Summary of the invention
The purpose of this utility model is to provide an SMS authentication and encryption system based on digital certificates, which solves the technical problem that existing SMS sending and receiving has no authentication mechanism and cannot transmit encrypted content.
The technical solution of the utility model is as follows:
An SMS authentication and encryption system based on digital certificates, characterised in that the system comprises an SMS authentication center, an authenticated institution's SMS center, and a mobile phone. The SMS authentication center comprises a digital certificate management service unit and a public digital certificate library; the digital certificate management service unit manages the digital certificate generator and generates the user identifier of the authenticated institution; the public digital certificate library stores the public key and the user identifier of each digital certificate. The authenticated institution's SMS center comprises an SMS transceiver server, a digital signature server, a certificate generation unit, and the institution's digital certificate library; the SMS transceiver server sends and receives SMS messages; the digital signature server digitally signs the messages to be sent; the certificate generation unit downloads the digital certificate generator and uses it to generate the public key and the private key of the digital certificate; the institution's digital certificate library stores the private key of the digital certificate. The mobile phone comprises the phone body, an SMS authentication and encryption client installed on the phone, and a phone digital certificate library; the phone digital certificate library stores the public key of the digital certificate; the SMS authentication and encryption client authenticates messages received by the phone using the public key of the digital certificate.
The authenticated institution's SMS center may further comprise a decryption unit, which uses the private key of the digital certificate to decrypt messages sent by the phone user; the SMS authentication and encryption client may also encrypt messages sent from the phone using the public key held in the phone digital certificate library.
The system of the utility model has the following advantages:
1. The utility model can authenticate the content of received SMS messages, ensuring that the content has not been tampered with and that the sender is genuine. The digital certificate management service unit of the SMS authentication center provides the authenticated institution with a unique digital certificate generator according to its user identifier, which guarantees the uniqueness and confidentiality of the institution's certificate. The digital certificate consists of a public key and a private key; only the public key is transmitted within the system, the private key never is, which protects the certificate and makes the authentication process reliable, so that the content is shown to be untampered and the sender genuine. In addition, the utility model gives each digital certificate a validity period, which limits the time in which a leaked key can be misused.
2. The utility model lets the mobile phone send encrypted SMS messages that only the authenticated institution can decrypt. The phone encrypts the message content with the public key, and only the decryption unit of the authenticated institution, which holds the private key, can decrypt it, which protects the content of uplink messages sent by the phone user.
3. The utility model can authenticate SMS messages and can encrypt and decrypt uplink messages, securing SMS communication in both directions, and can be applied in fields such as financial transactions.
4. The utility model only requires an SMS authentication and encryption program to be installed on an ordinary mobile phone as the SMS authentication and encryption client; on the basis of the SMS channel it then lets the phone encrypt to several different recipients, each with that recipient's own key. It is very convenient to deploy and to use.
5. The utility model borrows the digital certificate approach of the HTTPS protocol for authenticating the content and sender of SMS messages and for encrypting uplink content from the phone. It offers good confidentiality, requires few changes to the existing SMS system, uses few resources, and is easy to implement.
6. When the name of an authenticated institution appears in an ordinary SMS message, the utility model can warn the user that the message was not sent by that institution, which helps prevent SMS fraud.
Embodiment
The utility model is an SMS authentication and encryption system based on digital certificates, comprising an SMS authentication center, an authenticated institution's SMS center, and a mobile phone.
The SMS authentication center comprises a digital certificate management service unit and a public digital certificate library. The digital certificate management service unit manages the digital certificate generator and generates the user identifier of the authenticated institution; the public digital certificate library stores the public key and the user identifier of each digital certificate.
The authenticated institution's SMS center comprises an SMS transceiver server, a digital signature server, a certificate generation unit, and the institution's digital certificate library. The SMS transceiver server sends and receives SMS messages; the digital signature server digitally signs the messages to be sent; the certificate generation unit downloads the digital certificate generator and uses it to generate the public key and the private key of the digital certificate; the institution's digital certificate library stores the private key of the digital certificate.
The mobile phone comprises the phone body, an SMS authentication and encryption client installed on the phone, and a phone digital certificate library. The phone digital certificate library stores the public key of the digital certificate; the SMS authentication and encryption client authenticates messages received by the phone using the public key of the digital certificate.
To keep the content of uplink SMS messages from the phone confidential, the SMS authentication and encryption client in the utility model system can encrypt messages sent from the phone using the public key in the phone digital certificate library, and a decryption unit is provided at the authenticated institution's SMS center; this decryption unit decrypts messages sent by the phone user using the private key of the digital certificate.
SMS authentication and encryption in the utility model comprises the following steps:
1] Generating the digital certificate of the authenticated institution:
1.1] the authenticated institution's SMS center submits an SMS authentication application to the SMS authentication center;
1.2] the SMS authentication center generates a user identifier for the authenticated institution;
1.3] the certificate generation unit of the authenticated institution downloads the user identifier and the digital certificate generator from the SMS authentication center;
1.4] the certificate generation unit of the authenticated institution generates the key pair of the digital certificate using the digital certificate generator; the private key of the pair is stored in the institution's digital certificate library;
1.5] the certificate generation unit sends the user identifier and the public key of the pair to the public digital certificate library of the SMS authentication center;
2] Downloading the digital certificate to the phone:
2.1] the authenticated institution's SMS center sends the phone an SMS message carrying a pre-agreed download address marker;
2.2] the phone downloads the public key of the authenticated institution's digital certificate from the download address given in the message content;
3] The authenticated institution sends an authenticated SMS message:
3.1] the authenticated institution's SMS center passes the phone number and the message content to the digital signature server;
3.2] the digital signature server signs the phone number and the message content with the private key of the digital certificate;
3.3] the digital signature server appends the signature to the message content to form the signed message string and returns it to the authenticated institution's SMS center;
3.4] the authenticated institution's SMS center passes the signed message string to the SMS transceiver server;
3.5] the SMS transceiver server sends the signed message string to the phone with that phone number;
4] SMS authentication:
4.1] the phone receives the message and inspects the message content and the sending number;
4.2] the SMS authentication and encryption client looks up the digital certificate corresponding to the sending number in the phone digital certificate library and authenticates the received message;
4.3] the authentication result is displayed.
In detail, authentication proceeds as follows: the phone receives the message and inspects the message content and the sending number. If the sending number belongs to a sender that requires authentication, the client checks whether the message carries a signature string; if it does, the signature is verified against the digital certificate corresponding to that sender number, and if verification succeeds the message is flagged as trusted. If the sending number is not in the list but the content contains the preset name of a party that requires authentication, or the message has no signature string, or verification fails, the message is flagged as untrusted.
To limit the exposure that long-term use of a single digital certificate would create, the utility model can update digital certificates periodically. Accordingly, SMS authentication may also include a step that checks the certificate validity period before authenticating:
Before a digital certificate is used for authentication, check whether the current date and time is past the certificate's validity period. If it is not, carry out the SMS authentication step. If it is past the validity period and a new digital certificate has already been downloaded, delete the current digital certificate, rename the downloaded certificate as the current valid certificate, and then carry out the SMS authentication step. If the current certificate is past its validity period and no new certificate has been downloaded, first update the digital certificate and then carry out the SMS authentication step.
The digital certificate update step comprises:
some time before the certificate expires, the authenticated institution's SMS center generates a new digital certificate;
the authenticated institution's SMS center sends the public key of the newly generated digital certificate to the SMS authentication center;
the phone's SMS authentication and encryption client downloads the new digital certificate; the downloaded certificate must have a file name or suffix different from the certificate currently in use; the current certificate is then deleted and the downloaded certificate renamed as the current valid certificate.
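The signing and verification procedure above (steps 3 and 4, together with the validity check and certificate rotation that precede verification) as an added Go example; this is illustration code written for this page, not code from the utility model. It assumes an Ed25519 key pair as the institution's digital certificate, a `|SIG:` separator for the appended signature string, a list of institution names for the unsigned-message warning of advantage 6, and that the institution's public key has already been installed on the phone by the download step; the `HandsetStore`, `Certificate`, `SignSMS` and `Authenticate` names are this example's own. The signature covers the phone number together with the content, as step 3.2 requires, so a genuine signed message cannot be replayed from a different number.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Separator before the appended signature string; the page fixes no wire format, so this is an assumption.
const sigMarker = "|SIG:"
type Certificate struct { // one entry of the phone digital certificate library (assumed layout)
	PublicKey ed25519.PublicKey // the institution's public key
	NotAfter  time.Time         // end of the validity period
}

// HandsetStore is the phone certificate library plus the rotation state the page describes.
type HandsetStore struct {
	Current map[string]*Certificate // currently effective certificate per sender number
	Pending map[string]*Certificate // replacement already downloaded but not yet renamed current
	Names   []string                // institution names that must not appear in unsigned messages
	Fetch   func(sender string) (*Certificate, error) // stands in for "download a new certificate"
}

// signedPayload binds the phone number to the content, so a signature cannot be replayed to another number.
func signedPayload(number, content string) []byte { return []byte(number + "\n" + content) }

// SignSMS is steps 3.2 and 3.3: sign (number, content) with the private key and append the signature string.
func SignSMS(priv ed25519.PrivateKey, number, content string) string {
	sig := ed25519.Sign(priv, signedPayload(number, content))
	return content + sigMarker + base64.StdEncoding.EncodeToString(sig)
}

// splitSignature separates content from the signature string; ok is false when none is present or it is malformed.
func splitSignature(sms string) (content string, sig []byte, ok bool) {
	i := strings.LastIndex(sms, sigMarker)
	if i < 0 {
		return sms, nil, false
	}
	raw, err := base64.StdEncoding.DecodeString(sms[i+len(sigMarker):])
	if err != nil || len(raw) != ed25519.SignatureSize {
		return sms[:i], nil, false
	}
	return sms[:i], raw, true
}

// effectiveCert is the validity check the page puts before every use of a certificate: unexpired -> use it; expired with
// a replacement downloaded -> rename it current; expired with none -> download first. Refusing an expired replacement is added here.
func (s *HandsetStore) effectiveCert(sender string, now time.Time) (*Certificate, error) {
	cur := s.Current[sender]
	if !now.After(cur.NotAfter) {
		return cur, nil
	}
	repl, ok := s.Pending[sender]
	if !ok && s.Fetch != nil {
		var err error
		if repl, err = s.Fetch(sender); err != nil {
			return nil, err
		}
	}
	if repl == nil || now.After(repl.NotAfter) {
		return nil, errors.New("certificate expired and no valid replacement available")
	}
	delete(s.Pending, sender)
	s.Current[sender] = repl
	return repl, nil
}

// Authenticate is step 4 on the phone. Verdicts follow the page: "trusted" when a listed sender's signature verifies;
// "untrusted" when a listed sender's message is unsigned or fails, or an unlisted sender names an institution; else "ordinary".
func (s *HandsetStore) Authenticate(sender, sms string, now time.Time) (string, string) {
	content, sig, signed := splitSignature(sms)
	if _, listed := s.Current[sender]; !listed {
		for _, name := range s.Names {
			if strings.Contains(content, name) {
				return content, "untrusted"
			}
		}
		return content, "ordinary"
	}
	cert, err := s.effectiveCert(sender, now)
	if !signed || err != nil || !ed25519.Verify(cert.PublicKey, signedPayload(sender, content), sig) {
		return content, "untrusted"
	}
	return content, "trusted"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the institution's key pair
	store := &HandsetStore{Names: []string{"Example Bank"}, Current: map[string]*Certificate{
		"95555": {PublicKey: pub, NotAfter: time.Now().Add(24 * time.Hour)}}} // constructed entry installed by step 2
	genuine := SignSMS(priv, "95555", "Example Bank: withdrawal code 8241")
	_, v1 := store.Authenticate("95555", genuine, time.Now())
	_, v2 := store.Authenticate("95555", strings.Replace(genuine, "8241", "1111", 1), time.Now())
	_, v3 := store.Authenticate("13800000000", "Example Bank: your account is frozen", time.Now())
	fmt.Println(v1, v2, v3) // trusted untrusted untrusted
}
```

The "ordinary" verdict is the case the page leaves implicit: a message from an unlisted number that names no institution is shown without any prompt. Note also that the rotation in `effectiveCert` only replaces an expired certificate with one that is itself still valid; the page's steps do not say what to do when the downloaded replacement has already expired, and silently accepting it would defeat the validity period.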
To make it easier for the phone's SMS authentication and encryption client to recognise protected content, the digital signature server, when signing the phone number and message with the private key of the digital certificate, can also place a marker flagging encrypted content in front of the message content.
To improve SMS throughput while keeping the content confidential, the digital signature server performs the signing of the phone number and message content with the private key of the digital certificate in response to an HTTP request.
The user identifier generated by the SMS authentication center may be a random number.
For ease of management, the authenticated institution's digital certificate library may be kept on a removable flash drive.
When the phone user needs to send an uplink message on their own initiative, or needs to reply after receiving a message from the authenticated institution, encrypted SMS can be used; the specific steps are as follows:
1] The phone user sends an encrypted SMS message:
1.1] the phone user enters the message content;
1.2] the phone's SMS authentication and encryption client checks whether the digital certificate library contains the recipient number entered by the user; if not, the message is sent directly; if so, the client encrypts the message content to be sent with the public key of that digital certificate;
1.3] the phone sends the encrypted message content to the SMS transceiver server of the authenticated institution;
2] The authenticated institution receives and decrypts the message:
2.1] the SMS transceiver server of the authenticated institution receives the message;
2.2] the decryption unit of the authenticated institution decrypts the message sent by the phone user with the private key of the digital certificate.
Likewise, the phone user's client should check the certificate validity period before sending an encrypted message, as follows:
Before a digital certificate is used for encryption, check whether the current date and time is past the certificate's validity period. If it is not, send the encrypted message. If it is past the validity period and a new digital certificate has been downloaded, delete the current certificate and rename the downloaded certificate as the current valid certificate, following the certificate update step. If the current certificate is past its validity period and the phone has not downloaded a new certificate, download the new digital certificate from the SMS authentication center server before encrypting, then delete the current certificate and rename the downloaded certificate as the current valid certificate.
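The encrypted uplink procedure above (steps 1 and 2, with the validity check before encrypting) as an added Go example written for this page, not the utility model's own code. The page uses one certificate key pair for both signing and encryption, but a signing key such as Ed25519 cannot encrypt, so this example gives the institution a separate X25519 key pair for encryption and realises "encrypt with the public key, decrypt with the private key" as an ephemeral key agreement followed by AES-256-GCM; the `ENC:` marker, the SHA-256 key derivation, the 160-character single-SMS limit and the `EncryptionCert`, `EncryptUplink`, `DecryptUplink` and `PrepareUplink` names are all assumptions of the example. It also enforces the size check a practitioner needs here: the ciphertext must still fit in one SMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed single-SMS limit (160 GSM 7-bit characters; base64 stays in that alphabet), assumed marker, X25519 key size.
const smsTextChars, encMarker, pubLen = 160, "ENC:", 32
type EncryptionCert struct { // phone-side entry for one institution (assumed layout)
	PublicKey *ecdh.PublicKey // the institution's X25519 encryption public key
	NotAfter  time.Time       // end of the validity period
}

// aeadFor derives the AES-256-GCM key from the ECDH shared secret, binding both public keys (simple KDF, an assumption).
func aeadFor(shared, ephPub, recipPub []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(append(append(shared, ephPub...), recipPub...)) // shared is a fresh slice, safe to append to
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptUplink: ephemeral X25519 agreement with the recipient's public key, then AES-GCM. The key is fresh per
// message, so a fixed all-zero nonce is safe and saves 12 bytes. Wire form: marker + base64(ephPub || ct || tag).
func EncryptUplink(recipient *ecdh.PublicKey, content string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return "", err
	}
	gcm, err := aeadFor(shared, eph.PublicKey().Bytes(), recipient.Bytes())
	if err != nil {
		return "", err
	}
	ct := gcm.Seal(eph.PublicKey().Bytes(), make([]byte, gcm.NonceSize()), []byte(content), nil)
	return encMarker + base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptUplink is step 2 at the institution's SMS center; messages without the marker pass through unchanged.
func DecryptUplink(priv *ecdh.PrivateKey, sms string) (string, error) {
	if !strings.HasPrefix(sms, encMarker) {
		return sms, nil
	}
	msg, err := base64.StdEncoding.DecodeString(sms[len(encMarker):])
	if err != nil || len(msg) < pubLen+16 { // 16-byte GCM tag: anything shorter cannot be a valid message
		return "", errors.New("malformed encrypted message")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(msg[:pubLen]) // cannot fail: the slice is exactly 32 bytes
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := aeadFor(shared, msg[:pubLen], priv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), msg[pubLen:], nil)
	return string(pt), err
}

// PrepareUplink is steps 1.2 and 1.3 with the validity check: no certificate -> send as typed; expired -> refuse
// until updated; otherwise encrypt and confirm the result still fits in one SMS.
func PrepareUplink(certs map[string]*EncryptionCert, recipient, content string, now time.Time) (string, error) {
	cert, ok := certs[recipient]
	if !ok {
		return content, nil
	}
	if now.After(cert.NotAfter) {
		return "", errors.New("certificate expired: update it before encrypting")
	}
	sms, err := EncryptUplink(cert.PublicKey, content)
	if err != nil {
		return "", err
	}
	if len(sms) > smsTextChars {
		return "", fmt.Errorf("encrypted message is %d characters, more than one SMS", len(sms))
	}
	return sms, nil
}

func main() {
	bankKey, _ := ecdh.X25519().GenerateKey(rand.Reader) // the institution's encryption key pair
	certs := map[string]*EncryptionCert{"95555": {PublicKey: bankKey.PublicKey(), NotAfter: time.Now().Add(time.Hour)}} // constructed
	sms, _ := PrepareUplink(certs, "95555", "WITHDRAW 6222021234567890 500", time.Now())
	fmt.Println(DecryptUplink(bankKey, sms)) // WITHDRAW 6222021234567890 500 <nil>
}
```

The overhead of this construction is 48 bytes (32-byte ephemeral key plus 16-byte tag), so after base64 and the marker roughly 69 bytes of plaintext fit in one 160-character SMS. The same check shows why a plain RSA-OAEP encryption of the content would not work as a drop-in: a 2048-bit RSA ciphertext is 256 bytes before encoding, larger than a single SMS, and would have to be split across concatenated messages.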
The utility model is applied to a cash withdrawal transaction at a bank using SMS as follows:
A bank customer who has signed up for the service enters the withdrawal account, the amount and other message content on the phone; the message is encrypted and sent uplink to the bank's SMS center. The SMS center signs the message containing the withdrawal password for this transaction and sends it to the user's phone; once the phone has authenticated the message it displays the withdrawal password, and the user then withdraws cash at a counter or a self-service ATM using the withdrawal password and the account number, without a passbook or card.