WO2018086515A1 - 可离线验证安全信息标签构造验证方法与装置 - Google Patents
可离线验证安全信息标签构造验证方法与装置 Download PDFInfo
- Publication number
- WO2018086515A1 WO2018086515A1 PCT/CN2017/109793 CN2017109793W WO2018086515A1 WO 2018086515 A1 WO2018086515 A1 WO 2018086515A1 CN 2017109793 W CN2017109793 W CN 2017109793W WO 2018086515 A1 WO2018086515 A1 WO 2018086515A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- digital certificate
- verification
- digital
- validity
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K17/00—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K19/00—Record carriers for use with machines and with at least a part designed to carry digital markings
- G06K19/06—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
- G06K19/06009—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
- G06K19/06037—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking multi-dimensional coding
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K19/00—Record carriers for use with machines and with at least a part designed to carry digital markings
- G06K19/06—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
- G06K19/06009—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
- G06K19/06046—Constructional details
- G06K19/06056—Constructional details the marking comprising a further embedded marking, e.g. a 1D bar code with the black bars containing a smaller sized coding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- the present invention relates to the field of information technology and security verification, and in particular to a method and apparatus for verifying the security of a security information tag.
- the present invention has generality for common information labels such as two-dimensional codes and radio frequency identification codes, and can be applied without substantial differences.
- common information labels such as two-dimensional codes and radio frequency identification codes
- a two-dimensional code is a specific geometric figure that records data information by distributing a number of symbols corresponding to binary on a two-dimensional plane according to a certain rule.
- the QR code uses graphical symbols to represent literal numerical information.
- the symbol representation technology has developed a variety of code systems, such as QR Code, Data Matrix, Maxi Code, PDF417, and so on.
- the two-dimensional code is recognized by the image input device or the photoelectric scanning device, and can deal with common problems such as symbol size and scale change, graphic rotation, and partial stain loss, and realize automatic identification of the encoded information, and has large capacity of coding information and fault tolerance and error correction capability. Strong, high decoding reliability, low production cost, easy to use and so on.
- QR codes are used as an information storage, delivery, identification, and interaction technology in electronic media, newspapers and magazines, commodity packaging, warehousing logistics, and individuals.
- Business cards, transportation tickets, certificate documents, mobile advertising, social apps, online shopping transactions, online banking payments, mobile payments, etc. have been widely used.
- the traditional Internet uses IP addresses or domain name URLs as access points, but lengthy textual and digital information is difficult to remember and input, and it is easy to access or mis-access due to input errors.
- the two-dimensional code encoding information has a large capacity, and can encode various data information such as text, picture, sound, etc., and the most widely used ones include text TXT type and URL URI type.
- QR code is easy to make, and any unit and individual can create and read QR code information. While having the advantages of being simple and easy to use, security has also become a major obstacle to the popularization of two-dimensional codes. QR codes with malware and virus links are often disguised as gifts, discounts, offers, etc. to promote QR codes, and it is difficult for people to recognize true and false. If these two-dimensional codes are scanned by mistake, the Trojan virus program will be downloaded, which will seriously endanger the security of the user's system and may lead to leakage of personal information and economic loss. For example, some fraudulent websites make their websites into a two-dimensional code counterfeit bank online trading website. If the user scans the QR code and logs into the fake website, the bank account number and password may be leaked.
- Some Trojan software download URLs are made into two-dimensional code fake links such as gift offers, if the wrong scan download may lead to the leakage of user privacy information, and pose a great hidden danger to the user system security.
- the two-dimensional code is a clear code. Although it has redundancy check for information fault tolerance, the information is easily modified and forged, and the verification of the release source is difficult.
- the current verification methods include two types: one is to use an application system similar to the scan code guard, after scanning and identifying the two-dimensional code information, the dedicated server of the application system is connected through the network, and the QR code website information and the database record in the server are retrieved. Comparison: If the matching record can be retrieved in the system database, the source of the QR code can be given according to the recorded attribute; if there is no matching record, the security cannot be judged.
- the other is to encrypt the QR code information, connect to a dedicated server through the network, read the authentication information, and compare it with the encrypted information in the QR code; such application is a closed system, encrypted
- the key information is stored in a dedicated server, and the QR code information can only be decrypted by an internal dedicated system, and cannot be read and verified by the mass user.
- the existing two-dimensional code and other information label security verification methods have the following main problems: they need to be authenticated through a network connection server, and cannot be verified in an environment where there is no network connection or inconvenient network connection; the verification method based on the URL retrieval comparison only It can verify that the tag information such as the two-dimensional code verified by the input has been scanned, and the tag information such as the newly generated two-dimensional code needs to be added to the database before verification.
- the present invention provides a method and device for verifying the security information label that can be verified offline, and can verify the source of the information label offline without the need of a network connection, and can be safely assured.
- the information embedded in the application information tag is not limited to the application information tag.
- the literature [1] mainly deals with the principle of symmetric key and asymmetric public key cryptosystem
- the literature [2] mainly deals with symmetric key and asymmetric public key algorithm implementation.
- the embodiments of the present invention provide a method and device for verifying the security information tag offline verification, and verify the release source of the security information tag in a universally applicable environment without network connection, so as to use the information securely and reliably. label.
- the information tag using the construction verification method of the present invention is called a security information tag.
- the invention can be applied to the common information label types such as two-dimensional code and radio frequency identification code without substantial difference. The following only uses a two-dimensional code as an example.
- the coded information it can be read by the public or read by specific users. It can be divided into public information, private information and mixed information types, which are called public information security QR code, private information security QR code and mixed information security. QR code.
- a first aspect of the embodiments of the present invention provides a method for verifying a secure two-dimensional code structure that can be verified offline.
- the method includes:
- the information to be encoded and the type information include but are not limited to:
- the coding information needs to be any of basic information, extended information, target information, and dynamic information;
- the basic information is any one of a name, an address, and a domain name information that does not change with a single application;
- the target information is any one of a destination URL and a publicity information;
- the dynamic information is a generation time that varies according to a single application, Any of the valid time, transaction information, and application parameter information;
- the extended information is any of the document number and the contact information;
- the type information is any one of public information, private information, and mixed information.
- the combination information includes but is not limited to:
- Input information encrypted information, digital signatures, digital certificates and their validity information
- the input information is the input information to be encoded and the type information;
- the encrypted information is the ciphertext and the encryption algorithm parameter information encrypted by the public key of the specific user or the symmetric key specified by the specific user, and the input information may be input information.
- the entire combined information is encrypted;
- the digital signature is the result of the signature operation of the information to be encoded by the publisher private key, and the digital input signature can be performed on the input information or the entire combined information;
- the digital certificate is digitally signed by the key issuing authority.
- the digital certificate validity information is the current state information of the digital certificate signed and authenticated by the validity verification authority specified by the key issuing institution root certificate;
- the structural combination and the analysis deconstruction method of the combined information include, but are not limited to:
- Preserving information such as security QR code identification, type, combination, compression mode, etc. in the combined information header;
- the input information, the digital signature, the digital certificate and the validity information thereof are connected by a separator symbol to form combined information; according to the type and combination of the combined information header during deconstruction Mode information, which decomposes the combined information into individual independent information by separating symbols.
- the two-dimensional code encoding identification and information input and output methods include, but are not limited to:
- the generated two-dimensional code pattern can embed a secure two-dimensional code identification pattern; using optical image scanning information transmission and optical imaging When the conditions are insufficient, the Bluetooth radio wireless information transmission method is adopted.
- the method for outputting the verification and verification result judgment information is:
- the digital certificate information is verified by the digital certificate issuing authority and the root certificate of the designated certificate validity verification institution, and the input information and the digital signature are verified by the digital certificate information; the verification method preferably uses the offline verification method or the specified validity verification institution.
- the method of verification if the digital certificate, input information and digital signature are all verified correctly, the secure QR code is verified correctly, the source of the encoded information is trusted, otherwise the source of the information is not trusted; the correctness of the secure QR code is displayed, and the encoded information is displayed.
- the QR code publisher information allowing the application operation related to the QR code; otherwise, the source of the QR code is not trusted, and the application operation related to the QR code is rejected.
- the cryptographic system used for the digital signature, the signature verification, and the digital certificate includes but is not limited to:
- Digital signature, signature verification, digital certificate using asymmetric public key cryptosystem using ECC elliptic curve cryptosystem, DSA cryptosystem, RSA cryptosystem;
- the information encryption and information decryption methods include but are not limited to:
- Information encryption and information decryption use a symmetric key cryptosystem and an asymmetric public key cryptosystem, using any of AES, 3DES, RC4, IDEA, ECC, RSA, ECDH; using a symmetric key specified by a specific user or its public
- the key and the private key encrypt and decrypt the information to be encrypted, or encrypt and decrypt the encrypted information with a first symmetric key generated by the user's public key or randomly generated, and use a symmetric key specified by a specific user or
- the public key and the private key encrypt and decrypt the first symmetric key used.
- the structural combination and the analysis deconstruction method of the combined information include, but are not limited to:
- Preserving information such as security QR code identification, type, combination, compression mode, etc. in the combined information header;
- the ciphertext information, the digital signature, the digital certificate and the validity information of the input information are connected by a delimiter symbol to form combined information; according to the combined information header during deconstruction
- the type and combination mode information is first decomposed into separate information by the delimiter symbol, and then the ciphertext information is decrypted according to the encryption algorithm parameter in the ciphertext information to obtain the original input information; the input information and the number may also be input first.
- the signature, the digital certificate and the validity information are connected by the delimiter symbol, and then the connected information is encrypted, and the encrypted information is used as the combined information; when deconstructing, according to the type and combination mode information of the combined information header, the ciphertext information is first passed.
- the encryption algorithm parameter information decrypts the encrypted information, and then decomposes the decrypted combined information into individual independent information according to the delimiter symbol.
- the structural combination and the analysis deconstruction method of the combination information include, but are not limited to:
- Preserving information such as security QR code identification, type, combination, compression mode, etc. in the combined information header;
- the extended information is subjected to independent signature encryption and verification decryption processing; the extended information and the extended information are Other information can be read by different categories of users.
- the constructing combination and the analysis deconstruction method of the combined information include, but are not limited to:
- Preserving information such as security QR code identification, type, combination, compression mode, etc. in the combined information header;
- the digital certificate may be cached in the digital certificate storage area of the verification device, and the digital certificate information may be omitted or only the digital certificate hash value information may be reserved in the combination information; if the offline verification mode is not used, the digital certificate validity information may be omitted or Only digital certificate hash value information is retained.
- UTF-8 or UTF-16 format For information containing multi-byte characters, Unicode encoding in UTF-8 or UTF-16 format can be used;
- the combined information is compressed or Base64 encoded; when decomposed, the compressed combined information is first decompressed or Base64 decoded, and then decomposed according to the combination thereof;
- a second aspect of the embodiments of the present invention provides an offline verification two-dimensional code structure verification device, where the device includes:
- An information input unit configured to input information to be encoded and type information
- An information storage unit configured to store input information and operation result information
- a security information storage unit for securely storing private key information
- a digital certificate storage unit for storing a digital certificate and its validity information
- a root certificate storage unit for storing a root certificate of the key issuing authority and its designated validity verification institution
- a digital signature and information encryption operation unit for calculating a digital signature, updating digital certificate validity information, and encrypting information
- An image display information output unit for displaying and outputting the security two-dimensional code information
- An image scanning information input unit for scanning and inputting secure two-dimensional code information
- Two-dimensional code recognition and combined information analysis deconstruction operation unit used for two-dimensional code recognition and analysis and deconstruction of combined information
- Digital signature verification and information decryption unit for digital decryption of information decryption and digital certificate validity and input information
- the result output information prompting unit is used for the safety two-dimensional code verification result output and the information prompt.
- the operation functions of the operation unit, the signature unit, and the verification unit are:
- the method for constructing the operation unit, the signature unit, the verification unit, the storage unit, and the secure storage unit includes but is not limited to:
- the present invention has the following beneficial effects:
- the embodiment of the invention provides a method and a device for verifying the security information label structure that can be verified offline.
- the source of the information label can be verified to use the information label safely and reliably.
- the security information tag using the construction verification method and apparatus of the present invention has the following advantages:
- the information of the security information label cannot be falsified, forged or denied
- Any modification of the information encoded by the security information label cannot be verified by security, and the integrity and consistency of the encoded information can be guaranteed.
- a third party cannot forge the information source to generate a security information label, and the publisher cannot deny the true source of the security information label.
- the security information label can be verified offline
- the integrity, consistency, and authenticity of the information source of the security information tag can be verified offline without connecting to the network. It can also be safely applied in an environment where there is no network or is not convenient for Internet access.
- the security information label can publish public information read by the public can also publish private information read by a specific user;
- the security information tag can publish a public information security information tag read by the public. It can also publish private information read by a specific one or more users and a mixed information security information tag, and can verify its security offline. At the same time, the private information security information label is also non-replicable based on the above security. It can only be verified by the specific user specified by the publisher. Other third parties cannot read the content or use the application credentials to copy and clone the private information.
- the information tag has no practical meaning.
- Figure 2 is a structural view of the structure verification device of the present invention.
- Embodiment 3 is a public information security two-dimensional code generated by Embodiment 1 of the present invention.
- Embodiment 4 is a public information security two-dimensional code generated in Embodiment 2 of the present invention.
- Embodiment 5 is a public information security two-dimensional code generated in Embodiment 3 of the present invention.
- Embodiment 8 is a mixed information security two-dimensional code generated in Embodiment 6 of the present invention.
- FIG. 1 and FIG. 2 The method and device for verifying the security information tag structure that can be offline verified according to the embodiment of the present invention are shown in FIG. 1 and FIG. 2 .
- the coded information may include any combination of basic information, extended information, target information, and dynamic information.
- the basic information is generally fixed information such as the publisher's URL, name, and so on. Dynamic information is generated according to the needs of specific applications, such as information generation time, expiration date, transaction number, transaction amount, application parameters and other information.
- the target information may include information such as a network address, text information, and the like.
- the extended information is any one of the document number and the contact information; the type information is any one of public information, private information, and mixed information.
- This function is constituted by an information input unit and an information storage unit in the apparatus of the present invention.
- the digital signature operation uses an asymmetric public key cryptosystem such as an ECC elliptic curve cryptosystem, a DSA cryptosystem, or an RSA cryptosystem.
- the asymmetric key cryptosystem uses a pair of key pairs of public and private keys for digital signature verification and encryption and decryption operations; the private key is stored by the key owner and can only be accessed by the owner; the public key is publicly released by the public medium, The public is freely available; generally, the key issuing authority uses its own root certificate to sign the public key and the information such as the owner and the issuer and then publish it as a digital certificate; the public key and the digital certificate are used for encryption and signature verification operations, and the private key is used for the private key. Decryption and digital signature operations.
- the verification authority specified by the certificate issuing authority root certificate can verify the validity of the certificate, and generate certificate status validity information within a set time period; when applying the digital certificate
- the validity information shall be checked whether the time limit has expired. If the time limit has expired, the certificate authority designated by the certificate issuing authority shall update the certificate validity information.
- the digital signature operation consists of two steps: (1) using the commonly used hash functions such as MD5, SHA1, SHA256, etc., to calculate the hash value of the information to be encoded, to form the fingerprint data of the information to be encoded; (2) to use the private key of the publisher Sign the fingerprint data of the information.
- hash functions such as MD5, SHA1, SHA256, etc.
- the elliptic curve public key cryptosystem has a shorter key length and faster computational speed.
- the method of the present invention preferably uses an ECC elliptic curve cryptosystem for digital signature operations.
- the method of the invention can perform digital signature operation only on the input information, and can also perform digital signature operation on all the combined information.
- the information encryption operation uses a symmetric key cryptosystem such as AES, 3DES, RC4, IDEA, or an asymmetric public key cryptosystem such as ECC or RSA, and an encryption method combining asymmetric ciphers and asymmetric ciphers such as ECDH and ECIES.
- a symmetric key cryptosystem such as AES, 3DES, RC4, IDEA, or an asymmetric public key cryptosystem such as ECC or RSA
- ECC public key cryptosystem
- RSA public key cryptosystem
- the present invention preferably uses an AES symmetric encryption method and an ECC asymmetric encryption method.
- the invention encrypts the information to be encoded when constructing the private information security two-dimensional code read by a specific user; and constructing the public information security two-dimensional code does not need to perform the information encryption operation.
- the symmetric key algorithm is used for encryption.
- a specific user has an asymmetric key pair issued by the key issuing authority, a symmetric key or asymmetric may be used. Keys and encryption methods that combine symmetric and asymmetric ciphers.
- the method of the present invention can perform only the encryption operation on the input information, and can also perform the encryption operation on all the combined information.
- the present invention can adopt the following two encryption methods: (1) encrypting the information to be encrypted with a symmetric key specified by a specific user or its public key; and (2) using the first symmetric generated by the user's public key or randomly generated.
- the key pair encrypts the encrypted information and encrypts the first symmetric key used with a symmetric key specified by the specific user or its public key.
- the encryption method (2) is used, the two-dimensional code of the private information read by one or more specified users can be generated, and the encryption algorithm parameter stores the symmetric key specified by each specific user or its public key pair first symmetric key.
- the ciphertext that the key encrypts; when the constructed private information security QR code only needs to be read by a specific user, one of the two encryption methods can be arbitrarily selected.
- This function is composed of a digital signature and information encryption operation unit, a security information storage unit, an information input unit, and an information storage unit in the apparatus of the present invention.
- the combination information includes the input information, the encryption information, the digital signature, the digital certificate and the validity information thereof in steps 1 and 2;
- the two-dimensional code type to be published is a public information or a private information two-dimensional code adopts different combinations;
- the information such as the security QR code identification, type, combination, and compression mode is stored in the combined information header.
- the information to be encoded is public information that can be read by any user: the input information, the digital signature, the digital certificate, and the validity information thereof are connected by a separator symbol to form combined information.
- the encrypted information, the digital signature, the digital certificate and the validity information of the input information are connected by a delimiter symbol to form a combined information; or the input information and the digital signature are first input.
- the digital certificate and the validity information thereof are connected by a delimiter symbol, and then the connected information is encrypted and operated, and the encrypted information is used as the combined information;
- the extended information is independently signed and encrypted; the extended information and other information other than the extended information Can be read by different categories of users.
- the combined information may be compressed or Base64 encoded
- This function is composed of a combined information construction arithmetic unit, an information storage unit, and a digital certificate storage unit in the apparatus of the present invention.
- QR code, Data Matrix, Maxi Code, PDF417 and other common two-dimensional code encoding methods are used to encode the combined information by using different size codes or multi-code forms to generate a secure two-dimensional code that can be verified offline.
- a secure two-dimensional code identification graphic can be embedded in the generated two-dimensional code graphic.
- This function is composed of a two-dimensional code encoding operation unit, an information storage unit, an image display, and an information output unit in the apparatus of the present invention.
- the public information security QR code can be read by any user, and the public combination information is identified according to the two-dimensional code encoding rule; the private information security two-dimensional code can only be read and identified by the specified user to obtain the encrypted combined information.
- the input of the security two-dimensional code can be transmitted by optical image scanning mode; when the optical imaging conditions are insufficient, the information transmission method such as Bluetooth radio frequency can also be adopted.
- This function is composed of an image scanning unit, an information input unit, a two-dimensional code recognition arithmetic unit, and an information storage unit in the apparatus of the present invention.
- the first combination information is first restored by decompression or Base64 decoding
- the combined information is decomposed into individual independent information according to the delimiter symbol during deconstruction;
- the decomposed first decomposes the combined information into individual independent information according to the delimiter symbol, and then uses the specific user private key or its specified according to the encryption algorithm parameter in the ciphertext information.
- the symmetric key decrypts the ciphertext information to obtain the original input information;
- the private information security two-dimensional code and the complete combination information are encrypted.
- the encrypted information is decrypted according to the encryption algorithm parameter in the ciphertext information, and the decrypted combined information is decomposed into independent information by the delimiter symbol.
- the specific user can separately decrypt and verify the extended information; other users cannot decrypt the extended information;
- This function is composed of a combined information analysis deconstruction operation unit, an information decryption operation unit, an information input unit, an information storage unit, and a digital certificate storage unit in the apparatus of the present invention.
- the digital certificate is used to verify the publisher's digital certificate validity information with the digital certificate issuing authority and its designated certificate validity authority, and the digital information is used to verify the input information and the digital signature.
- the fingerprint data of the digital certificate is calculated by the same hash algorithm, and compared with the fingerprint data in the validity information to determine whether it is consistent; according to the signature algorithm in the validity information of the digital certificate Parameters, using the hash algorithm to calculate the hash value of the validity information, using the signature algorithm and the certificate authority of the certificate validity verification authority to verify the signature; determining the input dynamic information according to the time limit of the validity information of the digital certificate Whether the generation time is within the generation time and expiration time of the validity information; if all the above tests pass, the digital certificate is a valid certificate.
- This function is composed of a digital signature verification operation unit, an information storage unit, a root certificate storage unit, and a digital certificate storage unit in the apparatus of the present invention.
- the secure QR code is verified correctly, and the source of the encoded information is trusted. Otherwise, the source of the information is not trusted; for verifying the correct secure QR code, the encoded information and the QR code are displayed.
- the publisher information allows application operations related to the QR code; otherwise the source of the QR code is not trusted, and the application operation associated with the QR code is rejected.
- This function is composed of a result output information presenting unit and an information storage unit in the apparatus of the present invention.
- the names, keys, certificates, and the like of the key issuing center, the publisher, the specific user, and the like in the embodiment are exemplary data.
- the private key information is also listed in the embodiment; in the actual application, the private key information is stored in the secure storage area, and only the owner can access it.
- the ECC asymmetric cryptosystem and the AES symmetric cryptosystem are preferably used in the embodiment; the ECC adopts the NIST-recommended prime domain 256-bit standard elliptic cipher curve; the remaining asymmetric public key cryptosystem Similar to the application of the symmetric key cryptosystem, it is only necessary to simply replace the corresponding signature verification and encryption and decryption operations, which will not be described in detail in the embodiments.
- a public information security QR code that can be read by the public user is generated, and the user can safely scan the code and access the online banking system.
- the information to be encoded includes basic information, target information, and dynamic information.
- the basic information is: Base: ⁇ Name: ABC Bank ⁇
- the target information is: OBJ: ⁇ URI: https://www.abc.com ⁇
- the dynamic information is: DYN: ⁇ Created: 2016-1-1 12:00:00
- the type information is a public information security QR code.
- the private key of the publisher ABC Bank is:
- the ECDSA signature algorithm is used to perform digital signature calculation on the hash value with the publisher private key, and the signature result is performed.
- Base64 encoding, getting the digital signature in text format is shown in Table 2.
- the two-dimensional code constructed in this embodiment is a public information security two-dimensional code, and no encryption operation is performed.
- the digital certificate of the publisher ABC Bank is shown in Table 3.
- the digital certificate validity information is shown in Table 4.
- Expired:2016-1-15 00:00]sha256ECDSA:MEUCIQDna4d8UCzwdRsAOMLRNfw332bfodiQ6gFMPP+6/PYAMAIgbWzfEtARWlxFp4s2427Z9OhCCwefUryCXc98ZGX+Wfk ⁇
- the security QR code identification, type, combination, and compression mode information are:
- SQR is the security QR code identifier
- P is the public information QR code
- 01 is the compression combination mode
- 00 For alternate information bits.
- the QR code format is used to encode the combined information into a two-dimensional code to form a two-dimensional code pattern.
- a secure two-dimensional code identification graphic can be embedded in the generated two-dimensional code graphic; whether the identification graphic is embedded in the two-dimensional code does not affect the verification and security of the secure two-dimensional code.
- the secure two-dimensional code as shown in FIG. 3 is scanned and decoded according to the QR encoding rule to obtain combined information as shown in Table 5.
- the combination information is analyzed and deconstructed by connecting the symbols with vertical lines and parentheses, and the input information, digital signature, digital certificate and the like as shown in Table 1 - Table 4 are obtained. Its validity information.
- This embodiment is a public information two-dimensional code that does not require a decryption operation.
- the root certificate of the digital certificate issuing authority and its designated certificate validity verification institution is shown in Table 6 and Table 7.
- the root certificates shown in Tables 6 and 7 are stored in the trusted root certificate storage area of the verification device.
- the hash data of the digital certificate information is calculated as:
- the signature information in the digital certificate validity information is:
- the hash value of the digital certificate validity information calculated using the SHA256 hash algorithm is:
- the time limit for digital certificate validity information is shown in Table 4: 2016-1-1 00:00 to 2016-1-15 00:00; the generation time in the input dynamic information is as shown in Table 1: 2016-1-1 12:00:00; the input information generation time is within the time limit of the validity information;
- the validity of the digital certificate may also use the above-mentioned preferred offline verification method, and the certificate validity verification authority specified by the certificate issuing authority root certificate performs online verification; when the offline verification method is used to verify the validity of the certificate, the certificate in the combined information
- the validity information may be omitted or only the certificate hash value may be retained;
- the publisher's digital certificate is a valid certificate.
- the hash and signature algorithm parameters in the digital signature are sha256ECDSA, as shown in Table 2.
- the sha256 hash algorithm is used to calculate the input information hash data as:
- Publisher digital certificate owner CN name is ABC Bank SQR Certificate, enter the basic information name ABC Bank, which is the security QR code special certificate of the organization ABC Bank; the effective time limit for inputting dynamic information is shown in Table 1: 2016-1-1 12:00:00 to 2026-1-1 12:00:00, the current time is within the valid time limit for entering information;
- the above digital certificate, input information and digital signature are all verified correctly.
- the security QR code is verified correctly and the source of the encoded information is trusted. Display input information and QR code publisher information, prompting QR code by ABC Bank released, allowing access to online banking websites. If the security QR code has undergone any tampering or forgery, it will not pass the above security verification, indicating that the security QR code may be tampered with or forged, and the access to the encoding related website is denied.
- the payment platform for the taxi mobile payment application, generates a public information security QR code that can be read by the public user for each taxi operator, and the passenger can safely scan the code to pay the rental fee.
- the information to be encoded includes basic information, target information, and dynamic information.
- the basic information is: Base: ⁇ TaxiID: Shanghai A12345
- the target information is: OBJ: ⁇ URI: https://sqr.abcpay.com/zrk1rjziurlr2w3ira ⁇
- the dynamic information is: DYN: ⁇ Created:2016-1-1 12:00:00
- the type information is a public information security QR code.
- the encoded information needs to include multi-byte character Chinese characters, and the information encoding uses UTF-8 encoding.
- This embodiment uses another possible combination form to sign the complete combined information.
- the digital signature process is incorporated into step 3 for illustration.
- the two-dimensional code constructed in this embodiment is a public information security two-dimensional code, and no encryption operation is performed.
- the information of the security QR code identification, type, combination and compression method is: SQR . P0200
- SQR is the security QR code identifier
- P is the public information QR code
- 02 is the signature of the overall information
- 00 For alternate information bits.
- the digital certificate and its validity information are the CERT and VALID parts respectively.
- the private key of the publisher ABC Pay is:
- the sha256ECDSA signature algorithm is used to perform digital signature calculation on the hash value with the publisher private key, and the signature result is performed.
- Base64 encoding, getting the digital signature in text format is shown in Table 10.
- the QR code format is used to encode the combined information into a two-dimensional code to form a two-dimensional code pattern, as shown in FIG.
- the secure two-dimensional code as shown in FIG. 4 is scanned and decoded in accordance with the QR encoding rule to obtain combined information as shown in Table 11.
- the combination information is analyzed and deconstructed through vertical lines and parentheses, and the input information, the digital certificate, the validity information and the digital signature information are obtained.
- This embodiment is a public information two-dimensional code that does not require a decryption operation.
- the overall information signature combination method is adopted.
- the above steps complete the information combination and the deconstruction operation.
- the digital certificate validity and the input information verification step are the same as those in the first embodiment.
- the device of the present invention When the user pays, the device of the present invention generates a public information security QR code including the name, date, amount, and effective time of the payment merchant in real time, and the user scans the code to securely pay.
- the information to be encoded includes basic information, target information, and dynamic information.
- the basic information is: Base: ⁇ Name: ABC Mall
- the target information is: OBJ: ⁇ URI: https://pay.abcpay.com/dkri67zin9oo8tzxy9ojquz8mcaedhzcljix1jeu ⁇
- the dynamic information is: DYN: ⁇ Created:2016-5-1 12:00:00
- the type information is a public information security QR code.
- the private key of the publisher ABC Mall is:
- the two-dimensional code constructed in this embodiment is a public information security two-dimensional code, and no encryption operation is performed.
- the information of the security QR code identification, type, combination and compression method is: SQR . P0100
- the QR code format is used to encode the combined information into a two-dimensional code to form a two-dimensional code pattern, as shown in FIG.
- Embodiments 1 and 2 have detailed the construction verification process of two different combinations.
- the verification procedure of this embodiment is the same as that of Embodiment 1, and reference may be made to Embodiment 1, and the detailed description is not repeated.
- the secure QR code is verified correctly and the source of the encoded information is trusted.
- the input information and the QR code publisher information are displayed, indicating that the QR code source is trusted, and the scan code payment operation is allowed. If the security QR code has undergone any tampering or forgery, it will not pass the above security verification, indicating that the security QR code may be tampered with or forged, the publishing source is not trusted, and the payment operation is refused.
- ABC Mall's payment certificate is issued by ABC Pay, ABC Pay.
- the certificate is issued by the issuing center's root certificate.
- the method of the invention can verify the digital certificate of the multi-level issuing institution offline, and the combined information only needs to include the digital certificate information of the publisher terminal.
- the validity of the certificate chain is periodically updated by the validity verification mechanism specified by the issuing institution root certificate by the constructing device of the present invention, and the verification device performs offline verification by using the certificate validity information in the combined information.
- the multi-level certificate structure of the embodiment can also be used, and the secure payment two-dimensional code including the rental car fee and the like can be generated in real time by the device of the present invention, and the passenger can verify the security scan code payment offline.
- the musical instrument manufacturing enterprise generates a private information security QR code for each product produced and sold, and the user scans the security QR code to identify the purchased product as a genuine or counterfeit product.
- the information to be encoded includes basic information, target information, and dynamic information.
- the basic information is: Base: ⁇ Name: ABC Instrument ⁇
- the target information is: OBJ: ⁇ URI: https://product.abcinstrument.com/e92eab1319a8cde0dc61636a2ffc8eeb918a554b ⁇
- the dynamic information is: DYN: ⁇ InstrumentID: DH698JM12345678
- the type information is a private information security QR code.
- the private key of the publisher ABC Instrument is:
- the ECDSA signature algorithm is used to perform digital signature calculation on the hash value with the publisher private key, and the signature result is performed.
- the manufacturer generates a product feature verification security two-dimensional code when the product production line has not been sold yet. At this time, each product does not have a specific user correspondence, and cannot be encrypted by using a specific user's public key or its specified symmetric key.
- a randomly generated symmetric key is used in the embodiment, as shown in Table 17. This random password can be created on the product quality certificate together with the generated secure QR code using the password area coating method.
- the AES128 symmetric key algorithm is used to perform the encryption operation on the information to be encoded shown in Table 15 using the key shown in Table 17.
- the ciphertext information of the Encrypted operation result after Base64 encoding is as shown in Table 18.
- the information of the security QR code identification, type, combination and compression method is: SQR . R0100
- R is the private information security QR code.
- the QR code format is used to encode the combined information into a two-dimensional code to form a two-dimensional code pattern, as shown in FIG. 6.
- the security two-dimensional code shown in FIG. 6 in the scan quality certificate is decoded according to the QR encoding rule, and the combined information as shown in Table 19 is obtained.
- the combination information is analyzed and deconstructed through vertical lines and parentheses to obtain ciphertext information, digital signature, digital certificate and validity information.
- the ciphertext information is decrypted using the random symmetric key obtained in the quality certificate obtained by the manufacturer, and the ciphertext information is decrypted to obtain the input information as shown in Table 15.
- the private information is used for the two-dimensional code type, and the input information is encrypted.
- the main difference is the encryption and decryption processing and the combined deconstruction processing operation.
- the digital certificate validity and the input information verification step are the same as those in the first embodiment, and can be implemented by reference. Example 1 is implemented and will not be repeated.
- the secure QR code is verified correctly and the source of the encoded information is trusted.
- Display input information and QR code publisher information suggest that the QR code source is trusted, allow access to the address published by the manufacturer to view the feature picture corresponding to the instrument and compare with the purchased instrument, and compare the instrument characteristics in the QR code information.
- the hash value of the image matches the hash value displayed in the URL image to confirm that the purchased item is genuine. If the security QR code has undergone any tampering or forgery, it will not pass the above security verification, suggesting that the security QR code may be tampered with or forged, the publishing source is not trusted, and the URL encoded in the QR code is denied access.
- the purchased product is Product.
- the private information security QR code that expresses the identification information such as the performance time and the seat position is generated on the tickets of the performances sold by the organization.
- the user scans the security QR code to verify the authenticity of the ticket.
- the company scans the security QR code to achieve fast and safe security. Checking tickets to prevent counterfeit tickets from causing economic losses to users and companies.
- the information to be encoded includes basic information, target information, and dynamic information.
- the basic information is: Base: ⁇ Name: ABC Inc
- the target information is: OBJ: ⁇ TXT: ABC Inc Ticket, Seat 15F, Room A1, 2016-1-10 12:00 ⁇
- the dynamic information is: DYN: ⁇ TicketSN: 10001234
- the type information is a private information security QR code.
- the private key of the publisher ABC Inc is:
- the ECDSA signature algorithm is used to perform digital signature calculation on the hash value with the publisher private key, and the signature result is performed.
- Base64 encoding, getting the digital signature in text format is shown in Table 21.
- the embodiment adopts a two-layer encryption form, and the generated private information security two-dimensional code can be read and recognized by two designated users of the company and the ticket purchase user.
- the randomly generated first symmetric key is used.
- the AES128 algorithm is used to encrypt the information to be encoded shown in Table 20.
- the first ciphertext information after the Base64 encoding of the encryption operation result is shown in Table 23.
- the symmetric key set when the user purchases a ticket is shown in Table 25.
- the first symmetric key is encrypted by the AES128 symmetric key algorithm, and the ciphertext information after the Base64 encoding is shown in Table 26.
- the algorithm parameters and ciphertext information of the above two levels of encryption are connected by a vertical line and a parenthesis, and the ciphertext information of the present embodiment is shown in Table 27.
- abcinc Elgamal: A0vrl0wByM6LGRA6xxY7RgEUPiSUO6qE + Nm9Z1BoSotaA3Hqw / LHWfVPmLb5S7hh + Eyq / gWaaFpWL + FchLTDE7jU
- user1: aes128cbc: U2FsdGVkX19nk + kW2oaV0Xzb2VdIlNReTITwxZURkuU [aes128cbc: U2FsdGVkX1 + bVU4RDHGr6FAVxpNqEnRFf3Y5XEoGpkkzHujSgw6g1yVXASsXSYWTHYDeJMNNwgvuu57w1GXvtpM1fxrX // WmEpE5bF3w7VdV4m68AR88kJB55
- the information of the security QR code identification, type, combination and compression method is: SQR . R0100
- R is the private information security QR code.
- the digital certificate and its validity information are the CERT and VALID parts respectively.
- the QR code format is used to encode the combined information into a two-dimensional code to form a two-dimensional code pattern, as shown in FIG.
- the secure two-dimensional code as shown in Fig. 7 is scanned and decoded in accordance with the QR encoding rule to obtain combined information as shown in Table 28.
- the combination information is analyzed and deconstructed through vertical lines and parentheses to obtain ciphertext information, digital signature, digital certificate and validity information.
- ABC Inc scans the security QR code on the user's ticket, using ABC Inc.'s private key and Elgamal algorithm perform ECC asymmetric key decryption operation on the ciphertext information corresponding to abcinc in the ciphertext information as shown in Table 24, and obtain the first symmetric key as shown in Table 22;
- the first symmetric key decrypts the first ciphertext information as shown in Table 23 in the ciphertext information, and obtains the input information as shown in Table 20.
- the user can also input the symmetric key set by the user, and then perform the decryption process in the same process as the user, and obtain the input information as shown in Table 20.
- the two-dimensional code type of the private information is used, and the input information is encrypted by the two-layer encryption method.
- the main difference is the encryption and decryption processing and the combined deconstruction processing operation, and then the digital certificate validity and the input information verification step and the embodiment 1
- the implementation of Embodiment 1 can be referred to, and the detailed description is not repeated.
- the digital certificate, input information and digital signature are all verified correctly.
- the security QR code is verified correctly and the source of the encoded information is trusted.
- the input information and the QR code publisher information are displayed, and the source code of the QR code is trusted, and the ticket is true and can be admitted. If the security QR code has undergone any tampering or forgery, the above security verification cannot be passed, indicating that the security QR code may be tampered with or forged, the source of the distribution is not trusted, the ticket is forged, and the admission is refused.
- the train ticket generates a safety information QR code for easy ticket checking and verification of passenger status. Tickets such as departure time and seat number of the ticket have been printed on the ticket surface for public information; however, the name and ID card information of the real-name ticket-purchasing user are private information, and the use of public forms such as dropping the ticket after boarding may result in passengers. Privacy information is leaked. Therefore, this embodiment adopts a hybrid information security two-dimensional code type.
- the hybrid information security QR code is based on the public information security two-dimensional code and the private information security two-dimensional code, and performs separate signature verification and encryption and decryption operations on the extended information in the input information.
- the algorithm and the processing flow are basically the same. This embodiment will not repeat the same processing procedure, and only the combination information of the different parts and the operation result and the security two-dimensional code pattern are given.
- the input information is:
- the EXT part is extended information.
- the private key of the publisher XYZ Inc is:
- the EXT information is signed by the sha256ECDSA algorithm, and the signature information is:
- the obtained ciphertext information is:
- the hybrid information security QR code can also be constructed on the basis of the private information QR code, and only the specific user can decrypt the verification extension information.
- the signature verification and encryption and decryption operations of the extended information may also adopt other symmetric keys and asymmetric key algorithms according to the present invention, and will not be further described.
- Some conventional modified application forms can cache the digital certificate in the digital certificate storage area of the verification device, and the two-dimensional code combination information.
- the digital certificate part can be omitted; in the case where the shape of the distribution area is limited, it can be distributed in a multi-code format; under the condition that the optical scanning imaging is not satisfied at night or high-speed movement, the transmission mode can be realized by Bluetooth radio frequency wireless transmission or the like. Transmission of code information.
- Embodiment 7 of an offline verification secure two-dimensional code structure verification apparatus according to the present invention, and is related to Embodiment 1-6.
- An information input unit S301 configured to input information to be encoded and type information
- a security information storage unit S302 configured to securely store private key information
- An information storage unit S303 configured to store input information and operation result information in the device
- a digital certificate storage unit S304 configured to store the digital certificate and its validity information in the constructing device
- a digital signature and information encryption operation unit S305 configured to calculate a digital signature, update digital certificate validity information, and encrypt information
- the coding operation unit S306 is configured to construct combined information and perform information tags such as two-dimensional codes. Coding operation
- the image display information output unit S307 is configured to display and output the secure two-dimensional code information
- An image scanning information input unit S401 configured to scan and input secure two-dimensional code information
- a root certificate storage unit S402 configured to store a key issuing authority and a root certificate of the specified validity verification institution
- the information storage unit S403 is configured to store the input information and the operation result information in the verification device
- a digital certificate storage unit S404 configured to verify, in the verification device, the digital certificate and the validity information thereof;
- Digital signature verification and information decryption unit S405 for digital signature verification of information decryption and digital certificate validity and input information
- Information tag such as two-dimensional code, identification and combination information analysis deconstruction operation unit S406, for information tags such as two-dimensional code Code recognition and analysis and deconstruction of combined information;
- the result output information prompting unit S407 is used for the secure two-dimensional code verification result output and the information prompt.
- the device can be divided into two independent sub-devices: a construction device and a verification device, wherein the construction device is composed of S301-S307 Unit composition, verification device by S401-S407 Unit composition; can also be implemented as a device, including all of the above units, wherein the units for information input, information storage, and information display in the construction and verification sub-devices can be combined to share the same unit.
- Information input unit S301 and image scanning information input unit S401 can be realized by common components such as keyboard, touch screen, camera, scanner, etc.
- the security information storage unit S302 can use secret information such as a secure storage chip, a smart card, an FPGA built-in ROM storage area, and the like to store private key information.
- the secure memory chip needs to cooperate with an external computing unit to operate and read and write a secure memory chip in an encrypted manner, and the security is relatively low; the smart card or the FPGA chip can be stored in the chip with its own internal computing unit, only the private key operation is performed. The input and output of the calculation data and the operation result are performed, and the private key information cannot be read from the chip, and the security of the private key information can be ensured.
- the information storage units S303, S403, the digital certificate storage units S304, S404, and the root certificate storage unit S402 can be implemented by using a general-purpose storage unit.
- the method of signature verification, encryption and decryption, combination deconstruction and the like in the embodiments 1-6 can be implemented by using a general-purpose CPU or a GPU operation unit, or by using a DSP, an FPGA, a CPLD, or an ASIC chip.
- the image display information output unit S307 and the result output information presentation unit S407 can be implemented using a general-purpose liquid crystal panel, a touch screen, a buzzer, an audio output unit, and the like.
- the method of the invention can be widely used in electronic media, newspapers and magazines, commodity packaging, warehousing logistics, personal business cards, transportation tickets, certificate documents, mobile advertisements, social APPs, online shopping transactions, online banking payments, mobile payment, etc., Internet of Things, mobile Internet related applications
- the implementation is simple and efficient, the application cost is low, and the industrial use value is high.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims (10)
- 可离线验证安全信息标签构造验证方法,其特征在于,所述方法包括:输入需编码的信息和类型信息;对需编码信息进行数字签名运算、加密运算;用输入信息、加密信息、数字签名、数字证书及其有效性信息构造组合信息;对组合信息进行信息编码,生成安全信息标签;输入安全信息标签信息,按信息标签编码规则识别内含的组合信息;分析解密组合信息,得到输入信息、数字签名、数字证书及其有效性信息;验证数字证书的有效性,并用数字证书验证输入信息和数字签名;验证结果判断和信息输出提示;所述方法包含在组合信息中的数字证书有效性信息是经数字证书密钥签发机构根证书指定的有效性验证机构签名认证的数字证书当前状态信息,此有效性信息可以离线验证多级签发结构的数字证书,组合信息中只需包含发布者终端数字证书信息;验证时用数字证书签发机构及其指定的证书有效性验证机构的根证书验证数字证书信息,并用数字证书信息验证输入信息和数字签名。
- 根据权利要求1所述的方法,其特征在于,所述输入的需编码信息和类型信息包括但不限于:需编码信息为基本信息、扩展信息、目标信息、动态信息中的任意几种;其中,基本信息为不随单次应用变化的名称、地址、域名信息中的任意几种;目标信息为目标网址、公示信息中的任意几种;动态信息为根据单次应用而变化的生成时间、有效时间、交易信息、应用参数信息中的任意几种;扩展信息为证件号码、联系方式信息中的任意几种;类型信息为公开信息、私密信息、混合信息中的任意一种。
- 根据权利要求1所述的方法,其特征在于,所述数字签名、签名验证、数字证书所用的密码系统包括但不限于:数字签名、签名验证、数字证书使用非对称公钥密码系统,采用ECC椭圆曲线密码系统、DSA密码系统、RSA密码系统中的任意一种。
- 根据权利要求1所述的方法,其特征在于,所述信息加密、信息解密所用的密码系统包括但不限于:信息加密、信息解密使用对称密钥密码系统及非对称公钥密码系统,采用AES、3DES、RC4、IDEA、ECC、RSA、ECDH中的任意几种;用特定用户指定的对称密钥或其公钥及私钥对需加密信息进行加密和解密运算,或者用由用户公钥产生的或随机产生的对称密钥对需加密信息进行加密和解密运算,并用特定用户指定的对称密钥或其公钥及私钥对所用的由用户公钥产生的或随机产生的对称密钥进行加密和解密运算。
- 根据权利要求1-4任意一项所述的方法,其特征在于,所述组合信息包括但不限于:输入信息、加密信息、数字签名、数字证书及其有效性信息;其中,输入信息为输入的需编码的信息和类型信息;加密信息为用特定用户的公钥或者其指定的对称密钥对需加密信息加密后的密文以及加密算法参数信息,可以对输入信息或者整个组合信息进行加密运算;数字签名是用发布者私钥对需认证信息进行签名运算的结果,可以对输入信息或者整个组合信息进行数字签名运算;数字证书是由密钥签发机构数字签名认证的发布者身份及公钥证书;数字证书有效性信息是经密钥签发机构根证书指定的有效性验证机构签名认证的数字证书当前状态信息;对于专用系统,数字证书可以缓存于验证装置的数字证书存储区,组合信息内可以省略数字证书信息或者只保留数字证书散列值信息;数字证书有效性信息可以离线验证多级签发结构的数字证书,组合信息中只需包含发布者终端数字证书信息;如果不使用优选的离线验证方式,数字证书有效性信息可以省略或者只保留数字证书散列值信息。
- 根据权利要求1-5所述的方法,其特征在于,所述组合信息的构造组合及分析解构方法包括但不限于:在组合信息头部保存安全信息标签标识、类型、组合、压缩方式等信息;当需要编码的信息为可供任何用户读取的公开信息时:将输入信息、数字签名、数字证书及其有效性信息通过分隔符号连接构成组合信息;解构时根据组合信息头部的类型和组合方式信息,通过分隔符号将组合信息分解为各个独立信息;当需要编码的信息为只由特定用户读取的私密信息时:将输入信息的密文信息、数字签名、数字证书及其有效性信息通过分隔符号连接构成组合信息;解构时根据组合信息头部的类型和组合方式信息,先通过分隔符号将组合信息分解为各个独立信息,再根据密文信息中的加密算法参数,对密文信息进行解密运算得到原始输入信息;也可以先将输入信息、数字签名、数字证书及其有效性信息通过分隔符号连接,再对连接后的信息进行加密运算,以加密信息作为组合信息;解构时根据组合信息头部的类型和组合方式信息,先通过密文信息中的加密算法参数对密文信息进行解密运算,再根据分隔符号将解密后的组合信息分解为各个独立信息;当需要编码的信息为可由多类用户读取的混合信息时:在以上公开信息或私密信息处理方法的基础上,对扩展信息进行独立的签名加密和验证解密处理;扩展信息及扩展信息之外的其它信息可分别由不同类别的用户读取;对包含多字节字符的信息,可以采用UTF-8或者UTF-16形式的Unicode编码;组合信息构造完成后,可以再对组合信息进行压缩运算或者转换为Base64编码;解构时先对压缩的组合信息进行解压缩运算或者Base64解码,再按其组合方式解构。
- 根据权利要求1所述的方法,其特征在于,所述信息标签编码识别和信息输入输出方法包括但不限于:采用二维码、射频识别码中任意一种编码识别方法;采用不同大小级别码制或者多码形式表示;生成的信息标签图形中可以嵌入一个安全信息标签标识图形;采用光学图像传输、蓝牙射频无线传输中任意一种信息传输方法。
- 根据权利要求1-6所述的方法,其特征在于,所述验证和结果判断信息输出方法为:用数字证书签发机构及其指定的证书有效性验证机构的根证书验证数字证书信息,并用数字证书信息验证输入信息和数字签名;验证方法优选使用离线验证方式,也可以使用指定的有效性验证机构验证的方式;数字证书、输入信息和数字签名全部验证正确,则安全信息标签验证正确,编码信息来源可信,否则其信息发布来源不可信;对验证正确的安全信息标签,显示编码信息和信息标签发布者信息,允许进行与此信息标签相关的应用操作;否则提示此信息标签发布来源不可信,拒绝与此信息标签相关的应用操作。
- 可离线验证安全信息标签构造验证装置,其特征在于,所述装置包括:信息输入单元,用于输入需编码信息和类型信息;信息存储单元,用于存储输入信息及运算结果信息;安全信息存储单元,用于安全存储私钥信息;数字证书存储单元,用于存储数字证书及其有效性信息;根证书存储单元,用于存储密钥签发机构及其指定有效性验证机构的根证书;数字签名和信息加密运算单元,用于计算数字签名、更新数字证书有效性信息和信息加密;组合信息构造及信息标签编码运算单元,用于构造组合信息并进行信息标签编码运算;图像显示信息输出单元,用于显示和输出安全信息标签信息;图像扫描信息输入单元,用于扫描和输入安全信息标签信息;信息标签识别及组合信息分析解构运算单元,用于信息标签编码识别并对组合信息进行分析解构运算;数字签名验证和信息解密单元,用于信息解密和数字证书有效性及输入信息的数字签名验证;结果输出信息提示单元,用于安全信息标签验证结果输出和信息提示;所述装置存储在在组合信息中的数字证书有效性信息是经数字证书密钥签发机构根证书指定的有效性验证机构签名认证的数字证书当前状态信息,此有效性信息可以离线验证多级签发结构的数字证书,组合信息中只需包含发布者终端数字证书信息;所述装置验证运算时用数字证书签发机构及其指定的证书有效性验证机构的根证书验证数字证书信息,并用数字证书信息验证输入信息和数字签名。
- 根据权利要求9所述的装置,其特征在于,所述运算单元、签名单元、验证单元、存储单元及安全存储单元的运算功能和构造方式包括但不限于:信息编码解码、签名验证、加密解密、构造解构运算单元运算功能为权利要求3-8所述运算;单元构造方式包括通用用途存储及运算器件、DSP芯片、FPGA芯片、CPLD芯片、ASIC芯片中的任意几种。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610979974.8A CN106452756B (zh) | 2016-11-08 | 2016-11-08 | 可离线验证安全二维码构造验证方法与装置 |
CN201610979974.8 | 2016-11-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018086515A1 true WO2018086515A1 (zh) | 2018-05-17 |
Family
ID=58207738
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/109793 WO2018086515A1 (zh) | 2016-11-08 | 2017-11-07 | 可离线验证安全信息标签构造验证方法与装置 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106452756B (zh) |
WO (1) | WO2018086515A1 (zh) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111740839A (zh) * | 2020-05-26 | 2020-10-02 | 深圳市共进电子股份有限公司 | 一种证书验证方法、装置、终端设备及介质 |
CN112100983A (zh) * | 2020-08-14 | 2020-12-18 | 许继集团有限公司 | 一种用于系统中的标识码以及标识码的生成方法 |
CN112257046A (zh) * | 2020-11-06 | 2021-01-22 | 新大陆(福建)公共服务有限公司 | 一种用软件库实现可信数字身份解密和验签的方法、系统和设备 |
CN113704814A (zh) * | 2021-07-26 | 2021-11-26 | 维沃移动通信(杭州)有限公司 | 信息管理方法及装置 |
CN114900365A (zh) * | 2022-05-20 | 2022-08-12 | 帕特思科技咨询(杭州)有限公司 | 一种创新服务资源数据处理及安全交互方法 |
WO2022241531A1 (pt) * | 2021-05-21 | 2022-11-24 | Pixcard Plataforma De Inovações Financeiras Ltda | Sistema de captura de pagamentos eletrônicos via aplicativo vendedor adquirente |
CN116862204A (zh) * | 2023-08-31 | 2023-10-10 | 山东浪潮数字商业科技有限公司 | 一种质量检验的计划排程方法及工具 |
US11915077B2 (en) | 2021-08-31 | 2024-02-27 | Cisco Technology, Inc. | URL validation and redirection for scannable codes |
CN117971029A (zh) * | 2024-03-26 | 2024-05-03 | 安擎计算机信息股份有限公司 | 一种服务器系统和服务器 |
Families Citing this family (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106452756B (zh) * | 2016-11-08 | 2018-03-30 | 王栋 | 可离线验证安全二维码构造验证方法与装置 |
CN106897761A (zh) * | 2017-03-06 | 2017-06-27 | 山东渔翁信息技术股份有限公司 | 一种二维码生成方法及装置 |
CN107133526A (zh) * | 2017-04-06 | 2017-09-05 | 深圳奥联信息安全技术有限公司 | 应用数据保护方法及装置 |
CN107248919A (zh) * | 2017-06-23 | 2017-10-13 | 阿里巴巴集团控股有限公司 | 生成及应用图形编码的方法和装置 |
CN107301230A (zh) * | 2017-06-23 | 2017-10-27 | 广州聪明云软件科技有限公司 | 基于物联网物品标识的生成方法及系统、解析方法及系统 |
CN107276746A (zh) * | 2017-07-19 | 2017-10-20 | 河南神州数码索贝科技有限公司 | 一种中文字符加解密方法 |
CN107484032B (zh) * | 2017-09-08 | 2018-08-03 | 武汉斗鱼网络科技有限公司 | 防止被刷的验证方法及装置 |
CN107835079A (zh) * | 2017-11-02 | 2018-03-23 | 广州佳都数据服务有限公司 | 一种基于数字证书的二维码认证方法和设备 |
CN107682161B (zh) * | 2017-11-02 | 2020-12-22 | 广州佳都数据服务有限公司 | 一种二维码的离线认证方法和设备 |
CN107909133B (zh) * | 2017-11-15 | 2021-01-19 | 深圳大学 | 二维码生成方法、二维码解码方法以及终端 |
WO2019095170A1 (zh) * | 2017-11-15 | 2019-05-23 | 深圳大学 | 二维码生成方法、二维码解码方法以及终端 |
CN108257226B (zh) * | 2018-01-12 | 2020-11-27 | 深圳市海东青软件科技股份有限公司 | 扫码检票方法、系统、装置、计算机设备和存储介质 |
CN108256863A (zh) * | 2018-01-26 | 2018-07-06 | 鼎讯网络安全技术有限公司 | 基于se的二维码生成、存储、识别和相关加解密的方法 |
CN108462699A (zh) * | 2018-02-09 | 2018-08-28 | 苏州酷豆物联科技有限公司 | 基于时序加密的二维码生成及验证方法和系统 |
CN108777617B (zh) * | 2018-04-17 | 2021-04-06 | 新大陆(福建)公共服务有限公司 | 一种可扩展的结构化安全二维码生成方法以及系统 |
CN108734248A (zh) * | 2018-04-17 | 2018-11-02 | 新大陆(福建)公共服务有限公司 | 一种快速生成安全二维码的方法以及二维码的扫码方法 |
CN108712383A (zh) * | 2018-04-17 | 2018-10-26 | 新大陆(福建)公共服务有限公司 | 一种离线安全二维码的生成方法及计算机可读存储介质 |
CN108737394B (zh) * | 2018-05-08 | 2020-05-22 | 腾讯科技(深圳)有限公司 | 离线验证系统、扫码设备和服务器 |
CN108846650A (zh) * | 2018-05-24 | 2018-11-20 | 北京比特大陆科技有限公司 | 一种实现交易信息验证的方法和装置 |
CN108960385A (zh) * | 2018-06-29 | 2018-12-07 | 苏州酷豆物联科技有限公司 | 基于多重秘钥加密的二维码生成及验证方法和系统 |
CN109086621B (zh) * | 2018-07-23 | 2022-05-13 | 深圳市科陆精密仪器有限公司 | 电能表检定报告数据防篡改方法和系统、存储介质 |
CN109087085A (zh) * | 2018-07-26 | 2018-12-25 | 深圳市万通顺达科技股份有限公司 | 一种公交二维码的脱机支付方法及支付系统 |
CN109379181A (zh) * | 2018-08-10 | 2019-02-22 | 航天信息股份有限公司 | 生成、验证二维码的方法和装置,存储介质和电子设备 |
CN109447623A (zh) * | 2018-09-19 | 2019-03-08 | 新开普电子股份有限公司 | 一种基于二维码支付安全认证方法 |
CN109302292B (zh) * | 2018-11-01 | 2022-02-01 | 北京冠群信息技术股份有限公司 | 文件检验方法、装置、电子设备及存储介质 |
CN109766973A (zh) * | 2018-12-17 | 2019-05-17 | 南京熊猫电子股份有限公司 | 公共交通自动售检票系统移动支付的二维码 |
US11303450B2 (en) * | 2018-12-19 | 2022-04-12 | Visa International Service Association | Techniques for securely performing offline authentication |
CN109740717A (zh) * | 2018-12-30 | 2019-05-10 | 尤尼泰克(嘉兴)信息技术有限公司 | 一种数据自我核验的编码、解码方法 |
WO2020143567A1 (zh) * | 2019-01-07 | 2020-07-16 | 尤尼泰克(嘉兴)信息技术有限公司 | 一种自我核验的二维码及其编码方法 |
CN109862020A (zh) * | 2019-02-22 | 2019-06-07 | 金邦达有限公司 | 信息展示和验证方法、智能卡、服务器和系统 |
CN109886006A (zh) * | 2019-02-28 | 2019-06-14 | 尤尼泰克(嘉兴)信息技术有限公司 | 一种基于二维码的信息源核验方法和装置 |
CN111787369B (zh) * | 2019-04-03 | 2022-05-03 | 深圳Tcl数字技术有限公司 | 一种智能电视root权限控制方法、系统及存储介质 |
CN110400137B (zh) * | 2019-04-03 | 2020-12-18 | 深圳刷宝科技有限公司 | 免密支付验证系统 |
CN110008683A (zh) * | 2019-04-17 | 2019-07-12 | 尤尼泰克(嘉兴)信息技术有限公司 | 一种基于二维码的证书识别方法及设备 |
CN110197245B (zh) * | 2019-04-28 | 2023-06-09 | 新大陆(福建)公共服务有限公司 | 一种双码制二维码及其跨平台交互方法 |
CN110210270B (zh) * | 2019-05-28 | 2024-04-09 | 中国电力科学研究院有限公司 | 二维码信息安全加固方法及系统和二维码图像解析方法及系统 |
CN110189126A (zh) * | 2019-06-03 | 2019-08-30 | 飞天诚信科技股份有限公司 | 一种动态二维码的生成方法及装置 |
CN110533410B (zh) * | 2019-07-30 | 2022-02-15 | 河南兄弟科技发展有限公司 | 一种支付方法 |
CN110391914B (zh) * | 2019-09-18 | 2019-12-31 | 尤尼泰克(嘉兴)信息技术有限公司 | 一种基于二维码的文件获取方法及设备、二维码生成方法 |
CN110798319A (zh) * | 2019-10-25 | 2020-02-14 | 北京国信京宁信息安全科技有限公司 | 电子证照离线验真系统及方法 |
CN110930147B (zh) * | 2019-11-01 | 2021-12-03 | 北京三快在线科技有限公司 | 离线支付方法、装置、电子设备及计算机可读存储介质 |
CN111091430B (zh) * | 2019-11-29 | 2024-04-09 | 航天信息股份有限公司 | 一种开票二维码处理方法及系统 |
CN111160505A (zh) * | 2020-03-24 | 2020-05-15 | 绿漫科技有限公司 | 一种智慧社区通用二维码实现方法 |
CN111523867B (zh) * | 2020-07-06 | 2020-10-09 | 和宇健康科技股份有限公司 | 人员信息管理方法、计算机设备和存储介质 |
CN112200286B (zh) * | 2020-08-25 | 2023-10-03 | 中国物品编码中心 | 字符串编码的方法和装置 |
CN112861109B (zh) * | 2021-02-07 | 2022-03-25 | 新大陆(福建)公共服务有限公司 | 一种基于ctid平台和前置系统生成的数字身份码及交互方法 |
CN113312534B (zh) * | 2021-05-28 | 2022-08-05 | 中铁十一局集团第五工程有限公司 | 一种工程测量智慧管理平台 |
CN113610588A (zh) * | 2021-06-25 | 2021-11-05 | 惠州学院 | 一种二维码加密验证方法 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050138527A1 (en) * | 1999-02-24 | 2005-06-23 | Datastrip (Iom) Limited | Two-dimensional printed code for storing biometric information and integrated offline apparatus for reading same |
CN102202051A (zh) * | 2011-04-07 | 2011-09-28 | 华南农业大学 | 一种可信二维码系统及其应用方法 |
CN102779263A (zh) * | 2012-06-19 | 2012-11-14 | 袁开国 | 基于pki和数字签名的可信二维码方案 |
CN105024824A (zh) * | 2014-11-05 | 2015-11-04 | 祝国龙 | 基于非对称加密算法的可信标签的生成与验证方法及系统 |
CN106452756A (zh) * | 2016-11-08 | 2017-02-22 | 王栋 | 可离线验证安全二维码构造验证方法与装置 |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102932148B (zh) * | 2012-10-25 | 2016-05-11 | 成都市易恒信科技有限公司 | 基于cpk认证的安全二维码防伪系统与方法 |
KR20140108749A (ko) * | 2013-02-27 | 2014-09-15 | 한국전자통신연구원 | 프라이버시 보호형 문서 인증 정보 생성 장치 및 이를 이용한 프라이버시 보호형 문서 인증 방법 |
-
2016
- 2016-11-08 CN CN201610979974.8A patent/CN106452756B/zh active Active
-
2017
- 2017-11-07 WO PCT/CN2017/109793 patent/WO2018086515A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050138527A1 (en) * | 1999-02-24 | 2005-06-23 | Datastrip (Iom) Limited | Two-dimensional printed code for storing biometric information and integrated offline apparatus for reading same |
CN102202051A (zh) * | 2011-04-07 | 2011-09-28 | 华南农业大学 | 一种可信二维码系统及其应用方法 |
CN102779263A (zh) * | 2012-06-19 | 2012-11-14 | 袁开国 | 基于pki和数字签名的可信二维码方案 |
CN105024824A (zh) * | 2014-11-05 | 2015-11-04 | 祝国龙 | 基于非对称加密算法的可信标签的生成与验证方法及系统 |
CN106452756A (zh) * | 2016-11-08 | 2017-02-22 | 王栋 | 可离线验证安全二维码构造验证方法与装置 |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111740839A (zh) * | 2020-05-26 | 2020-10-02 | 深圳市共进电子股份有限公司 | 一种证书验证方法、装置、终端设备及介质 |
CN111740839B (zh) * | 2020-05-26 | 2023-02-17 | 深圳市共进电子股份有限公司 | 一种证书验证方法、装置、终端设备及介质 |
CN112100983A (zh) * | 2020-08-14 | 2020-12-18 | 许继集团有限公司 | 一种用于系统中的标识码以及标识码的生成方法 |
CN112100983B (zh) * | 2020-08-14 | 2024-05-10 | 许继集团有限公司 | 一种用于系统中的标识码以及标识码的生成方法 |
CN112257046A (zh) * | 2020-11-06 | 2021-01-22 | 新大陆(福建)公共服务有限公司 | 一种用软件库实现可信数字身份解密和验签的方法、系统和设备 |
WO2022241531A1 (pt) * | 2021-05-21 | 2022-11-24 | Pixcard Plataforma De Inovações Financeiras Ltda | Sistema de captura de pagamentos eletrônicos via aplicativo vendedor adquirente |
CN113704814A (zh) * | 2021-07-26 | 2021-11-26 | 维沃移动通信(杭州)有限公司 | 信息管理方法及装置 |
US11915077B2 (en) | 2021-08-31 | 2024-02-27 | Cisco Technology, Inc. | URL validation and redirection for scannable codes |
CN114900365A (zh) * | 2022-05-20 | 2022-08-12 | 帕特思科技咨询(杭州)有限公司 | 一种创新服务资源数据处理及安全交互方法 |
CN116862204A (zh) * | 2023-08-31 | 2023-10-10 | 山东浪潮数字商业科技有限公司 | 一种质量检验的计划排程方法及工具 |
CN117971029A (zh) * | 2024-03-26 | 2024-05-03 | 安擎计算机信息股份有限公司 | 一种服务器系统和服务器 |
CN117971029B (zh) * | 2024-03-26 | 2024-06-07 | 安擎计算机信息股份有限公司 | 一种服务器系统和服务器 |
Also Published As
Publication number | Publication date |
---|---|
CN106452756A (zh) | 2017-02-22 |
CN106452756B (zh) | 2018-03-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018086515A1 (zh) | 可离线验证安全信息标签构造验证方法与装置 | |
WO2020235782A1 (ko) | 분산 환경에서의 신원 인증 방법 | |
WO2014139403A1 (zh) | 一种终端主密钥tmk安全下载方法及系统 | |
WO2011149214A2 (ko) | 오티피를 생성하기 위해 홍채정보를 이용한 쓰리-팩터 사용자 인증방식과 무선통신단말기의 오티피 인증모듈을 이용한 안전한 상호인증시스템 | |
WO2017043904A1 (en) | Method and apparatus for performing payment | |
WO2016126052A2 (ko) | 인증 방법 및 시스템 | |
WO2018008800A1 (ko) | 블록체인을 기반으로 하는 공인인증서 인증시스템과 이를 이용한 블록체인을 기반으로 하는 공인인증서 인증방법 | |
WO2011066704A1 (zh) | 一种公交一卡通业务系统及其实现方法 | |
WO2011079753A1 (zh) | 认证方法、认证交易系统和认证装置 | |
WO2013067935A1 (zh) | 用于对用户身份进行认证的方法、系统及其使用的设备 | |
WO2014139342A1 (zh) | 密钥下载方法、管理方法、下载管理方法及装置和系统 | |
WO2017035695A1 (zh) | 信息传输方法及移动设备 | |
US20030115468A1 (en) | Assignment of user certificates/private keys in token enabled public key infrastructure system | |
WO2014139344A1 (zh) | 密钥下载方法、管理方法、下载管理方法及装置和系统 | |
US20020098830A1 (en) | Method for verifying in a mobile device the authenticity of electronic certificates issued by a certification authority and corresponding identification module | |
WO2010074383A1 (ko) | 물품관리방법 | |
WO2019001110A1 (zh) | 权限认证方法、系统、设备及计算机可读存储介质 | |
WO2019132555A1 (ko) | 이모지가 포함된 메시지를 송수신하는 전자 장치 및 그 전자 장치를 제어하는 방법 | |
WO2021075867A1 (ko) | 블록체인 기반 시스템을 위한 키의 저장 및 복구 방법과 그 장치 | |
WO2023106759A1 (ko) | Qr코드 스캔·셀픽형 웹중개제어로 이루어진 하이브리드식 사진인화키오스크형 오프라인 이지 결제장치 및 방법 | |
WO2018120459A1 (zh) | 验证图像真伪的方法、装置、设备、存储介质及服务端 | |
WO2006132143A1 (ja) | 認証システム、認証装置、端末装置及び検証装置 | |
WO2017188497A1 (ko) | 무결성 및 보안성이 강화된 사용자 인증방법 | |
WO2020105892A1 (ko) | 디바이스가 디지털 키를 공유하는 방법 | |
WO2017135537A1 (ko) | 근거리 통신을 이용한 결제 시스템 및 방법 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17869196 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17869196 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01.10.2019) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17869196 Country of ref document: EP Kind code of ref document: A1 |