CN115021931A - Mobile digital certificate service method - Google Patents

Mobile digital certificate service method Download PDF

Info

Publication number
CN115021931A
CN115021931A CN202210598499.5A CN202210598499A CN115021931A CN 115021931 A CN115021931 A CN 115021931A CN 202210598499 A CN202210598499 A CN 202210598499A CN 115021931 A CN115021931 A CN 115021931A
Authority
CN
China
Prior art keywords
mobile terminal
information
digital certificate
server
mobile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210598499.5A
Other languages
Chinese (zh)
Inventor
黄玲丹
赵刚
曾政响
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central Control Digital Shaanxi Information Technology Co ltd
Original Assignee
Central Control Digital Shaanxi Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central Control Digital Shaanxi Information Technology Co ltd filed Critical Central Control Digital Shaanxi Information Technology Co ltd
Priority to CN202210598499.5A priority Critical patent/CN115021931A/en
Publication of CN115021931A publication Critical patent/CN115021931A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to a mobile digital certificate service method, which has the technical scheme key points that: the method comprises the following steps: the mobile terminal sends digital certificate request information to the server terminal; the server generates a corresponding mobile digital certificate according to the digital certificate request information, stores the mobile digital certificate in an authentication system and sends the mobile digital certificate to the mobile terminal; the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system; the authentication system generates authentication response information according to the signature information and sends the authentication response information to the server side, and the server side sends the authentication response information to the mobile side; the mobile terminal sends the authentication response information to the certificate dependent terminal, and the certificate dependent terminal generates an authentication result according to the authentication response information; the method and the device have the advantage of providing the authentication service mechanism of the mobile terminal.

Description

Mobile digital certificate service method
Technical Field
The invention relates to the field of communication, in particular to a mobile digital certificate service method.
Background
The digital signature is the application of asymmetric key encryption technology and digital digest technology, and mainly comprises the information signature of a sender and the information signature authentication of a receiver.
Digital signatures are an important technology for realizing signature authentication, and can provide security services such as identity verification, data integrity, non-repudiation and the like. Meanwhile, the security of self transmission of information is also required to be ensured, the digital signature is encrypted, and an attacker is prevented from pretending to be the signature.
At present, the application range of the existing digital certificate authentication service system is limited to a common PC, and an authentication mechanism specially used for various mobile terminals including a mobile phone is not proposed yet, so there is still room for improvement.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a mobile digital certificate service method which has the advantage of providing an authentication service mechanism of a mobile terminal.
The technical purpose of the invention is realized by the following technical scheme: a mobile digital certificate service method, comprising:
the mobile terminal sends digital certificate request information to the server terminal;
the server generates a corresponding mobile digital certificate according to the digital certificate request information, stores the mobile digital certificate in an authentication system, and sends the mobile digital certificate to the mobile terminal;
the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system;
the authentication system generates authentication response information according to the signature information and sends the authentication response information to the server side, and the server side sends the authentication response information to the mobile side;
and the mobile terminal sends the authentication response information to the certificate dependent terminal, and the certificate dependent terminal generates an authentication result according to the authentication response information.
Optionally, the server generates a corresponding mobile digital certificate according to the digital certificate request information, including:
the server side obtains a mobile terminal identification and a mobile terminal key pair according to the digital certificate request information;
the server generates a mobile terminal public key digital certificate according to the mobile terminal identification and a public key in the mobile terminal key pair;
the server generates a dynamic key according to the mobile terminal identifier;
the server side encrypts a private key in the mobile terminal key pair through the dynamic key to obtain an encrypted private key;
and the server stores the encrypted private key in the mobile terminal public key digital certificate to obtain the mobile digital certificate.
Optionally, the server generates the dynamic key according to the mobile terminal identifier by calculating according to the following formula:
HOTP(K,C)=Truncate(HMAC-SHA-1(K,C));
wherein: HOTP (K, C) is the generated dynamic key; k is seed, K ═ MD5(IMEI + IMSI); c is a counter of the user identity identification module; truncate (HMAC-SHA-1(K, C)) is a dynamic key generation algorithm.
Optionally, the server generates a mobile terminal public key digital certificate according to the mobile terminal identifier and the public key in the mobile terminal key pair, including:
the server side sends the mobile terminal identification and the public key in the mobile terminal key pair to the authentication system;
the authentication system generates a mobile terminal public key digital certificate according to the mobile terminal identification and the public key, and sends the mobile terminal public key digital certificate to the server terminal.
Optionally, the sending, by the mobile terminal, the signature information to the server, and the forwarding, by the server, the signature information to the authentication system includes:
the mobile terminal generates original information to be sent and sends the original information to be sent and the mobile terminal identification to the digital signature unit;
the digital signature unit extracts an encrypted private key from the mobile digital certificate, decrypts the encrypted private key, and digitally signs the mobile terminal identifier and original information to be sent to generate signature information;
the digital signature unit sends the signature information to the server, and the server performs format conversion on the signature information and sends the signature information to the authentication system.
Optionally, the generating, by the authentication system, authentication response information according to the signature information includes:
the authentication system extracts the mobile terminal identification and the mobile digital certificate of the corresponding mobile terminal according to the signature information;
the authentication system extracts a corresponding public key file in an external database according to the mobile terminal identification, and performs signature information verification on the mobile digital certificate through the public key file; if the verification fails, returning to the mobile terminal to send the signature information to the server terminal, and forwarding the signature information to the authentication system by the server terminal; if the verification is successful, the original information to be sent and the mobile digital certificate are digitally signed through a private key in the mobile terminal key pair, and authentication response information is obtained.
Optionally, the generating, by the certificate dependent terminal, an authentication result according to the authentication response information includes:
the certificate dependent terminal verifies the digital signature of the private key in the mobile terminal key pair in the authentication response information according to the public key in the corresponding mobile terminal key pair in the authentication system;
if the digital signature in the authentication response information is successfully verified, extracting the mobile terminal identification and the original information content to be sent from the authentication response information to complete identity authentication;
and if the verification of the digital signature in the authentication response information fails, generating an alarm that the identity of the mobile terminal is not authenticated.
A mobile digital certificate service method, system, computer device, and medium, comprising:
a computer device comprising a memory storing a computer program and a processor implementing the steps of the method described above when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method.
In conclusion, the invention has the following beneficial effects: the method comprises the steps that a mobile terminal can send digital certificate request information to a corresponding server, the digital certificate request information comprises identification information and an initial counter value of the mobile terminal, the server registers the identification information and the initial counter value of the mobile terminal and generates a record, then a corresponding mobile digital certificate is generated according to the identification information and the initial counter value of the mobile terminal, and then the mobile digital certificate is sent to the mobile terminal; at this time, the mobile terminal already has a corresponding mobile digital certificate, so that when the mobile terminal needs to perform signature authentication, the mobile terminal needs to send signature information to the server, wherein the signature information comprises original information to be sent and identification information of the mobile terminal; the server side transcodes the signature information to enable the signature information to be in accordance with a decoding format of the authentication system, then forwards the signature information to the authentication system, the authentication system verifies the signature information according to the mobile terminal identification information and the mobile digital certificate attached to the signature information, generates corresponding authentication response information according to a verification result and sends the authentication response information to the server side, and the server side transcodes the authentication response information and sends the transcoded authentication response information to the mobile terminal; if the verification result is successful, the mobile terminal can send the corresponding authentication response information to the certificate dependent terminal needing signature authentication, the certificate dependent terminal signs the file needing signature authentication according to the authentication response information, and the corresponding authentication result is generated to prompt the user and realize the authentication service of the mobile terminal.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a block diagram of the present invention in its assembled configuration;
fig. 3 is an internal structural diagram of a computer device in an embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below. Several embodiments of the invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.
In the present invention, unless otherwise expressly specified or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations. The terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.
In the present invention, unless otherwise expressly stated or limited, "above" or "below" a first feature means that the first and second features are in direct contact, or that the first and second features are not in direct contact but are in contact with each other via another feature therebetween. Also, the first feature being "on," "above" and "over" the second feature includes the first feature being directly on and obliquely above the second feature, or merely indicating that the first feature is at a higher level than the second feature. A first feature being "under," "below," and "beneath" a second feature includes the first feature being directly under and obliquely below the second feature, or simply meaning that the first feature is at a lesser elevation than the second feature. The terms "vertical," "horizontal," "left," "right," "up," "down," and the like are used for descriptive purposes only and are not intended to indicate or imply that the referenced devices or elements must be in a particular orientation, configuration, and operation, and therefore should not be construed as limiting the present invention.
The invention is described in detail below with reference to the figures and examples.
The invention provides a mobile digital certificate service method, as shown in fig. 1, comprising:
step 100, the mobile terminal sends digital certificate request information to a server;
step 200, the server generates a corresponding mobile digital certificate according to the digital certificate request information, stores the mobile digital certificate in an authentication system, and sends the mobile digital certificate to the mobile terminal;
step 300, the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system;
step 400, the authentication system generates authentication response information according to the signature information and sends the authentication response information to the server, and the server sends the authentication response information to the mobile terminal;
and 500, the mobile terminal sends the authentication response information to the certificate dependent terminal, and the certificate dependent terminal generates an authentication result according to the authentication response information.
In practical application, a mobile terminal is a terminal which communicates with the internet, such as a mobile phone, a tablet personal computer and the like, when a user needs digital certificate authentication service, the mobile terminal can send digital certificate request information to a corresponding server, the digital certificate request information comprises identification information and an initial counter value of the mobile terminal, and the identification information can be an equipment identification code or a mobile user identification code of the mobile terminal; the initial counter value can be the initial value of a 4-byte counter stored in the user identity module card; the server side is a corresponding digital certificate authorization server, registers identification information and an initial counter value of the mobile side, generates a record, generates a corresponding mobile digital certificate according to the identification information and the initial counter value of the mobile side, and then sends the mobile digital certificate to the mobile side; at this time, the mobile terminal already has a corresponding mobile digital certificate, so that when the mobile terminal needs to perform signature authentication, the mobile terminal needs to send signature information to the server, wherein the signature information comprises original information to be sent and identification information of the mobile terminal; the server side transcodes the signature information to enable the signature information to be in accordance with a decoding format of the authentication system, then forwards the signature information to the authentication system, the authentication system verifies the signature information according to the mobile terminal identification information and the mobile digital certificate attached to the signature information, generates corresponding authentication response information according to a verification result and sends the authentication response information to the server side, and the server side transcodes the authentication response information and sends the transcoded authentication response information to the mobile terminal; if the verification result is successful, the mobile terminal can send the corresponding authentication response information to the certificate dependent terminal needing signature authentication, the certificate dependent terminal signs the file needing signature authentication according to the authentication response information, and the corresponding authentication result is generated to prompt the user and realize the authentication service of the mobile terminal.
Further, the server generates a corresponding mobile digital certificate according to the digital certificate request information, including:
the server side obtains a mobile terminal identification and a mobile terminal key pair according to the digital certificate request information;
the server generates a mobile terminal public key digital certificate according to the mobile terminal identification and a public key in the mobile terminal key pair;
the server generates a dynamic key according to the mobile terminal identifier;
the server side encrypts a private key in the mobile terminal key pair through the dynamic key to obtain an encrypted private key;
and the server stores the encrypted private key in the mobile terminal public key digital certificate to obtain the mobile digital certificate.
In practical application, the server generates a mobile terminal key pair, namely a public key and a private key, by using public key algorithms such as RSA and ECC; the mobile terminal identification is an equipment identification code or a mobile user identification code, or can be a pseudo code uniquely corresponding to the equipment identification code or the mobile user identification code, and a corresponding mobile terminal public key digital certificate is generated according to the equipment identification code or the mobile user identification code, the pseudo code thereof and the public key; in order to ensure the use safety of the mobile terminal public key digital certificate, the server can generate a dynamic secret key according to the mobile terminal identification, encrypt the private key to obtain an encrypted private key, and store the encrypted private key into the mobile terminal public key digital certificate to obtain the mobile digital certificate with the encrypted private key.
Optionally, the server generates the dynamic key according to the mobile terminal identifier by calculation according to the following formula:
HOTP(K,C)=Truncate(HMAC-SHA-1(K,C));
wherein: HOTP (K, C) is the generated dynamic key; k is seed, K ═ MD5(IMEI + IMSI); c is a counter of the user identity identification module; truncate (HMAC-SHA-1(K, C)) is a dynamic key generation algorithm.
In practical applications, the dynamic key generation algorithm is specifically HS ═ HMAC-SHA-1(K, C); here, a Hash information Authentication Codes (HMAC) Secure Hash Algorithm (SHA), i.e., HMAC-SHA, is used to calculate 20 bytes of digest data HS;
offset is Low4Bit (HS 19); here, the digest data HS takes the lower 4 bits of the last byte of the HS array from the Offset starting from the 19 th bit to obtain a value of 0x0-0xf, which is used as an Offset. Offset is a number between 0 and 15, and ensures that the over-bit overflow exception does not occur when four bytes are taken according to the Offset in the 20-byte array; HS [ Offset ] &0x8 f; here, according to the Offset positioning, 4 bytes are taken from the HS array, the sign bit of the first byte is removed, and the first byte is the highest bit;
digit ═ 4BytetoI nt (HS Offset); here, the continuous 4 bytes at the Offset are converted into an integer;
digit% 1000000 here, the HS generated above is truncated, taking one million modulo, to get the 6 numeric characters displayed, which are the dynamic keys. In this case, Digit is a long integer of the along type, and in order to obtain 6 digits, it takes a modulus of 1000000 (8 digits take a modulus of 100000000); after some numbers are subjected to modulus extraction, the possible real numbers are less than 6 bits, and at the moment, 0 is supplemented to the front end; and encrypting the user private key by using the dynamic secret key and public key algorithm to generate an encrypted private key.
Optionally, the generating, by the server, a mobile public key digital certificate according to the mobile identity and a public key in the mobile secret key pair includes:
the server side sends the mobile terminal identification and the public key in the mobile terminal key pair to the authentication system;
the authentication system generates a mobile terminal public key digital certificate according to the mobile terminal identification and the public key, and sends the mobile terminal public key digital certificate to the server terminal.
In practical application, the authentication system may generate a mobile terminal public key digital certificate according to the mobile terminal identifier, that is, the device identification code or the mobile subscriber identification code, or a pseudo code uniquely corresponding to the device identification code or the mobile subscriber identification code, and the public key in the mobile terminal key pair, and return the mobile terminal public key digital certificate to the service terminal.
Further, the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system, including:
the mobile terminal generates original information to be sent and sends the original information to be sent and the mobile terminal identification to the digital signature unit;
the digital signature unit extracts an encrypted private key from the mobile digital certificate, decrypts the encrypted private key, and digitally signs the mobile terminal identifier and original information to be sent to generate signature information;
the digital signature unit sends the signature information to the server, and the server performs format conversion on the signature information and sends the signature information to the authentication system.
In practical application, original information to be sent comprises information content and a certificate dependence terminal address; the digital signature unit needs to extract an encrypted private key from the mobile digital certificate, decrypt the encrypted private key to obtain a private key, and print a digital signature corresponding to the private key for original information to be sent and a mobile terminal identifier to ensure the security of the information.
Further, the authentication system generates authentication response information according to the signature information, and includes:
the authentication system extracts the mobile terminal identification and the mobile digital certificate of the corresponding mobile terminal according to the signature information;
the authentication system extracts a corresponding public key file in an external database according to the mobile terminal identification, and performs signature information verification on the mobile digital certificate through the public key file; if the verification fails, returning to the mobile terminal to send the signature information to the server terminal, and forwarding the signature information to the authentication system by the server terminal; if the verification is successful, the original information to be sent and the mobile digital certificate are digitally signed through a private key in the mobile terminal key pair, and authentication response information is obtained.
In practical application, the authentication system can carry out signature verification according to the private key of the mobile digital certificate of the user and the public key file stored in the authentication system, and the private key and the public key of the mobile digital certificate of the same user are kept associated when the private key and the public key are sent to the authentication system at the server side, so that signature information verification can be realized only by verifying whether the private key of the mobile digital certificate is associated with the public key file stored in the authentication system.
Further, the certificate dependent terminal generates an authentication result according to the authentication response information, including:
the certificate dependent terminal verifies the digital signature of the private key in the mobile terminal key pair in the authentication response information according to the public key in the corresponding mobile terminal key pair in the authentication system;
if the digital signature in the authentication response information is successfully verified, extracting the mobile terminal identification and the original information content to be sent from the authentication response information to complete identity authentication;
and if the verification of the digital signature in the authentication response information fails, generating an alarm that the identity of the mobile terminal is not authenticated.
In practical application, the certificate dependent terminal needs to extract a public key file from a digital certificate library in the authentication system and verify the public key file with a private key file signature in the authentication response information, and the verification is successful, namely the authentication response information received by the certificate dependent terminal is a real and effective signature, so that the certificate authentication service can be completed; if the verification fails, only the information content is extracted from the authentication response information, and the mobile terminal is prompted that the identity of the information is not authenticated.
As shown in fig. 2, the present invention also provides a mobile digital certificate service system, including:
the mobile terminal 10 is configured to send digital certificate request information and signature information to the server, receive a mobile digital certificate and authentication response information sent by the server, and send the authentication response information to the certificate dependent terminal;
the server 20 is configured to generate a corresponding mobile digital certificate according to the digital certificate request information sent by the mobile terminal, store the mobile digital certificate in the authentication system, and send the mobile digital certificate to the mobile terminal; the system is used for receiving signature information sent by the mobile terminal and forwarding the signature information to the authentication system; the mobile terminal is used for receiving authentication response information sent by the authentication system and sending the authentication response information to the mobile terminal;
the authentication system 30 is used for generating authentication response information according to the signature information and sending the authentication response information to the server;
and the certificate dependent terminal 40 is used for receiving the authentication response information sent by the mobile terminal and generating an authentication result according to the authentication response information.
Furthermore, the server is also used for obtaining a mobile terminal identifier and a mobile terminal key pair according to the digital certificate request information; generating a mobile terminal public key digital certificate according to the mobile terminal identification and a public key in a mobile terminal key pair; generating a dynamic key according to the mobile terminal identification; encrypting a private key in a mobile terminal key pair through a dynamic key to obtain an encrypted private key; and storing the encrypted private key in the public key digital certificate of the mobile terminal to obtain the mobile digital certificate.
Further, the server is also used for sending the mobile terminal identification and the public key in the mobile terminal key pair to the authentication system; and the authentication system is used for generating a mobile terminal public key digital certificate according to the mobile terminal identification and the public key and sending the mobile terminal public key digital certificate to the server terminal.
Further, the mobile terminal is configured to generate original information to be sent, and send the original information to be sent and the mobile terminal identifier to the digital signature unit; the digital signature unit is used for extracting the encrypted private key from the mobile digital certificate, decrypting the encrypted private key, digitally signing the mobile terminal identification and the original information to be sent to generate signature information and sending the signature information to the server;
and the server is also used for carrying out format conversion on the signature information and then sending the signature information to the authentication system.
Furthermore, the authentication system is also used for extracting a mobile terminal identifier and a mobile digital certificate of the corresponding mobile terminal according to the signature information; extracting a corresponding public key file in an external database according to the mobile terminal identification, and verifying signature information of the mobile digital certificate through the public key file; if the verification fails, returning to the mobile terminal to send the signature information to the server terminal, and forwarding the signature information to the authentication system by the server terminal; if the verification is successful, the original information to be sent and the mobile digital certificate are digitally signed through a private key in the mobile terminal key pair, and authentication response information is obtained.
Further, the certificate dependent terminal is also used for verifying the digital signature of the private key in the mobile terminal key pair in the authentication response information according to the public key in the corresponding mobile terminal key pair in the authentication system; if the digital signature in the authentication response information is successfully verified, extracting the mobile terminal identification and the original information content to be sent from the authentication response information to complete identity authentication; and if the verification of the digital signature in the authentication response information fails, generating an alarm that the identity of the mobile terminal is not authenticated.
For a specific limitation of a mobile digital certificate service system, reference may be made to the above limitation on a mobile digital certificate service method, which is not described herein again. The modules in the mobile digital certificate service system can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The computer program is executed by a processor to implement a mobile digital certificate service method.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program: the mobile terminal sends digital certificate request information to the server terminal;
the server generates a corresponding mobile digital certificate according to the digital certificate request information, stores the mobile digital certificate in an authentication system and sends the mobile digital certificate to the mobile terminal;
the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system;
the authentication system generates authentication response information according to the signature information and sends the authentication response information to the server side, and the server side sends the authentication response information to the mobile side;
and the mobile terminal sends the authentication response information to the certificate dependent terminal, and the certificate dependent terminal generates an authentication result according to the authentication response information.
In one embodiment, the server generates the corresponding mobile digital certificate according to the digital certificate request information, including:
the server side obtains a mobile terminal identification and a mobile terminal key pair according to the digital certificate request information;
the server generates a mobile terminal public key digital certificate according to the mobile terminal identification and a public key in the mobile terminal key pair;
the server generates a dynamic key according to the mobile terminal identifier;
the server side encrypts a private key in the mobile terminal key pair through the dynamic key to obtain an encrypted private key;
and the server stores the encrypted private key in the mobile terminal public key digital certificate to obtain the mobile digital certificate.
In one embodiment, the server generates the dynamic key according to the mobile terminal identifier by calculation according to the following formula:
HOTP(K,C)=Truncate(HMAC-SHA-1(K,C));
wherein: HOTP (K, C) is the generated dynamic key; k is seed, K ═ MD5(IMEI + IMSI); c is a counter of the user identity identification module; truncate (HMAC-SHA-1(K, C)) is a dynamic key generation algorithm.
In one embodiment, the server generates a mobile terminal public key digital certificate according to the mobile terminal identifier and a public key in a mobile terminal key pair, including:
the server side sends the mobile terminal identification and the public key in the mobile terminal key pair to the authentication system;
the authentication system generates a mobile terminal public key digital certificate according to the mobile terminal identification and the public key, and sends the mobile terminal public key digital certificate to the server terminal.
In one embodiment, the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system, including:
the mobile terminal generates original information to be sent and sends the original information to be sent and the mobile terminal identification to the digital signature unit;
the digital signature unit extracts an encrypted private key from the mobile digital certificate, decrypts the encrypted private key, and digitally signs the mobile terminal identifier and original information to be sent to generate signature information;
the digital signature unit sends the signature information to the server, and the server performs format conversion on the signature information and sends the signature information to the authentication system.
In one embodiment, the authentication system generates authentication response information from the signature information, including:
the authentication system extracts the mobile terminal identification and the mobile digital certificate of the corresponding mobile terminal according to the signature information;
the authentication system extracts a corresponding public key file in an external database according to the mobile terminal identification, and performs signature information verification on the mobile digital certificate through the public key file; if the verification fails, returning to the mobile terminal to send the signature information to the server terminal, and forwarding the signature information to the authentication system by the server terminal; if the verification is successful, the original information to be sent and the mobile digital certificate are digitally signed through a private key in the mobile terminal key pair, and authentication response information is obtained.
In one embodiment, the certificate dependent terminal generates an authentication result according to the authentication response information, including:
the certificate dependent terminal verifies the digital signature of the private key in the mobile terminal key pair in the authentication response information according to the public key in the corresponding mobile terminal key pair in the authentication system;
if the digital signature in the authentication response information is successfully verified, extracting the mobile terminal identification and the original information content to be sent from the authentication response information to complete identity authentication;
and if the verification of the digital signature in the authentication response information fails, generating an alarm that the identity of the mobile terminal is not authenticated.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by hardware instructions of a computer program, which may be stored in a non-volatile computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.

Claims (10)

1. A mobile digital certificate service method, comprising:
the mobile terminal sends digital certificate request information to the server terminal;
the server generates a corresponding mobile digital certificate according to the digital certificate request information, stores the mobile digital certificate in an authentication system and sends the mobile digital certificate to the mobile terminal;
the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system;
the authentication system generates authentication response information according to the signature information and sends the authentication response information to the server side, and the server side sends the authentication response information to the mobile side;
and the mobile terminal sends the authentication response information to the certificate dependent terminal, and the certificate dependent terminal generates an authentication result according to the authentication response information.
2. The method according to claim 1, wherein the server generates the corresponding mobile digital certificate according to the digital certificate request information, including:
the server side obtains a mobile terminal identification and a mobile terminal key pair according to the digital certificate request information;
the server generates a mobile terminal public key digital certificate according to the mobile terminal identification and a public key in the mobile terminal key pair;
the server generates a dynamic key according to the mobile terminal identifier;
the server side encrypts a private key in the mobile terminal key pair through the dynamic key to obtain an encrypted private key;
and the server stores the encrypted private key in the mobile terminal public key digital certificate to obtain the mobile digital certificate.
3. The method according to claim 2, wherein the server generates the dynamic key according to the mobile terminal identifier by calculating according to the following formula:
HOTP(K,C)=Truncate(HMAC-SHA-1(K,C));
wherein: HOTP (K, C) is the generated dynamic key; k is seed, K ═ MD5(IMEI + IMSI); c is a counter of the user identity identification module; truncate (HMAC-SHA-1(K, C)) is a dynamic key generation algorithm.
4. The method according to claim 3, wherein the server generates a mobile terminal public key digital certificate according to the mobile terminal identifier and a public key in a mobile terminal key pair, including:
the server side sends the mobile terminal identification and the public key in the mobile terminal key pair to the authentication system;
the authentication system generates a mobile terminal public key digital certificate according to the mobile terminal identification and the public key, and sends the mobile terminal public key digital certificate to the server terminal.
5. The method of claim 4, wherein the mobile terminal sends the signature information to the server terminal, and the server terminal forwards the signature information to the authentication system, including:
the mobile terminal generates original information to be sent and sends the original information to be sent and the mobile terminal identification to the digital signature unit;
the digital signature unit extracts an encrypted private key from the mobile digital certificate, decrypts the encrypted private key, and digitally signs the mobile terminal identifier and original information to be sent to generate signature information;
the digital signature unit sends the signature information to the server, and the server performs format conversion on the signature information and sends the signature information to the authentication system.
6. The method of claim 5, wherein the authentication system generates authentication response information based on the signature information, comprising:
the authentication system extracts the mobile terminal identification and the mobile digital certificate of the corresponding mobile terminal according to the signature information;
the authentication system extracts a corresponding public key file in an external database according to the mobile terminal identification, and performs signature information verification on the mobile digital certificate through the public key file; if the verification fails, returning to the mobile terminal to send the signature information to the server terminal, and forwarding the signature information to the authentication system by the server terminal; if the verification is successful, the original information to be sent and the mobile digital certificate are digitally signed through a private key in the mobile terminal key pair, and authentication response information is obtained.
7. The method according to claim 6, wherein the certificate dependent terminal generates an authentication result according to the authentication response information, and comprises:
the certificate dependent terminal verifies the digital signature of the private key in the mobile terminal key pair in the authentication response information according to the public key in the corresponding mobile terminal key pair in the authentication system;
if the digital signature in the authentication response information is successfully verified, extracting the mobile terminal identification and the original information content to be sent from the authentication response information to complete identity authentication;
and if the verification of the digital signature in the authentication response information fails, generating an alarm that the identity of the mobile terminal is not authenticated.
8. A mobile digital certificate service system, comprising:
the mobile terminal is used for sending the digital certificate request information and the signature information to the server terminal, receiving the mobile digital certificate and the authentication response information sent by the server terminal, and sending the authentication response information to the certificate dependent terminal;
the server is used for generating a corresponding mobile digital certificate according to the digital certificate request information sent by the mobile terminal, storing the mobile digital certificate in the authentication system and sending the mobile digital certificate to the mobile terminal; the system is used for receiving signature information sent by the mobile terminal and forwarding the signature information to the authentication system; the mobile terminal is used for receiving authentication response information sent by the authentication system and sending the authentication response information to the mobile terminal;
the authentication system is used for generating authentication response information according to the signature information and sending the authentication response information to the server;
and the certificate dependent terminal is used for receiving the authentication response information sent by the mobile terminal and generating an authentication result according to the authentication response information.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202210598499.5A 2022-05-30 2022-05-30 Mobile digital certificate service method Pending CN115021931A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210598499.5A CN115021931A (en) 2022-05-30 2022-05-30 Mobile digital certificate service method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210598499.5A CN115021931A (en) 2022-05-30 2022-05-30 Mobile digital certificate service method

Publications (1)

Publication Number Publication Date
CN115021931A true CN115021931A (en) 2022-09-06

Family

ID=83070821

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210598499.5A Pending CN115021931A (en) 2022-05-30 2022-05-30 Mobile digital certificate service method

Country Status (1)

Country Link
CN (1) CN115021931A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616409A (en) * 2009-07-28 2009-12-30 徐嵩 A kind of dynamic password authentication method
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
CN102202307A (en) * 2011-06-17 2011-09-28 刘明晶 Mobile terminal identity authentication system and method based on digital certificate
EP2747366A1 (en) * 2012-12-24 2014-06-25 British Telecommunications public limited company Client/server access authentication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616409A (en) * 2009-07-28 2009-12-30 徐嵩 A kind of dynamic password authentication method
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
CN102202307A (en) * 2011-06-17 2011-09-28 刘明晶 Mobile terminal identity authentication system and method based on digital certificate
EP2747366A1 (en) * 2012-12-24 2014-06-25 British Telecommunications public limited company Client/server access authentication

Similar Documents

Publication Publication Date Title
CN109471844B (en) File sharing method and device, computer equipment and storage medium
US7373509B2 (en) Multi-authentication for a computing device connecting to a network
US8724819B2 (en) Credential provisioning
EP1728352B1 (en) Secure data transfer
CN111010367B (en) Data storage method and device, computer equipment and storage medium
CN109756343A (en) Authentication method, device, computer equipment and the storage medium of digital signature
KR20180048793A (en) Identification method and apparatus
US20080130879A1 (en) Method and system for a secure PKI (Public Key Infrastructure) key registration process on mobile environment
KR20080041153A (en) Providing multimedia system security to removable user identity modules
CN113472793B (en) Personal data protection system based on hardware password equipment
CN111614621B (en) Internet of things communication method and system
CN111294203B (en) Information transmission method
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN113572743A (en) Data encryption and decryption method and device, computer equipment and storage medium
CN114244508B (en) Data encryption method, device, equipment and storage medium
CN112583588B (en) Communication method and device and readable storage medium
CN110941861B (en) File protection method and device, computer equipment and medium
CN116527261A (en) Key recovery method, electronic device and storage medium
CN115021931A (en) Mobile digital certificate service method
NL1043779B1 (en) Method for electronic signing and authenticaton strongly linked to the authenticator factors possession and knowledge
CN114358932A (en) Authentication processing method and device
CN110071908B (en) Terminal binding method and device, computer equipment and storage medium
CN117040760B (en) Layout file signing method supporting double algorithms
CN113872769B (en) Device authentication method and device based on PUF, computer device and storage medium
CN112287399B (en) Digital signature method, system and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination