CN118157871A - Method, device, storage medium and electronic equipment for issuing and applying digital certificate - Google Patents

Publication number
CN118157871A
Authority
CN
China
Prior art keywords
certificate
information
quantum
public key
digital certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410265928.6A
Other languages
Chinese (zh)
Inventor
高文华
李向锋
夏鲁宁
夏冰冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING CERTIFICATE AUTHORITY
Original Assignee
BEIJING CERTIFICATE AUTHORITY
Filing date
Publication date
Application filed by BEIJING CERTIFICATE AUTHORITY

Abstract

The application provides a method, a device, a storage medium and electronic equipment for issuing and applying a digital certificate, wherein the method can comprise the following steps: storing the target information into a target database, and acquiring verification data corresponding to the target information; filling the classical signature algorithm public key and classical signature algorithm information of the certificate applying entity into a main body public key field of a certificate domain, and acquiring extension information related to verification data; filling the extension information into an extension field of the certificate domain; signing the certificate domain by using a private key of a local classical signature algorithm to obtain a classical signature value; a digital certificate corresponding to the certificate applying entity is generated. The digital certificate can be applied to a classical password system and an anti-quantum password system. The digital certificate can meet the application requirements of different systems, reduces the size of the certificate, and reduces the transmission and storage pressures.

Description

Method, device, storage medium and electronic equipment for issuing and applying digital certificate
Technical Field
The present application relates to the field of digital certificates, and in particular, to a method, an apparatus, a storage medium, and an electronic device for issuing and applying a digital certificate.
Background
In recent years, quantum computing has developed rapidly. Once a general-purpose quantum computer appears, it will have a great impact on the conventional public key cryptosystems widely used today. Certificate issuance and application in public key infrastructure (PKI) is where the risk will be most concentrated once quantum computing becomes practical. Digital certificates in widespread use today are based primarily on the X.509 format.
To address the security threat that quantum computing poses to the PKI X.509 certificates in widespread use today, several hybrid digital certificate issuing schemes have been proposed in succession. Hybrid certificates are applicable to both classical cryptographic systems and quantum-resistant cryptographic systems. In the prior art, related information based on another cryptographic algorithm, such as subject public key information and a signature value, is added on top of the existing X.509 digital certificate format. However, the public key and signature of an anti-quantum signature algorithm are usually much larger than those of a classical signature algorithm, so a hybrid certificate under this scheme is much larger than a certificate based on a purely classical cryptographic algorithm. It occupies a large amount of bandwidth in transmission and imposes considerable storage pressure and cost on the parties that generate and apply the certificate.
Therefore, how to provide a method for issuing or applying a digital certificate that is easy to store is a technical problem to be solved.
Disclosure of Invention
By introducing an online target database, the technical scheme provided by the embodiments of the application can reduce the size of the hybrid digital certificate, reduce the bandwidth occupied when the digital certificate and the certificate chain are transmitted, and reduce storage pressure.
In a first aspect, some embodiments of the present application provide a method of digital certificate issuance, comprising: storing target information into a target database, and acquiring verification data corresponding to the target information, wherein the target information comprises: a local anti-quantum cryptographic signature algorithm, initial subject public key information and a first signature value; filling a certificate application entity's classical signature algorithm public key and classical signature algorithm information into a certificate domain's main body public key field, and obtaining extension information related to the verification data, wherein the extension information includes: the address of the target database, the certificate revocation list distribution point and the access information; filling the extension information into an extension field of the certificate domain; signing the certificate domain by using a private key of a local classical signature algorithm to obtain a classical signature value; generating a digital certificate corresponding to the certificate applying entity, wherein the digital certificate comprises: the certificate domain, the classical signature algorithm information and the classical signature value.
Some embodiments of the present application store the target information related to the generation of the digital certificate in an online target database and obtain its verification data, then fill the corresponding key and algorithm information into the certificate domain and sign the certificate domain to generate the corresponding digital certificate. While still meeting the requirements of different application systems, some data can be stored in the target database instead of being placed in the digital certificate, so the size of the hybrid digital certificate can be greatly reduced, along with the bandwidth consumption and the storage pressure on a certificate application party caused by transmitting the hybrid digital certificate and the hybrid digital certificate chain.
In some embodiments, prior to the storing the target information to the target database, the method includes: receiving certificate request information sent by the certificate applying entity, wherein the certificate request information carries the classical signature algorithm public key and the quantum resistant public key; filling the anti-quantum public key and the anti-quantum signature algorithm information into fields corresponding to the initial main body public key information, wherein the initial main body public key information and other fields form an initial certificate domain; and signing the initial certificate domain by using a local anti-quantum private key of the local anti-quantum password signing algorithm to obtain the first signature value.
In some embodiments of the application, after the certificate request information of the certificate applying entity is received, the relevant content is filled into the corresponding fields to obtain an initial certificate domain, and the first signature value is then obtained by signing with the local anti-quantum private key, which provides trusted data support for the subsequent generation of the digital certificate.
In some embodiments, the acquiring verification data corresponding to the target information includes: taking a certificate serial number of the digital certificate to be generated as the verification data; or inputting the target information into a preset algorithm to obtain the verification data.
According to the method and the device, the related information can be timely obtained in the target database by combining the verification data with the address of the target database, and compared with the traditional method that the related information is placed in the digital certificate, the size of the subsequent digital certificate can be reduced.
In some embodiments, the method further comprises: the extension field is set to a non-critical field.
Some embodiments of the present application set the extension field to a non-critical field so that the digital certificate can be adapted to different application scenarios.
In some embodiments, the digital certificate is applied to a certificate application party; the certificate application party is a classical cryptographic system without anti-quantum cryptographic computing capability or anti-quantum cryptographic protection requirements, or an anti-quantum cryptographic system with anti-quantum cryptographic computing capability or anti-quantum cryptographic protection requirements.
The digital certificate of some embodiments of the application can be applied to systems of different certificate application parties, and has wider adaptability.
In a second aspect, some embodiments of the present application provide a method for digital certificate application, for use by a certificate application party having anti-quantum cryptographic computing capability or anti-quantum cryptographic protection requirements, comprising: receiving query data sent by a certificate issuing authority, wherein the query data is obtained by the certificate issuing authority by querying a target database based on verification data of a digital certificate and an address of the target database, and the query data comprises: the local anti-quantum cryptographic signature algorithm of the certificate issuing authority, the initial subject public key information and the first signature value; the digital certificate is obtained by any method embodiment of the first aspect; and, after confirming that the query data passes verification, using anti-quantum cryptographic information in the digital certificate, wherein the anti-quantum cryptographic information comprises: anti-quantum public key and anti-quantum signature algorithm information.
According to the method and the device, the query data sent by the certificate issuing mechanism can be processed and verified, so that quantum-resistant password content in the digital certificate can be applied to the quantum-resistant password system, and the service application requirements can be met while the digital certificate storage pressure of a certificate application party is reduced.
In some embodiments, confirming that the query data passes verification comprises: inputting the query data into a preset algorithm to obtain data to be verified; when the data to be verified is confirmed to be consistent with the verification data, generating an initial certificate domain from the certificate domain in the digital certificate and the query data; verifying the first signature value by using the initial certificate domain, the local anti-quantum cryptographic signature algorithm and a local anti-quantum public key of the local anti-quantum cryptographic signature algorithm to obtain a verification result; and, after the verification result is confirmed to be a pass, determining that the query data passes verification.
According to the method and the device, the integrity and the safety of the key data can be ensured by carrying out subsequent processing and verification after carrying out integrity verification on the query data, and the application safety is ensured.
In some embodiments, the certificate revocation list distribution point in the digital certificate is configured to let the certificate application party query the data state in the target database, and the access information in the digital certificate is configured to let the certificate application party query certificate issuing authority information and services.
Some embodiments of the present application can query the data state in the target database and the information and services of the certificate issuer through the certificate revocation list distribution points and the access information, which is convenient and efficient.
In a third aspect, some embodiments of the present application provide an apparatus for digital certificate issuance, comprising: the storage module is configured to store target information into a target database and acquire verification data corresponding to the target information, wherein the target information comprises: a local anti-quantum cryptographic signature algorithm, initial subject public key information and a first signature value; the first filling module is configured to fill the classical signature algorithm public key and classical signature algorithm information of the certificate applying entity into a main body public key field of a certificate domain, and acquire extension information related to the verification data, wherein the extension information comprises: the address of the target database, the certificate revocation list distribution point and the access information; a second population module configured to populate the extension information into an extension field of the certificate domain; the signature module is configured to sign the certificate domain by utilizing a private key of a local classical signature algorithm to obtain a classical signature value; a generation module configured to generate a digital certificate corresponding to the certificate applying entity, wherein the digital certificate includes: the certificate domain, the classical signature algorithm information and the classical signature value.
In a fourth aspect, some embodiments of the present application provide an apparatus for digital certificate application, for use by a certificate application party having anti-quantum cryptographic computing capability or anti-quantum cryptographic protection requirements, the apparatus comprising: a query module configured to receive query data sent by a certificate issuing authority, where the query data is queried by the certificate issuing authority from a target database based on verification data of a digital certificate and an address of the target database, the query data including: the local anti-quantum cryptographic signature algorithm of the certificate issuing authority, the initial subject public key information and the first signature value; the digital certificate is obtained by any method embodiment of the first aspect; and a verification module configured to confirm that the query data passes verification and then use anti-quantum cryptographic information in the digital certificate, wherein the anti-quantum cryptographic information comprises: anti-quantum public key and anti-quantum signature algorithm information.
In a fifth aspect, some embodiments of the application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs a method according to any of the embodiments of the first aspect.
In a sixth aspect, some embodiments of the application provide an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor is capable of implementing a method according to any of the embodiments of the first aspect when executing the program.
In a seventh aspect, some embodiments of the application provide a computer program product comprising a computer program, wherein the computer program, when executed by a processor, is adapted to carry out the method according to any of the embodiments of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of some embodiments of the present application, the drawings that are required to be used in some embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be construed as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is a schematic diagram of a digital certificate format provided in some embodiments of the present application;
FIG. 2 is a flow chart of a method for digital certificate issuance provided by some embodiments of the present application;
FIG. 3 is a second diagram of a digital certificate format according to some embodiments of the present application;
FIG. 4 is a flow chart of a method for digital certificate application provided by some embodiments of the present application;
FIG. 5 is a block diagram of a digital certificate application provided in some embodiments of the present application;
FIG. 6 is a block diagram of a digital certificate issuing apparatus according to some embodiments of the present application;
FIG. 7 is a block diagram of the apparatus components of a digital certificate application provided in some embodiments of the present application;
FIG. 8 is a schematic diagram of an electronic device according to some embodiments of the present application.
Detailed Description
The technical solutions of some embodiments of the present application will be described below with reference to the drawings in some embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
In the related art, post-quantum cryptography (Post Quantum Cryptography, PQC) refers to new algorithms designed on mathematical problems such as lattice theory, polynomial rings and error-correcting codes, which can resist quantum computing attacks. However, compared with traditional public key cryptography, the classical security of anti-quantum cryptographic algorithms has yet to be tested by time. Thus, regarding PQC migration of existing cryptographic applications, one mainstream view is that, for security and compatibility reasons, the transitional phase should use a hybrid scheme of traditional public key cryptography and PQC algorithms until the PQC algorithms have undergone more thorough security analysis.
Digital certificates in widespread use today are based primarily on the X.509 format. The X.509 digital certificate format is shown in FIG. 1 and includes the TBS domain, the signature algorithm field, the signature value field, and so on.
The TBS domain comprises the fields from "version" to "extension". The "subject public key information" field stores the public key of the subject (i.e., the entity, also the certificate owner) and the corresponding public key algorithm. The "extension" field is a sequence of one or more certificate extensions, which provides a way to associate additional attributes with a user or public key and a way to manage the structure of the certificate. An extension has three parts: an extension type, an extension criticality and an extension value. The extension criticality tells the user of a certificate whether a given extension type may be ignored, and is either critical or non-critical. If the application system using the certificate cannot recognize a critical extension, it should refuse to accept the certificate; if it cannot recognize a non-critical extension, the information in that extension may be ignored. The "signature algorithm" field contains the identifier of the cryptographic algorithm used by the certificate issuing authority (CA) to issue the certificate, as well as the parameters selected for that algorithm. The signature value contains the result of digitally signing the TBS domain information with the cryptographic algorithm identified by the signature algorithm field.
In order to cope with the security threat that quantum computing poses to the widely used PKI X.509 certificates, the prior art adds related information based on another cryptographic algorithm, such as subject public key information and a signature value, in an extension field of the existing X.509 digital certificate format.
However, the public key and signature of an anti-quantum signature algorithm are usually much larger than those of a classical signature algorithm, so the hybrid digital certificate (hybrid certificate for short) generated by this scheme is much larger than a certificate based on a purely classical cryptographic algorithm. For example, the sum of the public key and the signature value of the SM2 algorithm is 60 bytes, and the corresponding digital certificate issued based on the SM2 signature algorithm is about 700 bytes in size; the sum of the public key and signature value of the RSA-2048 algorithm is 500 bytes, and the corresponding digital certificate issued based on RSA-2048 is about 1000 bytes. However, for some common anti-quantum signature algorithms, such as the NIST standard signature algorithm Dilithium, the sum of the public key and signature result is above 3000 bytes; for Falcon it is above 1500 bytes; and for SPHINCS+ it is even on the order of tens of kilobytes. Therefore, placing the entity's anti-quantum signature public key and the CA's anti-quantum signature result in an extension of a classical digital certificate greatly increases the size of the certificate. In addition, applying a hybrid certificate also requires verifying the hybrid certificate chain, which is the complete chain of trust formed by the root CA, the intermediate CA and the entity certificate and is used to establish a trust relationship. An increase in the size of the certificate therefore also means an increase in the size of the certificate chain.
However, in the transition stage of anti-quantum migration of digital certificates, the quantum computing threat has not yet truly arrived, and certificate application parties without anti-quantum cryptographic computing capability or anti-quantum cryptographic protection requirements coexist with certificate application parties that have anti-quantum cryptographic computing capability and protection requirements. For certificate application parties that cannot perform anti-quantum cryptographic computation, the excessive size of the hybrid certificate and hybrid certificate chain results in needlessly large bandwidth consumption when certificates and certificate chains are transmitted, as well as a certain storage pressure.
In view of this, some embodiments of the present application provide a method of digital certificate issuance and application that introduces a target database on the certificate issuing authority side. When the digital certificate is issued, the information related to anti-quantum cryptography is stored in the target database and verification data corresponding to this target information is acquired, instead of placing data such as the entity's anti-quantum signature public key directly in an extension of the digital certificate. A certificate application party with anti-quantum cryptographic computing capability and anti-quantum application requirements can use the verification data in the digital certificate to download the target information from the online target database and apply it in its anti-quantum cryptographic system. Compared with the prior art, the application can greatly reduce the size of the digital certificate, along with the bandwidth consumption and the storage pressure on a certificate application party caused by transmitting the digital certificate and the hybrid digital certificate chain.
The implementation of digital certificate issuing performed by the certificate issuing authority CA provided in some embodiments of the present application is exemplarily described below with reference to fig. 2.
Referring to fig. 2, fig. 2 is a flowchart of a method for issuing a digital certificate according to some embodiments of the present application, where the method for issuing a digital certificate may include:
S210, receiving certificate request information sent by a certificate applying entity, wherein the certificate request information carries the classical signature algorithm public key and the quantum resistant public key.
For example, in some embodiments of the application, a certificate applying entity (e.g., an enterprise) sends the CA a certificate request message containing the classical cryptographic algorithm public key pk_en1 and the anti-quantum cryptographic algorithm public key pk_en2 (as one specific example of a quantum resistant public key). The CA receives the certificate request information sent by the certificate applying entity.
S220, filling the anti-quantum public key and the anti-quantum signature algorithm information into a field corresponding to the initial main body public key information, wherein the initial main body public key information and other fields form an initial certificate domain.
For example, in some embodiments of the present application, the CA fills the anti-quantum cryptographic algorithm public key pk_en2 of the certificate applying entity and the corresponding anti-quantum signature algorithm information into the initial subject public key information field of the TBS domain, and then concatenates it with the version, serial number and other fields of the TBS domain to obtain TBS_1.
S230, signing the initial certificate domain by using a local anti-quantum private key of the local anti-quantum password signing algorithm to obtain a first signature value.
For example, in some embodiments of the present application, the CA signs TBS_1 with its own PQC signature algorithm private key sk_ca2 (as a specific example of a local anti-quantum private key) and the corresponding PQC signature algorithm (i.e., the local anti-quantum cryptographic signature algorithm), resulting in a PQC signature value (as a specific example of a first signature value). At this point the TBS_1 domain (as a specific example of an initial certificate domain) shown in FIG. 3 (a) is obtained.
S240, storing target information into a target database, and acquiring verification data corresponding to the target information, wherein the target information comprises: a local anti-quantum cryptographic signature algorithm, initial subject public key information, and a first signature value.
For example, in some embodiments of the present application, the CA stores the initial subject public key information in the TBS_1 domain (such as pk_en2), the PQC signature algorithm used to sign the TBS_1 domain, and the PQC signature value in the CA's online database (as one specific example of a target database). The CA then acquires verification data corresponding to this information.
In some embodiments of the present application, S240 may include: taking a certificate serial number of the digital certificate to be generated as the verification data.
For example, in some embodiments of the application, the CA may have a unique certificate serial number for each digital certificate when generating the digital certificate, and may bind the certificate serial number directly as verification data to the target information. It should be noted that, the certificate serial number may be obtained through a hash algorithm and the target information, or may be obtained through calculation through other algorithms, and embodiments of the present application are not limited herein specifically.
In other embodiments of the present application, S240 may include: inputting the target information into a preset algorithm to obtain the verification data.
For example, in other embodiments of the present application, the CA may simply concatenate the initial public key information such as pk_en2, the PQC signature algorithm used to compute the signature over the TBS_1 domain, and the CA's PQC signature value, feed the result into a hash algorithm (as a specific example of a preset algorithm), and use the resulting hash value as verification data for the above information stored in the online database.
The acquisition mode of the verification data in practical application can be flexibly adjusted, and the embodiment of the application is not limited to the method.
S250, filling a classical signature algorithm public key and classical signature algorithm information of a certificate applying entity into a main body public key field of a certificate domain, and acquiring extension information related to the verification data, wherein the extension information comprises: the address of the target database, the certificate revocation list distribution point and the access information.
For example, in other embodiments of the present application, the CA fills the classical signature algorithm public key (i.e., classical cryptographic algorithm public key) pk_en1 of the certificate applying entity and the corresponding classical signature algorithm information into the subject public key information field of the TBS_2 domain (as a specific example of a certificate domain) shown in FIG. 3 (b). The extension information is then acquired based on the obtained verification data.
In some embodiments of the present application, S250 may include: the extension field is set to a non-critical field.
For example, in some embodiments of the present application, the extension field is set to a non-critical field so that a subsequently generated digital certificate may be applied in a different system.
S260, filling the extension information into an extension field of the certificate domain.
For example, in some embodiments of the present application, the hash value (i.e., the hash result in FIG. 3 (b)), the URL, CDP_PQC and AIA_PQC are placed in the extension field, and this extension field is set to a non-critical field, as shown in FIG. 3 (b).
S270, signing the certificate domain by using a private key of a local classical signature algorithm to obtain a classical signature value.
For example, in some embodiments of the present application, the CA signs TBS_2 of FIG. 3 (b) using its own local classical signature algorithm private key sk_ca1 and the corresponding local classical signature algorithm to obtain a classical signature value.
S280, generating a digital certificate corresponding to the certificate applying entity, wherein the digital certificate comprises: the certificate domain, the classical signature algorithm information and the classical signature value.
For example, in some embodiments of the application, the TBS_2 domain, the classical signature algorithm information field and the classical signature value field constitute a hybrid certificate (as one specific example of a digital certificate) that is suitable for use in both classical and anti-quantum cryptographic systems, as shown in FIG. 3 (c). Finally, the CA sends the entity's hybrid certificate and the hybrid certificate chain required to apply it to the certificate applying entity.
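The PQC side of steps S220 to S260, together with the relying party's check from the second aspect (recompute the hash, rebuild the initial certificate domain, verify the first signature value), as an added example that is not part of the patent text. It assumes a Lamport one-time hash-based signature as a stand-in for the CA's PQC algorithm, a dict as the target database, and hypothetical field names, URLs and byte encoding; the classical signature over the certificate domain (S270) is ordinary X.509 signing and is left out.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def enc(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so field boundaries are unambiguous."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

# Lamport one-time signature (hash-based), used only as a stand-in for the
# CA's PQC signature algorithm. One key pair may sign ONE message; a real CA
# would use a many-time scheme such as Dilithium.
def lamport_keygen():
    sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(x) for x in row] for row in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[b][i] for i, b in enumerate(_bits(msg)))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    chunks = [sig[i * 32:(i + 1) * 32] for i in range(256)]
    return all(H(c) == pk[b][i] for i, (c, b) in enumerate(zip(chunks, _bits(msg))))

PQ_ALG = b"lamport-sha256"           # hypothetical algorithm label
DB_URL = "https://ca.example/pqdb"   # hypothetical target database address
SHARED = ("version", "serial", "issuer", "subject")  # fields common to both domains

def build_tbs1(fields: dict, pq_alg: bytes, pk_en2: bytes) -> bytes:
    """Initial certificate domain: shared fields plus PQC subject public key info."""
    return enc(enc(*(str(fields[k]).encode() for k in SHARED)), pq_alg, pk_en2)

def record_digest(record: dict) -> bytes:
    """Verification data: hash over the stored target information."""
    return H(enc(record["pq_alg"], record["pk_en2"], record["first_sig"]))

def sample_request() -> dict:
    """Constructed certificate request; both public keys are random placeholder bytes."""
    return {"version": 3, "serial": "1001", "issuer": "CN=Example CA",
            "subject": "CN=Example Corp",
            "pk_en1": os.urandom(65), "pk_en2": os.urandom(1312)}

def issue(req: dict, sk_ca2, database: dict) -> dict:
    """S220-S260: sign TBS_1, store the target info, return TBS_2 carrying only the hash."""
    tbs1 = build_tbs1(req, PQ_ALG, req["pk_en2"])
    record = {"pq_alg": PQ_ALG, "pk_en2": req["pk_en2"],
              "first_sig": lamport_sign(sk_ca2, tbs1)}
    digest = record_digest(record).hex()
    database[digest] = record
    ext = {"id": "pq-binding", "critical": False, "hash": digest, "url": DB_URL,
           "cdp_pqc": DB_URL + "/crl", "aia_pqc": DB_URL + "/ca"}
    tbs2 = {k: req[k] for k in SHARED}
    tbs2.update(spki={"alg": "classical", "key": req["pk_en1"]}, extensions=[ext])
    return tbs2

def verify_pq_binding(tbs2: dict, database: dict, pk_ca2) -> bytes:
    """Relying-party check; returns the entity's PQC public key or raises ValueError."""
    ext = next((e for e in tbs2["extensions"] if e["id"] == "pq-binding"), None)
    record = database.get(ext["hash"]) if ext else None
    if record is None:
        raise ValueError("no database record for the verification data")
    if record_digest(record).hex() != ext["hash"]:
        raise ValueError("record does not match the hash in the certificate")
    if record["pq_alg"] != PQ_ALG:
        raise ValueError("unsupported PQC algorithm")
    tbs1 = build_tbs1(tbs2, record["pq_alg"], record["pk_en2"])
    if not lamport_verify(pk_ca2, tbs1, record["first_sig"]):
        raise ValueError("first signature value does not verify")
    return record["pk_en2"]

def unknown_critical_extensions(tbs2: dict, understood=()) -> list:
    """A classical relying party must reject only unknown *critical* extensions."""
    return [e["id"] for e in tbs2["extensions"]
            if e["critical"] and e["id"] not in understood]
```

The certificate carries a 32-byte hash while the database record holds the 1312-byte placeholder key and an 8 KB signature, and a classical relying party finds no unknown critical extension to reject.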
In some embodiments of the application, the digital certificate is applied to a certificate application party; the certificate application party is a classical cryptographic system without anti-quantum cryptography computing capability or anti-quantum cryptography protection requirement, or an anti-quantum cryptographic system with anti-quantum cryptography computing capability or anti-quantum cryptography protection requirement.
For example, in some embodiments of the application, the certificate application party may include the certificate applying entity and other certificate application parties. The certificate application party may lack anti-quantum cryptography computing capability or have no anti-quantum cryptography protection requirement, or it may have anti-quantum cryptography computing capability or an anti-quantum cryptography protection requirement. A certificate application party without anti-quantum cryptography computing capability or protection requirement can ignore the fields related to anti-quantum cryptography in the mixed certificate extension, and the mixed certificate can be applied normally in that party's classical cryptographic system.
The mixed certificate according to the present application is applicable to the transition phase of PQC. At this stage, there will be both certificate application parties with no anti-quantum cryptography computing capability or no anti-quantum cryptography protection requirement, and certificate application parties with anti-quantum cryptography computing capability and protection requirement. If the server and the client do not complete the migration at the same time, and the application of the PQC algorithm greatly increases the storage pressure and the bandwidth consumption, the certificate application party can, for the sake of compatibility and of saving storage and bandwidth resources, use the digital certificate generated by the scheme of the application to adaptively select whether to use the PQC cryptographic algorithm according to its requirements and computing capability. It should be understood that the embodiments provided by the present application are not limited thereto.
However, after the mixed certificate is obtained, the certificate application party with anti-quantum cryptography computing capability and protection requirement needs to query the target database through the content in the mixed certificate and then verify the content, so that the mixed certificate can be applied to the anti-quantum cryptography system of the certificate application party. Based on this, a specific procedure for digital certificate application provided in some embodiments of the present application is exemplarily described below with reference to fig. 4.
Referring to fig. 4, fig. 4 is a flowchart of a method for applying a digital certificate according to some embodiments of the present application, where the method for applying a digital certificate may include:
S410, receiving query data sent by a certificate issuing authority, wherein the query data is obtained by the certificate issuing authority by querying a target database based on verification data of a digital certificate and an address of the target database, and the query data comprises: a local anti-quantum cryptographic signature algorithm of the certificate issuing authority, initial subject public key information, and a first signature value.
For example, in some embodiments of the present application, for convenience of explanation, the present application further provides a structure diagram as shown in fig. 5. The certificate application party 100 in fig. 5 may send the verification data and the URL to the CA, so that the CA may query the CA online database 200 using the verification data in the mixed certificate and the URL provided by the CA, to obtain query data, where the query data is the initial body public key information such as pk en2, the PQC signature algorithm used to sign the TBS 1 domain, and the PQC signature value. The CA sends the query data to the certificate application party 100.
S420, after the query data is confirmed to pass verification, quantum-resistant password information in the digital certificate is used, wherein the quantum-resistant password information comprises: anti-quantum public key and anti-quantum signature algorithm information.
For example, in some embodiments of the present application, to ensure secure use, the certificate application party 100 also needs to verify the query data; once verification passes, the anti-quantum cryptography-related content in the mixed certificate, such as pk en2, may be applied in the anti-quantum cryptographic system.
In some embodiments of the present application, S420 may include: inputting the query data into a preset algorithm to obtain data to be verified; under the condition that the data to be verified and the verification data are confirmed to be consistent, generating an initial certificate domain through a certificate domain in the digital certificate and the query data; verifying the first signature value by using the initial certificate domain, the local anti-quantum cryptographic signature algorithm and a local anti-quantum public key of the local anti-quantum cryptographic signature algorithm to obtain a verification result; and after the verification result is confirmed to be passed, the query data passes the verification.
For example, in some embodiments of the present application, the certificate application party 100, upon receiving the query data, first verifies the integrity of the query data. The hash value to be verified (as a specific example of the data to be verified) is obtained by inputting the query data into a hash algorithm. If the hash value to be verified and the hash value calculated above (as one specific example of verification data) agree, then it is confirmed that the query data is complete. Then, the certificate application party 100 recombines the TBS 2 domain in the mixed certificate with the retrieved data to obtain TBS 1 as shown in fig. 3 (a), and verifies the PQC signature value in the returned data by using TBS 1, the PQC signature algorithm and the local anti-quantum public key pk ca2; after this verification passes, the query data is considered verified. It will be appreciated that other ways of verifying the integrity of query data may be used, and embodiments of the present application are not limited in this regard.
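The issuance steps (S250 to S280) and the relying-party checks (S410 to S420) can be traced in a small model; this is an added illustration, not code from the patent. Assumptions: canonical JSON stands in for DER, a Lamport one-time hash-based signature stands in for the CA's PQC signature algorithm, the classical signature over TBS 2 is omitted, and the extension identifier, field names and the way TBS 1 is rebuilt from TBS 2 are hypothetical.

```python
import hashlib
import json
import secrets

HYBRID_EXT = "hybrid-pqc"  # hypothetical extension identifier, not from the patent

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def encode(obj) -> bytes:
    # Canonical JSON stands in for DER encoding (assumption of this example).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Lamport one-time signature: a hash-based stand-in for the CA's PQC algorithm.
# One key pair may sign exactly one message, which is enough for this model.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for (i, bit), s in zip(enumerate(_bits(msg)), sig))

def build_tbs1(common: dict, initial_spki: dict) -> dict:
    # TBS 1 = shared fields + PQC subject public key info (layout assumed here).
    return {**common, "subject_public_key_info": initial_spki}

def ca_issue(common, pk_en1, pk_en2, sk_ca2, database, url):
    """CA side: sign TBS 1 with the PQC key, store the bulky PQC material
    online, and put only its hash and locators into TBS 2."""
    initial_spki = {"algorithm": "lamport-sha256", "public_key": pk_en2}
    first_sig = lamport_sign(sk_ca2, encode(build_tbs1(common, initial_spki)))
    target_info = {
        "pqc_signature_algorithm": "lamport-sha256",
        "initial_spki": initial_spki,
        "first_signature": [s.hex() for s in first_sig],
    }
    verification_data = H(encode(target_info)).hex()
    database[verification_data] = target_info
    return {
        **common,
        "subject_public_key_info": {"algorithm": "classical", "public_key": pk_en1},
        "extensions": [{
            "id": HYBRID_EXT, "critical": False,
            "hash": verification_data, "url": url,
            "cdp_pqc": url + "/crl", "aia_pqc": url + "/ca",
        }],
    }

def classical_party_key(tbs2, understood=()):
    """Classical relying party: skips unknown non-critical extensions and
    rejects unknown critical ones, as X.509 processing requires."""
    for ext in tbs2.get("extensions", []):
        if ext["critical"] and ext["id"] not in understood:
            raise ValueError("unrecognised critical extension: " + ext["id"])
    return tbs2["subject_public_key_info"]["public_key"]

def pqc_party_key(tbs2, query_data, pk_ca2):
    """PQC relying party (S420): returns pk_en2 only if the query data matches
    the hash in the extension and the CA's PQC signature over TBS 1 verifies."""
    ext = next((e for e in tbs2.get("extensions", []) if e["id"] == HYBRID_EXT), None)
    if ext is None or H(encode(query_data)).hex() != ext["hash"]:
        return None
    common = {k: v for k, v in tbs2.items()
              if k not in ("subject_public_key_info", "extensions")}
    tbs1 = build_tbs1(common, query_data["initial_spki"])
    sig = [bytes.fromhex(s) for s in query_data["first_signature"]]
    if not lamport_verify(pk_ca2, encode(tbs1), sig):
        return None
    return query_data["initial_spki"]["public_key"]

def demo():
    # All values below are constructed sample data.
    sk_ca2, pk_ca2 = lamport_keygen()
    database = {}  # stands in for the CA online database
    common = {"serial": "01", "issuer": "CN=Example CA", "subject": "CN=example entity"}
    tbs2 = ca_issue(common, "pk_en1 (constructed)", "pk_en2 (constructed)",
                    sk_ca2, database, "https://ca.example/pqc")
    query_data = database[tbs2["extensions"][0]["hash"]]
    tampered = json.loads(json.dumps(query_data))
    tampered["initial_spki"]["public_key"] = "attacker key"
    return {
        "classical": classical_party_key(tbs2),
        "pqc": pqc_party_key(tbs2, query_data, pk_ca2),
        "tampered": pqc_party_key(tbs2, tampered, pk_ca2),
        "ext_bytes": len(encode(tbs2["extensions"])),
        "query_bytes": len(encode(query_data)),
    }
```

The hash comparison catches altered query data, while the signature check over the rebuilt TBS 1 catches an extension copied into a certificate with different subject fields.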
In some embodiments of the application, a certificate revocation list distribution point in a digital certificate is used to cause the certificate applicator to query data states in the target database, and access information in the digital certificate is used to cause the certificate applicator to query certificate issuing authority information and services.
For example, in some embodiments of the application, the certificate application party 100 may, based on the CDP PQC and the AIA PQC, query the status of the related data in the online database that matches the digital certificate, as well as certificate issuer (i.e., certificate issuing authority) information and services.
From the above embodiments of the present application, it is apparent that the hybrid certificate of the present application can be applied to both classical cryptographic systems and quantum-resistant cryptographic systems, and is fully compatible with existing systems. The mixed certificate in the application contains all data information required by a complete classical digital certificate and a complete pure quantum-resistant digital certificate, so that the mixed certificate can be simultaneously applied to a classical cryptographic system and a quantum-resistant cryptographic system. The mixed certificate format is still the standard X.509 certificate format; the information related to the anti-quantum public key of the main body, the anti-quantum signature of the CA and the like is placed in an extension that is set as a non-critical extension, and a certificate application party that cannot execute anti-quantum cryptographic computation or has no anti-quantum cryptography protection requirement can ignore this extension item, so that the scheme provided by the application can be fully compatible with the existing system.
In addition, compared with the original scheme, the application can reduce the bandwidth consumption caused by the transmission of the mixed certificate and the mixed certificate chain and the storage pressure of a certificate application party. In the scheme of the application, the hash result of the related data such as the anti-quantum signature result of the CA and the anti-quantum public key of the main body is placed in the extension of the certificate in place of that related data itself, so that the size of the mixed certificate is greatly reduced, and the size of a mixed certificate chain required by certificate application is further reduced.
In terms of storage resource consumption of an application side, the mixed certificate and the mixed certificate chain size are reduced, and the storage resource requirement of the certificate application side is reduced. In terms of transmission bandwidth consumption, for certificate application parties without anti-quantum cryptography computation capability or anti-quantum cryptography protection requirements, the reduction of the mixed certificates and mixed certificate chain sizes avoids meaningless bandwidth consumption; for certificate applications with quantum cryptography resistant computing power and protection requirements, the sum of the bandwidths occupied by the transmission of the hybrid certificate and hybrid certificate chain and the data required in the online database is basically equivalent to the bandwidth occupied by the transmission of the hybrid certificate and hybrid certificate chain of the original scheme. In summary, compared with the existing scheme, the scheme of the application reduces the bandwidth consumption occupied by the transmission of the mixed certificate and the mixed certificate chain and the storage space requirement of the certificate application party on the mixed certificate.
It should be noted that, in a digital certificate, a plurality of extension fields may be included as described above, so as to facilitate correct verification of the certificate by using other algorithms when a specific algorithm is problematic, and it should be understood that embodiments of the present application are not limited to the embodiments provided above. In addition, in the digital signature service, if the method similar to the method of the present application is used to save traffic and improve efficiency, the method should also be considered as being within the protection scope of the present application.
Referring to fig. 6, fig. 6 is a block diagram illustrating a digital certificate issuing apparatus according to some embodiments of the present application. It should be understood that the apparatus for issuing a digital certificate corresponds to the above method embodiment, and is capable of performing the steps involved in the above method embodiment, and specific functions of the apparatus for issuing a digital certificate may be referred to the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
The digital certificate issuing apparatus of fig. 6 includes at least one software functional module that can be stored in a memory in the form of software or firmware or embedded in the digital certificate issuing apparatus, the digital certificate issuing apparatus comprising: a storage module 610, configured to store target information to a target database, and obtain verification data corresponding to the target information, where the target information includes: a local anti-quantum cryptographic signature algorithm, initial subject public key information and a first signature value; a first populating module 620 configured to populate a body public key field of a certificate domain with a classical signature algorithm public key and classical signature algorithm information of a certificate applying entity, and obtain extension information related to the verification data, wherein the extension information includes: the address of the target database, the certificate revocation list distribution point and the access information; a second population module 630 configured to populate the extension information into an extension field of the certificate domain; a signature module 640 configured to sign the certificate domain with a local classical signature algorithm private key, resulting in a classical signature value; a generation module 650 configured to generate a digital certificate corresponding to the certificate applying entity, wherein the digital certificate includes: the certificate domain, the classical signature algorithm information and the classical signature value.
Referring to fig. 7, fig. 7 illustrates a block diagram of an apparatus for digital certificate application provided by some embodiments of the present application. It should be understood that the apparatus for digital certificate application corresponds to the above method embodiments, and is capable of performing the steps involved in the above method embodiments, and specific functions of the apparatus for digital certificate application may be referred to the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
The apparatus for digital certificate application of fig. 7 includes at least one software functional module that can be stored in a memory in the form of software or firmware or embedded in the apparatus for digital certificate application. The apparatus is applied to a certificate application party having anti-quantum cryptography computing capability or having anti-quantum cryptography protection requirements, and comprises: a query module 710 configured to receive query data sent by a certificate issuing authority, where the query data is queried by the certificate issuing authority from a target database based on verification data of a digital certificate and an address of the target database, the query data including: the local anti-quantum cryptographic signature algorithm of the certificate issuing authority, the initial main body public key information and the first signature value; a verification module 720 configured to confirm that the query data passes verification, and use anti-quantum cryptography information in the digital certificate, wherein the anti-quantum cryptography information includes: anti-quantum public key and anti-quantum signature algorithm information.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the apparatus described above, and this will not be repeated here.
Some embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the operations of the method according to any of the above-described methods provided by the above-described embodiments.
Some embodiments of the present application also provide a computer program product, where the computer program product includes a computer program, where the computer program when executed by a processor may implement operations of a method corresponding to any of the above embodiments of the above method provided by the above embodiments.
As shown in fig. 8, some embodiments of the application provide an electronic device 800, the electronic device 800 comprising: memory 810, processor 820, and a computer program stored on memory 810 and executable on processor 820, wherein processor 820 may implement a method as in any of the embodiments described above when reading a program from memory 810 and executing the program via bus 830.
Processor 820 may process digital signals and may include various computing structures, such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 820 may be a microprocessor.
Memory 810 may be used for storing instructions to be executed by processor 820 or data related to execution of instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more of the modules described in embodiments of the present application. Processor 820 of embodiments of the present disclosure may be configured to execute instructions in memory 810 to implement the methods shown above. Memory 810 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (13)

1. A method of digital certificate issuance, comprising:
storing target information into a target database, and acquiring verification data corresponding to the target information, wherein the target information comprises: a local anti-quantum cryptographic signature algorithm, initial subject public key information and a first signature value;
filling a certificate applying entity's classical signature algorithm public key and classical signature algorithm information into a certificate domain's main body public key field, and obtaining extension information related to the verification data, wherein the extension information includes: the address of the target database, the certificate revocation list distribution point and the access information;
filling the extension information into an extension field of the certificate domain;
signing the certificate domain by using a private key of a local classical signature algorithm to obtain a classical signature value;
generating a digital certificate corresponding to the certificate applying entity, wherein the digital certificate comprises: the certificate domain, the classical signature algorithm information and the classical signature value.
2. The method of claim 1, wherein prior to said storing the target information to the target database, the method comprises:
receiving certificate request information sent by the certificate applying entity, wherein the certificate request information carries the classical signature algorithm public key and the anti-quantum public key;
filling the anti-quantum public key and the anti-quantum signature algorithm information into fields corresponding to the initial main body public key information, wherein the initial main body public key information and other fields form an initial certificate domain;
and signing the initial certificate domain by using a local anti-quantum private key of the local anti-quantum cryptographic signature algorithm to obtain the first signature value.
3. The method according to claim 1 or 2, wherein the acquiring verification data corresponding to the target information includes:
taking a certificate serial number of the digital certificate to be generated as the verification data; or
inputting the target information into a preset algorithm to obtain the verification data.
4. The method of claim 1 or 2, wherein the method further comprises:
the extension field is set to a non-critical field.
5. The method of claim 1 or 2, wherein the digital certificate is applied to a certificate applicator; the certificate application party is a classical password system without anti-quantum password computing capability or anti-quantum password protection requirement, or an anti-quantum password system with anti-quantum password computing capability or anti-quantum password protection requirement.
6. A method for digital certificate applications, for use by a certificate application party having anti-quantum cryptography computing capabilities or having anti-quantum cryptography protection requirements, the method comprising:
receiving query data sent by a certificate issuing authority, wherein the query data is obtained by the certificate issuing authority by querying a target database based on verification data of a digital certificate and an address of the target database, and the query data comprises: the local anti-quantum cryptographic signature algorithm of the certificate issuing authority, the initial main body public key information and the first signature value; the digital certificate being obtained by the method of any one of claims 1 to 5;
after the query data is confirmed to pass verification, quantum-resistant password information in the digital certificate is used, wherein the quantum-resistant password information comprises: anti-quantum public key and anti-quantum signature algorithm information.
7. The method of claim 6, wherein confirming that the query data passes verification comprises:
inputting the query data into a preset algorithm to obtain data to be verified;
under the condition that the data to be verified and the verification data are confirmed to be consistent, generating an initial certificate domain through a certificate domain in the digital certificate and the query data;
verifying the first signature value by using the initial certificate domain, the local anti-quantum cryptographic signature algorithm and a local anti-quantum public key of the local anti-quantum cryptographic signature algorithm to obtain a verification result;
and after the verification result is confirmed to be passed, the query data passes the verification.
8. The method of claim 6 or 7, wherein a certificate revocation list distribution point in the digital certificate is used to cause the certificate applicator to query data states in the target database, and wherein access information in the digital certificate is used to cause the certificate applicator to query certificate issuer information and services.
9. An apparatus for issuing a digital certificate, comprising:
a storage module configured to store target information into a target database and acquire verification data corresponding to the target information, wherein the target information comprises: a local anti-quantum cryptographic signature algorithm, initial subject public key information and a first signature value;
a first filling module configured to fill the classical signature algorithm public key and classical signature algorithm information of the certificate applying entity into a main body public key field of a certificate domain, and acquire extension information related to the verification data, wherein the extension information comprises: the address of the target database, the certificate revocation list distribution point and the access information;
a second population module configured to populate the extension information into an extension field of the certificate domain;
a signature module configured to sign the certificate domain by utilizing a private key of a local classical signature algorithm to obtain a classical signature value;
a generation module configured to generate a digital certificate corresponding to the certificate applying entity, wherein the digital certificate includes: the certificate domain, the classical signature algorithm information and the classical signature value.
10. An apparatus for digital certificate applications, for use with a certificate application party having anti-quantum cryptography computation capability or having anti-quantum cryptography protection requirements, the apparatus comprising:
a query module configured to receive query data sent by a certificate issuing authority, where the query data is queried by the certificate issuing authority from a target database based on verification data of a digital certificate and an address of the target database, the query data including: the local anti-quantum cryptographic signature algorithm of the certificate issuing authority, the initial main body public key information and the first signature value; the digital certificate being obtained by the method of any one of claims 1 to 5;
a verification module configured to confirm that the query data passes verification and then use anti-quantum cryptography information in the digital certificate, wherein the anti-quantum cryptography information comprises: anti-quantum public key and anti-quantum signature algorithm information.
11. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program, wherein the computer program when run by a processor performs the method according to any of claims 1-8.
12. An electronic device comprising a memory, a processor, and a computer program stored on the memory and running on the processor, wherein the computer program when run by the processor performs the method of any one of claims 1-8.
13. A computer program product, characterized in that the computer program product comprises a computer program, wherein the computer program, when run by a processor, performs the method according to any of claims 1-8.
CN202410265928.6A 2024-03-08 Method, device, storage medium and electronic equipment for issuing and applying digital certificate Pending CN118157871A (en)

Publications (1)

Publication Number Publication Date
CN118157871A true CN118157871A (en) 2024-06-07


Legal Events

Date Code Title Description
PB01 Publication