TW200805982A - Infrastructure of key authority in the XKMS (XML key management specification) - Google Patents

Infrastructure of key authority in the XKMS (XML key management specification) Download PDF

Info

Publication number
TW200805982A
TW200805982A TW95124957A TW95124957A TW200805982A TW 200805982 A TW200805982 A TW 200805982A TW 95124957 A TW95124957 A TW 95124957A TW 95124957 A TW95124957 A TW 95124957A TW 200805982 A TW200805982 A TW 200805982A
Authority
TW
Taiwan
Prior art keywords
key
markup language
message
extensible markup
voucher
Prior art date
Application number
TW95124957A
Other languages
Chinese (zh)
Other versions
TWI317597B (en
Inventor
Yung-Hsiang Liu
Ching-Wen Chang
Original Assignee
Formosoft Internat Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Formosoft Internat Inc filed Critical Formosoft Internat Inc
Priority to TW95124957A priority Critical patent/TWI317597B/en
Publication of TW200805982A publication Critical patent/TW200805982A/en
Application granted granted Critical
Publication of TWI317597B publication Critical patent/TWI317597B/en

Links

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An infrastructure of key authority in the XKMS (XML key management specification) includes: an X-KRSS (XML Key Registration Service Spec.) modules group receiving a request message from a communication link and outputting a key message to a CA (Certificate Authority) for a key authority, or generating a register message to a VA (Validation Authority); an X-KISS (XML Key Information Service Spec.) modules group receiving a request message from a user via the communication link for a public key's location and validation, and sending a key name or key certificate to the CA or VA, then the X-KISS responses a result and certificate to the user; and a database storing data and key information of the XKMS for the X-KRSS's and X-KISS's PKI processing.

Description

200805982 九、發明說明: 【發明所屬之技術領域】 本發明係有關一種金鑰憑證架構,特別是一種可延伸標示 語言金鑰管理規格(XML Key Management Specification,XKMS)之 金鑰憑證架構,可使一般使用者透過可延伸標示語言金鑰管理規袼 (XKMS)的網路服矛务(web services)到憑證管理中心(CA)申請 數位憑證或驗證憑證的有效性,以及將既有的數位憑證註冊到憑證驗 證中心(VA)或透過憑證驗證中心(VA)查詢及驗證使用者的憑證 是否有效與合法。 【先前技術】 可延伸標示語言(extensible Markup Language, XML)規格是由 『全球資訊網標準製定組織』(W3C)制定,並於1998年2月,成 為推薦規格。目前已有許多家廠商採用,且視為關鍵性技術。例如: Adobe,EBM,微軟,Netscape,Oracle,Sun及這個領域中的重要廠 商。目岫許多的新版的軟體,例如:Navigator,Internet Explorer及 RealPlayer,都已經在軟體内部使用可延伸標示語言(XML)的技術。 公開金鑰基礎建設(public Key Infrastructure,PKI)是運用公開 金鑰及憑證進行網路交易或傳輸,以提高安全性並確認對方身分之機 制。基本上,它必須雙方均同意相互信任其憑證機構及所簽發憑證, 並藉此進行身份核驗、數位簽章等相關應用,以提供資料完整性 (Integrity )、資料來源鑑別(Authentication )、資料隱密性 (Confidentiality)、不可否認性(N〇n_Repudiati〇n)等安全保證。 可延伸標示語言金鑰管理規格(XKMS)為W3C所提出來,以 可延伸標示語言(XML)為基礎的公開金鑰(public key)配置與註 冊的規袼,目標是提供公開金鑰配置及註冊的規範,並且結合可延伸 5 200805982 標示語言(XML)簽章標準及可延伸標示語言(χ^)加密法標準 的應用。该規袼主要制定了兩個協定,分別是可延伸標示語言金鑰資 訊服務規格(XML Key Information Service Spec” X-KISS)與可延伸 標示语a金鑰註冊服務規格(XML Key Registration Service Spec., X-KRSS)。可延伸標示語言金鑰資訊服務規格(X_KISS)主要定義 可供佗任服務機制所用之協定,其可將公開金鍮資訊置於可延伸標示 語言(XML)簽章元素中。使得使用者端可代理部份或全部處理金鑰 資讯元素所需的動作。此規格主要目的之一是減少使用者端應用程式 建置的複雜度,因此可以避免與公開金鑰基礎建設(PKI)之間建立 信任關係時的複雜度。可延伸標示語言金鑰註冊服務規格(X—KRSS) 定義了網路服務接受註冊公開金鑰資訊的協定,當金鑰完成註冊時, 此一公開金鑰便可以使用於連接其它符合可延伸標示語言金鑰資訊 服務規格(X-KISS)規範的網路服務(web services),其接受金鑰的 註冊、註銷及回覆。可延伸標示語言金鑰管理規格(XKMS)定義了 使用者端之網路服務(web services)與可延伸標示語言金鑰管理規格 (XKMS)主機端的協定,在可延伸標示語言金鑰管理規格(XKMS) 書中,只規定使用者端與可延伸標示語言金鑰管理規格(XKMS)伺 服器端之間的訊息格式,並沒有制訂出後端的公開金鑰基礎建設 (PKI)架構應如何界接。 【發明内容】 為了解決上述問題,本發明目的之一係提供一種可延伸 標示語言金鑰管理規格(XKMS)之金鑰憑證架構,其能夠而且安全 的界接憑證管理中心(CA)、註冊管理中心(ra),讓一般使用者可 以透過可延伸標示語言金鑰管理規格(XKMS)的網路服務(web services)方式到憑證管理中心(CA)申請數位憑證或驗證憑證的有 200805982 效性,以及將既有的數位憑證注冊到憑證驗證中心(VA)或經由憑 證驗證中心(VA)查詢及驗證使用者的憑證是否有效合法。 本發明目的之一係提供一種可延伸標示語言金鑰管理规格 (XKMS)之金鑰憑證架構,其註冊動作使得有金鑰或無金鑰之使用 者,能夠很方便的執行憑證簽發或憑證查詢驗證的功能,使驗證的過 程簡化。 本發明目的之一係提供一種可延伸標示語言金鑰管理規格 (XKMS)之金鑰憑證架構,透過可延伸標示語言金鑰管理規格 (XKMS)的介面’讓所有的網路服務(we]3Services)都能使用公開 金餘基礎建設(PKI)中憑證管理中心(CA)、註冊管理中心(RA)、 憑證驗證中心(VA)的功能,而不需透過特定的應用程式介面 (Application Programming Interface, API)。 為了達到上述目的,本發明一實施例之可延伸標示語言金 鍮管理規格(XKMS)之金鑰憑證架構,包括:一可延伸標示語言 金錄註冊服務模組(X-KRSS)群,其從一通訊網路接收一請求訊息 並對遠請求訊息提供一網路服務,最後產生一金鑰註冊訊息至一憑證 管理中心(CA)以簽發一金鑰憑證,或者產生一憑證註冊訊息至一 憑證驗證中心(VA)以將請求訊息登錄至該憑證驗證中心(VA); 一 可延伸標示語言金鑰資訊服務模組(X_KISS )群可由該通訊網路接收 一使用者提出之公開金鑰查詢及驗證之請求,然後產生一金鑰憑證查 洵驗澄息至憑證管理中心(CA),或透過憑證驗證中心(va)查詢 相對應之金餘憑證及金输憑證之有效性;以及一記憶體連接可延伸標 示語言金鑰註冊服務模組(X-KRSS)群及可延伸標示語言金鑰資訊 服務模組(x-kis s)群,可儲存可延伸標示語言金鑰管理規格(XKMS) 之金鑰憑證架構之資料。 7 200805982 【實施方式】 第-圖所示為本發明-實施例可延伸標示語言金錄管理規 袼(XKMS)之金錄憑證架構示意圖。於本實施例中,可延伸標 示語言金鑰管賴格(XKMS)之金·、證轉1G硕_可延伸桿 示語言金離舰務觀(X_KRSS) 12,其難―職睛,接收 -具有公開金鑰之使帛者31所提供之請魏息,並騎求訊息提供 網路服務,最後產生-金鑰註冊訊息至—憑證管理中心(ca) 22以 簽發-金鑰憑證,或者產生-憑證註冊訊息至—憑證驗證巾心(va) 23以將請求訊息登錄至憑證驗證中心(VA)幻,·另外,一外部之註 冊管理中心(RA)24亦可接收-具有公開金鑰之使用者%所提狀 請求訊息,經處理後傳送-可延伸標示語言(舰)袼式之 封包至可延伸標示語言金鑰註冊服務模組(1极沾)i2,使具有公 開金鑰之使用者32亦可經由註冊管理中心(^)24使用可延伸標示 語言金鑰註冊服務模組(X_KrSS) 12之網路服務。 另有一可延伸標示語言金鎗資訊服務模組(X-KISS) 14,由通訊 _接收-無金鑰之使用者33提出之金鑰錢及驗證之請求,其為 %可延伸標示語言(XML)格式之xwss封包,然後產生一金鍮憑 也查雜證訊息至憑證管理巾々(CA) 22,或透過該憑證驗證中心 (VA) 23查詢相對應之金鍮憑證及其有效性。 在實施例中,本發明之金鑰憑證架構建立在一伺服器上,〈司服 时上具有一資料庫16連接可延伸標示語言金鑰註冊服務模組 、(尤KRSS) 12及可延伸標示語言金鑰資訊服務模組(X-KISS) 14, 以,存可延伸標示語言金鑰管理規格之金鑰憑證架構1〇 =資料。另外,金鑰憑證架構使用無線網路或有線之網路,連接憑證 吕理中心(CA) 22、憑證驗證中心(VA) 23、註冊管理中心(RA) 24、無金鑰使用者33,以及使用者31。 200805982 一接續上述說日月,使用者31之請求訊息為一X4crss封包,其 ,一_ (reglste〇訊息、重發(rei隱)訊息、撤消(斷如)訊 心或恢復(recovery)訊息等。請參閱第二圖所示為可延伸桿示語言 金鑰註冊Μ模組U_KRSS) 12接用者31或註冊管^心^ 傳送之X_KRSS封包後之網路服務流程圖,包括:步驟s X-KRSS封包;步驟S22判別χ都s封包所顯示之公開金_類; 步驟S231若公開金鑰種類為可延伸標示語言金鑰管理規袼(X讀幻 之金鑰憑證雜核發之㈣公開金鑰,則傳送金鑰註冊封包至憑證管 理系統41,_證管理中心(CA) 22簽發金输憑證,最後將=输憑 證組成一回傳訊息給使用者31,或註冊管理中心(RA)24;步驟幻32 若公開金鑰種類為一外部公開金鑰,則傳送一憑證註冊封包至憑證驗 證系統42進行憑證註冊後,憑證驗證中心(VA) 23將一註冊回傳訊 息回傳給可延伸標示語言金鑰管理規格之金鑰憑證架構(xkms) 1〇 ’最後將註冊回傳訊息組成一回傳訊息給使用者31。 於上述實施例中,可延伸標示語言金鑰註冊服務模組 (X-KRSS)群12提供各種公開金鑰基礎建設(ρκι)功能,以對應 X-KRSS封包所指示之訊息,其功能包含: 註冊(Register)功能:讓使用者31可以註冊自己的公開金鑰 (public key)的資訊,如 key name, key value, X509Cert, X509CertChain…等的資訊,而且也提供使用者31產生的金鑰 (key)或是註冊管理中心(ra)之伺服器端產生金鑰(key) 的註冊服務,此外還提供使用者申請憑證的服務。當可延伸標示 語言金鑰管理規格(XKMS)之金鑰憑證架構10收到註冊 (Register)要求時,將可延伸標示語言(xml)訊息解開後, 依照標籤“Keylnfo”之值自動判別使用者提供的資料,若為「金 鑰註冊」,則經由憑證管理程式介面(CA-API)呼叫憑證管理系 統41將金鑰註冊到憑證管理中心22,而憑證管理中心22將回 傳金鑰憑證;若為「憑證註冊」,則經由多憑證驗證程式介面 9 2〇〇8〇5982 (VA-API)使用多憑證驗證系統42,進行使用者憑證登記,將 憑證寫入憑證驗證中心(VA) 23之資料庫中,以作為可延伸標 示語言金鑰資訊服務模組(X-KISS) 14查詢時的依據,然後將 成功與否的訊息,回傳給可延伸標示語言金鑰管理規袼(XKMS) 之金鑰憑證架構’再組成回傳訊息(ReSp〇nse )回傳給使用者3 ^、 32 ; 重發(Reissue)功能:提供給使用者重新發給憑證與更新相關 key的資訊。當可延伸標示語言金鑰管理規袼(XKMS)之金鑰 憑證架構10收到重發(Reissue)要求,將可延伸標示語言 汛息解開後,經由憑證管理程式介面(CA-API)呼叫憑證管理 系統41,重新簽發憑證,然後將成功與否的訊息,回傳給可延 伸標示浯§金鑰管理規袼(XKMS)之金錄憑證架構1〇,再組成 回傳訊息(Response)回傳給使用者31、32 ; 撤銷(Revoke)功能:提供給使用者要撤銷相關憑證的服務;當 可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構收到撤 銷(Revoke)要求,將可延伸標示語言訊息解開後,依照標 籤’’Keylnfo”之值自動判別使用者提供的資料,若為内部的憑證 撤銷,則經由憑證管理程式介面(CA-API)呼叫憑證管理系統 41將金鑰憑證撤銷,並登記到憑證註銷清單(Certificate Revocation List ’ CRL)中;若為其他外部之的憑證撤銷,則經由 多憑證驗證程式介面(VA-API)使用多憑證驗證系統42,註銷 使用者憑證,將憑證由憑證驗證中心(VA ) 23之資料庫中註銷, 然後將成功與否的訊息,回傳給可延伸標示語言金鑰管理規格 (XKMS)之金鑰憑證架構,再組成回傳訊息(Resp〇nse)回傳 給使用者31、32 ;以及 恢復(Recovery)功能:提供給使用者重新產生RSA (Rivest、 Shamir和Adelman)對稱金鑰(key pair)或是更新對稱金鑰(key 200805982 pair)的服務。當可延伸標示語言金鑰管理規格(xkms)之金 鑰憑證架構收到恢復(Rec〇very)要求,將可延伸標示語言(腿) 訊息解開後,經由憑證管理程式介面呼叫憑證管理 糸、、先41重新簽發憑證,然後將成功與否的訊息,回傳給可延 伸標示語言金鑰管理規格(XKMS)之金餘憑證架構,再組成回 傳訊息(Response)回傳給使用者31、32。 接績上述說明,使用者33所提供之公開金鑰查詢要求為一 x-kiss封包,其為一搜尋(locate)訊息或驗證(validate)訊息等。 請參閱第三圖所示為可延伸標示語言金餘資訊服務模組(x_Klss)i4 處理公開金餘查詢要求流程圖,包括:步驟S31解析X_KISS封包; 步驟S32判別X-KISS封包所顯示之公開金鑰種類;步驟S331若公 開金鑰種類為可延伸標示語言金鑰管理規袼(XKMS)之金鑰憑證架 構核發之内部公開金鑰,則傳送金鑰註冊封包至一憑證管理系統51, 由憑證管理中心(CA) 22簽發金鑰憑證,最後將該憑證組成一回傳 訊息給使用者33 ,或註冊管理中心(RA)23 ;步驟S332若公開金鑰 種類為一外部公開金鑰,則傳送憑證註冊封包至一憑證驗證系統52 進行憑證註冊後,憑證驗證中心(VA) 23將一註冊回傳訊息回傳給 該可延伸標示語言金鑰管理規袼(XKMS)之金鑰憑證架構,最後將 註冊回傳訊息組成一回傳訊息;以及步驟S35將回傳訊息傳送給無金 鑰之使用者33。 於上述實施例中,可延伸標示語言金鑰資訊服務模組 (X-KISS) 14提供各種公開金鑰基礎建設(ρκι)功能對應X_KISS 封包所指示之訊息,包含: 搜哥(Locate )功能:讓使用者可以利用一些公開金鑰(pUbHc key ) 的資訊,如key name, X509Cert…等的資料來找到公開金鑰值 (public key value)。當可延伸標示語言金鑰管理規格(XKMS) 金鑰憑證架構收到搜尋(Locate)要求,將可延伸標示語言(xml) 11 200805982 汛息解開後,依照標籤”Keylnfo”之值自動判別種類,若為内部 之金鑰,則經由憑證管理程式介面(CA-APU使用憑證管理系 統51 ;若為外部之金鑰,則經由多憑證驗證程式介面 使用憑tr丘驗e丘糸統52,進行主機認證、憑證查詢後,將憑證回 傳給可延伸標示語言金鑰管理規格(XKMS)金鑰憑證架構,再 組成回傳訊息(Response)回傳給使用者33或憑證管理中心(CA) 22 〇 驗證(Validate)功能:則是除了憑證的查詢外,再提供給使用 者查詢金鑰憑證是否有效的驗證。當可延伸標示語言金鑰管理規 格(XKMS)金鑰憑證架構收到驗證(Validate)要求後,將可 延伸標示語言(XML)訊息解開後,依照標籤”Keyinf0,,之值自 動判別種類,若為内部所發行之金鑰,則經由憑證管理程式介面 (CA-API)使用憑證管理系統51 ;若為外部所發行之金餘,則 經由多憑證驗證程式介面(VA-API)使用憑證驗證系統52,進 行主機認證、憑證查詢及驗證後,將憑證回傳給可延伸標示語言 金输管理規格(XKMS)金鍮憑證架構,再組成回傳訊息 (Response)回傳給使用者33。 公開金鑰基礎建設(PKI)在網路服務(web services)上是重要 的,包括認證、簽驗章等,但是對很多應用來說相當複雜。本發明 特徵之一為可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架 構簡化了很多公開金鑰基礎建設(PKI)的整合工作,而把這些工作 交給可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構之主機 來做,此外,公開金鑰基礎建設(PKI)對很多小型裝置來說太沉重 了,可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構把很 多公開金鑰基礎建設(ΡΚΙ)運算的過程都交給可延伸標示語言金鑰 管理規袼(XKMS)之金鑰憑證架構主機處理,減低小型裝置的運算 量,可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構之主機 提供了使用者在網路服務上一個金鑰管理的信任服務,透過金鑰憑證 12 200805982 « 架構的介面,讓所有的網路服務(web services)都能使用PKI中憑證 管理中心(CA)、註冊管理中心(RA)、憑證驗證中心(VA)的功能, 而不需透過特定的應用程式介面(API)。 本系統主要特徵在將可延伸標示語言金鑰管理規格(XKMS)協 定在實務上與憑證管理中心(CA)、憑證驗證中心(VA)做一個結合, 使得可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構能不單 單只是網路服務(Web Services)世界中的註冊管理中心(RA),而 可以成為一個多功能的金鍮管理系統,結合憑證管理中心(CA)、註 冊管理中心(RA)及憑證驗證中心(VA)的應用程式介面(API), 使得可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構能夠一 次整合内部憑證管理中心(CA)及透過憑證驗證中心(VA)整合外 部憑證管理中心(CA),完成註冊管理中心(RA)及多憑證的驗證 系統,透過應用程式介面(API)的使用,讓實作的過程簡化,達到 模組化容易維護的效果。 以上所述之實施例僅係為說明本發明之技術思想及特 點’其目的在使熟習此項技藝之人士能夠瞭解本發明之内容 並據以實施,當不能以之限定本發明之專利範圍,即大凡依 本發明所揭示之精神所作之均等變化或修飾,仍應涵蓋在本 發明之專利範圍内。 【圖式簡單說明】 第一圖所示為根據本發明一實施例之可延伸標示語言金鑰管理 規袼之金鑰憑證架構示意圖。 第二圖所示為根據本發明一實施例之可延伸標示語言金鑰註冊服 , 務模組群之網路服務流程圖。 . 第三圖所示為根據本發明一實施例之可延伸標示語言金鑰資訊服 13 200805982 務規格模組處理公開金鑰查詢要求流程圖。 【主要元件符號說明】 10 金鑰憑證架構 12 可延伸標示語言金鑰註冊服務模組 14 可延伸標示語言金鑰資訊服務模組 16 資料庫 3卜 32、33 使用者 22 憑證管理中心 23 憑證驗證中心 24 註冊管理中心 S21〜S25 為可延伸標示語言金鑰註冊服務模組群之網路服務 流程步驟 41 憑證管理系統 42 多憑證驗證系統 S31〜S35 為可延伸標示語言金鑰資訊服務規格模組處理公開 金鑰查詢要求流程步驟 51 憑證管理系統 52 多憑證驗證系統 14200805982 IX. Description of the invention: [Technical field of the invention] The present invention relates to a key certificate architecture, in particular to a key certificate architecture of an XML Key Management Specification (XKMS). The general user applies for the validity of the digital voucher or verification voucher through the Web services of the Extensible Markup Language Key Management (XKMS) to the voucher management center (CA), and the existing digital voucher Register with the Voucher Verification Center (VA) or through the Voucher Verification Center (VA) to query and verify that the user's credentials are valid and legal. [Prior Art] The extensible Markup Language (XML) specification was developed by the World Wide Web Standards Development Organization (W3C) and became the recommended specification in February 1998. It has been adopted by many manufacturers and is regarded as a key technology. For example: Adobe, EBM, Microsoft, Netscape, Oracle, Sun and important manufacturers in this field. Many newer versions of software, such as Navigator, Internet Explorer and RealPlayer, have been used in the software to extend the markup language (XML). Public Key Infrastructure (PKI) is a mechanism for using the public key and credentials for online transactions or transmissions to improve security and confirm the identity of the other party. Basically, it must both agree to trust each other's vouchers and the issued vouchers, and use them to conduct identity verification, digital signature and other related applications to provide information integrity (Integrity), data source authentication (Authentication), data hiding Security guarantees such as Confidentiality and Non-repudiation (N〇n_Repudiati〇n). The Extensible Markup Language Key Management Specification (XKMS) is a W3C proposed public key configuration and registration based on Extensible Markup Language (XML). The goal is to provide public key configuration and The specification of the registration, combined with the extension of the 5 200805982 Markup Language (XML) Signature Standard and the Extensible Markup Language (χ^) encryption standard. The rules mainly establish two agreements, namely XML Key Information Service Spec (X-KISS) and Extensible Marker a Key Key Registration Service Spec. , X-KRSS). The Extensible Markup Language Key Information Service Specification (X_KISS) primarily defines the agreements that can be used by the Service Mechanism to place publicly available information in the Extensible Markup Language (XML) signature element. Enables the client to proxy some or all of the actions required to process the key information element. One of the main purposes of this specification is to reduce the complexity of client application builds, thus avoiding public key infrastructure The complexity of establishing a trust relationship between (PKI). The Extensible Markup Language Key Registration Service Specification (X-KRSS) defines an agreement for a network service to accept registration public key information. When the key is registered, this one The public key can be used to connect to other web services that conform to the Extensible Markup Language Key Service Specification (X-KISS) specification, which accepts Key registration, deregistration, and reply. The Extensible Markup Language Key Management Specification (XKMS) defines the agreement between the client's web services and the XKMS host. The Extended Markup Language Key Management Specification (XKMS) only specifies the format of the message between the client and the XKMS server, and does not develop a public key infrastructure for the backend. SUMMARY OF THE INVENTION In order to solve the above problems, one of the objects of the present invention is to provide a key certificate architecture of an Extensible Markup Language Key Management Specification (XKMS), which can be and securely interfaced. The Credential Management Center (CA) and the Registration Management Center (RA) allow general users to apply for digital certificates through the Web Services of the Extensible Markup Language Key Management Specification (XKMS) to the Credential Management Center (CA). Or verify that the voucher has 200805982 validity, and register the existing digital voucher to the voucher verification center (VA) or through the voucher verification center (VA) Verifying that the user's credentials are valid and legal. One of the objects of the present invention is to provide a key certificate architecture for the Extensible Markup Language Key Management Specification (XKMS), the registration action of which enables a user with or without a key to be able to It is convenient to perform the function of voucher issuance or voucher inquiry verification, which simplifies the verification process. One of the objects of the present invention is to provide a key certificate structure of the Extensible Markup Language Key Management Specification (XKMS) through the extensible markup language gold. The Key Management Specification (XKMS) interface 'allows all network services (we)3Services) to use the Public Certificate Infrastructure (PKI) Credential Management Center (CA), Registration Authority (RA), and Credential Verification Center ( VA) functionality without the need for a specific application programming interface (API). In order to achieve the above object, an extensible markup language management specification (XKMS) key certificate structure according to an embodiment of the present invention includes: an extensible markup language registration service module (X-KRSS) group, which A communication network receives a request message and provides a network service for the far request message, and finally generates a key registration message to a certificate management center (CA) to issue a key certificate, or generates a voucher registration message to a voucher verification The center (VA) registers the request message with the voucher verification center (VA); an extensible markup language key information service module (X_KISS) group can receive a public key query and verification by the user from the communication network. Request, and then generate a key certificate to check the certificate to the voucher management center (CA), or through the voucher verification center (va) to check the validity of the corresponding gold voucher and the gold voucher; and a memory connection can be Extended Markup Language Key Registration Service Module (X-KRSS) Group and Extensible Markup Language Key Information Service Module (x-kis s) group for storing Extensible Markup Language Keys Information on the key certificate structure of the specification (XKMS). 7 200805982 [Embodiment] FIG. 1 is a schematic diagram showing the architecture of the golden record voucher of the Extensible Markup Language Recording Management (XKMS) of the present invention. In this embodiment, the gold of the XKMS can be extended to mark the language, and the card is transferred to the 1G master. The extension can show the language of the ship to the ship (X_KRSS) 12, which is difficult to focus on, receive - Have the public key to provide the request, and ride the message to provide the network service, and finally generate the key registration message to the certificate management center (ca) 22 to issue the key certificate, or generate - voucher registration message to - voucher verification towel (va) 23 to log the request message to the voucher verification center (VA), in addition, an external registration management center (RA) 24 can also receive - with a public key The request message sent by the user % is processed, and the packet of the extension-markable language (ship) type is transmitted to the extensible markup language key registration service module (1 pole) i2, so that the use of the public key is enabled. The user 32 can also use the Extensible Markup Language Key Registration Service Module (X_KrSS) 12 network service via the Registry (^) 24. There is also an extendable markup language Golden Gun Information Service Module (X-KISS) 14, a request for the key money and verification by the user of the communication_received-no-key, which is a % extensible markup language (XML) The xwss packet of the format is then generated by a voucher to check the miscellaneous message to the voucher management device (CA) 22, or through the voucher verification center (VA) 23 to query the corresponding voucher and its validity. In an embodiment, the key certificate architecture of the present invention is established on a server, and has a database 16 connected to an extendable markup language key registration service module, (KRSS) 12 and an extendable identifier. The Language Key Information Service Module (X-KISS) 14 has a key certificate structure that can be extended to mark the language key management specification. In addition, the key credential architecture uses a wireless network or a wired network to connect to the Credential Center (CA) 22, the Credential Verification Center (VA) 23, the Registration Authority (RA) 24, the Keyless User 33, and User 31. 200805982 The continuation of the above-mentioned day and month, the user 31's request message is an X4crss packet, which is a _ (reglste〇 message, resend (rei) message, undo (break) message or recovery message, etc. Please refer to the second figure for the extension of the language key registration module U_KRSS) 12 receiver 31 or the registration tube ^ heart ^ transmitted X_KRSS packet network service flow chart, including: step s X - KRSS packet; step S22 discriminates the public gold _ class displayed by the χ s packet; step S231 if the public key type is an extensible markup language key management rule (X read illusion key certificate nucleus issued (4) public gold The key is transmitted to the voucher management system 41, the certificate management center (CA) 22 issues a voucher, and finally the v=0 is composed of a return message to the user 31, or a registration management center (RA) 24 Step Magic 32 If the public key type is an external public key, after transmitting a voucher registration packet to the voucher verification system 42 for voucher registration, the voucher verification center (VA) 23 returns a registration return message to the extendable Markup language key management rules The key certificate structure (xkms) 1〇' finally registers the backhaul message into a backhaul message to the user 31. In the above embodiment, the extensible markup language key registration service module (X-KRSS) group 12 provides various public key infrastructure (ρκι) functions to correspond to the information indicated by the X-KRSS packet, and its functions include: Register function: allows user 31 to register his own public key (public key) Information, such as key name, key value, X509Cert, X509CertChain..., etc., and also provides the key generated by the user 31 or the registration of the server (ra) of the registry (ra) The service, in addition, provides a service for the user to apply for a voucher. When the certificate authority 10 of the Extensible Markup Language Key Management Specification (XKMS) receives the registration request, the extensible markup language (xml) message is unpacked. After that, the user-provided data is automatically determined according to the value of the label "Keylnfo". If it is "key registration", the key is registered to the certificate via the credential management program interface (CA-API) call credential management system 41. The certificate management center 22, and the voucher management center 22 will return the key certificate; if it is "voucher registration", the multi-voucher verification system 42 is used via the multi-voucher verification program interface 9 2〇〇8〇5982 (VA-API), The user credentials are registered, and the voucher is written into the database of the voucher verification center (VA) 23 as the basis for the query of the extensible markup language key information service module (X-KISS) 14 and then succeeded or not. The message is passed back to the Keyword Credential Scheme (XKMS) of the Extensible Markup Language Key Management (XKMS) and then back to the user 3^, 32; Reissue function : Provides the user with information to re-issue the voucher and update the relevant key. When the Extensible Markup Key Management Rule (XKMS) key certificate architecture 10 receives the Reissue request, the Extensible Markup Language message is unpacked and then called through the Credential Manager Interface (CA-API). The voucher management system 41 re-issues the voucher, and then returns the success or failure message to the extensible mark 浯 金 Key Management Rule (XKMS) vouchers structure 1 〇, and then forms a return message (Response) Passed to users 31, 32; Revoke function: provides the user with the service to revoke the relevant credentials; when the Keyword Credential Architecture of the Extensible Markup Language Key Management Specification (XKMS) receives the Revoke request, After the extensible markup language message is unpacked, the data provided by the user is automatically determined according to the value of the tag ''Keylnfo'', and if the internal voucher is revoked, the voucher management program interface (CA-API) is used to call the voucher management system 41. The key certificate is revoked and registered in the Certificate Revocation List 'CRL'; if it is revoked for other external documents, it is passed through the multi-credential verification program interface (VA-API) With the multi-voucher verification system 42, the user credentials are revoked, the credentials are logged out of the database of the voucher verification center (VA) 23, and the success or failure message is transmitted back to the Extensible Markup Language Key Management Specification (XKMS). The key certificate structure, which is composed of a return message (Resp〇nse), is transmitted back to the user 31, 32; and a recovery function: the user is provided with a RSA (Rivest, Shamir, and Adelman) symmetric key ( Key pair) or a service that updates the symmetric key (key 200805982 pair). When the key certificate architecture of the extendable markup language key management specification (xkms) receives a recovery (Rec〇very) request, the markup language is extended ( After the message is unpacked, the voucher is managed via the voucher management program interface, and the voucher is re-issued, and then the message of success or failure is transmitted back to the exaggerated markup language key management specification (XKMS). The architecture then reassembles the reply message (Response) back to the user 31, 32. According to the above description, the public key query request provided by the user 33 is an x-kiss packet, which is a search (loca). Te) message or verification (validate) message, etc. Please refer to the third figure for the extensible markup language information service module (x_Klss) i4 processing public information query requirements flow chart, including: step S31 parsing X_KISS packet; Step S32 discriminates the public key type displayed by the X-KISS packet; and if the public key type is the internal public key issued by the key certificate structure of the Extensible Markup Language Key Management (XKMS), the transfer key is transmitted in step S331. The key registration packet is sent to a voucher management system 51, and the voucher is issued by the voucher management center (CA) 22, and finally the voucher is combined into a return message to the user 33 or the registration management center (RA) 23; if the step S332 is disclosed The key type is an external public key, and after the voucher registration packet is transmitted to a voucher verification system 52 for voucher registration, the voucher verification center (VA) 23 returns a registration return message to the extensible markup language key management. The key certificate structure of the XKMS is finally configured to form a backhaul message by registering the backhaul message; and the backhaul message is transmitted to the user 33 without the key by step S35. In the above embodiment, the extendable markup language key information service module (X-KISS) 14 provides various public key infrastructure (pκι) functions corresponding to the information indicated by the X_KISS packet, including: Locate function: Let users use some public key (pUbHc key) information, such as key name, X509Cert... and other data to find the public key value. When the Extensible Markup Language Key Management Specification (XKMS) key credential architecture receives the Locate request, the Extensible Markup Language (xml) 11 200805982 is released, and the type is automatically determined according to the value of the label "Keylnfo". If it is an internal key, it is used by the credential management program interface (CA-APU uses the credential management system 51; if it is an external key, it is used by the multi-credential verification program interface to use the truncation test After the host authentication and the voucher query, the voucher is sent back to the Extensible Markup Language Key Management Specification (XKMS) key credential structure, and then the return message is sent back to the user 33 or the credential management center (CA). Validation function: In addition to the query of the voucher, it is provided to the user to check whether the key certificate is valid. When the Extensible Markup Language Key Management Specification (XKMS) key certificate structure receives the verification (Validate) After the request, after the Extendable Markup Language (XML) message is unpacked, the type is automatically determined according to the value of the label "Keyinf0", and if it is an internally issued key, the certificate is passed through The CA-API uses the credential management system 51; if it is externally issued, the voucher verification system 52 is used via the multi-voucher verification program interface (VA-API) for host authentication, voucher query and verification. The voucher is returned to the Extensible Markup Language Gold Management Specification (XKMS) voucher structure, and then the return message (Response) is sent back to the user 33. Public Key Infrastructure (PKI) is in the network service ( Web services) are important, including authentication, signature verification, etc., but are quite complicated for many applications. One of the features of the present invention is that the key certificate architecture of the Extensible Markup Language Key Management Specification (XKMS) is simplified a lot. Public Key Infrastructure (PKI) integration work, and these tasks are handed over to the host of the Keyword Credential Architecture of the Extensible Markup Language Key Management Specification (XKMS). In addition, the Public Key Infrastructure (PKI) pair Many small devices are too heavy, and the key certificate architecture that extends the Markup Key Management Specification (XKMS) gives many public key infrastructure (ΡΚΙ) operations to the process. The key certificate authority (XKMS) key certificate architecture host processing is implemented to reduce the computational complexity of the small device, and the host of the key certificate architecture extending the markup language key management specification (XKMS) provides the user on the network. Trust service of a key management on the road service, through the key certificate 12 200805982 « The interface of the architecture, all the web services can use the PKI credential management center (CA), the registration management center (RA) , Voucher Verification Center (VA) functionality, without the need for a specific application interface (API). The main feature of this system is to combine the Extensible Markup Language Key Management Specification (XKMS) protocol with the Credential Management Center (CA) and the Credential Verification Center (VA) in practice to make the Extensible Markup Language Key Management Specification (XKMS). The key certificate architecture can be used not only as a registry (RA) in the world of Web services, but also as a multifunctional management system, combined with a certificate management center (CA) and a registry. (RA) and the Application Center (API) of the Credential Verification Center (VA), enabling the Extended Key Language Key Management Specification (XKMS) key credential architecture to integrate the internal credential management center (CA) and the credential verification center at one time. (VA) Integrate an external credential management center (CA) to complete the registration management center (RA) and multi-voucher verification system. Through the use of the application interface (API), the implementation process is simplified and modularized and easy to maintain. effect. The embodiments described above are merely illustrative of the technical spirit and the characteristics of the present invention. The purpose of the present invention is to enable those skilled in the art to understand the contents of the present invention and to implement the present invention. That is, the equivalent variations or modifications made by the spirit of the present invention should still be included in the scope of the present invention. BRIEF DESCRIPTION OF THE DRAWINGS The first figure shows a schematic diagram of a key certificate architecture of an extensible markup language key management rule according to an embodiment of the present invention. The second figure shows a flow chart of the network service of the extensible markup language key registration service module group according to an embodiment of the invention. The third figure shows a flowchart for processing the public key query request according to an extensible markup language key service according to an embodiment of the present invention. [Key component symbol description] 10 Key voucher architecture 12 Extensible markup language key registration service module 14 Extensible markup language key information service module 16 Database 3b 32, 33 User 22 Credential Management Center 23 Credential Verification Center 24 Registration Management Center S21~S25 is a network service process for the Extensible Markup Language Key Registration Service Module Group. Step 41 Voucher Management System 42 Multi-Voucher Verification System S31~S35 is an Extensible Markup Language Key Information Service Specification Module Processing Public Key Query Requirement Process Step 51 Credential Management System 52 Multiple Credential Verification System 14

Claims (1)

200805982 十、申請專利範圍: 1. 一種可延伸標示語言金鑰管理規袼(XKMS)i金鑰憑證架構,包含: 一可延伸標示語言金鑰註冊服務模組(Χ-KRSS)群,其從一通 訊網路接收一請求訊息並對該請求訊息提供一網路服務,最後產生一 金鑰註冊訊息至一憑證管理中心(CA)以簽發一金鑰憑證,或者產 生一憑證註冊訊息至一憑證驗證中心(VA)以將該請求訊息登錄至該 憑證驗證中心(VA); 一可延伸標示語言金鑰資訊服務模組(X-KISS)群,其可由該通 訊網路接收一使用者提出之公開金鑰查詢及驗證之請求,然後產生一 金鑰憑證查詢驗證訊息至該憑證管理中心(CA),或透過該憑證驗證 中心(VA)查詢相對應之金鑰憑證及該金鑰憑證之有效性;以及 一 §己憶體’其連接該可延伸標示語言金鑰註冊服務模組 (X-KRSS)群及該可延伸標示語言金鑰資訊服務模組(乂犯⑻群, 可儲存該可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構之 資料。 2·如請求項丨所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中該請求訊息係從一使用者所提供之公開金鑰註冊訊息,或 一註冊官理中心(RA)傳送之可延伸標示語言(χ^)格式之χ—jQ^ss 封包。 3. 如睛求項2所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構’其中該公開金鑰註冊訊息為一可延伸標示語言格式之 X-KRSS 封包。 4. 如請求項2及3所述之可延伸標示語言金鑰管理規格之金鑰憑證 木構,其中4些X-KRSS封包可為一註冊(register)訊息、重發 (reissue)訊息、撤銷(rev〇ke)訊息或恢復(rec〇very)訊息。 5·如睛求項4所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中對該清求訊息提供一網路服務包括下列步驟: 解析該X-KRSS封包並判別其所顯示之公開金錄種類; 15 200805982 w力若該公開金鑰種類為該可延伸標示語言金鑰管理規格之金鑰憑 4構核發之内部糾金錄,則傳送金餘註冊封包至該憑證管理系統 jCA) ’由该憑證管理中心(CA)簽發該金鑰憑證,最後將該金鑰憑 證組成一回傳訊息給該使用者,或一註冊管理中心(RA);以及 右該公開金鑰種類為一外部公開金鑰,則傳送一憑證註冊封包至 心n驗證中心(VA)進行憑證註冊後,將一註冊回傳訊息回傳給該 可延伸標示語言金鑰管理規格之金鑰憑證架構(XKMS),最後將該 注冊回傳訊息組成一回傳訊息給該使用者。 6.如請求項1所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中該些公開金鑰查詢及驗證分別為一可延伸標示語言(XML) 袼式之X-KISS封包。 7·如請求項6所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中δ亥些X-KISS封包分別為一搜尋(i〇cate)訊息或驗證 (validate)訊息。 8·如請求項7所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中該可延伸標示語言金鑰資訊服務模組處理該些公開金鍮查 詢及驗證之請求包括下列步驟: 解析該X-KISS封包並判別其所顯示之公開金鑰查詢要求之公鑰 種類; 若該公開金鑰種類為該可延伸標示語言金鑰管理規格(XKMS) 之金鑰憑證架構核發之内部公開金鑰,則傳送金鑰註冊封包至一憑證 管理中心(CA) ’由憑證管理中心簽發金鍮憑證,最後將該憑證組成 一回傳訊息給該使用者,或一註冊管理中心(RA);以及 若該公開金鑰種類為一外部公開金鑰,則傳送一憑證註冊封包至 一憑證驗證中心(VA)進行憑證註冊後,將一註冊回傳訊息回傳給該 可延伸標示語言金鑰管理規格(XKMS)之金鑰憑證架構,最後將該 註冊回傳訊息組成一回傳訊息給該使用者。 16 200805982 9. 如請求項1所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中該通訊網路為一有線網路或無線網路。 10. 如請求項1所述之可延伸標示語言金鑰管理規格之金鑰憑證架 構,其中該金鑰憑證架構係在至少一伺服器上執行。 17200805982 X. Patent application scope: 1. An extensible markup language key management (XKMS) i-key certificate architecture, comprising: an extendable markup language key registration service module (Χ-KRSS) group, which A communication network receives a request message and provides a network service for the request message, and finally generates a key registration message to a certificate management center (CA) to issue a key certificate, or generates a voucher registration message to a voucher verification The center (VA) logs the request message to the voucher verification center (VA); an extensible markup language key information service module (X-KISS) group, which can receive a public payment from a user via the communication network Key query and verification request, and then generate a key certificate query verification message to the certificate management center (CA), or through the certificate verification center (VA) to query the corresponding key certificate and the validity of the key certificate; And a suffix body that connects the X-KRSS group and the extensible markup language key information service module (乂) (8) group The data of the key certificate structure storing the Extensible Markup Language Key Management Specification (XKMS). 2. The key certificate structure of the extensible markup language key management specification as described in the claim item, wherein the request message is A public key registration message provided by a user, or a Q^jsss package in an extensible markup language (χ^) format transmitted by a registered official authority (RA). 3. As described in item 2 The key certificate architecture of the extensible language key management specification 'where the public key registration message is an X-KRSS packet in an extendable markup language format. 4. Extensible markup language gold as claimed in claims 2 and 3. Key management specification key certificate structure, in which some X-KRSS packets can be a register message, a reissue message, a rev〇ke message or a recovery message. The key certificate architecture of the extensible markup language key management specification according to item 4, wherein providing the network service to the request message comprises the following steps: parsing the X-KRSS packet and discriminating the displayed Type of public record; 15 200805982 If the public key type is the internal key of the extensible markup language key management specification, the transfer of the golden registration package to the voucher management system (jCA) is managed by the voucher. The central (CA) issues the key certificate, and finally forms the return key to the user, or a registration management center (RA); and the right public key type is an external public key, then After transmitting a voucher registration packet to the heart verification center (VA) for voucher registration, a registration return message is transmitted back to the key certificate structure (XKMS) of the extensible markup language key management specification, and finally the registration is returned. The message is composed of a return message to the user. 6. The key certificate architecture of the extensible markup language key management specification of claim 1, wherein the public key query and verification are respectively an X-KISS packet of an Extensible Markup Language (XML). 7. The key certificate architecture of the extensible markup language key management specification according to claim 6, wherein the X-KISS packets are respectively a search message or a validate message. 8. The key certificate architecture of the extensible markup language key management specification of claim 7, wherein the request for processing the public funds query and verification by the extensible markup language key information service module comprises the following steps: Parsing the X-KISS packet and discriminating the public key type of the public key query request displayed by the public key; if the public key type is the internal disclosure of the key certificate structure of the Extensible Markup Language Key Management Specification (XKMS) Key, then transfer the key registration packet to a voucher management center (CA) 'issued by the voucher management center, and finally form the return message to the user, or a registration management center (RA); And if the public key type is an external public key, transmitting a voucher registration packet to a voucher verification center (VA) for voucher registration, and transmitting a registration return message to the extensible markup language key management The key certificate structure of the specification (XKMS) finally forms a return message to the user. The method of claim 1, wherein the communication network is a wired network or a wireless network. 10. The key certificate architecture of the extensible markup language key management specification of claim 1, wherein the key credential architecture is executed on at least one server. 17
TW95124957A 2006-07-07 2006-07-07 System of key authority in the xkms (xml key management specification) TWI317597B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW95124957A TWI317597B (en) 2006-07-07 2006-07-07 System of key authority in the xkms (xml key management specification)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW95124957A TWI317597B (en) 2006-07-07 2006-07-07 System of key authority in the xkms (xml key management specification)

Publications (2)

Publication Number Publication Date
TW200805982A true TW200805982A (en) 2008-01-16
TWI317597B TWI317597B (en) 2009-11-21

Family

ID=44766204

Family Applications (1)

Application Number Title Priority Date Filing Date
TW95124957A TWI317597B (en) 2006-07-07 2006-07-07 System of key authority in the xkms (xml key management specification)

Country Status (1)

Country Link
TW (1) TWI317597B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI472949B (en) * 2013-03-20 2015-02-11 Ind Tech Res Inst Method, apparatus and computer-readable storage medium for certificate generation and revocation with privacy preservation
US10069634B2 (en) 2014-03-05 2018-09-04 Industrial Technology Research Institute Apparatuses and methods for certificate generation, certificate revocation and certificate verification

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011119554A1 (en) * 2010-03-22 2011-09-29 Echostar Technologies Llc Systems and methods for securely streaming media content

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI472949B (en) * 2013-03-20 2015-02-11 Ind Tech Res Inst Method, apparatus and computer-readable storage medium for certificate generation and revocation with privacy preservation
US9425967B2 (en) 2013-03-20 2016-08-23 Industrial Technology Research Institute Method for certificate generation and revocation with privacy preservation
US10069634B2 (en) 2014-03-05 2018-09-04 Industrial Technology Research Institute Apparatuses and methods for certificate generation, certificate revocation and certificate verification

Also Published As

Publication number Publication date
TWI317597B (en) 2009-11-21

Similar Documents

Publication Publication Date Title
JP4731624B2 (en) Assertion message signature
CN101414909B (en) System, method and mobile communication terminal for verifying network application user identification
CN107767267B (en) Virtual resource transfer method and device
EP2545676B1 (en) System and method for using a portable security device to cryptographically sign a document in response to signature requests from a relying party to a digital signature service
KR100501095B1 (en) Terminal communication system
US8621206B2 (en) Authority-neutral certification for multiple-authority PKI environments
US8117459B2 (en) Personal identification information schemas
KR101405509B1 (en) Method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party
US20070204168A1 (en) Identity providers in digital identity system
US20100138662A1 (en) Digital signature assurance system, method, program and apparatus
KR102280061B1 (en) Corporation related certificate issue system and method using did based on blockchain
KR20050066522A (en) System and method for managing encryption key for mobile terminal
TW201027384A (en) Digital rights management (DRM)-enabled policy management for an identify provider in a federated environment
JP2009118110A (en) Method and system for provisioning meta data of authentication system, its program and recording medium
US7644270B1 (en) Web services security architecture
US20080082818A1 (en) Symmetric key-based authentication in multiple domains
TW200805982A (en) Infrastructure of key authority in the XKMS (XML key management specification)
JP2009031849A (en) Certificate issuing system for electronic application, electronic application reception system, and method and program therefor
US20240031341A1 (en) Methods, devices and system related to a distributed ledger and user identity attribute
Jorns et al. A privacy enhancing service architecture for ticket-based mobile applications
TWM607988U (en) Hardware carrier authentication and signature system using rapid online authentication
Rech et al. A distributed framework towards local and online service access
JP2002217899A (en) Portable terminal, certificate verifying server, system and method for verifying effectiveness of electronic certificate
WO2024070315A1 (en) Authentication system, user terminal, authentication method, and program
Park et al. XML key information system for secure e-trading.

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees