CN116321122A - Backup method of anonymous certificate on new terminal equipment - Google Patents

Info

Publication number: CN116321122A
Authority: CN (China)
Prior art keywords: certificate, anonymous, identity, backed, backup
Legal status: Pending
Application number: CN202310216886.2A
Other languages: Chinese (zh)
Inventors: 雷灵光, 荆继武, 王跃武, 王平建, 刘丽敏, 寇春静, 何俊霖
Current Assignee: University of Chinese Academy of Sciences
Original Assignee: University of Chinese Academy of Sciences
Priority date: 2023-03-08
Filing date: 2023-03-08
Publication date: 2023-06-23
Application filed by University of Chinese Academy of Sciences
Priority to CN202310216886.2A
Publication of CN116321122A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • H04W12/30: Security of mobile devices; Security of mobile applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for backing up an anonymous certificate on a new terminal device, comprising the following steps: a) the owner of the anonymous certificate to be backed up applies for and stores the owner's identity certificate on the new terminal device; b) on the new terminal device, the owner generates a public-private key pair for the backup anonymous certificate, together with backup anonymous certificate application information, identity verification information and authorization information, and sends the application information, the identity verification information and the authorization information to an anonymous certificate issuing authority; c) the anonymous certificate issuing authority uses the identity verification information to verify that the identity of the backup applicant is consistent with the identity of the owner of the anonymous certificate to be backed up, and uses the authorization information to verify that the backup operation is authorized by the network application corresponding to the anonymous certificate to be backed up; if both verifications pass, it issues a backup anonymous certificate; d) the anonymous certificate issuing authority synchronizes the issued backup anonymous certificate to the new terminal device and to the network application corresponding to the anonymous certificate to be backed up. The invention ensures the availability and security of services that rely on the anonymous certificate.

Description

Backup method of anonymous certificate on new terminal equipment
Technical Field
The invention relates to the technical field of information transmission, in particular to a backup method of an anonymous certificate on new terminal equipment.
Background
In sensitive services such as internet banking and electronic payment, a service provider typically issues a digital certificate to the user, loaded on a USBKey (e.g., a bank's U-shield), to secure user login and critical sensitive operations (e.g., large transfers). However, with the spread of the mobile internet, more and more users handle sensitive services such as mobile banking and mobile payment on mobile terminals. Many vendors have therefore released software cryptographic module products (soft keys) that can be deployed on a mobile terminal, so that the terminal itself serves as the digital certificate carrier, which solves the problem that a traditional USBKey is difficult to deploy on a mobile terminal. Compared with a USBKey, however, mobile terminals are replaced frequently, and one user owning several terminals is very common, so ensuring the continuity and convenience of certificate-related services when a terminal is replaced or a user has multiple terminals is a problem that urgently needs solving.
Disclosure of Invention
To address this technical problem, the invention provides a method for backing up an anonymous certificate on a new terminal device, which securely backs up a digital certificate issued by a service provider across multiple terminals.
To solve the technical problem, embodiments of the invention adopt the following technical scheme:
In this backup method, an anonymous certificate is a digital certificate, together with its corresponding private key, that represents a user's specific anonymous identity in a specific network application and contains no real identity information. The new terminal device is a terminal device that does not yet store an anonymous certificate for the anonymous identity represented by the anonymous certificate to be backed up. The backup operation is the process of generating and storing, on the new terminal device, a backup anonymous certificate for that anonymous identity; the backup anonymous certificate and the anonymous certificate to be backed up represent the same anonymous identity but have different public-private key pairs. The method involves the network application certificate corresponding to the anonymous certificate to be backed up, the owner of the anonymous certificate to be backed up, the new terminal device, the anonymous certificate issuing authority and the identity certificate, and comprises the following steps:
a) The owner of the anonymous certificate to be backed up applies for and stores the identity certificate on the new terminal device;
b) The owner of the anonymous certificate to be backed up initiates an anonymous certificate backup application on the new terminal device, which includes generating: a public-private key pair for the backup anonymous certificate; a backup anonymous certificate application message signed with the backup anonymous certificate's private key; an identity verification message signed with the private key of the identity certificate applied for in step a); and an authorization message signed with the private key of the network application certificate corresponding to the anonymous certificate to be backed up;
c) The owner of the anonymous certificate to be backed up sends the backup anonymous certificate application message, the identity verification message and the authorization message to the anonymous certificate issuing authority;
d) The anonymous certificate issuing authority uses the identity verification message to verify that the identity of the backup applicant is consistent with the identity of the owner of the anonymous certificate to be backed up, and uses the authorization message to verify that the backup operation is authorized by the network application corresponding to the anonymous certificate to be backed up; if both verifications pass, it issues a backup anonymous certificate;
e) The anonymous certificate issuing authority synchronizes the issued backup anonymous certificate to the new terminal device and to the network application corresponding to the anonymous certificate to be backed up.
The identity certificate in step a) is a digital certificate containing a user identity ID, together with its private key. The identity certificate on the terminal device that holds the anonymous certificate to be backed up and the identity certificate generated on the new terminal device contain the same identity ID but have different public-private key pairs.
Alternatively, the identity certificate may be a real-name digital certificate containing a natural person's real-name identity ID, with its private key, or an anonymous-identity digital certificate containing a natural person's network identity ID, with its private key.
The backup anonymous certificate application message in step b) comprises the anonymous identity ID represented by the anonymous certificate, the backup anonymous certificate public key, the network application identifier corresponding to the anonymous certificate to be backed up, and a signature over this content made with the backup anonymous certificate private key. The identity verification message comprises the public key of the backup anonymous certificate, the identifier of the identity certificate generated in step a), the identity certificate identifier to be backed up, and a signature over this content made with the private key of the identity certificate generated in step a). The authorization message comprises the public key of the backup anonymous certificate, the identifier of the identity certificate generated in step a), and a signature over this content made with the private key of the network application certificate corresponding to the anonymous certificate to be backed up.
Optionally, the backup anonymous certificate application message, the identity verification message and the authorization message in step b) may be combined into one message.
Optionally, the backup anonymous certificate application message in step b) may include device information of the new terminal device, including but not limited to a device name and a device identifier.
In step c), the anonymous certificate issuing authority maintains the correspondence between anonymous certificates and identity certificates.
The identity verification in step d) proceeds as follows: the issuing authority obtains the corresponding identity certificate (that is, the identity certificate corresponding to the anonymous certificate to be backed up) according to the identifier of the anonymous certificate to be backed up in the identity verification message; the verification passes if that identity certificate has the same identity ID as the identity certificate generated on the new terminal device and named in the identity verification message, both identity certificates are valid, and the signature of the identity verification message is valid.
Verification of the authorization message in step d) includes verifying that the network application certificate is valid and that the signature of the authorization message is valid.
The network application identifier corresponding to the anonymous certificate to be backed up may be a character string that uniquely identifies the network application, the network application certificate's serial number, or the network application certificate itself. The identity certificate identifier and the identifier of the anonymous certificate to be backed up may each be the certificate serial number, which uniquely identifies the certificate, or the certificate itself.
The technical scheme of the invention has the following beneficial effects:
When a user accesses a network application with an anonymous certificate, the invention allows the anonymous certificate of the same user in the same network application to be deployed securely on the user's different terminal devices, so that the user can move between terminal devices and access the corresponding network application with the anonymous certificate in the same way on each. The invention also ensures the availability and security of services that rely on the anonymous certificate when a user starts using a new terminal, discards an old terminal, or loses a terminal.
Drawings
Fig. 1 is a schematic diagram of an embodiment of a backup method of anonymous certificates on a new terminal device according to the present invention.
Fig. 2 is a system architecture of the present invention.
Detailed Description
In order that those of ordinary skill in the art will readily understand and practice the invention, embodiments of the invention will be further described with reference to the drawings.
Fig. 1 shows an embodiment of the backup method of anonymous certificates on a new terminal device, and Fig. 2 shows the system architecture. The system shown in Fig. 2 comprises an anonymous certificate terminal password suite, an anonymous certificate management server and a digital certificate issuing system. The anonymous certificate terminal password suite is installed on the mobile terminal, manages the anonymous certificate and its private key for the terminal, and provides cryptographic operation support for the terminal device. The anonymous certificate management server is deployed on a remote server, maintains the associations between an anonymous certificate and the terminal device, identity certificate, network application and so on, and provides anonymous certificate storage and query services to users. The digital certificate issuing system issues and manages anonymous certificates, identity certificates and certificate revocation lists. The anonymous certificate terminal password suite is connected to the anonymous certificate management server through a secure network channel, and the anonymous certificate management server is connected to the digital certificate issuing system through a secure network channel. In this system, the anonymous certificate terminal password suite can be implemented as an APP or an SDK on the user's mobile terminal; the anonymous certificate management server may be implemented as an application or website on a server or PC; the digital certificate issuing system is a standard digital certificate issuing system.
The anonymous credential backup flow shown in fig. 1 is as follows:
a) The owner of the anonymous certificate to be backed up applies for and stores the identity certificate on the new terminal device through the terminal password suite of the anonymous certificate.
b) The owner of the anonymous certificate to be backed up initiates an anonymous certificate backup application on the new terminal device through the anonymous certificate terminal password suite. This comprises the following steps:
● Calling the anonymous certificate terminal password suite to obtain the list of anonymous certificates the user has currently applied for, and selecting an anonymous certificate to back up;
● Calling the anonymous certificate terminal password suite to generate a public-private key pair for the backup anonymous certificate;
● Generating a backup anonymous certificate application message, which comprises the anonymous identity ID extracted from the selected anonymous certificate to be backed up, the network application identifier corresponding to that certificate, a device name, the backup anonymous certificate public key generated in the previous step, and a signature over this content made with the backup anonymous certificate private key generated in the previous step;
● Generating an identity verification message, which comprises the public key of the backup anonymous certificate, the identifier of the identity certificate generated in step a), the identity certificate identifier to be backed up, and a signature over this content made with the private key of the identity certificate generated in step a);
● Generating an authorization message, which comprises the public key of the backup anonymous certificate, the identifier of the identity certificate generated in step a), and a signature over this content made with the private key of the network application certificate corresponding to the anonymous certificate to be backed up;
c) The owner of the anonymous certificate to be backed up sends a backup anonymous certificate application message, an identity verification message and an authorization message to an anonymous certificate management server;
d) The anonymous certificate management server verifies that the identity of the backup operation applicant is indeed consistent with the identity of the anonymous certificate owner to be backed up through an identity verification message, and verifies that the backup operation is authorized by the network application corresponding to the anonymous certificate to be backed up through an authorization message; if the two verifications pass, an anonymous certificate application request is sent to a digital certificate issuing system;
e) The digital certificate issuing system issues a backup anonymous certificate and returns it to the anonymous certificate management server; the anonymous certificate management server records the correspondence between the new certificate and the identity certificate, the terminal device and the network application, and synchronizes the backup anonymous certificate to the new terminal device and to the network application corresponding to the anonymous certificate to be backed up.
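The step d) checks of this flow, applied to the three messages defined in the disclosure, as an added Go example that is not part of the patent. Assumptions: Ed25519 signatures, a length-prefixed encoding with a message-type tag, certificate serial numbers as identifiers, the identity verification message carrying the serial of the anonymous certificate to be backed up (as the step d) description reads), and a `Valid` flag standing in for certificate validation; all type names, function names and sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a simplified certificate record (real deployments use X.509).
type Cert struct {
	Subject string // identity ID (or application name)
	Pub     ed25519.PublicKey
	Valid   bool // stands in for expiry and revocation checks
}

// Request bundles the three signed messages of step b); identifiers are serials.
type Request struct {
	AnonID, AppID, NewIDSerial, OldAnonSerial string
	BackupPub                                 ed25519.PublicKey
	ApplySig, IDSig, AuthSig                  []byte
}

// Issuer is the state kept by the issuing authority.
type Issuer struct {
	Certs    map[string]Cert   // serial -> identity or application certificate
	AnonToID map[string]string // anonymous cert serial -> identity cert serial
}

// enc length-prefixes each field; the tag (an assumption) separates message types.
func enc(tag string, fields ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range append([][]byte{[]byte(tag)}, fields...) {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	return b.Bytes()
}

func applyMsg(r Request) []byte { return enc("apply", []byte(r.AnonID), r.BackupPub, []byte(r.AppID)) }
func idMsg(r Request) []byte    { return enc("identity", r.BackupPub, []byte(r.NewIDSerial), []byte(r.OldAnonSerial)) }
func authMsg(r Request) []byte  { return enc("authorize", r.BackupPub, []byte(r.NewIDSerial)) }

// Verify performs the step d) checks; nil means a backup certificate may be issued.
func (is Issuer) Verify(r Request) error {
	if len(r.BackupPub) != ed25519.PublicKeySize || !ed25519.Verify(r.BackupPub, applyMsg(r), r.ApplySig) {
		return errors.New("application: no proof of possession of the backup key")
	}
	oldID, okOld := is.Certs[is.AnonToID[r.OldAnonSerial]]
	newID, okNew := is.Certs[r.NewIDSerial]
	if !okOld || !okNew || !oldID.Valid || !newID.Valid {
		return errors.New("identity: certificate unknown or not valid")
	}
	if oldID.Subject != newID.Subject || !ed25519.Verify(newID.Pub, idMsg(r), r.IDSig) {
		return errors.New("identity: applicant is not the owner")
	}
	app, ok := is.Certs[r.AppID]
	if !ok || !app.Valid || !ed25519.Verify(app.Pub, authMsg(r), r.AuthSig) {
		return errors.New("authorization: application certificate or signature not valid")
	}
	return nil
}

func key(seed byte) ed25519.PrivateKey           { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, 32)) }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Scenario returns constructed sample data (fixed seeds, for reproducibility only).
func Scenario() (Issuer, Request, Request) {
	newID, stranger, app, backup := key(1), key(2), key(3), key(4)
	is := Issuer{Certs: map[string]Cert{
		"id-old":   {"user-42", pub(key(5)), true},
		"id-new":   {"user-42", pub(newID), true},
		"id-other": {"user-99", pub(stranger), true},
		"app-bank": {"bank-app", pub(app), true},
	}, AnonToID: map[string]string{"anon-old": "id-old"}}
	mk := func(serial string, idKey ed25519.PrivateKey) Request {
		r := Request{AnonID: "anon-7f3a", AppID: "app-bank", NewIDSerial: serial, OldAnonSerial: "anon-old", BackupPub: pub(backup)}
		r.ApplySig, r.IDSig = ed25519.Sign(backup, applyMsg(r)), ed25519.Sign(idKey, idMsg(r))
		r.AuthSig = ed25519.Sign(app, authMsg(r))
		return r
	}
	return is, mk("id-new", newID), mk("id-other", stranger)
}

func main() {
	is, good, bad := Scenario()
	fmt.Println("owner:", is.Verify(good), "| stranger:", is.Verify(bad))
}
```

Because the authorization message covers both the backup public key and the new identity certificate identifier, an authorization signed for one applicant fails verification when attached to another applicant's request.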
Although specific embodiments of the invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various alternatives, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention is therefore not limited to the particular embodiment disclosed as the best mode contemplated for carrying it out; its scope is that indicated by the appended claims.

Claims (9)

1. A method for backing up anonymous certificates on a new terminal device, comprising the steps of:
a) The owner of the anonymous certificate to be backed up applies for and stores the owner's identity certificate on the selected new terminal device;
b) On the new terminal device, the owner of the anonymous certificate to be backed up generates a public-private key pair corresponding to the backup anonymous certificate, backup anonymous certificate application information signed with the backup anonymous certificate private key, identity verification information signed with the private key of the identity certificate applied for in step a), and authorization information signed with the private key of the network application certificate corresponding to the anonymous certificate to be backed up;
c) The owner of the anonymous certificate to be backed up sends the backup anonymous certificate application information, the identity verification information and the authorization information to an anonymous certificate issuing authority;
d) The anonymous certificate issuing authority verifies, through the identity verification information, whether the identity of the backup operation applicant is consistent with the identity of the owner of the anonymous certificate to be backed up, and verifies, through the authorization information, whether the backup operation is authorized by the network application corresponding to the anonymous certificate to be backed up; if both verifications pass, it issues a backup anonymous certificate;
e) The anonymous certificate issuing authority synchronizes the issued backup anonymous certificate to the new terminal device and to the network application corresponding to the anonymous certificate to be backed up.
2. The method according to claim 1, characterized in that the owner of the anonymous certificate to be backed up applies for and stores the owner's identity certificate on said new terminal device by means of a terminal password suite; the identity certificate comprises a digital certificate with a user identity ID, and its private key; the identity certificate on the terminal device where the anonymous certificate to be backed up is located and the identity certificate generated and stored on the new terminal device contain the same identity ID but have different public-private key pairs.
3. The method of claim 2, wherein the user identity ID is the user's real-name ID or the user's network ID.
4. A method according to claim 1, 2 or 3, wherein the backup anonymous certificate application information includes an anonymous ID represented by the backup anonymous certificate, a public key of the backup anonymous certificate, a network application identifier corresponding to the anonymous certificate to be backed up, and a signature of the above content using a private key of the backup anonymous certificate; the identity verification information comprises the public key of the backup anonymous certificate, the identity certificate identifier generated in step a), the identity certificate identifier to be backed up, and the signature of the identity certificate private key generated in step a) over this content; the authorization information comprises the public key of the backup anonymous certificate, the identity certificate identifier generated in step a), and the signature of the private key of the network application certificate corresponding to the anonymous certificate to be backed up.
5. A method according to claim 1, 2 or 3, wherein the step d) of verifying through said identity verification information whether the identity of the backup operation applicant is consistent with the identity of the owner of the anonymous certificate to be backed up comprises: obtaining the corresponding identity certificate according to the identifier of the anonymous certificate to be backed up in the identity verification information; the verification passes if that identity certificate and the identity certificate of the new terminal device named in the identity verification information have the same identity ID, both identity certificates are valid, and the signature of the identity verification information is valid.
6. A method according to claim 1, 2 or 3, wherein the network application identifier corresponding to the anonymous certificate to be backed up is a character string uniquely identifying the network application, a network application certificate serial number, or a network application certificate; the identity certificate identifier is an identity certificate serial number or the identity certificate itself; the identifier of the anonymous certificate to be backed up is the serial number of the anonymous certificate to be backed up or the anonymous certificate to be backed up itself.
7. The method of claim 1, wherein the backup anonymous certificate application information contains device information of the new terminal device, including, but not limited to, a device name and a device identifier.
8. The method of claim 1, wherein the anonymous certificate issuing authority maintains a correspondence between anonymous certificates and identity certificates.
9. The method of claim 1, wherein the step d) of verifying through the authorization information includes verifying whether the network application certificate is valid and whether the signature of the authorization information is valid.
CN202310216886.2A 2023-03-08 2023-03-08 Backup method of anonymous certificate on new terminal equipment Pending CN116321122A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310216886.2A CN116321122A (en) 2023-03-08 2023-03-08 Backup method of anonymous certificate on new terminal equipment

Publications (1)

Publication Number Publication Date
CN116321122A true CN116321122A (en) 2023-06-23

Family

ID=86821774

Country Status (1)

Country Link
CN (1) CN116321122A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination