200910896 九、發明說明: 【發明所屬之技術領域】 本發明涉及一種電子文檔數位簽核系統及方法。 【先前技術】 電子文檔數位簽核主要應用摘要演算法和公鑰密碼 演算法對電子文檔進行加密、解密變換實現的,摘要演算 法(如MD5、SHA-1等),也叫單向散列演算法,其作用 是將任何不定長的檔變換為一個定長的字串或比特串,一 般為128比特、160比特、256比特或512比特等,目的是 為了縮短電子簽名檔的長度,提高簽名的效率。 公鑰密碼演算法(如RSA、ECC等),也叫非對稱密 碼演算法,加密和解密使用不同的密錄,通信雙方各有一 對密鑰(公鑰和私鑰),各方將私鑰嚴格保密,將公鑰公 開給對方。在電子簽名時發信人用自己的私鑰簽名,收信 人用發信人的公鑰驗證。公鑰的可信性是“信任關係”的基 礎,一般需要指定一個共同信任的第三方認證授權單位 (CA,Certification Authority)對公錄進行簽名和發佈, 這種經過第三方認證授權單位簽名並發佈的公鑰及相關資 訊的統稱就是通常所說的數位證書。 電子簽核的特點是:它代表了檔的特徵。檔如發生改 變,電子簽核的值也將隨之而發生改變,不同的檔得到的 是不同的數位簽核值。在傳輸過程中,如有第三人對檔進 行篡改,但他並不知道發送方的私鑰,因此,解密得到的 電子簽核值與經過計算後的電子簽核值必然不同,這就提 200910896 供了一個安全的確認發送方身份的辦法。 電子簽核的流程為:報文的發送方從報文文本中生成 一個報文摘要(或散列值),發送方用自己的私鑰對這個 散列值進行加密來形成發送方的電子簽核值;然後,這個 電子簽核值將作為報文的附件和報文一起發送給報文的接 收方;報文的接收方首先從接收到的原始報文中計算出報 文摘要(或散列值),接著再用發送方的公鑰來對報文附 加的電子簽核值進行解密,如果兩個摘要相同,那麼接收 方就能確認該電子簽核是發送方的。 通常情況下,一般的電子文檔數位簽核必須在個人電 腦上才能完成,這種方式的缺點是簽核主管不能隨時隨地 進行電子文檔的數位簽核。 【發明内容】 鑒於以上内容,有必要提供一種電子文檔數位簽核系 統及方法,其可透過移動設備隨時隨地進行電子文檔的數 位簽核。 一種電子文檔數位簽核系統,包括移動設備、應用伺 服器和資料庫,所述應用伺服器與所述移動設備及資料庫 相連,其特徵在於,所述資料庫中存儲有待簽核的電子檔, 所述移動設備中安裝有用戶進行電子文檔數位簽核的數位 證書,所述數位證書中含有用於數位簽核的私鑰;所述移 動設備用於當用戶選擇待簽核的電子檔後,向所述應用伺 服器發送數位簽核請求;所述應用伺服器根據所述數位簽 核請求從所述資料庫中獲取所述待簽核的電子檔,根據單 200910896 向散列演算法生成所述待簽检 待簽核的電子檔的摘要值傳二 =:摘:值,並將該 設備根據公綱演算法,用=多=;所述移動 待簽核的電子㈣摘要值生,'數U私输加密該 簽桉估捕 成第-簽核值,並將所述第 僉杉值傳送給所述應用伺服誘. 弟一 消息語法標準將所述第一簽二 伺服器根據加密 成所、然後,根據單向散列演算法峰 成所述合成檔的摘要值,將該人点pm始產盾#去生 移動〇成檔的摘要值傳送給所述 2書:所繼設備根據公輪密碼演算法,用所2 所、成、加&該合成檔要值生成第 一簽核值,將 = 傳送給應㈣服器;所述應用伺服器^ 核的電二:核值、第二簽核值和待簽 __田σ成在起,生成簽核完的電子檔。 動执供種電子文龍位簽核方^',包括如下步驟:透過移 ^選擇待簽核的電子檔,發送數位簽核請求給與之相 ★、應用伺服态,所述移動設備中安裝有用於電子文檔數 位簽核的數位證書,所述數位證書中含有用於數位簽核的 私鑰,所述應用伺服器根據所述數位簽核請求從與之相連 的貝料庫中獲取所述待簽核的電子檔,根據單向散列演算 法生成所述待簽核的電子檔的摘要值,並將該待簽核的電 子檔的摘要值傳送給所述移動設備;所述移動設備根據公 鑰密碼演算法,用所述數位證書的私鑰加密該符簽核的電 子私的摘要值生成第—簽核值,並將所述第一簽核值傳送 給所述應用伺服器;所述應用伺服器根據加密消息語法標 200910896 =所核值和所述待蒼核的電子槽合成在-起獲 : :::檔’然後,根據單向散列演算法生成所述合成 。、、.^將讀合成檔的摘要值傳送給所述移動設備; 所述移動<備根據公輪密碼演算法’用所述數位證書的私 鑰加密該合成檔的_要值生成第二簽核值,將所述第二簽 枱值傳送、°應用伺服器;所述應用伺服器根據加密消息語 法心準將㈣第〜⑼值、第二卿值和待簽核的電子檔 合成在-起,生成簽核完的電子檔。200910896 IX. Description of the Invention: [Technical Field] The present invention relates to an electronic document digital signing system and method. [Prior Art] The electronic document digital sign-off is mainly implemented by the application of the digest algorithm and the public key cryptographic algorithm to encrypt and decrypt the electronic document. The digest algorithm (such as MD5, SHA-1, etc.) is also called one-way hash. Algorithm, its function is to transform any variable length file into a fixed length string or bit string, generally 128 bits, 160 bits, 256 bits or 512 bits, etc., in order to shorten the length of the electronic signature file, improve The efficiency of the signature. Public key cryptography algorithms (such as RSA, ECC, etc.), also known as asymmetric cryptographic algorithms, use different ciphers for encryption and decryption. Each pair has a pair of keys (public and private), and the parties have private keys. Strictly confidential, the public key is disclosed to the other party. At the time of electronic signature, the sender signs with his private key and the recipient verifies with the sender's public key. The credibility of the public key is the basis of the "trust relationship". Generally, a third-party authentication authority (CA) is required to sign and publish the public record. This third-party authentication and authorization unit signs and The collective name of the published public key and related information is the so-called digital certificate. The feature of the electronic sign-off is that it represents the characteristics of the file. If the file changes, the value of the electronic sign-off will change accordingly. Different files get different digital sign-off values. In the transmission process, if a third person tampers with the file, but he does not know the sender's private key, therefore, the decrypted electronic sign-off value is inevitably different from the calculated electronic sign-off value, which is 200910896 provides a secure way to confirm the identity of the sender. The process of the electronic sign-off is as follows: the sender of the message generates a message digest (or hash value) from the message text, and the sender encrypts the hash value with its own private key to form the sender's electronic signature. The core value; then, the electronic sign-off value will be sent to the receiver of the message as an attachment to the message and the message; the receiver of the message first calculates the message digest (or hash) from the original message received. Value), then use the sender's public key to decrypt the electronic sign-off value attached to the message. If the two digests are the same, the receiver can confirm that the e-signature is the sender. Under normal circumstances, the general electronic document digital signing must be completed on the personal computer. The disadvantage of this method is that the signing supervisor cannot perform digital signing of the electronic document anytime and anywhere. SUMMARY OF THE INVENTION In view of the above, it is necessary to provide an electronic document digital sign-off system and method for digitally signing electronic documents anytime and anywhere through a mobile device. An electronic document digital signing system, comprising a mobile device, an application server and a database, wherein the application server is connected to the mobile device and a database, wherein the database stores an electronic file to be signed a digital certificate for digital signing of the electronic document by the user is installed in the mobile device, where the digital certificate includes a private key for digital signing; the mobile device is used when the user selects the electronic file to be signed Sending a digital sign-off request to the application server; the application server acquires the electronic file to be signed from the database according to the digital sign-off request, and generates a hash algorithm according to the single 200910896 The digest value of the electronic file to be checked and signed is transmitted by two =: extracting the value, and the device is used according to the public algorithm, with = more =; the mobile to be signed electronic (four) digest value, ' The number U private encryption encrypts the signature to be the first-signature value, and transmits the scorpion value to the application servo. The message-syntax standard encrypts the first-sign server according to Then, then According to the one-way hash algorithm peaking into the summary value of the synthesized file, the summary value of the person's point pm production shield #de-transportation file is transmitted to the two books: the succeeding device is calculated according to the public round password In the method, the first signing value is generated by the value of the combined file, the sum, the sum is sent to the (4) server, and the application server is the second: the core value, the second sign The nuclear value and the pending __ Tian σ Cheng are in the process of generating the signed electronic file. The mobile electronic domain dragon signing party ^' includes the following steps: selecting the electronic file to be signed by moving ^, sending a digital signing request to the user, applying the servo state, and installing the mobile device There is a digital certificate for electronic document digital signing, the digital certificate includes a private key for digital signing, and the application server obtains the selected from the connected billet according to the digital signing request An electronic file to be signed, generating a digest value of the electronic file to be signed according to a one-way hash algorithm, and transmitting a digest value of the electronic file to be signed to the mobile device; the mobile device Decrypting the electronic private digest value of the signature core with a private key of the digital certificate to generate a first signing value, and transmitting the first signing value to the application server according to a public key cryptographic algorithm; The application server generates the composition according to the one-way hash algorithm according to the encrypted message syntax mark 200910896=the core value and the electronic slot of the core to be synthesized. Transferring the digest value of the read synthesis file to the mobile device; the mobile <preparation according to the public round password algorithm 'encrypting the composite file with the private key of the digital certificate to generate a second value Signing the value, transmitting the second sign value, and applying the server; the application server synthesizes the (4)th (9) value, the second value, and the electronic file to be signed according to the encrypted message syntax. From the beginning, generate a signed electronic file.
”技術,所述的電子文標數位 法,可以透過較i V 拔,接古了兩7動設備隨時隨地進行電子文檔的數位簽 文檔數位簽核的靈活性。 【實施方式】 參閱圖1 $ + 實施例的线_„ 明電子文傭位簽核系統較佳 飼服器20及資;^。㈣毅要包鄉㈣備1◦、應用 備tTT用伺服器2G和所述移動設 技術(-種短^ 所述移動設備1G透過藍牙 、無線通訊技術)和所述應用伺服器20 所述庫計Ί 2述移紐備1G也可以透過物理連接方式和 所述應用伺服器2〇相連。 所述移動設備10中安裝有用戶進行電子文標數位簽 核的數位證書,料數錄書包括好㈣訊、私錄和有 效期等H⑽用於對電子文制摘要值進行加密。 所述移動設備1G可以是手機及掌上電腦(PDA,Pe_ai Digital Assistant)等。 200910896 所述資料庠、 設備ίο用於向所述於存儲待簽核的電子檔,所述移動 請求待簽核的電子产w用词服器20發送數位簽核請求,即 備10發送的數位簽述應用伺服器20根據所述移動設 核的電子檔,生成二求、,從資料庫30中獲取所述待簽 簽核的電子㈣_ 簽核的電子㈣摘要值,將該待 用所述數位證書的私傳送給移動設備10。移動設備1〇 成第—簽核值,將所、該待簽核的電子檔的摘要值生 應用伺服器2〇將所弟簽核值傳送給應用伺服器2〇。 合成在一起,獲得〜述第一簽核值和所述待簽核的電子檔 值,將該合成槽合成檔,並生成所述合成槽的摘要 用所述數位證書的私值傳送給移動設備10。移動設備10 核值,將所述第二鑰加岔该合成檔的摘要值生成第二簽 用伺服器20將所述j亥值傳送給應用伺服器2〇。然後,應 子檔合成在一起/生簽核值、第二簽核值和待簽核的電 的電子檔保存到資料=簽核完的電子檔,並將所述簽核完 參閱圖2所示0中。 實施例的功能模紐關=本發明電子文檔數位簽核系統較佳 110和摘要加密模聯圖。所述移動設備10包括請求模組 組21〇、摘要生成模/11。所述應用伺服态20包括獲取模 本發明所稱的模:f 211、合成模組212和保存模組213。 式更適合於描述敕Z成—特定功㈣電腦程式段,比程 以下對軟體描述中^電射的執行過程’因此在本發明 平都以模組描述。 啟移動設備10,選擇待簽核的電子槽。 11 200910896 然後,請求模、组110向所述應用飼服器20發送數位簽核請 求’即請求待簽核的電子檔。所述移動設備1Q中安裝有用 戶進行電子文檔數位簽核的數位證書,所述數位證書包括 用戶的資訊'私鑰和有效期等。其中,私鑰用於對電子文 標的摘要值進行加密。 應用伺服器20接收所述移動設備1〇發送的數位簽核 請求後,獲取模組210根據所述數位簽核請求從資料庫3〇 中獲取所述待簽核的電子檔。摘要生成模組211根據單向 散列演异法(如安全散列演算法SHA1,Secure Hash"Technology, the electronic text-based digital method, can be compared with the i V, and the flexibility of the digital signing of digital documents for electronic documents can be performed anytime and anywhere. [Embodiment] See Figure 1 $ + The line of the embodiment _ „ 电子 电子 文 文 签 签 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳 较佳(4) Yizhibao Township (4) Preparing 1◦, applying the tTT server 2G and the mobile device technology (the short type ^ the mobile device 1G through Bluetooth, wireless communication technology) and the application server 20 The mobile device 1G can also be connected to the application server 2 through a physical connection. The mobile device 10 is equipped with a digital certificate for the user to perform digital signature verification. The material number record includes a good (four) message, a private record, and an expiration date, etc. H (10) is used to encrypt the electronic document abstract value. The mobile device 1G may be a mobile phone and a PDA (Pe_ai Digital Assistant) or the like. 200910896 The data 设备, the device ίο is used to store the electronic file to be signed, the mobile request to be signed by the electronic product w to send the digital signing request, that is, the digital number sent by the device 10 The signature application server 20 generates an electronic (four) digest value of the electronic (four)_signature of the to-be-signed core from the database 30 according to the electronic file of the mobile core, and the to-be-used The private transfer of the digital certificate to the mobile device 10. The mobile device 1 generates a first sign-off value, and transmits the digest value of the electronic file to be signed to the application server 2 to transmit the signed value to the application server 2 . Synthesizing together, obtaining the first sign-off value and the electronic file value to be signed, synthesizing the synthesizing slot, and generating a digest of the synthesizing slot, transmitting the private value of the digital certificate to the mobile device 10. The mobile device 10 plays a core value, and the second key is added to the digest value of the synthesized file to generate a second signing server 20 to transmit the j-hai value to the application server 2〇. Then, the electronic files of the sub-files synthesized/birth check value, the second sign-off value, and the electric power to be signed are saved to the data=signed electronic file, and the signing is completed as shown in FIG. Show 0. The functional module of the embodiment is the preferred embodiment of the electronic document digital signing system of the present invention and the digest encryption mode. The mobile device 10 includes a request module group 21 and a digest generating module/11. The application servo state 20 includes a module called f 211, a synthesis module 212, and a save module 213. The formula is more suitable for describing the 敕Z into a specific work (4) computer program segment, the specific process of the following is a description of the execution process of the software in the software description. The mobile device 10 is activated to select an electronic slot to be signed. 11 200910896 Then, the request module, group 110 sends a digital sign-off request to the application feeder 20, that is, requests the electronic file to be signed. The mobile device 1Q installs a digital certificate for the electronic document digital signing by the user, and the digital certificate includes the user's information 'private key and expiration date. The private key is used to encrypt the digest value of the electronic document. After the application server 20 receives the digital sign-off request sent by the mobile device, the obtaining module 210 obtains the electronic file to be signed from the database 3 according to the digital sign-off request. The digest generation module 211 performs a different method according to one-way hashing (such as the secure hash algorithm SHA1, Secure Hash).
Algorithm 1)生成所述待簽核的電子檔的摘要值,將該待 簽核的電子檔的摘要值傳送給移動設備1〇。 摘要加密模组111根據公鑰密碼演算法(如rSA演算 法)’用所述數位證書的私鑰加密該待簽核的電子檔的摘要 值生成第一簽核值,將所述第一簽核值傳送給應用伺服器 20 ° 合成模組212根據加密消息語法標準(PKCS7)將所 述第一簽核值和所述待簽核的電子檔合成在一起,獲得一 個合成檔。所述PKCS7使用在ρκΐ ( Public Key Infrastructure ’公開密鑰基礎設施)架構下。 摘要生成模組211根據單向散列演算法(如安全散列 演算法SHA1,Secure Hash Algorithm 1)生成所述合成槽 的摘要值’將該合成檐的摘要值傳送給移動設備1〇。 摘要加密模組111根據公鑰密碼演算法(如rSA演算 法)’用所述數位證書的私錄加密該合成槽的摘要值生成第 12 200910896 一簽核值’將所述第二簽核值傳送給應用伺服器2〇。 然後,合成模組212根據加密消息語法標準(PKCS7) 將所述第-簽核值、第二簽核值和待簽核的電子檔合成在 一起,生成簽核完的電子檔,並將所述簽核完的電子檔 存到貧料庫30中。 y' 參閱圖3所示’係本發明電子文槽數位簽核方法較户 實施例的流程圖。首先,步驟s碰,用戶開啟 1〇 ’選擇待簽核的電子槽。然後,請求模組加向所;^ ㈣服盗20發达數位簽核請求,即請求待簽核的電子槽。 所述移動設備1G中安裝有用戶進行電子文檔數位簽核田 數位證書,所述數位證書包括用戶的資訊、⑽和有效期 等。其中’私糾於對電子文檔的摘要值進行加密。/ 步驟S 40 2,應用伺服器2 〇接收所述移動設備卿送 =位純請求後,獲取额训轉所述數衫核請求 從貝料庫3〇巾獲取料待簽核的電子槽。摘要生成模也 211根據單向散列演算法(如安全散列演算法shai,s㈣£The algorithm 1) generates a digest value of the electronic file to be signed, and transmits the digest value of the electronic file to be signed to the mobile device. The cryptographic module 111 generates a first sign-off value by encrypting the digest value of the electronic file to be signed with the private key of the digital certificate according to a public key cryptographic algorithm (such as an rSA algorithm), and the first sign is generated. The core value is transmitted to the application server 20 ° The synthesis module 212 synthesizes the first sign-off value and the electronic file to be signed according to the encrypted message syntax standard (PKCS7) to obtain a composite file. The PKCS7 is used under the ρκΐ (Public Key Infrastructure) public key infrastructure. The digest generating module 211 generates a digest value of the synthesizing slot according to a one-way hash algorithm (such as a secure hash algorithm SHA1, Secure Hash Algorithm 1) to transmit the digested digest value to the mobile device 1 . The abstract encryption module 111 generates a 12th 200910896 sign-off value by using a public key cryptographic algorithm (such as an rSA algorithm) to encrypt the digest value of the synthesis slot with the private record of the digital certificate. Transfer to the application server 2〇. Then, the synthesizing module 212 synthesizes the first sign-on value, the second sign-off value, and the electronic file to be signed according to the encrypted message syntax standard (PKCS7) to generate the signed electronic file, and The signed electronic file is stored in the poor stock 30. y' Referring to Figure 3, there is shown a flow chart of an embodiment of the electronic sign slot digital sign-off method of the present invention. First, the step s touches, and the user opens 1 〇 ’ to select the electronic slot to be signed. Then, the request module is added to the location; ^ (4) service theft 20 developed digital signing request, that is, requesting the electronic slot to be signed. The mobile device 1G is installed with a digital certificate for the digital signature of the electronic document, the digital certificate including the user's information, (10), and expiration date. Among them, 'privacy is to encrypt the digest value of the electronic document. / Step S40 2, the application server 2 receives the mobile device to send a bit pure request, and obtains the amount of training to transfer the number of shirts to request the electronic slot from the shell library 3 wipes to be checked. The abstract generation model is also based on a one-way hash algorithm (such as the secure hash algorithm shai, s (four) £
Hash AlgGrithm i )生成所述待簽核的電子檔的摘要值,將 該待簽核的電子檔的摘要值傳送給移動設備1〇。 步驟s·’摘要加密模組ηι根據公^密碼演算法(如 RSA演算法),料述數錄書的私^密該待簽核的電 子檔的摘要值生成第一簽核值,將所述第一簽核值傳送給 應用伺服器20。 、口 步驟S404,合成模組212根據加密消息語法標準 (PKCS7)將所述第-簽核值和所述待簽核的電子檀合成 13 200910896 在一起,獲得一個合成檔。所述PKCS7使用在pKl(Pubi· Key Infrastructure,公開密鑰基礎設施)架構下。摘^ lc 成模組211根據單向散列演算法(如安全散列演眢= SHA1 ’ Secure Hash Alg0rithm丄)生成所述合成構的:2 值,將該合成檔的摘要值傳送給移動設備1〇。 步驟S405,摘要加密模組lu根據公鑰密碼演算法 RSA演算法)’賴述數㈣書的减加魏合成槽 =〇生成第二簽核值’將所述第二·值傳送給應用田祠服 根據加在、消息語法標準 第二簽核值和待簽核的電 電子檔,並將所述簽核完 步驟S406 ’合成模組212 (PKCS7)將所述第一簽核值、 子檔合成在一起,生成簽核完的 的電子檔保存到資料庫3〇中。 例揭位簽核系統及方法’雖以較佳實施 =在=Γ:Χ限定本發明。任何熟悉此項技 與潤飾,因此本發明之保護範 +更動 所界定者為準。 視細之申請專利範圍 【圖式簡單說明】 圖1 架構圖 係本發明電子文檔數位簽核㈣較佳實施例的硬 圖2係本發明電子文槽 能模組關聯圖。 數位簽核系統較佳實施例的功 實施例的流 圖3係本㈣電子《難簽核方法較佳 14 200910896 程圖。 【主要元件符號說明】 移動設備 10 應用伺服器 20 資料庫 30 請求模組 110 摘要加密模組 111 獲取模組 210 摘要生成模組 211 合成模組 212 保存模組 213 15Hash AlgGrithm i) generates a digest value of the electronic file to be signed, and transmits the digest value of the electronic file to be signed to the mobile device. Step s·'summary encryption module ηι according to the public cryptographic algorithm (such as RSA algorithm), the private key of the digital book is reported to generate the first signing value of the electronic file to be signed, and the The first sign-off value is transmitted to the application server 20. Step S404, the synthesizing module 212 combines the first sign-off value with the to-be-signed electronic synthesizer according to the encrypted message syntax standard (PKCS7) to obtain a synthesized file. The PKCS7 is used under the pKl (Pubi Key Infrastructure) architecture. The module 211 is generated according to a one-way hash algorithm (such as secure hash deduction = SHA1 'Secure Hash Alg0rithm丄) to generate the synthesized value: 2 value, and the digest value of the synthesized file is transmitted to the mobile device. 1〇. Step S405, the digest encryption module lu transmits the second value to the application field according to the public key cryptographic algorithm (RSA algorithm), the reliance on the number (4) of the book, and the second signature value. The service is based on the second sign-off value added to the message grammar standard and the electronic file to be signed, and the signing step S406 'synthesis module 212 (PKCS7) sets the first sign-off value, sub- The files are combined and the electronic file that has been signed and signed is saved in the database. The example disclosure system and method 'is preferably implemented in the present invention. Any familiarity with this technique and retouching is therefore defined by the protection of the invention. BRIEF DESCRIPTION OF THE DRAWINGS [Brief Description] FIG. 1 is a diagram showing the electronic document digital signing of the present invention. (IV) The hard disk of the preferred embodiment is the associated diagram of the electronic document slot module of the present invention. The flow chart of the preferred embodiment of the digital sign-off system is shown in Fig. 3, which is a diagram of the (4) electronic "difficult signing method". [Key component symbol description] Mobile device 10 Application server 20 Database 30 Request module 110 Abstract encryption module 111 Acquisition module 210 Summary generation module 211 Synthesis module 212 Storage module 213 15