WO2018177045A1 - Digital certificate management method and device - Google Patents
Digital certificate management method and device
- Publication number: WO2018177045A1 (PCT application PCT/CN2018/076618)
- Authority: WO (WIPO, PCT)
- Prior art keywords: digital certificate, key, issuing device, data channel, message
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
        - H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
          - H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
            - H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Definitions
- the present invention relates to the field of network security technologies, and in particular, to a digital certificate management method and device.
- Digital certificates are a way to verify the identity of a network communication entity, and digital certificate technology can be used for data encryption, identity verification, and the like.
- the digital certificate is generally issued by the digital certificate issuing device to the digital certificate application device and can be used to identify the identity of the digital certificate application device.
- the invention provides a digital certificate management method and device that can establish a secure channel for data transmission between a digital certificate application device and a digital certificate issuing device and encrypt the messages exchanged between them, thereby effectively improving the security of digital certificate management.
- the present invention provides a digital certificate management method, including: the digital certificate application device uses an obtained authorization code to negotiate with the digital certificate issuing device to establish a secure data channel and generate a security key, where the security key includes at least a data communication key; the digital certificate application device sends a digital certificate management request message to the digital certificate issuing device through the secure data channel, the digital certificate management request message being encrypted with the data communication key; the digital certificate issuing device receives the digital certificate management request message and sends a digital certificate management response message to the digital certificate application device through the secure data channel; and the digital certificate application device receives the digital certificate management response message through the secure data channel.
- the digital certificate management response message is encrypted with the data communication key; the digital certificate application device processes the digital certificate management response message to obtain a processing result.
- the present invention provides a digital certificate application device, including: a secure data channel establishing unit, configured to use an obtained authorization code to negotiate with a digital certificate issuing device to establish a secure data channel and generate a security key;
- the security key includes a data communication key; an encryption unit, configured to encrypt the digital certificate management request message with the data communication key; and a sending unit, configured to send the digital certificate management request message to the digital certificate issuing device through the secure data channel, the digital certificate management request message being encrypted with the data communication key;
- a receiving unit, configured to receive, through the secure data channel, the digital certificate management response message sent by the digital certificate issuing device, the digital certificate management response message being encrypted with the data communication key; and a processing unit, configured to process the digital certificate management response message to obtain a processing result.
- the present invention provides an apparatus for digital certificate application, comprising a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs contain instructions for: using the acquired authorization code to negotiate with a digital certificate issuing device to establish a secure data channel and generate a security key, where the security key includes a data communication key; encrypting the digital certificate management request message with the data communication key; sending the digital certificate management request message to the digital certificate issuing device through the secure data channel, the digital certificate management request message being encrypted with the data communication key; receiving, through the secure data channel, a digital certificate management response message sent by the digital certificate issuing device, the digital certificate management response message being encrypted with the data communication key; and processing the digital certificate management response message to obtain a processing result.
- the present invention provides a digital certificate issuing device, where the device includes: a secure data channel establishing unit, configured to use an authorization code to negotiate with a digital certificate application device to establish a secure data channel and generate a security key;
- the security key includes a data communication key;
- a receiving unit, configured to receive, through the secure data channel, a digital certificate management request message sent by the digital certificate application device, the digital certificate management request message being encrypted with the data communication key; a processing unit, configured to process the received digital certificate management request message and generate a digital certificate management response message;
- an encryption unit, configured to encrypt the digital certificate management response message with the data communication key; and a sending unit, configured to send the digital certificate management response message to the digital certificate application device through the secure data channel, the digital certificate management response message being encrypted with the data communication key.
- the present invention provides an apparatus for digital certificate issuance, comprising a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs contain instructions for: using an authorization code to negotiate with a digital certificate application device to establish a secure data channel and generate a security key, where the security key includes a data communication key; receiving, through the secure data channel, a digital certificate management request message sent by the digital certificate application device, the digital certificate management request message being encrypted with the data communication key; processing the received digital certificate management request message and generating a digital certificate management response message; encrypting the digital certificate management response message with the data communication key; and sending the digital certificate management response message to the digital certificate application device through the secure data channel, the digital certificate management response message being encrypted with the data communication key.
- the digital certificate application device can use the obtained authorization code to negotiate with the digital certificate issuing device to establish a secure data channel and generate a security key, and the messages exchanged between the digital certificate application device and the digital certificate issuing device are encrypted with the generated data communication key, which effectively improves the security of data transmission and can be applied to automatic application, query, update and revocation of digital certificates and to revocation list acquisition in a variety of different types of scenarios.
- FIG. 1 is a schematic application scenario of an embodiment of the present invention.
- FIG. 2 is a flowchart of a digital certificate management method according to an embodiment of the present invention.
- FIG. 3 is a flowchart of a digital certificate management method according to another embodiment of the present invention.
- FIG. 4 is a schematic diagram of negotiation and establishment of a secure data channel according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of message content in a method for automatic application, query, update and revocation of a digital certificate and revocation list acquisition according to an embodiment of the present invention.
- FIG. 6 is a block diagram of a digital certificate application device according to an exemplary embodiment.
- FIG. 7 is a block diagram of an apparatus for digital certificate application according to another exemplary embodiment.
- FIG. 8 is a block diagram of a digital certificate issuing device according to an exemplary embodiment.
- FIG. 9 is a block diagram of an apparatus for digital certificate issuance according to another exemplary embodiment.
- the embodiment of the invention provides a digital certificate management method and device that can establish a secure channel for data transmission between the digital certificate application device and the digital certificate issuing device and encrypt the messages exchanged between them, thereby effectively improving the security of digital certificate management.
- FIG. 1 is an exemplary application scenario of an embodiment of the present invention.
- the method and device provided by the embodiments of the present invention may be applied to the scenario shown in FIG. 1, where the digital certificate application device and the digital certificate issuing device may be connected through a network, and the connection may be any form of wired and/or wireless connection (e.g., WLAN, LAN, cellular, coaxial cable, etc.).
- the digital certificate application device includes, but is not limited to, an existing, developing, or future developed smartphone, non-smart phone, tablet, laptop personal computer, desktop personal computer, small computer, medium-sized computer, large computer, etc.
- the digital certificate application device can apply for, download and update a certificate, etc.
- a digital certificate issuing device may be, for example, a certificate authority (CA) server.
- the embodiments of the present invention can be applied to many industries such as wireless operation networks, aviation, transportation, electric power, broadcasting, finance, medical, education, industry and commerce.
- embodiments of the present invention are not limited in this respect. Rather, embodiments of the invention may be applied to any scenario that is applicable.
- a digital certificate management method shown in an exemplary embodiment of the present invention will be described below with reference to FIGS. 2 to 6.
- FIG. 2 is a flowchart of a digital certificate management method according to an embodiment of the present invention. As shown in FIG. 2, it may include:
- the digital certificate application device establishes a secure data channel by using the obtained authorization code to negotiate with the digital certificate issuing device to generate a security key, where the security key includes a data communication key.
- the digital certificate applicant may request an authorization code for downloading the digital certificate from the digital certificate issuer.
- the digital certificate applicant may be, for example, a digital certificate application device, and the digital certificate issuer may be, for example, a digital certificate issuance device.
- the present invention does not limit the specific authorization code request mode.
- a digital certificate applicant may request an authorization code from a digital certificate issuer by means of a text message, a mail, a dedicated request, or the like.
- the digital certificate issuer can send the authorization code to the digital certificate applicant in a certain way.
- a digital certificate issuer can send an authorization code to a digital certificate applicant by means of a text message, an email, a dedicated message, or the like.
- the authorization code is generated by the digital certificate issuer itself; it may be generated in real time when the digital certificate applicant requests it or generated in advance, and it may be a combination of letters and/or numbers and/or symbols subject to a certain length requirement. The authorization code also has a certain period of validity, and once that period is exceeded the authorization code becomes invalid.
- the authorization codes assigned by the digital certificate issuer to different digital certificate applicants differ from one another during their period of use.
- the digital certificate application device may negotiate with the digital certificate issuing device to establish a secure data channel by using the obtained authorization code, where the secure data channel is used for secure data transmission.
- the digital certificate application device may generate a security key using the authorization code; the security key may include one or more keys, which include a data communication key.
- the security key may also include a data session key.
- the data communication key is used to encrypt a message transmitted by the digital certificate application device and the digital certificate issuing device in a secure data channel.
- a security key is generated on both the digital certificate application device side and the digital certificate issuing device side to facilitate encryption and decryption of messages.
- the data session key can be used to encrypt certificate request data or certificate response data.
- the certificate request data is specifically data carried by the digital certificate management request message.
- the certificate response data is specifically data carried by the digital certificate management response message.
- the digital certificate application device sends a digital certificate management request message to the digital certificate issuing device by using the secure data channel, where the digital certificate management request message is encrypted by the data communication key.
- the digital certificate management request message is subjected to encryption processing.
- the data communication key generated in S201 is used for encryption processing, thereby effectively improving the security of message transmission.
- the data included in the digital certificate management request message may be encrypted once or twice.
- in the single-encryption case, the digital certificate management request message is encrypted with the data communication key for transmission over the secure data channel before being sent to the digital certificate issuing device.
- in the double-encryption case, the certificate request data carried in the digital certificate management request message has already been encrypted with another key in the security key, such as the data session key, and the message then undergoes the second encryption with the data communication key when it is transmitted over the secure data channel.
- the digital certificate application device and the digital certificate issuing device may agree in advance on the number of encryptions, the encryption algorithm, and the type of key used for each encryption (i.e., the data communication key and the data session key).
- the digital certificate issuing device receives the digital certificate management request message, and sends a digital certificate management response message to the digital certificate applying device by using the secure data channel.
- the digital certificate management response message is encrypted by the data communication key.
- the digital certificate issuing device first decrypts the digital certificate management request message with the security key it generated, processes the data carried by the digital certificate management request message, generates a digital certificate management response message, and sends the digital certificate management response message to the digital certificate application device.
- the digital certificate management response message is subjected to encryption processing.
- the data communication key generated in S201 is used for encryption processing, thereby effectively improving the security of message transmission.
- the digital certificate management response message may likewise be encrypted once or twice.
- as with the digital certificate management request message in S202, the certificate request data contained in the request message may already have been encrypted with a key in the security key, such as the data session key, before transmission, with the second encryption performed with the data communication key when the message is transmitted over the secure data channel.
- the digital certificate management response message may likewise be encrypted twice, first with the data session key and then with the data communication key.
- the digital certificate application device and the digital certificate issuing device may agree in advance on the number of encryptions, the encryption algorithm, and the type of key used for each encryption (i.e., the data communication key and the data session key).
- the digital certificate application device receives the digital certificate management response message sent by the digital certificate issuing device by using the secure data channel.
- the digital certificate management response message is encrypted by the data communication key.
- the present invention does not limit the messages and interaction mode used by the digital certificate application device and the digital certificate issuing device; as long as the above interaction can be used to realize automatic application, query, update and revocation of digital certificates and revocation list acquisition, it falls within the scope of protection of the present invention.
- the digital certificate management request message may include digital certificate request information, digital certificate acquisition information, digital certificate revocation information, digital certificate revocation list information, and the like.
- the digital certificate management response message includes digital certificate response information.
- the digital certificate application device processes the digital certificate management response message, and obtains a processing result.
- the digital certificate application device decrypts and verifies the digital certificate management response message, obtains the message content, determines the digital certificate to use according to its needs, and performs processing such as installing or updating the digital certificate.
- the digital certificate management request message carries certificate request data, and the digital certificate management response message carries certificate response data. Depending on whether the certificate request data and/or the certificate response data are encrypted, the following implementation manners are possible:
- in the first implementation manner, the certificate request data and the certificate response data are plaintext, and the digital certificate management request message and the digital certificate management response message are each encrypted once with the data communication key of the secure data channel.
- here, the digital certificate management request message being encrypted by the data communication key means that the digital certificate management request message is encrypted with the data communication key of the secure data channel, and the digital certificate management response message being encrypted by the data communication key means that the digital certificate management response message is encrypted with the data communication key of the secure data channel.
- in the second implementation manner, the certificate request data is first encrypted with the data session key, while the certificate response data is not encrypted and remains plaintext.
- the digital certificate management request message is then encrypted a second time with the data communication key, and the digital certificate management response message is encrypted once with the data communication key.
- here, the digital certificate management request message being encrypted by the data communication key means that, before the digital certificate management request message is encrypted with the data communication key of the secure data channel, the certificate request data it carries has been encrypted with the data session key.
- the digital certificate management response message being encrypted by the data communication key means that the digital certificate management response message is encrypted with the data communication key of the secure data channel.
- in the third implementation manner, the certificate request data is first encrypted with the data session key, and the certificate response data is also first encrypted with the data session key.
- the data session key and encryption method used for the certificate response data correspond to those used for the certificate request data.
- the digital certificate management request message and the digital certificate management response message are then each encrypted a second time with the data communication key.
- here, the digital certificate management request message being encrypted by the data communication key means that, before the digital certificate management request message is encrypted with the data communication key of the secure data channel, the certificate request data it carries has been encrypted with the data session key;
- and the digital certificate management response message being encrypted by the data communication key means that, before the digital certificate management response message is encrypted with the data communication key of the secure data channel, the certificate response data it carries has been encrypted with the data session key.
- the method may further include:
- the digital certificate application device sends a digital certificate management confirmation message to the digital certificate issuing device by using the secure data channel, where the digital certificate management confirmation message is encrypted by the data communication key.
- the digital certificate management confirmation message is encrypted.
- the data communication key generated in S201 is used for encryption processing, thereby effectively improving the security of message transmission.
- the digital certificate issuing device receives and processes the digital certificate management confirmation message.
- the digital certificate application device may use the obtained authorization code to negotiate with the digital certificate issuing device to establish a secure data channel, generate a security key, and interact with the digital certificate requesting device and the digital certificate issuing device message.
- the generated security key is used to encrypt and process the message, which effectively improves the security of data transmission, and can be applied to automatic application, query, update, revocation and revocation list acquisition of digital certificates in a plurality of different types of scenarios.
- during the message exchange between the digital certificate application device and the digital certificate issuing device, if a message is not received within a certain period of time after it is sent, it needs to be retransmitted.
- FIG. 3 is a flowchart of a digital certificate management method according to another embodiment of the present invention. As shown in FIG. 3, the following steps may be included:
- the digital certificate application device obtains an authorization code.
- the digital certificate application device requests an authorization code for downloading the digital certificate from the digital certificate issuing device, and acquires an authorization code sent by the digital certificate issuing device.
- the digital certificate application device uses the obtained authorization code to negotiate with the digital certificate issuing device to establish a secure data channel, and generate a security key.
- a secure data channel can be established between the digital certificate application device and the digital certificate issuing device.
- the digital certificate requesting device uses the authorization code to generate a security key for secure data channel data transmission.
- the present invention does not limit the manner in which the secure channel is established, as long as the shared security key for data transmission can be generated using the authorization code.
- the secure data channel can be established as follows:
- the digital certificate application device and the digital certificate issuing device perform secure data channel negotiation.
- S302B The digital certificate application device and the digital certificate issuing device use the authorization code and the random number and identity information obtained during the negotiation process to generate a security key of the secure channel.
- the security key may include a data communication key, and may further include a data session key.
- the data communication key is used by the digital certificate application device and the digital certificate issuing device to encrypt the messages they exchange over the secure data channel before transmission.
- the data session key is used to encrypt the certificate request data and/or the certificate response data carried by the message before transmitting the message.
- S302C The digital certificate application device and the digital certificate issuing device verify the secure channel confirmation message by using an integrity check code.
- the digital certificate application device and the digital certificate issuing device perform the secure data channel negotiation, where the digital certificate application device sends the first random number and the first identity information to the digital certificate issuing device, and receives the second random number and the second identity information sent by the digital certificate issuing device.
- the first random number is randomly generated by the digital certificate application device, and the first identity information may be an identifier of the digital certificate application device, such as an IP address, a MAC address, an email address, a full domain name string, or International Mobile Subscriber Identity (IMSI), etc.
- the second random number is randomly generated by the digital certificate issuing device, and the second identity information may specifically be an identifier of the digital certificate issuing device, such as an IP address, a MAC address, an email address, a full domain name string, or an International Mobile Subscriber Identity (IMSI), etc.
- the process of the interaction between the digital certificate application device and the digital certificate issuance device may be initiated by the digital certificate application device or may be initiated by the digital certificate issuance device.
- the present invention does not limit the specific interaction mode.
- the digital certificate application device and the digital certificate issuing device use the authorization code and the random numbers and identity information obtained during the negotiation process to generate the security key of the secure channel, including: the digital certificate application device and the digital certificate issuing device generate the security key by using the authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- the security key may include one or more sets of keys.
- the security key may include a data communication key for data transmission, may further include an integrity check key for integrity verification, and may further include a data session key for encrypting the certificate request data and/or the certificate response data.
- when the security key further includes an integrity check key, the digital certificate application device and the digital certificate issuing device perform key confirmation of the secure channel by using an integrity check code, including: the digital certificate application device and the digital certificate issuing device generate an integrity check code by using the random numbers and the integrity check key, and verify the secure channel acknowledgement message by using the integrity check code.
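The key derivation and key confirmation described above, as an added example in Go that is not code from the patent. The patent does not name a key derivation function; this example binds the authorization code to both random numbers and both identity strings with HKDF over HMAC-SHA256 (implemented inline from the standard library), splits the output into the three keys the text lists, and computes the integrity check code as an HMAC over both random numbers under the integrity check key. The salt/info layout, the key lengths and the check-code input are this example's assumptions, as are the constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SecurityKeys is the key set the text describes: a data communication key for the
// channel, an integrity check key for the confirmation message, and a data session
// key for the carried certificate request/response data.
type SecurityKeys struct {
	DataCommKey    []byte
	IntegrityKey   []byte
	DataSessionKey []byte
}

// hkdfExpand is HKDF-Expand (RFC 5869) over HMAC-SHA256, written out so the
// example needs only the standard library.
func hkdfExpand(prk, info []byte, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// DeriveSecurityKeys binds the authorization code to both parties' random numbers
// and identity information. The salt/info layout is this example's choice
// (hypothetical), not a format defined by the patent.
func DeriveSecurityKeys(authCode, nonce1 []byte, id1 string, nonce2 []byte, id2 string) SecurityKeys {
	// HKDF-Extract: salt = first random number || second random number, IKM = authorization code.
	salt := append(append([]byte{}, nonce1...), nonce2...)
	ext := hmac.New(sha256.New, salt)
	ext.Write(authCode)
	prk := ext.Sum(nil)
	// The identity information enters through the info string so keys are bound to both peers.
	info := []byte("cert-mgmt secure channel|" + id1 + "|" + id2)
	okm := hkdfExpand(prk, info, 96)
	return SecurityKeys{DataCommKey: okm[:32], IntegrityKey: okm[32:64], DataSessionKey: okm[64:96]}
}

// IntegrityCheckCode is the value carried in the secure channel confirmation
// message: an HMAC over both random numbers under the integrity check key.
func IntegrityCheckCode(integrityKey, nonce1, nonce2 []byte) []byte {
	m := hmac.New(sha256.New, integrityKey)
	m.Write(nonce1)
	m.Write(nonce2)
	return m.Sum(nil)
}

// VerifyConfirmation is the receiving side: recompute the code and compare in constant time.
func VerifyConfirmation(integrityKey, nonce1, nonce2, received []byte) bool {
	return hmac.Equal(IntegrityCheckCode(integrityKey, nonce1, nonce2), received)
}

func main() {
	// Constructed sample values; in a real run the random numbers come from a CSPRNG.
	authCode := []byte("AUTH-CODE-EXAMPLE")
	n1, n2 := []byte("applicant-nonce-1"), []byte("issuer-nonce-2")
	applicant := DeriveSecurityKeys(authCode, n1, "applicant.example", n2, "issuer.example")
	issuer := DeriveSecurityKeys(authCode, n1, "applicant.example", n2, "issuer.example")
	code := IntegrityCheckCode(applicant.IntegrityKey, n1, n2)
	fmt.Println("confirmation verified by issuer:", VerifyConfirmation(issuer.IntegrityKey, n1, n2, code))
	// A peer holding a different authorization code derives different keys and fails confirmation.
	wrong := DeriveSecurityKeys([]byte("WRONG-CODE"), n1, "applicant.example", n2, "issuer.example")
	fmt.Println("wrong authorization code verified:", VerifyConfirmation(wrong.IntegrityKey, n1, n2, code))
	fmt.Println("data communication key:", hex.EncodeToString(applicant.DataCommKey))
}
```

Both devices feed the same five inputs into the derivation, so the confirmation exchange doubles as a check that the peer really holds the authorization code: a party without it derives a different integrity check key and its confirmation message fails the constant-time comparison.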
- the digital certificate application device sends a digital certificate management request message to the digital certificate issuing device by using the secure data channel.
- the digital certificate application device sends a certificate management request message to the digital certificate issuing device under the protection of the secure data channel. If the digital certificate application device does not yet have a digital certificate issued by the digital certificate issuing device, the certificate management request message carries the certificate information that needs to be included in the new digital certificate being applied for. If the digital certificate application device already holds a digital certificate issued by the digital certificate issuing device, the digital certificate management request message carries the information of the existing digital certificate, which the digital certificate issuing device uses to perform the certificate query and update.
- the digital certificate management request message may include digital certificate application information, digital certificate acquisition information, digital certificate revocation information, digital certificate revocation list information, and the like.
- the digital certificate application information, the digital certificate acquisition information, the digital certificate revocation information or the digital certificate revocation list information may be adopted but not limited to the form shown in Table 1.
- the information type value of the digital certificate management request message is 2
- the information is specifically a certificate application information, and is used to apply for a new digital certificate.
- the information type value of the digital certificate management request message is 4
- the information is specifically the certificate obtaining information, which is used to query or update the existing digital certificate.
- the information type value of the digital certificate management request message is 5
- the information is specifically certificate revocation information, and is used to revoke the existing digital certificate.
- the information type value of the digital certificate management request message is 6
- the information is specifically certificate revocation list information, and is used to request a certificate revocation list.
- the field format of the certificate application information may be, but not limited to, the form shown in Table 2.
- the field format of the certificate obtaining information may be, but not limited to, the form shown in Table 3.
- the field format of the certificate revocation information may be, but not limited to, the form shown in Table 4.
- the field format of the certificate revocation list information may be, but not limited to, the form shown in Table 5.
- the present invention does not limit the certificate request data carried in the certificate application information.
- the certificate request data carried by the digital certificate management request message includes certificate request information, a signature algorithm identifier, and a signature value.
- the certificate request information may include: a version, a holder name, a holder public key information, and an extension. These information elements are concise and can meet the basic requirements for issuing certificates.
- the signature value is obtained by the digital certificate application device generating a public-private key pair locally and signing the certificate request information with the private key using the signature algorithm indicated by the signature algorithm identifier.
- the digital certificate issuing device verifies the signature with the holder public key information in the certificate request information, and thereby determines whether the public-private key pair belongs to the digital certificate application device.
- the signature algorithm identifier and the signature value can thus be used to verify whether the public-private key pair belongs to the entity.
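The certificate request data structure and the issuing device's check described above, as an added example in Go that is not code from the patent. It builds the certificate request information (version, holder name, holder public key information, extensions), signs it with a locally generated key pair, and has the issuing device verify the signature under the public key carried inside the request, which is what proves the applicant holds the matching private key. ECDSA P-256 with SHA-256, the JSON field encoding and the identifier string are this example's assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// CertRequestInfo carries the elements the text lists. JSON is this example's
// encoding choice; encoding/json sorts map keys, so the bytes that are signed
// and the bytes that are verified are identical.
type CertRequestInfo struct {
	Version      int               `json:"version"`
	HolderName   string            `json:"holder_name"`
	HolderPubKey []byte            `json:"holder_public_key"` // DER SubjectPublicKeyInfo
	Extensions   map[string]string `json:"extensions,omitempty"`
}

// CertRequestData = certificate request information + signature algorithm identifier + signature value.
type CertRequestData struct {
	Info     CertRequestInfo `json:"info"`
	SigAlgID string          `json:"sig_alg_id"`
	SigValue []byte          `json:"sig_value"`
}

// Hypothetical identifier string for the one algorithm this example supports.
const sigAlgECDSAP256SHA256 = "ecdsa-with-sha256-p256"

// BuildCertRequestData is the applicant side: generate the holder key pair
// locally and sign the request information with the private key.
func BuildCertRequestData(holder string, ext map[string]string) (CertRequestData, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertRequestData{}, nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return CertRequestData{}, nil, err
	}
	info := CertRequestInfo{Version: 1, HolderName: holder, HolderPubKey: spki, Extensions: ext}
	tbs, err := json.Marshal(info)
	if err != nil {
		return CertRequestData{}, nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return CertRequestData{}, nil, err
	}
	return CertRequestData{Info: info, SigAlgID: sigAlgECDSAP256SHA256, SigValue: sig}, priv, nil
}

// VerifyCertRequestData is the issuing device's check: the signature must verify
// under the public key inside the request information. Only then does the
// request prove that the applicant holds the private key for that public key.
func VerifyCertRequestData(req CertRequestData) error {
	if req.SigAlgID != sigAlgECDSAP256SHA256 {
		return fmt.Errorf("unsupported signature algorithm identifier %q", req.SigAlgID)
	}
	pub, err := x509.ParsePKIXPublicKey(req.Info.HolderPubKey)
	if err != nil {
		return fmt.Errorf("holder public key information: %w", err)
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || ecPub.Curve.Params().Name != "P-256" {
		return fmt.Errorf("holder key is not a P-256 ECDSA key")
	}
	tbs, err := json.Marshal(req.Info)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(tbs)
	if !ecdsa.VerifyASN1(ecPub, digest[:], req.SigValue) {
		return fmt.Errorf("signature does not verify: possession of the private key not shown")
	}
	return nil
}

func main() {
	req, _, err := BuildCertRequestData("device-001.example", map[string]string{"role": "sensor"})
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer accepts request:", VerifyCertRequestData(req) == nil)
	req.Info.HolderName = "someone-else.example" // altered after signing
	fmt.Println("after altering the holder name:", VerifyCertRequestData(req))
}
```

The check is deliberately strict about the algorithm identifier: the issuing device only honours identifiers it knows, so a request cannot steer it into a weaker or unexpected verification path.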
- the certificate request information in the certificate request data may further include more complete information: a serial number, an issuer name, and an expiration date.
- This information can extend the certificate issuance function, such as the specific information that the digital certificate applicant requires to limit the certificate.
- the certificate request data may be subjected to an encryption process.
- the certificate request data is the data obtained by the digital certificate application device, after the secure data channel is established, encrypting the certificate request information, the signature algorithm identifier, and the signature value with the generated data session key.
- the certificate request data should further include an encryption algorithm identifier; accordingly, the certificate request data specifically includes the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier, and the signature value with the data session key using the encryption algorithm indicated by that identifier.
- the certificate request data structure elements are more complete and more versatile, and the certificate request data is kept secret while verifying the entity to which the public and private keys belong.
- using such a certificate request data structure over a secure data channel gives the certificate request data two layers of confidentiality protection, further improving the security of data transmission.
- the digital certificate application device receives the digital certificate management response message sent by the digital certificate issuing device by using the secure data channel.
- the digital certificate issuing device sends a certificate management response message to the digital certificate application device under the protection of the secure data channel.
- the digital certificate management response message includes a new digital certificate generated by the digital certificate issuing device according to the certificate request data included in the digital certificate requesting information.
- the digital certificate management response message carries the queried or updated digital certificate.
- the digital certificate issuing device decides how to process the request according to the information type in the digital certificate management request message. If certificate application information is received and the certificate information to be protected is determined to exist, a new digital certificate is issued according to the certificate request data; if certificate obtaining information is received and the existing digital certificate it refers to exists, that digital certificate is queried according to the issuing device name and serial number; if certificate revocation information is received, the existing digital certificate identified by the issuing device name and serial number it contains is revoked; if certificate revocation list information is received, the certificate revocation list is queried according to the issuing device name.
- the digital certificate issuing device carries the above certificate in the digital certificate management response message.
- the digital certificate management response message may take the form shown in Table 6, but is not limited to it.
- the format of the certificate response information may be, but is not limited to, the form shown in Table 7.
- the certificate generation type can be as shown in Table 8, which lists the certificate types corresponding to different certificate owners.
- the AS certificate is an authentication server certificate
- the CA certificate is an authorization center certificate
- the digital certificate management response message is encrypted.
- the generated data communication key is used for encryption processing, thereby improving the security of message transmission.
- the digital certificate management response message may be encrypted once or encrypted twice.
- for example, before the digital certificate management request message is encrypted, the certificate request data it contains is encrypted with one set of keys in the security key, such as the data session key; the second encryption is then performed with the data communication key when the message is transmitted over the secure data channel.
- the digital certificate management response message may likewise have its certificate response data encrypted twice, by using the data session key and then the data communication key.
- the certificate response data should further include an encryption algorithm identifier; correspondingly, the certificate response data specifically includes the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm indicated by that identifier.
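The two-layer protection described for the certificate request data (and, in the same way, for the certificate response data), as an added example in Go that is not code from the patent. The carried certificate request data is sealed under the data session key together with an encryption algorithm identifier, the resulting digital certificate management request message is sealed again under the data communication key of the secure data channel, and the issuing device removes the layers in reverse. AES-256-GCM as the algorithm behind the identifier, the JSON encoding, the associated-data labels and the constructed keys are this example's assumptions; the information type value 2 is the one the page gives for certificate application information.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// Information type value for certificate application information (Table 1 on the page).
const InfoTypeCertApplication = 2

// Hypothetical encryption algorithm identifier; the page leaves the algorithm open.
const encAlgAES256GCM = "aes-256-gcm"

// Sealed is ciphertext together with the encryption algorithm identifier the
// text requires; the GCM nonce is prefixed to the ciphertext.
type Sealed struct {
	EncAlgID string `json:"enc_alg_id"`
	Data     []byte `json:"data"`
}

// sealWith encrypts plaintext under key with AES-256-GCM, binding aad to the ciphertext.
func sealWith(key, plaintext, aad []byte) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return Sealed{}, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return Sealed{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return Sealed{}, err }
	return Sealed{EncAlgID: encAlgAES256GCM, Data: gcm.Seal(nonce, nonce, plaintext, aad)}, nil
}

// openWith reverses sealWith; any change to ciphertext, key or aad fails authentication.
func openWith(key []byte, s Sealed, aad []byte) ([]byte, error) {
	if s.EncAlgID != encAlgAES256GCM {
		return nil, fmt.Errorf("unsupported encryption algorithm identifier %q", s.EncAlgID)
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(s.Data) < ns { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, s.Data[:ns], s.Data[ns:], aad)
}

// CertReq is the digital certificate management request message: the information
// type plus the certificate request data, already sealed under the data session key.
type CertReq struct {
	InfoType        int    `json:"info_type"`
	CertRequestData Sealed `json:"cert_request_data"`
}

// WrapCertReq is the applicant side: inner layer with the data session key over the
// carried data, outer layer with the data communication key over the whole message.
func WrapCertReq(sessionKey, commKey []byte, infoType int, certRequestData []byte) ([]byte, error) {
	inner, err := sealWith(sessionKey, certRequestData, []byte("cert-request-data"))
	if err != nil { return nil, err }
	msg, err := json.Marshal(CertReq{InfoType: infoType, CertRequestData: inner})
	if err != nil { return nil, err }
	outer, err := sealWith(commKey, msg, []byte("CertReq"))
	if err != nil { return nil, err }
	return json.Marshal(outer)
}

// UnwrapCertReq is the issuing device's side: remove the channel layer first, then
// decrypt the carried certificate request data. Each layer reports its own failure.
func UnwrapCertReq(sessionKey, commKey, wire []byte) (int, []byte, error) {
	var outer Sealed
	if err := json.Unmarshal(wire, &outer); err != nil { return 0, nil, err }
	msg, err := openWith(commKey, outer, []byte("CertReq"))
	if err != nil { return 0, nil, fmt.Errorf("outer layer (data communication key): %w", err) }
	var req CertReq
	if err := json.Unmarshal(msg, &req); err != nil { return 0, nil, err }
	data, err := openWith(sessionKey, req.CertRequestData, []byte("cert-request-data"))
	if err != nil { return 0, nil, fmt.Errorf("inner layer (data session key): %w", err) }
	return req.InfoType, data, nil
}

func main() {
	// Constructed keys; in the protocol both belong to the security key derived with the authorization code.
	sessionKey, commKey := make([]byte, 32), make([]byte, 32)
	for i := range sessionKey {
		sessionKey[i], commKey[i] = byte(i), byte(0xff-i)
	}
	wire, err := WrapCertReq(sessionKey, commKey, InfoTypeCertApplication, []byte("constructed certificate request data"))
	if err != nil { panic(err) }
	infoType, data, err := UnwrapCertReq(sessionKey, commKey, wire)
	fmt.Println(infoType, string(data), err)
}
```

Because the two layers use different keys, a party that only holds the data communication key (for instance a channel endpoint that relays the message) can read the information type but not the certificate request data, which is the point of the second layer the text describes.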
- the digital certificate application device processes the digital certificate management response message, and obtains a processing result.
- the digital certificate application device determines the digital certificate to be used according to the requirements.
- the method may further include:
- the digital certificate application device sends a digital certificate management confirmation message to the digital certificate issuing device by using the secure data channel, where the digital certificate management confirmation message is encrypted by the data communication key.
- a secure and reliable data transmission channel is established through the foregoing S301 and S302 messages, and the three steps S303, S304, and S305 are exchanged over it to realize automatic application, query, and update of the digital certificate, making the digital certificate management more efficient, secure, and reliable.
- FIG. 5 is a schematic diagram of the message contents in the method for automatically applying for, querying, updating, and revoking the digital certificate and obtaining the revocation list.
- the digital certificate management request message CertReq may specifically include digital certificate application information, digital certificate acquisition information, digital certificate revocation information, and digital certificate revocation list information.
- the digital certificate management response message CertRes may include digital certificate response information and the like.
- the digital certificate management confirmation message CertConfirm can be used to disconnect the digital certificate requesting device and the digital certificate issuing device.
- the digital certificate management method provided by the present invention is described above from the digital certificate application device side. It will be understood by those skilled in the art that the method provided by the present invention can also be applied to the digital certificate issuing device side, and the processing therein can be performed corresponding to the examples shown in FIGS. 2 to 5. For example, the method may be further applied to: the digital certificate issuing device uses the authorization code to establish a secure data channel with the digital certificate application device to generate a security key, where the security key includes the data communication key.
- the method further comprises the digital certificate issuing device receiving and processing a digital certificate management confirmation message generated by the digital certificate requesting device and transmitted using the secure data channel.
- the digital certificate issuing device negotiates with the digital certificate application device to establish a secure data channel by using the authorization code, and generating the security key includes: the digital certificate issuing device and the digital certificate application device perform a secure data channel negotiation; the digital certificate issuing device and the digital certificate application device use the authorization code and the random numbers and identity information obtained in the negotiation process to generate the security key of the secure channel; and the digital certificate issuing device and the digital certificate application device verify the secure channel confirmation message by using an integrity check code.
- the digital certificate issuing device performs secure data channel negotiation with the digital certificate application device, where the digital certificate issuing device sends the second random number and the second identity information to the digital certificate application device, and receives the first random number and the first identity information sent by the digital certificate application device.
- the digital certificate issuing device and the digital certificate application device use the authorization code and the random numbers and identity information obtained during the negotiation process to generate the security key of the secure channel, including: the digital certificate issuing device generates the security key by using the authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- FIG. 6 is a schematic diagram of a digital certificate application device according to an embodiment of the present invention.
- a digital certificate application device 600 includes:
- the secure data channel establishing unit 601 is configured to establish a secure data channel by using the obtained authorization code to negotiate with the digital certificate issuing device to generate a security key, where the security key includes a data communication key.
- the encryption unit 602 is configured to perform encryption processing on the certificate management request message by using the data communication key.
- the sending unit 603 is configured to send, by using the secure data channel, a digital certificate management request message to the digital certificate issuing device, where the digital certificate management request message is encrypted by the data communication key.
- the receiving unit 604 is configured to receive, by using the secure data channel, a digital certificate management response message sent by the digital certificate issuing device, where the digital certificate management response message is encrypted by the data communication key.
- the processing unit 605 is configured to process the digital certificate management response message, and obtain a processing result.
- the processing unit 605 is further configured to generate a digital certificate management confirmation message, and the sending unit 603 is further configured to send, by using the secure data channel, the digital certificate management confirmation message to the digital certificate issuing device, where the digital certificate management confirmation message is encrypted by the data communication key.
- the encryption unit 602 is further configured to: encrypt the certificate request data carried in the digital certificate management request message by using the data session key before the digital certificate management request message is encrypted by the data communication key of the secure data channel.
- the certificate request information further includes a serial number, an issuer name, and an expiration date.
- the certificate request data sent by the sending unit 603 further includes an encryption algorithm identifier, specifically including the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier, and the signature value with the data session key using the encryption algorithm indicated by that identifier; correspondingly, the encryption unit 602 is further configured to:
- the sending unit 603 includes:
- a first sending unit configured to send digital certificate request information to the digital certificate issuing device by using the secure data channel, to apply for a new digital certificate, where the digital certificate request information includes a certificate generating manner and certificate request data; and/or
- a second sending unit configured to send digital certificate obtaining information to the digital certificate issuing device by using the secure data channel, for querying or updating an existing digital certificate, where the digital certificate obtaining information includes an issuing device name and a serial number field; and/or
- a third sending unit configured to send, by using the secure data channel, digital certificate revocation information to the digital certificate issuing device for applying for revocation of an existing digital certificate, where the digital certificate revocation information includes an issuing device name, a serial number, and a revocation reason field; and/or
- a fourth sending unit configured to send, by using the secure data channel, digital certificate revocation list information to the digital certificate issuing device for requesting a digital certificate revocation list, where the digital certificate revocation list information includes an issuing device name field.
- the secure data channel establishing unit 601 includes:
- a key generation unit configured to generate a security key of the secure channel with the digital certificate issuing device using the authorization code and the random number and the identity information obtained during the negotiation process;
- the key confirmation unit is configured to verify the secure channel confirmation message with the digital certificate issuing device by using an integrity check code.
- the negotiating unit is specifically configured to:
- the key generation unit is specifically configured to:
- the digital certificate application device and the digital certificate issuing device generate a security key by using an authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- the security key generated by the key generation unit further includes an integrity check key
- the key confirmation unit is specifically configured to:
- the digital certificate application device and the digital certificate issuing device generate an integrity check code by using a random number, the integrity check key, and verify the secure channel acknowledgement message by using the integrity check code.
- each unit or module of the device of the present invention can be implemented by referring to the methods shown in FIG. 2 to FIG. 5 , and details are not described herein.
- the digital certificate management device may be a stand-alone device, may be integrated with the digital certificate issuing device, or exist as a part of the digital certificate issuing device, and is not limited herein.
- FIG. 7 is a block diagram of an apparatus for digital certificate application according to another embodiment of the present invention.
- the processor 701 is, for example, a CPU.
- the memory 702 may include a high speed random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
- one or more programs are stored in the memory and configured to be executed by the one or more processors 701, the one or more programs including instructions for: negotiating with the digital certificate issuing device by using the obtained authorization code to establish a secure data channel and generate a security key, where the security key includes a data communication key; encrypting the digital certificate management request message by using the data communication key; sending the digital certificate management request message to the digital certificate issuing device by using the secure data channel, the digital certificate management request message being encrypted by the data communication key; receiving, by using the secure data channel, the digital certificate management response message sent by the digital certificate issuing device, the digital certificate management response message being encrypted by the data communication key; and processing the digital certificate management response message to obtain a processing result.
- the processor 701 is further configured to execute the one or more programs including instructions for: sending a digital certificate management confirmation message to the digital certificate issuing device by using the secure data channel, the digital certificate management confirmation message being encrypted by the data communication key.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: sending, by using the secure data channel, digital certificate application information to the digital certificate issuing device to apply for a new digital certificate, the digital certificate application information including a certificate generation manner and certificate request data.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: sending, by using the secure data channel, digital certificate acquisition information to the digital certificate issuing device to query or update an existing digital certificate, the digital certificate acquisition information including an issuing device name and a serial number field.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: sending, by using the secure data channel, digital certificate revocation information to the digital certificate issuing device to apply for revocation of an existing digital certificate, the digital certificate revocation information including an issuing device name, a serial number, and a revocation reason field.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: sending, by using the secure data channel, digital certificate revocation list information to the digital certificate issuing device to request a digital certificate revocation list, the digital certificate revocation list information including an issuing device name field.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: performing secure data channel negotiation with the digital certificate issuing device; generating, together with the digital certificate issuing device, the security key of the secure channel by using the authorization code and the random numbers and identity information obtained in the negotiation process; and verifying, together with the digital certificate issuing device, the secure channel confirmation message by using the integrity check code.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: sending the first random number and the first identity information to the digital certificate issuing device, and receiving the second random number and the second identity information sent by the digital certificate issuing device; and generating, together with the digital certificate issuing device, the security key by using the authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- the processor 701 is specifically configured to execute the one or more programs including instructions for: generating, together with the digital certificate issuing device, an integrity check code by using the random numbers and the integrity check key, and verifying the secure channel acknowledgement message by using the integrity check code.
- FIG. 8 is a schematic diagram of a digital certificate issuing device according to an embodiment of the present invention.
- a digital certificate issuing device 800 includes:
- the secure data channel establishing unit 801 is configured to establish a secure data channel by using an authorization code to negotiate with the digital certificate requesting device to generate a security key, where the security key includes a data communication key.
- the receiving unit 802 is configured to receive a digital certificate management request message sent by the digital certificate application device by using the secure data channel, where the digital certificate management request message is encrypted by the data communication key.
- the processing unit 803 is configured to process the received digital certificate management request message and generate a digital certificate management response message.
- the encryption unit 804 is configured to perform encryption processing on the digital certificate management response message by using the data communication key
- the sending unit 805 is configured to send, by using the secure data channel, a digital certificate management response message to the digital certificate requesting device, where the digital certificate management response message is encrypted by the data communication key.
- the receiving unit 802 is further configured to receive a digital certificate management confirmation message sent by the digital certificate application device by using the secure data channel; the processing unit 803 is further configured to process the received digital certificate management confirmation message.
- the digital certificate management response message sent by the sending unit 805 carries certificate response data;
- the encryption unit 804 is specifically configured to:
- the certificate request data carried by the digital certificate management request message received by the receiving unit 802 includes certificate request information, a signature algorithm identifier, and a signature value, where the certificate request information includes a version, a holder name, holder public key information, and extensions.
- the encryption unit 804 is further configured to:
- the digital certificate management is performed by using the data session key before the digital certificate management response message is encrypted by the data communication key of the secure data channel Encrypting the certificate response data carried in the response message;
- the certificate request information further includes a serial number, an issuer name, and an expiration date.
- the certificate response data sent by the sending unit 805 further includes an encryption algorithm identifier, specifically including an encryption algorithm identifier, and a utilization
- the encryption algorithm identifies the corresponding encryption algorithm, and the data obtained by encrypting the certificate response data by using the data session key; correspondingly, the encryption unit 804 is further configured to:
- the encryption algorithm is used to identify a corresponding encryption algorithm, and the certificate response data is encrypted by using the data session key.
- the secure data channel establishing unit 801 includes:
- a negotiating unit configured to perform secure data channel negotiation with the digital certificate requesting device;
- a key generation unit configured to generate, together with the digital certificate requesting device, the security key of the secure channel by using the authorization code and the random numbers and identity information obtained during the negotiation;
- a key confirmation unit configured to verify, together with the digital certificate requesting device, the secure channel confirmation message by using an integrity check code.
- the negotiating unit is specifically configured to send a second random number and second identity information to the digital certificate requesting device, and to receive the first random number and first identity information sent by the digital certificate requesting device;
- the key generation unit is specifically configured to generate the security key by using the authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- the security key generated by the key generation unit further includes an integrity check key;
- the key confirmation unit is specifically configured to generate, together with the digital certificate requesting device, the integrity check code by using the random numbers and the integrity check key, and to verify the secure channel confirmation message by using the integrity check code.
- FIG. 9 is a block diagram of an apparatus for digital certificate issuance according to another embodiment of the present invention.
- the processor 901 is configured to execute an executable module, such as a computer program, stored in the memory 902.
- the memory 902 may include a high-speed random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
- one or more programs are stored in the memory 902 and are configured to be executed by the one or more processors 901; the one or more programs contain instructions for: negotiating with the digital certificate requesting device using the authorization code to establish a secure data channel and generate a security key, where the security key includes a data communication key; receiving a digital certificate management request message sent by the digital certificate requesting device by using the secure data channel, where the digital certificate management request message is encrypted by the data communication key; processing the received digital certificate management request message and generating a digital certificate management response message; and sending the digital certificate management response message to the digital certificate requesting device by using the secure data channel, where the digital certificate management response message is encrypted by the data communication key.
- the processor 901 is further configured to execute the one or more programs, which include instructions for receiving and processing a digital certificate management confirmation message generated by the digital certificate requesting device and sent by using the secure data channel.
- the processor 901 is specifically configured to execute the one or more programs, which include instructions for: performing secure data channel negotiation with the digital certificate requesting device; generating, together with the digital certificate requesting device, the security key of the secure channel by using the authorization code and the random numbers and identity information obtained during the negotiation; and verifying, together with the digital certificate requesting device, the secure channel confirmation message by using the integrity check code.
- the processor 901 is specifically configured to execute the one or more programs, which include instructions for: sending a second random number and second identity information to the digital certificate requesting device, and receiving the first random number and first identity information sent by the digital certificate requesting device.
- the processor 901 is specifically configured to execute the one or more programs, which include instructions for: generating the security key by using the authorization code, the first random number, the first identity information, the second random number, and the second identity information.
- the invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules.
- generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types.
- the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected through a communication network.
- in a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
- the various embodiments in the specification are described in a progressive manner; the same or similar parts of the various embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments.
- the description of the device embodiments is relatively brief, and the relevant parts may be found in the description of the method embodiments.
- the device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Description
Digital certificate application information: Certificate generation method | Certificate request data |
Digital certificate acquisition information: Issuing device name | Serial number |
Digital certificate revocation information: Issuing device name | Serial number | Revocation reason |
Certificate revocation list information: Issuing device name |

Message | Type value | Meaning (information type) |
---|---|---|
Digital certificate management response message | 3 | Certificate response |

Certificate response: Certificate generation type | Certificate response data |

Type value | Meaning |
---|---|
1 | Client certificate |
2 | AS certificate |
3 | CA certificate |
4 | Certificate revocation list |
Claims (30)
- A digital certificate management method, characterized in that it comprises: a digital certificate requesting device negotiates with a digital certificate issuing device, using an obtained authorization code, to establish a secure data channel and generate a security key, wherein the security key comprises at least a data communication key; the digital certificate requesting device sends a digital certificate management request message to the digital certificate issuing device using the secure data channel, the digital certificate management request message being encrypted with the data communication key; the digital certificate issuing device receives the digital certificate management request message and sends a digital certificate management response message to the digital certificate requesting device using the secure data channel, the digital certificate requesting device receives the digital certificate management response message using the secure data channel, and the digital certificate management response message is encrypted with the data communication key; the digital certificate requesting device processes the digital certificate management response message and obtains a processing result.
- The method according to claim 1, characterized in that the method further comprises: the digital certificate requesting device sends a digital certificate management confirmation message to the digital certificate issuing device using the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key; the digital certificate issuing device receives and processes the digital certificate management confirmation message.
- The method according to claim 1, characterized in that the digital certificate management request message carries certificate request data and the digital certificate management response message carries certificate response data, wherein the certificate request data comprises certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprises a version, a holder name, holder public key information and extensions; the digital certificate management request message being encrypted with the data communication key comprises: the digital certificate management request message being encrypted with the data communication key of the secure data channel; the digital certificate management response message being encrypted with the data communication key comprises: the digital certificate management response message being encrypted with the data communication key of the secure data channel.
- The method according to claim 3, characterized in that the security key further comprises a data session key; correspondingly, the digital certificate management request message being encrypted with the data communication key further comprises: before the digital certificate management request message is encrypted with the data communication key of the secure data channel, the certificate request data carried by the digital certificate management request message is encrypted with the data session key; wherein the certificate request information further comprises a serial number, an issuer name and a validity period.
- The method according to claim 4, characterized in that, when the digital certificate requesting device and/or the digital certificate issuing device support two or more encryption algorithms, the certificate request data further comprises an encryption algorithm identifier; correspondingly, the certificate request data specifically comprises the encryption algorithm identifier, and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
- The method according to claim 4 or 5, characterized in that the digital certificate management response message being encrypted with the data communication key further comprises: before the digital certificate management response message is encrypted with the data communication key of the secure data channel, the certificate response data carried by the digital certificate management response message is encrypted with the data session key.
- The method according to claim 6, characterized in that, when the digital certificate requesting device and/or the digital certificate issuing device support two or more encryption algorithms, the certificate response data further comprises an encryption algorithm identifier; correspondingly, the certificate response data specifically comprises the encryption algorithm identifier, and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
- The method according to claim 1, characterized in that the digital certificate requesting device sending a digital certificate management request message to the digital certificate issuing device using the secure data channel comprises: the digital certificate requesting device sends, using the secure data channel, digital certificate application information to the digital certificate issuing device for applying for a new digital certificate, the digital certificate application information comprising a certificate generation method and certificate request data; and/or, the digital certificate requesting device sends, using the secure data channel, digital certificate acquisition information to the digital certificate issuing device for querying or updating an existing digital certificate, the digital certificate acquisition information comprising issuing device name and serial number fields; and/or, the digital certificate requesting device sends, using the secure data channel, digital certificate revocation information to the digital certificate issuing device for requesting revocation of an existing digital certificate, the digital certificate revocation information comprising issuing device name, serial number and revocation reason fields; and/or, the digital certificate requesting device sends, using the secure data channel, certificate revocation list information to the digital certificate issuing device for requesting a certificate revocation list, the certificate revocation list information comprising an issuing device name field.
- The method according to claim 1, characterized in that the digital certificate requesting device negotiating with the digital certificate issuing device, using the obtained authorization code, to establish a secure data channel and generate a security key comprises: the digital certificate requesting device and the digital certificate issuing device perform secure data channel negotiation; the digital certificate requesting device and the digital certificate issuing device generate the security key of the secure channel using the authorization code and the random numbers and identity information obtained during the negotiation; the digital certificate requesting device and the digital certificate issuing device verify the secure channel confirmation message by means of an integrity check code.
- The method according to claim 9, characterized in that the digital certificate requesting device and the digital certificate issuing device performing secure data channel negotiation comprises: the digital certificate requesting device sends a first random number and first identity information to the digital certificate issuing device, and receives a second random number and second identity information sent by the digital certificate issuing device; the digital certificate requesting device and the digital certificate issuing device generating the security key of the secure channel using the authorization code and the random numbers and identity information obtained during the negotiation comprises: the digital certificate requesting device and the digital certificate issuing device generate the security key using the authorization code, the first random number, the first identity information, the second random number and the second identity information.
- The method according to claim 9 or 10, characterized in that the security key further comprises an integrity check key, and the digital certificate requesting device and the digital certificate issuing device verifying the secure channel confirmation message by means of an integrity check code comprises: the digital certificate requesting device and the digital certificate issuing device generate the integrity check code using a random number and the integrity check key, and verify the secure channel confirmation message with the integrity check code.
- A digital certificate requesting device, characterized in that the device comprises: a secure data channel establishing unit, configured to negotiate with a digital certificate issuing device, using an obtained authorization code, to establish a secure data channel and generate a security key, wherein the security key comprises a data communication key; an encryption unit, configured to encrypt the certificate management request message with the data communication key; a sending unit, configured to send a digital certificate management request message to the digital certificate issuing device using the secure data channel, the digital certificate management request message being encrypted with the data communication key; a receiving unit, configured to receive, using the secure data channel, the digital certificate management response message sent by the digital certificate issuing device, the digital certificate management response message being encrypted with the data communication key; a processing unit, configured to process the digital certificate management response message and obtain a processing result.
- The device according to claim 12, characterized in that the processing unit is further configured to generate a digital certificate management confirmation message; the sending unit is further configured to send the digital certificate management confirmation message to the digital certificate issuing device using the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key.
- The device according to claim 12, characterized in that the certificate request data carried by the digital certificate management request message sent by the sending unit comprises certificate request information, a signature algorithm identifier and a signature value, the certificate request information comprising a version, a holder name, holder public key information and extensions; the encryption unit is specifically configured to: encrypt the digital certificate management request message with the data communication key of the secure data channel.
- The device according to claim 14, characterized in that the encryption unit is further configured to: when the security key further comprises a data session key, encrypt, with the data session key, the certificate request data carried by the digital certificate management request message before the digital certificate management request message is encrypted with the data communication key of the secure data channel; wherein the certificate request information further comprises a serial number, an issuer name and a validity period.
- The device according to claim 15, characterized in that, when the digital certificate requesting device supports two or more encryption algorithms, the certificate request data sent by the sending unit further comprises an encryption algorithm identifier, specifically comprising the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier; correspondingly, the encryption unit is further specifically configured to: encrypt the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
- The device according to claim 12, characterized in that the sending unit comprises: a first sending unit, configured to send, using the secure data channel, digital certificate application information to the digital certificate issuing device for applying for a new digital certificate, the digital certificate application information comprising a certificate generation method and certificate request data; and/or, a second sending unit, configured to send, using the secure data channel, digital certificate acquisition information to the digital certificate issuing device for querying or updating an existing digital certificate, the digital certificate acquisition information comprising issuing device name and serial number fields; and/or, a third sending unit, configured to send, using the secure data channel, digital certificate revocation information to the digital certificate issuing device for requesting revocation of an existing digital certificate, the digital certificate revocation information comprising issuing device name, serial number and revocation reason fields; and/or, a fourth sending unit, configured to send, using the secure data channel, certificate revocation list information to the digital certificate issuing device for requesting a certificate revocation list, the certificate revocation list information comprising an issuing device name field.
- The device according to claim 12, characterized in that the secure data channel establishing unit comprises: a negotiating unit, configured to perform secure data channel negotiation with the digital certificate issuing device; a key generation unit, configured to generate, with the digital certificate issuing device, the security key of the secure channel using the authorization code and the random numbers and identity information obtained during the negotiation; a key confirmation unit, configured to verify, with the digital certificate issuing device, the secure channel confirmation message by means of an integrity check code.
- The device according to claim 18, characterized in that the negotiating unit is specifically configured to: send a first random number and first identity information to the digital certificate issuing device, and receive the second random number and second identity information sent by the digital certificate issuing device; the key generation unit is specifically configured to: generate, with the digital certificate issuing device, the security key using the authorization code, the first random number, the first identity information, the second random number and the second identity information.
- The device according to claim 18 or 19, characterized in that the security key generated by the key generation unit further comprises an integrity check key, and the key confirmation unit is specifically configured to: generate, with the digital certificate issuing device, the integrity check code using a random number and the integrity check key, and verify the secure channel confirmation message with the integrity check code.
- A device for digital certificate requesting, characterized in that it comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, the one or more programs containing instructions for performing the following operations: negotiating with a digital certificate issuing device, using an obtained authorization code, to establish a secure data channel and generate a security key, wherein the security key comprises at least a data communication key; encrypting the digital certificate management request message with the data communication key; sending the digital certificate management request message to the digital certificate issuing device using the secure data channel, the digital certificate management request message being encrypted with the data communication key; receiving, using the secure data channel, the digital certificate management response message sent by the digital certificate issuing device, the digital certificate management response message being encrypted with the data communication key; processing the digital certificate management response message and obtaining a processing result.
- A digital certificate issuing device, characterized in that the device comprises: a secure data channel establishing unit, configured to negotiate with a digital certificate requesting device, using an authorization code, to establish a secure data channel and generate a security key, wherein the security key comprises at least a data communication key; a receiving unit, configured to receive the digital certificate management request message sent by the digital certificate requesting device using the secure data channel, the digital certificate management request message being encrypted with the data communication key; a processing unit, configured to process the received digital certificate management request message and generate a digital certificate management response message; an encryption unit, configured to encrypt the digital certificate management response message with the data communication key; a sending unit, configured to send the digital certificate management response message to the digital certificate requesting device using the secure data channel, the digital certificate management response message being encrypted with the data communication key.
- The device according to claim 22, characterized in that the receiving unit is further configured to receive the digital certificate management confirmation message sent by the digital certificate requesting device using the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key; the processing unit is further configured to process the received digital certificate management confirmation message.
- The device according to claim 22, characterized in that the digital certificate management response message sent by the sending unit carries certificate response data; the encryption unit is specifically configured to: encrypt the digital certificate management response message with the data communication key of the secure data channel; wherein the certificate request data carried by the digital certificate management request message received by the receiving unit comprises certificate request information, a signature algorithm identifier and a signature value, the certificate request information comprising a version, a holder name, holder public key information and extensions.
- The device according to claim 24, characterized in that the encryption unit is further configured to: when the security key further comprises a data session key, encrypt, with the data session key, the certificate response data carried by the digital certificate management response message before the digital certificate management response message is encrypted with the data communication key of the secure data channel; wherein the certificate request information further comprises a serial number, an issuer name and a validity period.
- The device according to claim 25, characterized in that, when the digital certificate issuing device supports two or more encryption algorithms, the certificate response data sent by the sending unit further comprises an encryption algorithm identifier, specifically comprising the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier; correspondingly, the encryption unit is further specifically configured to: encrypt the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
- The device according to claim 22, characterized in that the secure data channel establishing unit comprises: a negotiating unit, configured to perform secure data channel negotiation with the digital certificate requesting device; a key generation unit, configured to generate, with the digital certificate requesting device, the security key of the secure channel using the authorization code and the random numbers and identity information obtained during the negotiation; a key confirmation unit, configured to verify, with the digital certificate requesting device, the secure channel confirmation message by means of an integrity check code.
- The device according to claim 27, characterized in that the negotiating unit is specifically configured to: send a second random number and second identity information to the digital certificate requesting device, and receive the first random number and first identity information sent by the digital certificate requesting device; the key generation unit is specifically configured to: generate the security key using the authorization code, the first random number, the first identity information, the second random number and the second identity information.
- The device according to claim 27 or 28, characterized in that the security key generated by the key generation unit further comprises an integrity check key, and the key confirmation unit is specifically configured to: generate, with the digital certificate requesting device, the integrity check code using a random number and the integrity check key, and verify the secure channel confirmation message with the integrity check code.
- A device for digital certificate issuance, characterized in that it comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, the one or more programs containing instructions for performing the following operations: negotiating with a digital certificate requesting device, using an authorization code, to establish a secure data channel and generate a security key, wherein the security key comprises a data communication key; receiving the digital certificate management request message sent by the digital certificate requesting device using the secure data channel, the digital certificate management request message being encrypted with the data communication key; processing the received digital certificate management request message and generating a digital certificate management response message; encrypting the digital certificate management response message with the data communication key; sending the digital certificate management response message to the digital certificate requesting device using the secure data channel, the digital certificate management response message being encrypted with the data communication key.
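The secure data channel establishment described for the negotiating, key generation and key confirmation units of the issuing device above, and claimed in claims 9 to 11, 18 to 20 and 27 to 29, carried through as an added Python model; this is not code from the patent or its applicant. The patent names the inputs (authorization code, first and second random numbers, first and second identity information, integrity check key) but fixes no algorithm, so HMAC-SHA256 for key derivation and for the integrity check code, the three key labels, and binding the sender's identity into the check code are this example's assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Labels for the three keys that make up the patent's "security key".
# The labels, and HMAC-SHA256 itself, are this example's choice, not the patent's.
KEY_LABELS = (b"data communication key", b"data session key", b"integrity check key")


@dataclass(frozen=True)
class SecurityKey:
    data_communication_key: bytes  # encrypts whole certificate management messages
    data_session_key: bytes        # encrypts the certificate request/response data inside them
    integrity_check_key: bytes     # keys the integrity check code on the channel confirmation


def _length_prefixed(*parts: bytes) -> bytes:
    """Unambiguous concatenation: b"ab"+b"c" must not derive the same key as b"a"+b"bc"."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_security_key(auth_code: bytes, first_nonce: bytes, first_id: bytes,
                        second_nonce: bytes, second_id: bytes) -> SecurityKey:
    """Key generation unit: authorization code + both random numbers + both identities.
    Assumed construction: HMAC-SHA256 extract keyed by the authorization code, then one
    HMAC-SHA256 expand per label, so the three keys are independent of each other."""
    prk = hmac.new(auth_code, _length_prefixed(first_nonce, first_id, second_nonce, second_id),
                   hashlib.sha256).digest()
    return SecurityKey(*(hmac.new(prk, label, hashlib.sha256).digest() for label in KEY_LABELS))


def integrity_check_code(key: SecurityKey, sender_id: bytes,
                         first_nonce: bytes, second_nonce: bytes) -> bytes:
    """Key confirmation unit: check code over both random numbers under the integrity check key.
    Binding the sender's identity (assumed here) stops one side's confirmation being
    reflected back to it as the other side's."""
    return hmac.new(key.integrity_check_key,
                    _length_prefixed(sender_id, first_nonce, second_nonce), hashlib.sha256).digest()


class Party:
    """One endpoint: the digital certificate requesting device or the issuing device."""
    def __init__(self, identity: bytes, auth_code: bytes, nonce: Optional[bytes] = None):
        self.identity, self.auth_code = identity, auth_code
        self.nonce = nonce if nonce is not None else os.urandom(16)  # the "random number"
        self.key: Optional[SecurityKey] = None

    def hello(self) -> Tuple[bytes, bytes]:
        """Negotiation message: (random number, identity information)."""
        return self.nonce, self.identity

    def derive(self, first: Tuple[bytes, bytes], second: Tuple[bytes, bytes]) -> None:
        self.key = derive_security_key(self.auth_code, first[0], first[1], second[0], second[1])

    def confirm(self, first_nonce: bytes, second_nonce: bytes) -> bytes:
        """Secure channel confirmation message sent by this party."""
        return integrity_check_code(self.key, self.identity, first_nonce, second_nonce)

    def verify(self, peer_id: bytes, first_nonce: bytes, second_nonce: bytes, code: bytes) -> bool:
        expected = integrity_check_code(self.key, peer_id, first_nonce, second_nonce)
        return hmac.compare_digest(expected, code)  # constant-time compare of the check code


def negotiate(requester: Party, issuer: Party) -> bool:
    """Three-step channel establishment; True only if both confirmations verify."""
    first, second = requester.hello(), issuer.hello()  # 1: exchange random number + identity
    requester.derive(first, second)                     # 2: both sides derive the security key
    issuer.derive(first, second)
    # 3: each side checks the other's confirmation; a wrong authorization code fails here
    ok_req = requester.verify(issuer.identity, first[0], second[0], issuer.confirm(first[0], second[0]))
    ok_iss = issuer.verify(requester.identity, first[0], second[0], requester.confirm(first[0], second[0]))
    return ok_req and ok_iss
```

With matching authorization codes `negotiate` returns True and both parties hold identical keys; a requester holding the wrong code derives different keys and both confirmation checks fail.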
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18775669.7A EP3609121B1 (en) | 2017-04-01 | 2018-02-13 | Method and device for managing digital certificate |
KR1020197022430A KR102290342B1 (ko) | 2017-04-01 | 2018-02-13 | 디지털 인증서 관리 방법 및 장치 |
JP2019539969A JP7014806B2 (ja) | 2017-04-01 | 2018-02-13 | デジタル証明書管理方法及び装置 |
US16/482,463 US11363010B2 (en) | 2017-04-01 | 2018-02-13 | Method and device for managing digital certificate |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710211816.2 | 2017-04-01 | ||
CN201710211816.2A CN108667609B (zh) | 2017-04-01 | 2017-04-01 | 一种数字证书管理方法及设备 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018177045A1 (zh) | 2018-10-04 |
Family
ID=63675125
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/076618 WO2018177045A1 (zh) | 2017-04-01 | 2018-02-13 | 数字证书管理方法及设备 |
Country Status (6)
Country | Link |
---|---|
US (1) | US11363010B2 (zh) |
EP (1) | EP3609121B1 (zh) |
JP (1) | JP7014806B2 (zh) |
KR (1) | KR102290342B1 (zh) |
CN (1) | CN108667609B (zh) |
WO (1) | WO2018177045A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020149536A1 (ko) * | 2019-01-17 | 2020-07-23 | 삼성전자 주식회사 | 공유된 디지털 키를 관리하기 위한 장치 및 방법 |
US11516020B2 (en) * | 2018-06-06 | 2022-11-29 | Tencent Technology (Shenzhen) Company Limited | Key management method, apparatus, and system, storage medium, and computer device |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102287921B1 (ko) * | 2015-01-22 | 2021-08-09 | 에스케이씨 주식회사 | 그라파이트 시트 및 이의 제조방법 |
CN108667781A (zh) * | 2017-04-01 | 2018-10-16 | 西安西电捷通无线网络通信股份有限公司 | 一种数字证书管理方法及设备 |
CN110046515B (zh) * | 2019-04-18 | 2021-03-23 | 杭州尚尚签网络科技有限公司 | 一种基于短效数字证书的安全的电子签名方法 |
CN110401535B (zh) * | 2019-07-19 | 2023-03-10 | 广州优路加信息科技有限公司 | 数字证书生成、安全通信、身份认证方法及装置 |
CN110737920B (zh) * | 2019-09-25 | 2021-11-09 | 哈尔滨哈工智慧嘉利通科技股份有限公司 | 一种数字证书管控方法、装置和注册审核服务器 |
US11381403B2 (en) * | 2019-12-09 | 2022-07-05 | Sap Se | Integrating blockchain with off-chain services |
CN113765668A (zh) * | 2020-06-03 | 2021-12-07 | 广州汽车集团股份有限公司 | 一种车辆数字证书在线安装方法及车辆数字证书管理装置 |
JP2022020143A (ja) * | 2020-07-20 | 2022-02-01 | 富士通株式会社 | 通信プログラム、通信装置、及び通信方法 |
KR102421562B1 (ko) * | 2020-12-21 | 2022-07-15 | 한전케이디엔주식회사 | 암호 라이브러리 관리 시스템 및 방법 |
CN113301523B (zh) * | 2021-04-14 | 2022-09-16 | 江铃汽车股份有限公司 | 一种v2x车载终端数字证书的申请、更新方法及系统 |
CN115942314A (zh) * | 2021-08-06 | 2023-04-07 | 华为技术有限公司 | 一种证书管理方法和装置 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060269061A1 (en) * | 2001-01-11 | 2006-11-30 | Cardinalcommerce Corporation | Mobile device and method for dispensing authentication codes |
CN101640590A (zh) * | 2009-05-26 | 2010-02-03 | 深圳市安捷信联科技有限公司 | 一种获取标识密码算法私钥的方法和密码中心 |
CN102624531A (zh) * | 2012-04-25 | 2012-08-01 | 西安西电捷通无线网络通信股份有限公司 | 一种数字证书自动申请方法和装置及系统 |
CN103973696A (zh) * | 2014-05-16 | 2014-08-06 | 天地融科技股份有限公司 | 一种语音通话的数据处理方法 |
CN104160656A (zh) * | 2012-03-01 | 2014-11-19 | 塞尔蒂卡姆公司 | 用于将客户端设备与网络相连的系统和方法 |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH08316951A (ja) | 1995-05-23 | 1996-11-29 | Hitachi Ltd | 無線通信端末、無線基地局及びこれらを有する通信システム |
IL125516A0 (en) | 1998-07-26 | 1999-10-28 | Vanguard Security Technologies | Secure message management system |
US20020165912A1 (en) * | 2001-02-25 | 2002-11-07 | Storymail, Inc. | Secure certificate and system and method for issuing and using same |
JP4043860B2 (ja) | 2002-06-27 | 2008-02-06 | 株式会社日立コミュニケーションテクノロジー | 暗号化通信装置 |
JP4617763B2 (ja) | 2003-09-03 | 2011-01-26 | ソニー株式会社 | 機器認証システム、機器認証サーバ、端末機器、機器認証方法、および機器認証プログラム |
US9331990B2 (en) * | 2003-12-22 | 2016-05-03 | Assa Abloy Ab | Trusted and unsupervised digital certificate generation using a security token |
JP4802539B2 (ja) | 2005-04-11 | 2011-10-26 | ソニー株式会社 | 通信システム、通信装置、および通信方法 |
US8583929B2 (en) | 2006-05-26 | 2013-11-12 | Alcatel Lucent | Encryption method for secure packet transmission |
KR100853182B1 (ko) * | 2006-09-29 | 2008-08-20 | 한국전자통신연구원 | 다중 도메인에서 대칭키 기반 인증 방법 및 장치 |
CN100488099C (zh) | 2007-11-08 | 2009-05-13 | 西安西电捷通无线网络通信有限公司 | 一种双向接入认证方法 |
CN101521883B (zh) * | 2009-03-23 | 2011-01-19 | 中兴通讯股份有限公司 | 一种数字证书的更新和使用方法及系统 |
KR101326530B1 (ko) * | 2011-11-11 | 2013-11-08 | 고려대학교 산학협력단 | 원격 검침 시스템, 그 시스템에서의 아이디를 이용한 상호 인증을 위한 장치 및 방법 |
JP6573880B2 (ja) | 2014-06-16 | 2019-09-11 | 富士通株式会社 | 更新プログラム及び方法、及び、管理プログラム及び方法 |
CN105812136A (zh) * | 2014-12-30 | 2016-07-27 | 北京握奇智能科技有限公司 | 一种更新方法及系统、安全认证设备 |
KR101724401B1 (ko) * | 2015-05-29 | 2017-04-07 | 한국정보인증주식회사 | 생체 정보 인식과 키 분할 방식을 이용한 공인인증 시스템 및 그 방법, 그 방법을 수행하는 프로그램이 기록된 기록매체 |
CN105208044A (zh) * | 2015-10-29 | 2015-12-30 | 成都卫士通信息产业股份有限公司 | 一种适用于云计算的密钥管理方法 |
SG10201606164TA (en) | 2016-07-26 | 2018-02-27 | Huawei Int Pte Ltd | System and method for obtaining a common session key between devices |
US11153297B2 (en) * | 2016-12-06 | 2021-10-19 | Vmware, Inc. | Systems and methods to facilitate certificate and trust management across a distributed environment |
2017
- 2017-04-01 CN CN201710211816.2A patent/CN108667609B/zh active Active
2018
- 2018-02-13 KR KR1020197022430A patent/KR102290342B1/ko active IP Right Grant
- 2018-02-13 WO PCT/CN2018/076618 patent/WO2018177045A1/zh unknown
- 2018-02-13 EP EP18775669.7A patent/EP3609121B1/en active Active
- 2018-02-13 US US16/482,463 patent/US11363010B2/en active Active
- 2018-02-13 JP JP2019539969A patent/JP7014806B2/ja active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3609121A4 |
Also Published As
Publication number | Publication date |
---|---|
CN108667609A (zh) | 2018-10-16 |
US20210314170A1 (en) | 2021-10-07 |
CN108667609B (zh) | 2021-07-20 |
EP3609121A4 (en) | 2020-04-01 |
US11363010B2 (en) | 2022-06-14 |
KR102290342B1 (ko) | 2021-08-17 |
EP3609121A1 (en) | 2020-02-12 |
EP3609121B1 (en) | 2021-10-27 |
KR20190099066A (ko) | 2019-08-23 |
JP2020505849A (ja) | 2020-02-20 |
JP7014806B2 (ja) | 2022-02-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018177045A1 (zh) | 数字证书管理方法及设备 | |
WO2019047927A1 (zh) | 数字证书管理方法及设备 | |
US10855668B2 (en) | Wireless device authentication and service access | |
CN106487765B (zh) | 授权访问方法以及使用该方法的设备 | |
WO2017020452A1 (zh) | 认证方法和认证系统 | |
TW201709691A (zh) | 用於支援多用戶集群身份驗證的方法和設備 | |
JP6125523B2 (ja) | グループメンバーによるグループシークレットの単純化された管理 | |
WO2014146609A1 (zh) | 信息处理方法、信任服务器及云服务器 | |
Dougherty et al. | APECS: A distributed access control framework for pervasive edge computing services | |
WO2014194818A1 (zh) | 一种用于发现设备的用户的方法和用户设备 | |
CN109995723B (zh) | 一种域名解析系统dns信息交互的方法、装置及系统 | |
Li et al. | Itls/idtls: Lightweight end-to-end security protocol for iot through minimal latency | |
TW201426597A (zh) | 基於群組的用戶管理方法及用戶管理系統 | |
CN105791301A (zh) | 一种面向多用户组群信密分离的密钥分发管理方法 | |
JP2022522555A (ja) | セミトラステッドな中継者を使用したセキュアなメッセージ受け渡し | |
US11736462B1 (en) | Hybrid content protection architecture for email | |
Hwang et al. | A Study on Secure Data Access Scheme Based on CP-ABE in Cloud Environments | |
WO2023004261A1 (en) | Remote attestation transport layer security and split trust encryption | |
CN107104925A (zh) | 用于安全通信的方法、装置及系统 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18775669; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2019539969; Country of ref document: JP; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: 20197022430; Country of ref document: KR; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
ENP | Entry into the national phase | Ref document number: 2018775669; Country of ref document: EP; Effective date: 20191104 |