CN117040760B - Layout file signing method supporting double algorithms - Google Patents
Layout file signing method supporting double algorithms Download PDFInfo
- Publication number
- CN117040760B CN117040760B CN202311048044.7A CN202311048044A CN117040760B CN 117040760 B CN117040760 B CN 117040760B CN 202311048044 A CN202311048044 A CN 202311048044A CN 117040760 B CN117040760 B CN 117040760B
- Authority
- CN
- China
- Prior art keywords
- file
- public key
- hash value
- encrypted
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004422 calculation algorithm Methods 0.000 title claims abstract description 70
- 238000000034 method Methods 0.000 title claims abstract description 30
- 238000012795 verification Methods 0.000 claims description 66
- 238000004891 communication Methods 0.000 claims description 38
- 230000005540 biological transmission Effects 0.000 claims description 28
- 239000000284 extract Substances 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 abstract description 3
- 230000002829 reductive effect Effects 0.000 description 4
- 230000009977 dual effect Effects 0.000 description 3
- PCTMTFRHKVHKIS-BMFZQQSSSA-N (1s,3r,4e,6e,8e,10e,12e,14e,16e,18s,19r,20r,21s,25r,27r,30r,31r,33s,35r,37s,38r)-3-[(2r,3s,4s,5s,6r)-4-amino-3,5-dihydroxy-6-methyloxan-2-yl]oxy-19,25,27,30,31,33,35,37-octahydroxy-18,20,21-trimethyl-23-oxo-22,39-dioxabicyclo[33.3.1]nonatriaconta-4,6,8,10 Chemical compound C1C=C2C[C@@H](OS(O)(=O)=O)CC[C@]2(C)[C@@H]2[C@@H]1[C@@H]1CC[C@H]([C@H](C)CCCC(C)C)[C@@]1(C)CC2.O[C@H]1[C@@H](N)[C@H](O)[C@@H](C)O[C@H]1O[C@H]1/C=C/C=C/C=C/C=C/C=C/C=C/C=C/[C@H](C)[C@@H](O)[C@@H](C)[C@H](C)OC(=O)C[C@H](O)C[C@H](O)CC[C@@H](O)[C@H](O)C[C@H](O)C[C@](O)(C[C@H](O)[C@H]2C(O)=O)O[C@H]2C1 PCTMTFRHKVHKIS-BMFZQQSSSA-N 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000008094 contradictory effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention belongs to the technical field of electronic information, and discloses a layout file signing method and system supporting double algorithms: the method comprises the steps that a first user adds a first signature domain at a position to be signed of a first file, a second file is generated, and an SM3 algorithm is adopted to carry out abstract operation on the second file, so that a first abstract value of the second file is generated; encrypting the first abstract value by using an SM2 algorithm, generating a first digital signature value of the first file, and adding the SM2 digital certificate and the first digital signature value to a first signature domain to obtain a third file; and calculating a first hash value of the third file, encrypting the first hash value by adopting an RSA algorithm, and then transmitting the third file and the encrypted first hash value to a second user. The method solves the problems of low security and large calculation amount of the double-algorithm electronic file signature.
Description
Technical Field
The invention belongs to the technical field of electronic information, and particularly relates to a format file signing method supporting double algorithms.
Background
The domestic cryptographic algorithm is a cryptographic algorithm which is independently developed and realized in China, has higher security, and is approved and popularized by the national cryptographic administration. The RSA algorithm is the first international algorithm to be used for both encryption and digital signature, and is also the most widely studied public key algorithm.
The RSA and SM2 encryption algorithms belong to asymmetric encryption algorithms, namely public keys and private keys. Currently, the mainstream electronic signature in domestic and international markets respectively uses SM2, SM3 national cryptographic algorithm and RSA international algorithm. In general, the national cryptographic algorithm and the international algorithm are used independently, but in order to improve the universality of the national circulation and the security of electronic file signature, the adoption of two standards of RSA and SM2 for signing on electronic files is an important development direction. For example, chinese patent CN111368335a discloses an electronic signature method and an electronic signature verification method and system for PDF files, and creates a signature value region in a signature domain of a PDF file to be signed; taking the data outside the signature value area as a signature original text, and calculating a signature original text abstract by adopting SHA256 and SM3 algorithms; signing the SHA256 signature original text abstract based on an RSA algorithm, and signing the SM3 signature original text abstract based on an SM2 algorithm to obtain a signature value; the signature values are sequentially added to the signature value area. The method adopts RSA and SM2 to sign the electronic file respectively, but the two signature methods are mutually independent and have low safety. For example, chinese patent CN116451261a discloses a method for performing RSA and SM2 double standard signing and verification on a PDF document, respectively obtaining hash values of a PDF document text field and an RSA certificate, and performing SM2 encryption on the hash values of the PDF document text field and the hash values of the RSA certificate to obtain an SM2 encryption value of the hash values of the PDF document text field and an SM2 encryption value of the hash values of the RSA certificate; inserting an SM2 identification bit into the PDF document; inserting an SM2 encryption value of a hash value of a text field of the PDF document and an SM2 encryption value of a hash value of an RSA certificate into an SM2 identification bit to form the PDF document containing the SM2 encryption value; calculating a hash value of a text field of the PDF document containing the SM2 encryption value, and performing RSA encryption on the hash value to obtain an RSA encryption value of the SM2 signed PDF document; and inserting the RSA encryption value into the signature domain of the PDF document obtained in the step 103 to realize the RSA signature of the PDF document. The method adopts RSA and SM2 to sign the electronic file respectively, but the calculated amount is large.
Therefore, providing a layout file signing method supporting dual algorithms to reduce the amount of calculation while improving the signature security is a problem to be solved.
Disclosure of Invention
Aiming at the technical problems, the invention provides a layout file signing method supporting double algorithms.
The invention provides a layout file signing method supporting double algorithms, which comprises the following steps:
step 1, a first user adds a first signature domain at a position to be signed of a first file to generate a second file, and performs abstract operation on the second file by adopting an SM3 algorithm to generate a first abstract value of the second file;
step 2, encrypting the first abstract value by using an SM2 algorithm, generating a first digital signature value of the first file, and adding the SM2 digital certificate and the first digital signature value to the first signature domain to obtain a third file;
step 3, calculating a first hash value of the third file, encrypting the first hash value by adopting an RSA algorithm, and then sending the third file and the encrypted first hash value to a second user;
and 4, after the second user receives the third file and the encrypted first hash value, decrypting the encrypted first hash value by using a second public key, if the encrypted first hash value can be decrypted, verifying to pass, and after the verification passes, calculating a second hash value of the third file, and if the second hash value is consistent with the first hash value, the third file is not modified in the transmission process.
Specifically, before step 1, the method comprises the following steps:
step 11, a first user sends a verification request to a server, wherein the verification request comprises a first user identifier;
step 12, the server generates a first private key and a first public key according to the verification request, distributes a first identifier for the first public key, correspondingly stores the first identifier and the first private key in a first storage unit, and then sends the first identifier and the first public key to a first user;
step 13, the first user generates a verification code, encrypts the verification code by using the received first public key, and sends the first identifier and the encrypted verification code to the server;
step 14, the server searches the first storage unit based on the first identifier, decrypts the encrypted verification code by using the first private key, and then stores the verification code in the first storage unit corresponding to the first identifier.
Specifically, step 3 includes:
step 31, the first user calculates a first hash value of the third file, encrypts the first hash value and the verification code by using the first public key, and sends the first hash value, the third file, the encrypted first hash value and the verification code, and the first identifier to the server;
step 32, the server searches a first storage unit based on the first identifier, decrypts the encrypted first hash value and the verification code by using the first private key, obtains the decrypted first hash value and the verification code, and verifies when the decrypted first hash value is consistent with the received first hash value and the decrypted verification code is consistent with the verification code in the first storage unit;
step 33, the server generates a second identifier based on the third file, generates a second private key and a second public key, and then stores the second identifier in a second storage unit corresponding to the second public key;
and step 34, the server encrypts the first hash value by adopting an RSA algorithm and using the second private key, and the second private key is deleted after encryption is completed.
Specifically, step 33 includes: the server obtains time information of the third file, generates a random number based on the time information, and generates a second private key and a second public key based on the random number.
Specifically, step 4 includes:
step 41, after the second user receives the third file, sending a public key acquisition request to the server;
step 42, after receiving the public key obtaining request, the server extracts the second public key, calculates a third hash value of the second public key, and generates a first sub-public key and a second sub-public key based on the second public key;
step 43, the first sub-public key and the third hash value are sent to the second user through the first communication path, and the second sub-public key is sent to the second user through the second communication path;
step 44, the second user generates a fourth public key based on the first sub-public key and the second sub-public key, and then calculates a fourth hash value of the fourth public key, and if the fourth hash value is consistent with the third hash value, the fourth public key is the public key corresponding to the third file.
Specifically, step 42 includes:
step 421, the server converts the second public key into an encrypted public key according to a preset rule, and divides the encrypted public key into N data blocks;
step 422, acquiring transmission speeds of the first communication path and the second communication path, and calculating a ratio a of the transmission speeds of the first communication path and the second communication path: b, wherein the first communication path is a path with high transmission speed, and the second communication path is a path with low transmission speed;
step 423, according to a: b ratio divides N data blocks intoData block and->A number of data blocks;
step 424, willThe data blocks are combined according to a first combination rule to generate a first sub-public key, andthe data blocks are combined according to a second combination rule to generate a second sub-public key.
Specifically, in step 41, the second user generates a fifth private key and a fifth public key, and sends the fifth public key to the server, in step 43, the preset rule, the first combination rule and the second combination rule are encrypted by using the fifth public key, the encrypted preset rule and the encrypted second combination rule are sent to the second user through the first communication path, and the encrypted first combination rule is sent to the second user through the second communication path.
Specifically, step 44 includes:
step 441, combining the first sub-public key and the second sub-public key based on the first combination rule and the second combination rule to generate an encrypted public key;
step 442, converting the encrypted public key into a second public key according to a preset rule.
Specifically, step 4 further includes:
step 5, after the second user confirms that the third file is not modified, adding a second signature domain at the position to be signed of the third file to generate a fourth file, and performing abstract operation on the fourth file by adopting an SM3 algorithm to generate a second abstract value of the fourth file;
step 6, encrypting the second abstract value by using an SM2 algorithm to generate a second digital signature value of the third file, and adding the SM2 digital certificate and the second digital signature value to the second signature domain to obtain a fifth file;
step 7, calculating a fifth hash value of the fifth file, encrypting the fifth hash value by adopting an RSA algorithm, and then sending the fifth file and the encrypted fifth hash value to a third user;
and 8, after the third user receives the fifth file and the encrypted fifth hash value, decrypting the encrypted fifth hash value by using the public key of the second user, if the encrypted fifth hash value can be decrypted, verifying to pass, and after the verification passes, calculating a sixth hash value of the fifth file, and if the sixth hash value is consistent with the fifth hash value, the fifth file is not modified in the transmission process.
Compared with the prior art, the invention has the following beneficial effects:
in the invention, when signing an electronic file, two algorithms of RSA and SM2 are adopted, firstly, a national cryptographic algorithm SM2 is used for signing an original file, then, the file signed by the SM2 algorithm is used as a second original file, and then, an international algorithm RSA is used for signing the second original file, so that the advantages of the SM2 algorithm and the RSA algorithm are combined, a new application mode of 'SM 2/RSA' double certificates and double algorithms is provided, the application of the national cryptographic algorithm is promoted, the international algorithm is compatible, the signature security of the electronic file is improved, and the calculation amount is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a layout file signing method supporting dual algorithms according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be apparent that the particular embodiments described herein are merely illustrative of the present invention and are some, but not all embodiments of the present invention. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on embodiments of the present invention, are within the scope of the present invention.
It should be noted that, if there is a description of "first", "second", etc. in the embodiments of the present invention, the description of "first", "second", etc. is only for descriptive purposes, and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present invention.
FIG. 1 is a flowchart of an embodiment of a layout file signing method supporting dual algorithms according to the present invention, where the flowchart specifically includes:
step 1, a first user adds a first signature domain at a position to be signed of a first file, a second file is generated, and an SM3 algorithm is adopted to perform digest operation on the second file, so that a first digest value of the second file is generated.
And 2, encrypting the first digest value by adopting an SM2 algorithm, generating a first digital signature value of the first file, and adding the SM2 digital certificate and the first digital signature value to the first signature domain to obtain a third file.
Signing is carried out on the first file by adopting an SM2 algorithm. After the first digest value is encrypted by adopting an SM2 algorithm to generate a first digital signature value, the first digital signature value is converted into a pkcs#7 format, the format of the SM2 digital certificate is converted into a format of an x.509 digital certificate, and then the x.509 digital certificate and the first digital signature value in the pkcs#7 format are added into the first signature domain together to complete electronic signature, so as to obtain a third file.
And 3, calculating a first hash value of the third file, encrypting the first hash value by adopting an RSA algorithm, and then transmitting the third file and the encrypted first hash value to a second user.
When signing, firstly signing the original file by using a national encryption algorithm SM2 to obtain a third file, then calculating a first hash value of the third file, and encrypting the first hash value by adopting an RSA algorithm to obtain the third file. Based on the method, the same file is signed through an SM2 algorithm and an RSA algorithm, double encryption is realized, and the signature safety is improved.
Specifically, before step 1, the method comprises the following steps:
step 11, a first user sends a verification request to a server, wherein the verification request comprises a first user identification.
Step 12, the server generates a first private key and a first public key according to the verification request, distributes a first identifier for the first public key, correspondingly stores the first identifier and the first private key in a first storage unit, and then sends the first identifier and the first public key to the first user.
And 13, generating a verification code by the first user, encrypting the verification code by using the received first public key, and transmitting the first identifier and the encrypted verification code to the server.
Step 14, the server searches the first storage unit based on the first identifier, decrypts the encrypted verification code by using the first private key, and then stores the verification code in the first storage unit corresponding to the first identifier.
Before the first user applies for signing the first file, authentication is carried out on the server, and after the authentication is passed, the server distributes a first public key and a first private key for encrypting transmission data for the first user. After receiving the first public key and the first private key sent by the server, the first user inputs a verification code for signature authentication, encrypts the verification code by using the first public key and sends the encrypted verification code to the server, and the server stores the verification code in correspondence with the first private key. The verification code is sent to the server in an encrypted mode and stored, so that the verification code can be prevented from being maliciously modified by people. When the first user requests the server to sign the electronic file, the user is verified through the verification code, so that the signature safety is improved, and other personnel can misappropriate the user identity to sign the electronic file under the condition that the signing key of the user is prevented from being lost by way of example.
Specifically, step 3 includes:
step 31, the first user calculates a first hash value of the third file, encrypts the first hash value and the verification code by using the first public key, and sends the first hash value, the third file, the encrypted first hash value and the verification code, and the first identifier to the server.
Step 32, the server searches the first storage unit based on the first identifier, decrypts the encrypted first hash value and the verification code by using the first private key, obtains the decrypted first hash value and the verification code, and passes verification when the decrypted first hash value is consistent with the received first hash value and the decrypted verification code is consistent with the verification code in the first storage unit.
Step 33, the server generates a second identifier based on the third file, generates a second private key and a second public key, and then stores the second identifier in the second storage unit in correspondence with the second public key.
And step 34, the server encrypts the first hash value by adopting an RSA algorithm and using the second private key, and the second private key is deleted after encryption is completed.
When the first user signs the third file, the first public key is used for encrypting the first hash value and the verification code of the third file, the encrypted first hash value and the encrypted verification code are sent to the server, and when the first hash value and the verification code obtained through decryption are consistent with the first hash value and the verification code which are directly received, the signature operation is executed. And meanwhile, the first hash value and the verification code are verified, so that the fact that other people steal signature information of the first user can be avoided, and the fact that a server signs an incorrect hash value after the first hash value to be signed is tampered in the transmission process can also be avoided.
And deleting the second private key for signing after the third file is signed, so that the private key can be prevented from being stolen, and the electronic signature is forged. After the signature is finished, the signature is verified only by using the second public key, so that the signature cannot be influenced by deleting the private key, and the storage space can be reduced.
Specifically, step 33 includes: the server obtains time information of the third file, generates a random number based on the time information, and generates a second private key and a second public key based on the random number.
The number of digits of the random number may be set according to experience of a person skilled in the art or according to actual application scenarios, which is not limited in the embodiments of the present application. The random number has irregularity, and the second private key and the second public key are generated based on the random number, so that the private key can be prevented from being reproduced or stolen. The time is unrepeatable, and the random number is generated based on the time information, so that the security of a signature private key is further ensured, and the electronic signature is prevented from being forged by other people.
And 4, after the second user receives the third file and the encrypted first hash value, decrypting the encrypted first hash value by using a second public key, if the encrypted first hash value can be decrypted, verifying to pass, and after the verification passes, calculating a second hash value of the third file, and if the second hash value is consistent with the first hash value, the third file is not modified in the transmission process.
The second user uses the second public key to decrypt the encrypted first hash value, and if the second user can decrypt the encrypted first hash value, the received third file is indicated to be sent by the first user; and then, calculating a second hash value of the received third file, comparing the second hash value with the first hash value obtained by decryption (namely verifying the signature), and if the second hash value is consistent with the first hash value, indicating that the third file is not modified in the transmission process.
Specifically, step 4 includes:
step 41, after the second user receives the third file, the public key obtaining request is sent to the server.
Step 42, after receiving the public key obtaining request, the server extracts the second public key, calculates a third hash value of the second public key, and generates the first sub-public key and the second sub-public key based on the second public key.
Step 43, the first sub-public key and the third hash value are sent to the second user through the first communication path, and the second sub-public key is sent to the second user through the second communication path.
Step 44, the second user generates a fourth public key based on the first sub-public key and the second sub-public key, and then calculates a fourth hash value of the fourth public key, and if the fourth hash value is consistent with the third hash value, the fourth public key is the public key corresponding to the third file.
The public key of the verification signature is sent through the two communication paths, and even if data on one communication path is intercepted, the public key of the verification signature cannot be recovered, so that the possibility of tampering of the public key is reduced. Meanwhile, the public key is verified based on the third hash value, so that the wrong public key is prevented from being received, and wrong judgment is made for signature verification.
Specifically, step 42 includes:
step 421, the server converts the second public key into an encrypted public key according to a preset rule, and divides the encrypted public key into N data blocks;
step 422, acquiring transmission speeds of the first communication path and the second communication path, and calculating a ratio a of the transmission speeds of the first communication path and the second communication path: b, wherein the first communication path is a path with high transmission speed, and the second communication path is a path with low transmission speed;
step 423, according to a: b ratio dividing N data blocksIs thatData block and->A number of data blocks;
step 424, willThe data blocks are combined according to a first combination rule to generate a first sub-public key, andthe data blocks are combined according to a second combination rule to generate a second sub-public key.
The size of the number N may be set according to experience of a person skilled in the art or according to actual application scenarios, which is not limited in the embodiments of the present application.
Before the server sends the second public key to the second user, in order to protect the second public key, the second public key is deformed according to a preset rule, the second public key is converted into an encrypted public key, the second public key is an ABCD, and the second public key is converted into ABCD according to the preset rule.
After the second public key is deformed, the deformed encrypted public key is divided into N different data blocks. And dividing the N different data blocks into two parts according to the transmission speeds of the two communication lines for transmitting the public key. The data blocks to be transmitted are divided according to the transmission speed of the communication line, so that the communication line with high transmission speed can transmit more data blocks, the communication line with low transmission speed can transmit fewer data blocks, the data safety is ensured by transmitting the data blocks through two lines, the transmission time is reduced, and the transmission efficiency is improved.
Then according to the first combination ruleThe data blocks are combined to generate a first sub-public key, which is then +.>The data blocks are combined to generate a second sub-public key.
Specifically, in step 41, the second user generates a fifth private key and a fifth public key, and sends the fifth public key to the server, in step 43, the preset rule, the first combination rule and the second combination rule are encrypted by using the fifth public key, the encrypted preset rule and the encrypted second combination rule are sent to the second user through the first communication path, and the encrypted first combination rule is sent to the second user through the second communication path.
The first sub-public key and the first combination rule, and the second sub-public key and the second combination rule are transmitted through different communication paths, so that the possibility of restoring the public key for verifying the signature is only available when data on the two communication paths are intercepted at the same time, and the safety of data transmission is improved. Further, the public key cannot be restored, so that the private key cannot be broken, the safety of the signature is ensured, and the signature is prevented from being forged.
Specifically, step 44 includes:
step 441, combining the first sub-public key and the second sub-public key based on the first combination rule and the second combination rule to generate an encrypted public key;
step 442, converting the encrypted public key into a second public key according to a preset rule.
Specifically, step 4 further includes:
step 5, after the second user confirms that the third file is not modified, adding a second signature domain at the position to be signed of the third file to generate a fourth file, and performing abstract operation on the fourth file by adopting an SM3 algorithm to generate a second abstract value of the fourth file;
step 6, encrypting the second abstract value by using an SM2 algorithm to generate a second digital signature value of the third file, and adding the SM2 digital certificate and the second digital signature value to the second signature domain to obtain a fifth file;
step 7, calculating a fifth hash value of the fifth file, encrypting the fifth hash value by adopting an RSA algorithm, and then sending the fifth file and the encrypted fifth hash value to a third user;
and 8, after the third user receives the fifth file and the encrypted fifth hash value, decrypting the encrypted fifth hash value by using the public key of the second user, if the encrypted fifth hash value can be decrypted, verifying to pass, and after the verification passes, calculating a sixth hash value of the fifth file, and if the sixth hash value is consistent with the fifth hash value, the fifth file is not modified in the transmission process.
And simultaneously signing by using an SM2 algorithm and an RSA algorithm, if a plurality of users sign the same file, signing the file by using a national encryption algorithm SM2, then taking the file signed by using the SM2 algorithm as a second file, and signing the second file by using an international algorithm RSA.
Preferably, in order to avoid that the user does not verify the signature file, when the subsequent user verifies the signature of the file, all the electronic seals on the same file can be verified in reverse order.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of computer programs, which may be stored on a non-transitory computer readable storage medium, and which, when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The foregoing examples have shown only the preferred embodiments of the invention, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Claims (7)
1. A layout file signing method supporting double algorithms is characterized by comprising the following steps:
step 1, a first user adds a first signature domain at a position to be signed of a first file to generate a second file, and performs abstract operation on the second file by adopting an SM3 algorithm to generate a first abstract value of the second file;
step 2, encrypting the first digest value by using an SM2 algorithm, generating a first digital signature value of the first file, and adding an SM2 digital certificate and the first digital signature value to the first signature domain to obtain a third file;
step 3, calculating a first hash value of the third file, encrypting the first hash value by adopting an RSA algorithm, and then sending the third file and the encrypted first hash value to a second user;
step 4, after the second user receives the third file and the encrypted first hash value, decrypting the encrypted first hash value by using a second public key, if the second user can decrypt the encrypted first hash value, verifying the encrypted first hash value, calculating a second hash value of the third file after the second user passes the verification, and if the second hash value is consistent with the first hash value, the third file is not modified in the transmission process;
before the step 1, the method comprises the following steps:
step 11, the first user sends a verification request to a server, wherein the verification request comprises a first user identifier;
step 12, the server generates a first private key and a first public key according to the verification request, distributes a first identifier for the first public key, correspondingly stores the first identifier and the first private key in a first storage unit, and then sends the first identifier and the first public key to the first user;
step 13, the first user generates a verification code, encrypts the verification code by using the received first public key, and sends the first identifier and the encrypted verification code to the server;
step 14, the server searches the first storage unit based on the first identifier, decrypts the encrypted verification code by using the first private key, and then stores the verification code in the first storage unit corresponding to the first identifier;
the step 3 comprises the following steps:
step 31, the first user calculates a first hash value of the third file, encrypts the first hash value and the verification code by using the first public key, and sends the first hash value, the third file, the encrypted first hash value and the verification code, and the first identifier to the server;
step 32, the server searches the first storage unit based on the first identifier, decrypts the encrypted first hash value and the verification code by using the first private key, obtains the decrypted first hash value and the verification code, and verifies when the decrypted first hash value is consistent with the received first hash value and the decrypted verification code is consistent with the verification code in the first storage unit;
step 33, the server generates a second identifier based on the third file, generates a second private key and the second public key, and then stores the second identifier in a second storage unit corresponding to the second public key;
and step 34, the server encrypts the first hash value by adopting an RSA algorithm and using the second private key, and the second private key is deleted after encryption is completed.
2. The method for signing a layout file in accordance with claim 1, wherein said step 33 comprises: the server obtains time information of the third file, generates a random number based on the time information, and generates the second private key and the second public key based on the random number.
3. The method for signing a layout file in accordance with claim 1, wherein said step 4 comprises:
step 41, after the second user receives the third file, sending a public key obtaining request to a server;
step 42, after receiving the public key obtaining request, the server extracts the second public key, calculates a third hash value of the second public key, and generates a first sub-public key and a second sub-public key based on the second public key;
step 43, transmitting the first sub-public key and the third hash value to the second user through a first communication path, and transmitting the second sub-public key to the second user through a second communication path;
step 44, the second user generates a fourth public key based on the first sub public key and the second sub public key, and then calculates a fourth hash value of the fourth public key, where if the fourth hash value is consistent with the third hash value, the fourth public key is a public key corresponding to the third file.
4. A layout file signing method according to claim 3, wherein said step 42 comprises:
step 421, the server converts the second public key into an encrypted public key according to a preset rule, and divides the encrypted public key into N data blocks;
step 422, obtaining transmission speeds of the first communication path and the second communication path, and calculating a ratio a of the transmission speeds of the first communication path and the second communication path: b, wherein the first communication path is a path with high transmission speed, and the second communication path is a path with low transmission speed;
step 423, according to a: b dividing the N data blocks intoData block and->A number of data blocks;
step 424, connect the aboveThe data blocks are combined according to a first combination rule to generate the first sub-public key, and the +.>And combining the data blocks according to a second combination rule to generate the second sub-public key.
5. The method for signing a layout file supporting double algorithms according to claim 4, wherein in the step 41, the second user generates a fifth private key and a fifth public key, and sends the fifth public key to the server, in the step 43, the preset rule, the first combination rule and the second combination rule are encrypted by using the fifth public key, the encrypted preset rule and the encrypted second combination rule are sent to the second user through the first communication path, and the encrypted first combination rule is sent to the second user through the second communication path.
6. The method of claim 4, wherein the step 44 includes:
step 441, combining the first sub-public key and the second sub-public key based on the first combination rule and the second combination rule to generate the encrypted public key;
step 442, converting the encrypted public key into the second public key according to the preset rule.
7. The method for signing a layout file in accordance with claim 1, wherein said step 4 further comprises:
step 5, after the second user confirms that the third file is not modified, adding a second signature domain at the position to be signed of the third file to generate a fourth file, and performing digest operation on the fourth file by adopting an SM3 algorithm to generate a second digest value of the fourth file;
step 6, encrypting the second digest value by using an SM2 algorithm, generating a second digital signature value of the third file, and adding an SM2 digital certificate and the second digital signature value to the second signature domain to obtain a fifth file;
step 7, calculating a fifth hash value of the fifth file, encrypting the fifth hash value by adopting an RSA algorithm, and then sending the fifth file and the encrypted fifth hash value to a third user;
and 8, after the third user receives the fifth file and the encrypted fifth hash value, decrypting the encrypted fifth hash value by using the public key of the second user, if the decryption is possible, verifying to pass, and after the verification is passed, calculating a sixth hash value of the fifth file, and if the sixth hash value is consistent with the fifth hash value, the fifth file is not modified in the transmission process.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311048044.7A CN117040760B (en) | 2023-08-18 | 2023-08-18 | Layout file signing method supporting double algorithms |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311048044.7A CN117040760B (en) | 2023-08-18 | 2023-08-18 | Layout file signing method supporting double algorithms |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117040760A CN117040760A (en) | 2023-11-10 |
| CN117040760B true CN117040760B (en) | 2024-02-09 |
Family
ID=88629755
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311048044.7A Active CN117040760B (en) | 2023-08-18 | 2023-08-18 | Layout file signing method supporting double algorithms |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117040760B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109831302A (en) * | 2017-11-23 | 2019-05-31 | 杭州天谷信息科技有限公司 | PDF electronic signature method and system based on national secret algorithm |
| CN111552946A (en) * | 2020-04-24 | 2020-08-18 | 上海亘岩网络科技有限公司 | PDF file digital signature method, system and storage medium |
| CN111800260A (en) * | 2020-06-19 | 2020-10-20 | 深圳证券通信有限公司 | Intelligent key signature method compatible with RSA and domestic commercial cryptographic algorithm |
| CN113221190A (en) * | 2021-05-08 | 2021-08-06 | 国泰新点软件股份有限公司 | Electronic signature method, device and system of PDF file and storage medium |
| CN116451261A (en) * | 2023-06-16 | 2023-07-18 | 南京朗赢信息技术有限公司 | Method for carrying out RSA and SM2 double standard signature and verification on PDF document |
-
2023
- 2023-08-18 CN CN202311048044.7A patent/CN117040760B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109831302A (en) * | 2017-11-23 | 2019-05-31 | 杭州天谷信息科技有限公司 | PDF electronic signature method and system based on national secret algorithm |
| CN111552946A (en) * | 2020-04-24 | 2020-08-18 | 上海亘岩网络科技有限公司 | PDF file digital signature method, system and storage medium |
| CN111800260A (en) * | 2020-06-19 | 2020-10-20 | 深圳证券通信有限公司 | Intelligent key signature method compatible with RSA and domestic commercial cryptographic algorithm |
| CN113221190A (en) * | 2021-05-08 | 2021-08-06 | 国泰新点软件股份有限公司 | Electronic signature method, device and system of PDF file and storage medium |
| CN116451261A (en) * | 2023-06-16 | 2023-07-18 | 南京朗赢信息技术有限公司 | Method for carrying out RSA and SM2 double standard signature and verification on PDF document |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117040760A (en) | 2023-11-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111628868B (en) | Digital signature generation method and device, computer equipment and storage medium | |
| CN109067524B (en) | Public and private key pair generation method and system | |
| CN107483212B (en) | Method for generating digital signature by cooperation of two parties | |
| US11930103B2 (en) | Method, user device, management device, storage medium and computer program product for key management | |
| CN107425971B (en) | Certificateless data encryption/decryption method and device and terminal | |
| CN111147245A (en) | Algorithm for encrypting by using national password in block chain | |
| CN111970114B (en) | File encryption method, system, server and storage medium | |
| CN111614621A (en) | Internet of things communication method and system | |
| CN107566127B (en) | IKI trusted digital identifier generation method and application method | |
| CN110519226B (en) | Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate | |
| CN109905384B (en) | Data migration method and system | |
| CN114726546B (en) | Digital identity authentication method, device, equipment and storage medium | |
| CN108809936A (en) | A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm | |
| CN117155549A (en) | Key distribution method, key distribution device, computer equipment and storage medium | |
| CN113190860A (en) | Block chain sensor data authentication method and system based on ring signature | |
| CN110519040B (en) | Anti-quantum computation digital signature method and system based on identity | |
| CN117335989A (en) | Safety application method in internet system based on national cryptographic algorithm | |
| CN118337498A (en) | Data transmission method based on symmetric key pool | |
| CN112528309A (en) | Data storage encryption and decryption method and device | |
| CN109412799B (en) | System and method for generating local key | |
| CN117040760B (en) | Layout file signing method supporting double algorithms | |
| CN114189338B (en) | SM9 key secure distribution and management system and method based on homomorphic encryption technology | |
| CN110138547B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and serial number | |
| CN110086627B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp | |
| CN114257398A (en) | Data processing method, system, equipment and medium based on state cryptographic algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |