CN1756154A - A kind of digital signature method - Google Patents
A kind of digital signature method Download PDFInfo
- Publication number
- CN1756154A CN1756154A CN 200410079058 CN200410079058A CN1756154A CN 1756154 A CN1756154 A CN 1756154A CN 200410079058 CN200410079058 CN 200410079058 CN 200410079058 A CN200410079058 A CN 200410079058A CN 1756154 A CN1756154 A CN 1756154A
- Authority
- CN
- China
- Prior art keywords
- digital signature
- signature
- user
- carry out
- smart card
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of digital signature method.In the method, set in advance a signature indexed variable that is used to represent whether to allow to carry out digital signature, and this signature indexed variable of initialization is " allowing to carry out digital signature " when beginning in the system of customer acceptance.At first the value according to this signature indexed variable determines whether to allow to carry out digital signature when carrying out digital signature, if the value of signature indexed variable is revised as expression and does not allow to carry out the value of digital signature and carry out signature operation; Otherwise do not carry out digital signature and return miscue information.The present invention can prevent passive signature device, is repeatedly called without permission under the situation that the user has no to discover as IC-card etc., thereby guarantees the control of user to signature.
Description
Technical field
The present invention relates to information security technology, be specifically related to a kind of method of digital signature.
Background technology
Because developing rapidly of ecommerce and information security technology, smart card also arises at the historic moment and is developed rapidly gradually.Smart card can be connected to desktop computer (PC), portable computer, Apple computer (MAC) or other network equipment by its interface, and the user can realize multiple functions such as digital signature, authentication, data encryption, certificate storage by smart card.Present smart card generally comprises central processing unit (CPU) and memory, and its work mainly is based on card internal operating system (COS).
The major function of COS is mutual, the file system of diode-capacitor storage of Controlled CPU and external information and the processing of finishing various command in CPU.In order to prevent disabled user's access card internal information, COS also has security management mechanism, is used for various operations are controlled with the information in the protection card can not revealing away.COS and external information follow asynchronous character transmission agreement in the ISO/IEC 7816-3 standard alternately, management that COS finished and basic function are then followed ISO/IEC 7816-4 standard.The information that needed information and smart card were preserved when the memory in the smart card was used for storing the CPU operation, memory generally comprises random-access memory (ram) and EEPROM (Electrically Erasable Programmable Read Only Memo) (EEPROM).
If will utilize smart card to carry out digital signature present user, at first smart card is inserted into the card reader that is connected with computer interface, the user sends to smart card in the card reader with data to be signed by computer then, the COS operating system of CPU prompting user imports PIN (PIN) in the smart card, and after the PIN that verifies user's input is correct, call data to be signed are signed, if and the PIN of user's input is incorrect, then returns miscue information and abandon this data to the user.
In above-mentioned flow process, checking user's PIN is unique security mechanism that user identity is authenticated, and exists like this and pretends to be the problem of signature, thereby reduced the fail safe of digital signature.Specifically, when carrying out signature operation after the user has finished the checking of PIN, the user can not control and use key to sign, if the rogue program invasion is arranged this moment, rogue program can pretend to be the user to carry out one or many signature, and user and do not know to carry out signature several times; Perhaps, under the situation that user's PIN is obtained by rogue program, rogue program can pretend to be the user to carry out one or many signature and the user has no to discover.And it is well-known, digital signature may relate in actual applications such as a series of economy and legal issues such as contract signature, payment funding, identification of law, therefore its fail safe is at e-commerce and e-government, even all occupies important status in the whole country social economic order.Therefore,, will greatly reduce the fail safe of digital signature so, continue to bring harmful effect for the social economy of user and whole country if digital signature is repeatedly pretended to be and the user has no to discover.
Summary of the invention
In view of this, main purpose of the present invention provides a kind of digital signature method, repeatedly pretended to be under the situation that the user has no to discover to prevent digital signature, thus the fail safe that improves digital signature.
Above-mentioned purpose of the present invention is solved by the following technical solutions:
A kind of digital signature method comprises at least:
A. set in advance a signature indexed variable that is used to represent whether to allow to carry out digital signature, and this signature indexed variable of initialization is the value that expression allows to carry out digital signature before beginning to carry out digital signature;
B. the value according to this signature indexed variable determines whether to allow to carry out digital signature when carrying out digital signature, if the value of signature indexed variable is revised as expression and does not allow to carry out the value of digital signature and carry out signature operation; Otherwise process ends.
Preferably, further comprised before step b: whether the PIN PIN of checking user input is correct, if, execution in step b; Otherwise process ends.
Preferably, comprise further that after the PIN of checking user input the PIN according to user's input improves the level of security of smart card, and before execution in step b, further comprise: search user's private key file and verify user's private key rights of using according to the current safety rank of desired level of security of this private key file and smart card, if the user has the rights of using to private key in the file, execution in step b then; Otherwise process ends.Here verify that according to the current safety rank of desired level of security of private key file and smart card user's private key rights of using are: whether the current safety rank of intelligent card is more than or equal to the desired level of security of this private key file, if, determine that the user has the rights of using to private key in the file, otherwise determine that the user does not have the rights of using to private key in the file.
In the present invention, the signature indexed variable is stored on the memory of smart card, and step b is that the CPU by smart card carries out.
In this case, the initialization signature indexed variable carries out when smart card powers among the step a.Whether the order that further comprised judgement received before step b is the signature order, if, execution in step b; Otherwise undertaken corresponding to this process of commands by CPU.
Preferably, do not carry out digital signature and further comprise the step of returning miscue information before the process ends above-mentioned.
From technical scheme of the present invention as can be seen, the present invention at first is provided with the indexed variable whether an expression allows to carry out digital signature, and after smart card powers on, this value initialization is allowed to carry out the value of digital signature for expression, and after carrying out once signed, this value is revised as the value that does not allow to carry out digital signature.Like this, after smart card powers on, unless with smart card outage and re-power,, thereby prevented that rogue program pretends to be the user to carry out the situation that one or many is signed again after the validated user signature as long as carry out just not allowing to carry out again digital signature after a digital signature.In addition, thereby, rogue program pretend to be the user to sign even having obtained user's PIN, perhaps rogue program carries out digital signature prior to the user after the user imports PIN, also can only pretend to be once signed, and before signing, validated user can find oneself can not sign, thereby validated user can be known that the disabled user pretends to be and oneself carry out once signed, cooperates other measure to drop to minimum for the loss of validated user this personation.
Therefore, by the present invention, as long as validated user has carried out after the signature, rogue program just can not pretend to be the user to sign again.Even rogue program can pretend to be validated user to sign before the validated user signature, at most also can only pretend to be once signed and current signature to be discovered by validated user.Therefore, the present invention can prevent that digital signature from repeatedly being pretended to be under the situation that the user has no to discover, thus the fail safe that has improved digital signature.
Description of drawings
Fig. 1 is an overview flow chart of the present invention.
Fig. 2 is the flow chart of a specific embodiment of the present invention.
Fig. 3 is the schematic diagram of the data transmission format between computer and the smart card.
Embodiment
The present invention is described in detail below in conjunction with the drawings and specific embodiments.
A signature indexed variable at first is set in the present invention, this signature indexed variable has two values: allow to carry out digital signature and do not allow to carry out digital signature, and the initialization signature indexed variable is the value that expression allows to carry out digital signature before carrying out digital signature, after the user carries out digital signature, revise the signature indexed variable and do not allow to carry out the value of digital signature, thereby prevent that rogue program from pretending to be user's signature once more for expression.
Fig. 1 shows overall procedure of the present invention.As shown in Figure 1, digital signature method according to the present invention comprises the steps.
In step 101, set in advance a signature indexed variable that is used to represent whether to allow to carry out digital signature.
In step 102, this signature indexed variable of initialization allows to carry out the value of digital signature for expression before carrying out digital signature.
In step 103, when needs carry out digital signature, at first read this signature indexed variable.
In step 104, determine whether to allow to sign according to the value of the signature indexed variable that reads.If allow to sign, execution in step 105 and subsequent step thereof, otherwise process ends.
In step 105, the value of this signature indexed variable is revised as the value that expression does not allow to carry out digital signature.
In step 106, data to be signed are carried out digital signature.Finish then.
Above-mentioned is overview flow chart of the present invention.Further specify the present invention below by a specific embodiment.
As mentioned above, generally carry out digital signature and undertaken, and smart card comprises CPU and memory by smart card.Using smart card to carry out in the specific embodiment of the invention of digital signature, its operating process as shown in Figure 2.
In step 201, a signature indexed variable that is used to represent whether to allow to carry out digital signature is set in the memory of smart card in advance.The signature indexed variable here can be stored in the register among the RAM, initialization after smart card powers on like this, and its information is no longer preserved after the smart card power down.Perhaps, also can be stored among the EEPROM, the value of this signature indexed variable can continue to preserve like this.
In step 202, when needs carry out digital signature, in the card reader that smart card is inserted into computer is connected.
In step 203, smart card powers on, and carries out the initialization of smart card, in the initialization procedure of this smart card, the signature indexed variable in the memory is initialized as the value that an expression allows to carry out digital signature.
In step 204, when the user used the application program of smart card to operate, application prompts user imported PIN, and the PIN of user's input is sent to smart card.
In step 205, smart card judges behind the PIN that receives user's input whether user's input is correct, if correct, the expression user is a validated user, execution in step 206 and subsequent step thereof; Otherwise return miscue information, process ends in step 216.
In step 206, smart card promotes level of security.After smart card determined that the PIN of input is the PIN that imports of user, the lifting level of security was a user class; After smart card determined that the PIN of input is not the PIN of the PIN that imports of user but card issuer's input, promoting level of security was card issuer's rank.
In step 207, receiving from now on from the life of computer, smart card judges whether this order is a digital signature order.If the digital signature order, execution in step 208 and subsequent step thereof; If not the digital signature order, for example be authentication order, data encryption order etc., then carry out operation by CPU, then to computer return result to ordering in step 214.After the return result, smart card enters the preceding wait command state of order that receives once more.Just can repeated execution of steps 207.
In step 208, if the order that smart card receives is the digital signature order, at first search the private key for user file, determine desired level of security in the private key for user file.
In step 209, smart card judges according to the current safety rank of privately owned file of user and smart card whether the user has the rights of using to private key in the file, if, execution in step 210 and subsequent step thereof; Otherwise return miscue information in step 215, and then enter the wait command state that receives before ordering, just repeated execution of steps 207.Here judge that the rights of using whether user has private key in the file can be to judge that whether the current safety rank of smart card is more than or equal to desired level of security in the private key for user file, if, show that then the user has the rights of using to private key in the file, otherwise show that the user does not have the rights of using to private key in the file.
In step 210, the CPU of smart card reads the value of signature indexed variable.
In step 211, smart card judgement currency is represented to allow to carry out digital signature and is not still allowed to carry out digital signature; If allow to carry out digital signature, execution in step 212 and subsequent step thereof; Otherwise return miscue information in step 215, and then enter the wait command state that receives before ordering, just repeated execution of steps 207.
In step 212, smart card is revised the value of signature indexed variable, makes its expression not allow to carry out digital signature.
In step 213, smart card carries out digital signature to the data to be signed that send simultaneously from computer and digital signature order, and returns digital signature result to computer.And then enter the wait command state that receives before ordering, just repeated execution of steps 207.
In above-mentioned steps 202, in the card reader that smart card is inserted into computer is connected, carry out information interaction by card reader and computer.Be appreciated that, smart card also can be included in the digital signature device that designs separately, this digital signature device is connected with computer by for example general purpose interface bus (USB), smart card passes through the order of the interface receiving computer of digital signature device, and after fill order execution result is returned to computer.
In above-mentioned steps 207, smart card judges that whether an order is that the digital signature order is according to the byte of the data transmission format between computer and the smart card and definite.Fig. 3 shows an example of this data transmission format.In this transformat, if CLA is 0 then the order of expression read-write CPU, if INS is F2 then represents the digital signature order.Therefore judge whether an order is that the digital signature order is exactly to judge whether the INS field is F2 in the data that receive order.
Above-mentioned digital signature indexed variable is provided with two values, and the value that allows the value of signing and do not allow to sign, these two values can represent that for example 0 expression allows to sign by numeral, and 1 expression does not allow to sign.Perhaps, also can represent by other numeral or character.In addition, be appreciated that above-mentioned signature sign scalar also can be provided with three values or more value, just can reduce the fail safe of digital signature like this.
In addition, even the operation that the user uses smart card to carry out is not the digital signature operation, for example be the data encryption operation, the user preferably also carries out a digital signature operation again after finishing this operation, if rogue program pretends to be the user to carry out once signed like this, the user also can perceive.Here carrying out the operation of digital signature again can be that the data without any meaning are signed, and its purpose only is in order to determine whether that rogue program pretends to be the signature of oneself.If rogue program has been pretended to be user's signature, when insignificant data were encrypted, the user will find that smart card does not allow oneself to sign, and pretended to be and oneself had carried out once signed thereby can define rogue program.Same other measures of cooperation can be retrieved and pretend to be signature to give self-inflicted loss.By such operation, can further improve the fail safe of number signature.
Therefore be appreciated that the above only is preferred embodiment of the present invention,, all any modifications of being done within the spirit and principles in the present invention, be equal to replacement, improvement etc., all should be included within protection scope of the present invention not in order to restriction the present invention.
Claims (8)
1. digital signature method comprises at least:
A. set in advance a signature indexed variable that is used to represent whether to allow to carry out digital signature, and this signature indexed variable of initialization is the value that expression allows to carry out digital signature before beginning to carry out digital signature;
B. the value according to this signature indexed variable determines whether to allow to carry out digital signature when carrying out digital signature, if the value of signature indexed variable is revised as expression and does not allow to carry out the value of digital signature and carry out signature operation; Otherwise process ends.
2. digital signature method according to claim 1 is characterized in that, further comprises before step b: whether the PIN PIN of checking user input is correct, if, execution in step b; Otherwise process ends.
3. digital signature method according to claim 2, it is characterized in that, comprise further that after the PIN of checking user input the PIN according to user's input improves the level of security of smart card, and before execution in step b, further comprise: search user's private key file and verify user's private key rights of using according to the current safety rank of desired level of security of this private key file and smart card, if the user has the rights of using to private key in the file, execution in step b then; Otherwise process ends.
4. digital signature method according to claim 3, it is characterized in that, described current safety rank according to desired level of security of private key file and smart card verifies that user's private key rights of using are: whether the current safety rank of intelligent card is more than or equal to the desired level of security of this private key file, if, determine that the user has the rights of using to private key in the file, otherwise determine that the user does not have the rights of using to private key in the file.
5. according to any described digital signature method in the claim 1 to 4, it is characterized in that described signature indexed variable is stored on the memory of smart card, step b is that the CPU by smart card carries out.
6. digital signature method according to claim 5 is characterized in that the initialization signature indexed variable carries out among the step a when smart card powers on.
7. digital signature method according to claim 5 is characterized in that, whether the order that further comprised judgement received before step b is the signature order, if, execution in step b; Otherwise undertaken corresponding to this process of commands by CPU.
8. according to any described digital signature method in the claim 1 to 4, it is characterized in that, before described process ends, further comprise the step of returning miscue information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410079058 CN1756154B (en) | 2004-09-30 | 2004-09-30 | Digital signature method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410079058 CN1756154B (en) | 2004-09-30 | 2004-09-30 | Digital signature method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1756154A true CN1756154A (en) | 2006-04-05 |
| CN1756154B CN1756154B (en) | 2010-11-17 |
Family
ID=36689132
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200410079058 Expired - Fee Related CN1756154B (en) | 2004-09-30 | 2004-09-30 | Digital signature method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1756154B (en) |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1274105C (en) * | 2003-06-12 | 2006-09-06 | 上海格尔软件股份有限公司 | Dynamic password authentication method based on digital certificate implement |
-
2004
- 2004-09-30 CN CN 200410079058 patent/CN1756154B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN1756154B (en) | 2010-11-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110663053B (en) | Securely providing uncertain data of an uncertain origin into a locked script of a blockchain transaction | |
| US6094656A (en) | Data exchange system comprising portable data processing units | |
| JP2000148567A (en) | Method for storing data object in memory of smart card | |
| WO2020181809A1 (en) | Data processing method and system based on interface checking, and computer device | |
| CN102625309A (en) | Access control method and device | |
| CN116210200A (en) | Blockchain communication syndrome | |
| EP2175393A1 (en) | Data exchange between protected memory cards | |
| CN1437739A (en) | Access control to data processing means | |
| JP4445718B2 (en) | IC card and IC card program | |
| CN1437808A (en) | Data processing with a key | |
| CN1756154A (en) | A kind of digital signature method | |
| CN102012978A (en) | Method and system for safely upgrading ISO (International Standard Code) file | |
| CN1845184A (en) | Intelligent key apparatus with electronic purse function | |
| CN1183495C (en) | Secret code security access to data processing means | |
| CN1845183A (en) | Intelligent key apparatus with debit/credit function | |
| CN114266072A (en) | Authority distribution control method and device, electronic equipment and storage medium | |
| CN2896370Y (en) | Intelligent key device | |
| CN112035867A (en) | Web application authority management method, system, equipment and storage medium | |
| JP2005011147A (en) | Ic card and ic card program | |
| JP4185715B2 (en) | IC card and IC card program | |
| KR20080039357A (en) | Smart card | |
| CN103198258A (en) | Composite system and data transfer method | |
| CN109637053B (en) | Server, self-service business system, business processing method and readable storage medium | |
| KR101017639B1 (en) | Intelligent Smart Card | |
| CN112532388B (en) | Encryption method and device for air issuing data of air issuing card |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| C56 | Change in the name or address of the patentee | ||
| CP03 | Change of name, title or address |
Address after: 100049 No. 19, Yuquanlu Road, Beijing, Shijingshan District Patentee after: University OF CHINESE ACADEMY OF SCIENCES Address before: 100039 Graduate University of Chinese Academy of Sciences, Beijing, Yuquanlu Road, 19 Patentee before: GRADUATE University OF CHINESE ACADEMY OF SCIENCES |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20151120 Address after: 100195 Beijing city Haidian District minzhuang Road No. 87 C Patentee after: INSTITUTE OF INFORMATION ENGINEERING, CHINESE ACADEMY OF SCIENCES Address before: 100049 No. 19, Yuquanlu Road, Beijing, Shijingshan District Patentee before: University of Chinese Academy of Sciences |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20101117 Termination date: 20190930 |