TWI730549B - System for checking key pair generating algorithm during certificate applying process and method thereof - Google Patents
System for checking key pair generating algorithm during certificate applying process and method thereof Download PDFInfo
- Publication number
- TWI730549B TWI730549B TW108146347A TW108146347A TWI730549B TW I730549 B TWI730549 B TW I730549B TW 108146347 A TW108146347 A TW 108146347A TW 108146347 A TW108146347 A TW 108146347A TW I730549 B TWI730549 B TW I730549B
- Authority
- TW
- Taiwan
- Prior art keywords
- certificate
- client
- algorithm
- key pair
- authentication server
- Prior art date
Links
Images
Abstract
Description
一種憑證申請系統及其方法,特別係指一種於憑證申請過程中確認金鑰對產生演算法之系統及方法。A certificate application system and method, in particular, refers to a system and method for confirming the key pair generation algorithm in the certificate application process.
公鑰基礎架構(Public Key Infrastructure, PKI),又稱公開金鑰基礎架構、公開金鑰基礎建設、公鑰基礎建設、公鑰基礎設施、或公開密碼基礎建設等,是一組由硬體、軟體、參與者、管理政策與流程組成的基礎架構,其目的在於創造、管理、分配、使用、儲存以及復原數位憑證。由密碼學的角度,公鑰基礎建設藉著數位憑證認證機構(Certificate Authority, CA)將使用者的個人身分跟公開金鑰鏈結在一起。同時,對每個數位憑證認證機構而言,使用者的身分必須是唯一的。Public Key Infrastructure (PKI), also known as public key infrastructure, public key infrastructure, public key infrastructure, public key infrastructure, or public cryptographic infrastructure, is a group of hardware, An infrastructure composed of software, participants, management policies, and procedures is designed to create, manage, distribute, use, store, and restore digital certificates. From the perspective of cryptography, the public key infrastructure uses a digital certificate authority (CA) to link the personal identity of the user with the public key. At the same time, for each digital certificate certification authority, the user's identity must be unique.
使用者可以使用預定的演算法產生包含公開金鑰(簡稱公鑰)與私有金鑰(簡稱私鑰)的金鑰對,再使用公鑰產生憑證簽署請求,並透過憑證簽署請求向數位憑證認證機構申請數位憑證,如此,使用者便可以使用數位憑證透過公鑰基礎架構在網路上證明自己的身分。The user can use a predetermined algorithm to generate a key pair consisting of a public key (public key for short) and a private key (private key for short), then use the public key to generate a certificate signing request, and authenticate to the digital certificate through the certificate signing request The organization applies for a digital certificate so that users can use the digital certificate to prove their identity on the Internet through the public key infrastructure.
然而,隨著技術的進步,可能出現速度更快、效率更高的加解密演算法,或是某些加解密演算法可能出現漏洞,這表示加解密速度/效率不佳或出現漏洞的加解密演算法需要被淘汰。但公鑰基礎建設的數位憑證認證機構並沒有拒絕被使用者用來產生金鑰對之演算法的有效機制,當數位憑證認證機構接收到使用者的憑證簽署請求後,只要憑證簽署請求通過數位憑證認證機構的驗證,數位憑證認證機構便會核發數位憑證給使用者。However, with the advancement of technology, there may be faster and more efficient encryption and decryption algorithms, or some encryption and decryption algorithms may have loopholes, which means that the encryption and decryption speed/efficiency is not good or there are loopholes. Algorithms need to be eliminated. However, the digital certificate certification authority of the public key infrastructure does not reject the effective mechanism of the algorithm used by the user to generate the key pair. When the digital certificate authority receives the user’s certificate signing request, it will only pass the digital certificate signing request. Upon verification by the certificate certification authority, the digital certificate certification authority will issue a digital certificate to the user.
綜上所述,可知先前技術中長期以來一直存在數位憑證認證機構在核發數位憑證之過程中不會檢查使用者產生金鑰對之演算法的問題,因此有必要提出改進的技術手段,來解決此一問題。In summary, it can be seen that there has been a long-standing problem in the prior art that the digital certificate certification authority does not check the algorithm of the key pair generated by the user in the process of issuing digital certificates. Therefore, it is necessary to propose improved technical means to solve the problem. This question.
有鑒於先前技術存在數位憑證認證機構不會驗證使用者產生金鑰對之演算法的問題,本發明遂揭露一種於憑證申請過程中確認金鑰對產生演算法之系統及其方法,其中:In view of the problem in the prior art that the digital certificate certification authority does not verify the algorithm for generating the key pair by the user, the present invention discloses a system and method for confirming the algorithm for generating the key pair during the certificate application process, in which:
本發明所揭露之於憑證申請過程中確認金鑰對產生演算法之系統,至少包含:客戶端,用以使用演算法產生包含客戶端公鑰及客戶端私鑰之金鑰對,及用以產生包含該客戶端公鑰及演算法訊息之憑證簽署請求;憑證註冊主機,用以接收憑證簽署請求,及用以產生包含憑證簽署請求之憑證申請資料,並對憑證申請資料簽章以產生主機簽章資料;憑證認證伺服器,用以接收憑證申請資料及主機簽章資料,並依據主機簽章資料驗證憑證申請資料,及用以於憑證申請資料通過驗證時,檢查憑證申請資料,並於憑證申請資料通過檢查時,依據憑證簽署請求中之演算法訊息判斷客戶端所使用之演算法是否符合演算要求,及於演算法符合演算要求時,產生數位憑證,並透過憑證註冊主機傳送數位憑證至客戶端,使客戶端儲存數位憑證。The system for confirming the key pair generation algorithm in the certificate application process disclosed in the present invention at least includes: a client for generating a key pair including a client public key and a client private key by using the algorithm, and Generate a certificate signing request containing the client's public key and algorithm information; the certificate registration host is used to receive the certificate signing request, and to generate the certificate application data containing the certificate signing request, and sign the certificate application data to generate the host Signature data; the certificate authentication server is used to receive certificate application data and host signature data, and verify the certificate application data according to the host signature data, and to check the certificate application data when the certificate application data is verified, and When the certificate application data passes the check, the algorithm information in the certificate signing request is used to determine whether the algorithm used by the client meets the calculation requirements, and when the algorithm meets the calculation requirements, a digital certificate is generated and the digital certificate is sent through the certificate registration host To the client, make the client store the digital certificate.
本發明所揭露之於憑證申請過程中確認金鑰對產生演算法之方法,其步驟至少包括:客戶端使用演算法產生包含客戶端公鑰及客戶端私鑰之金鑰對;客戶端產生包含憑證簽署請求包含客戶端公鑰及演算法訊息之憑證簽署請求,並傳送憑證簽署請求至憑證註冊主機;憑證註冊主機產生包含憑證簽署請求之憑證申請資料,並對憑證申請資料簽章以產生主機簽章資料後,傳送憑證申請資料及主機簽章資料至憑證認證伺服器;憑證認證伺服器依據主機簽章資料成功驗證憑證申請資料後,檢查憑證申請資料;憑證認證伺服器於憑證申請資料通過檢查後,依據憑證簽署請求中之演算法訊息判斷客戶端使用之演算法符合演算要求時,產生數位憑證,並透過憑證註冊主機傳送數位憑證至客戶端;客戶端儲存數位憑證。The method for confirming the key pair generation algorithm in the certificate application process disclosed in the present invention includes at least the steps: the client uses the algorithm to generate a key pair including the client public key and the client private key; the client generation includes The certificate signing request includes a certificate signing request containing the client's public key and algorithm information, and sends the certificate signing request to the certificate registration host; the certificate registration host generates the certificate application data containing the certificate signing request, and signs the certificate application data to generate the host After signing the signature data, send the certificate application data and host signature data to the certificate authentication server; the certificate authentication server successfully verifies the certificate application data according to the host signature data, then checks the certificate application data; the certificate authentication server passes the certificate application data After checking, according to the algorithm information in the certificate signing request, when it is determined that the algorithm used by the client meets the calculation requirements, a digital certificate is generated, and the digital certificate is sent to the client through the certificate registration host; the client stores the digital certificate.
本發明所揭露之系統與方法如上,與先前技術之間的差異在於本發明透過在客戶端使用演算法產生金鑰對,並透過憑證註冊主機將包含產生金鑰對之演算法的演算法訊息的憑證簽署請求傳送至憑證認證伺服器後,憑證認證伺服器可以判斷憑證簽署請求中之演算法訊息是否符合演算要求,並在客戶端產生金鑰對之演算法符合演算要求時才產生數位憑證,藉以解決先前技術所存在的問題,並可以達成增加安全性與加解密效能之技術功效。The system and method disclosed in the present invention are as described above. The difference between the present invention and the prior art is that the present invention generates a key pair by using an algorithm on the client side, and the certificate registration host will include the algorithm information of the algorithm for generating the key pair. After the certificate signing request of is sent to the certificate authentication server, the certificate authentication server can determine whether the algorithm information in the certificate signing request meets the calculation requirements, and only generate a digital certificate when the algorithm of the key pair generated by the client meets the calculation requirements , In order to solve the problems of the prior art, and can achieve the technical effect of increasing security and encryption and decryption performance.
以下將配合圖式及實施例來詳細說明本發明之特徵與實施方式,內容足以使任何熟習相關技藝者能夠輕易地充分理解本發明解決技術問題所應用的技術手段並據以實施,藉此實現本發明可達成的功效。In the following, the features and implementation of the present invention will be described in detail with the drawings and embodiments. The content is sufficient to enable any person familiar with the relevant art to easily and fully understand the technical means used by the present invention to solve the technical problems and implement them accordingly. The achievable effect of the present invention.
本發明可以讓憑證認證伺服器在接收到客戶端所傳送的憑證簽署請求(Certificate Signing Request, CSR)後,判斷客戶端產生金鑰對所使用之演算法是否符合憑證認證伺服器所接受的演算要求,並在客戶端產生金鑰對所使用之演算法符合演算要求時,產生傳回客戶端的數位憑證(certificate)。其中,憑證認證伺服器為數位憑證認證機構(Certificate Authority, CA)中的一台或多台伺服器。The present invention allows the certificate authentication server to determine whether the algorithm used by the client to generate the key pair conforms to the algorithm accepted by the certificate authentication server after receiving the certificate signing request (Certificate Signing Request, CSR) sent by the client When the algorithm used by the client to generate the key pair meets the calculation requirements, a digital certificate (certificate) that is returned to the client is generated. Among them, the certificate authentication server is one or more servers in a digital certificate authority (CA).
以下先以「第1圖」本發明所提之於憑證申請過程中確認金鑰對產生演算法之系統架構圖來說明本發明的系統運作。如「第1圖」所示,本發明之系統含有客戶端110、憑證註冊主機120、及憑證認證伺服器130。其中,憑證註冊主機120與憑證認證伺服器130通常是數位設備;客戶端110則可以是手機、平板、電腦等數位設備,也可以是執行於數位設備上的特定軟體,但本發明並不以此為限。In the following, the system architecture diagram of the algorithm for verifying the key pair generation during the certificate application process mentioned in the "Figure 1" of the present invention is used to illustrate the system operation of the present invention. As shown in "Figure 1", the system of the present invention includes a
本發明所提之計算設備包含但不限於一個或多個處理器、一個或多個記憶體模組、以及連接不同元件(包括記憶體模組和處理器)的匯流排等元件。透過所包含之多個元件,計算設備可以載入並執行作業系統,使作業系統在計算設備上運行,也可以執行軟體或程式。另外,計算設備也包含一個外殼,上述之各個元件設置於外殼內。The computing device mentioned in the present invention includes, but is not limited to, one or more processors, one or more memory modules, and components such as buses connecting different components (including memory modules and processors). Through the included multiple components, the computing device can load and execute the operating system, make the operating system run on the computing device, and can also execute software or programs. In addition, the computing device also includes a housing, and the above-mentioned components are arranged in the housing.
本發明所提之計算設備的匯流排可以包含一種或多個類型,例如包含資料匯流排(data bus)、位址匯流排(address bus)、控制匯流排(control bus)、擴充功能匯流排(expansion bus)、及/或局域匯流排(local bus)等類型的匯流排。計算設備的匯流排包括但不限於並列的工業標準架構(ISA)匯流排、周邊元件互連(PCI)匯流排、視頻電子標準協會(VESA)局域匯流排、以及串列的通用序列匯流排(USB)、快速周邊元件互連(PCI-E)匯流排等。The bus of the computing device mentioned in the present invention may include one or more types, for example, including data bus, address bus, control bus, extended function bus ( expansion bus), and/or local bus (local bus). The bus of computing equipment includes, but is not limited to, parallel industry standard architecture (ISA) bus, peripheral component interconnect (PCI) bus, Video Electronics Standards Association (VESA) local bus, and serial universal serial bus (USB), PCI-E bus, etc.
本發明所提之計算設備的處理器與匯流排耦接。處理器包含暫存器(Register)組或暫存器空間,暫存器組或暫存器空間可以完全的被設置在處理晶片上,或全部或部分被設置在處理晶片外並經由專用電氣連接及/或經由匯流排耦接至處理器。處理器可為處理單元、微處理器或任何合適的處理元件。若計算設備為多處理器設備,也就是計算設備包含多個處理器,則計算設備所包含的處理器都相同或類似,且透過匯流排耦接與通訊。處理器可以解釋一連串的多個指令以進行特定的運算或操作,例如,數學運算、邏輯運算、資料比對、複製/移動資料等,藉以運行作業系統或執行各種程式、模組、及/或元件。The processor of the computing device provided by the present invention is coupled with the bus. The processor contains a register group or register space. The register group or register space can be completely set on the processing chip, or all or part of it can be set outside the processing chip and connected via a dedicated electrical connection. And/or coupled to the processor via the bus. The processor may be a processing unit, a microprocessor, or any suitable processing element. If the computing device is a multi-processor device, that is, the computing device includes multiple processors, the processors included in the computing device are all the same or similar, and they are coupled and communicated through a bus. The processor can interpret a series of multiple instructions to perform specific operations or operations, such as mathematical operations, logical operations, data comparison, copy/move data, etc., to run the operating system or execute various programs, modules, and/or element.
計算設備的處理器可以與晶片組耦接或透過匯流排與晶片組電性連接。晶片組是由一個或多個積體電路(IC)組成,包含記憶體控制器以及周邊輸出入(I/O)控制器,也就是說,記憶體控制器以及周邊輸出入控制器可以包含在一個積體電路內,也可以使用兩個或更多的積體電路實現。晶片組通常提供了輸出入和記憶體管理功能、以及提供多個通用及/或專用暫存器、計時器等,其中,上述之通用及/或專用暫存器與計時器可以讓耦接或電性連接至晶片組的一個或多個處理器存取或使用。The processor of the computing device can be coupled to the chipset or electrically connected to the chipset through a bus. The chipset is composed of one or more integrated circuits (ICs), including a memory controller and peripheral input/output (I/O) controllers, that is to say, the memory controller and peripheral input/output controllers can be included in In an integrated circuit, two or more integrated circuits can also be used. Chipsets usually provide I/O and memory management functions, as well as multiple general-purpose and/or special-purpose registers, timers, etc., among which the aforementioned general-purpose and/or special-purpose registers and timers can be coupled or One or more processors electrically connected to the chipset are accessed or used.
計算設備的處理器也可以透過記憶體控制器存取安裝於計算設備上的記憶體模組和大容量儲存區中的資料。上述之記憶體模組包含任何類型的揮發性記憶體(volatile memory)及/或非揮發性(non-volatile memory, NVRAM)記憶體,例如靜態隨機存取記憶體(SRAM)、動態隨機存取記憶體(DRAM)、快閃記憶體(Flash)、唯讀記憶體(ROM)等。上述之大容量儲存區可以包含任何類型的儲存裝置或儲存媒體,例如,硬碟機、光碟片、隨身碟(快閃記憶體)、記憶卡(memory card)、固態硬碟(Solid State Disk, SSD)、或任何其他儲存裝置等。也就是說,記憶體控制器可以存取靜態隨機存取記憶體、動態隨機存取記憶體、快閃記憶體、硬碟機、固態硬碟中的資料。The processor of the computing device can also access the data in the memory module and the mass storage area installed on the computing device through the memory controller. The above-mentioned memory modules include any type of volatile memory (volatile memory) and/or non-volatile memory (NVRAM), such as static random access memory (SRAM), dynamic random access Memory (DRAM), flash memory (Flash), read-only memory (ROM), etc. The above-mentioned large-capacity storage area can include any type of storage device or storage medium, such as hard disk drives, optical discs, flash drives (flash memory), memory cards, and solid state disks (Solid State Disk, SSD), or any other storage device, etc. In other words, the memory controller can access data in static random access memory, dynamic random access memory, flash memory, hard disk drives, and solid state drives.
計算設備的處理器也可以透過周邊輸出入控制器經由周邊輸出入匯流排與周邊輸出裝置、周邊輸入裝置、通訊介面、以及GPS接收器等周邊裝置或介面連接並通訊。周邊輸入裝置可以是任何類型的輸入裝置,例如鍵盤、滑鼠、軌跡球、觸控板、搖桿等,周邊輸出裝置可以是任何類型的輸出裝置,例如顯示器、印表機等,周邊輸入裝置與周邊輸出裝置也可以是同一裝置,例如觸控螢幕等。通訊介面可以包含無線通訊介面及/或有線通訊介面,無線通訊介面可以包含支援Wi-Fi、Zigbee等無線區域網路、藍牙、紅外線、近場通訊(NFC)、3G/4G/5G等行動通訊網路或其他無線資料傳輸協定的介面,有線通訊介面可為乙太網路裝置、非同步傳輸模式(ATM)裝置、DSL數據機、纜線(Cable)數據機等。處理器可以週期性地輪詢(polling)各種周邊裝置與介面,使得計算設備能夠透過各種周邊裝置與介面進行資料的輸入與輸出,也能夠與具有上面描述之元件的另一個計算設備進行通訊。The processor of the computing device can also connect and communicate with peripheral output devices, peripheral input devices, communication interfaces, and GPS receivers and other peripheral devices or interfaces through the peripheral I/O bus through the peripheral I/O controller. The peripheral input device can be any type of input device, such as a keyboard, mouse, trackball, touchpad, joystick, etc. The peripheral output device can be any type of output device, such as a display, a printer, etc., a peripheral input device It can also be the same device as the peripheral output device, such as a touch screen. The communication interface can include a wireless communication interface and/or a wired communication interface. The wireless communication interface can include a mobile communication network that supports Wi-Fi, Zigbee and other wireless local area networks, Bluetooth, infrared, near field communication (NFC), 3G/4G/5G, etc. The wired communication interface can be an Ethernet device, Asynchronous Transfer Mode (ATM) device, DSL modem, cable modem, etc. The processor can periodically poll various peripheral devices and interfaces, so that the computing device can input and output data through various peripheral devices and interfaces, and can also communicate with another computing device having the above-described components.
客戶端110可以透過有線或無線網路與憑證註冊主機120連接,並可以傳送資料或訊號給憑證註冊主機120,也可以接收憑證註冊主機120所傳送的資料或訊號。The
客戶端110負責使用預定的演算法(加解密演算法)產生包含一把公鑰(public key)及一把私鑰(private key)的金鑰對。一般而言,客戶端110可以呼叫預先安裝之可信任的安控元件使用預先定義的演算法產生金鑰對。The
在本發明中,客戶端110所產生之公鑰與私鑰也被稱為客戶端公鑰與客戶端私鑰。本發明所提之演算法可以是符合橢圓曲線密碼學(Elliptic Curve Cryptography, ECC)的演算法等,但本發明並不以此為限。In the present invention, the public key and private key generated by the
客戶端110也負責產生包含客戶端公鑰的憑證簽署請求,並可以將所產生的憑證簽署請求傳送給憑證註冊主機120。客戶端110所產生之憑證簽署請求中包含產生金鑰對所使用之演算法的演算法訊息。其中,演算法訊息包含演算法名稱等。The
客戶端110也負責接收憑證註冊伺服器120所傳送的數位憑證,並儲存所接收到的數位憑證。更詳細的,客戶端110可以依據申請數位憑證的用途將所申請的數位憑證匯入相對應的載具內儲存。其中,客戶端110申請數位憑證之用途包含但不限於身份識別或加解密等;客戶端110匯入數位憑證之載具包含但不限於晶片卡、電子檔案(如PFX檔)、瀏覽器程式的本地儲存(local storage)等。The
憑證註冊主機120為通過數位憑證認證機構審核(也就是獲得數位憑證認證機構簽發數位憑證)而可以做為憑證註冊中心(Registration Authority, RA)的數位設備。憑證註冊主機120可以透過有線或無線網路與客戶端110及/或憑證認證伺服器130連接,並可以接收客戶端110及/或憑證認證伺服器130所傳送的資料或訊號,也可以傳送資料或訊號給客戶端110及/或憑證認證伺服器130。The
憑證註冊主機120負責產生憑證申請資料,並使用所擁用之主機私鑰對所產生之憑證申請資料簽章以產生相對應之主機簽章資料。憑證註冊主機120所產生的憑證申請資料包含接收自客戶端110的憑證簽署請求。The
憑證註冊主機120也負責接收憑證認證伺服器130所傳送的數位憑證,並將所接收到的數位憑證轉送到客戶端110。一般而言,憑證註冊主機120也可以保存所接收到的數位憑證,也就是保存透過自身申請之客戶端110的數位憑證。The
憑證認證伺服器130可以透過有線或無線網路與憑證註冊主機120連接,並可以接收憑證註冊主機120所傳送的資料或訊號,也可以傳送資料或訊號給憑證註冊主機120。The
憑證認證伺服器130負責接收憑證註冊主機120所傳送的憑證申請資料與主機簽章資料,並可以依據所接收到之主機簽章資料驗證所接收到的憑證申請資料。The
憑證認證伺服器130也負責在接收自憑證註冊主機120之憑證申請資料通過驗證時,進一步檢查所接收到的憑證申請資料。舉例來說,憑證認證伺服器130可以讀出憑證申請資料中的憑證簽署請求,並依據憑證簽署請求中的客戶端簽章資料驗證憑證簽署請求。但憑證認證伺服器130檢查憑證申請資料之方式與過程並不上述為限。The
憑證認證伺服器130也負責在憑證申請資料通過檢查時,依據憑證申請資料中之憑證簽署請求所包含的演算法訊息判斷客戶端110產生金鑰對所使用之演算法是否符合憑證認證伺服器130預定的演算要求。舉例來說,演算要求可以是憑證認證伺服器130認可之演算法的演算法名稱,憑證認證伺服器130可以判斷演算要求中是否包含演算法訊息所包含之演算法名稱,若是,表示客戶端110產生金鑰對之演算法符合演算要求;反之,若憑證認證伺服器130所記錄的演算要求中不存在演算法訊息所包含的演算法名稱,則表示客戶端110產生金鑰對之演算法不符合演算要求。但憑證認證伺服器130判斷客戶端110產生金鑰對之演算法是否符合演算要求之方式並不以上述為限,例如,演算要求也可以是時間門檻值,憑證認證伺服器130可以使用一種或多種預定的算式組進行運算,若在時間門檻值內金鑰對被破解,則憑證認證伺服器130可以判斷產生金鑰對之演算法不符合演算要求。The
憑證認證伺服器130也負責在憑證申請資料中之憑證簽署請求所包含的演算法符合憑證認證伺服器130預定的演算要求時產生數位憑證。更詳細的,憑證認證伺服器130可以使用伺服器私鑰對憑證簽署請求中之客戶端公鑰簽章以產生相對應的伺服器簽章資料,並產生包含客戶端公鑰及伺服器簽章資料的數位憑證。一般而言,憑證認證伺服器130所產生之客戶端110的數位憑證為終端實體 (end-entity, EE)憑證,但本發明並不以此為限。The
憑證認證伺服器130也負責將所產生的數位憑證傳送給憑證註冊主機120,藉以透過憑證註冊主機120將所產生的數位憑證傳送給客戶端110。The
接著以一個實施例來解說本發明的運作系統與方法,並請參照「第2A圖」本發明所提之於憑證申請過程中確認金鑰對產生演算法之方法流程圖。在本實施例中,假設客戶端110為電腦,但本發明並不以此為限。Next, an embodiment is used to explain the operating system and method of the present invention, and please refer to "Figure 2A" the flow chart of the method for verifying the key pair generation algorithm in the certificate application process of the present invention. In this embodiment, it is assumed that the
首先,客戶端110使用演算法產生包含客戶端公鑰與客戶端私鑰的金鑰對,並接著產生包含被產生之金鑰對中之客戶端公鑰與產生金鑰對所使用之演算法的演算法訊息的憑證簽署請求,及將所產生之憑證簽署請求傳送給憑證註冊主機120(步驟210),藉以透過憑證註冊主機120向憑證認證伺服器130申請數位憑證。First, the
在憑證註冊主機120接收到客戶端110所傳送的憑證簽署請求後,憑證註冊主機120可以產生包含所接收之憑證簽署請求的憑證申請資料,並可以對所產生之憑證申請資料簽章,藉以在簽章後產生主機簽章資料。之後,憑證註冊主機120可以將所產生之憑證申請資料及主機簽章資料傳送給憑證認證伺服器130(步驟220)。After the
憑證認證伺服器130在接收到憑證註冊主機120所傳送的憑證申請資料及主機簽章資料後,可以使用所接收到之主機簽章資料驗證所接收之憑證申請資料,並可以依據驗證結果判斷憑證申請資料是否通過以主機簽章資料進行之驗證(步驟230)。After the
若憑證認證伺服器130判斷憑證申請資料沒有通過驗證,則憑證認證伺服器130可以拒絕客戶端110之憑證申請,並可以透過憑證註冊主機120將拒絕申請訊息傳送到客戶端110,使得客戶端110顯示憑證申請被拒絕的訊息;若憑證認證伺服器130判斷憑證申請資料通過驗證,則憑證認證伺服器130可以進一步檢查憑證申請資料,並可以判斷憑證申請資料是否通過檢查(步驟250)。在本實施例中,憑證認證伺服器130可以依據憑證簽署請求中的客戶端簽章資料驗證憑證簽署請求,若憑證簽署請求沒有通過驗證,則憑證認證伺服器130可以判斷憑證申請資料沒有通過檢查,而若憑證簽署請求通過驗證,則憑證認證伺服器130可以判斷憑證申請資料通過檢查。If the
若憑證認證伺服器130判斷憑證申請資料沒有通過檢查,憑證認證伺服器130可以拒絕客戶端110之憑證申請,並可以透過憑證註冊主機120將拒絕申請訊息傳送到客戶端110,使得客戶端110顯示憑證申請被拒絕的訊息;若憑證認證伺服器130判斷憑證申請資料通過檢查,則憑證認證伺服器130可以更進一步地判斷憑證簽署請求中之演算法訊息所表示的演算法是否符合預先設定的演算要求(步驟260)。在本實施例中,假設憑證認證伺服器130可以依據演算要求所記錄之演算法名稱中是否存在演算法訊息所包含的演算法名稱判斷客戶端110產生金鑰對所使用之演算法是否符合演算要求。If the
若憑證認證伺服器130判斷客戶端110所使用之演算法不符合演算要求,也就是憑證認證伺服器130預先設定之演算要求所包含的演算法名稱中不存在憑證簽署請求中之演算法訊息所包含的演算法名稱,憑證認證伺服器130可以拒絕客戶端110之憑證申請,並可以透過憑證註冊主機120將拒絕申請訊息傳送到客戶端110,使得客戶端110顯示憑證申請被拒絕的訊息;若憑證認證伺服器130判斷客戶端110所使用之演算法符合演算要求,也就是憑證簽署請求中之演算法訊息所包含的演算法名稱被記錄在憑證認證伺服器130預先設定之演算要求中,則憑證認證伺服器130可以產生數位憑證,並可以透過憑證註冊主機120將數位憑證傳送給客戶端110(步驟270)。在本實施例中,假設如「第2B圖」所示之流程,憑證認證伺服器130可以使用伺服器私鑰對憑證簽署請求中之客戶端公鑰簽章以產生相對應之伺服器簽章資料(步驟271),並可以產生包含客戶端公鑰及伺服器簽章資料之數位憑證(步驟273),之後,憑證認證伺服器130可以將所產生的數位憑證傳回憑證註冊主機120(步驟275),使得憑證註冊主機120將所接收到的數位憑證轉傳回客戶端110(步驟277)。If the
繼續回到「第2A圖」,在客戶端110所接收到憑證認證伺服器130透過憑證註冊主機120所傳送的數位憑證後,客戶端110可以儲存所接收到的數位憑證(步驟280)。在本實施例中,客戶端110可以依據申請數位憑證的用途將所接收到的數位憑證匯入晶片卡、特定檔案、或特定軟體等載具中。Continuing back to "Figure 2A", after the
如此,透過本發明,憑證認證伺服器130便可以在客戶端110申請憑證的過程中檢查客戶端110產生金鑰對所使用的演算法。In this way, through the present invention, the
綜上所述,可知本發明與先前技術之間的差異在於具有客戶端使用演算法產生金鑰對,並透過憑證註冊主機將包含產生金鑰對之演算法的演算法訊息的憑證簽署請求傳送至憑證認證伺服器後,憑證認證伺服器可以判斷憑證簽署請求中之演算法訊息是否符合演算要求,並在客戶端產生金鑰對之演算法符合演算要求時才產生數位憑證之技術手段,藉由此一技術手段可以解決先前技術所存在數位憑證認證機構在核發數位憑證之過程中不會檢查使用者產生金鑰對之演算法的問題,進而達成增加安全性與加解密效能之技術功效。In summary, it can be seen that the difference between the present invention and the prior art is that the client uses an algorithm to generate a key pair, and sends a certificate signing request including an algorithm message of the algorithm for generating the key pair through the certificate registration host. After reaching the certificate authentication server, the certificate authentication server can determine whether the algorithm information in the certificate signing request meets the calculation requirements, and only generates the digital certificate when the algorithm of the key pair generated by the client meets the calculation requirements. As a result, a technical method can solve the problem that the digital certificate certification authority in the prior art does not check the algorithm of the key pair generated by the user during the process of issuing the digital certificate, thereby achieving the technical effect of increasing security and encryption and decryption performance.
再者,本發明之於憑證申請過程中確認金鑰對產生演算法之方法,可實現於硬體、軟體或硬體與軟體之組合中,亦可在電腦系統中以集中方式實現或以不同元件散佈於若干互連之電腦系統的分散方式實現。Furthermore, the method of the present invention for confirming the key pair generation algorithm in the certificate application process can be implemented in hardware, software, or a combination of hardware and software, and can also be implemented in a centralized manner in a computer system or in different ways. The components are distributed in a number of interconnected computer systems in a decentralized manner.
雖然本發明所揭露之實施方式如上,惟所述之內容並非用以直接限定本發明之專利保護範圍。任何本發明所屬技術領域中具有通常知識者,在不脫離本發明所揭露之精神和範圍的前提下,對本發明之實施的形式上及細節上作些許之更動潤飾,均屬於本發明之專利保護範圍。本發明之專利保護範圍,仍須以所附之申請專利範圍所界定者為準。Although the embodiments of the present invention are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present invention. Any person with ordinary knowledge in the technical field to which the present invention belongs, without departing from the spirit and scope of the present invention, makes slight modifications to the form and details of the implementation of the present invention, all belong to the patent protection of the present invention. range. The scope of patent protection of the present invention shall still be determined by the scope of the attached patent application.
110:客戶端110: client
120:憑證註冊主機120: Credential registration host
130:憑證認證伺服器130: certificate authentication server
步驟210:客戶端使用演算法產生金鑰對,及產生包含客戶端公鑰及演算法訊息之憑證簽署請求,並傳送憑證簽署請求至憑證註冊主機Step 210: The client uses an algorithm to generate a key pair, generates a certificate signing request including the client's public key and algorithm information, and sends the certificate signing request to the certificate registration host
步驟220:憑證註冊主機產生包含憑證簽署請求之憑證申請資料,及對憑證申請資料以產生主機簽章資料,並傳送憑證申請資料及主機簽章資料至憑證認證伺服器Step 220: The certificate registration host generates certificate application data including the certificate signing request, generates host signature data for the certificate application data, and transmits the certificate application data and host signature data to the certificate authentication server
步驟230:憑證認證伺服器判斷憑證申請資料是否通過以主機簽章資料進行之驗證Step 230: The certificate authentication server determines whether the certificate application data passes the verification with the host signature data
步驟250:憑證認證伺服器判斷憑證申請資料是否通過檢查Step 250: The certificate authentication server determines whether the certificate application data passes the check
步驟260:憑證認證伺服器判斷演算法是否符合演算要求Step 260: The certificate authentication server determines whether the algorithm meets the calculation requirements
步驟270:憑證認證伺服器產生數位憑證,並透過憑證註冊主機傳送數位憑證至客戶端Step 270: The certificate authentication server generates a digital certificate and sends the digital certificate to the client through the certificate registration host
步驟271:憑證認證伺服器使用伺服器私鑰對憑證簽署請求中之客戶端公鑰簽章以產生伺服器簽章資料Step 271: The certificate authentication server uses the server private key to sign the client public key in the certificate signing request to generate server signature data
步驟273:憑證認證伺服器產生包含客戶端公鑰及伺服器簽章資料之數位憑證Step 273: The certificate authentication server generates a digital certificate containing the client public key and server signature data
步驟275:憑證認證伺服器傳送數位憑證至憑證註冊主機Step 275: The certificate authentication server sends the digital certificate to the certificate registration host
步驟277:憑證註冊主機傳送數位憑證至客戶端Step 277: The certificate registration host sends the digital certificate to the client
步驟280:客戶端儲存數位憑證Step 280: The client stores the digital certificate
第1圖為本發明所提之於憑證申請過程中確認金鑰對產生演算法之系統架構圖。 第2A圖為本發明所提之於憑證申請過程中確認金鑰對產生演算法之方法流程圖。 第2B圖為本發明所提之憑證認證伺服器產生數位憑證並傳回客戶端之方法流程圖。 Figure 1 is a system architecture diagram of the algorithm for verifying key pair generation during the certificate application process according to the present invention. Figure 2A is a flow chart of the method for confirming the key pair generation algorithm in the certificate application process according to the present invention. Figure 2B is a flow chart of the method for the certificate authentication server to generate a digital certificate and send it back to the client according to the present invention.
步驟210:客戶端使用演算法產生金鑰對,及產生包含客戶端公鑰及演算法訊息之憑證簽署請求,並傳送憑證簽署請求至憑證註冊主機 Step 210: The client uses an algorithm to generate a key pair, generates a certificate signing request including the client's public key and algorithm information, and sends the certificate signing request to the certificate registration host
步驟220:憑證註冊主機產生包含憑證簽署請求之憑證申請資料,及對憑證申請資料以產生主機簽章資料,並傳送憑證申請資料及主機簽章資料至憑證認證伺服器 Step 220: The certificate registration host generates certificate application data including the certificate signing request, generates host signature data for the certificate application data, and transmits the certificate application data and host signature data to the certificate authentication server
步驟230:憑證認證伺服器判斷憑證申請資料是否通過以主機簽章資料進行之驗證 Step 230: The certificate authentication server determines whether the certificate application data passes the verification with the host signature data
步驟250:憑證認證伺服器判斷憑證申請資料是否通過檢查 Step 250: The certificate authentication server determines whether the certificate application data passes the check
步驟260:憑證認證伺服器判斷演算法是否符合演算要求 Step 260: The certificate authentication server determines whether the algorithm meets the calculation requirements
步驟270:憑證認證伺服器產生數位憑證,並透過憑證註冊主機傳送數位憑證至客戶端 Step 270: The certificate authentication server generates a digital certificate and sends the digital certificate to the client through the certificate registration host
步驟280:客戶端儲存數位憑證 Step 280: The client stores the digital certificate
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW108146347A TWI730549B (en) | 2019-12-18 | 2019-12-18 | System for checking key pair generating algorithm during certificate applying process and method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW108146347A TWI730549B (en) | 2019-12-18 | 2019-12-18 | System for checking key pair generating algorithm during certificate applying process and method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TWI730549B true TWI730549B (en) | 2021-06-11 |
| TW202125295A TW202125295A (en) | 2021-07-01 |
Family
ID=77517208
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW108146347A TWI730549B (en) | 2019-12-18 | 2019-12-18 | System for checking key pair generating algorithm during certificate applying process and method thereof |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI730549B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200007347A1 (en) * | 2018-06-29 | 2020-01-02 | Canon Kabushiki Kaisha | Information processing apparatus, control method for information processing apparatus, and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7796751B2 (en) * | 2002-08-28 | 2010-09-14 | Ntt Docomo, Inc. | Certificate-based encryption and public key infrastructure |
| US8214637B2 (en) * | 2001-01-10 | 2012-07-03 | Sony Corporation | Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium |
| TW201537937A (en) * | 2014-03-19 | 2015-10-01 | Beijing Anxunben Science & Technology Co Ltd | Unified identity authentication platform and authentication method thereof |
| TW201935357A (en) * | 2018-02-09 | 2019-09-01 | 玉山商業銀行股份有限公司 | Method and system for electrical transaction |
-
2019
- 2019-12-18 TW TW108146347A patent/TWI730549B/en active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8214637B2 (en) * | 2001-01-10 | 2012-07-03 | Sony Corporation | Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium |
| US7796751B2 (en) * | 2002-08-28 | 2010-09-14 | Ntt Docomo, Inc. | Certificate-based encryption and public key infrastructure |
| TW201537937A (en) * | 2014-03-19 | 2015-10-01 | Beijing Anxunben Science & Technology Co Ltd | Unified identity authentication platform and authentication method thereof |
| TW201935357A (en) * | 2018-02-09 | 2019-09-01 | 玉山商業銀行股份有限公司 | Method and system for electrical transaction |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200007347A1 (en) * | 2018-06-29 | 2020-01-02 | Canon Kabushiki Kaisha | Information processing apparatus, control method for information processing apparatus, and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| TW202125295A (en) | 2021-07-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6151402B2 (en) | Inclusive verification of platform to data center | |
| WO2022179115A1 (en) | User authentication method and apparatus, server and storage medium | |
| US11790119B2 (en) | Application integrity attestation | |
| TWM594186U (en) | Device and system combining online rapid authentication and public key infrastructure to identify identity | |
| TWI644276B (en) | System for opening account and applying mobile banking account online and method thereof | |
| US20230120616A1 (en) | Baseboard management controller (bmc) for storing cryptographic keys and performing cryptographic operations | |
| TWI730549B (en) | System for checking key pair generating algorithm during certificate applying process and method thereof | |
| EP3847779A1 (en) | Hardware security module that enforces signature requirements | |
| CN116264861A (en) | Distributed secure communication system | |
| TWM592629U (en) | System to obtain appended data and execute corresponding operation when identity is confirmed | |
| TWM539668U (en) | System for opening account online and applying for mobile banking | |
| WO2021143027A1 (en) | Transaction endorsement processing method, server, and computer-readable storage medium | |
| US11416370B2 (en) | Platform measurement collection mechanism | |
| TWM618092U (en) | Certificate management system for automated domain verification | |
| TWI720738B (en) | System for combining architectures of fido and pki to identity user and method thereof | |
| TWM583978U (en) | System of using physical carrier to store digital certificate for performing online transaction | |
| TWI777105B (en) | System for obtaining additional data when identifying to execute operation and method thereof | |
| TWI691859B (en) | System for identifying according to instruction to execute service and method thereof | |
| TWM586390U (en) | A system for performing identity verification according to the service instruction to execute the corresponding service | |
| TWI767113B (en) | System for using certificate stored in carrier to conduct online transactions and method thereof | |
| US20240097918A1 (en) | Managing unique secrets in distributed systems | |
| TW201824129A (en) | System for applying for certificate online through carrier for transaction and method thereof | |
| TWI831029B (en) | System for confirming identity on different devices by verifying certification and verification code and method thereof | |
| TWI746920B (en) | System for using certificate to verify identity from different domain through portal and method thereof | |
| TW202117628A (en) | System for using financial account to confirm identity and method thereof |