the CA server and saves network bandwidth resources. In addition, when the proxy device updates the intermediate certificate, it sends an intermediate certificate update notification to the terminal entity in time, so that the terminal entity updates the terminal entity certificate in time.
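The chain check described for steps 308, 403 and 508, together with the intermediate-certificate replacement of steps 501 to 508, can be exercised with the Go standard library. The program below is an added example and is not part of the patent text; ECDSA P-256, the certificate names, serial numbers and validity periods are assumptions, and all keys are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub with parentKey. A nil parent yields the
// self-signed CA root. Names and serial numbers are constructed sample values.
func issue(cn string, serial int64, isCA bool, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain applies the checks in the order the description gives: the CA root
// under the preset CA root public key, the intermediate under the CA root, and the
// terminal entity certificate under the intermediate's proxy device public key.
func verifyChain(trusted *ecdsa.PublicKey, root, inter, ee *x509.Certificate) error {
	if pub, ok := root.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(trusted) {
		return errors.New("chain root does not carry the trusted CA root public key")
	}
	if err := root.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CA root certificate: %w", err)
	}
	if err := inter.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("intermediate certificate: %w", err)
	}
	if err := ee.CheckSignatureFrom(inter); err != nil {
		return fmt.Errorf("terminal entity certificate: %w", err)
	}
	return nil
}

// Outcome records what each check in runRotation returned.
type Outcome struct {
	FirstOK, ThirdOK, SameKey, StaleChainRejected, WrongRootRejected bool
}

// runRotation issues the first chain, replaces the intermediate, and re-issues.
func runRotation() (o Outcome, err error) {
	keys := make([]*ecdsa.PrivateKey, 4) // CA root, proxy 1, proxy 2, terminal entity
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return o, err
		}
	}
	rootKey, proxy1, proxy2, eeKey := keys[0], keys[1], keys[2], keys[3]
	mk := func(cn string, serial int64, isCA bool, pub *ecdsa.PublicKey,
		parent *x509.Certificate, key *ecdsa.PrivateKey) (c *x509.Certificate) {
		if err == nil { // stop issuing after the first failure
			c, err = issue(cn, serial, isCA, pub, parent, key)
		}
		return c
	}
	root := mk("Sample CA root", 1, true, &rootKey.PublicKey, nil, rootKey)
	inter1 := mk("First intermediate", 2, true, &proxy1.PublicKey, root, rootKey)
	ee1 := mk("Terminal entity", 100, false, &eeKey.PublicKey, inter1, proxy1)
	inter2 := mk("Second intermediate", 3, true, &proxy2.PublicKey, root, rootKey)
	ee3 := mk("Terminal entity", 101, false, &eeKey.PublicKey, inter2, proxy2)
	if err != nil {
		return o, err
	}
	o.FirstOK = verifyChain(&rootKey.PublicKey, root, inter1, ee1) == nil
	o.ThirdOK = verifyChain(&rootKey.PublicKey, root, inter2, ee3) == nil
	// The third certificate is issued for the unchanged first terminal entity public key.
	o.SameKey = ee3.PublicKey.(*ecdsa.PublicKey).Equal(ee1.PublicKey)
	// A chain that still carries the first intermediate cannot validate the third certificate.
	o.StaleChainRejected = verifyChain(&rootKey.PublicKey, root, inter1, ee3) != nil
	// A verifier whose preset root key differs from the chain's root rejects the chain.
	o.WrongRootRejected = verifyChain(&proxy1.PublicKey, root, inter2, ee3) != nil
	return o, nil
}

func main() {
	o, err := runRotation()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

These checks cover signatures only, as the description does; validity periods and the CRL distributed in step 509 are separate checks. Go's `Certificate.Verify` performs path building and validity-period checks but not revocation.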
Referring to fig. 6, an apparatus 600 for issuing a digital certificate is provided in an embodiment of the present application, where the apparatus 600 may be deployed in a proxy device provided in the embodiments shown in fig. 3, fig. 4, or fig. 5, and includes: a receiving unit 601, configured to receive a terminal entity certificate authorization request sent by a terminal entity, where the terminal entity certificate authorization request includes a first terminal entity public key;
a certificate issuing unit 602, configured to generate a first terminal entity certificate for the first terminal entity public key according to the terminal entity certificate authorization request, perform digital signature on the first terminal entity certificate by using a first proxy device private key, obtain a digital signature value of the first terminal entity certificate, and generate a terminal entity certificate authorization response, where the terminal entity certificate authorization response includes the first terminal entity certificate and a certificate chain of the first terminal entity certificate, the first terminal entity certificate includes the first terminal entity public key and the digital signature value of the first terminal entity certificate, the certificate chain of the first terminal entity certificate is used to verify whether the digital signature value of the first terminal entity certificate is correct, and the certificate chain of the first terminal entity certificate includes an authorization authentication CA root certificate and a first intermediate certificate, wherein the first intermediate certificate includes a first proxy device public key, and the first proxy device public key and the first proxy device private key are a pair of keys generated by the proxy device.
A sending unit 603, configured to send the terminal entity certificate authorization response to the terminal entity.
Optionally, in an application scenario, the apparatus 600 further includes an authentication unit 604. The sending unit 603 is further configured to send an intermediate certificate authorization request to the CA server, where the intermediate certificate authorization request includes the public key of the first proxy device. In this scenario, the receiving unit 601 is further configured to receive an intermediate certificate authorization response sent by the CA server, where the intermediate certificate authorization response includes a first intermediate certificate and a certificate chain of the first intermediate certificate, where the first intermediate certificate includes the first proxy public key and a digital signature value of the first intermediate certificate, the certificate chain of the first intermediate certificate includes the CA root certificate, the CA root certificate includes a CA root public key, the digital signature value of the first intermediate certificate is obtained by the CA server digitally signing the first intermediate certificate using a CA root private key, and the CA root public key and the CA root private key are a pair of secret keys generated by the CA server. A verifying unit 604, configured to verify that the digital signature value of the first intermediate certificate is correct using the certificate chain of the first intermediate certificate.
Optionally, in another application scenario, the receiving unit 601 is further configured to receive a first certificate update request sent by the terminal entity, where the first certificate update request includes a public key of a second terminal entity. In this scenario, the certificate issuing unit 602 is further configured to generate, according to the first certificate update request, a second terminal entity certificate for the second terminal entity public key, perform digital signature on the second terminal entity certificate by using a first proxy device private key, obtain a digital signature value of the second terminal entity certificate, and generate a first certificate update response, where the first certificate update response comprises the second terminal entity certificate and a certificate chain of the second terminal entity certificate, the second terminal entity certificate contains the second terminal entity public key and the digital signature value of the second terminal entity certificate, the certificate chain of the second terminal entity certificate is used for verifying whether the digital signature value of the second terminal entity certificate is correct, and the certificate chain of the second terminal entity certificate comprises the CA root certificate and the first intermediate certificate. In this scenario, the sending unit 603 is further configured to send the first certificate update response to the terminal entity.
Optionally, in another application scenario, the apparatus 600 further includes a replacing unit 605, where the replacing unit 605 is configured to verify that the digital signature value of the second intermediate certificate is correct using the certificate chain of the second intermediate certificate, and replace the first intermediate certificate with the second intermediate certificate. In this application scenario, the sending unit 603 is further configured to send a second certificate update request to the CA server, where the second certificate update request includes a second proxy device public key. In this application scenario, the receiving unit 601 is further configured to receive a second certificate update response sent by the CA server, where the second certificate update response includes a second intermediate certificate and a certificate chain of the second intermediate certificate, and the second intermediate certificate includes the second proxy device public key and a digital signature value of the second intermediate certificate, where the digital signature value of the second intermediate certificate is obtained by digitally signing, by the CA server, the second intermediate certificate using a CA root private key.
Optionally, in another application scenario, the receiving unit 601 is further configured to receive a third certificate update request sent by the terminal entity, where the third certificate update request includes the public key of the first terminal entity. In this application scenario, the certificate issuing unit 602 is further configured to generate a third terminal entity certificate for the first terminal entity public key according to the third certificate update request, perform digital signature on the third terminal entity certificate by using a second proxy device private key, obtain a digital signature value of the third terminal entity certificate, and generate a third certificate update response, where the third certificate update response includes a certificate chain of the third terminal entity certificate and the third terminal entity certificate, the third terminal entity certificate includes the first terminal entity public key and the digital signature value of the third terminal entity certificate, the certificate chain of the third terminal entity certificate is used to verify whether the digital signature value of the third terminal entity certificate is correct, and the certificate chain of the third terminal entity certificate includes the CA root certificate and the second intermediate certificate, the second proxy device private key and the second proxy device public key are a pair of key pairs generated by the proxy device. In this application scenario, the sending unit 603 is further configured to send the third certificate update response to the terminal entity.
Optionally, the replacing unit 605 is specifically configured to verify whether the digital signature value of the CA root certificate is correct by using the CA root public key, and determine that the second intermediate certificate is incorrect when the digital signature value of the CA root certificate is verified to be incorrect; when the digital signature value of the CA root certificate is verified to be correct, verifying whether the digital signature value of the second intermediate certificate is correct by using the CA root public key, and when the digital signature value of the second intermediate certificate is verified to be incorrect, determining that the second intermediate certificate is incorrect; and when the digital signature value of the second intermediate certificate is verified to be correct, determining that the second intermediate certificate is correct.
The proxy device holding the intermediate certificate can issue digital certificates to the terminal entities. Generally, a digital certificate management system has only one CA server but may have a plurality of proxy devices. This avoids a large number of terminal entities requesting digital certificate authentication from the single CA server, which reduces the load of the CA server and saves network bandwidth resources. In addition, since there may be a plurality of proxy devices, a proxy device may be deployed close to the terminal entity, and can therefore provide very secure, fast, and convenient authentication of the digital certificate to the terminal entity.
Referring to fig. 7, an embodiment of the present application provides a terminal entity 700, where the terminal entity 700 may be deployed in the terminal entity provided in the embodiment shown in fig. 3, fig. 4, or fig. 5, and includes:
a sending module 701, configured to send a terminal entity certificate authorization request to the proxy device, where the terminal entity certificate authorization request includes a first terminal entity public key.
A receiving module 702, configured to receive a terminal entity certificate authorization response sent by the proxy device, where the terminal entity certificate authorization response includes a first terminal entity certificate and a certificate chain of the first terminal entity certificate, the first terminal entity certificate includes the first terminal entity public key and a digital signature value of the first terminal entity certificate, and the certificate chain of the first terminal entity certificate is used to verify whether the digital signature value of the first terminal entity certificate is correct.
A verifying module 703, configured to verify whether the digital signature value of the first terminal entity certificate is correct by using the certificate chain of the first terminal entity certificate.
Optionally, in an application scenario, the sending module 701 is further configured to send a first certificate update request to the proxy device, where the first certificate update request includes a public key of a second terminal entity. In this application scenario, the receiving module 702 is further configured to receive the first certificate update response sent by the proxy device, where the first certificate update response includes a second terminal entity certificate and a certificate chain of the second terminal entity certificate, the second terminal entity certificate includes the second terminal entity public key and a digital signature value of the second terminal entity certificate, and the certificate chain of the second terminal entity certificate is used to verify whether the digital signature value of the second terminal entity certificate is correct. In this application scenario, the terminal entity further includes a replacing module 704, configured to replace the first terminal entity certificate with the second terminal entity certificate when the certificate chain of the second terminal entity certificate is used to verify that the digital signature value of the second terminal entity certificate is correct.
Optionally, in another application scenario, the sending module 701 is further configured to send a third certificate update request to the proxy device, where the third certificate update request includes the public key of the first terminal entity. In this application scenario, the receiving module 702 is further configured to receive a third certificate update response sent by the proxy device, where the third certificate update response includes a third terminal entity certificate and a certificate chain of the third terminal entity certificate, the third terminal entity certificate includes the first terminal entity public key and a digital signature value of the third terminal entity certificate, and the certificate chain of the third terminal entity certificate is used to verify whether the digital signature value of the third terminal entity certificate is correct. In this application scenario, the replacing module 704 is further configured to replace the first terminal entity certificate with the third terminal entity certificate when the certificate chain of the third terminal entity certificate is used to verify that the digital signature value of the third terminal entity certificate is correct.
Optionally, in another application scenario, the verifying module 703 is specifically configured to verify whether the digital signature value of the CA root certificate is correct by using a CA root public key, and determine that the first terminal entity certificate is incorrect when the digital signature value of the CA root certificate is verified to be incorrect; when the digital signature value of the CA root certificate is verified to be correct, verifying whether the digital signature value of the first intermediate certificate is correct by using the CA root public key, and when the digital signature value of the first intermediate certificate is verified to be incorrect, determining that the first terminal entity certificate is incorrect; when the digital signature value of the first intermediate certificate is verified to be correct, verifying whether the digital signature value of the first terminal entity certificate is correct by using a first proxy equipment public key contained in the first intermediate certificate, and when the digital signature value of the first terminal entity certificate is verified to be incorrect, determining that the first terminal entity certificate is incorrect; and when the digital signature value of the first terminal entity certificate is verified to be correct, determining that the first terminal entity certificate is correct.
Optionally, in another application scenario, the receiving module 702 is further configured to receive a certificate application notification sent by the proxy device.
Referring to fig. 8, an embodiment of the present application provides a schematic diagram of an apparatus 800 for issuing a digital certificate. The apparatus 800 may be a proxy device in any of the embodiments described above. The apparatus 800 comprises at least one processor 801, an internal connection 802, a memory 803 and at least one transceiver 804.
The apparatus 800 is a hardware structure apparatus, and can be used to implement the functional modules in the apparatus 600 described in fig. 6. For example, it is conceivable for those skilled in the art that the certificate issuing unit 602, the verifying unit 604 or the replacing unit 605 in the apparatus 600 shown in fig. 6 may be implemented by the at least one processor 801 calling codes in the memory 803, and the receiving unit 601 and the sending unit 603 in the apparatus 600 shown in fig. 6 may be implemented by the transceiver 804.
Optionally, the apparatus 800 may also be used to implement the functions of the proxy apparatus in any of the above embodiments.
Optionally, the processor 801 may be a general-purpose central processing unit (CPU), a network processor (NP), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program according to the present disclosure.
The internal connections 802 may include a path for passing information between the components. Optionally, the internal connection 802 is a single board or a bus.
The transceiver 804 is used for communicating with other devices or communication networks.
The memory 803 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 803 is used for storing application program codes for executing the scheme of the application, and the processor 801 controls the execution. The processor 801 is configured to execute application program code stored in the memory 803 and cooperate with the at least one transceiver 804 to cause the apparatus 800 to perform functions of the method of the present patent.
In particular implementations, the processor 801 may include one or more CPUs, for example CPU0 and CPU1 in fig. 8.
In particular implementations, the apparatus 800 may include multiple processors, for example the processor 801 and the processor 807 in fig. 8. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Referring to fig. 9, an embodiment of the present application provides a schematic diagram of a terminal entity 900. The terminal entity 900 may be the terminal entity in any of the embodiments described above. The end entity 900 comprises at least one processor 901, an internal connection 902, a memory 903 and at least one transceiver 904.
The terminal entity 900 is a hardware structure device, and can be used to implement the functional modules in the terminal entity 700 described in fig. 7. For example, those skilled in the art may appreciate that the verifying module 703 or the replacing module 704 in the terminal entity 700 shown in fig. 7 may be implemented by the at least one processor 901 calling code in the memory 903, and the sending module 701 and the receiving module 702 in the terminal entity 700 shown in fig. 7 may be implemented by the transceiver 904.
Optionally, the terminal entity 900 may also be configured to implement the function of the proxy apparatus in any of the embodiments described above.
Optionally, the processor 901 may be a general-purpose central processing unit (CPU), a network processor (NP), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program according to the present disclosure.
The internal connections 902 may include a path for passing information between the components. Optionally, the internal connection 902 is a single board or a bus.
The transceiver 904 is used to communicate with other devices or communication networks.
The memory 903 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a Random Access Memory (RAM) or other types of dynamic storage devices that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 903 is used for storing application program codes for executing the scheme of the application, and the processor 901 controls the execution. The processor 901 is adapted to execute application program code stored in the memory 903 and to cooperate with the at least one transceiver 904 to enable the terminal entity 900 to carry out the functions of the method of the patent.
In particular implementations, the processor 901 may include one or more CPUs, for example CPU0 and CPU1 in fig. 9.
In one embodiment, the terminal entity 900 may include a plurality of processors, such as the processor 901 and the processor 907 in fig. 9. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by hardware, firmware, or a combination thereof. When implemented in software, the functions described above may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Furthermore, any connection may properly be termed a computer-readable medium. For example, if software is transmitted from a website, a server, or other remote source using a coaxial cable, a fiber optic cable, a twisted pair, a Digital Subscriber Line (DSL), or a wireless technology such as infrared, radio, and microwave, then the coaxial cable, the fiber optic cable, the twisted pair, the DSL, or the wireless technology such as infrared, radio, and microwave is included in the definition of the medium. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing disclosure shows only a few specific embodiments of the invention, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A method for digital certificate issuance, the method comprising:
the proxy equipment receives a terminal entity certificate authorization request sent by a terminal entity, wherein the terminal entity certificate authorization request comprises a first terminal entity public key;
the proxy equipment generates a first terminal entity certificate for the first terminal entity public key according to the terminal entity certificate authorization request, digitally signs the first terminal entity certificate by using a first proxy equipment private key, obtains a digital signature value of the first terminal entity certificate, and generates a terminal entity certificate authorization response, wherein the terminal entity certificate authorization response comprises the first terminal entity certificate and a certificate chain of the first terminal entity certificate, the first terminal entity certificate comprises the first terminal entity public key and the digital signature value of the first terminal entity certificate, the certificate chain of the first terminal entity certificate is used for verifying whether the digital signature value of the first terminal entity certificate is correct, and the certificate chain of the first terminal entity certificate comprises an authorization authentication (CA) root certificate and a first intermediate certificate, the first intermediate certificate comprises a first proxy device public key, and the first proxy device public key and the first proxy device private key are a pair of keys generated by the proxy device;
and the proxy equipment sends the terminal entity certificate authorization response to the terminal entity.
2. The method of claim 1, further comprising: the proxy equipment sends an intermediate certificate authorization request to a CA server, wherein the intermediate certificate authorization request comprises the public key of the first proxy equipment;
the agent device receives an intermediate certificate authorization response sent by the CA server, wherein the intermediate certificate authorization response comprises a first intermediate certificate and a certificate chain of the first intermediate certificate, the first intermediate certificate comprises a first agent public key and a digital signature value of the first intermediate certificate, the certificate chain of the first intermediate certificate comprises the CA root certificate, the CA root certificate comprises a CA root public key, the digital signature value of the first intermediate certificate is obtained by the CA server by digitally signing the first intermediate certificate by using a CA root private key, and the CA root public key and the CA root private key are a pair of secret key pairs generated by the CA server;
the proxy device verifies that the digital signature value of the first intermediate certificate is correct using the certificate chain of the first intermediate certificate.
3. The method of claim 1 or 2, further comprising: the proxy equipment receives a first certificate updating request sent by the terminal entity, wherein the first certificate updating request comprises a public key of a second terminal entity;
the proxy equipment generates a second terminal entity certificate for the second terminal entity public key according to the first certificate updating request, digitally signs the second terminal entity certificate by using a first proxy equipment private key, obtains a digital signature value of the second terminal entity certificate, and generates a first certificate updating response, wherein the first certificate updating response comprises the second terminal entity certificate and a certificate chain of the second terminal entity certificate, the second terminal entity certificate comprises the second terminal entity public key and the digital signature value of the second terminal entity certificate, the certificate chain of the second terminal entity certificate is used for verifying whether the digital signature value of the second terminal entity certificate is correct, and the certificate chain of the second terminal entity certificate comprises the CA root certificate and a first intermediate certificate;
the proxy device sends the first certificate update response to the end entity.
4. The method of claim 1 or 2, further comprising: the agent equipment sends a second certificate updating request to the CA server, wherein the second certificate updating request comprises a second agent equipment public key;
the agent equipment receives a second certificate update response sent by the CA server, wherein the second certificate update response comprises a second intermediate certificate and a certificate chain of the second intermediate certificate, the second intermediate certificate comprises a public key of the second agent equipment and a digital signature value of the second intermediate certificate, and the digital signature value of the second intermediate certificate is obtained by digitally signing the second intermediate certificate by the CA server by using a CA root private key;
the proxy device verifies that the digital signature value of the second intermediate certificate is correct using the certificate chain of the second intermediate certificate, and replaces the first intermediate certificate with the second intermediate certificate.
5. The method of claim 4, further comprising:
the proxy equipment receives a third certificate updating request sent by the terminal entity, wherein the third certificate updating request comprises the public key of the first terminal entity;
the proxy equipment generates a third terminal entity certificate for the first terminal entity public key according to the third certificate updating request, and digitally signing the third terminal entity certificate by using a private key of the second proxy device to obtain a digital signature value of the third terminal entity certificate and generate a third certificate update response, wherein the third certificate update response comprises the third end entity certificate and a certificate chain of third end entity certificates, the third terminal entity certificate contains the first terminal entity public key and a digital signature value of the third terminal entity certificate, the certificate chain of the third terminal entity certificate is used for verifying whether the digital signature value of the third terminal entity certificate is correct, the certificate chain of the third end entity certificate includes the CA root certificate and the second intermediate certificate, the second proxy device private key and the second proxy device public key are a pair of key pairs generated by the proxy device;
the proxy device sends the third certificate update response to the terminal entity.
6. The method according to claim 4, wherein the verifying that the digital signature value of the second intermediate certificate is correct using the certificate chain of the second intermediate certificate is specifically:
the agent equipment verifies whether the digital signature value of the CA root certificate is correct or not by using a CA root public key, and determines that the second intermediate certificate is incorrect when the digital signature value of the CA root certificate is verified to be incorrect; when the digital signature value of the CA root certificate is verified to be correct, verifying whether the digital signature value of the second intermediate certificate is correct or not by using the CA root public key, and when the digital signature value of the second intermediate certificate is verified to be incorrect, determining that the second intermediate certificate is incorrect; when the digital signature value of the second intermediate certificate is verified to be correct, it is determined that the second intermediate certificate is correct.
7. An apparatus for digital certificate issuance, the apparatus comprising:
the terminal entity certificate authorization system comprises a receiving unit, a first processing unit and a second processing unit, wherein the receiving unit is used for receiving a terminal entity certificate authorization request sent by a terminal entity, and the terminal entity certificate authorization request comprises a first terminal entity public key;
a certificate issuing unit, configured to generate a first terminal entity certificate for the first terminal entity public key according to the terminal entity certificate authorization request, perform digital signature on the first terminal entity certificate by using a first proxy device private key, obtain a digital signature value of the first terminal entity certificate, and generate a terminal entity certificate authorization response, where the terminal entity certificate authorization response includes the first terminal entity certificate and a certificate chain of the first terminal entity certificate, the first terminal entity certificate includes the first terminal entity public key and the digital signature value of the first terminal entity certificate, the certificate chain of the first terminal entity certificate is used to verify whether the digital signature value of the first terminal entity certificate is correct, and the certificate chain of the first terminal entity certificate includes an authorization authentication CA root certificate and a first intermediate certificate, the first intermediate certificate comprises a first proxy device public key, and the first proxy device public key and the first proxy device private key are a pair of keys generated by the proxy device;
a sending unit, configured to send the terminal entity certificate authorization response to the terminal entity.
8. The apparatus of claim 7, further comprising: an authentication unit, wherein:
the sending unit is further configured to send an intermediate certificate authorization request to the CA server, where the intermediate certificate authorization request includes a first proxy device public key;
the receiving unit is further configured to receive an intermediate certificate authorization response sent by the CA server, where the intermediate certificate authorization response includes a first intermediate certificate and a certificate chain of the first intermediate certificate, the first intermediate certificate includes the first proxy public key and a digital signature value of the first intermediate certificate, the certificate chain of the first intermediate certificate includes the CA root certificate, the CA root certificate includes a CA root public key, the digital signature value of the first intermediate certificate is obtained by digitally signing, by the CA server, the first intermediate certificate using a CA root private key, and the CA root public key and the CA root private key are a pair of secret key pairs generated by the CA server;
the verification unit is used for verifying that the digital signature value of the first intermediate certificate is correct by using the certificate chain of the first intermediate certificate.
9. The apparatus according to claim 7 or 8, wherein the receiving unit is further configured to receive a first certificate update request sent by the terminal entity, where the first certificate update request includes a public key of a second terminal entity;
the certificate issuing unit is further configured to generate a second terminal entity certificate for the second terminal entity public key according to the first certificate update request, and digitally signing the second terminal entity certificate by using a first proxy device private key to obtain a digital signature value of the second terminal entity certificate, generating a first certificate update response, wherein the first certificate update response comprises the second end entity certificate and a certificate chain of the second end entity certificate, the second terminal entity certificate contains the second terminal entity public key and a digital signature value of the second terminal entity certificate, the certificate chain of the second terminal entity certificate is used for verifying whether the digital signature value of the second terminal entity certificate is correct, the certificate chain of the second end entity certificate comprises the CA root certificate and a first intermediate certificate;
the sending unit is further configured to send the first certificate update response to the terminal entity.
10. The apparatus of claim 7 or 8, further comprising: a replacement unit, wherein:
the sending unit is further configured to send a second certificate update request to the CA server, where the second certificate update request includes a second proxy device public key;
the receiving unit is further configured to receive a second certificate update response sent by the CA server, where the second certificate update response includes a second intermediate certificate and a certificate chain of the second intermediate certificate, and the second intermediate certificate includes the second proxy device public key and a digital signature value of the second intermediate certificate, where the digital signature value of the second intermediate certificate is obtained by digitally signing, by the CA server, the second intermediate certificate using a CA root private key;
the replacing unit is configured to verify that the digital signature value of the second intermediate certificate is correct using the certificate chain of the second intermediate certificate, and replace the first intermediate certificate with the second intermediate certificate.
11. The apparatus according to claim 10, wherein the receiving unit is further configured to receive a third certificate update request sent by the terminal entity, where the third certificate update request includes the first terminal entity public key;
the certificate issuing unit is further configured to generate a third terminal entity certificate for the first terminal entity public key according to the third certificate update request, digitally sign the third terminal entity certificate by using a second proxy device private key, obtain a digital signature value of the third terminal entity certificate, and generate a third certificate update response, where the third certificate update response includes a certificate chain of the third terminal entity certificate and the third terminal entity certificate, the third terminal entity certificate includes the first terminal entity public key and the digital signature value of the third terminal entity certificate, the certificate chain of the third terminal entity certificate is used to verify whether the digital signature value of the third terminal entity certificate is correct, the certificate chain of the third terminal entity certificate includes the CA root certificate and the second intermediate certificate, and the second proxy device private key and the second proxy device public key are a pair generated by the proxy device A key pair;
the sending unit is further configured to send the third certificate update response to the terminal entity.
12. The method according to claim 20, wherein the replacement unit is specifically configured to verify whether the digital signature value of the CA root certificate is correct using a CA root public key, and determine that the second intermediate certificate is incorrect when the digital signature value of the CA root certificate is verified to be incorrect; when the digital signature value of the CA root certificate is verified to be correct, verifying whether the digital signature value of the second intermediate certificate is correct by using the CA root public key, and when the digital signature value of the second intermediate certificate is verified to be incorrect, determining that the second intermediate certificate is incorrect; and when the digital signature value of the second intermediate certificate is verified to be correct, determining that the second intermediate certificate is correct.
CN202011402744.8A 2020-12-04 2020-12-04 Method, device, terminal entity and system for signing and issuing digital certificate Pending CN114598455A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011402744.8A CN114598455A (en) 2020-12-04 2020-12-04 Method, device, terminal entity and system for signing and issuing digital certificate
PCT/CN2021/125960 WO2022116734A1 (en) 2020-12-04 2021-10-25 Digital certificate issuing method and apparatus, terminal entity, and system


Publications (1)

Publication Number Publication Date
CN114598455A true CN114598455A (en) 2022-06-07

Family

ID=81812368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011402744.8A Pending CN114598455A (en) 2020-12-04 2020-12-04 Method, device, terminal entity and system for signing and issuing digital certificate

Country Status (2)

Country Link
CN (1) CN114598455A (en)
WO (1) WO2022116734A1 (en)


Also Published As

Publication number Publication date
WO2022116734A1 (en) 2022-06-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination