TWI746235B - System and method for exchanging new certificate based on current certificate and computer-readable medium - Google Patents

System and method for exchanging new certificate based on current certificate and computer-readable medium Download PDF

Info

Publication number
TWI746235B
TWI746235B TW109137669A TW109137669A TWI746235B TW I746235 B TWI746235 B TW I746235B TW 109137669 A TW109137669 A TW 109137669A TW 109137669 A TW109137669 A TW 109137669A TW I746235 B TWI746235 B TW I746235B
Authority
TW
Taiwan
Prior art keywords
certificate
serial number
existing
new
transaction serial
Prior art date
Application number
TW109137669A
Other languages
Chinese (zh)
Other versions
TW202218375A (en
Inventor
林韋丞
童韋豪
游菀瑄
林邦曄
繆嘉新
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW109137669A priority Critical patent/TWI746235B/en
Application granted granted Critical
Publication of TWI746235B publication Critical patent/TWI746235B/en
Publication of TW202218375A publication Critical patent/TW202218375A/en

Links

Images

Abstract

The present invention is a system for exchanging new certificate based on current certificate and a method thereof. A certificate exchanging server is established to receive an existing certificate in a certificate-owned device, and this existing certificate is used with the certificate request sent by a device without certificate to obtain a new legal certificate corresponding to the existing certificate from a Certification Authority. The new legal certificate is used for the device without certificate. The present invention solves the problem of limited signing ability of the certificate-owned device by exchanging the certificate. The present invention also provides a computer-readable medium for a method for exchanging new certificate based on current certificate.

Description

基於既有憑證換取新憑證之系統、方法及電腦可讀媒介 System, method and computer readable medium for exchanging new vouchers based on existing vouchers

本發明係關於憑證取得之技術,特別是指一種基於既有憑證換取新憑證之系統、方法及電腦可讀媒介。 The present invention relates to the technology of voucher acquisition, in particular to a system, method and computer-readable medium for exchanging new voucher based on existing voucher.

隨著科技進步與電子設備應用快速發展,許多網路互動或交易也頻繁產生,為了確保雙方身份確認,對於連網裝置和網路服務來說,數位憑證是進行授權和身份驗證的常用方法,透過數位憑證的使用以提升互動的安全性。一般來說,數位憑證可由憑證管理或註冊中心來頒發,目的是用於註冊裝置和應用程式(APP),藉此使裝置和應用程式使用上更具安全性。 With the advancement of technology and the rapid development of electronic device applications, many network interactions or transactions are also frequently generated. In order to ensure the identification of both parties, digital certificates are a common method for authorization and identity verification for connected devices and network services. Enhance the security of interaction through the use of digital certificates. Generally speaking, a digital certificate can be issued by a certificate management or registration center for the purpose of registering devices and applications (APP), thereby making the use of devices and applications more secure.

在數位憑證廣泛應用下,使用者的多個設備、實體組件或是應用程式都可能需要憑證,當每一個單獨去申請憑證,特別是需要立即進行互動或交易時,若要等待新的憑證註冊,恐費時且麻煩,若能讓同一使用者的裝置、實體組件或應用程式能快速取得憑證,當有利於降低使用者的困擾,惟上述的設備、實體組件或是應用程式的憑證恐無法輕易交換或 共用,可能是兩者演算法不同的因素;另外,有些裝置的簽章能力有限,可能只能手動輸入要簽章的值,當需要被簽章的明文是不可見碼時,即無法做簽章,又或者當需要簽章的字串過長時,不易手動操作、進行輸入,上述都將導致憑證申請受阻。舉例來說,電信業者的用戶識別模塊卡(SIM卡)具有憑證,若安卓(Android)系統手機內其他應用軟體想取得憑證時,可透過特殊軟體進行憑證擷取,但此方式對於蘋果iOS系統手機,恐因為安全性問題而無類似特殊軟體可使用,亦即無法輕易取得所需憑證。 With the widespread use of digital certificates, users’ multiple devices, physical components, or applications may require certificates. When each one applies for a certificate separately, especially when interaction or transaction is required immediately, it is necessary to wait for a new certificate to be registered. , It may be time-consuming and troublesome. If the same user’s device, physical component or application can quickly obtain the certificate, it will help reduce the user’s confusion, but the above-mentioned equipment, physical component or application certificate may not be easy Exchange or Sharing may be due to the different algorithms of the two. In addition, some devices have limited signing capabilities, and may only be able to manually enter the value to be signed. When the plaintext to be signed is an invisible code, it cannot be signed. Chapter, or when the string of characters that needs to be signed is too long, it is not easy to manually operate and input, and the above will cause the voucher application to be blocked. For example, the user identification module card (SIM card) of a carrier has a certificate. If other application software in the Android system phone wants to obtain the certificate, the certificate can be retrieved through special software, but this method is suitable for the Apple iOS system For mobile phones, there is no similar special software to use due to security issues, which means that the required credentials cannot be easily obtained.

因此,若能找出一種有關憑證取得之技術,特別是針對簽章能力有限或難以進行簽章的裝置或組件,藉由讓有簽章能力的設備或組件能取得具關連性之憑證,進而滿足相對應之簽章需求,此將成為本技術領域人員急欲追求解決方案之目標。 Therefore, if you can find a technology related to certificate acquisition, especially for devices or components with limited signing capabilities or difficult to sign, by enabling devices or components with signing capabilities to obtain related certificates, then Satisfying the corresponding signature requirements will become the goal of those skilled in the art who are eager to pursue solutions.

為解決上述現有技術之問題,本發明提出一種基於既有憑證去換取新憑證之技術,利用既有憑證為其做背書,去向註冊管理中心(Registration Authority,RA)換取新憑證,之後透過軟體來下載新憑證,透過以證換證之方式,以有效改進裝置本身簽章能力有限性之問題。 In order to solve the above-mentioned problems of the prior art, the present invention proposes a technology based on the existing certificate to exchange for a new certificate. The existing certificate is used to endorse it, and the new certificate is exchanged with the Registration Authority (RA). Download a new certificate and replace it with a new certificate to effectively improve the problem of the limited signature ability of the device itself.

本發明係揭露一種基於既有憑證換取新憑證之系統,係包括:待憑證裝置,係用於產生憑證請求檔,以及接收對應該憑證請求檔之交易序號;存有憑證裝置,係用於傳送該交易序號以及該存有憑證裝置所具有之既有憑證;換證伺服器,係接收來自該存有憑證裝置之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,俾傳送該憑證序號及與該 交易序號相對應之該憑證請求檔;註冊管理中心,係接收來自該換證伺服器之該憑證序號及該憑證請求檔,以利用該憑證序號查詢該既有憑證,俾產生申請新憑證請求;以及憑證管理中心,係接收來自該註冊管理中心之該申請新憑證請求以產生新憑證,且透過該註冊管理中心回傳該新憑證至該換證伺服器,以供該待憑證裝置依據該交易序號下載該新憑證。 The present invention discloses a system for exchanging a new certificate based on an existing certificate, which includes: a certificate-waiting device, which is used to generate a certificate request file and receive a transaction serial number corresponding to the certificate request file; and a device that stores a certificate is used to transmit The transaction serial number and the existing certificate possessed by the credential device; the renewal server receives the transaction serial number and the existing credential from the credential device to obtain the credential serial number from the existing credential. Send the certificate serial number and the The certificate request file corresponding to the transaction serial number; the registration management center receives the certificate serial number and the certificate request file from the renewal server, and uses the certificate serial number to query the existing certificate to generate a new certificate request; And the certificate management center, which receives the request for applying for a new certificate from the registry to generate a new certificate, and sends the new certificate back to the renewal server through the registry, so that the device to be certified can rely on the transaction Download the new certificate by serial number.

於一實施例中,該換證伺服器收到來自該待憑證裝置之該憑證請求檔後,產生該交易序號,以傳送該交易序號至該待憑證裝置。 In one embodiment, the renewal server generates the transaction serial number after receiving the certificate request file from the device to be certified, and transmits the transaction serial number to the device to be certified.

於一實施例中,該存有憑證裝置復包括利用該交易序號做簽章以產生簽章值,其中,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 In one embodiment, the certificate storage device further includes using the transaction serial number as a signature to generate a signature value, wherein the signature value is transmitted to the renewal server along with the transaction serial number and the existing certificate, For the renewal server to perform signature verification.

於一實施例中,該待憑證裝置復包括產生私密金鑰,以供該待憑證裝置取得該新憑證時,利用該私密金鑰進行簽章。 In one embodiment, the certificate-to-be-certified device includes generating a private key, so that when the certificate-to-be-certified device obtains the new certificate, the private key is used for signing.

本發明復提出一種基於既有憑證換取新憑證之系統,係包括:使用者裝置,係包含等待憑證之軟體模組以及具有憑證之實體組件,其中,該軟體模組係產生憑證請求檔以及接收對應該憑證請求檔之交易序號,該實體組件係傳送該交易序號以及該實體組件所具有之既有憑證;換證伺服器,係接收來自該實體組件之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,俾傳送該憑證序號及與該交易序號相對應之該憑證請求檔;註冊管理中心,係接收來自該換證伺服器之該憑證序號及該憑證請求檔,以利用該憑證序號查詢該既有憑證,俾產生申請新憑證請求;以及憑證管理中心,係接收來自該註冊管理中心之該申請新憑證請求以產生 新憑證,且透過該註冊管理中心回傳該新憑證至該換證伺服器,以供該軟體模組依據該交易序號下載該新憑證。 The present invention provides a system for exchanging a new certificate based on an existing certificate, which includes: a user device, which includes a software module waiting for the certificate and a physical component with the certificate, wherein the software module generates a certificate request file and receives Corresponding to the transaction serial number of the certificate request file, the entity component transmits the transaction serial number and the existing certificate of the entity component; the renewal server receives the transaction serial number and the existing certificate from the entity component to Obtain the certificate serial number from the existing certificate to send the certificate serial number and the certificate request file corresponding to the transaction serial number; the registration management center receives the certificate serial number and the certificate request file from the renewal server to Use the certificate serial number to query the existing certificate to generate a request for applying for a new certificate; and the certificate management center receives the request for applying for a new certificate from the registration management center to generate New certificate, and return the new certificate to the renewal server through the registry management center, so that the software module can download the new certificate according to the transaction serial number.

於一實施例中,該換證伺服器收到來自該軟體模組之該憑證請求檔後,產生該交易序號,以傳送該交易序號至該軟體模組。 In one embodiment, after the certificate renewal server receives the certificate request file from the software module, it generates the transaction serial number to send the transaction serial number to the software module.

於一實施例中,該實體組件復包括利用該交易序號做簽章以產生簽章值,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 In one embodiment, the entity component further includes using the transaction serial number as a signature to generate a signature value, and the signature value is sent to the renewal server along with the transaction serial number and the existing certificate for the exchange The certificate server performs signature verification.

於一實施例中,該軟體模組復包括產生私密金鑰,以供該軟體模組取得該新憑證時,利用該私密金鑰進行簽章。 In one embodiment, the software module includes generating a private key for the software module to use the private key for signing when obtaining the new certificate.

本發明復提出一種基於既有憑證換取新憑證之方法,係包括:令軟體模組提供憑證請求檔至換證伺服器,並接收該換證伺服器所回傳之交易序號;令具有既有憑證之實體組件傳送該交易序號及該既有憑證至該換證伺服器;令該換證伺服器由該既有憑證取得憑證序號,以傳送該憑證序號及與該交易序號相對應之該憑證請求檔至註冊管理中心;令該註冊管理中心利用該憑證序號以確認該既有憑證之合法性和有效性,以於該既有憑證合法且有效時,產生申請新憑證請求;令該註冊管理中心利用該既有憑證,向憑證管理中心申請新憑證;以及令該註冊管理中心傳送該新憑證至該換證伺服器,以供該軟體模組下載。 The present invention provides a method for exchanging a new certificate based on an existing certificate, which includes: ordering the software module to provide a certificate request file to the renewal server, and receive the transaction serial number returned by the renewal server; The physical component of the certificate transmits the transaction serial number and the existing certificate to the renewal server; the renewal server obtains the certificate serial number from the existing certificate to transmit the certificate serial number and the certificate corresponding to the transaction serial number The request file is sent to the registry; order the registry to use the certificate serial number to confirm the legitimacy and validity of the existing certificate, so that when the existing certificate is legal and valid, it generates a request for a new certificate; order the registration management The center uses the existing certificate to apply for a new certificate from the certificate management center; and makes the registration management center send the new certificate to the renewal server for the software module to download.

於上述方法中,該軟體模組與該實體組件係位於同一裝置內,或是分屬兩個不同裝置。 In the above method, the software module and the physical component are located in the same device or belong to two different devices.

於上述方法中,該實體組件復包括利用該交易序號做簽章以產生簽章值,其中,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 In the above method, the entity component further includes using the transaction serial number as a signature to generate a signature value, wherein the signature value is sent to the renewal server along with the transaction serial number and the existing certificate for the The renewal server performs signature verification.

於上述方法中,該軟體模組復包括產生私密金鑰,以供該軟體模組取得該新憑證時,利用該私密金鑰進行簽章。 In the above method, the software module includes generating a private key for the software module to use the private key for signing when obtaining the new certificate.

本發明復提供一種電腦可讀媒介,應用於計算裝置或電腦中,係儲存有指令,以執行前述之基於既有憑證換取新憑證之方法。 The present invention further provides a computer-readable medium used in a computing device or a computer, which stores instructions to execute the aforementioned method of exchanging a new certificate based on an existing certificate.

由上可知,本發明提出一種基於既有憑證換取新憑證之系統、方法及電腦可讀媒介,相較於現有技術,本發明是基於既有憑證換取新憑證之技術,除了可以換取新憑證給予未持有憑證的軟體模組能進行簽章動作外,也可以解決即便裝置中存有憑證,但其簽章能力有限的受限性,讓簽章能力更佳的裝置去做簽章。另外,本發明所換取的新憑證跟既有憑證並非完全不相關,且換取到的新憑證植基於既有憑證的背書,所以裝置中所換取到的新憑證與既有憑證是有關連性的,而換取到的新憑證其簽章演算法可隨著應用需求變更,因而改善了既有憑證所使用的演算法的限制性,也讓取得新憑證的裝置能延伸其簽章演算法。 It can be seen from the above that the present invention proposes a system, method and computer-readable medium for exchanging existing certificates for new certificates. Compared with the prior art, the present invention is based on the technology of exchanging existing certificates for new certificates. In addition to being able to perform signing actions for software modules that do not hold a certificate, it can also solve the limitation of limited signing capabilities even if the certificate is stored in the device, allowing devices with better signing capabilities to do the signing. In addition, the new certificate exchanged in the present invention is not completely unrelated to the existing certificate, and the new certificate exchanged is based on the endorsement of the existing certificate, so the new certificate exchanged in the device is related to the existing certificate. , And the signature algorithm of the new certificate obtained in exchange can be changed with application requirements, thus improving the limitation of the algorithm used by the existing certificate, and also allowing the device that obtains the new certificate to extend its signature algorithm.

1、2:基於既有憑證換取新憑證之系統 1, 2: A system based on the exchange of existing vouchers for new vouchers

11:待憑證裝置 11: Device to be certificated

12:存有憑證裝置 12: Device with certificate

13、23:換證伺服器 13, 23: Renewal server

14、24:註冊管理中心 14, 24: Registration Management Center

15、25:憑證管理中心 15, 25: Certificate Management Center

20:使用者裝置 20: User device

21:軟體模組 21: Software module

22:實體組件 22: physical components

S31-S36:步驟 S31-S36: steps

S41-S47:流程 S41-S47: Process

圖1為本發明之基於既有憑證換取新憑證之系統一實施例的系統架構圖。 FIG. 1 is a system architecture diagram of an embodiment of the system for exchanging new certificates based on existing certificates of the present invention.

圖2為本發明之基於既有憑證換取新憑證之系統另一實施例的系統架構圖。 2 is a system architecture diagram of another embodiment of the system for exchanging new certificates based on existing certificates of the present invention.

圖3為本發明之基於既有憑證換取新憑證之方法的步驟圖。 Fig. 3 is a step diagram of the method of exchanging a new voucher based on an existing voucher according to the present invention.

圖4為本發明之本發明之基於既有憑證換取新憑證之方法一具體實施例的流程圖。 FIG. 4 is a flowchart of a specific embodiment of the method for exchanging a new voucher based on an existing voucher according to the present invention.

以下藉由特定的具體實施形態說明本發明之技術內容,熟悉此技藝之人士可由本說明書所揭示之內容輕易地瞭解本發明之優點與功效。然本發明亦可藉由其他不同的具體實施形態加以施行或應用。 The following describes the technical content of the present invention with specific specific embodiments. Those familiar with the art can easily understand the advantages and effects of the present invention from the content disclosed in this specification. However, the present invention can also be implemented or applied by other different specific embodiments.

圖1為本發明之基於既有憑證換取新憑證之系統一實施例的系統架構圖。本發明之基於既有憑證換取新憑證之系統1其目的為以既有憑證換取新憑證,利用擁有憑證的裝置為未持有憑證的裝置背書,進而使未持有憑證之裝置能獲取憑證,如圖所示,該基於既有憑證換取新憑證之系統1係包括待憑證裝置11、存有憑證裝置12、換證伺服器13、註冊管理中心14以及憑證管理中心15,其中,該待憑證裝置11中無憑證,而該存有憑證裝置12已存有憑證,但其簽章能力有限。 FIG. 1 is a system architecture diagram of an embodiment of the system for exchanging new certificates based on existing certificates of the present invention. The purpose of the system 1 for exchanging a new certificate based on an existing certificate of the present invention is to exchange an existing certificate for a new certificate, and use the device with the certificate to endorse the device without the certificate, so that the device without the certificate can obtain the certificate. As shown in the figure, the system 1 for exchanging new certificates based on existing certificates includes a certificate-to-be-certified device 11, a certificate-storing device 12, a certificate renewal server 13, a registration management center 14, and a certificate management center 15. There is no voucher in the device 11, and the voucher stored in the voucher device 12 already has a voucher, but its signing ability is limited.

待憑證裝置11用於產生憑證請求檔,以及接收對應該憑證請求檔之交易序號。詳言之,待憑證裝置11裡面沒有憑證,但其簽章能力較佳,可做延伸簽章演算法能力,能夠使用、支援不同演算法,做簽章可以直接複製、選擇要做簽章的項目。因此,待憑證裝置11因內無憑證,所以傳送憑證請求檔給換證伺服器13,以於之後向憑證管理中心15申請新憑證,另外,待憑證裝置11也用於之後下載、存放所換取的新憑證。 The voucher-waiting device 11 is used for generating a voucher request file and receiving a transaction serial number corresponding to the voucher request file. In detail, there is no certificate in the voucher device 11, but its signature ability is better. It can be used to extend the signature algorithm capability. It can use and support different algorithms. The signature can be copied directly, and the signature can be selected. project. Therefore, because the certificate-to-be-certified device 11 does not have a certificate in it, the certificate request file is sent to the renewal server 13 to apply for a new certificate from the certificate management center 15 later. In addition, the certificate-to-be-certified device 11 is also used to download and store the exchanged certificate later. New certificate.

於一實施例中,該換證伺服器13收到來自該待憑證裝置11之該憑證請求檔後,產生該交易序號並回傳至該待憑證裝置11。上述即說明當待憑證裝置11傳送憑證請求檔至換證伺服器13後,會由換證伺服器13取得一交易序號,此交易序號也是後續令待憑證裝置11和存有憑證裝置12兩者相關聯的主要機制。 In one embodiment, after the certificate renewal server 13 receives the certificate request file from the certificate waiting device 11, it generates the transaction serial number and sends it back to the certificate waiting device 11. The above means that after the certificate device 11 sends the certificate request file to the renewal server 13, the renewal server 13 will obtain a transaction serial number. This transaction serial number is also a follow-up order to both the certificate-waiting device 11 and the certificate-storing device 12 The main mechanism associated.

存有憑證裝置12用於傳送該交易序號以及該存有憑證裝置所具有之既有憑證。詳言之,存有憑證裝置12裡面存有憑證,但支援演算法固定、單一,簽章能力有限,裝置可能僅能手動輸入要簽章的值,當需要被簽章的明文是不可見碼時,即無法做簽章,又或是當需要簽章的字串過長時,不易手動操作、進行輸入。由上可知,待憑證裝置11無法使用存有憑證裝置12做簽章,且存有憑證裝置12其簽章能力有限,因而利用存有憑證裝置12與換證伺服器13通訊連結,該換證伺服器13能接收該存有憑證裝置12所傳送的既有憑證,以執行以證換證的程序。 The voucher storage device 12 is used to transmit the transaction serial number and the existing voucher possessed by the voucher storage device. In detail, the certificate is stored in the certificate storage device 12, but the support algorithm is fixed and single, and the signing ability is limited. The device may only be able to manually enter the value to be signed. When the plaintext to be signed is an invisible code When the time, it is impossible to sign, or when the string to be signed is too long, it is not easy to manually operate and input. It can be seen from the above that the voucher device 11 cannot use the voucher storage device 12 for signing, and the voucher storage device 12 has limited signing capabilities. Therefore, the voucher storage device 12 is used to communicate with the renewal server 13 and the renewal The server 13 can receive the existing certificate sent by the certificate storage device 12 to perform the process of certificate replacement.

於一實施例中,該存有憑證裝置12復包括利用該交易序號做簽章以產生簽章值,其中,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器13,以供該換證伺服器13進行簽章驗證。換言之,該存有憑證裝置12會利用交易序號與裝置中的私密金鑰(Private Key)產生簽章值,此簽章值將隨著交易序號一併傳送到換證伺服器13,如此該換證伺服器13才能驗章,以確保交易正確性。 In one embodiment, the certificate storage device 12 further includes using the transaction serial number as a signature to generate a signature value, wherein the signature value is transmitted to the renewal server along with the transaction serial number and the existing certificate 13. For the certificate renewal server 13 to perform signature verification. In other words, the certificate storage device 12 will use the transaction serial number and the private key in the device to generate a signature value, and this signature value will be sent to the renewal server 13 along with the transaction serial number. Only the certificate server 13 can verify the seal to ensure the correctness of the transaction.

換證伺服器13係接收來自該存有憑證裝置12之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,並傳送該憑證序號及與該交易序號相對應之該憑證請求檔。具體來說,換證伺服器13係接收待憑證 裝置11的憑證請求檔以及驗章存有憑證裝置12所傳來的既有簽章,換證伺服器13於收到憑證請求檔後提供交易序號給予待憑證裝置11,並利用交易序號使得待憑證裝置11跟存有憑證裝置12有關連性,其中,換證伺服器13會由既有憑證取得憑證序號,並搭配交易序號所對應的憑證請求檔,一同傳至給註冊管理中心14,須說明者,因為註冊管理中心14都有既有憑證的相關資料,故註冊管理中心14僅需有憑證序號即可找出所需的既有憑證,故為了減少傳輸資料量,換證伺服器13不會傳遞整個憑證至註冊管理中心14,而是僅有憑證序號。 The renewal server 13 receives the transaction serial number and the existing certificate from the storage device 12 to obtain the certificate serial number from the existing certificate, and transmits the certificate serial number and the certificate request corresponding to the transaction serial number files. Specifically, the renewal server 13 receives the pending certificate The certificate request file and the verification seal of the device 11 contain the existing signature from the certificate device 12. The renewal server 13 provides the transaction serial number to the certificate-to-be-certified device 11 after receiving the certificate request file, and uses the transaction serial number to make the The certificate device 11 is related to the storage certificate device 12. The renewal server 13 will obtain the certificate serial number from the existing certificate and send it to the registration management center 14 together with the certificate request file corresponding to the transaction serial number. Explain that because the registry 14 has relevant information about the existing certificate, the registry 14 only needs the certificate serial number to find the required existing certificate. Therefore, in order to reduce the amount of transmitted data, the renewal server 13 The entire certificate will not be passed to the registration management center 14, but only the certificate serial number.

另外,換證伺服器13於獲取新憑證後,讓待憑證裝置11能利用交易序號來下載。 In addition, after the renewal server 13 obtains the new certificate, the certificate-to-be-certified device 11 can use the transaction serial number to download it.

註冊管理中心14係接收來自該換證伺服器13之該憑證序號及該憑證請求檔,利用該憑證序號查詢該既有憑證是否存在,俾於確認該既有憑證存在時,產生申請新憑證請求。具體來說,註冊管理中心14會利用憑證序號以檢驗此既有憑證是否存在,並於驗證既有憑證存在下與憑證管理中心15連線去申請新憑證,同樣地,在申請到新憑證後,註冊管理中心14會將新憑證傳送到換證伺服器13。由上可知,註冊管理中心14會以憑證序號(Certificate Serial Number)查詢既有憑證是否存在,藉此檢驗該既有憑證的合法性與有效性,並於確認無誤後再向憑證管理中心15申請新憑證,回傳給換證伺服器13,以供待憑證裝置11能下載使用。 The registration management center 14 receives the certificate serial number and the certificate request file from the renewal server 13, uses the certificate serial number to query whether the existing certificate exists, and generates a request for applying for a new certificate when confirming the existence of the existing certificate . Specifically, the registration management center 14 will use the certificate serial number to check whether the existing certificate exists, and after verifying the existence of the existing certificate, it will connect with the certificate management center 15 to apply for a new certificate. Similarly, after applying for a new certificate , The registration management center 14 will send the new certificate to the renewal server 13. It can be seen from the above that the registration management center 14 will use the certificate serial number (Certificate Serial Number) to query whether the existing certificate exists, so as to verify the legitimacy and validity of the existing certificate, and then apply to the certificate management center 15 after confirming that it is correct The new certificate is sent back to the renewal server 13 for the certificate device 11 to download and use.

憑證管理中心15係接收來自該註冊管理中心14之該申請新憑證請求以產生新憑證,且透過該註冊管理中心14回傳該新憑證至該換證伺服器13,以供該待憑證裝置11依據該交易序號下載該新憑證。換言之, 憑證管理中心15收到註冊管理中心14所發出之新憑證請求後,會產出新憑證給予註冊管理中心14。 The certificate management center 15 receives the request for applying for a new certificate from the registration management center 14 to generate a new certificate, and sends the new certificate back to the renewal server 13 through the registration management center 14 for the certificate-to-be-certified device 11 Download the new certificate according to the transaction serial number. In other words, After the voucher management center 15 receives the new voucher request issued by the registration management center 14, it will generate a new voucher and give it to the registration management center 14.

於另一實施例中,該待憑證裝置11復包括產生私密金鑰,以供該待憑證裝置11取得該新憑證時,利用該私密金鑰進行簽章。上述說明待憑證裝置11產出憑證請求檔時會一併產生一私密金鑰,此私密金鑰可於待憑證裝置11取得新憑證後,進行簽章等憑證應用。 In another embodiment, the certificate-waiting device 11 further includes generating a private key for the certificate-waiting device 11 to use the private key for signing when the new certificate is obtained. As described above, when the certificate request file is generated by the certificate waiting device 11, a private key is also generated. This private key can be used for certificate applications such as signing after the certificate waiting device 11 obtains a new certificate.

另外,該私密金鑰也確保新憑證不被盜用,具體來說,在新憑證產生後,若交易序號被其他裝置知悉或猜測中而取得新憑證,基於其他裝置無該私密金鑰,故無法與該新憑證搭配而進行簽章應用。 In addition, the private key also ensures that the new certificate will not be stolen. Specifically, after the new certificate is generated, if the transaction serial number is known or guessed by other devices and the new certificate is obtained, the other device does not have the private key. The signature application is performed in conjunction with the new certificate.

於上述架構下,待憑證裝置11可為一行動裝置(如手機)的應用程式,其無憑證但具有簽章能力,而存有憑證裝置12可為另一行動裝置(如手機)內含的SIM卡,其具有憑證但簽章能力有限,由於SIM卡與應用程式兩者無法直接溝通,且SIM卡為RSA加密演算法的簽章,應用程式可能為橢圓曲線密碼編碼學(Elliptic Curves Cryptography,ECC)的簽章,兩者也無法共用,為了方便使用者進行憑證應用,本發明透過利用SIM卡的既有憑證去申請一個新憑證給應用程式使用,以便應用程式可利用新憑證進行簽章等應用,由於新憑證與既有憑證具有關聯性,故兩個憑證內部資訊多數相同。 Under the above-mentioned structure, the device to be certified 11 can be an application of a mobile device (such as a mobile phone), which has no certificate but has the ability to sign, and the device with a certificate 12 can be a built-in device of another mobile device (such as a mobile phone). The SIM card has a certificate but has limited signature capabilities. Since the SIM card and the application program cannot communicate directly, and the SIM card is the signature of the RSA encryption algorithm, the application program may be Elliptic Curves Cryptography (Elliptic Curves Cryptography, ECC) signature, the two cannot be shared. In order to facilitate the user to apply the certificate, the present invention uses the existing certificate of the SIM card to apply for a new certificate for use by the application, so that the application can use the new certificate to sign For other applications, since the new certificate is related to the existing certificate, the internal information of the two certificates is mostly the same.

由上可知,本發明之基於既有憑證換取新憑證之系統1可達到利用存有憑證裝置12中既有憑證當作背書,去換取一張有關連性的新憑證,新憑證將提供給無憑證但具有簽章的裝置,以利於改善簽章能力有限的存有憑證裝置12,有能執行簽章的替代方式。 It can be seen from the above that the system 1 for exchanging a new certificate based on an existing certificate of the present invention can use the existing certificate in the certificate storage device 12 as an endorsement to exchange for a related new certificate, and the new certificate will be provided to the company. A certificate but a device with a signature, in order to improve the storage of the certificate device 12 with limited signature capabilities, there is an alternative way to perform the signature.

圖2為本發明之基於既有憑證換取新憑證之系統另一實施例的系統架構圖。如圖所示,基於既有憑證換取新憑證之系統2中之換證伺服器23、註冊管理中心24以及憑證管理中心25與圖1中所示之換證伺服器13、註冊管理中心14以及憑證管理中心15相同,於本實施例中,主要是無憑證者與具有既有憑證者是位在單一裝置內,即使用者裝置20,該使用者裝置20可為一電子設備。 2 is a system architecture diagram of another embodiment of the system for exchanging new certificates based on existing certificates of the present invention. As shown in the figure, the renewal server 23, the registration management center 24, and the certificate management center 25 in the system 2 for exchanging new certificates based on existing certificates are the same as the renewal server 13, the registration management center 14, and the system shown in FIG. The certificate management center 15 is the same. In this embodiment, those without certificates and those with existing certificates are located in a single device, that is, the user device 20, which can be an electronic device.

使用者裝置20包含等待憑證之軟體模組21以及具有憑證之實體組件22,其中,該軟體模組21係產生憑證請求檔以及接收對應該憑證請求檔之交易序號,而該實體組件22則是傳送該交易序號以及該實體組件所具有之既有憑證,具體來說,該軟體模組21傳送憑證請求檔至換證伺服器13後,換證伺服器13會回傳一交易序號給予該軟體模組21。 The user device 20 includes a software module 21 waiting for a certificate and a physical component 22 with a certificate. The software module 21 generates a certificate request file and receives a transaction serial number corresponding to the certificate request file, and the physical component 22 is Send the transaction serial number and the existing certificate of the physical component. Specifically, after the software module 21 sends the certificate request file to the renewal server 13, the renewal server 13 will return a transaction serial number to the software Module 21.

換證伺服器23用於接收來自該實體組件22之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,並傳送該憑證序號及與該交易序號相對應之該憑證請求檔至註冊管理中心24。 The renewal server 23 is used to receive the transaction serial number and the existing certificate from the entity component 22 to obtain the certificate serial number from the existing certificate, and transmit the certificate serial number and the certificate request file corresponding to the transaction serial number To the registration management center 24.

註冊管理中心24接收來自該換證伺服器23之該憑證序號及該憑證請求檔,以利用該憑證序號查詢該既有憑證是否存在,俾於確認該既有憑證存在時,產生申請新憑證請求並傳送給憑證管理中心25。 The registration management center 24 receives the certificate serial number and the certificate request file from the renewal server 23, and uses the certificate serial number to query whether the existing certificate exists, so as to generate a new certificate request request when confirming that the existing certificate exists And send it to the credential management center 25.

憑證管理中心25接收來自該註冊管理中心24之該申請新憑證請求以產生新憑證,且透過該註冊管理中心24回傳該新憑證至該換證伺服器23,以供該軟體模組21依據該交易序號下載該新憑證。 The certificate management center 25 receives the request for applying for a new certificate from the registry 24 to generate a new certificate, and sends the new certificate back to the renewal server 23 through the registry 24 for the software module 21 to follow Download the new certificate with the transaction serial number.

本實施例與圖1的最大差別在於需要新憑證和具有既有憑證的單元都在同一個裝置內,其餘換證伺服器23、註冊管理中心24以及憑證 管理中心25的運作皆與圖1所述相同。舉例來說,軟體模組21為手機中的APP應用程式,裡面沒有憑證,但其能有較佳的簽章能力,能複製、選擇要做簽章的項目,且具有延伸簽章演算法能力,能依照應用需求使用、支援不同演算法,而擁有既有憑證之實體組件22為手機裝置中的全球用戶識別卡(UMTS Subscriber Identity Module,USIM),其簽章能力有限,支援演算法固定、單一,且操作不便利,只能手動輸入要簽章的值,若需要被簽章的明文是不可見碼時,即無法進行簽章,又或者當需要簽章的字串過長時,不易手動操作、進行輸入。 The biggest difference between this embodiment and FIG. 1 is that the new certificate and the unit with the existing certificate are all in the same device, and the rest of the certificate renewal server 23, the registration management center 24, and the certificate The operation of the management center 25 is the same as that described in FIG. 1. For example, the software module 21 is an APP in a mobile phone. There is no certificate in it, but it has better signing ability, can copy and select items to be signed, and has the ability to extend the signing algorithm. , Can use and support different algorithms according to application requirements, and the entity component 22 with existing certificates is the global subscriber identity module (UMTS Subscriber Identity Module, USIM) in the mobile device, which has limited signing ability and supports fixed algorithm, Single, and the operation is not convenient, you can only manually enter the value to be signed. If the plaintext to be signed is an invisible code, it cannot be signed, or when the string to be signed is too long, it is not easy Manual operation and input.

使用者手機裝置中的全球用戶識別卡因具有憑證,為了快速讓手機中的APP應用程式也有憑證,甚至用於替全球用戶識別卡進行憑證應用,故利用全球用戶識別卡的既有憑證來產生新憑證,由於兩個憑證具有關聯性,故憑證內多數資訊相同。 Since the global user identification card in the user's mobile phone device has a certificate, in order to quickly make the APP application in the mobile phone also have a certificate, and even be used to perform a certificate application for the global user identification card, the existing certificate of the global user identification card is used to generate The new certificate, because the two certificates are related, most of the information in the certificate is the same.

於一實施例中,該實體組件22復包括利用該交易序號做簽章以產生簽章值,其中,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器23,以供該換證伺服器進行簽章驗證。由上可知,該實體組件22利用交易序號與裝置中的私密金鑰產生簽章質,簽章值會隨著交易序號一併傳送到換證伺服器23,以供該換證伺服器23執行驗章,確保交易正確性。 In one embodiment, the entity component 22 further includes using the transaction serial number as a signature to generate a signature value, wherein the signature value is transmitted to the renewal server 23 along with the transaction serial number and the existing certificate. For the renewal server to perform signature verification. It can be seen from the above that the entity component 22 uses the transaction serial number and the private key in the device to generate the signature, and the signature value will be sent to the renewal server 23 along with the transaction serial number for execution by the renewal server 23 Verify the seal to ensure the correctness of the transaction.

於一實施例中,該軟體模組21復包括產生私密金鑰,以供該軟體模組21取得該新憑證時,利用該私密金鑰進行簽章。換言之,軟體模組21產出憑證請求檔時會一併產生一私密金鑰,以於取得新憑證後,能搭配進行簽章等憑證應用,同時也能避免他人以不合法方式取得新憑證時,也無法使用。 In one embodiment, the software module 21 further includes generating a private key for the software module 21 to use the private key for signing when obtaining the new certificate. In other words, when the software module 21 generates a certificate request file, it will also generate a private key, so that after obtaining a new certificate, it can be used with certificate applications such as signing, and it can also prevent others from obtaining a new certificate illegally. , Also cannot be used.

本發明重點在於透過建立一個換證伺服器23去接收既有憑證,利用這張既有憑證,搭配軟體模組21所發出的憑證請求檔(Certificate Signing Request,CSR)去向憑證管理中心(Certification Authority,CA)獲取一張與既有憑證互相對應且合法的新憑證,提供給軟體模組21使用,如此能改善擁有既有憑證的實體組件22其簽章能力有限的問題,藉此可有效解決裝置的受限性、不易操作,亦即本發明之技術為基於實體組件22中既有憑證作為背書,去向憑證管理中心15換取新憑證,儲存於無憑證的軟體模組21中以便使用,達到以證換證的效果。 The key point of the present invention is to establish a certificate renewal server 23 to receive the existing certificate, and use this existing certificate with the certificate request file (Certificate Signing Request, CSR) issued by the software module 21 to send it to the Certificate Management Center (Certification Authority). , CA) Obtain a new legal certificate that corresponds to the existing certificate and provide it to the software module 21. This can improve the problem of the limited signing ability of the physical component 22 with the existing certificate, thereby effectively solving The device is limited and difficult to operate, that is, the technology of the present invention is based on the existing certificate in the physical component 22 as an endorsement, and goes to the certificate management center 15 to exchange for a new certificate, which is stored in the non-certified software module 21 for use. The effect of certificate replacement.

圖3為本發明之基於既有憑證換取新憑證之方法的步驟圖。 Fig. 3 is a step diagram of the method of exchanging a new voucher based on an existing voucher according to the present invention.

於步驟S31,令軟體模組提供憑證請求檔至換證伺服器,並接收該換證伺服器所回傳之交易序號。本步驟係軟體模組提供憑證請求檔至換證伺服器,換證伺服器會回覆一交易序號。 In step S31, the software module is made to provide the certificate request file to the renewal server, and receive the transaction serial number returned by the renewal server. In this step, the software module provides the certificate request file to the renewal server, and the renewal server will reply with a transaction serial number.

於步驟S32,令具有既有憑證之實體組件傳送該交易序號及該既有憑證至該換證伺服器。本步驟係說明存有既有憑證之設備或組件會傳送交易序號和既有憑證到至換證伺服器,以供換證伺服器進行以證換證的程序,其中,本發明利用交易序號使得兩個設備或組件之間有所關聯性。 In step S32, the entity component with the existing certificate transmits the transaction serial number and the existing certificate to the renewal server. This step is to describe the process that the device or component with the existing certificate will send the transaction serial number and the existing certificate to the renewal server for the renewal server to perform the renewal process. The present invention uses the transaction serial number to make There is a correlation between two devices or components.

於一實施例中,該實體組件復包括利用該交易序號做簽章以產生簽章值,其中,該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。也就是說,存有既有憑證之設備或組件會利用交易序號做簽章,並將交易序號、簽章值、既有憑證傳至換證伺服器中。 In one embodiment, the entity component further includes using the transaction serial number as a signature to generate a signature value, wherein the signature value is sent to the renewal server along with the transaction serial number and the existing certificate for use The renewal server performs signature verification. That is to say, the equipment or component with the existing certificate will use the transaction serial number as a signature, and the transaction serial number, signature value, and existing certificate will be transferred to the renewal server.

於步驟S33,令該換證伺服器由該既有憑證取得憑證序號,並傳送該憑證序號及與該交易序號相對應之該憑證請求檔至註冊管理中心。如前所述,換證伺服器會對簽章值進行驗章,在驗章後,換證伺服器會取出既有憑證的憑證序號,以利減少後續傳輸資料的大小,接著將憑證序號以及利用讓兩個裝置有所關聯的交易序號所對應的憑證請求檔,傳至註冊管理中心。 In step S33, the renewal server is made to obtain the certificate serial number from the existing certificate, and transmit the certificate serial number and the certificate request file corresponding to the transaction serial number to the registration management center. As mentioned earlier, the renewal server will verify the signature value. After the verification, the renewal server will retrieve the certificate serial number of the existing certificate to reduce the size of subsequent transmission data, and then the certificate serial number and Use the certificate request file corresponding to the transaction serial number that associates the two devices to the registration management center.

於步驟S34,令該註冊管理中心利用該憑證序號以確認該既有憑證之合法性和有效性,以於該既有憑證合法且有效時,產生申請新憑證請求。本步驟係說明註冊管理中心利用憑證序號確定此憑證是否存在。 In step S34, the registry is asked to use the certificate serial number to confirm the legitimacy and validity of the existing certificate, so that when the existing certificate is legal and valid, a request for applying for a new certificate is generated. This step is to explain that the registration management center uses the certificate serial number to determine whether the certificate exists.

於步驟S35,令該註冊管理中心利用該既有憑證,向憑證管理中心申請新憑證。接續前一步驟,本步驟即在驗證成功後,註冊管理中心向憑證管理中心申請新憑證。 In step S35, the registration management center is asked to use the existing certificate to apply for a new certificate from the certificate management center. Following the previous step, in this step, after the verification is successful, the registration management center applies for a new certificate from the credential management center.

於步驟S36,令該註冊管理中心回傳該新憑證至該換證伺服器,以供該軟體模組下載。本步驟係說明註冊管理中心會將申請到的新憑證傳至換證伺服器之中,讓軟體裝置能使用交易序號來下載新憑證於裝置之中。 In step S36, the registration management center is made to return the new certificate to the renewal server for the software module to download. This step means that the registration management center will transfer the new certificate applied for to the renewal server, so that the software device can use the transaction serial number to download the new certificate to the device.

圖4為本發明之本發明之基於既有憑證換取新憑證之方法一具體實施例的流程圖,請一併參考圖2,於此以需要新憑證和存有既有憑證的兩者皆在同一裝置的範例來作說明。 Figure 4 is a flow chart of a specific embodiment of the method of exchanging new vouchers based on existing vouchers of the present invention. Please refer to Figure 2 together, where both the new vouchers and the existing vouchers are required An example of the same device is used for illustration.

於流程S41,提出憑證請求檔。本流程為軟體模組產生金鑰,並提供憑證請求檔,最終作為註冊管理中心申請新憑證時使用,而金鑰搭配獲取的新憑證,可進行簽章等憑證應用。具體實施時,利用軟體模組(例 如APP應用程式)做投單的動作,進行投單之前,APP應用程式會產生憑證請求檔以及私密金鑰,在投單時會將憑證請求檔傳送給換證伺服器,從換證伺服器取得一交易序號。 In process S41, the certificate request file is presented. This process generates a key for the software module, and provides a certificate request file, which is ultimately used when applying for a new certificate by the registration management center. The key can be used with the obtained new certificate for certificate applications such as signing. In specific implementation, use software modules (e.g. For example, the APP application) performs the action of placing an order. Before placing an order, the APP application will generate a certificate request file and a private key. When placing the order, the certificate request file will be sent to the renewal server, from the renewal server Obtain a transaction serial number.

於流程S42,提供既有憑證。本流程為實體組件裡面存有既有憑證,提供既有憑證給予換證伺服器。具體實施時,利用流程S41所取得的交易序號,讓實體組件(例如USIM)將交易序號做簽章,將交易序號、簽章值以及USIM裡的既有憑證傳給換證伺服器,於此,透過交易序號使得APP應用程式與USIM之間有所關聯性。 In process S42, provide existing credentials. In this process, the existing certificate is stored in the physical component, and the existing certificate is provided to the renewal server. In specific implementation, use the transaction serial number obtained in process S41 to let the entity component (such as USIM) sign the transaction serial number, and transmit the transaction serial number, signature value, and the existing certificate in the USIM to the renewal server, here , Through the transaction serial number to make the APP application and USIM related.

於流程S43,取出憑證序號。本流程為換證伺服器取出既有憑證的憑證序號。具體實施時,換證伺服器會驗證簽章是否無誤,之後會取出憑證的序號來減少後續傳輸的資料量。 In process S43, the certificate serial number is taken out. This process is for the renewal server to retrieve the certificate serial number of the existing certificate. In specific implementation, the renewal server will verify whether the signature is correct, and then retrieve the serial number of the certificate to reduce the amount of subsequent transmission of data.

於流程S44,將憑證序號以及憑證請求檔傳至註冊管理中心。本流程為換證伺服器將憑證序號和軟體模組所提供的憑證請求檔,一併傳給註冊管理中心。具體實施時,換證伺服器透過讓APP應用程式以及USIM能建立關聯性的交易序號,從資料庫取出投單時所取得的憑證請求檔,搭配流程S43所取得的憑證序號一同傳送給註冊管理中心。 In the process S44, the certificate serial number and the certificate request file are transmitted to the registration management center. In this process, the renewal server sends the certificate serial number and the certificate request file provided by the software module to the registration management center. During the specific implementation, the renewal server takes out the certificate request file obtained when placing the order from the database by allowing the APP application and USIM to establish the associated transaction serial number, and sends it to the registration management together with the certificate serial number obtained in process S43 center.

於流程S45,確定是否存在憑證。本流程為註冊管理中心會利用憑證序號去查詢此憑證的合法性和有效性。具體實施時,註冊管理中心會利用所獲得的憑證序號去查看是否有這張憑證存在。 In process S45, it is determined whether there is a certificate. In this process, the registration management center will use the certificate serial number to check the legality and validity of the certificate. During the specific implementation, the registration management center will use the obtained certificate serial number to check whether this certificate exists.

於流程S46,向憑證管理中心申請新憑證。本流程為註冊管理中心以既有憑證資訊,向憑證管理中心申請一張新憑證。具體實施時,註冊管理中心利用憑證序號所查到的這張既有的憑證去做背書,向憑證管 理中心申請新憑證,而申請下來的新憑證與既有憑證彼此之間是有所關聯的。 In process S46, apply for a new certificate from the certificate management center. In this process, the registration management center uses the existing certificate information to apply for a new certificate from the certificate management center. During the specific implementation, the registration management center uses the existing certificate found by the certificate serial number to do endorsement and send it to the certificate management The management center applies for a new voucher, and the applied new voucher and the existing voucher are related to each other.

於流程S47,回傳新憑證讓裝置下載。本流程為註冊管理中心回傳新憑證給換證伺服器,讓軟體模組能下載新憑證。具體實施時,憑證管理中心將申請下來的新憑證傳給換證伺服器,讓其存於資料庫之中,之後APP應用程式可以利用交易序號向換證伺服器獲取新憑證於應用軟體中,便可利用新憑證以及先前產出的私密金鑰做簽章。 In process S47, the new certificate is returned for the device to download. This process is for the registration management center to return the new certificate to the renewal server so that the software module can download the new certificate. During the specific implementation, the certificate management center sends the new certificate applied for to the renewal server and stores it in the database. After that, the APP application can use the transaction serial number to obtain the new certificate from the renewal server in the application software. You can use the new certificate and the previously generated private key for signing.

由上可知,可解決當存有憑證裝置其簽章能力有限時,可以依交易序號建立裝置與軟體模組的關聯性,之後換取一張新憑證給予軟體模組,使其解決裝置簽章的受限性,讓簽章能力更佳的裝置去做簽章。另外,本發明所換取的新憑證因為是基於既有憑證去背書所換取的,所以彼此之間是有所關聯性的,而非一張完全全新、互不相關的新憑證。 From the above, it can be solved that when the certificated device has limited signing ability, the association between the device and the software module can be established based on the transaction serial number, and then a new certificate can be exchanged for the software module to solve the problem of device signing Restricted, allowing devices with better signing capabilities to sign. In addition, because the new voucher exchanged by the present invention is exchanged for endorsement based on the existing voucher, it is related to each other, rather than a completely new and unrelated new voucher.

另外,本發明還提供一種基於既有憑證換取新憑證之方法的電腦可讀媒介,係應用於具有處理器(例如,CPU、GPU等)及/或記憶體的計算裝置或電腦中,且儲存有指令,並可利用此計算裝置或電腦透過處理器及/或記憶體執行此電腦可讀媒介,以於執行此電腦可讀媒介時執行上述內容。 In addition, the present invention also provides a computer-readable medium based on an existing certificate in exchange for a new certificate, which is applied to a computing device or computer with a processor (for example, CPU, GPU, etc.) and/or memory, and stores There are instructions, and the computing device or computer can be used to execute the computer-readable medium through the processor and/or memory, so as to execute the above content when the computer-readable medium is executed.

綜上所述,本發明提出一種基於既有憑證換取新憑證之系統、方法及電腦可讀媒介,本發明係透過有憑證的裝置與憑證管理中心(CA)中間所建立的換證伺服器,取出憑證中的憑證序號,搭配裝置之前所做投單的憑證請求檔去向憑證管理中心申請新憑證,可以傳輸更少量資料至註冊管理中心,亦能加以比對既有憑證是否存在。另外,本發明為基於既有憑證換取新憑證之技術,所換取之新憑證與既有憑證有一對一的關聯性, 能有效的解決既有憑證裝置不易簽章的受限性,以及簽章演算法的受限性,讓未持有憑證的裝置能申請到合法憑證,進而做到對於簽章受限的改善。 In summary, the present invention proposes a system, method and computer-readable medium for exchanging new certificates based on existing certificates. The present invention is based on a certificate renewal server established between a certificated device and a certificate management center (CA). Take out the certificate serial number in the certificate and use it with the certificate request file made before the device to apply for a new certificate from the certificate management center. A smaller amount of data can be transferred to the registration management center, and the existing certificate can also be compared. In addition, the present invention is based on the technology of exchanging existing vouchers for new vouchers, and the exchanged new vouchers have a one-to-one correlation with the existing vouchers. It can effectively solve the limitation of the existing certificate devices that are not easy to sign and the limitation of the signature algorithm, so that devices that do not hold the certificate can apply for a legal certificate, thereby improving the limitation of the signature.

上述實施例僅為例示性說明,而非用於限制本發明。任何熟習此項技藝之人士均可在不違背本發明之精神及範疇下,對上述實施例進行修飾與改變。因此,本發明之權利保護範圍係由本發明所附之申請專利範圍所定義,只要不影響本發明之效果及實施目的,應涵蓋於此公開技術內容中。 The above-mentioned embodiments are only illustrative descriptions, and are not used to limit the present invention. Anyone who is familiar with this technique can modify and change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the rights of the present invention is defined by the scope of the patent application attached to the present invention. As long as it does not affect the effect and implementation purpose of the present invention, it should be covered in the technical content of this disclosure.

1:基於既有憑證換取新憑證之系統 1: A system based on an existing certificate to exchange for a new certificate

11:待憑證裝置 11: Device to be certificated

12:存有憑證裝置 12: Device with certificate

13:換證伺服器 13: Renewal server

14:註冊管理中心 14: Registration Management Center

15:憑證管理中心 15: Certificate Management Center

Claims (13)

一種基於既有憑證換取新憑證之系統,係包括: A system based on the exchange of existing vouchers for new vouchers, including: 待憑證裝置,係用於產生憑證請求檔,以及接收對應該憑證請求檔之交易序號; The certificate-waiting device is used to generate the certificate request file and receive the transaction serial number corresponding to the certificate request file; 存有憑證裝置,係用於傳送該交易序號以及該存有憑證裝置所具有之既有憑證; The voucher storage device is used to transmit the transaction serial number and the existing voucher possessed by the voucher storage device; 換證伺服器,係接收來自該存有憑證裝置之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,俾傳送該憑證序號及與該交易序號相對應之該憑證請求檔; The renewal server receives the transaction serial number and the existing certificate from the storage device to obtain the certificate serial number from the existing certificate, and transmits the certificate serial number and the certificate request file corresponding to the transaction serial number ; 註冊管理中心,係接收來自該換證伺服器之該憑證序號及該憑證請求檔,以利用該憑證序號查詢該既有憑證,俾產生申請新憑證請求;以及 The registration management center receives the certificate serial number and the certificate request file from the renewal server, and uses the certificate serial number to query the existing certificate to generate a request for applying for a new certificate; and 憑證管理中心,係接收來自該註冊管理中心之該申請新憑證請求以產生新憑證,且透過該註冊管理中心回傳該新憑證至該換證伺服器,以供該待憑證裝置依據該交易序號下載該新憑證。 The certificate management center receives the request for applying for a new certificate from the registry to generate a new certificate, and sends the new certificate back to the renewal server through the registry, so that the device to be certified can use the transaction serial number Download the new certificate. 如請求項1所述之基於既有憑證換取新憑證之系統,其中,該換證伺服器收到來自該待憑證裝置之該憑證請求檔後,產生該交易序號,以傳送該交易序號至該待憑證裝置。 The system for exchanging a new certificate based on an existing certificate as described in claim 1, wherein the renewal server generates the transaction serial number after receiving the certificate request file from the device to be certificated, and transmits the transaction serial number to the Device to be certificated. 如請求項1所述之基於既有憑證換取新憑證之系統,其中,該存有憑證裝置復包括利用該交易序號做簽章以產生簽章值,而該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 For example, the system for exchanging new vouchers based on existing vouchers as described in claim 1, wherein the device for storing vouchers further includes using the transaction serial number as a signature to generate a signature value, and the signature value follows the transaction serial number and The existing certificate is sent to the renewal server for the renewal server to perform signature verification. 如請求項1所述之基於既有憑證換取新憑證之系統,其中,該待憑證裝置復包括產生私密金鑰,以供該待憑證裝置取得該新憑證時,利用該私密金鑰進行簽章。 The system for exchanging a new certificate based on an existing certificate as described in claim 1, wherein the device to be certificated includes generating a private key for the device to be certificated to obtain the new certificate and use the private key to sign . 一種基於既有憑證換取新憑證之系統,係包括: A system based on the exchange of existing vouchers for new vouchers, including: 使用者裝置,係包含等待憑證之軟體模組以及具有憑證之實體組件,其中,該軟體模組係產生憑證請求檔以及接收對應該憑證請求檔之交易序號,該實體組件係傳送該交易序號以及該實體組件所具有之既有憑證; The user device includes a software module waiting for a certificate and a physical component with a certificate. The software module generates a certificate request file and receives a transaction serial number corresponding to the certificate request file, and the physical component transmits the transaction serial number and Existing certificates possessed by the entity component; 換證伺服器,係接收來自該實體組件之該交易序號及該既有憑證,以由該既有憑證取得憑證序號,俾傳送該憑證序號及與該交易序號相對應之該憑證請求檔; The renewal server receives the transaction serial number and the existing certificate from the entity component to obtain the certificate serial number from the existing certificate, and transmits the certificate serial number and the certificate request file corresponding to the transaction serial number; 註冊管理中心,係接收來自該換證伺服器之該憑證序號及該憑證請求檔,以利用該憑證序號查詢該既有憑證,俾產生申請新憑證請求;以及 The registration management center receives the certificate serial number and the certificate request file from the renewal server, and uses the certificate serial number to query the existing certificate to generate a request for applying for a new certificate; and 憑證管理中心,係接收來自該註冊管理中心之該申請新憑證請求以產生新憑證,且透過該註冊管理中心回傳該新憑證至該換證伺服器,以供該軟體模組依據該交易序號下載該新憑證。 The certificate management center receives the request for applying for a new certificate from the registry to generate a new certificate, and sends the new certificate back to the renewal server through the registry for the software module to use the transaction serial number Download the new certificate. 如請求項5所述之基於既有憑證換取新憑證之系統,其中,該換證伺服器收到來自該軟體模組之該憑證請求檔後,產生該交易序號,以傳送該交易序號至該軟體模組。 The system for exchanging a new certificate based on an existing certificate as described in request item 5, wherein the certificate renewal server generates the transaction serial number after receiving the certificate request file from the software module to send the transaction serial number to the Software modules. 如請求項5所述之基於既有憑證換取新憑證之系統,其中,該實體組件復包括利用該交易序號做簽章以產生簽章值,而該簽章值隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 For example, the system for exchanging new vouchers based on existing vouchers as described in claim 5, wherein the entity component includes using the transaction serial number as a signature to generate a signature value, and the signature value follows the transaction serial number and the existing certificate. A certificate is sent to the renewal server for signature verification by the renewal server. 如請求項5所述之基於既有憑證換取新憑證之系統,其中,該軟體模組復包括產生私密金鑰,以供該軟體模組取得該新憑證時,利用該私密金鑰進行簽章。 The system for exchanging a new certificate based on an existing certificate as described in claim 5, wherein the software module includes generating a private key for the software module to use the private key to sign when the new certificate is obtained . 一種基於既有憑證換取新憑證之方法,係包括: A method of exchanging existing certificates for new certificates includes: 令軟體模組提供憑證請求檔至換證伺服器,並接收該換證伺服器所回傳之交易序號; Make the software module provide the certificate request file to the renewal server, and receive the transaction serial number returned by the renewal server; 令具有既有憑證之實體組件傳送該交易序號及該既有憑證至該換證伺服器; Make the entity component with the existing certificate send the transaction serial number and the existing certificate to the renewal server; 令該換證伺服器由該既有憑證取得憑證序號,以傳送該憑證序號及與該交易序號相對應之該憑證請求檔至註冊管理中心; Order the renewal server to obtain the certificate serial number from the existing certificate to send the certificate serial number and the certificate request file corresponding to the transaction serial number to the registry; 令該註冊管理中心利用該憑證序號以確認該既有憑證之合法性和有效性,以於該既有憑證合法且有效時,產生申請新憑證請求; Order the registry to use the serial number of the certificate to confirm the legitimacy and validity of the existing certificate, so that when the existing certificate is legal and valid, it generates a request for a new certificate; 令該註冊管理中心利用該既有憑證,向憑證管理中心申請新憑證;以及 Make the registration management center use the existing certificate to apply for a new certificate from the certificate management center; and 令該註冊管理中心傳送該新憑證至該換證伺服器,以供該軟體模組下載。 Order the registry to send the new certificate to the renewal server for the software module to download. 如請求項9所述之基於既有憑證換取新憑證之方法,其中,該軟體模組與該實體組件係位於同一裝置內,或是分屬兩個不同裝置。 The method for exchanging a new certificate based on an existing certificate as described in claim 9, wherein the software module and the physical component are located in the same device or belong to two different devices. 如請求項9所述之基於既有憑證換取新憑證之方法,其中,該實體組件復包括利用該交易序號做簽章以產生簽章值,而該簽章值 隨著該交易序號及該既有憑證傳送至該換證伺服器,以供該換證伺服器進行簽章驗證。 As described in claim 9, the method for exchanging a new certificate based on an existing certificate, wherein the entity component includes using the transaction serial number as a signature to generate a signature value, and the signature value The transaction serial number and the existing certificate are sent to the renewal server for the renewal server to perform signature verification. 如請求項9所述之基於既有憑證換取新憑證之方法,其中,該軟體模組復包括產生私密金鑰,以供該軟體模組取得該新憑證時,利用該私密金鑰進行簽章。 The method for exchanging a new certificate based on an existing certificate as described in claim 9, wherein the software module includes generating a private key for the software module to use the private key for signing when obtaining the new certificate . 一種電腦可讀媒介,應用於計算裝置或電腦中,係儲存有指令,以執行如請求項9至12其中任一項所述之基於既有憑證換取新憑證之方法。 A computer-readable medium used in a computing device or computer, and storing instructions to execute the method of exchanging a new certificate based on an existing certificate as described in any one of request items 9 to 12.
TW109137669A 2020-10-29 2020-10-29 System and method for exchanging new certificate based on current certificate and computer-readable medium TWI746235B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109137669A TWI746235B (en) 2020-10-29 2020-10-29 System and method for exchanging new certificate based on current certificate and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109137669A TWI746235B (en) 2020-10-29 2020-10-29 System and method for exchanging new certificate based on current certificate and computer-readable medium

Publications (2)

Publication Number Publication Date
TWI746235B true TWI746235B (en) 2021-11-11
TW202218375A TW202218375A (en) 2022-05-01

Family

ID=79907503

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109137669A TWI746235B (en) 2020-10-29 2020-10-29 System and method for exchanging new certificate based on current certificate and computer-readable medium

Country Status (1)

Country Link
TW (1) TWI746235B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9313033B2 (en) * 2011-12-02 2016-04-12 Blackberry Limited Derived certificate based on changing identity
TWI591991B (en) * 2016-01-29 2017-07-11 Chunghwa Telecom Co Ltd System and method for pre-signing vouchers for forecasting requests for traffic
TW201836322A (en) * 2017-07-10 2018-10-01 大陸商騰訊科技(深圳)有限公司 Certificate management method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9313033B2 (en) * 2011-12-02 2016-04-12 Blackberry Limited Derived certificate based on changing identity
TWI591991B (en) * 2016-01-29 2017-07-11 Chunghwa Telecom Co Ltd System and method for pre-signing vouchers for forecasting requests for traffic
TW201728132A (en) * 2016-01-29 2017-08-01 Chunghwa Telecom Co Ltd Certificate pre-signing system and method for forecasting request flow storing a pre-signed certificate status into the certificate database
TW201836322A (en) * 2017-07-10 2018-10-01 大陸商騰訊科技(深圳)有限公司 Certificate management method and system

Also Published As

Publication number Publication date
TW202218375A (en) 2022-05-01

Similar Documents

Publication Publication Date Title
US20220321359A1 (en) Methods and systems for ownership verification using blockchain
CA3049761C (en) Method for providing payment gateway service using utxo-based protocol and server using same
US20190251561A1 (en) Verifying an association between a communication device and a user
WO2020186827A1 (en) User authentication method and apparatus, computer device and computer-readable storage medium
CN112291245B (en) Identity authorization method, identity authorization device, storage medium and equipment
CN110851857B (en) Method and device for realizing identity endorsement on block chain
TWI718567B (en) Two-dimensional code generation method, data processing method, device, server and computer readable storage medium
US20120084565A1 (en) Cryptographic device that binds an additional authentication factor to multiple identities
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
US20200412554A1 (en) Id as service based on blockchain
US20220321357A1 (en) User credential control system and user credential control method
WO2016173211A1 (en) Application identifier management method and device
US20210306135A1 (en) Electronic device within blockchain based pki domain, electronic device within certification authority based pki domain, and cryptographic communication system including these electronic devices
Abraham et al. SSI Strong Authentication using a Mobile-phone based Identity Wallet Reaching a High Level of Assurance.
CN101582876A (en) Method, device and system for registering user generated content (UGC)
JP5036500B2 (en) Attribute certificate management method and apparatus
LU93150B1 (en) Method for providing secure digital signatures
TWI746235B (en) System and method for exchanging new certificate based on current certificate and computer-readable medium
JP6983685B2 (en) Information processing system, client device, authentication / authorization server, control method and its program
CN115037480A (en) Method, device, equipment and storage medium for equipment authentication and verification
JP7222436B2 (en) Security control method, information processing device and security control program
WO2016165662A1 (en) Mobile phone quasi-digital certificate subsystem, and system and method thereof
TWI657382B (en) Equity document management method
US20240143730A1 (en) Multi-factor authentication using blockchain
US11849041B2 (en) Secure exchange of session tokens for claims-based tokens in an extensible system