CN117692151A - Service network-based certificate revocation method and communication method - Google Patents


Info

Publication number: CN117692151A
Application number: CN202410150012.6A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Prior art keywords: node, public key, service network, pass, certificate
Prior art date:
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed):
Filing date:
Publication date:
Inventors: 程亮, 钟一民, 郭峰
Current assignee: Hangzhou Tiangu Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou Tiangu Information Technology Co ltd

Events: application filed by Hangzhou Tiangu Information Technology Co ltd; priority to CN202410150012.6A; publication of CN117692151A; current legal status pending

Abstract

The application discloses a certificate revocation method and a communication method based on a service network, relating to the technical field of electronic signatures. The service network comprises a central node, at least one proxy node and at least one electronic signature service platform; the central node is deployed with an identifier-based password management system (an identification password, i.e. identity-based cryptography, system) and is connected to the at least one proxy node, each electronic signature service platform is connected to one proxy node, and each proxy node is connected to one or more electronic signature service platforms. When the electronic signature service network system is established on identification password, a proxy node cluster is established in addition to the identification password server of the central node, and the proxy node cluster manages network members together with the central node, so that the workload of the central node is reduced.

Description

Service network-based certificate revocation method and communication method
Technical Field
The application relates to the technical field of electronic signatures, in particular to a service network-based certificate revocation method and a communication method.
Background
At present, in the field of electronic signatures and their applications, large-scale interconnection and mutual authentication have become a major trend. However, the electronic signature field lacks a network system for cross-platform communication, so electronic signature application data cannot be transmitted and mutually authenticated between different electronic signature service platforms.
When a key is lost, expires or the like, the identifier corresponding to the key needs to be revoked, and an electronic signature service network based on identification password faces several problems in identifier management when network members are revoked. First, the common approach takes the identifier as a base field and appends other fields, such as a validity period or usage conditions, to generate multiple derived identifiers so that revocation happens automatically; for example, IDA 2023 is an identifier derived from IDA that is valid only in 2023 and is revoked automatically when it expires. Besides automatic revocation, a user may also actively revoke an identifier; to support immediate revocation in that case, the identification password server must maintain a dynamically changing identifier revocation list for network members to query. As these two cases show, identifier revocation brings a series of problems, such as an increase in the computational load of the identification password server.
Identification password also brings another major problem, key escrow: the private keys of all network members are generated by the identification password server, so the server can decrypt and forge all messages of the network members. This is a new concern for members joining the network, namely the security of their own business data.
In summary, identification password is the preferred choice for building an electronic signature service network system, but the problems caused by identifier revocation and key escrow still need to be solved.
Disclosure of Invention
The application provides a service network-based certificate revocation method and a communication method, which aim to solve the problems of identifier revocation and key escrow caused by using an identifier password in the prior art.
In order to achieve the above purpose, the present application adopts the following technical scheme:
A service network-based pass revocation method is provided. The service network includes a central node, at least one proxy node and at least one electronic signature service platform, wherein the central node is deployed with an identifier-based password management system and is connected to the at least one proxy node, each electronic signature service platform is connected to one proxy node, and each proxy node is connected to one or more electronic signature service platforms. The method is applied between interconnected upper and lower nodes of the service network and includes:
the upper node records the master public key pass to be revoked as being in a disabled state according to the pass identifier of the master public key pass to be revoked of the lower node, and records the disabling time of that pass, wherein the master public key pass to be revoked and its pass identifier are generated by the central node;
the upper node generates a new master public key and a new master private key dedicated to the lower node, and determines a new pass identifier of the lower node and a corresponding new master public key pass according to the new master public key;
the upper node calculates a new service network identification private key of the lower node according to the new master private key, and sends the new master public key pass and the new service network identification private key to the lower node;
and the upper node records the new master public key pass as being in an enabled state according to the new pass identifier, and records the enabling time and the effective time of the new master public key pass.
Preferably, when the upper node is a proxy node and the lower node is an electronic signature service platform connected with the proxy node, the method further comprises:
the superior node locally stores the new main private key, and sends the new main public key to the central node, and the central node generates a new pass identifier and a corresponding new main public key pass according to the new main public key after receiving the new main public key, and sends the new main public key pass to the superior node.
Preferably, before the upper node records that the master public key certificate to be revoked is in a disabled state according to the certificate identifier of the master public key certificate to be revoked of the lower node, the method further includes:
the upper node distributes an identity and a service network identifier for a lower node connected with the upper node, and generates a main public key and a main private key which are special for the lower node;
and the upper node respectively determines a service network identification private key and a main public key pass certificate of the lower node according to the main private key and the main public key, and issues the main public key pass certificate and the service network identification private key to the lower node.
Preferably, when the upper node is a proxy node and the lower node is an electronic signature service platform connected with the proxy node, the method for determining the master public key certificate of the lower node comprises the following steps:
the upper node locally stores the main private key and sends the main public key to the central node, the central node receives the main public key, generates a pass identifier according to the main public key, signs the pass identifier, service network identifiers of lower nodes and upper nodes, the main public key, the valid period and central node information, generates a main public key pass of the lower nodes according to the signature, the pass identifier, the service network identifiers of the lower nodes and the upper nodes, the main public key, the valid period and the central node information, and sends the main public key pass to the upper nodes.
Preferably, the method further comprises:
and the master public key pass revocation flow of the lower node is triggered when the validity period of the lower node's master public key pass expires or when the master private key corresponding to the master public key is at risk.
Preferably, triggering the master public key pass revocation flow of the lower node when the validity period of its master public key pass expires or the master private key corresponding to the master public key in the pass is at risk includes:
when the validity period of the master public key pass of the lower node expires, the upper node corresponding to the lower node triggers the master public key pass revocation flow of the lower node;
when the master private key corresponding to the master public key in the master public key pass of the lower node is at risk, the lower node triggers the master public key pass revocation flow.
A service network-based communication method, the service network including a central node, at least one proxy node, and at least one electronic signature service platform, wherein the central node is deployed with an identifier-based password management system and is connected to the at least one proxy node, each electronic signature service platform is connected to one proxy node, each proxy node is connected to one or more electronic signature service platforms, the method being applied between proxy nodes of the service network, and comprising:
each of the two proxy nodes to be communicated obtains and parses the master public key pass of the opposite party to obtain the opposite party's pass identifier, the service network identifiers of the opposite proxy node and of the central node, the master public key, the validity period, the central node information and the central node signature;
each of the two proxy nodes sends the opposite party's pass identifier and service network identifier to the central node; the central node judges, according to the received pass identifier and service network identifier, whether the corresponding master public key pass is the current master public key pass of that proxy node to be communicated, and if so, sends the judgment result to the corresponding proxy node to be communicated;
and after receiving the corresponding judgment result, each of the two proxy nodes verifies the central node signature of the opposite party; if the verification passes, each takes the master public key out of the opposite party's master public key pass and generates the identification password parameter set of the opposite party for communication.
Preferably, the method for respectively judging whether the corresponding master public key certificate is the current master public key certificate of the proxy node to be communicated according to the received certificate identifier and the service network identifier comprises the following steps:
the central node checks whether the received service network identifier belongs to a child node of its own service network identifier; if so, it queries the local master public key pass operation record to confirm whether the received pass identifier is the current master public key pass of the proxy node to be communicated.
A service network-based communication method, the service network including a central node, at least one proxy node, and at least one electronic signature service platform, wherein the central node is deployed with an identifier-based password management system and is connected to the at least one proxy node, each electronic signature service platform is connected to one proxy node, each proxy node is connected to one or more electronic signature service platforms, the method is applied between electronic signature service platforms of the service network, and comprises:
each of the two platforms to be communicated obtains and parses the master public key pass of the opposite party to obtain the opposite party's pass identifier, the service network identifiers of the opposite platform and of its proxy node, the master public key, the validity period, the central node information and the central node signature;
each of the two platforms sends the opposite party's pass identifier, the service network identifier of the opposite platform and the service network identifier of the opposite proxy node to its own proxy node; that proxy node communicates with the opposite proxy node according to the received proxy node service network identifier and judges, according to the pass identifier, whether the corresponding master public key pass is the current master public key pass of the platform to be communicated, and if so, sends the judgment result to the corresponding platform to be communicated;
and after receiving the corresponding judgment result, each of the two platforms verifies the central node signature of the opposite party; if the verification passes, each takes the master public key out of the opposite party's master public key pass and generates the identification password parameter set of the opposite party for communication.
Preferably, communicating with the opposite proxy node according to the received proxy node service network identifier and judging, according to the pass identifier, whether the corresponding master public key pass is the current master public key pass of the platform to be communicated includes:
the proxy node establishes communication with the opposite proxy node according to the received proxy node service network identifier, using the communication method described above; if the master public key pass of the opposite proxy node is in a disabled state, establishing communication fails and the flow ends.
The invention has the following beneficial effects:
1. When the electronic signature service network system is built on identification password, a proxy node cluster is built in addition to the identification password server of the central node and manages network members together with the central node. This reduces the workload of the central node, since the proxy nodes bear the large volume of identification private key issuance and revocation query services, and prevents the central node from becoming a performance bottleneck of the whole network system; at the same time, the authority of the central node is maintained by having it issue the master public key pass for each registered user, so the whole network remains under the management and control of the central node;
2. A service platform can selectively build or join a proxy node that it trusts. The proxy node helps the service platform join the network through the central node on the one hand, and on the other hand uses the master private key under its own control to issue the identification private key to the service platform, so the key escrow problem at the central node is avoided and the service platform has less cause to worry about the security of its own business data.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is an exemplary diagram of a service network of the present application;
FIG. 2 is a flow chart of a service network-based pass revocation method of the present application;
FIG. 3 is a first flow chart of a method of service network-based communication of the present application;
FIG. 4 is a second flow chart of a service network-based communication method of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms "first," "second," and the like in the claims and the description of the present application are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order, and it should be understood that the terms so used may be interchanged, if appropriate, merely to describe the manner in which objects of the same nature are distinguished in the embodiments of the present application when described, and furthermore, the terms "comprise" and "have" and any variations thereof are intended to cover a non-exclusive inclusion such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
As shown in fig. 1, the present embodiment provides a service network, where the service network includes a central node, at least one proxy node, and at least one electronic signature service platform, where the central node is deployed with an identifier-based password management system and is connected to the at least one proxy node, each electronic signature service platform is connected to one proxy node, and each proxy node is connected to one or more electronic signature service platforms.
In this embodiment, the central node S is the core of the service network. It is deployed with an identifier-based password management system and holds a fixed master public key PKS and master private key SKS; ID_NET_S is the service network identifier of S, and S generates its fixed identification private key IDKS from ID_NET_S according to the fixed master private key SKS. At the same time, S publishes the identification password parameters ParamS, consisting of PKS and a system parameter set, as the authoritative parameters of the whole network.
The electronic signature service platform, service platform for short, is an existing platform in an existing service system and directly serves a large number of users. To join the unified service network, each service platform indirectly accesses the identification-password-based communication system established by the central node by building or joining a proxy node that it trusts directly, for example service platform A with its trusted proxy node PA, and service platform B with its trusted proxy node PB. One proxy node can serve multiple service platforms, and each proxy node establishes a relatively independent identification-password-based communication system, so the communications of a service platform within that system cannot be decrypted or forged by the central node.
The same system parameter set may be set for all nodes, i.e. all nodes use S system parameter set, or each node may use a different system parameter set, and since the system parameter sets are not sensitive information, each node may disclose a respective system parameter set, so that other members may easily obtain the system parameter set.
When the electronic signature service network system is built on identification password, a proxy node cluster is built in addition to the identification password server of the central node, which reduces the workload of the central node: the proxy nodes bear the large volume of identification private key issuance and revocation query services, so the central node does not become a performance bottleneck of the whole network system, while the authority of the central node is maintained by having it issue the master public key pass for each registered user, so the whole network remains under the control of the central node.
Meanwhile, in the embodiment, the service platform added with the network can selectively build or add the proxy node trusted by the own party, the proxy node helps the service platform to join the network through the central node on one hand, and the main private key controlled by the proxy node is used for issuing the identification private key for the service platform on the other hand, so that the key escrow problem of the central node is avoided, and the service platform reduces the worry about the security of own party business data.
Example 2
As shown in fig. 2, the present embodiment provides a service network-based certificate revocation method, which is applied between upper and lower nodes connected to each other by the service network as described above, and includes:
S110, the upper node records the master public key pass to be revoked as being in a disabled state according to the pass identifier of the master public key pass to be revoked of the lower node, and records the disabling time of that pass, wherein the master public key pass to be revoked and its pass identifier are generated by the central node;
S120, the upper node generates a new master public key and a new master private key dedicated to the lower node, and determines a new pass identifier of the lower node and a corresponding new master public key pass according to the new master public key;
S130, the upper node calculates a new service network identification private key of the lower node according to the new master private key, and sends the new master public key pass and the new service network identification private key to the lower node;
and S140, the upper node records the new master public key pass as being in an enabled state according to the new pass identifier, and records the enabling time and the effective time of the new master public key pass.
Before the primary public key certificate revocation is performed, the registration of the proxy node in the central node and the registration of the service platform in the proxy node are also required.
The specific process of registering the proxy node in the central node is as follows:
After S has verified the registration material provided by PA, S assigns an identity identifier IDPA to PA, where IDPA is a random number, the real name of PA or another string formed by rule, and is globally unique within the entire management range of S. ID_NET_PA is the ID of PA in the service network, i.e. its service network identifier, here "IDPA". S then generates a master public key and master private key dedicated to PA and conforming to identification cryptography, stores the master private key locally, and signs the pass identifier, ID_NET_PA, ID_NET_S, the master public key, the validity period and the information of the issuer S with its fixed identification private key; the signature combined with these contents forms the master public key pass. The pass identifier is generated by S and uniquely determines a master public key pass, and the pass indicates that S approves PA to use the master public key within the validity period. S calculates the service network identification private key of PA from ID_NET_PA according to the master private key, issues the master public key pass and the service network identification private key to PA, and records the master public key pass as enabled according to its pass identifier, together with the enabling time and the effective time.
The specific process of registering the service platform in the proxy node is as follows:
setting the service platform as A, setting the agent node as PA, issuing a service network identifier for the PA after the PA passes the verification of the registration material provided by the A, and forwarding the service network identifier and the registration material to S; and after the verification of the registration material provided by the A is passed, the PA is informed to issue a service network identification private key and a main public key certificate.
Next, PA assigns an identity identifier IDA to A, where IDA is a random number, the real name of A or another string formed by rule, generated by PA, and PA ensures that IDA is globally unique within its entire management range. ID_NET_A is the ID of A in the service network, i.e. its service network identifier; it may also be a combination of IDA and IDPA, for example "IDA.IDPA", where "." is the connector. Since IDPA is globally unique within the entire service network and IDA is globally unique within the entire management range of PA, ID_NET_A is also globally unique within the entire service network.
PA then generates a master public key and master private key dedicated to A and conforming to identification cryptography, stores the master private key locally and sends the master public key to S. S uses its fixed identification private key to sign the pass identifier, ID_NET_A, ID_NET_PA, the master public key, the validity period and the information of the issuer S, and combines the signature with these contents into the master public key pass. The pass identifier is generated by S and uniquely determines a master public key pass; the pass indicates that S approves A to use the master public key within the validity period and that the master public key belongs to the parent node ID_NET_PA, so S retains control over the service platform's membership in the network.
Next, the PA issues a service network identifier private key and a master public key pass corresponding to the id_net_a for the a through a secure path, wherein the service network identifier private key is obtained by calculating the id_net_a by the PA according to the master private key corresponding to the master public key in the master public key pass.
Finally, the PA records the master public key certificate as an enabling state according to the certificate identifier of the master public key certificate, and simultaneously records the enabling time and the effective time, and in order to ensure the credibility of the time, the enabling time is recorded by using a time stamp mode.
One embodiment of the application mainly concerns master public key pass revocation of a proxy node, which arises in three cases: first, when the validity period of PA's master public key pass expires, automatic revocation is triggered by S; second, when the master private key corresponding to the master public key in PA's master public key pass is at risk, active revocation is triggered by PA; third, when PA no longer participates in the service network, i.e. actively exits the network, active revocation is triggered by PA. The first two cases trigger the master public key pass revocation flow, in which the pass is revoked and re-issued; active exit also revokes the pass but is handled separately. This embodiment mainly describes the revocation flow triggered by the first two cases.
Firstly, S records the main public key pass as a stop state according to the pass identification of the main public key pass to be cancelled, simultaneously records stop time, regenerates a new main public key and a new main private key which are specially used for the PA and accord with identification cryptography, locally stores the new main private key, then generates the new main public key pass, and calculates ID_NET_PA according to the new main private key corresponding to the new main public key in the new main public key pass to generate a new service network identification private key of the PA, and sends the new main public key pass and the new service network identification private key to the PA. In the revocation process, the identity of the PA is not required to be revoked, only the main public key certificate is revoked, and the revocation flow is finished.
If the PA actively exits the network, the PA applies for exiting the network to S, and S records the main public key certificate of the PA as the stop state and the stop time.
Another embodiment mainly concerns master public key pass revocation of a service platform, which is handled in the same way as for a proxy node and likewise arises in three cases: first, when the validity period of A's master public key pass expires, automatic revocation is triggered by PA; second, when the master private key corresponding to the master public key in A's master public key pass is at risk, active revocation is triggered by A; third, when A no longer participates in the service network, i.e. actively exits the network, active revocation is triggered by A. The first two cases trigger the master public key pass revocation flow, in which the pass is revoked and re-issued; active exit also revokes the pass but is handled separately. This embodiment mainly describes the revocation flow triggered by the first two cases.
First, PA records the master public key pass as disabled according to the pass identifier of the pass to be revoked and records the disabling time. PA then regenerates a new master public key and master private key dedicated to A and conforming to identification cryptography, stores the new master private key locally and sends the new master public key to S so that S generates the new master public key pass (by the method described above) and returns it to PA. PA calculates a new service network identification private key of A from ID_NET_A according to the new master private key corresponding to the new master public key in the new pass, and sends the new master public key pass and the new service network identification private key to A. Finally, PA records the new master public key pass as enabled according to its pass identifier and records the enabling time and the effective time. The identity of A does not need to be revoked in this process; only the master public key pass is revoked, and the revocation flow ends.
If the A actively exits the network, the A applies for the PA to exit the network, the PA forwards the message to S, and after the S agrees, the PA records the main public key certificate of the A as a stop state and simultaneously records the stop time.
In this embodiment, a unique identification password master public key pass is issued to each network member, and the pass is only required to be revoked when revoked, so that the identity can be maintained unchanged, and the requirement that the network member does not change the identity is better met.
Example 3
As shown in Fig. 3, this embodiment provides a service network-based communication method, applied between proxy nodes of the service network described above, comprising:
S210, each of the two proxy nodes to be communicated acquires and parses the master public key certificate of the other party, obtaining the other party's certificate identifier, the service network identifiers of the other proxy node and of the central node, the master public key, the validity period, the central node information and the central node signature;
S220, each of the two proxy nodes sends the other party's certificate identifier and service network identifier to the central node; from the received certificate identifier and service network identifier the central node judges whether the corresponding master public key certificate is the current master public key certificate of that proxy node, and if so sends the result to the requesting proxy node;
S230, after receiving the result, each of the two proxy nodes verifies the central node signature on the other party's certificate; if verification passes, each takes the master public key out of the other party's master public key certificate and generates the other party's identity-based cryptographic parameter set for communication.
In this embodiment a trusted communication mechanism is established between proxy node PA and proxy node PB: PA and PB exchange their master public key certificates and then each verifies the master public key of the other. Taking PB's verification of TKNPA as an example, PB parses from TKNPA the certificate identifier, ID_NET_PA, ID_NET_S, the master public key, the validity period, the issuer S information and S's signature, then sends the certificate identifier and ID_NET_PA to S. When S finds that ID_NET_PA is one of its child nodes, it queries whether TKNPA is the latest enabled master public key certificate of PA and, if so, returns the query result to PB; PB now knows that TKNPA is a valid master public key certificate of PA. PB then verifies S's signature using ID_NET_S and the identity-based parameter set, confirming that the certificate was genuinely issued by S, and checks that TKNPA is within its validity period. Once all checks pass, each side takes the master public key out of the other party's certificate to form the other party's identity-based parameter set, with which PA and PB can encrypt, decrypt, sign and verify.
If a message from a sender needs to be stored, the master public key certificate that the sender had enabled at the time is stored first, to guarantee the trustworthiness of the master public key in that certificate; the message bearing the sender's signature is then verified, to guarantee the trustworthiness of the message.
When a stored message is verified, the verifier first obtains from S the master public key certificate operation record signed by S with IDSKS and verifies that signature; it then confirms from the operation record whether the master public key certificate was the one enabled at that time; if so, it verifies the signature in the master public key certificate, and then verifies the signature on the message using the identity-based parameter set generated from that certificate. If all verification passes, the stored message is proven authentic.
Example 4
As shown in Fig. 4, this embodiment provides a service network-based communication method, applied between electronic signature service platforms of the service network, comprising:
S310, each of the two platforms to be communicated acquires and parses the master public key certificate of the other party, obtaining the other party's certificate identifier, the service network identifiers of the other platform and of its proxy node, the master public key, the validity period, the central node information and the central node signature;
S320, each of the two platforms sends the other party's certificate identifier and the service network identifiers of the other platform and of its proxy node to its own proxy node; that proxy node communicates with the other party's proxy node according to the received proxy node service network identifier, which judges from the certificate identifier whether the corresponding master public key certificate is the current master public key certificate of the platform to be communicated, and if so the result is sent back to the requesting platform;
S330, after receiving the result, each of the two platforms verifies the central node signature on the other party's certificate; if verification passes, each takes the master public key out of the other party's master public key certificate and generates the other party's identity-based cryptographic parameter set for communication.
In this embodiment, when service platform A and service platform B prepare to communicate, A and B exchange their master public key certificates TKNA and TKNB and then verify each other's master public key. Taking B's verification of TKNA as an example: B first parses from TKNA the certificate identifier, ID_NET_A, ID_NET_PA, the master public key, the validity period, the issuer S information and S's signature, then sends the certificate identifier, ID_NET_A and ID_NET_PA to PB. PB locates PA from ID_NET_PA and establishes a trusted communication mechanism with PA as described in Embodiment 3 (when A and B belong to the same proxy node, that node need not establish a trusted communication mechanism with any other node). If PA's master public key certificate is in a disabled state, PB's verification fails, the trusted communication mechanism between PB and PA cannot be established, B's verification of TKNA is interrupted, and B cannot trust A. Once the trusted communication mechanism between PB and PA is established, PB sends the certificate identifier of TKNA and ID_NET_A to PA. PA checks that ID_NET_A is one of its child nodes, then queries its local master public key certificate operation record to confirm whether TKNA is the latest enabled master public key certificate of A; if so, it returns the result to PB, which forwards it to B. B now knows that TKNA is a valid master public key certificate of A. B then verifies S's signature using ID_NET_S and the identity-based parameter set Params; once it passes, the certificate is confirmed as genuinely issued by S. B also checks that TKNA is within its validity period. With all checks passed, each side takes the master public key out of the other party's master public key certificate to form the identity-based
parameter set: B takes the master public key PKA out of TKNA to form the parameter set ParamA, consisting of the system parameter set together with PKA, and A takes the master public key PKB out of TKNB to form the parameter set ParamB, consisting of the system parameter set together with PKB. Finally, A and B can encrypt, decrypt, sign and verify between themselves using the parameter sets so formed.
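As an added illustration (not the applicant's code or the actual identity-based scheme), the following Python model ties together the revocation record of Embodiment 2 and the verification flows of Embodiments 3 and 4: a superior node keeps the operation record of its children's certificates, revocation disables the old certificate and issues a new key pair and certificate, and a verifier checks that the superior vouches for the certificate as the latest enabled one of a genuine child, then S's signature and the validity period. It assumes that S's identity-based signature is stood in for by HMAC-SHA256, that master key pairs are toy random values, and that a `proxies` directory replaces however PB locates PA from ID_NET_PA.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import astuple, dataclass

NOW = 1_700_000_000      # constructed "current time" in seconds
VALIDITY = 365 * 86400   # constructed validity period of a certificate


@dataclass
class Token:
    """Master public key certificate (TKN) with the fields a verifier parses from it."""
    token_id: str       # certificate identifier, derived by S from the master public key
    id_net_owner: str   # ID_NET of the owner (A or PA)
    id_net_parent: str  # ID_NET of the owner's superior (PA or S)
    master_pub: str     # owner's master public key
    not_after: int      # end of validity period
    issuer_info: str    # central node information
    sig: str = ""       # central node signature (over all preceding fields)

    def payload(self) -> bytes:
        return json.dumps(astuple(self)[:-1]).encode()


class Node:
    """A superior node (S or a proxy) keeping the certificate operation record of its children."""

    def __init__(self, id_net: str, central: "CentralNode | None" = None):
        self.id_net = id_net
        self.central = central or self            # S signs its own children's certificates
        self.records: dict[str, list[dict]] = {}  # child ID_NET -> operation record, oldest first
        self.master_priv: dict[str, str] = {}     # child ID_NET -> dedicated master private key

    def enroll(self, child: str, now: int) -> Token:
        # Toy key pair (private = random, public = hash(private)); S signs the certificate.
        priv = secrets.token_hex(16)
        pub = hashlib.sha256(priv.encode()).hexdigest()
        self.master_priv[child] = priv             # "locally stores the master private key"
        tok = self.central.sign_token(child, self.id_net, pub, now + VALIDITY)
        self.records.setdefault(child, []).append(
            {"token": tok, "state": "enabled", "enable_time": now, "not_after": tok.not_after})
        return tok

    def disable(self, child: str, token_id: str, now: int) -> None:
        """Exit flow: record the certificate as disabled with its disabling time; issue nothing new."""
        for rec in self.records.get(child, []):
            if rec["token"].token_id == token_id and rec["state"] == "enabled":
                rec["state"], rec["disable_time"] = "disabled", now

    def revoke_and_reissue(self, child: str, token_id: str, now: int) -> Token:
        """Revocation flow: disable the old certificate, then issue a fresh key pair and certificate."""
        self.disable(child, token_id, now)
        return self.enroll(child, now)

    def is_current(self, child: str, token_id: str) -> bool:
        """Is token_id the latest *enabled* certificate of a node that really is my child?"""
        if child not in self.records:              # not a child node of mine: refuse to vouch
            return False
        latest = self.records[child][-1]
        return latest["state"] == "enabled" and latest["token"].token_id == token_id


class CentralNode(Node):
    """S. Its IBC signing key IDSKS is stood in for by an HMAC key, so signature checks go
    through S in this toy; on the page any member verifies with ID_NET_S and Params."""

    def __init__(self):
        super().__init__("ID_NET_S")
        self._idsks = secrets.token_bytes(32)

    def sign_token(self, owner: str, parent: str, pub: str, not_after: int) -> Token:
        tok = Token(hashlib.sha256(pub.encode()).hexdigest()[:16], owner, parent, pub, not_after, "S")
        tok.sig = hmac.new(self._idsks, tok.payload(), hashlib.sha256).hexdigest()
        return tok

    def signature_ok(self, tok: Token) -> bool:
        expected = hmac.new(self._idsks, tok.payload(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tok.sig, expected)


def verify_token(tok: Token, superior: Node, s: CentralNode, now: int):
    """Shared tail of Embodiments 3 and 4: the owner's superior vouches that the certificate is the
    latest enabled one of a genuine child, then S's signature and the validity period are checked.
    Returns the other party's IBC parameter set (system parameters + master public key) or None."""
    if not superior.is_current(tok.id_net_owner, tok.token_id):
        return None
    if not s.signature_ok(tok) or now > tok.not_after:
        return None
    return {"sys_params": "Params", "master_pub": tok.master_pub}


def verify_platform_token(tok: Token, own_proxy: Node, proxies: dict, s: CentralNode, now: int):
    """Embodiment 4: platform B (behind own_proxy) verifies platform A's certificate TKNA.
    `proxies` is an assumed directory standing in for how PB locates PA from ID_NET_PA."""
    peer_proxy = proxies.get(tok.id_net_parent)
    if peer_proxy is None:
        return None
    if peer_proxy is not own_proxy:
        # Embodiment 3 between PB and PA (S vouches); a disabled proxy certificate interrupts B's check.
        for proxy in (own_proxy, peer_proxy):
            if verify_token(s.records[proxy.id_net][-1]["token"], s, s, now) is None:
                return None
    return verify_token(tok, peer_proxy, s, now)   # PA vouches for A; B then checks S's signature
```

Note that the record check runs before the signature check, so a certificate whose identifier is current but whose contents were altered still fails on S's signature.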
In another embodiment of the present application, a trusted communication mechanism may also be established between a proxy node and the central node, and between a service platform and its proxy node.
Taking the establishment of a trusted communication mechanism between proxy node PA and central node S as an example: S obtains the locally stored master private key SKPA dedicated to PA and uses SKPA to issue, for ID_NET_S, an identity private key IDSKS_PA dedicated to communication with PA; PA and S then use the parameter set ParamPA dedicated to PA as their common parameters for encryption, signing, key agreement and the like.
Taking the establishment of a trusted communication mechanism between service platform A and proxy node PA as an example: PA obtains the locally stored master private key SKA dedicated to A and uses SKA to issue, for ID_NET_PA, an identity private key IDSKA_A dedicated to communication with A; A and PA then use the parameter set ParamA dedicated to A as their common parameters for encryption, signing, key agreement and the like.
In these embodiments the storage method of Embodiment 3 may be used: every kind of information that needs to be stored carries the sender's digital signature, and that signature can be verified by any member of the network, thereby meeting the storage requirements of all members of the network system.
The foregoing is merely illustrative of specific embodiments of the present invention; the scope of the invention is not limited thereto, and any changes or substitutions within the technical scope of the present invention shall be covered by it. Therefore, the protection scope of the present invention shall be determined by the claims.

Claims (10)

1. A service network-based certificate revocation method, characterized in that the service network comprises a central node, at least one proxy node and at least one electronic signature service platform, wherein the central node is deployed with an identity-based cryptography management system and is connected with the at least one proxy node, each electronic signature service platform is connected with one proxy node, and each proxy node is connected with one or more electronic signature service platforms; the method is applied between interconnected upper-level and lower-level nodes of the service network and comprises:
the upper node records the master public key certificate to be revoked of the lower node as disabled according to the certificate identifier of that certificate, and records its disabling time, wherein the master public key certificate to be revoked and its certificate identifier are generated by the central node;
the upper node generates a new master public key and a new master private key dedicated to the lower node, and determines a new certificate identifier of the lower node and a corresponding new master public key certificate from the new master public key;
the upper node computes a new service network identity private key of the lower node from the new master private key, and sends the new master public key certificate and the new service network identity private key to the lower node;
and the upper node records the new master public key certificate as enabled according to the new certificate identifier, and records the enabling time and validity period of the new master public key certificate.
2. The service network-based certificate revocation method of claim 1, wherein, when the upper node is a proxy node and the lower node is an electronic signature service platform connected to that proxy node, the method further comprises:
the upper node stores the new master private key locally and sends the new master public key to the central node; after receiving the new master public key, the central node generates the new certificate identifier and the corresponding new master public key certificate from it and sends the new master public key certificate to the upper node.
3. The service network-based certificate revocation method of claim 1, wherein, before the upper node records the master public key certificate to be revoked of the lower node as disabled according to its certificate identifier, the method further comprises:
the upper node allocates an identity and a service network identifier to a lower node connected to it, and generates a master public key and a master private key dedicated to that lower node;
and the upper node determines the service network identity private key and the master public key certificate of the lower node from the master private key and the master public key respectively, and issues the master public key certificate and the service network identity private key to the lower node.
4. The service network-based certificate revocation method of claim 3, wherein, when the upper node is a proxy node and the lower node is an electronic signature service platform connected to that proxy node, the master public key certificate of the lower node is determined as follows:
the upper node stores the master private key locally and sends the master public key to the central node; the central node receives the master public key, generates a certificate identifier from it, signs the certificate identifier, the service network identifiers of the lower and upper nodes, the master public key, the validity period and the central node information, generates the master public key certificate of the lower node from that signature together with the certificate identifier, the service network identifiers of the lower and upper nodes, the master public key, the validity period and the central node information, and sends the master public key certificate to the upper node.
5. The service network-based certificate revocation method of claim 4, wherein the method further comprises:
triggering the master public key certificate revocation flow of the lower node when the validity period of the lower node's master public key certificate expires or the master private key corresponding to the master public key in that certificate is at risk.
6. The service network-based certificate revocation method of claim 5, wherein triggering the master public key certificate revocation flow of the lower node when the validity period of its master public key certificate expires or the master private key corresponding to the master public key in that certificate is at risk comprises:
when the validity period of the lower node's master public key certificate expires, the upper node corresponding to the lower node triggers the master public key certificate revocation flow of the lower node;
when the master private key corresponding to the master public key in the lower node's master public key certificate is at risk, the lower node triggers the master public key certificate revocation flow.
7. A service network-based communication method, wherein the service network comprises a central node, at least one proxy node and at least one electronic signature service platform, the central node is deployed with an identity-based cryptography management system and is connected with the at least one proxy node, each electronic signature service platform is connected with one proxy node, and each proxy node is connected with one or more electronic signature service platforms; the method is applied between proxy nodes of the service network and comprises the following steps:
each of the two proxy nodes to be communicated acquires and parses the master public key certificate of the other party to obtain the other party's certificate identifier, the service network identifiers of the other proxy node and of the central node, the master public key, the validity period, the central node information and the central node signature;
each of the two proxy nodes sends the other party's certificate identifier and service network identifier to the central node; from the received certificate identifier and service network identifier the central node judges whether the corresponding master public key certificate is the current master public key certificate of the proxy node to be communicated, and if so sends the result to the requesting proxy node;
and after receiving the result, each of the two proxy nodes verifies the central node signature of the other party; if verification passes, each takes the master public key out of the other party's master public key certificate and generates the other party's identity-based cryptographic parameter set for communication.
8. The service network-based communication method of claim 7, wherein judging from the received certificate identifier and service network identifier whether the corresponding master public key certificate is the current master public key certificate of the proxy node to be communicated comprises:
the central node checks whether the received service network identifier is one of its child nodes and, if so, queries its local master public key certificate operation record to confirm whether the received certificate identifier is that of the current master public key certificate of the proxy node to be communicated.
9. A service network-based communication method, wherein the service network comprises a central node, at least one proxy node and at least one electronic signature service platform, the central node is deployed with an identity-based cryptography management system and is connected with the at least one proxy node, each electronic signature service platform is connected with one proxy node, and each proxy node is connected with one or more electronic signature service platforms; the method is applied between the electronic signature service platforms of the service network and comprises the following steps:
each of the two platforms to be communicated acquires and parses the master public key certificate of the other party to obtain the other party's certificate identifier, the service network identifiers of the other platform and of its proxy node, the master public key, the validity period, the central node information and the central node signature;
each of the two platforms sends the other party's certificate identifier and the service network identifiers of the other platform and of its proxy node to its own proxy node; that proxy node communicates with the other party's proxy node according to the received proxy node service network identifier, which judges from the certificate identifier whether the corresponding master public key certificate is the current master public key certificate of the platform to be communicated, and if so the result is sent to the requesting platform;
and after receiving the result, each of the two platforms verifies the central node signature of the other party; if verification passes, each takes the master public key out of the other party's master public key certificate and generates the other party's identity-based cryptographic parameter set for communication.
10. The service network-based communication method of claim 9, wherein communicating with the other party's proxy node according to the received proxy node service network identifier and judging from the certificate identifier whether the corresponding master public key certificate is the current master public key certificate of the platform to be communicated comprises:
the proxy node establishes communication with the other party's proxy node according to the received proxy node service network identifier, using the communication method as claimed in claim 9; if the master public key certificate of the other party's proxy node is verified to be in a disabled state, communication establishment fails and the flow ends.
CN202410150012.6A 2024-02-02 2024-02-02 Service network-based certificate revocation method and communication method Pending CN117692151A (en)

Publications (1)

Publication Number Publication Date
CN117692151A true CN117692151A (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination