TWI618026B - Mail decryption system and method based on document serial number - Google Patents

Mail decryption system and method based on document serial number Download PDF

Info

Publication number
TWI618026B
TWI618026B TW106106660A TW106106660A TWI618026B TW I618026 B TWI618026 B TW I618026B TW 106106660 A TW106106660 A TW 106106660A TW 106106660 A TW106106660 A TW 106106660A TW I618026 B TWI618026 B TW I618026B
Authority
TW
Taiwan
Prior art keywords
voucher
recipient
mail
information
serial number
Prior art date
Application number
TW106106660A
Other languages
Chinese (zh)
Other versions
TW201833866A (en
Inventor
Wei Hao Tung
Hang Geng Tsai
Tsung Han Yang
Bon Yeh Lin
Original Assignee
Chunghwa Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd filed Critical Chunghwa Telecom Co Ltd
Priority to TW106106660A priority Critical patent/TWI618026B/en
Application granted granted Critical
Publication of TWI618026B publication Critical patent/TWI618026B/en
Publication of TW201833866A publication Critical patent/TW201833866A/en

Links

Abstract

本發明有關於一種郵件解密系統及方法,其主要係透過一接收者端平台以根據憑證序號之變更實施的郵件解密方法,其主要係透過獲取寄件者端寄來之加密郵件中的密碼訊息語法資訊中的接收者資訊,以與自收件者端安全載具獲取的即時憑證資訊比對,以確認收件者憑證是否在郵件寄發後展期,若憑證確經展期,本發明可更新接收者資訊以獲取私鑰來解密加密郵件,透過本發明,可以有效解決收件者無法解密憑證經展期後之加密郵件的困擾。 The invention relates to a mail decryption system and method, which mainly comprises a mail decryption method implemented according to a change of a certificate serial number through a receiver end platform, which mainly obtains a password message in an encrypted mail sent by a sender side. The recipient information in the grammar information is compared with the instant credential information obtained from the secure carrier of the recipient to confirm whether the recipient voucher is renewed after the mail is sent. If the voucher is renewed, the present invention may be updated. The recipient information is used to obtain the private key to decrypt the encrypted mail. Through the invention, the problem that the recipient cannot decrypt the encrypted mail after the extension of the voucher can be effectively solved.

Description

基於憑證序號的郵件解密系統及方法 Mail decryption system and method based on certificate serial number

本發明有關於一種郵件解密系統及方法,特別是關於一種基於憑證序號,以將憑證經展期之加密郵件正常解密之系統及方法。 The present invention relates to a mail decryption system and method, and more particularly to a system and method for decrypting an encrypted mail of a voucher based on a voucher serial number.

在目前公知技術的公開金鑰基礎建設(Public Key Infrastructure,PKI)架構下,因應不同之使用情境,各種使用者身分取得的憑證皆可能有不同之效期;而為了確保憑證之可用性,正常狀況下,憑證的擁有者會需要在其使用之憑證到期前,向憑證中心(Certificate authority,CA)提出憑證展期申請。而在憑證展期後,憑證序號會與展期前憑證不同,但新舊憑證的金鑰對則不變,且其對應之相關資訊會存放在各種安全載具內供存取。 Under the public key infrastructure (PKI) architecture of the prior art, the vouchers obtained by various user identities may have different validity periods according to different usage scenarios; and in order to ensure the availability of vouchers, the normal situation The owner of the voucher will need to submit a voucher renewal application to the Certificate Authority (CA) before the voucher for its use expires. After the voucher extension period, the voucher serial number will be different from the voucher voucher, but the key pair of the old and new voucher will remain unchanged, and the corresponding information will be stored in various security vehicles for access.

然而,在現行機制之框架下,憑證擁有者只能解密憑證展期後使用其所申請新憑證加密之已加密郵件,若想要解密憑證展期前所收到的加密郵件就會失敗,其原因在於憑證序號不同,而導致客戶端的郵件系統無法存取到私鑰進行解密。而對於一般的郵件收件者而言,其表面上僅見到對應使用者的安全載具並無更換,但卻只能用以解密憑證展期後收到的加密郵件,而無法對展期前的郵件進行解密,無法 理解更深層之原因,郵件收件者可能會對憑證的有效性產生質疑而不做他想。有鑑於現今的商業書信來往數量繁多,且亦非所有使用者都有快速收信的習慣,此種無法開啟加密郵件狀況實屬困擾,相關領域中亦有研究者嘗試針對此問題進行改良,但所提出之方法仍存有安全疑慮。 However, under the current mechanism, the voucher owner can only decrypt the encrypted mail encrypted with the new voucher applied for after the voucher is renewed. If the encrypted mail received before the voucher renewal is cancelled, the reason is that The voucher serial number is different, and the client's mail system cannot access the private key for decryption. For the general mail recipient, only the security vehicle corresponding to the user is not replaced on the surface, but it can only be used to decrypt the encrypted mail received after the certificate is extended, and the mail before the extension cannot be used. Decrypted, can't To understand the deeper reasons, the recipient of the mail may question the validity of the voucher without thinking about it. In view of the large number of business correspondences in the world today, and not all users have the habit of quickly receiving letters, this kind of inability to open encrypted mail is a problem, and researchers in related fields have tried to improve this problem, but There are still security concerns in the proposed method.

為解決前揭問題,本發明提出一種基於憑證序號的郵件解密系統及方法,其主要目的在於,若寄件者在郵件寄出後才進行了憑證展期等變更動作,要如何透過本發明使收件者在用以加密電子郵件之憑證經展期而憑證序號已變化之狀況下,仍能夠順利地解密電子郵件以獲取其內容,其中,本發明之基於憑證序號的郵件解密方法,係實施於與一寄件者端平台通訊連結的一接收者端平台上,該接收者端平台經組態以執行至少包含下列步驟:1.接收一加密郵件,其中該加密郵件係經該寄件者端平台以一收件者憑證的一公鑰加密後,再透過一郵件使用者代理程式寄發,其中,該加密郵件之格式(PKCS#7)係符合密碼訊息語法(Cryptographic Message Syntax,CMS)之規範(Standard);2.剖析該加密郵件,以取出該加密郵件中密碼訊息語法(CMS)資訊中的封裝檔(Enveloped Data),再自封裝檔中獲取接收者標識符,來確認接收者資訊類型,並獲取接收者資訊中的關於該收件者憑證的一第一憑證序號以及憑證資訊;3.透過該接收者端平台存取收件者端安全載具,以自目 前的該收件者憑證的資訊中獲取一第二憑證序號及一主體密鑰標識符;4.透過該郵件接收者端平台比對該第一憑證序號以及該第二憑證序號以及兩憑證序號對應的公鑰,以確認該收件者憑證是否已展期,若該郵件接收者端平台比對該第一憑證序號以及該第二憑證序號相異,但兩憑證序號對應公鑰相同,則可確認該收件者憑證在該加密郵件寄發後已展期;5.透過該接收者端平台啟動一接收者資訊更新模組,以將該加密郵件中接收者資訊內的該第一憑證序號更新為憑證展期後的該主體密鑰標識符,即係置換密碼訊息語法(Cryptographic Message Syntax)規範的封裝檔(Enveloped Data)中的接收者資訊;以及6.透過該接收者端平台以更新過的接收者資訊存取目前的收件者端安全載具,以獲取展期後的該收件者憑證對應的私鑰,進而解密該加密郵件以取得內容。 In order to solve the above problems, the present invention provides a mail decryption system and method based on a voucher serial number, the main purpose of which is to make a change in the voucher extension, etc., after the mail is sent, how to use the present invention to collect In the case that the voucher used to encrypt the e-mail is extended and the voucher number has changed, the e-mail can still be decrypted smoothly to obtain the content thereof. The method for decrypting the e-mail based on the voucher number of the present invention is implemented in A recipient-side platform of a sender-side platform communication link configured to perform at least the following steps: 1. Receiving an encrypted message, wherein the encrypted message is via the sender-side platform It is encrypted by a public key of a recipient's voucher and then sent by a mail user agent. The format of the encrypted mail (PKCS#7) is in accordance with the Cryptographic Message Syntax (CMS) specification. (Standard); 2. Analyze the encrypted mail to retrieve the Enveloped Data in the CMS information in the encrypted mail, and then self-package the file. Obtaining a receiver identifier to confirm a recipient information type, and obtaining a first document serial number and credential information about the recipient credential in the recipient information; 3. accessing the recipient end through the receiver end platform Safety vehicle to self-seeking Obtaining a second voucher serial number and a body key identifier in the information of the former recipient voucher; 4. comparing the first voucher serial number and the second voucher serial number and the two voucher serial numbers through the e-mail receiver platform Corresponding public key, to confirm whether the recipient's voucher has been renewed, if the e-mail receiver platform is different from the first voucher serial number and the second voucher serial number, but the two voucher serial numbers are the same as the public key, Confirming that the recipient voucher has been renewed after the encrypted mail is sent; 5. launching a recipient information update module through the receiver platform to update the first voucher number in the recipient information in the encrypted mail The subject key identifier after the extension of the voucher, that is, the recipient information in the Enveloped Data of the Cryptographic Message Syntax specification; and 6. updated by the receiver platform The recipient information accesses the current recipient-side security vehicle to obtain the private key corresponding to the recipient's voucher after the extension, and then decrypts the encrypted email to obtain the content.

對應以實施本發明基於憑證序號的郵件解密方法的,係一種基於憑證序號的郵件解密系統,其係經組態以設置於電子郵件傳遞網路中的一接收者端平台,其包含:1.一憑證資訊存取模組,該憑證資訊存取模組係經組態以接收該加密郵件並進行剖析,其中,該加密郵件係由該寄件者端平台以即時的該收件者憑證中的公鑰加密後寄發的。而該憑證資訊存取模組經組態以取出該加密郵件中密碼訊息語法資訊(Cryptographic Message Syntax,CMS)中的封裝檔,再自封裝檔中獲取接收者標識符,並用以確認接收者資訊類型,該憑證資訊存取 模組進而獲取接收者資訊中的關於該收件者憑證的一第一憑證序號,該憑證資訊存取模組更能存取收件者端安全載具,以獲取目前該收件者憑證中的一第二憑證序號及一主體密鑰標識符;2.一憑證查詢模組,與該憑證資訊存取模組以及一憑證資料庫通訊連接,該憑證資訊存取模組係透過該憑證查詢模組輸入該第一憑證序號來獲取關於該收件者憑證的資訊;3.一憑證資訊分析模組,與該憑證資訊存取模組通訊連接,經組態以比對該憑證資訊存取模組取得的該第一憑證序號以及該第二憑證序號,以確認該收件者憑證是否經展期;以及4.一接收者資訊更新模組,與該憑證資訊分析模組通訊連接,以將該加密郵件中接收者資訊內的該第一憑證序號更新為憑證展期後的該主體密鑰標識符,即係置換密碼訊息語法(Cryptographic Message Syntax)規範的封裝檔(Enveloped Data)中的接收者資訊,以使更新後的該加密郵件能經由該憑證資訊存取模組取得展期後的該收件者憑證對應的私鑰以解密。 Corresponding to the mail decryption method based on the voucher serial number of the present invention, there is a mail decryption system based on the voucher serial number, which is configured to be disposed in a recipient end platform in the e-mail delivery network, comprising: 1. a voucher information access module configured to receive and parse the encrypted mail, wherein the encrypted mail is in the instant recipient's voucher by the sender end platform The public key is encrypted and sent. The voucher information access module is configured to retrieve the encapsulation file in the Cryptographic Message Syntax (CMS) of the encrypted e-mail, and obtain the receiver identifier from the package file, and confirm the recipient information. Type, the credential information access The module further obtains a first voucher number in the recipient information about the recipient voucher, and the credential information access module can further access the recipient end security vehicle to obtain the current recipient voucher. a second voucher serial number and a body key identifier; 2. a voucher query module, which is in communication with the voucher information access module and a voucher database, and the voucher information access module queries through the voucher The module inputs the first document serial number to obtain information about the recipient voucher; 3. a voucher information analysis module, which is in communication with the voucher information access module, configured to access the voucher information The first voucher serial number obtained by the module and the second voucher serial number to confirm whether the recipient voucher has been renewed; and 4. a recipient information update module, and the credential information analysis module is communicatively connected to The first voucher number in the recipient information in the encrypted mail is updated to the subject key identifier after the voucher extension, that is, in the Enveloped Data of the Cryptographic Message Syntax specification. The recipient information is such that the updated encrypted email can be decrypted by the voucher information access module to obtain the private key corresponding to the extended recipient's voucher.

1‧‧‧郵件解密系統 1‧‧‧Mail decryption system

11‧‧‧憑證資訊存取模組 11‧‧‧Voucher Information Access Module

12‧‧‧憑證查詢模組 12‧‧‧Voucher Inquiry Module

13‧‧‧憑證資訊分析模組 13‧‧‧Voucher Information Analysis Module

14‧‧‧接收者資訊更新模組 14‧‧‧Recipient Information Update Module

21‧‧‧寄件者端瀏覽器 21‧‧‧Sender browser

22‧‧‧寄件者端郵件代理程式 22‧‧‧Sender-side mail agent

31‧‧‧收件者端瀏覽器 31‧‧‧Recipient browser

32‧‧‧收件者端郵件代理程式 32‧‧‧Recipient-side mail agent

33‧‧‧收件者端安全載具 33‧‧‧Receiver safety carrier

41‧‧‧公鑰資料庫 41‧‧‧ Public Key Database

42‧‧‧憑證資料庫 42‧‧‧Voucher database

S11~S17‧‧‧方法步驟 S11~S17‧‧‧ method steps

圖1為本發明基於憑證序號的郵件解密系統架構之第一示意圖。 FIG. 1 is a first schematic diagram of an architecture of a mail decryption system based on a certificate serial number according to the present invention.

圖2為本發明基於憑證序號的郵件解密系統架構之第二示意圖。 2 is a second schematic diagram of an architecture of a mail decryption system based on a certificate serial number according to the present invention.

圖3為本發明基於憑證序號的郵件解密方法之步驟流程圖。 3 is a flow chart showing the steps of a method for decrypting a mail based on a voucher number according to the present invention.

以下將以實施例結合圖式,以對本發明進行進一步說明,首先請參照圖1,揭露一實施例係為一種基於憑證序號之郵件解密系統1,其架構如圖中所示,郵件解密系統1係由一憑證資訊存取模組11、一憑證查詢模組12、一憑證資訊分析模組13以及一接收者資訊更新模組14之間通訊連結所組成。在本實施例中,郵件解密系統1所接收的加密郵件之格式係符合PKCS #7密碼訊息語法(CMS)規範。 The present invention will be further described with reference to the embodiments in the following. Referring first to FIG. 1 , an embodiment is disclosed as a mail decryption system 1 based on a certificate serial number. The architecture of the mail decryption system 1 is shown in the figure. It consists of a communication link between a voucher information access module 11, a voucher query module 12, a voucher information analysis module 13 and a recipient information update module 14. In the present embodiment, the format of the encrypted mail received by the mail decryption system 1 conforms to the PKCS #7 cryptographic message syntax (CMS) specification.

郵件解密系統1中包含一憑證資訊存取模組11,其主要功能係為用以剖析加密郵件,以取出密碼訊息語法訊息中的封裝檔(Enveloped Data),另外,憑證資訊存取模組11更可存取客戶端的安全載具以取出客戶端的憑證資訊。 The mail decryption system 1 includes a voucher information access module 11 whose main function is to parse the encrypted mail to retrieve the Enveloped Data in the cryptographic message grammar message. In addition, the voucher information access module 11 More secure access to the client's security vehicle to retrieve the client's credential information.

郵件解密系統1中包含一憑證查詢模組12,其係與憑證資訊存取模組11通訊連結,其提供了一介面以存取一憑證資料庫,透過以憑證序號作為輸入值輸入該憑證資料庫,進而獲取憑證序號相對應之憑證,或獲取相對應憑證內公鑰之主體密鑰標識符。 The mail decryption system 1 includes a voucher query module 12, which is in communication with the voucher information access module 11, and provides an interface for accessing a voucher database, and inputting the voucher data by using the voucher serial number as an input value. The library, in turn, obtains the voucher corresponding to the voucher number, or obtains the subject key identifier of the public key in the corresponding voucher.

郵件解密系統1中包含一憑證資訊分析模組13,其係與憑證資訊存取模組11通訊連接,其係用以分析和比對自客戶端安全載具中取得之憑證資訊以及自憑證查詢模組12取得之憑證資訊,即為如前揭發明內容中所述之比對該憑證資訊存取模組取得的該第一憑證序號以及該第二憑證序號,來確認收件者的憑證是否已經展期變更。 The mail decryption system 1 includes a voucher information analysis module 13 which is in communication with the voucher information access module 11 for analyzing and comparing the voucher information obtained from the client security vehicle and the self-voucher query. The voucher information obtained by the module 12 is the first voucher serial number and the second voucher serial number obtained by the voucher information access module as described in the foregoing disclosure, to confirm whether the voucher's voucher is It has been changed by extension.

接收者資訊更新模組14,該接收者資訊更新模組14與憑證資訊存取模組11通訊連接,該接收者資訊更新模組可在確認憑證經展期後,將加密郵件中的PKCS #7密碼訊息語法訊息中的封裝檔(Enveloped Data)中的接收者資訊更新。 Receiver information update module 14, the recipient information update module 14 is in communication with the credential information access module 11, and the recipient information update module can encrypt the PKCS #7 in the encrypted mail after the confirmation voucher is extended. Recipient information update in the Enveloped Data in the cryptographic message syntax message.

經過上述模組之組合,本發明之郵件解密系統1可以將經憑證展期過產生憑證序號變更中的加密郵件解密,以獲取其內容資訊。 Through the combination of the above modules, the mail decryption system 1 of the present invention can decrypt the encrypted mail in the certificate serial number change by the voucher extension to obtain the content information.

再請參閱圖2,其係為本發明之系統架構第二示意圖。如圖中所示,其展示了本發明之另一較佳實施例,郵件解密系統1如同圖1的架構包含了憑證資訊存取模組11、憑證查詢模組12、憑證資訊分析模組13以及接收者資訊更新模組14,各模組之功能敘述同於圖1中對應之模組,加密郵件格式之符合PKCS #7 CMS Standard規範。另外,本實施例之架構中,更包含有寄件者端瀏覽器21、寄件者端郵件代理程式22、收件者端瀏覽器31、收件者端郵件代理程式32、收件者端安全載具33、公鑰資料庫41以及憑證資料庫42。其中,寄件者端瀏覽器21和公鑰資料庫41連結至寄件者端郵件代理程式22,而寄件者端郵件代理程式22連結至收件者端郵件代理程式32,收件者端郵件代理程式32則可傳輸郵件至本發明的郵件解密系統1中的憑證資訊存取模組11,而收件者端安全載具33亦與憑證資訊存取模組11連結。而憑證資料庫42則與本發明的郵件解密系統1中的憑證查詢模組12連結,收件者端瀏覽器31與接收者資訊更新模組14連結。 Please refer to FIG. 2 again, which is a second schematic diagram of the system architecture of the present invention. As shown in the figure, another preferred embodiment of the present invention is shown. The mail decryption system 1 includes a voucher information access module 11, a voucher query module 12, and a voucher information analysis module 13 as in the architecture of FIG. And the receiver information update module 14, the function description of each module is the same as the corresponding module in FIG. 1, and the encrypted mail format conforms to the PKCS #7 CMS Standard specification. In addition, the architecture of the embodiment further includes a sender browser 21, a sender mail agent 22, a recipient browser 31, a recipient mail agent 32, and a recipient end. The secure carrier 33, the public key database 41, and the voucher database 42. The sender-side browser 21 and the public key database 41 are linked to the sender-side mail agent 22, and the sender-side mail agent 22 is linked to the recipient-side mail agent 32, the recipient side. The mail agent 32 can transmit the mail to the voucher information access module 11 in the mail decryption system 1 of the present invention, and the recipient security device 33 is also connected to the voucher information access module 11. The voucher database 42 is coupled to the voucher query module 12 of the mail decryption system 1 of the present invention, and the recipient browser 31 is coupled to the recipient information update module 14.

而圖2中系統架構中的各模組的資訊傳遞與運作流程大致如下: The information transfer and operation process of each module in the system architecture in Figure 2 is as follows:

1.郵件寄件者透過操作寄件者端瀏覽器21,其使用郵件 接收者的憑證展期前之公鑰來對欲寄出之郵件進行加密,而對應憑證之公鑰可以透過存取公鑰資料庫41來取得。郵件寄件者透過寄件者端郵件代理程式22將加密郵件寄出後,郵件接收者向憑證中心(CA)提出憑證展期之申請。一般來說,憑證展期將不影響原憑證的金鑰對,但憑證序號會產生變更。 1. The mail sender uses the mail from the sender's browser 21, which uses the mail The public key of the recipient's voucher extension is used to encrypt the mail to be sent, and the public key of the corresponding voucher can be obtained by accessing the public key database 41. After the mail sender sends the encrypted mail through the sender-side mail agent 22, the mail recipient submits an application for the voucher renewal to the certificate center (CA). In general, the voucher rollover will not affect the key pair of the original voucher, but the voucher serial number will change.

2.若干時間過後,郵件接收者透過操作收件者端瀏覽器31,嘗試接收經由收件者端郵件代理程式32傳來的加密郵件,但此時郵件收件者的憑證已經展期。 2. After a certain amount of time, the mail recipient attempts to receive the encrypted mail transmitted via the recipient's mail agent 32 by operating the recipient's browser 31, but at this time the mail recipient's credentials have been renewed.

3.因為郵件接收者在收件者的憑證展期後,才欲解密憑證展期前收到的加密郵件,此時,加密郵件封裝檔(Enveloped Data)中的接收者資訊仍係展期前憑證之憑證序號,而非展期後的新憑證序號,在此狀況下,並無法存取收件者端安全載具33內之收件者私鑰來解密加密郵件。 3. Because the recipient of the mail only wants to decrypt the encrypted mail received before the voucher extension, the recipient information in the encrypted mail package (Enveloped Data) is still the certificate of the pre-extension certificate. The serial number, rather than the new voucher number after the extension, in which case the recipient's private key in the recipient's secure carrier 33 cannot be accessed to decrypt the encrypted message.

4.若透過本發明之實施,郵件接收者可透過憑證資訊存取模組11剖析憑證展期前寄出的該加密郵件,從中取出CMS訊息中的封裝檔,找出接收者標識符,進而判斷接收者資訊是否為憑證序號類型,然後,再更進一步取得憑證序號值。 4. Through the implementation of the present invention, the mail recipient can analyze the encrypted mail sent before the voucher extension through the voucher information access module 11, extract the package file in the CMS message, find the receiver identifier, and then judge Whether the recipient information is the certificate serial number type, and then further obtain the certificate serial number value.

5.郵件接收者可透過憑證資訊存取模組11讀取收件者端安全載具33中即時的憑證資訊,取出的憑證資訊包含有憑證序號和主體密鑰標識符。 5. The mail recipient can read the instant credential information in the secure carrier 33 of the recipient through the credential information access module 11, and the extracted credential information includes the voucher serial number and the subject key identifier.

6.憑證資訊存取模組11將自加密郵件內取出的憑證序號傳遞至憑證查詢模組12,以經憑證查詢模組12存取憑證資料庫42,來取得與憑證序號相對應之憑證,此憑 證係為收件者實施憑證展期前之憑證。 The voucher information access module 11 passes the voucher number extracted from the encrypted e-mail to the voucher query module 12, and accesses the voucher database 42 via the voucher query module 12 to obtain a voucher corresponding to the voucher serial number. This The certificate is the voucher for the recipient to implement the voucher extension.

7.透過憑證資訊分析模組13分析並比對收件者端安全載具33中的憑證資訊和郵件寄件者加密郵件時所用的憑證資訊,並根據分析結果判斷是否需啟動接收者資訊更新模組14。 7. The voucher information analysis module 13 analyzes and compares the voucher information in the recipient security device 33 with the voucher information used by the mail sender to encrypt the mail, and determines whether the recipient information update needs to be initiated according to the analysis result. Module 14.

8.當分析結果為展期前後憑證之憑證序號不一致,但兩者之公鑰卻一致,則判斷為需要更新之情形,也就是須更新加密郵件中的接收者資訊,將其憑證序號更改為主體密鑰標識符。 8. When the analysis result is that the voucher numbers of the voucher before and after the extension are inconsistent, but the public keys of the two are the same, it is judged that the situation needs to be updated, that is, the recipient information in the encrypted mail must be updated, and the voucher serial number is changed to the main body. Key identifier.

9.由於郵件接收者已透過接收者資訊更新模組14執行接收者資訊更新,因此,目前之加密郵件資訊足以自收件者端安全載具33存取展期後憑證對應的私鑰,用以解密由展期前憑證加密之已加密郵件。 9. Since the recipient of the email has performed the recipient information update through the recipient information update module 14, the current encrypted email information is sufficient to access the private key corresponding to the post-expansion voucher from the recipient-side secure carrier 33. Decrypt encrypted messages encrypted by pre-deployment credentials.

再,請見圖3,其係為本發明基於憑證序號的郵件解密方法之步驟流程圖流程圖,本發明方法主要包含下述步驟:(步驟S11)加密郵件、(步驟S12)已加密郵件內容剖析、(步驟S13)存取客戶端安全載具、(步驟S14)存取憑證查詢模組、(步驟S15)分析憑證資訊、(步驟S16)更新已加密郵件之接收者資訊、(步驟S17)解密已加密郵件。對應本發明之系統,本方法之目的,係用於解決接收到的加密郵件之新憑證公鑰與之前使用於已加密郵件的公鑰一致,但憑證序號不同導致無法進行解密之問題,其步驟詳細分述如下: 3 is a flow chart of the steps of the method for decrypting the mail based on the voucher number of the present invention. The method of the present invention mainly comprises the following steps: (step S11) encrypting the mail, (step S12) the encrypted mail content. Parsing, (step S13) accessing the client security vehicle, (step S14) accessing the voucher query module, (step S15) analyzing the voucher information, (step S16) updating the recipient information of the encrypted mail, (step S17) Decrypt the encrypted message. Corresponding to the system of the present invention, the purpose of the method is to solve the problem that the new voucher public key of the received encrypted mail is consistent with the public key previously used for the encrypted mail, but the voucher serial number is different, and the decryption cannot be performed. The details are as follows:

1.步驟S11、加密郵件:郵件寄件者使用展期前憑證之公鑰產生加密郵件後寄出,日後,郵件接收者可能因收到憑證到期通知而有憑證展期需求,因此向憑證中心提出憑證展期申請。 1. Step S11: Encrypted mail: The mail sender uses the public key of the pre-extension certificate to generate an encrypted mail and sends it. In the future, the mail recipient may have a voucher renewal request due to the receipt of the voucher expiration notice, so the voucher center is presented to the voucher center. Voucher extension application.

2.步驟S12、已加密郵件內容剖析:郵件接收者端平台取得加密郵件,並對其內容進行剖析,取出其中的CMS資訊中的接收者資訊後,進一步分析接收者資訊是否為憑證序號類型,若是,則取得所屬憑證序號值。 2. Step S12: Analysis of the encrypted mail content: the mail receiver platform obtains the encrypted mail, and analyzes the content thereof, and takes out the receiver information in the CMS information, and further analyzes whether the recipient information is the certificate serial number type. If yes, the value of the certificate number is obtained.

3.步驟S13、存取客戶端安全載具:接收者端平台存取客戶端安全載具中的憑證,或憑證中公鑰的主體密鑰標識符。 3. Step S13: Accessing the client security vehicle: The recipient platform accesses the credentials in the client security vehicle, or the principal key identifier of the public key in the credentials.

4.步驟S14、存取憑證查詢模組:依照加密郵件中接收者資訊內的憑證序號存取憑證查詢模組,以取得寄發加密郵件時所使用之憑證。 4. Step S14: Accessing the voucher query module: accessing the voucher query module according to the voucher serial number in the recipient information of the encrypted mail to obtain the voucher used when sending the encrypted mail.

5.步驟S15、分析憑證資訊:分析寄件者加密郵件時所用的憑證與客戶端安全載具中的憑證,比對是否其憑證序號不一致但公鑰卻一致,若確有此情形,則代表收件者的憑證在郵件寄出後已經展期,故需啟動接收者資訊更新模組。 5. Step S15: Analyze the voucher information: analyze the voucher used by the sender to encrypt the mail and the voucher in the client security vehicle, and compare whether the voucher number is inconsistent but the public key is consistent. If this is the case, the representative The recipient's voucher has been renewed after the mail has been sent, so the recipient information update module needs to be activated.

6.步驟S16、更新加密郵件之接收者資訊:將加密郵件的CMS的接收者資訊內的憑證序號值進行變更,更改為相對應公鑰之主體密鑰標識符。 6. Step S16: Update the recipient information of the encrypted mail: change the certificate serial number value in the recipient information of the CMS of the encrypted mail, and change it to the subject key identifier of the corresponding public key.

7.步驟S17、解密加密郵件:經步驟S16後,郵件接收者端平台即可存取收件者端安全載具,以獲取憑證展期後憑證對應之私鑰,以此私鑰,即可解密透過舊憑證加密之加密郵件,令收件者可獲取其中內容。 7. Step S17, decrypting the encrypted mail: After step S16, the mail receiver platform can access the recipient security vehicle to obtain the private key corresponding to the voucher after the voucher extension, and the private key can be used to decrypt Encrypted mail encrypted with old credentials, so that the recipient can get the content.

若與先前技術相比,本發明具有以下優點: The present invention has the following advantages when compared to the prior art:

1.本發明能使得郵件的收件者在進行收件者憑證展期後,仍能正常解密由展期前憑證加密之加密郵件。 1. The present invention enables the recipient of the mail to normally decrypt the encrypted mail encrypted by the pre-deployment credential after the recipient's voucher is renewed.

2.本發明之系統(或稱平台)可剖析加密郵件的PKCS #7 CMS訊息以及即時的憑證訊息,以判斷憑證是否經展期。 2. The system (or platform) of the present invention can parse encrypted mail PKCS #7 CMS messages and instant voucher messages to determine if the voucher has been renewed.

3.本發明不會改變加解密郵件時之既有工作流,或對既存之公開金鑰基礎建設(Public Key Infrastructure,PKI)架構產生影響,當不會產生額外的安全疑慮。 3. The present invention does not change the existing workflow when encrypting and decrypting mail, or has an impact on the existing Public Key Infrastructure (PKI) architecture, without incurring additional security concerns.

綜上所述,本發明於技術思想上實屬創新,也具備先前技術不及的多種功效,已充分符合新穎性及進步性之法定發明專利要件,爰依法提出專利申請,懇請 貴局核准本件發明專利申請案以勵發明,至感德便。 In summary, the present invention is innovative in terms of technical ideas, and also has various functions that are not in the prior art, and has fully complied with the statutory invention patent requirements of novelty and progressiveness, and has filed a patent application according to law, and invites you to approve the invention. The patent application was inspired to invent, and it was a matter of feeling.

Claims (6)

一種基於憑證序號的郵件解密方法,其係由與一寄件者端平台通訊連結的一接收者端平台經組態以執行,包含下列步驟:接收由該寄件者端平台以一收件者憑證的公鑰加密後寄發的一加密郵件;剖析以取出該加密郵件中密碼訊息語法資訊中的封裝檔,自封裝檔中獲取接收者標識符,以確認該加密郵件的接收者資訊,並自接收者資訊中獲取該收件者憑證對應的一第一憑證序號以及憑證資訊;存取一收件者端安全載具,以獲取即時的該收件者憑證資訊中的一第二憑證序號及公鑰的一主體密鑰標識符;比對該第一憑證序號以及該第二憑證序號和兩憑證序號各自對應的公鑰,以確認該收件者憑證是否在該加密郵件寄發後已展期;啟動一接收者資訊更新模組以將該加密郵件中接收者資訊內的該第一憑證序號更新為憑證展期後的該主體密鑰標識符;以及根據更新過的接收者資訊存取該收件者端安全載具,獲取展期後的該收件者憑證對應的私鑰以解密該加密郵件。 A mail decryption method based on a voucher serial number, which is configured to be executed by a receiver end platform communicatively coupled with a sender end platform, comprising the steps of: receiving a recipient by the sender end platform An encrypted mail sent by the public key of the voucher after being encrypted; parsing to extract the package file in the cryptographic message syntax information of the encrypted mail, obtaining the recipient identifier from the package file, to confirm the recipient information of the encrypted mail, and Obtaining a first voucher serial number and voucher information corresponding to the recipient voucher from the recipient information; accessing a recipient security device to obtain an instant second voucher serial number in the recipient voucher information And a public key identifier of the public key; a public key corresponding to the first voucher serial number and the second voucher serial number and the two voucher serial numbers respectively to confirm whether the recipient voucher has been sent after the encrypted mail is sent Expanding a recipient information update module to update the first voucher number in the recipient information in the encrypted mail to the subject key identifier after the voucher extension; and The recipient through recipient terminal information access security vehicle, obtaining the extension of the document recipient to decrypt the private key corresponding to the encrypted message. 如申請專利範圍第1項的基於憑證序號的郵件解密方法,其中,若該郵件接收者端平台比對該第一憑證序號以及該第二憑證序號相異,但兩憑證序號對應公鑰相同,則確認該收件者憑證在該加密郵件寄發後已展期。 The method for decrypting a mail based on a document serial number according to claim 1, wherein if the mail receiver platform is different from the first document serial number and the second document serial number, but the two document serial numbers correspond to the public key, Then confirm that the recipient's voucher has been renewed after the encrypted mail has been sent. 如申請專利範圍第1項的基於憑證序號的郵件解密方法,其中,該加密郵件係由該寄件者端平台透過一郵件使用者 代理程式寄發。 The method for decrypting a mail based on a voucher serial number according to claim 1, wherein the encrypted mail is transmitted by the sender end platform through a mail user The agent sends it. 一種基於憑證序號的郵件解密系統,其係經組態設置於電子郵件傳遞網路中的接收者端平台,其至少包含:一憑證資訊存取模組,用於接收並剖析由一寄件者端平台以一收件者憑證的一公鑰加密後寄發的一加密郵件,該憑證資訊存取模組經組態以取出該加密郵件中密碼訊息語法資訊中的封裝檔,再自封裝檔中獲取接收者標識符來確認接收者資訊類型,以獲取接收者資訊中的關於該收件者憑證的一第一憑證序號,該憑證資訊存取模組更能存取收件者端安全載具,以獲取目前該收件者憑證中的一第二憑證序號及一主體密鑰標識符;一憑證查詢模組,與該憑證資訊存取模組以及一憑證資料庫通訊連接,該憑證資訊存取模組係透過該憑證查詢模組輸入該第一憑證序號來獲取關於該收件者憑證的資訊;一憑證資訊分析模組,與該憑證資訊存取模組通訊連接,以比對該憑證資訊存取模組取得的該第一憑證序號以及該第二憑證序號,以確認該收件者憑證是否經展期;一接收者資訊更新模組,與該憑證資訊分析模組通訊連接,以將該加密郵件中接收者資訊內的該第一憑證序號更新為憑證展期後的該主體密鑰標識符,以使該加密郵件能經由該憑證資訊存取模組取得展期後的該收件者憑證對應的私鑰以解密。 A mail decryption system based on a voucher serial number, configured to be configured on a recipient end platform in an e-mail delivery network, comprising at least: a voucher information access module for receiving and parsing a sender The encrypted platform sent by the end platform is encrypted by a public key of the recipient's voucher, and the voucher information access module is configured to take out the package file in the cryptographic message grammar information of the encrypted mail, and then self-package the file. Obtaining a receiver identifier to confirm a recipient information type, to obtain a first document serial number of the recipient information in the recipient information, and the credential information access module can further access the recipient security payload Having a second voucher serial number and a body key identifier in the current recipient voucher; a voucher query module, communicating with the voucher information access module and a voucher database, the credential information The access module receives the first voucher number through the voucher query module to obtain information about the voucher's voucher; a voucher information analysis module is communicably connected to the credential information access module. Comparing the first voucher serial number obtained by the voucher information access module with the second voucher serial number to confirm whether the recipient voucher has been renewed; a recipient information update module communicating with the voucher information analysis module Connecting to update the first voucher number in the recipient information in the encrypted mail to the subject key identifier after the voucher extension, so that the encrypted mail can obtain the post-expansion via the voucher information access module The private key corresponding to the recipient's voucher is decrypted. 如申請專利範圍第4項的基於憑證序號的郵件解密系統,其中,若該郵件接收者端平台比對該第一憑證序號以及該第二憑證序號相異,但兩者對應公鑰相同,則可確認該收件者憑證在該加密郵件寄發後已展期。 The document decryption system based on the voucher serial number of claim 4, wherein if the mail recipient platform is different from the first voucher serial number and the second voucher serial number, but the two corresponding public keys are the same, It can be confirmed that the recipient's voucher has been renewed after the encrypted mail has been sent. 如申請專利範圍第4項的基於憑證序號的郵件解密系統,其中,該加密郵件係由該寄件者端平台透過一郵件使用者代理程式寄發。 For example, the document number-based mail decryption system of claim 4, wherein the encrypted mail is sent by the sender-side platform through a mail user agent.
TW106106660A 2017-03-01 2017-03-01 Mail decryption system and method based on document serial number TWI618026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106106660A TWI618026B (en) 2017-03-01 2017-03-01 Mail decryption system and method based on document serial number

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106106660A TWI618026B (en) 2017-03-01 2017-03-01 Mail decryption system and method based on document serial number

Publications (2)

Publication Number Publication Date
TWI618026B true TWI618026B (en) 2018-03-11
TW201833866A TW201833866A (en) 2018-09-16

Family

ID=62189325

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106106660A TWI618026B (en) 2017-03-01 2017-03-01 Mail decryption system and method based on document serial number

Country Status (1)

Country Link
TW (1) TWI618026B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7936873B2 (en) * 2007-05-07 2011-05-03 Apple Inc. Secure distribution of content using decryption keys
TW201447635A (en) * 2013-06-10 2014-12-16 Jie Chen Content verification method based on digital signature codes
TWI473488B (en) * 2011-08-25 2015-02-11 Mxtran Inc Method and storage device for protecting digital content

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7936873B2 (en) * 2007-05-07 2011-05-03 Apple Inc. Secure distribution of content using decryption keys
TWI473488B (en) * 2011-08-25 2015-02-11 Mxtran Inc Method and storage device for protecting digital content
TW201447635A (en) * 2013-06-10 2014-12-16 Jie Chen Content verification method based on digital signature codes

Also Published As

Publication number Publication date
TW201833866A (en) 2018-09-16

Similar Documents

Publication Publication Date Title
US20210258288A1 (en) Secure multi-party protocol
US10554420B2 (en) Wireless connections to a wireless access point
JP5432999B2 (en) Encryption key distribution system
US8117459B2 (en) Personal identification information schemas
US9130758B2 (en) Renewal of expired certificates
US8104074B2 (en) Identity providers in digital identity system
US7890634B2 (en) Scalable session management
US8788811B2 (en) Server-side key generation for non-token clients
CN101247232B (en) Encryption technique method based on digital signature in data communication transmission
US20050144439A1 (en) System and method of managing encryption key management system for mobile terminals
US20060053280A1 (en) Secure e-mail messaging system
WO2019109097A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US20050138365A1 (en) Mobile device and method for providing certificate based cryptography
US20110113240A1 (en) Certificate renewal using enrollment profile framework
US20070288746A1 (en) Method of providing key containers
US20040186998A1 (en) Integrated security information management system and method
CN113051540B (en) Application program interface safety grading treatment method
JP2003188874A (en) System for secure data transmission
US20230299973A1 (en) Service registration method and device
JP3711931B2 (en) E-mail system, processing method thereof, and program thereof
KR20130039745A (en) System and method for authentication interworking
KR100848966B1 (en) Method for authenticating and decrypting of short message based on public key
TWI618026B (en) Mail decryption system and method based on document serial number
CN115906117A (en) Trusted application implementation method based on blockchain transaction
CN112035820B (en) Data analysis method used in Kerberos encryption environment