JP2008252440A - Linkage electronic certificate issuing, utilization and verification system - Google Patents

Publication number
JP2008252440A
Authority
JP
Japan
Prior art keywords
certificate
client
electronic
signature
issuing
Legal status
Pending
Application number
JP2007090217A
Other languages
Japanese (ja)
Inventor
Hisao Sakazaki
坂崎尚生
Mitsuhiro Oikawa
笈川光浩
Kazuyoshi Hoshino
星野和義
Current Assignee
Hitachi Ltd
Original Assignee
Hitachi Ltd

Abstract

PROBLEM TO BE SOLVED: To allow a client who is a mobile terminal user to keep using a previously used client certificate even after changing certificate authorities. When the client changes the certificate authority (carrier) that issues its electronic certificate, for example from carrier A to carrier B, the client certificate used at carrier A cannot be used and a new client certificate sometimes has to be reissued at carrier B.

SOLUTION: A self-signed certificate issued by the client is used as the client certificate, and the certificate authority issues a linkage electronic certificate that links the client certificate to its root certificate. When an electronic signature is generated, the client uses the private key corresponding to the client certificate. Even when the certificate authority changes, only the root certificate and the linkage certificate are replaced; the client certificate is used as it is.

COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention relates to a method for issuing, using and verifying electronic certificates.

With the spread of the Internet in recent years, demand for electronic commerce, electronic applications and similar services has grown. The security infrastructure that lets these services be used safely is the public key infrastructure (PKI), which certifies the identity of an individual. PKI prevents tampering with electronic documents and impersonation, making safe electronic commerce possible. PKI technology is now used not only on the Internet but also in mobile networks.

Public key certificates are one way to realize PKI. In conventional PKI technology, a specific certificate authority issues the public key certificate of each user (see, for example, Non-Patent Document 1).

Non-Patent Document 1: International Telecommunication Union, "Information technology - Open systems interconnection - The Directory: Public-key and attribute certificate frameworks (ITU-T Recommendation X.509)", Switzerland, International Telecommunication Union, 31 March 2000, pp. 1-129.

In a conventional PKI system, public key certificates fall broadly into two kinds: the root certificate of the certificate authority itself and the client certificate of a client. As shown in FIG. 4, a public key certificate consists of information such as a version number, the certificate authority name, a serial number, a validity period, the name of the owner of the public key certificate, the public key and the electronic signature of the certificate authority. In this description, electronic certificates in general, not only public key certificates, are referred to as electronic certificates or simply certificates.

As shown in FIG. 4, when a client applies an electronic signature (hereinafter also simply "signature") to an electronic contract or similar document (hereinafter also simply "electronic data"), the client signs the electronic contract with the private key corresponding to the public key in client certificate 70 (the client's private key). Client certificate 70 is itself signed with the private key corresponding to the public key in root certificate 60 (the certificate authority's private key). In this way, the signed electronic contract 80 is guaranteed to have been signed by that client, and the validity of client certificate 70 itself is guaranteed by the certificate authority. Root certificate 60, in turn, is signed with its own private key (hereinafter "self-signature"; a certificate that is self-signed is called a self-signed certificate), which guarantees, among other things, that root certificate 60 itself has not been tampered with.

These mechanisms are now used not only on the Internet but also in mobile networks. In mobile networks, the certificate authority is commonly operated by a mobile telecommunications carrier (hereinafter also "carrier" or "mobile phone company"), and the client certificates issued by each carrier are stored in and used from that carrier's mobile terminals.

However, when a client changes the carrier it has a contract with, for example from carrier A to carrier B, storing and using the client certificate issued by carrier A in a carrier B mobile terminal may be inappropriate from an operational standpoint: although the client is using a carrier B terminal, the client certificate itself is vouched for by carrier A. The client certificate issued by carrier A that was in use before the contract change must therefore be revoked and a new client certificate issued by carrier B. Consequently, when the client changes carriers, the electronic certificate used before cannot be reused, which is inconvenient; clients want to keep using their existing electronic certificate even after changing carriers.

Verifying the validity of a signed electronic contract or similar document involves two broad checks. The first is "signature verification": confirming that the electronic signature applied to the electronic contract is itself valid. The second is "certificate verification": confirming that each certificate is valid. Certificate verification means verifying the electronic signature on the certificate, checking its validity period, checking its revocation status, and so on.

If the client changes carriers, for example from carrier A to carrier B, the client certificate issued by carrier A is revoked and carrier B issues a new client certificate. Signed electronic contracts that the client exchanged with business partners before the change, using the carrier A client certificate, will then fail verification on the verifier's side (the business partner), because the carrier A client certificate has now been revoked, and the contracts may become invalid. Changing carriers therefore forces the client to go through procedures such as re-signing contracts with business partners using the new certificate, which is inconvenient. In other words, not only for the client (the signing side) but also for the recipient of the signed electronic contract (the verifying side), it is unacceptable for a signed electronic contract to become invalid merely because the client changed carriers, so there is a demand for the client to be able to keep using the previously used electronic certificate as it is.

The present invention was made in view of the above circumstances. Its object is to provide an electronic certificate issuing, utilization and verification system that lets a client keep using a previously used client certificate even when the client changes the certificate authority that serves as its trust point.

Specifically, the present invention is an electronic certificate issuing, utilization and verification system in a system made up of a certificate authority certificate issuing device that issues public electronic certificates, a client device that applies electronic signatures to electronic contracts and the like, and a verification device that verifies signed electronic data. When certificates are issued, the client device creates a self-signed certificate by itself and uses it as its own client certificate, and the certificate authority certificate issuing device issues a linkage electronic certificate that links its root certificate to the self-signed client certificate received from the client device. When the client device applies an electronic signature to electronic data, it creates signed electronic data by signing the electronic data to be signed with the private key corresponding to the self-signed client certificate (the client's private key), and forms a set of the root certificate, the linkage certificate, the client certificate and the signed electronic data. When the verification device verifies this data, it verifies the client certificate, the linkage certificate and the root certificate in addition to the electronic signature.

Further, when the certificate authority issuing device that issued the linkage certificate is changed, the new certificate authority certificate issuing device issues a linkage certificate that links its own root certificate to the client device's existing client certificate. When the client device applies an electronic signature to electronic data, it creates signed electronic data by signing the electronic data with the private key corresponding to the existing client certificate (the client's existing private key), and forms a set of the new root certificate, the new linkage certificate, the existing client certificate and the signed electronic data. When the verification device verifies this data, it verifies the client certificate, the linkage certificate and the root certificate in addition to the electronic signature.

The data sent from the client device to the verification device need not bundle the root certificate, linkage certificate, client certificate and signed electronic data into one unit; each item of information may instead be obtainable from the signed electronic data. Likewise, the certificates need not be stored inside the client device; they may be stored in another device so that a device that needs a certificate's information can obtain it when required.

According to the above aspect, the client device signs electronic data with the private key corresponding to the self-signed certificate (client certificate) it created itself. Even if the client changes carriers, only the root certificate and the linkage certificate issued by the certificate authority certificate issuing device need to be changed; signatures can still be generated and verified without changing the self-signed certificate (client certificate) under which the electronic data was signed.

Also, because the client certificate is not revoked when the carrier is changed, electronic contracts signed before the carrier change remain verifiable as signed electronic data after the change, so procedures such as re-signing contracts become unnecessary.

According to the present invention, a client can keep using a previously used client certificate even after changing the certificate authority that serves as its trust point, which improves convenience.

An embodiment of the present invention is described below with reference to the drawings. The present invention is not limited by this embodiment.

FIG. 1 is a network configuration diagram to which an embodiment of the present invention is applied. As shown in FIG. 1, the system of this embodiment consists of a certificate authority certificate issuing device 10, a client device 20 and a verification device 30 connected to one another via a communication network 40 such as the Internet (hereinafter "network"). In FIG. 1, to make clear that there are several certificate authority certificate issuing devices, they are labelled A certificate authority certificate issuing device 10(1) and B certificate authority certificate issuing device 10(2).

Certificate authority certificate issuing device 10 issues a linkage certificate that links its root certificate, which is its own self-signed certificate, to a client certificate issued by a client device. If necessary it revokes the linkage certificate and creates or updates revocation information. It also answers validity check requests from verification device 30 with the validity of the linkage certificate. As shown in FIG. 2, certificate authority certificate issuing device 10 includes a certificate creation unit 102 that creates root certificates and linkage certificates, a revocation list creation unit 103 that creates and updates certificate revocation information, a private key 105 (the secret information used to sign certificates and revocation information), a revocation list 106 (the created or updated revocation information), a data transmission/reception unit 104 that sends and receives certificates, revocation lists and the like, and a control unit 101 that controls them.

Client device 20 issues a client certificate, which is its own self-signed certificate, sends it to certificate authority certificate issuing device 10 and requests issuance of a linkage certificate. Client device 20 also creates data to be signed and applies an electronic signature to it. As shown in FIG. 2, client device 20 includes a certificate creation unit 202 that issues the self-signed client certificate, a cryptographic operation unit 203 that applies electronic signatures to data to be signed, a private key 205 (the secret information used to sign the self-signed certificate and the data to be signed), a data transmission/reception unit 204 that sends and receives certificates, signed electronic data and the like, and a control unit 201 that controls them.

Verification device 30 receives signed electronic data and verifies its electronic signature. It also verifies each certificate (signature verification, validity period check, revocation check and so on). As shown in FIG. 2, verification device 30 includes a cryptographic operation unit 303 that verifies the electronic signature on signed electronic data, a certificate verification unit 302 that verifies certificates, a data transmission/reception unit 304 that sends and receives signed electronic data, revocation lists and the like, and a control unit 301 that controls them.

Each of certificate authority certificate issuing device 10, client device 20 and verification device 30 can be implemented, as shown in FIG. 3, on an information processing apparatus 50 in which a storage medium 57, a reader 51 for storage medium 57, a semiconductor primary storage device 52 (hereinafter "memory"), an input/output device 53, a CPU 54, a secondary storage device 55 such as a hard disk (hereinafter "storage device") and a communication device 56 are connected by an internal communication line 58 such as a bus (hereinafter "bus").

The cryptographic operation units 203 and 303, certificate creation units 102 and 202, revocation list creation unit 103, certificate verification unit 302, data transmission/reception units 104, 204 and 304, and control units 101, 201 and 301 described above are realized on each device by CPU 54 executing a program stored in that device's memory 52 or storage device 55. These programs, private keys 105 and 205, and revocation list 106 may be stored in storage device 55, or may be loaded into information processing apparatus 50 when needed via the removable storage medium 57 or a communication medium (network 40, or a carrier wave on network 40).

An outline of the system of this embodiment is described below with reference to the drawings.

As shown in FIG. 7, certificate authority certificate issuing device 10 creates in advance a root certificate, which is a self-signed certificate (step 001, written S001; likewise hereinafter).

As shown in FIG. 5, client device 20 creates a self-signed certificate (client certificate) 71 by signing, with its own private key 205, information such as a version number, the certificate authority name (the name of client device 20 or of its owner), a serial number, a validity period, the name of the owner of the public key certificate (client device 20 or its owner) and the public key (S002). It then sends self-signed certificate (client certificate) 71 to certificate authority certificate issuing device 10 and requests issuance of a linkage certificate (S003).

Certificate authority certificate issuing device 10 checks and examines the content of the linkage certificate issuance request from client device 20 (S004) and, if there is no problem, computes the hash value of self-signed certificate (client certificate) 71 received from client device 20 (S005). As further shown in FIG. 5, certificate authority certificate issuing device 10 then creates a linkage certificate 90 by signing, with its private key 105, information such as a version number, the certificate authority name (the name of certificate authority certificate issuing device 10), a serial number, a validity period, the name of the owner of the linkage certificate (client device 20 or its owner) and the hash value computed in S005 (S006), and sends root certificate 60 and linkage certificate 90 to client device 20.

If private key 205 managed by client device 20 is compromised, for example by leakage, and the linkage certificate must be revoked, client device 20 sends a linkage certificate revocation request to certificate authority certificate issuing device 10 (S007). Certificate authority certificate issuing device 10 checks and examines the request (S008), collects the information needed for revocation checking, such as the version number, certificate authority name, serial number and revocation date and time of the linkage certificate to be revoked, and creates or updates the revocation list (S008). To ensure its validity, the revocation list is assumed to be signed with private key 105 of certificate authority certificate issuing device 10.

When client device 20 changes certificate authority certificate issuing device 10 (here the device before the change is A certificate authority certificate issuing device 10(1) and the device after the change is B certificate authority certificate issuing device 10(2)), client device 20 sends its existing self-signed certificate (client certificate) 71 to B certificate authority certificate issuing device 10(2) and requests issuance of a linkage certificate (S003). B certificate authority certificate issuing device 10(2) is assumed to have created its own root certificate in advance as well (S001).

B certificate authority certificate issuing device 10(2) checks and examines the content of the linkage certificate issuance request from client device 20 (S004) and, if there is no problem, computes the hash value of self-signed certificate (client certificate) 71 received from client device 20 (S005). As further shown in FIG. 6, B certificate authority certificate issuing device 10(2) then creates a linkage certificate 91 by signing, with its private key 105, information such as a version number, the certificate authority name (the name of B certificate authority certificate issuing device 10(2)), a serial number, a validity period, the name of the owner of the linkage certificate (client device 20 or its owner) and the hash value computed in S005 (S006), and sends root certificate 61 and linkage certificate 91 to client device 20.

When an electronic signature is to be applied to an electronic contract or the like, as shown in FIG. 7, client device 20 creates the data to be signed (S011) and applies an electronic signature to it with its private key 205 (S012). Client device 20 then sends signed electronic data 81, which includes self-signed certificate (client certificate) 71, linkage certificate 90 and root certificate 60, to verification device 30 (S013).

When verification device 30 receives the signed electronic data and verifies its validity, as shown in FIG. 8, it first checks the validity periods of certificates 71, 90 and 60 (S020). If S020 passes, it extracts the public key of client device 20 from self-signed certificate (client certificate) 71 (S021) and verifies the electronic signature on self-signed certificate (client certificate) 71 with the public key obtained in S021, to confirm that the certificate itself is valid (S022). If S022 passes, it verifies the electronic signature on signed electronic data 81 with the public key obtained in S021 (S023). If S023 passes, it extracts the public key of certificate authority certificate issuing device 10 from root certificate 60 (S024) and verifies the electronic signature on root certificate 60 with the public key obtained in S024, to confirm that the root certificate itself is valid (S025).

If S025 passes, verification device 30 computes the hash value of self-signed certificate (client certificate) 71, compares it with the hash value recorded in linkage certificate 90 and confirms that the two are equal (S026). If S026 passes, it verifies the electronic signature on linkage certificate 90 with the public key of certificate authority certificate issuing device 10 obtained in S024 (S027). If S027 passes, it sends a validity check request to certificate authority certificate issuing device 10 to determine whether linkage certificate 90 has been revoked (S028).

On receiving the validity check request for linkage certificate 90 from verification device 30, certificate authority certificate issuing device 10 sends revocation list 106 to verification device 30 (S029).

The verification device 30, having received the revocation list, verifies the signature on the revocation list with the public key of the certificate authority certificate issuing device 10 obtained in S024 in order to confirm the legitimacy of the revocation list, and further confirms that the linkage certificate 90 does not appear in the revocation list (S030). If S030 passes, the signed electronic data is regarded as valid (S031); otherwise it is regarded as invalid (S032), and processing ends.

As described above, according to the present embodiment, the client device 20 applies an electronic signature to electronic data with the private key 205 corresponding to the self-signed certificate (client certificate) 71 that it created itself. Therefore, even when the client switches from certificate authority certificate issuing device A 10(1) to certificate authority certificate issuing device B 10(2), it is sufficient to replace the root certificate 60 and linkage certificate 90 issued by certificate authority certificate issuing device A 10(1) with the root certificate 61 and linkage certificate 91 issued by certificate authority certificate issuing device B 10(2); signatures can be generated and verified without changing the self-signed certificate (client certificate) 71 with which the electronic data was signed.

Furthermore, even when the client switches from certificate authority certificate issuing device A 10(1) to certificate authority certificate issuing device B 10(2), the self-signed certificate (client certificate) 71 is not revoked, so electronic contracts and the like signed before the switch can still be verified after it, and procedures such as re-signing the contract become unnecessary.
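The FIG. 8 verification flow (S020 to S032) and the certificate authority switch described above, worked through as an added example that is not part of the patent. Textbook RSA over tiny fixed primes stands in for the real signature scheme so the code runs offline, and the certificate field layouts, the step-label return values and the helper names (`self_sign`, `issue_link`, `verify_signed_data`) are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the signature scheme so the example runs offline:
# textbook RSA over tiny fixed primes. Not a substitute for a real library.
def keypair(p, q, e=17):                    # returns (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))
def h(data: bytes, n: int) -> int:          # SHA-256 of data, reduced mod n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data: bytes) -> int:
    return pow(h(data, priv[0]), priv[1], priv[0])
def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h(data, pub[0])

@dataclass
class Cert:          # root certificate 60/61 and self-signed client certificate 71
    subject: str; pub: tuple; not_before: int; not_after: int; sig: int = 0
    def tbs(self) -> bytes:                 # the signed (to-be-signed) fields
        return f"{self.subject}|{self.pub}|{self.not_before}|{self.not_after}".encode()

@dataclass
class LinkCert:      # linkage certificate 90/91: root id, client id, hash of client cert
    serial: int; root_id: str; client_id: str; client_hash: str
    not_before: int; not_after: int; sig: int = 0
    def tbs(self) -> bytes:
        return f"{self.serial}|{self.root_id}|{self.client_id}|{self.client_hash}|{self.not_before}|{self.not_after}".encode()

def self_sign(subject, pub, priv, nb, na) -> Cert:
    c = Cert(subject, pub, nb, na)
    c.sig = sign(priv, c.tbs())
    return c
def cert_hash(c: Cert) -> str:              # hash over the whole client certificate
    return hashlib.sha256(c.tbs() + str(c.sig).encode()).hexdigest()
def issue_link(ca_priv, root, client, serial, nb, na) -> LinkCert:
    lc = LinkCert(serial, root.subject, client.subject, cert_hash(client), nb, na)
    lc.sig = sign(ca_priv, lc.tbs())
    return lc
def crl_bytes(revoked) -> bytes:            # revocation list 106, as signed by the CA
    return ",".join(map(str, sorted(revoked))).encode()

def verify_signed_data(data, data_sig, client, link, root, crl, crl_sig, now):
    """FIG. 8 flow: returns 'S031' (valid) or the first failed step (=> S032)."""
    if any(not c.not_before <= now <= c.not_after for c in (client, link, root)):
        return "S020"                                   # validity periods
    if not verify(client.pub, client.tbs(), client.sig):
        return "S022"                                   # S021/S022: client self-signature
    if not verify(client.pub, data, data_sig):
        return "S023"                                   # signature on the data
    if not verify(root.pub, root.tbs(), root.sig):
        return "S025"                                   # S024/S025: root self-signature
    if cert_hash(client) != link.client_hash:
        return "S026"                                   # hash binds linkage cert to client cert
    if not verify(root.pub, link.tbs(), link.sig):
        return "S027"                                   # CA signature on the linkage cert
    if not verify(root.pub, crl_bytes(crl), crl_sig) or link.serial in crl:
        return "S030"                                   # S028-S030: CRL bad or cert revoked
    return "S031"
```

Switching from certificate authority A to B is then only a new `self_sign` for root 61 and a new `issue_link` under B's key against the unchanged client certificate 71; an old signature over the data verifies again through the new chain.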

The present invention is not limited to the embodiment described above; various modifications are possible within the scope of its gist.

For example, in S006 of FIG. 7 the certificate authority certificate issuing device 10 sends the root certificate 60 and linkage certificate 90 to the client device 20, and in S013 the client device 20 sends the verification device 30 the signed electronic data 81 including the self-signed certificate (client certificate) 71, the linkage certificate 90 and the root certificate 60. Alternatively, the certificates 71, 90 and 60 may be stored in a separate device accessible to the certificate authority certificate issuing device 10, the client device 20 and the verification device 30, so that each device 10, 20, 30 can retrieve the certificates 71, 90, 60 it needs as required.

FIG. 1 is a diagram illustrating the network configuration in one embodiment.

FIG. 2 is a diagram showing an example configuration of the certificate authority certificate issuing device, client device and verification device shown in FIG. 1.

FIG. 3 is a diagram showing an example hardware configuration of the certificate authority certificate issuing device, client device and verification device shown in FIG. 1.

FIG. 4 is a diagram showing the contents of, and relationships among, the client certificate, root certificate and signed electronic data in a conventional scheme.

FIG. 5 is a diagram (part 1) showing the contents of, and relationships among, the client certificate, linkage certificate, root certificate and signed data in one embodiment.

FIG. 6 is a diagram (part 2) showing the contents of, and relationships among, the client certificate, linkage certificate, root certificate and signed data in one embodiment.

FIG. 7 is a workflow diagram illustrating the certificate issuance, revocation and signature generation processing in one embodiment.

FIG. 8 is a workflow diagram illustrating the signature verification processing in one embodiment.

Explanation of symbols

10: certificate authority certificate issuing device, 20: client device, 30: verification device, 40: network, 50: information processing device, 51: reading device, 52: memory, 53: input/output device, 54: CPU, 55: storage device, 56: communication device, 57: storage medium, 58: bus, 60: root certificate, 70, 71: client certificate, 80, 81: signed electronic data, 90, 91: linkage certificate, 101, 201, 301: control unit, 102, 202: certificate creation unit, 103: revocation list creation unit, 104, 204, 304: data transmission/reception unit, 105, 205: private key, 106: revocation list, 203, 303: cryptographic operation unit, 302: certificate verification unit

Claims (6)

A method for issuing, using and verifying an electronic certificate in a system comprising a certificate authority certificate issuing device that issues electronic certificates, a client device that applies electronic signatures to electronic data, and a verification device that verifies signed electronic data, wherein
the certificate authority certificate issuing device issues a root certificate attesting to the existence of the certificate authority certificate issuing device, and further issues a linkage certificate linking the root certificate with a client certificate attesting to the existence of the client device;
the certificate authority certificate issuing device revokes the linkage certificate as necessary and creates information for revocation checking;
the certificate authority certificate issuing device provides the information for revocation checking in response to a validity confirmation request for the linkage certificate from the verification device;
the client device issues the client certificate and requests the certificate authority certificate issuing device to issue the linkage certificate linking the client certificate with the root certificate;
the client device creates electronic data and creates signed electronic data by applying an electronic signature to the electronic data with the private key corresponding to the client certificate;
the verification device verifies the electronic signature on the signed electronic data using the client certificate; and
the verification device requests the certificate authority certificate issuing device to confirm the validity of the linkage certificate and confirms the legitimacy of the signed electronic data.
The method for issuing, using and verifying an electronic certificate according to claim 1, wherein
the certificate authority certificate issuing device creates the linkage certificate by applying an electronic signature, with the private key of the certificate authority certificate issuing device, to data describing the hash value of the client certificate and the relationship between the certificate authority certificate issuing device and the client device.
The method for issuing, using and verifying an electronic certificate according to claim 1, wherein
the client device has a function of issuing a self-signed certificate in which information indicating its own existence is bound to the public key of the client device under a public-key cryptosystem and an electronic signature is applied with the private key paired with that public key; the client device requests the certificate authority certificate issuing device to issue the linkage certificate; and the client device creates signed electronic data by applying an electronic signature to electronic data with the private key paired with the public key recorded in the self-signed certificate.
The method for issuing, using and verifying an electronic certificate according to claim 1, wherein
the verification device obtains the client certificate, linkage certificate and root certificate used in applying the electronic signature to the signed electronic data; verifies the electronic signature on the signed electronic data with the public key recorded in the client certificate; verifies the electronic signature on the client certificate with the public key recorded in the client certificate; verifies the electronic signatures on the linkage certificate and the root certificate with the public key recorded in the root certificate; compares the hash value recorded in the linkage certificate with the hash value of the client certificate; and confirms the validity of the linkage certificate with the certificate authority certificate issuing device.
An electronic certificate data format for a linkage certificate, in which an electronic signature is applied, with the private key corresponding to the public key recorded in the root certificate, to data including information identifying the root certificate issued by the certificate authority certificate issuing device, information identifying the client certificate issued by the client device, and information uniquely determining the client certificate.

An electronic signature data format for signed electronic data, in which an electronic signature is applied to electronic data with the private key paired with the public key recorded in the client certificate, the signed electronic data including the information of the client certificate, the linkage certificate and the root certificate.
JP2007090217A 2007-03-30 2007-03-30 Linkage electronic certificate issuing, utilization and verification system Pending JP2008252440A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2007090217A JP2008252440A (en) 2007-03-30 2007-03-30 Linkage electronic certificate issuing, utilization and verification system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2007090217A JP2008252440A (en) 2007-03-30 2007-03-30 Linkage electronic certificate issuing, utilization and verification system

Publications (1)

Publication Number Publication Date
JP2008252440A true JP2008252440A (en) 2008-10-16

Family

ID=39976885

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007090217A Pending JP2008252440A (en) 2007-03-30 2007-03-30 Linkage electronic certificate issuing, utilization and verification system

Country Status (1)

Country Link
JP (1) JP2008252440A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011091656A (en) * 2009-10-23 2011-05-06 Fujitsu Ltd Certificate authority device migration method, certificate authority device migration program, and certificate authority device
JP2013115619A (en) * 2011-11-29 2013-06-10 Chugoku Electric Power Co Inc:The Portable terminal and information protection method
JP2019053269A (en) * 2017-07-17 2019-04-04 AO Kaspersky Lab System and method for determining ballot of voter collected by electronic voting
JP2021179694A (en) * 2020-05-11 2021-11-18 Toppan Printing Co., Ltd. Management server, management system, management method, and program

