WO2014187208A1 - Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique - Google Patents

Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique Download PDF

Info

Publication number
WO2014187208A1
WO2014187208A1 PCT/CN2014/075747 CN2014075747W WO2014187208A1 WO 2014187208 A1 WO2014187208 A1 WO 2014187208A1 CN 2014075747 W CN2014075747 W CN 2014075747W WO 2014187208 A1 WO2014187208 A1 WO 2014187208A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic signature
private key
signature token
matching code
data packet
Prior art date
Application number
PCT/CN2014/075747
Other languages
English (en)
Chinese (zh)
Inventor
李东声
Original Assignee
天地融科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 天地融科技股份有限公司 filed Critical 天地融科技股份有限公司
Publication of WO2014187208A1 publication Critical patent/WO2014187208A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • the present invention relates to the field of electronic technologies, and in particular, to a method and system for backing up a private key in an electronic signature token. Background technique
  • the user's private key and the digital certificate are stored in the electronic signature token, and the user identity is authenticated by using the public key algorithm built into the USB Key.
  • the user private key cannot be read theoretically in any way to ensure the security of user authentication.
  • the electronic signature token cannot be obtained, and the user must re-apply the electronic signature token.
  • the key information such as the private key and the serial number must be redistributed and acquired, and the electronic signature token needs to be triggered.
  • the update process increases the maintenance cost of the electronic signature token. Therefore, how to efficiently maintain electronic signature tokens is an urgent problem to be solved. Summary of the invention
  • the present invention provides a method and system for backing up a private key in an electronic signature token, aiming to solve one of the above problems.
  • the technical solution of the present invention is specifically implemented as follows:
  • a method for backing up a private key in an electronic signature token comprising: a first electronic signature token and a second electronic signature token acquiring a matching code; the first electronic signature token encrypting the matching code, and performing a sending private key backup a process of requesting a data packet, wherein the private key backup request data packet includes an encrypted matching code and a first signature issued by the CA server for the first electronic signature token; and the second electronic signature token receives the private key backup request data
  • the second electronic signature token verifies the first signature of the first electronic signature token; if the verification is passed, the second electronic signature token decrypts the encrypted matching code, and the decrypted matching code is treated as Verifying the matching code; the second electronic signature token compares the to-be-verified matching code with the locally obtained matching code; if the to-be-verified matching code is the same as the locally obtained matching code, the second electronic signature token performs the sending of the private key
  • the process of backing up the response packet wherein the private key backup response packet includes private key information; the first electronic signature
  • the first electronic signature token encrypts the matching code, including: the first electronic signature token encrypts the matching code by using a key in the first signature to obtain an encrypted matching code; and the second electronic signature token pair
  • the encrypted matching code is decrypted, including:
  • the second electronic signature token obtains the key from the private key backup request packet, and decrypts the encrypted matching code by using the key.
  • the first electronic signature token performs a process of sending a private key backup request data packet, including: the first electronic signature token signing the private key backup request data packet, and sending the signature processed private key backup request data packet; Before the second electronic signature token verifies the first signature of the first electronic signature token, the method further includes: after receiving the signature private key backup request data packet, the second electronic signature token is processed by the signature The private key backup request packet is checked, and if the check is passed, the operation of verifying the first signature of the first electronic signature token is performed.
  • the second electronic signature token performs a process of sending a private key backup response data packet, including: the second electronic signature token signatures the private key backup response data packet, and sends the signature processed private key backup response data packet; Before the first electronic signature token performs the process of acquiring the private key, the method further includes: after receiving the signature-processed private key backup request data packet, the first electronic signature token performs the signature processing of the private key backup response data packet. Verification; If the verification passes, the process of obtaining the private key is performed.
  • the process of sending the private key backup response data packet by the second electronic signature token includes: acquiring a private key encryption policy by using the second electronic signature token, and encrypting the private key by using the encryption policy, and performing the sending encryption
  • the process of obtaining the private key by the first electronic signature token includes: obtaining a decryption policy of the private key by the first electronic signature token, and decrypting the encrypted private key by using the decryption policy to obtain the private key.
  • the encryption policy and the decryption policy of the private key are determined by the first electronic signature token and the second electronic signature token by using a matching code.
  • the encryption policy and the decryption policy of the private key are determined by the matching code by the first electronic signature token and the second electronic signature token, including: using the matching code obtained by the first electronic signature token as the to-be-verified code, An electronic signature token performs an operation of sending the to-be-verified code to the second electronic signature token; after obtaining the to-be-verified code, the second electronic signature token determines whether the to-be-verified code is identical to the locally obtained matching code; If the to-be-verified code is the same as the locally obtained matching code, the second electronic signature token generates an encryption policy of the private key and a decryption policy corresponding to the encryption policy; and the second electronic signature token transmits at least the decryption policy to the first electronic Signing token.
  • the encryption policy and the decryption policy of the private key are determined by the matching code by the first electronic signature token and the second electronic signature token, including: the second electronic signature token and the first electronic signature token obtain a matching code, and the encryption Corresponding relationship between the policy and the decryption policy; the second electronic signature token and the first electronic signature token look up the encryption policy and the decryption policy corresponding to the matching code in the corresponding relationship; if found, the encrypted policy and the decryption strategy to be found The encryption policy used as the private key and the decryption policy corresponding to the encryption policy.
  • the encryption policy and the decryption policy of the private key are the same as the encryption policy and the decryption policy stored in the first signature.
  • the private key backup response data packet further includes a second signature issued by the CA server for the second electronic signature token.
  • the first electronic signature token performs the process of acquiring the private key, including: the first electronic signature token is obtained. After the private key backup response packet, verify the second signature; if the verification is passed, the first electronic signature token performs the acquisition of the private key Process.
  • a system for backing up a private key in an electronic signature token comprising: a first acquisition module in a first electronic signature token and a second acquisition module in a second electronic signature token, each used to obtain a matching code; An encryption module in the electronic signature token, configured to encrypt the matching code; a first sending module in the first electronic signature token, configured to execute a process of sending a private key backup request data packet, where the private key backup request data packet And including the encrypted matching code and the first signature issued by the CA server for the first electronic signature token; the first verification module of the second electronic signature token, configured to receive the private key backup on the second electronic signature token After requesting the data packet, verifying the first signature of the first electronic signature token; and the decrypting module in the second electronic signature token is configured to decrypt the encrypted matching code if the verification is passed, and the decrypted matching is performed.
  • the second sending module of the second electronic signature token is configured to: if the to-be-verified matching code is the same as the locally obtained matching code, perform a process of sending a private key backup response data packet, where the private key backup response data packet includes a private key
  • the third obtaining module of the first electronic signature token is configured to perform a process of acquiring a private key after obtaining the private key backup response data packet.
  • the encryption module is configured to encrypt the matching code by using a key in the first signature to obtain an encrypted matching code
  • the decrypting module is configured to obtain a key from the private key backup request packet, and use the key pair.
  • the encrypted matching code is decrypted.
  • the first sending module is configured to sign the private key backup request data packet, and send the signature processed private key backup request data packet;
  • the second electronic signature token further includes a third verification module, configured to use the signature The processed private key backup request packet is checked, and if the check is passed, the first signature of the first electronic signature token is verified.
  • the second sending module is configured to sign the private key backup response data packet, and send the signature processed private key backup response data packet.
  • the first electronic signature token further includes a second verification module, configured to receive After the signature processing of the private key backup request packet, the signature processing of the private key backup response packet is verified; if the verification is passed, the process of obtaining the private key is performed.
  • the second sending module is configured to obtain an encryption policy of the private key, and encrypt the private key by using the encryption policy, and execute a process of sending the encrypted private key.
  • the third obtaining module is configured to obtain the decryption of the private key. The policy, and decrypting the encrypted private key by using a decryption strategy to obtain a private key.
  • the encryption policy and the decryption policy of the private key are determined by the first electronic signature token and the second electronic signature token by using a matching code.
  • the system further includes: a first negotiation module of the first electronic signature token and a second negotiation module of the second electronic signature token, where the first negotiation module is configured to obtain the first electronic signature token
  • the matching code is used as the code to be verified. And performing the operation of sending the to-be-verified code to the second negotiation module; the second negotiation module is configured to determine, after obtaining the to-be-verified code, whether the to-be-verified code is the same as the locally obtained matching code; If the locally obtained matching code is the same, the encryption policy of the private key and the decryption policy corresponding to the encryption policy are generated; and at least the decryption policy is sent to the first negotiation module.
  • the system further includes: a first negotiation module in the first electronic signature token and a second negotiation module in the second electronic signature token, where the first negotiation module and the second negotiation module are both used to obtain a matching code, Correspondence between the encryption policy and the decryption policy; and finding the encryption policy and the decryption policy corresponding to the matching code in the correspondence relationship; if found, the encryption policy and the decryption policy that are found as the encryption policy used by the private key and the encryption The decryption strategy corresponding to the policy.
  • the encryption policy and the decryption policy of the private key are the same as the encryption policy and the decryption policy stored in the first signature.
  • the private key backup response data packet further includes a second signature issued by the CA server for the second electronic signature token.
  • the third obtaining module is configured to: after obtaining the signature backup response data packet, perform the second signature Verification; If the verification passes, the process of obtaining the private key is performed.
  • the second electronic signature token determines whether the first electronic signature token is legally set to the first electronic signature token by verifying the first signature, and then determining the first electronic signature token by using the matching code. Whether it has the right to back up the private key stored locally, and after the above two conditions are met, the private key information is transmitted to ensure the security of the private key backup.
  • FIG. 1 is a schematic flowchart of a method for backing up a private key in an electronic signature token according to the present invention
  • FIG. 2 is a schematic structural diagram of a system embodiment for backing up a private key in an electronic signature token according to the present invention. detailed description
  • connection In the description of the present invention, it should be noted that the terms “installation”, “connected”, and “connected” are to be understood broadly, and may be fixed or detachable, for example, unless otherwise explicitly defined and defined. Connected, or connected integrally; can be mechanical or electrical; can be directly connected, or indirectly connected through an intermediate medium, can be the internal communication of the two components.
  • Connected, or connected integrally can be mechanical or electrical; can be directly connected, or indirectly connected through an intermediate medium, can be the internal communication of the two components.
  • the specific meaning of the above terms in the present invention can be understood in a specific case by those skilled in the art.
  • FIG. 1 is a schematic flowchart diagram of a method for backing up a private key in an electronic signature token according to the present invention.
  • the method embodiment shown in Figure 1 includes:
  • Step 101 The first electronic signature token and the second electronic signature token obtain a matching code.
  • the matching code may include at least one of a character, a number, and a character; the second electronic signature token and the first electronic signature token may obtain the matching code through a manual input, a data transmission interface, or a network; A matching code is generated by the second electronic signature token according to the pre-stored generation policy, and the matching code is outputted, wherein the output mode can be displayed or played, and the matching code is obtained by the first electronic signature token.
  • the first electronic signature token can obtain the matching code through wireless or wired transmission, or can be manually input by the user.
  • the first electronic signature token and the second electronic signature token may be obtained by the bank backend server by sending the matching code to the first electronic signature token and the second electronic signature token.
  • the method of generating the matching code by the second electronic signature token and acquiring by the first electronic signature token does not require the participation of the bank background server, and the interaction process is simpler than that of the bank background server.
  • Step 102 The first electronic signature token encrypts the matching code, and performs a process of sending a private key backup request data packet, where the private key backup request data packet includes the encrypted matching code and is certified by a CA (Certificate Authority) The first signature issued by the server for the first electronic signature token;
  • CA Certificate Authority
  • the signature issued by the CA server is an authoritative electronic document, which is issued by the authoritative and impartial third-party institution center using the CA server private key, which includes the key and the identification information.
  • Step 103 After the second electronic signature token receives the private key backup request data packet, the second electronic signature token verifies the first signature of the first electronic signature token. Specifically, the second electronic signature token uses the CA server public key to verify the digital certificate, and if the verification is passed, it indicates that the first electronic signature token is legal, and the first electronic signature token is set, and step 104 is performed; Otherwise, it means that the first electronic signature token is illegally set, and the process ends.
  • Step 104 If the verification is passed, the second electronic signature token decrypts the matching code in the private key backup request data packet, and uses the decrypted matching code as the to-be-verified matching code.
  • Step 105 The second electronic signature token compares the to-be-verified matching code with the locally obtained matching code. Step 106: If the to-be-verified matching code is the same as the locally obtained matching code, the second electronic signature token is sent. The process of responding to the data packet by the private key backup, wherein the private key backup response data packet includes private key information;
  • Step 107 After obtaining the private key backup response data packet, the first electronic signature token performs a process of acquiring the private key.
  • the second electronic signature token determines whether the first electronic signature token is legally set to the first electronic signature token by verifying the first signature, and then determining the first electronic signature token by using the matching code. Whether it has the right to back up the private key stored locally, and after the above two conditions are met, the private key information is transmitted to ensure the security of the private key backup.
  • the first electronic signature token encrypts the matching code, including:
  • the first electronic signature token encrypts the matching code by using the key in the first signature to obtain the encrypted matching code; and the second electronic signature token decrypts the encrypted matching code, including:
  • the second electronic signature token obtains the key from the private key backup request packet, and decrypts the encrypted matching code by using the key.
  • the encryption of the matching code uses the key in the first signature, and the key for decrypting the encrypted matching code can also be directly obtained from the private key backup request packet, that is, the first signature.
  • the plaintext therefore, the above method makes the encryption and decryption operation of the matching code simple.
  • the encryption and decryption policy may be pre-stored in the corresponding electronic signature token or determined by two electronic signature tokens.
  • the first electronic signature token performs an operation of sending a private key backup request packet, including:
  • the first electronic signature token signs the private key backup request data packet, and sends the signature processed private key backup request data packet;
  • the method further includes: after receiving the signature private key backup request data packet, the second electronic signature token performs processing on the signature Private The signature of the key backup request packet is verified. If the verification passes, the second electronic signature token is executed to verify the first signature in the private key backup request packet.
  • the private key used for signing the private key backup request packet and the public key used by the second electronic signature token to verify the signature of the private key backup request packet are pre-negotiated, and the respective settings are written. In the first electronic signature token.
  • the private key backup request data packet is signed by the first electronic signature token, and the second electronic signature token is used to verify the private key backup request data packet, so that the first electronic device that initiates the backup request is implemented.
  • the identity of the signature token is such that the electronic signature token with the first signature cannot spoof the private key of the second electronic signature token, thereby improving the security of the private key backup.
  • the second electronic signature token performs an operation of sending a private key backup response data packet, including:
  • the second electronic signature token signs the private key backup response data packet, and sends the signature processed private key backup response data packet;
  • the method further includes: after receiving the signature private key backup response data packet, the first electronic signature token is processed after the signature The private key backup verifies the signature of the data packet, and if the verification passes, performs the operation of verifying the digital signature in the private key backup response packet by the first electronic signature token.
  • the private key backup response data packet is signed by the second electronic signature token, and then the first electronic signature token is used to verify the private key backup response data packet, so as to implement the first electronic response to initiate the backup response.
  • the identity authentication of the signature token enables the legal electronic signature token with the second signature to prevent the first electronic signature token from acquiring the correct private key, and ensures that the first electronic signature token can back up the correct private key.
  • the private key used by the private key backup response packet and the public key used by the first electronic signature token to verify the signed private key backup response packet are pre-negotiated, and the respective settings are written. In the first electronic signature token.
  • the private key is encrypted and transmitted during the transmission process, and the private key is encrypted and transmitted, including:
  • the second electronic signature token performs a process of sending a private key backup response data packet, including:
  • the second electronic signature token acquires an encryption policy of the private key, and encrypts the private key by using the encryption policy, and executes a process of transmitting the encrypted private key;
  • the first electronic signature token performs a process of obtaining a private key, including: The first electronic signature token acquires a decryption policy of the private key, and decrypts the encrypted private key by using a decryption policy to obtain a private key.
  • the encryption policy and the decryption policy may be pre-negotiated, and the encryption policy used by one of the second electronic signature token and the first electronic signature token to communicate with the other query may be decrypted corresponding to the encryption policy.
  • Strategy another one can select one set of encryption and decryption strategies from the pre-stored encryption and decryption strategy to respond to the query request, and the two are consistent. The latter increases the randomness of the encryption and decryption strategy than the former.
  • the method is not limited thereto, and the encryption policy and the decryption strategy of the private key are determined by the matching code by the first electronic signature token and the second electronic signature token, and the identification of the private key is increased due to the high randomness of the matching code.
  • the randomness of the decryption strategy improves the security of the information.
  • the encryption policy and decryption strategy of the private key include the following two types:
  • Manner 1 The encryption policy and the decryption policy of the private key are determined by the first electronic signature token and the second electronic signature token by using a matching code;
  • the second electronic signature token acquires a key, which is the same as the key stored in the first signature of the first electronic signature token, and encrypts the private key of the second electronic signature token by using the key to obtain The private key of the encrypted second electronic signature token;
  • the key obtained by the second electronic signature token in the second mode may also be obtained by querying the first electronic signature token, or may be obtained from the bank background server.
  • mode 1 determines the encryption and decryption strategy by matching code encryption and decryption strategy, and increases the randomness of the encryption and decryption strategy.
  • the second method uses the key in the first signature of the first electronic signature token, which is convenient for the first
  • the electronic signature token acquires the decryption strategy and is simple to implement.
  • matching code negotiation encryption and decryption strategies has the following two types, including:
  • the matching code obtained by the first electronic signature token is used as a code to be verified, and the first electronic signature token performs an operation of sending the to-be-verified code to the second electronic signature token; the second electronic signature token is acquired After the to-be-verified code, it is determined whether the to-be-verified code is the same as the locally obtained matching code; if the to-be-verified code is the same as the locally obtained matching code, the second electronic signature token generates a private key encryption policy and the encryption policy. Corresponding decryption strategy; the second electronic signature token sends at least the decryption policy to the first electronic signature token.
  • the second electronic signature token determines the initiation and negotiation of the encryption and decryption policy with the second electronic signature token by comparing the to-be-verified code with the locally obtained matching code. Whether an electronic signature token is the first electronic signature token to verify the identity of the first electronic signature token, determining that the first electronic signature token is the first electronic signature token, and then sending the decryption algorithm to the first An electronic signature token guarantees the transmission of the private key All.
  • the first electronic signature token performs an operation of sending the to-be-verified code to the second electronic signature token, including:
  • the first electronic signature token signs the to-be-verified code, and sends the signature-processed to-be-verified code to the second electronic signature token;
  • the method further includes:
  • the second electronic signature token After receiving the signature-processed to-be-verified code, the second electronic signature token verifies the second electronic signature token to be verified by the signature-processed to-be-verified code, and if the verification passes, determines the to-be-verified code and the locally acquired code. Whether the matching code is the same.
  • the private key used by the first electronic signature token to sign the verification code may be the same as the private key used when the first electronic signature token signs the private key backup request packet.
  • the second electronic signature order The public key used by the card to verify the signed code to be verified is the same as the public key used to back up the request packet for the signed private key.
  • the second electronic signature token and the first electronic signature token obtain a correspondence between the matching code, the encryption policy, and the decryption policy; and the second electronic signature token and the first electronic signature token find a matching code corresponding to the matching
  • the encryption policy and the decryption policy; if found, the encryption policy and the decryption policy that are found are used as the encryption policy used by the private key and the decryption policy corresponding to the encryption policy.
  • both parties substitute the matching code as an input parameter into the preset algorithm, and calculate a unique pair of encryption and decryption strategies, and use the preset algorithm as a strategy for encrypting and decrypting the private key.
  • the first electronic signature token and the second electronic signature token determine the encryption and decryption strategy used for communication by querying the locally obtained correspondence relationship, and the implementation is simple, and the first electronic signature token and the first The information exchange between the two electronic signature tokens reduces the possibility of information being stolen.
  • the private key backup response data packet further includes a second signature of the second electronic signature token, which is used to identify that the private key is sent by the legal first electronic signature token.
  • the private key backup request packet further includes a second signature issued by the CA server for the second electronic signature token; wherein the first electronic signature token performs the process of acquiring the private key, including: the first electronic signature token is received After the private key backup request packet, the second signature is verified; if the verification is passed, the first electronic signature token performs a process of acquiring the private key.
  • the first electronic signature token may include the following key information: a key for encrypting the matching code, a private key for signing the information locally sent to the master, a public key for verifying the signature data sent by the master, and a key for decrypting the encrypted private key of the master; correspondingly, the master includes a private key for requesting backup by the first electronic signature token, and further includes: decrypting the key of the matching code, and performing local information to the master The signed private key, sent to the first electronic signature token The public key of the signature data is verified and the key of the private key of the encryption master.
  • FIG. 2 is a schematic structural diagram of a system embodiment of a private key in the backup electronic signature token provided by the present invention.
  • the system embodiment shown in Figure 2 includes:
  • the first obtaining module 201 of the first electronic signature token and the second obtaining module 202 of the second electronic signature token are both used to obtain a matching code
  • the first sending module 204 of the first electronic signature token is configured to perform a process of sending a private key backup request data packet, where the private key backup request data packet includes the encrypted matching code and the first electronic signature command by the CA server The first signature issued by the card;
  • the first verification module 205 is configured to: after the second electronic signature token receives the private key backup request data packet, verify the first signature of the first electronic signature token;
  • the decryption module 206 in the second electronic signature token is configured to decrypt the encrypted matching code if the verification succeeds, and use the decrypted matching code as the to-be-verified matching code;
  • the comparing module 207 in the second electronic signature token is configured to compare the to-be-verified matching code with the locally obtained matching code
  • the second sending module 208 of the second electronic signature token is configured to: if the to-be-verified matching code is the same as the locally obtained matching code, perform a process of sending a private key backup response data packet, where the private key backup response data packet includes Private key letter from E.;
  • the third obtaining module 209 of the first electronic signature token is configured to perform a process of acquiring the private key after obtaining the private key backup response data packet.
  • the encryption module is configured to encrypt the matching code by using a key in the first signature to obtain an encrypted matching code
  • the decrypting module is configured to obtain a key from the private key backup request packet, and use the key pair.
  • the encrypted matching code is decrypted.
  • the first sending module is configured to sign the private key backup request data packet, and send the signature processed private key backup request data packet;
  • the second electronic signature token further includes a third verification module, configured to use the signature The processed private key backup request packet is checked, and if the check is passed, the first signature of the first electronic signature token is verified.
  • the second sending module is configured to sign the private key backup response data packet, and send the signature processed private key backup response data packet.
  • the first electronic signature token further includes a second verification module, configured to receive After the signature processing of the private key backup request packet, the signature processing of the private key backup response packet is verified; if the verification is passed, Then the process of obtaining the private key is performed.
  • the second sending module is configured to obtain an encryption policy of the private key, and encrypt the private key by using the encryption policy, and execute a process of sending the encrypted private key.
  • the third obtaining module is configured to obtain the decryption of the private key. The policy, and decrypting the encrypted private key by using a decryption strategy to obtain a private key.
  • the encryption policy and the decryption policy of the private key are determined by the first electronic signature token and the second electronic signature token by using a matching code.
  • the system further includes: a first negotiation module of the first electronic signature token and a second negotiation module of the second electronic signature token, where the first negotiation module is configured to obtain the first electronic signature token
  • the matching code is used as the code to be verified, and the operation of sending the to-be-verified code to the second negotiation module is performed.
  • the second negotiation module is configured to determine whether the code to be verified and the locally obtained matching code are obtained after the code to be verified is obtained. If the code to be verified is the same as the locally obtained matching code, the encryption policy of the private key and the decryption policy corresponding to the encryption policy are generated; and at least the decryption policy is sent to the first negotiation module.
  • the system further includes: a first negotiation module in the first electronic signature token and a second negotiation module in the second electronic signature token, where the first negotiation module and the second negotiation module are both used to obtain a matching code, Correspondence between the encryption policy and the decryption policy; and finding the encryption policy and the decryption policy corresponding to the matching code in the correspondence relationship; if found, the encryption policy and the decryption policy that are found as the encryption policy used by the private key and the encryption The decryption strategy corresponding to the policy.
  • the encryption policy and the decryption policy of the private key are the same as the encryption policy and the decryption policy stored in the first signature.
  • the private key backup response data packet further includes a second signature issued by the CA server for the second electronic signature token.
  • the third obtaining module is configured to: after obtaining the signature backup response data packet, perform the second signature Verification; If the verification passes, the process of obtaining the private key is performed.
  • the second electronic signature token determines whether the first electronic signature token is legally set to the first electronic signature token by verifying the first signature, and then determining the first electronic signature token by using the matching code. Whether it has the right to back up the private key stored locally, and after the above two conditions are met, the private key information is transmitted to ensure the security of the private key backup.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented with any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the description of the terms “one embodiment”, “some embodiments”, “example”, “specific example”, or “some examples” and the like means a specific feature described in connection with the embodiment or example.
  • a structure, material or feature is included in at least one embodiment or example of the invention.
  • the schematic representation of the above terms does not necessarily mean the same embodiment or example.
  • the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un procédé et un système destinés à sauvegarder la clé privée d'un jeton de signature électronique, le procédé comprenant les étapes suivantes : un premier jeton de signature électronique et un second jeton de signature électronique acquièrent un code de correspondance (101); le premier jeton de signature électronique chiffre le code de correspondance, et transmet un paquet de données de demande de sauvegarde de clé privée comprenant le code de correspondance chiffré et une première signature émise par un serveur d'autorité de certification (CA) au premier jeton de signature électronique (102); après avoir reçu le paquet de données de demande de sauvegarde de clé privée, le second jeton de signature électronique authentifie la première signature du premier jeton de signature électronique (103); si la première signature passe l'authentification, alors le second jeton de signature électronique déchiffre le code de correspondance dans le paquet de données de demande de sauvegarde de clé privée, et utilise le code de correspondance obtenu par déchiffrement comme code de correspondance à authentifier (104); le second jeton de signature électronique compare le code de correspondance à authentifier avec un code de correspondance obtenu localement (105); si le code de correspondance à authentifier est le même que le code de correspondance obtenu localement, le second jeton de signature électronique transmet un paquet de données de réponse de sauvegarde de clé privée comprenant les informations de clé privée (106); et le premier jeton de signature électronique acquiert la clé privée après avoir obtenu le paquet de données de réponse de sauvegarde de clé privée (107).
PCT/CN2014/075747 2013-05-23 2014-04-18 Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique WO2014187208A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310194189.8 2013-05-23
CN201310194189.8A CN103281188B (zh) 2013-05-23 2013-05-23 一种备份电子签名令牌中私钥的方法和系统

Publications (1)

Publication Number Publication Date
WO2014187208A1 true WO2014187208A1 (fr) 2014-11-27

Family

ID=49063647

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/075747 WO2014187208A1 (fr) 2013-05-23 2014-04-18 Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique

Country Status (2)

Country Link
CN (1) CN103281188B (fr)
WO (1) WO2014187208A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281188B (zh) * 2013-05-23 2016-09-14 天地融科技股份有限公司 一种备份电子签名令牌中私钥的方法和系统
WO2015094326A1 (fr) * 2013-12-20 2015-06-25 Intel Corporation Importation et exportation sécurisées de matériel de mise à la clé
CN105939194B (zh) * 2015-11-11 2019-06-25 天地融科技股份有限公司 一种电子密钥设备私钥的备份方法和系统
CN114039734B (zh) * 2018-03-16 2023-03-24 腾讯科技(深圳)有限公司 设备重置方法和装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272616A (zh) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 一种无线城域网的安全接入方法
CN102413132A (zh) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 基于双向安全认证的数据下载方法及系统
CN103117855A (zh) * 2012-12-19 2013-05-22 福建联迪商用设备有限公司 一种生成和备份数字证书及私钥的方法
CN103269271A (zh) * 2013-05-23 2013-08-28 天地融科技股份有限公司 一种备份电子签名令牌中私钥的方法和系统
CN103281188A (zh) * 2013-05-23 2013-09-04 天地融科技股份有限公司 一种备份电子签名令牌中私钥的方法和系统

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20010023602A (ko) * 1997-09-02 2001-03-26 케이코 우다 디지털서명 생성서버 및 디지털서명 생성방법
US6249867B1 (en) * 1998-07-31 2001-06-19 Lucent Technologies Inc. Method for transferring sensitive information using initially unsecured communication
CN101989991B (zh) * 2010-11-24 2013-09-18 天地融科技股份有限公司 安全导入密钥的方法及电子签名工具、认证设备及系统
CN102739401B (zh) * 2012-06-05 2015-03-25 北京工业大学 一种基于身份公钥密码体制的私钥安全管理方法

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272616A (zh) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 一种无线城域网的安全接入方法
CN102413132A (zh) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 基于双向安全认证的数据下载方法及系统
CN103117855A (zh) * 2012-12-19 2013-05-22 福建联迪商用设备有限公司 一种生成和备份数字证书及私钥的方法
CN103269271A (zh) * 2013-05-23 2013-08-28 天地融科技股份有限公司 一种备份电子签名令牌中私钥的方法和系统
CN103281188A (zh) * 2013-05-23 2013-09-04 天地融科技股份有限公司 一种备份电子签名令牌中私钥的方法和系统

Also Published As

Publication number Publication date
CN103281188B (zh) 2016-09-14
CN103281188A (zh) 2013-09-04

Similar Documents

Publication Publication Date Title
JP7175269B2 (ja) モノのインターネットデバイスの記録検証方法及び装置、ならびにid認証方法及び装置
WO2018050081A1 (fr) Procédé et appareil d'authentification d'identité de dispositif, et support de stockage
CN109150548B (zh) 一种数字证书签名、验签方法及系统、数字证书系统
CN108551455B (zh) 智能卡的配置方法及装置
WO2014187206A1 (fr) Procédé et système pour sauvegarder une clé privée dans un jeton de signature électronique
US7552322B2 (en) Using a portable security token to facilitate public key certification for devices in a network
WO2017071496A1 (fr) Procédé et dispositif pour réaliser une synchronisation d'identificateur de session
US9021255B1 (en) Techniques for multiple independent verifications for digital certificates
WO2019020051A1 (fr) Procédé et appareil d'authentification de sécurité
WO2018076365A1 (fr) Procédé et dispositif de négociation de clés
WO2014187210A1 (fr) Procédé et système de sauvegarde de la clé privée d'un jeton de signature électronique
US9544299B2 (en) Information processing apparatus, server, method for controlling the same and storage medium
CN110990827A (zh) 一种身份信息验证方法、服务器及存储介质
WO2020173332A1 (fr) Procédé et appareil d'activation d'application basée sur un environnement d'exécution de confiance
CN104836784B (zh) 一种信息处理方法、客户端和服务器
WO2010069180A1 (fr) Procédé, système et dispositif de distribution de clef
TW201735578A (zh) 受控的安全碼認證
EP2608477A1 (fr) Autorité de certificat sécurisée pour créer des certificats d'après des capacités de procédés
WO2014201907A1 (fr) Procédé et système de signature électronique
WO2016011588A1 (fr) Entité de gestion de mobilité, serveur domestique, terminal, et système et procédé d'authentification d'identité
CN114374522B (zh) 一种可信设备认证方法、装置、计算机设备及存储介质
WO2014187208A1 (fr) Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique
KR101515312B1 (ko) 네트워크 액세스의 제어 방법 및 시스템
CN106953731A (zh) 一种终端管理员的认证方法及系统
KR20200043855A (ko) Dim을 이용한 드론 인증 방법 및 장치

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14801248

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14801248

Country of ref document: EP

Kind code of ref document: A1