WO2017067490A1 - Sous-système de certificat numérique - Google Patents

Sous-système de certificat numérique Download PDF

Info

Publication number
WO2017067490A1
WO2017067490A1 PCT/CN2016/102781 CN2016102781W WO2017067490A1 WO 2017067490 A1 WO2017067490 A1 WO 2017067490A1 CN 2016102781 W CN2016102781 W CN 2016102781W WO 2017067490 A1 WO2017067490 A1 WO 2017067490A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
subsystem
digital
establishment
certificate subsystem
Prior art date
Application number
PCT/CN2016/102781
Other languages
English (en)
Chinese (zh)
Inventor
李京海
Original Assignee
李京海
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 李京海 filed Critical 李京海
Publication of WO2017067490A1 publication Critical patent/WO2017067490A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to the field of digital certificate application technologies, and more particularly to a digital certificate subsystem.
  • the idea of the present invention stems from the analysis of "integrating a digital certificate subsystem and its application in a mobile phone.”
  • the existing digital certificate subsystem (such as the USB Key digital certificate subsystem) is a commercial password product specially controlled by the CA and its application system that issue digital certificates; the digital certificate subsystem of each CA is independent. Development, incompatibility. According to the prior art, the existing digital certificate subsystems of CAs and their applications are difficult to be integrated into the mobile phone system.
  • each CA is independently developed and incompatible with each other, so that the USB Key user digital certificate issued by each CA can only be used for the designated service provider, and cannot be used universally.
  • many users have USB Key digital certificates from different banks such as China Merchants Bank, ICBC, and CCB. This not only has high waste and high cost, but also has troublesome management.
  • ICBC China Merchants Bank
  • CCB China Merchants Bank
  • This not only has high waste and high cost, but also has troublesome management.
  • the digital certificate subsystem and its mobile phone system are integrated with strong design; the mobile phone manufacturer hopes to add the mobile digital certificate subsystem and its application to the mobile phone, and increase the functional highlights of the mobile phone for the user. Promote the expansion of the mobile phone market; however, according to the existing technology, the digital certificate subsystem is completely controlled by CA special control, so that mobile phones and their manufacturers are not only restricted by CA, but it is more difficult to open their hands and expand the market; therefore, existing mobile phone manufacturers are No mobile phone digital certificate subsystem and its application have been designed in mobile phones.
  • the present invention provides a digital certificate subsystem, which can solve the above There are technical problems.
  • the present invention is an improvement over the prior art based on the prior art.
  • Hash which is generally translated as “hash”, can also be transliterated directly into “hash”. This article uses its English directly.
  • Hash algorithm is an algorithm that maps binary values of arbitrary length into shorter fixed-length binary values.
  • Hash digest using the hash algorithm to map binary values of arbitrary length to shorter fixed-length binary values. This small binary value is called a hash summary or a hash value. It is a unique and extremely compact numerical representation of a piece of data. Finding two different inputs for the Hash digest to the same value is basically computationally impossible, so the Hash digest of the data can verify the integrity of the data.
  • a symmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are the same or can be derived from each other.
  • the key used by the symmetric encryption algorithm is called a symmetric key.
  • the encryption key of the symmetric encryption algorithm can be derived from the decryption key, and the decryption key can also be derived from the encryption key. In most symmetric algorithms, the encryption key and the decryption key are the same.
  • An asymmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are different.
  • the two keys used by the asymmetric encryption algorithm are a public key (public key) and a private key (private key). They are a pair, but it is basically impossible to calculate each other. It is calculated from each other and is called an asymmetric key pair.
  • the data is encrypted with the public key and the algorithm, only the corresponding private key and the algorithm can be used for decryption; if the data is encrypted with the private key and the algorithm, only the corresponding public key and the algorithm can be used for decryption.
  • a digital certificate is a file that is digitally signed by a certificate authority and contains public key and public key owner information.
  • the sender first calculates a message digest (also called: HASH digest) according to the agreed HASH algorithm; and then encrypts the message digest with the sender's private key and asymmetric encryption algorithm to obtain the ciphertext. It is called "the sender's digital signature of the message.” The digital signature needs to be bound to the original message and sent to the recipient.
  • a message digest also called: HASH digest
  • the receiver After receiving the digital signature and the original message, the receiver uses the same HASH algorithm to calculate the message digest for the original message, abbreviated as A; then use the "public key in the sender's digital certificate” and “same” "Asymmetric encryption algorithm", the original message digest obtained by decrypting the digital signature, abbreviated as B". Compare the message digest A and the message digest B; if the two are equal, the digital signature verification is successful, indicating the message and The digital signature comes from the "owner of the public key in the digital certificate", which is the sender.
  • the existing USB Key digital certificate subsystem is a computer subsystem including an independent processor, memory and software system, and encryption and decryption module, and a key generation module; the hardware is mainly adopted by a national third-party certification body. Certified SOC security chip.
  • the existing USB Key digital certificate subsystem is a commercial password product specially controlled by the CA that issues the digital certificate and its application system. It does not need to be authenticated when registering to establish a user digital certificate.
  • USB Key digital certificate which is a user digital certificate issued by CA based on the USB Key digital certificate subsystem.
  • the user's private key is uniquely stored and applied to the USB Key digital certificate subsystem and cannot be exported, so it is very secure. It has been widely used in banking and other fields.
  • the basic idea of the invention is to change the technical scheme of "special control digital certificate subsystem by a single CA special control" in the prior art, and provide an innovative "digital certificate subsystem management unit and CA jointly control digital certificate subsystem "Technical solution.”
  • a digital certificate subsystem provided by the present invention can have a variety of different solutions under the general concept. To fully describe the various aspects of the present general inventive concept, various different aspects of the digital certificate subsystem of the present invention are described below in a hierarchical modular structure.
  • a digital certificate subsystem provided by the present invention is a computer subsystem comprising: a processor, a memory and software system, and an encryption and decryption module, and a key generation module, characterized in that it comprises a "digital certificate” Establishing a management module” and a “authentication key for the authentication data of the digital certificate subsystem administrator” and "a verification key for the authentication data of the digital certificate authenticator” for managing the establishment of "required numbers" in the digital certificate subsystem Digital certificate application can be established only by the certificate subsystem administrator and the digital certificate authenticator; if there is no "dual certificate subsystem and digital certificate authenticator's two-factor authentication", the digital certificate subsystem cannot be established in the digital certificate subsystem. Certificate application
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol”, and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator";
  • the authentication data of the digital certificate authenticator or the digital certificate subsystem management party refers to: the authentication key of the digital certificate authenticator or the digital certificate subsystem administrator, and the "Hash summary of the information data to be authenticated" Encrypted encrypted data;
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate subsystem management party" stored in the digital certificate subsystem to the "digital certificate” according to the protocol. The authentication data of the authentication key of the system administrator is verified;
  • the verification method of "authentication key” to "authentication data of authentication key” is:
  • the "authentication key” is used to decrypt the "authentication data of the authentication key", and the “hash summary of the information data to be authenticated” is obtained, which is denoted by A;
  • the digital certificate authenticator may be a CA or a CA computer authentication management system having the same certification effect as the CA;
  • CA is the third-party authority responsible for the certification, issuance and management of digital certificates
  • CA is the management of the issuance of user digital certificates through the CA computer certification management system
  • the digital certificate subsystem management party may be a digital certificate subsystem management organization, or may be a computer management system of a 'digital certificate subsystem management institution' having the same management effect as the 'digital certificate subsystem management institution';
  • the "Digital Certificate Subsystem Authority” is the management organization that manages the establishment of a digital certificate application in the digital certificate subsystem; it may or may not be a CA; it is characterized in that it is managed jointly with "a different CA” The governing body for “establishing a digital certificate application in the digital certificate subsystem”;
  • the “Digital Certificate Subsystem Management Organization” manages “Building a Digital Certificate Application in the Digital Certificate Subsystem” through the “Computer Management System of the Digital Certificate Subsystem Authority”; the “Computer Management System of the Digital Certificate Subsystem Management Organization”, Referred to as: digital certificate subsystem management platform;
  • the authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  • the digital certificate subsystem comprising: a "digital certificate establishment management module” and a “authentication key of the authentication data of the digital certificate subsystem management party" and “authentication of the authentication data of the digital certificate authenticator” "key” for managing the establishment of a digital certificate application that requires dual authentication by a digital certificate subsystem administrator and a digital certificate authenticator in the digital certificate subsystem; if there is no "digital certificate subsystem manager and number" The two-factor authentication of the certificate certifying party cannot establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol”, and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator'";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate authenticator" stored in the digital certificate subsystem to the "digital certificate authenticator” according to the protocol. Authentication data of the authentication key is verified;
  • the authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a "national root CA digital certificate” Public key” is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA” "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA number” Certificate” for verification;
  • the verification method is:
  • the national root CA is the national authoritative certification body that issues digital certificates to the operating CA;
  • the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
  • the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of the digital certificate subsystem management party" and a "national root CA digital certificate” Public key” is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA” "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA number” Certificate” for verification;
  • the verification method is:
  • Hash summary shorthand with B;
  • the "digital certificate establishment management module” applies the "public key of the digital certificate of the operating CA” to verify the received "digital signature of the operating CA";
  • the national root CA is the national authoritative certification body that issues digital certificates to the operating CA;
  • the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
  • the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  • the digital certificate subsystem of the above 2 further characterized in that it comprises a "digital certificate establishment management module” and a "public key of a digital certificate subsystem digital certificate” and a plurality of different "operations” The public key of the digital certificate of the CA”; wherein each "public key of the digital certificate of the operating CA” is retrieved and called according to its unique ID data;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation The digital signature of the CA and the unique ID data of the operational CA in the digital certificate subsystem";
  • the "digital certificate establishment management module" of the digital certificate subsystem retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operating CA in the digital certificate subsystem” according to the protocol.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and "operating a CA digital certificate” Public key" is used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and operational CA” Double authentication, it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the operating CA is a registered authentication service that establishes a user digital certificate in the digital certificate subsystem through the "Registration Center (RA) of the operating CA";
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and ' The digital signature 'of the RA of the operating CA', and 'the digital certificate of the RA issued by the operational CA'";
  • the verification method is:
  • the "digital certificate establishment management module” applies the "public key in the RA digital certificate” to verify the received "RA digital signature";
  • the RA is an abbreviation of the Registration Authority, is a registered service center (institution) of the operating CA, and is a part of the overall system of the CA; it is used to handle the registration authentication service in the "establishing a digital certificate of the user in the digital certificate subsystem";
  • the digital certificate of the RA that operates the CA is issued and certified by the operating CA.
  • the digital certificate subsystem of one of the above 2, 3, 4, 5, 6 comprising a "digital certificate establishment management module” and a "public key of a digital certificate subsystem digital certificate” and " The public key of the CA digital certificate is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and The CA's dual authentication" cannot establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and CA Digital signature";
  • the digital certificate subsystem of one of the above 2, 3, 4, 5, 6 further characterized in that it comprises a "digital certificate establishment management module" and a digital certificate of the digital certificate subsystem management party.
  • Public "key” and "public key of CA digital certificate” are used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and CA dual authentication in the digital certificate subsystem; if there is no "digital certificate” The system administrator and the CA's two-factor authentication cannot establish a digital certificate application in the digital certificate subsystem;
  • the “digital certificate subsystem management party” is a registration authentication service for “establishing a user digital certificate in the digital certificate subsystem” through “the registration center (RA) of the digital certificate subsystem management party”;
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol” and the digital signature of the operating CA, and the management of the digital certificate subsystem.
  • the "digital certificate establishment management module” applies the "public key in the digital certificate of the RA of the digital certificate subsystem management party" to the received "digital certificate subsystem management".
  • the digital signature of the party RA is verified;
  • RA is the abbreviation of Registration Authority, is the registration service center of “digital certificate subsystem management party”, and is part of the overall system of “digital certificate subsystem management party”; it is used to establish in the “digital certificate subsystem” User digital certificate” registration certification business;
  • the digital certificate of the RA of the digital certificate subsystem management party needs to be signed and authenticated by the digital certificate subsystem management party before it can be applied to the registration authentication service of “establishing a user digital certificate in the digital certificate subsystem”.
  • the digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate.
  • the public key is used to manage the establishment of a digital certificate that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and the operation CA's two-factor authentication" ", you cannot establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operation" CA's digital certificate” is verified;
  • the "digital certificate establishment management module” applies the "public key in the received operational CA digital certificate” according to the protocol, and receives the received "CRA digital certificate issued by the operational CA”. authenticating;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operation CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the digital certificate subsystem as described in 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public certificate of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate.
  • the public key and the “public key of the operational CA digital certificate” are used to manage the establishment of a digital certificate in the digital certificate subsystem that requires the digital certificate subsystem management and the operational CA to be dual-certified to be downloaded and established;
  • the digital certificate subsystem and the operating CA's two-factor authentication cannot establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem manager, and the digital certificate of the MRA and the digital signature of its digital certificate subsystem management party";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key in the operational CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "the operation CA” The issued CRA digital certificate is verified;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operating CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the invention provides a digital certificate subsystem, which solves the problems existing in the existing digital certificate technology, enables the digital certificate subsystem to be integrated into a mobile phone and is widely used at low cost; and is compatible with "application of digital certificates issued by each CA" And more reliable and safer; at the same time, mobile phone manufacturers can also use the mobile phone digital certificate subsystem and its application features highlights to fully expand the mobile phone market.
  • FIG. 1 is a schematic structural diagram of a conventional digital certificate subsystem.
  • FIG. 2 is a schematic structural view of a digital certificate subsystem of the present invention. .
  • FIG. 3 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic structural diagram of a registration and authentication system for a user digital certificate based on the digital certificate subsystem of the present invention.
  • the digital certificate subsystem of the first embodiment of the present invention is a mobile phone digital certificate subsystem designed and integrated by a mobile phone manufacturer into a matched mobile phone system; meanwhile, the mobile phone manufacturer is a management party of the digital certificate subsystem, and is associated with the CA. Working together to establish a digital certificate and its application in the digital certificate subsystem;
  • a digital certificate subsystem is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA number.
  • the public key of the certificate is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires dual authentication of the digital certificate subsystem and the operating CA. If there is no "digital certificate subsystem management party and operating CA" Double authentication, it is impossible to establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party (ie: mobile phone manufacturer)" is through the “registration center (RA) of the digital certificate subsystem management party", the registration of "establishing a user digital certificate in the digital certificate subsystem” Authentication service; for the difference, the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA” Digital certificate” for verification;
  • the "digital certificate establishment management module” applies the "public key in the received operational CA digital certificate” according to the protocol, and receives the received "CRA digital certificate issued by the operational CA”. authenticating;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operation CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the digital certificate subsystem of Embodiment 2 of the present invention is a mobile phone digital certificate subsystem, which is composed of a mobile phone.
  • the manufacturer design is integrated in the matching mobile phone system; at the same time, the mobile phone manufacturer is the management party of the digital certificate subsystem, and manages to establish a digital certificate and its application in the digital certificate subsystem together with the CA;
  • a digital certificate subsystem is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a plurality of different "The public key of the digital certificate of the operating CA" is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires both the digital certificate subsystem management and the operational CA to be downloaded and created; if there is no "digital certificate” The two-factor authentication of the system administrator and the operating CA cannot establish a digital certificate in the digital certificate subsystem;
  • each "public key of the digital certificate of the operating CA” is retrieved and called according to its unique ID data
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", the operation The unique ID data of the CA in the digital certificate subsystem, and the 'digital certificate of the CRA issued by the operating CA', and the digital signature of the MRA of the digital certificate subsystem administrator, and the digital certificate of the MRA The digital signature of the administrator of its digital certificate subsystem'";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operation CA in the digital certificate subsystem” according to the protocol.
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operating CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the technical solution of the digital certificate subsystem can solve the problems existing in the existing digital certificate technology, so that the digital certificate subsystem can be integrated into a mobile phone and widely used at low cost; and is compatible with "CA"
  • the application of issued digital certificates is more reliable and safer; at the same time, mobile phone manufacturers can also take advantage of the functional highlights of the mobile digital certificate subsystem and its applications to fully expand the mobile phone market.
  • the technical solution of the digital certificate subsystem provided by the present invention is applicable not only to mobile phones, but also to the application of digital certificate technology of various computer systems such as computer notebooks and servers.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Un sous-système de certificat numérique est un sous-système informatique comprenant un processeur, une mémoire, un système logiciel, un module de chiffrement et de déchiffrement, et un module de génération de clé. Le sous-système comprend un module de création et de gestion de certificat numérique, une clé de vérification de données d'authentification d'un gestionnaire de sous-système de certificat numérique, et une clé de vérification de données d'authentification d'un certificateur de certificat numérique, qui sont utilisés pour gérer, dans le sous-système de certificat numérique, la création d'une application de certificat numérique qui ne peut être créée que lorsque les authentifications du gestionnaire de sous-système de certificat numérique et du certificateur de certificat numérique sont obtenues. Si les authentifications du gestionnaire de sous-système de certificat numérique et du certificateur de certificat numérique ne sont pas obtenues, l'application de certificat numérique ne peut pas être créée dans le sous-système de certificat numérique.
PCT/CN2016/102781 2015-10-22 2016-10-20 Sous-système de certificat numérique WO2017067490A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201520818176.8 2015-10-22
CN201520818176 2015-10-22

Publications (1)

Publication Number Publication Date
WO2017067490A1 true WO2017067490A1 (fr) 2017-04-27

Family

ID=58556715

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/102781 WO2017067490A1 (fr) 2015-10-22 2016-10-20 Sous-système de certificat numérique

Country Status (1)

Country Link
WO (1) WO2017067490A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050149733A1 (en) * 2003-12-31 2005-07-07 International Business Machines Corporation Method for securely creating an endorsement certificate utilizing signing key pairs
CN101521883A (zh) * 2009-03-23 2009-09-02 中兴通讯股份有限公司 一种数字证书的更新和使用方法及系统
CN101651540A (zh) * 2008-08-12 2010-02-17 中国移动通信集团公司 一种数字证书更新的方法、装置及系统
CN104462965A (zh) * 2014-11-14 2015-03-25 华为技术有限公司 应用程序完整性验证方法及网络设备

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050149733A1 (en) * 2003-12-31 2005-07-07 International Business Machines Corporation Method for securely creating an endorsement certificate utilizing signing key pairs
CN101651540A (zh) * 2008-08-12 2010-02-17 中国移动通信集团公司 一种数字证书更新的方法、装置及系统
CN101521883A (zh) * 2009-03-23 2009-09-02 中兴通讯股份有限公司 一种数字证书的更新和使用方法及系统
CN104462965A (zh) * 2014-11-14 2015-03-25 华为技术有限公司 应用程序完整性验证方法及网络设备

Similar Documents

Publication Publication Date Title
WO2020192773A1 (fr) Procédé, dispositif, appareil et système d'authentification d'identité numérique, et support de stockage
US11496310B2 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
CN108292402B (zh) 用于信息的安全交换的公共秘密的确定和层级确定性密钥
US11356280B2 (en) Personal device security using cryptocurrency wallets
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
CN109951489B (zh) 一种数字身份认证方法、设备、装置、系统及存储介质
CN110537346B (zh) 安全去中心化域名系统
WO2019233204A1 (fr) Procédé, appareil et système de gestion de clef, support de stockage, et dispositif informatique
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US8185938B2 (en) Method and system for network single-sign-on using a public key certificate and an associated attribute certificate
WO2020062668A1 (fr) Procédé d'authentification d'identité, dispositif d'authentification d'identité et support lisible par ordinateur
US8438385B2 (en) Method and apparatus for identity verification
WO2020073513A1 (fr) Procédé d'authentification d'utilisateur fondé sur une chaîne de blocs et dispositif terminal
US8397281B2 (en) Service assisted secret provisioning
JP2005527900A (ja) データセンタへのプラットフォームの内包検証
WO2016054990A1 (fr) Procédé, dispositif, terminal et serveur de contrôle de sécurité
WO2016173211A1 (fr) Procédé et dispositif de gestion d'identificateur d'application
WO2016165662A1 (fr) Sous-système de certificat quasi-numérique de téléphone mobile, et système et procédé associés
WO2017067490A1 (fr) Sous-système de certificat numérique
AU2015271650A1 (en) Identity verification
WO2023077280A1 (fr) Authentification sans certificat et communication sécurisée
TW201103297A (en) Application and verification method of electronic seal software system
WO2023027730A1 (fr) Authentification
GB2621504A (en) Authenticating a device
CN117997559A (zh) 基于区块链的身份验证方法、装置和计算机设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16856921

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WPC Withdrawal of priority claims after completion of the technical preparations for international publication

Ref document number: 201520818176.8

Country of ref document: CN

Date of ref document: 20180703

Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED

122 Ep: pct application non-entry in european phase

Ref document number: 16856921

Country of ref document: EP

Kind code of ref document: A1