CN202696901U - Mobile terminal identity authentication system based on digital certificate - Google Patents

Mobile terminal identity authentication system based on digital certificate

Info

Publication number
CN202696901U
Authority
CN
China
Prior art keywords
certificate
terminal
authentication
unit
information
Prior art date
Legal status
Expired - Lifetime
Application number
CN201120206248.5U
Other languages
Chinese (zh)
Inventor
刘明晶
张璐
Current Assignee
SHENZHEN ONE-CARD-PASS NEW TECHNOLOGY Co Ltd
Original Assignee
SHENZHEN ONE-CARD-PASS NEW TECHNOLOGY Co Ltd

Abstract

The utility model relates to a mobile terminal identity authentication system based on a digital certificate. The system comprises a digital certificate authentication center, a mobile terminal and a mobile certificate relying party. The digital certificate authentication center comprises a certificate application unit, a CA certificate management unit and an authentication service unit. The certificate application unit comprises an application receiving unit and a certificate issuing unit. The CA certificate management unit comprises an external information bank. The authentication service unit comprises an information receiving and sending unit and an information authentication unit. The mobile terminal comprises a certificate generation unit, a terminal certificate management unit and a digital signature unit. The terminal certificate management unit comprises a terminal digital certificate bank. The system solves the technical problem that no authentication mechanism specific to the mobile terminal is available in a mobile Internet environment. The relying party of the terminal digital certificate does not need to download and store the numerous public key files of mobile terminal certificates; it only needs to send the digital signature to be verified to the CA authentication center for verification, which makes the system easy to popularise.

Description

Mobile terminal authentication system based on digital certificate
Technical field
The utility model relates to identity authentication technology for the mobile Internet, and more specifically to a system that authenticates a mobile terminal by means of a digital certificate.
Background technology
With the development of wireless communication technology, mobile terminals, typified by the mobile phone, are widely used in the field of electronic commerce. When transaction information is transmitted by a mobile terminal, the confidentiality of the transmission, the integrity of the exchanged data, the non-repudiation of the sent information and the certainty of the trading party's identity must all be guaranteed.
Existing wireless data transmission protocols lack an identity authentication mechanism for the mobile terminal: the receiving party can only identify the terminal by signs such as its phone number and cannot determine whether the holder of the terminal is who they claim to be. As a result, transactions based on mobile terminals face multiple potential risks, such as information being tampered with and the identity of the transacting party being impersonated, which greatly hinders the normal development of mobile e-commerce.
Although existing digital certificate authentication service systems accept personal certificate applications, their scope of application is confined to ordinary PCs; no authentication mechanism has yet been proposed that is specifically designed for mobile terminals such as mobile phones.
The utility model content
The purpose of the utility model is to provide a system that authenticates a mobile terminal by means of a digital certificate, so as to solve the technical problem that the mobile Internet environment lacks an authentication mechanism for mobile terminals.
The technical solution of the utility model:
A mobile terminal authentication system based on a digital certificate, characterised in that it comprises a digital certificate authentication center (CA authentication center), a mobile terminal and a mobile certificate relying party.
The digital certificate authentication center comprises a certificate application unit, a CA certificate management unit and an authentication service unit.
The certificate application unit comprises an application acceptance unit, which accepts the terminal's digital certificate application and provides the terminal identity identification information and the mobile terminal certificate control for download, and a certificate issuing unit, which receives the terminal digital certificate public key file uploaded by the mobile terminal, verifies it using the CA root certificate private key file and deposits it in the external information bank.
The CA root certificate private key file is stored in the CA certificate management unit (usually in a specific region of a disk or on a removable storage device).
The CA certificate management unit comprises an external information bank, which stores the terminal digital certificate public key files and the terminal identity identification information and provides them for download to the mobile certificate relying party.
The authentication service unit comprises an information transmit-receive unit, which receives signed information to be authenticated and sends out authenticated signature information, and an information authentication unit, which extracts the corresponding terminal digital certificate public key file from the CA certificate management unit according to the terminal identity identification information in the signed information to be authenticated, verifies the signature of the information to be authenticated, signs successfully verified information with the CA root certificate private key file to generate authenticated signature information, and sends the authenticated signature information to the corresponding recipient through the information transmit-receive unit.
The mobile terminal comprises a certificate generation unit, which generates the key pair of the terminal digital certificate according to the mobile terminal certificate control, encrypts the terminal digital certificate public key file with the CA root certificate public key file and uploads it to the CA authentication center; a terminal certificate management unit; a digital signature unit; and a terminal information authentication unit.
The terminal certificate management unit comprises a terminal digital certificate repository, which stores the terminal digital certificate private key file and the CA root certificate public key file.
The digital signature unit comprises a signing unit, with which the mobile terminal signs the original information to be sent together with the terminal identity identification information using the terminal digital certificate private key file and sends the result to the authentication service unit, and an encryption unit, with which the mobile terminal encrypts the original information to be sent together with the terminal identity identification information using the terminal digital certificate private key file and sends the result to the authentication service unit.
The mobile certificate relying party comprises a relying party certificate management unit and a relying party information authentication unit.
The relying party certificate management unit comprises a relying party digital certificate repository, which stores the relying party's identification digital certificate private key file and the CA root certificate public key file.
The relying party information authentication unit comprises a relying party information transmit-receive unit, which receives the authenticated signature information sent by the CA authentication center and sends signed information to be verified to the authentication service unit of the CA authentication center, and an authentication unit, which receives the authenticated signature information from the relying party information transmit-receive unit, verifies its signature using the CA root certificate public key file and, after successful verification, presents the original content of the information and the terminal identity identification information to the relying party.
The CA certificate management unit further comprises a certificate revocation unit, which provides the mobile certificate relying party with queries of the terminal digital certificate revocation list (CRL).
The terminal certificate management unit further comprises a terminal certificate updating unit, which queries the state of the terminal digital certificate in the external information bank of the CA authentication center and updates the terminal digital certificate public key file in the terminal digital certificate repository.
The relying party certificate management unit further comprises a relying party certificate updating unit, which queries the external information bank of the CA authentication center and updates the CA root certificate public key file in the relying party digital certificate repository.
The mobile terminal further comprises a terminal information authentication unit.
The terminal information authentication unit is used, after the mobile terminal receives authenticated signature information sent by the CA authentication service unit, to verify the authenticated signature information certified by the CA center using the CA root certificate public key file and, after successful signature verification, to present the information content and the sender's identification information on the mobile terminal.
The terminal information authentication unit is originally intended to solve the information authentication problem that arises when the mobile terminal itself acts as the certificate relying party. Its working mechanism is identical to that of the "relying party information authentication unit", but it is set out separately to highlight that in this system a mobile terminal can both act as an information sender, sending authenticated information to a certificate relying party, and act as a certificate relying party, receiving authenticated information sent by other mobile terminals; that is, it can both authenticate and be authenticated. It can be regarded as the description of a special case of the certificate relying party, namely the mobile terminal acting as relying party.
A mobile terminal authentication method based on the SMS digital certificate, provided for a mobile terminal acting as certificate relying party to authenticate the identity of the sender of information, is characterised in that the method comprises the following steps:
Only the certificate subscriber (the certificate applicant and holder) possesses the identity identification sign and the certificate private key; the certificate relying party verifies signatures without any identity label or certificate private key of its own, and can only download the subscriber's certificate public key, which the subscriber has uploaded to the external information bank of the CA. This passage explains in detail how the mobile terminal, as certificate subscriber, produces its identification information and its certificate public and private key files; were it deleted, it could not be explained with what instrument the mobile terminal adds the identification information and the digital signature to the original information when sending.
A special circumstance is involved: the mobile terminal may itself become the certificate relying party. In that case the mobile terminal only needs to verify, with the CA root certificate public key, the CA digital signature in the authenticated signature information sent by the CA authentication service unit; after successful verification, the information content and the sender's identification information (the information sender possesses the identification information and holds the digital certificate private key file) are shown on the mobile terminal acting as relying party.
In the traditional scheme the number of certificate subscribers is limited, and the certificate relying party can download all the certificate public key files for signature verification. The mobile terminal is a special case of certificate subscriber: it is inconvenient for the certificate relying party to download and manage tens of thousands of mobile terminal certificates, which is why the solution of this patent is proposed.
A mobile terminal authentication method based on the SMS digital certificate, used by a mobile terminal to verify the identity of the information sender when receiving authenticated information, comprises the following steps:
1] The CA center authenticates the signed information:
1.1] The authentication service unit of the CA authentication center receives information to be authenticated whose recipient is a mobile terminal;
1.2] The authentication service unit of the CA authentication center extracts the public key file of the corresponding sender's digital certificate from the external information bank according to the sender identification information in the information to be authenticated, and verifies the digital signature of the information to be authenticated using that public key file; if verification passes, step 1.3] is executed; if verification does not pass, the information is sent to the mobile terminal directly without any further processing;
1.3] The CA authentication center signs the verified signed information using the CA root certificate private key file, generating authenticated signature information;
1.4] The authentication service unit of the CA authentication center converts the format of the authenticated signature information according to the communication protocol and sends it to the destination mobile terminal according to the target recipient address included in the authenticated signature information;
2] The terminal information authentication unit of the mobile terminal receives the information sent by the CA authentication center and judges whether it is authenticated signature information or unauthenticated information according to whether it carries the signature of the CA authentication center;
3] The mobile terminal receives authenticated information:
3.1] The terminal information authentication unit of the mobile terminal receives the authenticated signature information sent by the CA authentication center, extracts the CA root certificate public key file from the digital certificate repository and verifies the CA root certificate private key signature on the authenticated signature information;
3.2] If signature verification of the authenticated signature information succeeds, the sender identification information and the information content are extracted from the authenticated signature information and authentication is complete;
3.3] If signature verification of the authenticated signature information fails, only the information content is extracted from the authenticated signature information, and the mobile terminal is warned that the identity of the sender of this information has not been authenticated;
4] The mobile terminal receives unauthenticated information:
4.1] The terminal information authentication unit of the mobile terminal receives the unauthenticated signature information sent by the CA authentication center, extracts only the information content from it, and warns the mobile terminal that the identity of the sender of this information has not been authenticated.
A mobile terminal authentication method based on the SMS digital certificate, for a certificate relying party to authenticate the identity of the mobile terminal that sends information, is characterised in that the method comprises the following steps:
1] Generate the terminal digital certificate:
1.1] The mobile terminal submits a terminal digital certificate application to the certificate application unit of the CA authentication center;
1.2] After accepting the application, the certificate application unit generates unique terminal identity identification information and stores it in the external information bank of the CA;
1.3] The certificate generation unit of the mobile terminal downloads the terminal identity identification information and the mobile terminal certificate control from the certificate application unit of the CA authentication center and installs the control; the mobile terminal certificate control includes the CA root certificate public key file. The certificate relying party downloads the CA root certificate public key file from the CA authentication center and keeps it in the digital certificate repository of the relying party certificate management unit;
1.4] The certificate generation unit of the mobile terminal generates the key pair of the terminal digital certificate according to the mobile terminal certificate control and deposits the private key file of the terminal digital certificate in the digital certificate repository of the mobile terminal;
1.5] The certificate generation unit of the mobile terminal encrypts the terminal identity identification information and the public key file of the terminal digital certificate using the CA root certificate public key file, and sends the encrypted mobile terminal certificate public key file to the certificate application unit of the CA authentication center; on receiving the public key file of the terminal digital certificate, the certificate application unit of the CA authentication center decrypts it using the CA root certificate private key file and deposits the decrypted public key file of the terminal digital certificate in the external information bank of the CA authentication center;
2] The mobile terminal sends signed information:
2.1] The mobile terminal produces the original information to be sent (the holder enters the information content and the recipient address through the interface, for example by editing the text of a short message and entering the recipient's phone number), and the terminal identity identification information together with the original information to be sent is passed to the digital signature unit; the original information to be sent comprises the information content and the target recipient address;
2.2] The digital signature unit extracts the private key file of the terminal digital certificate from the digital certificate repository and digitally signs the terminal identity identification information and the original information to be sent, generating the signed information to be authenticated; the signed information to be authenticated comprises the terminal identity identification information, the original information to be sent and the digital signature made with the private key file of the terminal digital certificate;
2.3] The digital signature unit of the mobile terminal converts the format of the signed information to be authenticated according to the communication protocol and sends it to the authentication service unit of the CA authentication center;
3] The CA authentication center verifies the signed information:
3.1] The authentication service unit of the CA authentication center receives the signed information to be authenticated sent by the mobile terminal;
3.2] The authentication service unit of the CA authentication center extracts the public key file of the corresponding terminal digital certificate from the external information bank according to the terminal identity identification information in the information to be authenticated, and verifies the digital signature of the information to be authenticated using that public key file; if verification passes, step 3.3] is executed; if verification does not pass, step 2] is executed;
3.3] The CA authentication center signs the verified signed information using the CA root certificate private key file, generating authenticated signature information;
3.4] The authentication service unit of the CA authentication center converts the format of the authenticated signature information according to the communication protocol and sends it to the target recipient according to the target recipient address included in the authenticated signature information;
4] The certificate relying party receives authenticated information:
4.1] The information authentication unit of the certificate relying party receives the authenticated signature information sent by the CA authentication center, extracts the CA root certificate public key file from the digital certificate repository and verifies the CA root certificate private key signature on the authenticated signature information;
If signature verification of the authenticated signature information succeeds, the terminal identity identification information and the information content are extracted from the authenticated signature information and authentication is complete;
If signature verification of the authenticated signature information fails, only the information content is extracted from the authenticated signature information, and the certificate relying party is warned that the identity of the sender of this information has not been authenticated.
The method further comprises a certificate updating step:
According to the installed mobile terminal certificate control, the mobile terminal periodically queries the CA authentication center for the version information of the CA root certificate; if the CA root certificate has been updated, the CA authentication center notifies the mobile terminal to download the mobile terminal certificate control again.
The method further comprises a certificate revocation step:
If the CA authentication center confirms that a terminal digital certificate meets the conditions for revocation, the terminal digital certificate meeting those conditions is added to the certificate revocation unit and the mobile terminal is notified that its terminal digital certificate has been revoked.
When the CA has evidence of situations such as the certificate of a terminal digital certificate subscriber being impersonated by an illegal third party, it can confirm and revoke the certificate according to the digital certificate service regulations.
The above terminal identity identification information is the phone number, the IMEI or the IMSI.
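As an added illustration, not code from the patent or from its applicant, the following Go program carries the method above through end to end: certificate enrolment (steps 1.4 and 1.5), signing by the terminal (step 2), verification and countersignature by the CA authentication center (step 3) and verification by the relying party (step 4); the relying party check is the same one a mobile terminal performs in step 3.1 of the earlier method when it acts as relying party itself. The patent names no algorithms, formats or key sizes, so everything concrete here is an assumption: Ed25519 for the terminal certificate key pair, a 2048-bit RSA CA root key used with RSA-OAEP for the encrypted public key upload of step 1.5 and with RSA-PSS for the countersignature, a length-prefixed payload encoding, an in-memory map standing in for the external information bank, and the phone numbers, which are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is the signed information to be authenticated; CASig is empty until the CA countersigns it.
type Message struct {
	SenderID, Recipient, Content string // identifier (phone number, IMEI or IMSI), address, content
	TermSig, CASig               []byte // terminal signature (step 2.2), CA root signature (step 3.3)
}

// payload is what the terminal signs: length-prefixed fields (a constructed encoding, not the patent's).
func (m Message) payload() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d:%s", len(m.SenderID), m.SenderID, len(m.Recipient), m.Recipient, len(m.Content), m.Content))
}

// CA models the authentication center: root key and external information bank (identifier -> terminal key).
type CA struct {
	root    *rsa.PrivateKey
	pubKeys map[string]ed25519.PublicKey
}

// Enroll (step 1.5, CA side): decrypt the uploaded terminal public key with the root private key and store it.
func (ca *CA) Enroll(id string, encPub []byte) error {
	pub, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ca.root, encPub, []byte(id)) // id bound as OAEP label
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("enrolment of %q rejected: %v", id, err)
	}
	ca.pubKeys[id] = ed25519.PublicKey(pub)
	return nil
}

// Authenticate (step 3): look up the terminal key by identifier, verify the terminal signature and
// countersign with the root key. An unverifiable message is forwarded without a CA signature (cf. 1.2).
func (ca *CA) Authenticate(m Message) Message {
	m.CASig = nil
	if pub, ok := ca.pubKeys[m.SenderID]; ok && ed25519.Verify(pub, m.payload(), m.TermSig) {
		h := sha256.Sum256(append(m.payload(), m.TermSig...)) // the CA signs payload plus terminal signature
		m.CASig, _ = rsa.SignPSS(rand.Reader, ca.root, crypto.SHA256, h[:], nil)
	}
	return m
}

// NewTerminal (steps 1.4-1.5, terminal side): generate the key pair and return the private key plus
// the public key encrypted under the CA root public key, ready for upload.
func NewTerminal(id string, caRoot *rsa.PublicKey) (ed25519.PrivateKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	enc, encErr := rsa.EncryptOAEP(sha256.New(), rand.Reader, caRoot, pub, []byte(id))
	if err != nil || encErr != nil {
		panic("terminal key generation failed")
	}
	return priv, enc
}

// Sign (step 2.2): sign identifier, recipient and content with the terminal private key.
func Sign(priv ed25519.PrivateKey, id, recipient, content string) Message {
	m := Message{SenderID: id, Recipient: recipient, Content: content}
	m.TermSig = ed25519.Sign(priv, m.payload())
	return m
}

// VerifyAtRelyingParty (step 4.1) needs only the CA root public key; without a valid CA signature it returns "" and false.
func VerifyAtRelyingParty(caRoot *rsa.PublicKey, m Message) (string, bool) {
	h := sha256.Sum256(append(m.payload(), m.TermSig...))
	if len(m.CASig) == 0 || rsa.VerifyPSS(caRoot, crypto.SHA256, h[:], m.CASig, nil) != nil {
		return "", false // content is still delivered, but the sender is flagged as unauthenticated
	}
	return m.SenderID, true
}

// Demo: enrolment, then a genuine message, the same message altered in transit, and a message that
// claims an identifier the CA holds no key for. The phone numbers are constructed sample values.
func Demo() (genuine, tampered, impersonated bool) {
	root, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ca := &CA{root: root, pubKeys: map[string]ed25519.PublicKey{}}
	rp := &root.PublicKey // all a relying party has to store
	priv, enc := NewTerminal("13800000000", rp)
	if err := ca.Enroll("13800000000", enc); err != nil {
		panic(err)
	}
	m := Sign(priv, "13800000000", "13900000000", "transfer 100")
	_, genuine = VerifyAtRelyingParty(rp, ca.Authenticate(m))
	bad := m
	bad.Content = "transfer 1000" // altered after signing
	_, tampered = VerifyAtRelyingParty(rp, ca.Authenticate(bad))
	_, impersonated = VerifyAtRelyingParty(rp, ca.Authenticate(Sign(priv, "13700000000", "13900000000", "hello")))
	return
}

func main() { fmt.Println(Demo()) } // true false false
```

Advantage 2 of the utility model is visible in VerifyAtRelyingParty: the relying party stores a single key, the CA root public key, and never handles a terminal certificate. The same function makes the failure path of steps 1.2 and 4.1 explicit: a message whose content was altered after signing, or one claiming an identifier for which the information bank holds no key, reaches the relying party without a CA signature and is delivered with its sender flagged as unauthenticated. A deployment note follows from the design rather than from the example: the CA root private key is used online for every countersignature, so the storage of that key (a disk region or removable device in the description above) is the component whose protection matters most.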
The utility model has the following advantages:
1. It is applicable to all kinds of mobile terminal devices with wireless communication capability, including smartphones and tablet computers.
2. The relying party of the terminal digital certificate does not need to download and keep the very numerous mobile terminal certificate public key files; it only needs to send the digital signature to be verified to the CA authentication center for verification, which makes the system easy to popularise.
Description of drawings
Fig. 1 is a schematic structural diagram of the system of the utility model.
Embodiment
A kind of mobile terminal authentication system based on digital certificate, it comprises digital certificate authentication center (ca authentication center), portable terminal and mobile certificate relying party,
Digital certificate authentication center comprises certificate request unit, CA certificate administrative unit and authentication service unit,
The certificate request unit comprise for accepting terminal applying digital certificate, the application that provides terminal identity identification information and portable terminal certificate control to download accept the unit and be used for the terminal digital certificate PKI file that mobile terminal receive uploads and use the file verification of CA root certificate private key after deposit the certificate issuance unit of external information bank in;
CA root certificate private key file is stored in CA certificate administrative unit (usually being stored in disk specific region or the movable storage device)
The CA certificate administrative unit comprises be used to depositing terminal digital certificate PKI file, terminal identity identification information and the external information bank of download being provided to the mobile certificate relying party;
Authentication service unit comprises for receiving signing messages to be certified, send the information transmit-receive unit of authentication signature information and extracting corresponding terminal digital certificate PKI file according to the terminal identity identification information of signing messages to be certified from the CA certificate administrative unit, and treat authentication signature information and carry out signature verification, the information that is proved to be successful add CA root certificate private key file signature generate authentication signature information and authentication signature information send to corresponding recipient's authentification of message unit by the information transmit-receive unit;
Portable terminal comprises for the key that generates the terminal digital certificate according to portable terminal certificate control pair, and use CA root certificate PKI file to terminal digital certificate PKI file encryption, be uploaded to certificates constructing unit, terminal certificate administrative unit, digital signature unit and the end message authentication ' unit at ca authentication center:
The terminal certificate administrative unit comprises be used to the terminal numeral certificate repository of depositing terminal numeral certificate private key file, CA root certificate PKI file;
The digital signature unit comprises as portable terminal and uses terminal numeral certificate private key file raw information to be sent and terminal identity identification information are signed and to be sent to the signature unit of authentication service unit and to use terminal numeral certificate private key file raw information to be sent and terminal identity identification information to be encrypted and to be sent to the ciphering unit of authentication service unit as portable terminal;
The mobile certificate relying party comprises relying party's certificates snap-in and relying party's authentification of message unit,
Relying party's certificates snap-in comprises be used to relying party's digital certificate storehouse of depositing relying party's identification digital certificate private key file and CA root certificate PKI file;
Relying party's authentification of message unit comprises the authentication signature information that receives the transmission of ca authentication center, signing messages to be verified is sent to relying party's information transmit-receive unit and the authentication signature information that receives the transmission of relying party's information transmit-receive unit of the authentication service unit at ca authentication center, use CA root certificate PKI file to authentication signature information signature verification, the authentication ' unit of after the signature verification success information original contents and terminal identity identification information being presented to the relying party.
The CA certificate administrative unit also comprises the certificate revocation unit that the inquiry of terminal numeral CRL is provided to the mobile certificate relying party.
The terminal certificate administrative unit also comprises for to the external information bank inquiry terminal digital certificate state at ca authentication center and finish the terminal certificate updating block of the terminal digital certificate PKI file update of terminal numeral certificate repository.
Relying party's certificates snap-in also comprises for the external information bank inquiry and finish relying party's certificate update unit of relying party's digital certificate storehouse CA root certificate PKI file update to the ca authentication center.
Portable terminal also comprises the end message authentication ' unit,
The end message authentication ' unit is used for after portable terminal is received the authentication signature information that is sent by the ca authentication service unit, use CA root certificate PKI file that the authentication signature information by the CA center certification is verified, after the signature verification success identification information of the information content and transmit leg is presented to portable terminal
Information of mobile terminal authentication ' unit, original idea are with the authentification of message problem that solves when portable terminal serves as the certificate relying party.Its working mechanism is in full accord with " relying party's authentification of message unit ", but for the portable terminal that highlights in the native system both can be used as information sender, send authentication information, also can be used as the authentication information that the certificate relying party receives other portable terminals transmissions to the certificate relying party, namely can authenticate with certified.Can be regarded as, to the description of a kind of special case of certificate relying party, namely portable terminal is as the relying party herein.
A kind of mobile terminal authentication method based on the note digital certificate is provided as the authentication information transmit leg identity of certificate relying party's portable terminal, and the method may further comprise the steps:
Only have certificate subscriber (certificate request and holder) just to have identification sign and certificate private key, the certificate relying party comes certifying signature without identify label and certificate private key, this subscriber's certificate PKI of can only the downloadable authentication subscriber uploading to the external information bank of CA.Explain in detail herein portable terminal is how to produce identification information and certificate PKI, private key file as the certificate subscriber, if deletion, can't illustrate portable terminal when the information of transmission, adds identification information and digital signature with what instrument in raw information.
Relate to a kind of special circumstances: portable terminal also may become the certificate relying party, and this moment, portable terminal only need to utilize CA digital signature in the authentication signature information that CA root certificate public key verifications ca authentication service unit sends, after being proved to be successful the information content and transmit leg identification information (information sender has identification information, holds the digital certificate private key file) was showed the portable terminal as the relying party.
In the traditional scheme, certificate subscriber limited amount, the certificate relying party can download whole certificate PKI files and be used for signature verification, but portable terminal is more special during as the certificate subscriber: the certificate relying party all downloads and manages ten hundreds of portable terminal certificate operation inconvenience, thereby proposes the solution of this patent.
A mobile terminal authentication method based on short-message (SMS) digital certificates, used by a mobile terminal to verify the identity of the information sender when it receives authentication information, comprises the following steps:
1] The CA center verifies the signed information:
1.1] The authentication service unit of the CA authentication center receives information to be authenticated whose recipient is a mobile terminal;
1.2] The authentication service unit extracts the public key file of the corresponding sender's digital certificate from the external information bank according to the sender identity information in the information to be authenticated, and uses that public key file to verify the digital signature of the signed information to be authenticated. If verification passes, step 1.3] is executed; if it fails, the information is not processed further and is sent directly to the mobile terminal;
1.3] The CA authentication center signs the verified signed information with the CA root certificate private key file, generating the authentication signature information;
1.4] The authentication service unit converts the authentication signature information according to the communications protocol and sends it to the destination mobile terminal at the target recipient address contained in the authentication signature information;
2] The terminal information authentication unit of the mobile terminal receives the information sent by the CA authentication center and judges, by whether it carries a CA authentication center signature, whether it is authentication signature information or information that did not pass authentication;
3] The mobile terminal receives authentication information:
3.1] The terminal information authentication unit receives the authentication signature information sent by the CA authentication center, extracts the CA root certificate public key file from the digital certificate bank, and verifies the CA root certificate private key signature on the authentication signature information;
3.2] If the signature verification succeeds, the sender identity information and the information content are extracted from the authentication signature information and authentication is complete;
3.3] If the signature verification fails, only the information content is extracted from the authentication signature information, and the mobile terminal is prompted that the sender identity of this information is unauthenticated;
4] The mobile terminal receives information that did not pass authentication:
4.1] The terminal information authentication unit receives the information that did not pass authentication from the CA authentication center, extracts only the information content from it, and prompts the mobile terminal that the sender identity of this information is unauthenticated.
A mobile terminal authentication method based on short-message (SMS) digital certificates, by which a certificate relying party authenticates the identity of the mobile terminal sending information, comprises the following steps:
1] Generate the terminal digital certificate:
1.1] The mobile terminal submits a terminal digital certificate application to the certificate application unit of the CA authentication center;
1.2] After the certificate application unit accepts the application, it generates unique terminal identity information and stores that terminal identity information in the CA's external information bank;
1.3] The certificate generation unit of the mobile terminal downloads the terminal identity information and the mobile terminal certificate control from the certificate application unit of the CA authentication center and installs them; the mobile terminal certificate control contains the CA root certificate public key file. The certificate relying party downloads the CA root certificate public key file from the CA authentication center and stores it in the digital certificate bank of the relying party's certificate management unit;
1.4] The certificate generation unit of the mobile terminal generates the key pair of the terminal digital certificate according to the mobile terminal certificate control and stores the private key file of the terminal digital certificate in the mobile terminal's digital certificate bank;
1.5] The certificate generation unit of the mobile terminal encrypts the terminal identity information and the public key file of the terminal digital certificate with the CA root certificate public key file, and sends the encrypted mobile terminal certificate public key file to the certificate application unit of the CA authentication center; after receiving it, the certificate application unit decrypts the public key file of the terminal digital certificate with the CA root certificate private key file and stores the decrypted public key file in the external information bank of the CA authentication center;
2] The mobile terminal sends signed information:
2.1] The mobile terminal produces the raw information to be sent (the holder enters the information content and the recipient address through the interface, for example edits the short message content and enters the recipient's phone number) and passes the terminal identity information and the raw information to be sent to the digital signature unit; the raw information to be sent comprises the information content and the target recipient address;
2.2] The digital signature unit extracts the private key file of the terminal digital certificate from the digital certificate bank and digitally signs the terminal identity information and the raw information to be sent, generating the signed information to be authenticated; the signed information to be authenticated comprises the terminal identity information, the raw information to be sent, and the digital signature made with the private key file of the terminal digital certificate;
2.3] The digital signature unit of the mobile terminal converts the signed information to be authenticated according to the communications protocol and sends it to the authentication service unit of the CA authentication center;
3] The CA authentication center verifies the signed information:
3.1] The authentication service unit of the CA authentication center receives the signed information to be authenticated sent by the mobile terminal;
3.2] The authentication service unit extracts the public key file of the corresponding terminal digital certificate from the external information bank according to the terminal identity information in the information to be authenticated, and uses that public key file to verify the digital signature of the signed information to be authenticated; if verification passes, step 3.3] is executed; if it fails, the method returns to step 2];
3.3] The CA authentication center signs the verified signed information with the CA root certificate private key file, generating the authentication signature information;
3.4] The authentication service unit converts the authentication signature information according to the communications protocol and sends it to the target recipient at the target recipient address contained in the authentication signature information;
4] The certificate relying party receives the authentication information:
4.1] The certificate relying party's information authentication unit receives the authentication signature information sent by the CA authentication center, extracts the CA root certificate public key file from its digital certificate bank, and verifies the CA root certificate private key signature on the authentication signature information;
If the signature verification succeeds, the terminal identity information and the information content are extracted from the authentication signature information and authentication is complete;
If the signature verification fails, only the information content is extracted from the authentication signature information, and the certificate relying party is prompted that the sender identity of this information is unauthenticated.
The method also comprises a certificate update step:
The mobile terminal, through the installed mobile terminal certificate control, periodically queries the CA authentication center for the version information of the CA root certificate; if the CA root certificate has been updated, the CA authentication center notifies the mobile terminal to download the mobile terminal certificate control again.
The method also comprises a certificate revocation step:
If the CA authentication center confirms that a terminal digital certificate meets the revocation conditions, the terminal digital certificate meeting those conditions is added to the certificate revocation unit and the mobile terminal is notified that its terminal digital certificate has been revoked.
When the CA has evidence of situations such as a terminal digital certificate subscriber's certificate being fraudulently used by an unauthorized third party, it can confirm revocation of the certificate according to the digital certificate service rules.
The terminal identity information mentioned above is the phone number, IMEI or IMSI.
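The full path of the method above, as an added example in Go that is not code from the patent: the terminal signs its identity plus the raw information, the CA looks the sender's public key up by identity in its external information bank, verifies and countersigns with its root key, and the relying party checks only the CA root signature. The names Envelope, Enroll, Authenticate and Verify and the sample phone numbers are this example's; Ed25519 stands in for the certificate algorithm the page does not specify, and the CA root public key is assumed to have reached the relying party through the certificate control as step 1.3 describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the message in transit: the raw information (content, target recipient) and
// the sender's terminal identity (phone number, IMEI or IMSI). TerminalSig is added in
// step 2.2; CASig only in step 3.3 after the terminal signature verified, so a nil CASig
// means "did not pass authentication" (step 2 of the receiving method).
type Envelope struct {
	SenderID, Recipient, Content string
	TerminalSig, CASig           []byte
}

// CA: the root signing key pair plus the external information bank (identity -> public key).
type CA struct {
	rootPriv ed25519.PrivateKey
	RootPub  ed25519.PublicKey // shipped to terminals and relying parties in the certificate control
	bank     map[string]ed25519.PublicKey
}

func NewCA() *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	return &CA{rootPriv: priv, RootPub: pub, bank: map[string]ed25519.PublicKey{}}
}

// Enroll is step 1.5 reduced to its effect: the terminal's public key is stored under its
// identity. (The page encrypts that upload with the CA root public key; the transport step
// is omitted here.) Refusing a second upload for an enrolled identity is this example's
// choice; the page handles re-issuance in its update step.
func (ca *CA) Enroll(id string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("bad public key length %d", len(pub))
	}
	if _, dup := ca.bank[id]; dup {
		return fmt.Errorf("identity %q already enrolled", id)
	}
	ca.bank[id] = pub
	return nil
}

// digest length-prefixes each field so identity, recipient and content cannot be shifted
// into one another. The terminal signs the fields; the CA signs fields plus terminal signature.
func digest(e Envelope, withTerminalSig bool) []byte {
	h := sha256.New()
	for _, f := range []string{e.SenderID, e.Recipient, e.Content} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	if withTerminalSig {
		h.Write(e.TerminalSig)
	}
	return h.Sum(nil)
}

// Sign is step 2.2: the terminal's digital signature unit signs identity plus raw information
// with the terminal certificate private key.
func Sign(id string, priv ed25519.PrivateKey, recipient, content string) Envelope {
	e := Envelope{SenderID: id, Recipient: recipient, Content: content}
	e.TerminalSig = ed25519.Sign(priv, digest(e, false))
	return e
}

// Authenticate is step 3: look the sender up by identity, verify the terminal signature and
// countersign on success; on failure the envelope is forwarded without a CA signature.
func (ca *CA) Authenticate(e Envelope) Envelope {
	e.CASig = nil // never keep a CA signature supplied by the sender
	if pub, ok := ca.bank[e.SenderID]; ok && ed25519.Verify(pub, digest(e, false), e.TerminalSig) {
		e.CASig = ed25519.Sign(ca.rootPriv, digest(e, true))
	}
	return e
}

// Verify is step 4: the relying party needs only the CA root public key, never the sender's
// key. The content is returned either way; the sender identity only when authenticated.
func Verify(rootPub ed25519.PublicKey, e Envelope) (senderID, content string, ok bool) {
	if e.CASig != nil && ed25519.Verify(rootPub, digest(e, true), e.CASig) {
		return e.SenderID, e.Content, true
	}
	return "", e.Content, false
}

func main() {
	ca := NewCA()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the terminal's key pair (step 1.4)
	_ = ca.Enroll("+86-138-0000-0001", pub)          // constructed sample number
	env := Sign("+86-138-0000-0001", priv, "+86-138-0000-0002", "meet at 10:00")
	fmt.Println(Verify(ca.RootPub, ca.Authenticate(env)))
	env.Content = "meet at 11:00" // altered in transit: terminal signature fails, no CA signature
	fmt.Println(Verify(ca.RootPub, ca.Authenticate(env)))
}
```

The failure path is the one worth testing: a message whose terminal signature does not verify is still delivered, but without CASig, and Verify then returns the content with an empty sender identity, which is the "sender identity unauthenticated" prompt of steps 3.3 and 4.1. Authenticate also clears any CASig already present in the incoming envelope, so a sender cannot attach a CA signature of its own and have the CA relay it.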
Embodiment:
In practical operation, the confirmation of the subscriber's identity material is performed by a registration authority (RA), which takes part in completing the mobile terminal's certificate application. The specific steps are as follows:
1] Generate the mobile terminal certificate:
1.1] The mobile terminal holder submits the terminal digital certificate application to the registration authority RA;
1.2] After the registration authority RA accepts the application, the phone number is used as the unique terminal identity information of the mobile terminal;
1.3] The handset user obtains the certificate control, which carries the phone number, the CA root certificate public key file and the RA certificate public key, either by downloading and installing it or by activating a pre-installed copy;
1.4] The certificate generation unit produces the key pair of the terminal digital certificate according to the certificate generation program and stores the private key file of the terminal digital certificate in the terminal digital certificate bank; the certificate generation unit then uses the pre-implanted registration authority RA certificate public key to encrypt the unique terminal identity information and the terminal digital certificate public key, and sends the encrypted mobile terminal certificate public key file to the registration authority RA. The terminal identity information is information that uniquely identifies the mobile terminal, such as the phone number, IMEI or IMSI;
1.5] The registration authority RA receives the encrypted mobile terminal certificate public key file uploaded by the mobile terminal, decrypts it with the RA certificate private key file, signs the decrypted uploaded mobile terminal certificate public key file with the RA certificate private key file, and transfers the signed mobile terminal certificate public key file to the CA authentication center;
1.6] After the certificate application unit of the CA authentication center receives the mobile terminal certificate public key file transferred by the RA, it decrypts it with the RA certificate public key file and, after successful decryption, stores the terminal certificate public key file in the external information bank.
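The registration-authority enrollment of embodiment steps 1.3 to 1.6, as an added example in Go that is not the patent's own code: the terminal encrypts (phone number, public key) to the RA, the RA decrypts, checks that the upload matches the application it accepted, and signs the result, and the CA accepts only RA-signed enrollments. The names RA, Upload, Endorse, Issue and oaepLabel are this example's. The embodiment gives the RA a single certificate key for both decryption and signing; here decryption uses an RSA-OAEP key and signing an Ed25519 key, a key-separation choice of the example, and Ed25519 is also assumed for the terminal certificate so that the upload fits in one RSA-OAEP block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// enrollment is the step 1.4 upload: the terminal's unique identity (the phone number in
// the embodiment) and the freshly generated terminal certificate public key.
type enrollment struct {
	Phone string `json:"phone"`
	Pub   []byte `json:"pub"`
}

// RA models the registration authority. The embodiment gives it one RA certificate key for both
// decryption and signing; this example (an assumption) uses RSA-OAEP for decryption and Ed25519 for signing.
type RA struct {
	dec     *rsa.PrivateKey
	sign    ed25519.PrivateKey
	EncPub  *rsa.PublicKey    // pre-implanted in the certificate control (step 1.3)
	SignPub ed25519.PublicKey // known to the CA so it can check RA signatures (step 1.6)
}

func NewRA() *RA {
	dec, _ := rsa.GenerateKey(rand.Reader, 2048) // key generation only fails if rand.Reader does
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &RA{dec: dec, sign: priv, EncPub: &dec.PublicKey, SignPub: pub}
}

var oaepLabel = []byte("terminal-certificate-upload") // constructed label binding the ciphertext to this use

// Upload is step 1.4 on the terminal: encrypt (phone, public key) to the RA in one RSA-OAEP block.
func Upload(raEncPub *rsa.PublicKey, phone string, pub ed25519.PublicKey) ([]byte, error) {
	plain, _ := json.Marshal(enrollment{Phone: phone, Pub: pub})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, raEncPub, plain, oaepLabel)
}

// Endorsed is what the RA forwards in step 1.5: the decrypted enrollment bytes and the RA signature over exactly those bytes.
type Endorsed struct {
	Enrollment, RASig []byte
}

// Endorse is step 1.5 on the RA: decrypt, check the upload is for the phone whose application
// the RA accepted (step 1.2), and sign it. The phone check is the binding the scheme relies on.
func (ra *RA) Endorse(ciphertext []byte, acceptedPhone string) (Endorsed, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, ra.dec, ciphertext, oaepLabel)
	if err != nil {
		return Endorsed{}, err
	}
	var e enrollment
	if err := json.Unmarshal(plain, &e); err != nil {
		return Endorsed{}, err
	}
	if e.Phone != acceptedPhone || len(e.Pub) != ed25519.PublicKeySize {
		return Endorsed{}, errors.New("enrollment does not match the accepted application")
	}
	return Endorsed{Enrollment: plain, RASig: ed25519.Sign(ra.sign, plain)}, nil
}

// CA holds the RA signing key and the external information bank (phone -> terminal public key).
type CA struct {
	raSignPub ed25519.PublicKey
	Bank      map[string]ed25519.PublicKey
}

func NewCA(raSignPub ed25519.PublicKey) *CA {
	return &CA{raSignPub: raSignPub, Bank: map[string]ed25519.PublicKey{}}
}

// Issue is step 1.6 on the CA: accept only RA-signed enrollments, re-validate them rather than
// trusting the RA's parsing, and refuse a second key for an enrolled phone (this example's choice).
func (ca *CA) Issue(en Endorsed) error {
	if !ed25519.Verify(ca.raSignPub, en.Enrollment, en.RASig) {
		return errors.New("RA signature invalid: upload not accepted")
	}
	var e enrollment
	if err := json.Unmarshal(en.Enrollment, &e); err != nil || len(e.Pub) != ed25519.PublicKeySize {
		return errors.New("malformed enrollment")
	}
	if _, dup := ca.Bank[e.Phone]; dup {
		return fmt.Errorf("phone %q already has a certificate", e.Phone)
	}
	ca.Bank[e.Phone] = ed25519.PublicKey(e.Pub)
	return nil
}

func main() {
	ra := NewRA()
	ca, phone := NewCA(ra.SignPub), "+86-138-0000-0001" // constructed sample number
	pub, _, _ := ed25519.GenerateKey(rand.Reader)        // the terminal's key pair (step 1.4)
	ct, _ := Upload(ra.EncPub, phone, pub)
	en, _ := ra.Endorse(ct, phone)
	fmt.Println("issued:", ca.Issue(en) == nil, "stored key matches:", ca.Bank[phone].Equal(pub))
}
```

The check that matters most is inside Endorse: the RA compares the phone number in the decrypted upload with the application it accepted in step 1.2. Encrypting to the RA's public key hides the upload but does not by itself say who produced it, so that comparison is where the embodiment's confirmation of identity material is actually enforced; the CA in turn stores only what carries the RA's signature and re-parses it instead of relying on the RA's validation.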
In actual implementation, the forwarding of the signed information to be authenticated sent by the mobile terminal, and the request for authentication, can be carried over the operator's existing wireless communication base network.
2] The mobile terminal sends signed information:
2.1] The mobile terminal passes the phone number and the raw information to be sent to the signature/encryption unit of the certificate control;
2.2] The private key file of the corresponding terminal certificate is extracted from the digital certificate bank and the phone number and the raw information are digitally signed; the information transceiving unit requests the digital signature unit to sign the information to be sent and, once signing succeeds, obtains the information to be authenticated, which comprises three items: the signature, the information content and the terminal identifier; the information to be authenticated is then sent to the authentication service unit of the CA center.
2.3] The digital signature unit appends the digital signature after the raw information to be sent, generating a signed message to be verified; the signed message to be verified comprises the information sender's phone number, the digital signature and the information content to be verified;
2.4] The mobile terminal first sends the signed message to the operator's business system via a predetermined communications protocol;
3] The operator receives the information sent by the mobile terminal and forwards it to the CA authentication center requesting signature verification:
3.1] The operator extracts the sender phone number and the digital signature to be verified from the signed message to be verified;
3.2] The operator extracts the corresponding identity certificate private key file from its digital certificate bank and signs the sender phone number and the digital signature to be verified, so as to show the trust chain under the digital signature to be verified;
3.3] The digital signature to be verified, with the operator's digital signature added, is sent to the CA authentication center requesting verification;
3.4] After the CA authentication center receives the signature to be verified sent by the operator, it extracts the operator's identity certificate public key file from the external information bank and verifies the operator's identity; if verification succeeds, it extracts the sender phone number and the digital signature to be verified; if verification fails, it refuses to provide the signature verification service;
3.5] The CA authentication center extracts the corresponding terminal digital certificate public key file from the external information bank according to the sender phone number and verifies the digital signature to be verified;
If verification succeeds, the sender's digital signature is replaced with a CA root certificate signature, generating the authentication signature information, which is returned to the operator's business system; the operator continues to forward the authentication information to the recipient (i.e. the certificate relying party), and step 4] follows;
If verification fails, the operator is notified of the verification failure and forwards only the raw information to the recipient;
4] The mobile terminal receives the authentication information:
4.1] The mobile terminal acting as relying party receives the authentication information sent by the operator;
4.2] The information authentication unit extracts the digital signature of the CA authentication center from the authentication information;
4.3] It extracts the CA root certificate of the CA authentication center from the digital certificate bank and verifies the digital signature;
4.4] The verification result is displayed.
The functions of the mobile terminal certificate control can be implemented in either of two ways, in hardware or in software:
1. Hardware-based embodiment.
The full functionality of the certificate control is realized by a handset smart SIM card whose main components are large-capacity storage and a high-speed CPU. Its features are as follows:
1) The CA root certificate file of the CA authentication center is written into the SIM card memory space;
2) Generation of the terminal digital certificate key pair and upload of the public key file are performed by the SIM card's high-speed CPU;
3) Encryption and signing of the information the mobile terminal sends, and decryption and signature verification of the information it receives, are performed by the SIM card's high-speed CPU.
2. Software-based embodiment.
The full functionality of the certificate control is realized by application software composed of a certificate generation unit, a certificate management unit, a digital signature unit and an information authentication unit. Its features are as follows:
1) The root certificate file of the CA authentication center is written into the digital certificate bank and activated on the mobile terminal together with the certificate control application, which is either pre-installed or downloaded and installed;
2) Generation of the terminal digital certificate key pair and upload of the certificate public key are performed by the certificate generation unit; adding the signature to the information being sent is performed by the digital signature unit;
3) Signature authentication of received information is performed by the information authentication unit.

Claims (4)

1. A mobile terminal authentication system based on digital certificates, characterized in that it comprises a digital certificate authentication center, a mobile terminal and a mobile certificate relying party,
the digital certificate authentication center comprises a certificate application unit, a CA certificate management unit and an authentication service unit,
the certificate application unit comprises an application accepting unit for accepting terminal digital certificate applications and providing the terminal identity information and the mobile terminal certificate control for download, and a certificate issuing unit for receiving the terminal digital certificate public key file uploaded by the mobile terminal and, after verifying it with the CA root certificate private key file, storing it in the external information bank;
the CA certificate management unit comprises an external information bank for storing terminal digital certificate public key files, the CA root certificate private key file and terminal identity information, and for providing downloads to the mobile certificate relying party;
the authentication service unit comprises an information transceiving unit for receiving signed information to be authenticated and sending authentication signature information, and an information authentication unit which extracts the corresponding terminal digital certificate public key file from the CA certificate management unit according to the terminal identity information in the signed information to be authenticated, performs signature verification on the signed information to be authenticated, adds the CA root certificate private key file signature to successfully verified information to generate the authentication signature information, and sends the authentication signature information to the corresponding recipient through the information transceiving unit;
the mobile terminal comprises a certificate generation unit for generating the key pair of the terminal digital certificate according to the mobile terminal certificate control, encrypting the terminal digital certificate public key file with the CA root certificate public key file and uploading it to the CA authentication center, a terminal certificate management unit, and a digital signature unit:
the terminal certificate management unit comprises a terminal digital cert-bank, the terminal digital certificate bank, for storing the terminal digital certificate private key file and the CA root certificate public key file;
the digital signature unit comprises a signature unit which, with the mobile terminal acting as sender, signs the raw information to be sent and the terminal identity information with the terminal digital certificate private key file and sends them to the authentication service unit, and an encryption unit which, with the mobile terminal acting as sender, encrypts the raw information to be sent and the terminal identity information with the terminal digital certificate private key file and sends them to the authentication service unit;
the mobile certificate relying party comprises a relying party certificate management unit and a relying party information authentication unit,
the relying party certificate management unit comprises a relying party digital certificate bank for storing the relying party's identity digital certificate private key file and the CA root certificate public key file;
the relying party information authentication unit comprises a relying party information transceiving unit which receives the authentication signature information sent by the CA authentication center and sends signed messages to be verified to the authentication service unit of the CA authentication center, and an authentication unit which receives the authentication signature information from the relying party information transceiving unit, verifies the signature on the authentication signature information with the CA root certificate public key file and, after successful signature verification, presents the original information content and the terminal identity information to the relying party.
2. The mobile terminal authentication system based on digital certificates according to claim 1, characterized in that the CA certificate management unit further comprises a certificate revocation unit that provides terminal digital certificate revocation list queries to the mobile certificate relying party.
3. The mobile terminal authentication system based on digital certificates according to claim 1 or 2, characterized in that the terminal certificate management unit further comprises a terminal certificate update unit for querying the terminal digital certificate status in the external information bank of the CA authentication center and updating the terminal digital certificate public key file in the terminal digital certificate bank.
4. The mobile terminal authentication system based on digital certificates according to claim 3, characterized in that the relying party certificate management unit further comprises a relying party certificate update unit for querying the external information bank of the CA authentication center and updating the CA root certificate public key file in the relying party digital certificate bank.
CN201120206248.5U 2011-06-17 2011-06-17 Mobile terminal identity authentication system based on digital certificate Expired - Lifetime CN202696901U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201120206248.5U CN202696901U (en) 2011-06-17 2011-06-17 Mobile terminal identity authentication system based on digital certificate

Publications (1)

Publication Number Publication Date
CN202696901U true CN202696901U (en) 2013-01-23

Family

ID=47552450

Country Status (1)

Country Link
CN (1) CN202696901U (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202307B (en) * 2011-06-17 2013-08-07 深圳一卡通新技术有限公司 Mobile terminal identity authentication system and method based on digital certificate
CN102202307A (en) * 2011-06-17 2011-09-28 刘明晶 Mobile terminal identity authentication system and method based on digital certificate
CN105635062A (en) * 2014-10-31 2016-06-01 腾讯科技(上海)有限公司 Network access equipment verification method and device
CN105635062B (en) * 2014-10-31 2019-11-29 腾讯科技(上海)有限公司 The verification method and device of network access equipment
CN107070667B (en) * 2017-06-07 2020-08-04 国民认证科技(北京)有限公司 Identity authentication method
CN107070667A (en) * 2017-06-07 2017-08-18 国民认证科技(北京)有限公司 Identity identifying method, user equipment and server
US10756898B2 (en) 2017-06-12 2020-08-25 Rebel AI LLC Content delivery verification
WO2020035009A1 (en) * 2018-08-15 2020-02-20 飞天诚信科技股份有限公司 Authentication system and working method therefor
US11811952B2 (en) 2018-08-15 2023-11-07 Feitian Technologies Co., Ltd. Authentication system and working method thereof
CN109756339A (en) * 2018-11-30 2019-05-14 航天信息股份有限公司 A kind of method and system carrying out unified certification to the multiple applications of terminal based on real name certificate
CN110620763A (en) * 2019-08-27 2019-12-27 广东南粤银行股份有限公司 Mobile identity authentication method and system based on mobile terminal APP
CN110620763B (en) * 2019-08-27 2021-11-26 广东南粤银行股份有限公司 Mobile identity authentication method and system based on mobile terminal APP
CN112734407A (en) * 2020-12-30 2021-04-30 银盛支付服务股份有限公司 Financial payment channel digital certificate management method

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
AV01 Patent right actively abandoned

Granted publication date: 20130123

Effective date of abandoning: 20130807

RGAV Abandon patent right to avoid regrant