CN102447705A - Digital certificate revocation method and equipment - Google Patents

Info

Publication number: CN102447705A
Authority: CN (China)
Prior art keywords: digital certificate, certificate revocation, request message, digital, revocation request
Legal status: Pending
Application number: CN201110451508XA
Other languages: Chinese (zh)
Inventor: 邵官阁
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201110451508XA
Publication of CN102447705A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a digital certificate revocation method comprising the following steps: a client obtains a digital certificate revocation command; constructs a digital certificate revocation request message according to that command; digitally encrypts the revocation request message and sets an identity identifier on the encrypted message; and sends the encrypted revocation request message carrying the identity identifier to a certificate server, to request that the certificate server revoke the digital certificate. Because the revocation request message is constructed and sent to the certificate server as soon as the revocation command entered by the user is received, the revocation process is more direct and faster, which ensures timely revocation of digital certificates and improves the security of user information.

Description

Digital certificate revocation method and apparatus
Technical field
The present application relates to the field of network security, and in particular to a digital certificate revocation method and apparatus.
Background art
With the development of information technology and the rising quality of life, network technology has become part of everyday life, for example the online banking and personal e-mail that people use daily. As network technology changes more and more of people's lives, its communication security problems also attract more and more attention; existing communication security for network technology mostly relies on PKI technology.
Public Key Infrastructure (PKI) is a system that provides information security services by means of public-key technology and digital certificates, and is responsible for verifying the identity of digital certificate holders. PKI manages public keys by means of certificates: a Certificate Authority (CA) binds a user's public key to the user's other identity information. It is a general-purpose security infrastructure, a system or service system.
The function of PKI is to bind the certificate holder's identity to the corresponding public key by issuing digital certificates, and to provide users with convenient means of obtaining, accessing and revoking certificates. Digital certificates and the related services (certificate issuance, blacklist publication, etc.) are used to authenticate the identity of each entity in a communication, guaranteeing the confidentiality, integrity and non-repudiation of the communicated data.
The certificate authority CA is the body responsible for issuing and managing digital certificates. Its core function is exactly that: issuing certificates, renewing certificates, revoking certificates, querying certificates, archiving certificates, publishing the Certificate Revocation List (CRL), and so on.
A digital certificate, or certificate for short, is a piece of data signed and issued by the certificate authority and is the foundation of PKI technology. The certificate format is defined by X.509. A certificate is an online proof of an entity's identity: it attests the legitimacy of an entity's identity and public key and the binding between the entity and the public key. The certificate is the carrier of the public key, and the public key in the certificate is bound to a single entity identity. In short, a digital certificate is an encapsulation of an entity's public key; figuratively, it is the end entity's network identity card.
An end entity is a requester and user of PKI services, that is, a PKI user; it may be a device, a system, software or a service. The end entity is normally responsible for applying to the certificate authority CA for certificates and for revoking certificates.
When PKI technology is used for network security in practice, a user needs to revoke his or her own digital certificate, that is, the binding between the public key and the user's identity information, for reasons such as a change of user identity, user information or user public key, disclosure of the user's private key, or termination of the user's service. In the existing revocation process the user telephones or e-mails the administrator of the certificate authority CA, and the administrator revokes the user's digital certificate manually. If the CA administrator for some reason does not receive the user's revocation call or mail in time, the certificate that needs revoking cannot be revoked immediately, which creates a hidden network security risk.
Summary of the invention
To solve the above technical problem, embodiments of the invention provide a digital certificate revocation method and apparatus.
In one aspect, a digital certificate revocation method is provided, comprising:
obtaining a digital certificate revocation instruction;
constructing a digital certificate revocation request message according to the revocation instruction;
digitally encrypting the revocation request message and setting an identity identifier on the encrypted message;
sending the encrypted revocation request message carrying the identity identifier to a certificate server, to request that the certificate server revoke the digital certificate.
In another aspect, a digital certificate revocation apparatus is provided, comprising:
a receiver, for obtaining the digital certificate revocation instruction;
a processor, for constructing the digital certificate revocation request message according to the revocation instruction;
an encoder, for digitally encrypting the revocation request message and setting an identity identifier on the encrypted message;
a transmitter, for sending the encrypted revocation request message carrying the identity identifier to the certificate server, to request that the certificate server revoke the digital certificate.
In another aspect, a further digital certificate revocation method is provided, comprising:
receiving the digital certificate revocation request message sent by an end entity;
digitally decrypting the revocation request message and verifying the identity identifier of the decrypted message;
when the revocation request message is decrypted successfully and the identity identifier is verified, revoking the digital certificate corresponding to the revocation request message.
In another aspect, a further digital certificate revocation apparatus is provided, comprising:
a receiver, for receiving the digital certificate revocation request message sent by the end entity;
a processor, for digitally decrypting the revocation request message and verifying the identity identifier of the decrypted message, and, when the message is decrypted successfully and the identity identifier is verified, revoking the digital certificate corresponding to the revocation request message.
With the digital certificate revocation method and apparatus provided by the invention, when a revocation instruction entered by the user is received, a revocation request message is constructed from it and sent to the certificate server; on receiving the request message, the certificate server looks up the corresponding digital certificate and revokes it. The revocation process is more direct and faster, the timeliness of revocation is guaranteed, and the user's information is made safer.
At the same time, before the constructed revocation request message is sent to the certificate server, the method and apparatus digitally encrypt it and set an identity identifier on the encrypted message, which guarantees the security of the revocation request message during transmission.
Description of drawings
To explain the technical solutions of the embodiments more clearly, the drawings needed to describe the embodiments are introduced briefly below. Obviously, the drawings described below are only some of the embodiments recorded in the application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a digital certificate revocation method provided by embodiment one of the invention;
Fig. 2 is a flow chart of another digital certificate revocation method provided by embodiment one of the invention;
Fig. 3 is a flow chart of a digital certificate revocation method provided by embodiment two of the invention;
Fig. 4 is a flow chart of another digital certificate revocation method provided by embodiment two of the invention;
Fig. 5 is a structural diagram of a digital certificate revocation apparatus provided by embodiment three of the invention;
Fig. 6 is a structural diagram of another digital certificate revocation apparatus provided by embodiment three of the invention;
Fig. 7 is a structural diagram of another digital certificate revocation apparatus provided by embodiment three of the invention;
Fig. 8 is a flow chart of a digital certificate revocation method provided by embodiment four of the invention;
Fig. 9 is a flow chart of another digital certificate revocation method provided by embodiment four of the invention;
Fig. 10 is a flow chart of another digital certificate revocation method provided by embodiment four of the invention;
Fig. 11 is a flow chart of a digital certificate revocation apparatus provided by embodiment five of the invention;
Fig. 12 is a flow chart of another digital certificate revocation apparatus provided by embodiment five of the invention;
Fig. 13 is a flow chart of a digital certificate revocation method provided by embodiment six of the invention.
Embodiments
To enable those skilled in the art to understand the application's solution better, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the application's embodiments. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the application.
Embodiment one
Fig. 1 shows the flow of the digital certificate revocation method provided by this embodiment. It is applied in an end entity that uses PKI technology and comprises:
Step S101: obtain a digital certificate revocation instruction.
In this embodiment the revocation instruction may be one that the user sends to the end entity when the user needs to revoke his or her own certificate, for reasons such as a change of user identity, user information or user public key, disclosure of the user's private key, or termination of the user's service; it may also be an instruction generated automatically by a network device acting as end entity after it detects that it has been attacked.
Step S102: construct a digital certificate revocation request message according to the revocation instruction.
On receiving the revocation instruction entered by the user, the end entity constructs the revocation request message from it. The concrete construction process, shown in Fig. 2, comprises:
Step S201: parse the data about the certificate to be revoked that is contained in the revocation instruction;
Step S202: construct the revocation request message from that data.
The constructed revocation request message contains the following information: an interaction ID, the reason for revocation, the issuer name of the certificate to be revoked, the serial number of the certificate to be revoked, and the physical address of the certificate to be revoked in the certificate server. The interaction ID identifies the revocation exchange for this certificate.
Step S103: digitally encrypt the revocation request message and set an identity identifier on the encrypted message;
The revocation request message is digitally encrypted so that it cannot be tampered with or eavesdropped on in transit; at the same time, an identity identifier is set on the encrypted message so that the revocation request cannot be impersonated or forged and the requester's identity can be checked effectively.
Step S104: send the encrypted revocation request message carrying the identity identifier to the certificate server, to request that the certificate server revoke the digital certificate.
The revocation method of this embodiment can be applied in a variety of digital certificate revocation protocols; below, its application in the SCEP protocol is taken as an example.
SCEP, the Simple Certificate Enrollment Protocol, is a simple certificate management protocol used for certificate enrollment, certificate retrieval, polling of enrollment status and CRL retrieval. The protocol does not support certificate revocation. SCEP defines two SCEP objects, the SCEP client and the SCEP server; the role of SCEP server is normally played by the certificate authority CA and that of SCEP client by the end entity.
Using the revocation method of this embodiment on top of SCEP, when the user needs to revoke a certificate, the user sends a revocation instruction to the SCEP client, and the SCEP client constructs the revocation request message from that instruction.
In this embodiment a new SCEP message type is added on top of the SCEP protocol: CertRevokeReq (message code value 28), the digital certificate revocation request message, which follows the format description of SCEP Secure Message Objects.
To prevent the constructed revocation request message from being read by an attacker, the SCEP client encrypts and encapsulates it in digital envelope form.
A digital envelope works like an ordinary envelope: it uses cryptographic techniques to ensure that only the designated recipient can read the content.
A digital envelope uses both a symmetric and an asymmetric algorithm. The sender first encrypts the information with a randomly generated or pre-configured symmetric key, then encrypts that symmetric key with the recipient's public key; the symmetric key encrypted under the public key is called the digital envelope:
Encrypted_Data = EncryptedWithSymmetricalKey(Data)
Digital_Envelope = EncryptedWithRecipientPublicKey(Symmetrical_Key)
When the recipient wants to decrypt the information, it must first decrypt the digital envelope with its own private key to obtain the symmetric key, and then decrypt the information with that symmetric key. This guarantees the authenticity of the transmitted data and that it cannot be spied on.
Concretely, on top of SCEP, the digital envelope encryption and encapsulation of the revocation request message in this embodiment is as follows:
In the SCEP client, encrypt the revocation request message with a randomly generated symmetric key, then encrypt that symmetric key with the public key of the SCEP server's digital certificate to produce the digital envelope. The digital envelope is attached to the revocation request message.
To prevent the revocation request message from being forged or tampered with by an attacker, the SCEP client applies a digital signature to the message after the digital envelope operation.
A digital fingerprint is a fixed-length sequence computed from a piece of data by a hash algorithm: Finger_Print = HASH(Data).
A digital signature is the digital fingerprint of the original data encrypted with the user's own private key: the user first computes the fingerprint of the original data with a hash algorithm and then encrypts the fingerprint with the private key, producing the digital signature: Digital_Signature = Encrypted(HASH(Data)).
In the SCEP client, first compute the digital fingerprint of the revocation request message, then encrypt the fingerprint with the client's own private key to produce the digital signature. The digital signature is attached to the revocation request message.
The revocation request message, digitally enveloped and digitally signed, is sent to the SCEP server, which revokes the certificate that needs revoking.
Embodiment two
On the basis of the method of Fig. 1, after the revocation request message has been sent to the certificate server, the method optionally also waits for the certificate server's response to the request, as shown in Fig. 3, comprising steps S101-S107, where:
Steps S101-S104 are the same as in embodiment one and are not repeated here.
Step S105: wait to receive the digital certificate revocation response message returned by the server of the certificate authority, and start timing when the revocation request message is sent to the certificate server;
After the revocation request message is sent, timing starts from the moment it was sent, recording the time elapsed from sending the request to waiting for the revocation response message from the certificate server.
Step S106: judge whether the preset time has been exceeded; if it has been exceeded and no revocation response message from the certificate server has been received, execute step S107;
Step S107: resend the revocation request message to the certificate server, then return to step S105, until the revocation response message from the certificate server is received.
A fixed time period is preset; timing starts when the revocation request message is sent to the certificate server; when the timed interval exceeds the fixed period and no revocation response message has been received, the request message is resent to the certificate server, guaranteeing that the certificate is revoked in time.
Optionally, on the basis of the method of Fig. 3, the number of times the revocation request message is resent to the certificate server is also counted, as shown in Fig. 4, further comprising:
Step S108: record the number of times the revocation request message is resent to the certificate server;
Step S109: when the number of resends exceeds the preset send count, stop sending the revocation request message and report that the certificate revocation has failed.
When the revocation request message is sent to the certificate server to revoke the certificate, it may be intercepted in transit, or fail to reach the server because of a network interruption, or reach the server but fail to be processed correctly because of a fault in the server; by resending repeatedly, the certificate can still be revoked in time once the network and the certificate server recover.
When the network suffers a catastrophic failure, or the certificate server suffers an unrecoverable fault, or the constructed request message itself has a defect that prevents the certificate server from recognising it, repeatedly resending the request message cannot revoke the certificate in time. Therefore, in this embodiment, the number of resends to the certificate server is preset; when the number of resends exceeds the preset count, sending stops and a revocation failure is reported, so that the cause of the failure can be investigated promptly and the certificate that needs revoking is revoked within a short time.
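The timer-and-counter flow of steps S105-S109, as an added example (not the patent's own code): send, start timing, resend when the preset time passes without a response, and report failure once the preset resend count is exhausted. Sender, SendWithRetry, FlakyServer and the "Success" response string are my own names and stand-ins; the real transport and the CertRep message are not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrRevocationFailed is the failure that step S109 reports once the resend
// budget is exhausted.
var ErrRevocationFailed = errors.New("digital certificate revocation failed")

// Sender delivers one copy of the revocation request and returns a channel on
// which the certificate server's response (e.g. a CertRep status) arrives, if ever.
type Sender func(req []byte) <-chan string

// SendWithRetry implements steps S105-S109: send, start a timer, resend when no
// response arrives within timeout, and give up once the number of resends would
// exceed maxResends. It returns the response, the number of resends made and an
// error on failure.
func SendWithRetry(send Sender, req []byte, timeout time.Duration, maxResends int) (string, int, error) {
	resends := 0
	for {
		responses := send(req)
		timer := time.NewTimer(timeout) // S105: timing starts as the request goes out
		select {
		case resp := <-responses: // response received: the timer is destroyed
			timer.Stop()
			return resp, resends, nil
		case <-timer.C: // S106: preset time exceeded without a response
		}
		if resends >= maxResends { // S109: resend count exhausted, report failure
			return "", resends, ErrRevocationFailed
		}
		resends++ // S107/S108: resend and record it
	}
}

// FlakyServer is a constructed stand-in for the certificate server: it answers
// "Success" only on the respondOn-th delivery and ignores every other one,
// which simulates lost requests or a server that is temporarily down.
func FlakyServer(respondOn int) Sender {
	deliveries := 0
	return func(req []byte) <-chan string {
		deliveries++
		ch := make(chan string, 1)
		if deliveries == respondOn {
			ch <- "Success"
		}
		return ch
	}
}

func main() {
	resp, n, err := SendWithRetry(FlakyServer(3), []byte("CertRevokeReq"), 50*time.Millisecond, 5)
	fmt.Printf("response=%q resends=%d err=%v\n", resp, n, err)
	_, n, err = SendWithRetry(FlakyServer(0), []byte("CertRevokeReq"), 50*time.Millisecond, 3)
	fmt.Printf("resends=%d err=%v\n", n, err)
}
```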
Embodiment three
This embodiment provides a digital certificate revocation apparatus corresponding to the revocation method of embodiment one. Its structure is shown in Fig. 5 and comprises:
an acquiring unit 301, a processor 302, an encoder 303 and a transmitter 304;
where:
the acquiring unit 301 is for obtaining the digital certificate revocation instruction;
the processor 302 is for constructing the digital certificate revocation request message according to the revocation instruction;
the encoder 303 is for digitally encrypting the revocation request message and setting an identity identifier on the encrypted message;
the transmitter 304 is for sending the encrypted revocation request message carrying the identity identifier to the certificate server, to request that the certificate server revoke the digital certificate.
On the basis of the apparatus of Fig. 5, another structure of the apparatus provided by this embodiment is shown in Fig. 6, in which the processor 303 comprises:
a parsing unit 305 and a construction unit 306;
the parsing unit 305 is for parsing the data about the certificate to be revoked that is contained in the revocation instruction;
the construction unit 306 is for constructing the revocation request message from that data; the revocation request message contains the physical address of the certificate to be revoked in the certificate server.
Optionally, the apparatus provided by this embodiment further comprises, as shown in Fig. 7:
a response receiver 307 and a timer 308;
the response receiver 307 is for waiting to receive the digital certificate revocation response message returned by the server of the certificate authority;
the timer 308 is for starting timing when the revocation request message is sent to the certificate server, and, when the preset time is exceeded and the response receiver 307 has still not received the revocation response message from the certificate server, sending a control instruction to the transmitter 304 that causes the transmitter 304 to resend the revocation request message to the certificate server.
Optionally, the apparatus further comprises a counter 309;
the counter 309 is for recording the number of times the transmitter 304 resends the revocation request message to the certificate server, and, when the recorded number of resends exceeds the preset send count, causing the transmitter to stop sending the revocation request message and reporting that the certificate revocation has failed.
The apparatus of embodiment three can be applied in the SCEP protocol, revoking digital certificates on the basis of SCEP. In this embodiment the timer 308 is a preferred timing device: in a concrete implementation, a timer can be created in the timer 308 immediately when the revocation request message is sent to the certificate server, and the created timer destroyed when the revocation response message from the certificate server is received.
Embodiment four
As shown in Figure 8, the embodiment of the invention provides a kind of digital certificate revocation method, is applied to comprise in the certificate server of PKI technology:
Step S401: the digital certificate revocation request message that the receiving terminal entity sends;
Step S402: said digital certificate revocation request message is carried out digital decrypted and verifies the said identify label of passing through the certificate revocation request message of deciphering;
After receiving the digital certificate revocation request message that end entity sends, digital certificate request message is deciphered, with the related data information of the digital certificate that obtains to comprise in the digital certificate request message; After decrypting process was accomplished, checking was confirmed the transmission main body of said certificate through the identify label of the certificate revocation request message of deciphering, audit requestor's identity.
Step S403: when verifying, to cancelling with the corresponding digital certificate of said digital certificate revocation request message when said digital certificate revocation request message successful decryption and through identify label;
Saidly cancel process such as the application embodiment provides shown in Figure 9, comprising:
Step S501: resolve treating in the said digital certificate revocation request message and cancel the physical address of digital certificate in certificate server;
Step S502: search the corresponding digital certificate according to said physical address, and said digital certificate is cancelled.
The embodiment of the invention is cancelled in the process digital certificate; After certificate server receives the digital certificate revocation request message; In said certificate server, search and the corresponding digital certificate of said digital certificate revocation request message; Search procedure can adopt multiple mode, preferably adopts saidly to wait to cancel waiting of comprising in the digital certificate and cancel the physical address of digital certificate in certificate server, directly digital certificate said to be cancelled is searched.Also can be through adopting according to the said title of waiting to cancel digital certificate, multiple sign such as the name of date issued, issuer and with or the mode cert mechanism of use separately in digital certificate to be cancelled search.
On the basis of the method shown in Figure 8, optionally, after the digital certificate has been revoked, the server also returns a certificate revocation response message to the end entity, as shown in Figure 10, comprising:
Steps S401 to S403 are identical to the steps shown in Figure 1 and are not repeated here.
Step S404: return a certificate revocation response message to the end entity.
The digital certificate revocation method provided by embodiment four of the application can be applied in a number of digital certificate revocation protocols; below, the method of the embodiment of the invention is applied in the SCEP protocol:
After the SCEP server receives the digital certificate revocation request message, it opens the digital envelope in the request message. The opening process is as follows: the server decrypts the digital envelope with its own private key (that is, it opens the envelope) to obtain the symmetric key with which the certificate revocation request message was encrypted, and then decrypts the certificate revocation request message with that symmetric key.
After the digital envelope has been opened successfully, the SCEP server verifies whether the digital signature of the digital certificate revocation request message is correct; when the digital signature is correct, the digital certificate to be revoked is revoked.
If the digital certificate revocation succeeds, the SCEP server issues a CRL according to the issuer name and certificate serial number, revoking the certificate; the issued CRL contains the serial number of the revoked certificate, the revocation reason, the revocation date and similar information.
At the same time, the SCEP server constructs the digital certificate revocation response CertRep, in which the certificate revocation result is carried as the PKI status, Success or Failure. If opening the digital envelope fails or verifying the digital signature fails, the certificate revocation result is Failure; otherwise the revocation result is Success.
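The SCEP exchange just described, as an added example that is not part of the patent or of any SCEP implementation: the client builds the revocation request (encrypting first, then setting the identity label and signing, as in claim 1), and the server opens the envelope, verifies the signature behind the identity label, locates the certificate by its physical address (steps S501 and S502), records a CRL entry and answers with a CertRep whose status is Success or Failure. Real SCEP carries the request as PKCS#7 EnvelopedData inside SignedData; this example models the envelope with RSA-OAEP key wrapping plus AES-256-GCM, the signature with RSA PKCS#1 v1.5, and the "physical address" as a string key into an in-memory store. Those choices, the field and function names, and the rule that a requester may only revoke the certificate it signed with are all assumptions of the example, not statements of the patent.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"time"
)

// RevocationRequest is the plaintext body; Address is the certificate's "physical
// address" in the server store (S501). The layout is constructed for this example.
type RevocationRequest struct{ Address string; Reason int }
// Message is the wire form: an AES-256-GCM envelope whose key is wrapped with RSA-OAEP
// to the server, plus the identity label and the signature, both set after encryption.
type Message struct {
	WrappedKey, Nonce, Ciphertext []byte
	SignerID                      string // identity label: address of the requester's own certificate
	Signature                     []byte // PKCS#1 v1.5 over SHA-256(WrappedKey || Nonce || Ciphertext)
}
type CertRecord struct{ Serial int64; Public *rsa.PublicKey; Revoked bool }
type CRLEntry struct{ Serial int64; Reason int; Date time.Time } // one CRL line per revoked certificate
type CertRep struct{ Status, Detail string }                      // Status is "Success" or "Failure"
type SCEPServer struct{ Key *rsa.PrivateKey; Store map[string]*CertRecord; CRL []CRLEntry } // Store is keyed by physical address

// signedDigest covers the whole envelope; the fixed-size fields come first, so plain concatenation is unambiguous.
func signedDigest(m *Message) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{m.WrappedKey, m.Nonce, m.Ciphertext}, nil))
	return d[:]
}

// BuildRequest is the client side (S701-S704): encrypt first, then label and sign.
func BuildRequest(server *rsa.PublicKey, signer *rsa.PrivateKey, signerID string, req RevocationRequest) (*Message, error) {
	body, _ := json.Marshal(req)
	buf := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32])
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	m := &Message{WrappedKey: wrapped, Nonce: buf[32:], Ciphertext: gcm.Seal(nil, buf[32:], body, nil), SignerID: signerID}
	m.Signature, err = rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, signedDigest(m))
	return m, err
}

// openEnvelope unwraps the symmetric key with the server's private key and decrypts
// the body; GCM authentication also rejects a tampered ciphertext.
func (s *SCEPServer) openEnvelope(m *Message) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, m.WrappedKey, nil)
	if err != nil || len(symKey) != 32 {
		return nil, rsa.ErrDecryption
	}
	block, _ := aes.NewCipher(symKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// Process is the server side (S707-S710): open the envelope, verify the signature behind
// the identity label, then revoke, add the CRL entry and answer with a CertRep.
func (s *SCEPServer) Process(m *Message) CertRep {
	body, err := s.openEnvelope(m)
	if err != nil {
		return CertRep{"Failure", "digital envelope could not be opened"}
	}
	signer, ok := s.Store[m.SignerID]
	if !ok || rsa.VerifyPKCS1v15(signer.Public, crypto.SHA256, signedDigest(m), m.Signature) != nil {
		return CertRep{"Failure", "digital signature verification failed"}
	}
	var req RevocationRequest
	if json.Unmarshal(body, &req) != nil {
		return CertRep{"Failure", "malformed request body"}
	}
	target, ok := s.Store[req.Address] // S502: locate the certificate by its physical address
	if !ok || target != signer {       // example's own policy: a requester may only revoke its own certificate
		return CertRep{"Failure", "no certificate at that address owned by the signer"}
	}
	if !target.Revoked { // a repeated request is answered Success without a second CRL entry
		target.Revoked = true
		s.CRL = append(s.CRL, CRLEntry{target.Serial, req.Reason, time.Now()})
	}
	return CertRep{"Success", ""}
}

// NewDemo builds a server and one enrolled client with constructed keys and data.
func NewDemo() (*SCEPServer, *rsa.PrivateKey) {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := &SCEPServer{Key: serverKey, Store: map[string]*CertRecord{"addr-1": {Serial: 1001, Public: &clientKey.PublicKey}}}
	return s, clientKey
}
```

The order of checks is the point: the envelope is opened before any lookup, the signature is checked against the certificate named by the identity label, and nothing in the store changes until every check has passed, so a tampered envelope, an unknown signer or an address the signer does not own all produce Failure and leave the CRL untouched.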
Embodiment five
The embodiment of the invention provides a digital certificate revocation device whose structure is shown in Figure 11, comprising:
a receiver 601 and a processor 602;
wherein:
the receiver 601 is configured to receive the digital certificate revocation request message sent by the end entity;
the processor 602 is configured to digitally decrypt the digital certificate revocation request message and verify the identity identifier of the decrypted certificate revocation request message, and, when the message is decrypted successfully and the identity identifier is verified, to revoke the digital certificate corresponding to the digital certificate revocation request message.
On the basis of the digital certificate revocation device shown in Figure 11, another structure of the device provided by the embodiment of the invention is shown in Figure 12, in which the processor 602 comprises:
a parsing unit 603 and a revocation unit 604;
the parsing unit 603 is configured to parse, from the digital certificate revocation request message, the physical address in the certificate server of the digital certificate to be revoked;
the revocation unit 604 is configured to look up the corresponding digital certificate by that physical address and revoke it.
Optionally, the digital certificate revocation device provided by the embodiment of the invention further comprises a responder 605;
the responder 605 is configured to return a certificate revocation response message to the end entity.
Since the device embodiment essentially corresponds to the method embodiment, its description is kept brief; for the relevant details, refer to the description of the method embodiment.
Embodiment six
On the basis of embodiment one combined with embodiment four, this embodiment of the application provides the flow chart of applying the digital certificate revocation method in the SCEP protocol:
Steps S701 to S704 are executed by the SCEP client: it constructs the digital certificate revocation request message, encapsulates it in a digital envelope, applies a digital signature, and sends it to the SCEP server. After the message has been sent, step S705 is executed, and when no response to the digital certificate revocation request message is received from the SCEP server within the preset time period, step S706 is executed.
Steps S707 to S709 are executed by the SCEP server: on receiving the digital certificate revocation request message, it opens the digital envelope and verifies the digital signature; when both the opening and the signature verification succeed, it issues the certificate revocation list and revokes the digital certificate to be revoked. At the same time, step S710 is executed: a certificate revocation response message is returned to the SCEP client. When the SCEP client receives the certificate revocation response message, step S711 is executed: the timer is destroyed, which completes the whole digital certificate revocation process.
In the embodiment of the invention, in order to further authenticate the identity of the party requesting revocation and to prevent identity impersonation, the certificate authority can, after the certificate has been issued, have the certificate authority administrator or the network administrator allocate a certificate revocation password for each certificate and notify the certificate holder of it by an out-of-band method, for example by mail or SMS notification.
When the certificate holder, i.e. the SCEP client, wants to revoke its certificate, it carries the certificate revocation password in the certificate revocation request message. Besides opening the digital envelope and verifying the digital signature, the SCEP server must also verify that the certificate revocation password in the request message is correct, i.e. compare the password in the request message with the certificate revocation password kept locally on the SCEP server. If they match, the server issues the CRL and revokes the certificate; otherwise it responds that the certificate revocation has failed.
The embodiments in this specification are described progressively; identical or similar parts may be understood by reference between the embodiments, and each embodiment concentrates on its differences from the others. The above are only embodiments of the present application; it should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the present application, and such improvements and modifications should also be regarded as falling within the scope of protection of the present application.
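The client-side timer and re-send logic of steps S705, S706 and S711 (claims 3 and 4), as an added example that is not part of the patent: the request goes out, a timer starts, a missing response within the preset time triggers a re-send, and the number of re-sends is counted so that the client gives up and reports failure once the preset sending count is exhausted. The Sender type, the FlakyServer stand-in for the SCEP server and the durations are assumptions of the example; the transport is a channel so that it runs without a network.

```go
package main

import (
	"errors"
	"time"
)

// Sender delivers one copy of the request and returns the channel on which the
// server's revocation response would arrive (a function value, so no network is needed).
type Sender func(attempt int) <-chan string

// RetryResult reports the response received and how many re-sends it took.
type RetryResult struct {
	Response string
	Resends  int
}

var ErrRevocationFailed = errors.New("digital certificate revocation failed: no response after the preset number of re-sends")

// SendWithRetry implements the client-side timer of steps S705/S706/S711 and claims 3-4:
// start a timer when the request goes out, re-send when the preset time passes with no
// response, and give up (reporting failure) once a further re-send would exceed maxResends.
func SendWithRetry(send Sender, preset time.Duration, maxResends int) (RetryResult, error) {
	resends := 0
	for {
		timer := time.NewTimer(preset) // S705: timing starts as the request is sent
		select {
		case resp := <-send(resends):
			timer.Stop() // S711: response received, destroy the timer
			return RetryResult{Response: resp, Resends: resends}, nil
		case <-timer.C:
			if resends >= maxResends { // claim 4: preset sending count exhausted
				return RetryResult{Resends: resends}, ErrRevocationFailed
			}
			resends++ // S706: re-send the same request message
		}
	}
}

// FlakyServer models a server that ignores the first failUntil attempts and then
// answers after delay (constructed behaviour for the example).
func FlakyServer(failUntil int, delay time.Duration) Sender {
	return func(attempt int) <-chan string {
		if attempt < failUntil {
			return nil // a nil channel never delivers, so only the timer can fire
		}
		ch := make(chan string, 1)
		go func() {
			time.Sleep(delay)
			ch <- "CertRep: Success"
		}()
		return ch
	}
}
```

The re-send count is kept by the caller of the timer rather than inside it, which is what lets the client distinguish "still waiting" from "give up and report failure" without any state on the server side.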
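The certificate revocation password of embodiment six, as an added example that is not part of the patent: a random password is generated per certificate serial at issuance and returned once for out-of-band delivery, the server keeps only a salted hash of it (the example's own hardening; the text only says the SCEP server keeps the password locally), and at revocation time the password is compared in constant time as the last gate after the envelope and signature checks, which appear here as boolean inputs rather than being repeated. The store, function names and password format are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
)

// passwordRecord is what the certificate authority keeps per certificate serial: a salt
// and the salted hash of the revocation password, never the password itself (the
// example's own choice; the patent only says the SCEP server keeps the password locally).
type passwordRecord struct{ salt, hash []byte }

// RevocationPasswordStore is the server-side record of issued revocation passwords.
type RevocationPasswordStore struct{ records map[int64]passwordRecord }

func NewRevocationPasswordStore() *RevocationPasswordStore {
	return &RevocationPasswordStore{records: map[int64]passwordRecord{}}
}

// saltedHash is enough here because the password is random and high-entropy rather
// than user-chosen; a user-chosen secret would call for a slow KDF instead.
func saltedHash(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Issue runs at certificate issuance: it creates a random revocation password for the
// certificate serial, records its salted hash, and returns the plaintext once so the
// administrator can deliver it to the certificate holder out of band (mail, SMS).
func (s *RevocationPasswordStore) Issue(serial int64) (string, error) {
	buf := make([]byte, 36) // 20 random bytes become the password, 16 become the salt
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	password := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(buf[:20])
	s.records[serial] = passwordRecord{salt: buf[20:], hash: saltedHash(buf[20:], password)}
	return password, nil
}

// Verify compares the password carried in the revocation request with the stored
// record in constant time; an unknown serial verifies as false.
func (s *RevocationPasswordStore) Verify(serial int64, password string) bool {
	rec, ok := s.records[serial]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(saltedHash(rec.salt, password), rec.hash) == 1
}

// HandleRevocation applies the SCEP server's check order from embodiment six: the
// digital envelope and digital signature results come first (passed in as booleans
// standing in for the real checks) and the revocation password is the final gate
// before the CRL is issued. It returns the CertRep status and a reason.
func HandleRevocation(store *RevocationPasswordStore, envelopeOpened, signatureValid bool, serial int64, password string) (status, detail string) {
	switch {
	case !envelopeOpened:
		return "Failure", "digital envelope could not be opened"
	case !signatureValid:
		return "Failure", "digital signature verification failed"
	case !store.Verify(serial, password):
		return "Failure", "certificate revocation password incorrect"
	}
	return "Success", "CRL issued and certificate revoked"
}
```

Keeping a hash rather than the password means that a copy of the server's store does not by itself let anyone pass the password check, and the constant-time comparison keeps the check from revealing how much of a guess matched.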

Claims (14)

1. A digital certificate revocation method, characterized in that it comprises:
obtaining a digital certificate revocation instruction;
constructing a digital certificate revocation request message according to the digital certificate revocation instruction;
digitally encrypting the digital certificate revocation request message and setting an identity identifier for the digitally encrypted digital certificate revocation request message; and
sending the digitally encrypted digital certificate revocation request message provided with the identity identifier to a certificate server, so as to request the certificate server to revoke the digital certificate.
2. The method according to claim 1, characterized in that constructing the digital certificate revocation request message according to the digital certificate revocation instruction comprises:
parsing the data of the digital certificate to be revoked that is contained in the digital certificate revocation instruction;
constructing the digital certificate revocation request message according to that data, wherein the digital certificate revocation request message comprises the physical address of the digital certificate to be revoked in the certificate server.
3. The method according to claim 1 or 2, characterized in that, after the digital certificate revocation request message has been sent to the server in the certificate authority, the method further comprises:
waiting to receive the digital certificate revocation response message returned by the certificate server, and starting a timer when the digital certificate revocation request message is sent to the certificate server;
when the digital certificate revocation response message from the certificate server has still not been received after a preset time, re-sending the digital certificate revocation request message to the certificate server.
4. The method according to claim 3, characterized in that it further comprises:
recording the number of times the digital certificate revocation request message has been re-sent to the certificate server;
when the number of re-sends exceeds a preset sending count, stopping sending the digital certificate revocation request message and indicating that the digital certificate revocation has failed.
5. A digital certificate revocation device, characterized in that it comprises:
an acquiring unit, configured to obtain a digital certificate revocation instruction;
a processor, configured to construct a digital certificate revocation request message according to the digital certificate revocation instruction;
an encoder, configured to digitally encrypt the digital certificate revocation request message and to set an identity identifier for the digitally encrypted digital certificate revocation request message;
a transmitter, configured to send the digitally encrypted certificate revocation request message provided with the identity identifier to a certificate server, so as to request the certificate server to revoke the digital certificate.
6. The device according to claim 5, characterized in that the processor comprises:
a parsing unit, configured to parse the data of the digital certificate to be revoked that is contained in the digital certificate revocation instruction;
a constructing unit, configured to construct the digital certificate revocation request message according to that data, wherein the digital certificate revocation request message comprises the physical address of the digital certificate to be revoked in the certificate server.
7. The device according to claim 5 or 6, characterized in that it further comprises:
a response receiver, configured to wait for and receive the digital certificate revocation response message returned by the server in the certificate authority;
a timer, configured to start timing when the digital certificate revocation request message is sent to the certificate server, and, when the preset time has been exceeded and the response receiver has still not received the digital certificate revocation response message from the certificate server, to send a control instruction to the transmitter that causes the transmitter to re-send the digital certificate revocation request message to the certificate server.
8. The device according to claim 7, characterized in that it further comprises:
a counter, configured to record the number of times the transmitter has re-sent the digital certificate revocation request message to the certificate server, and, when the recorded number of re-sends exceeds a preset sending count, to control the transmitter to stop sending the digital certificate revocation request message and to indicate that the digital certificate revocation has failed.
9. A digital certificate revocation method, characterized in that it comprises:
receiving a digital certificate revocation request message sent by an end entity;
digitally decrypting the digital certificate revocation request message and verifying the identity identifier of the decrypted certificate revocation request message;
when the digital certificate revocation request message is decrypted successfully and the identity identifier is verified, revoking the digital certificate corresponding to the digital certificate revocation request message.
10. The method according to claim 9, characterized in that revoking the digital certificate corresponding to the digital certificate revocation request message comprises:
parsing, from the digital certificate revocation request message, the physical address in the certificate server of the digital certificate to be revoked;
looking up the corresponding digital certificate by that physical address, and revoking it.
11. The method according to claim 9 or 10, characterized in that it further comprises:
returning a certificate revocation response message to the end entity.
12. A digital certificate revocation device, characterized in that it comprises:
a receiver, configured to receive a digital certificate revocation request message sent by an end entity;
a processor, configured to digitally decrypt the digital certificate revocation request message and verify the identity identifier of the decrypted certificate revocation request message, and, when the digital certificate revocation request message is decrypted successfully and the identity identifier is verified, to revoke the digital certificate corresponding to the digital certificate revocation request message.
13. The device according to claim 12, characterized in that the processor comprises:
a parsing unit, configured to parse, from the digital certificate revocation request message, the physical address in the certificate server of the digital certificate to be revoked;
a revocation unit, configured to look up the corresponding digital certificate by that physical address and revoke it.
14. The device according to claim 12 or 13, characterized in that it further comprises:
a responder, configured to return a certificate revocation response message to the end entity.
CN201110451508XA 2011-12-29 2011-12-29 Digital certificate revocation method and equipment Pending CN102447705A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110451508XA CN102447705A (en) 2011-12-29 2011-12-29 Digital certificate revocation method and equipment

Publications (1)

Publication Number Publication Date
CN102447705A true CN102447705A (en) 2012-05-09

Family

ID=46009794

Country Status (1)

Country Link
CN (1) CN102447705A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1851608A (en) * 2005-09-28 2006-10-25 华为技术有限公司 Method and system for cancelling RO for DRM system
CN101853337A (en) * 2009-03-31 2010-10-06 中国人民解放军信息工程大学 Method, device and method for repealing public key certificate in trusted computing

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9722802B2 (en) 2013-01-21 2017-08-01 Huawei Technologies Co., Ltd. Method, apparatus, and system for increasing network security
WO2014110828A1 (en) * 2013-01-21 2014-07-24 华为技术有限公司 Method, device, and system for improving network security
CN105472604A (en) * 2014-09-09 2016-04-06 中兴通讯股份有限公司 Digital certificate state processing method, device and system
CN107209882B (en) * 2015-01-21 2022-02-15 微软技术许可有限责任公司 Multi-stage de-registration for managed devices
CN107209882A (en) * 2015-01-21 2017-09-26 微软技术许可有限责任公司 For the multistage un-register for the equipment being under management
CN106572082A (en) * 2016-10-19 2017-04-19 凯美瑞德(苏州)信息科技股份有限公司 Approval signature verifying method, mobile device, terminal device and system
CN111566991A (en) * 2017-12-01 2020-08-21 耐瑞唯信有限公司 Capability revocation in content consumption devices
CN111566991B (en) * 2017-12-01 2023-05-23 耐瑞唯信有限公司 Capability revocation in content consumption devices
CN114430323A (en) * 2020-10-29 2022-05-03 西门子股份公司 Certificate management in a technical installation
CN113239379B (en) * 2021-05-19 2022-02-11 郑州信大捷安信息技术股份有限公司 SCEP (secure certificate privacy protocol) -based national secret certificate issuing method and system
CN113239379A (en) * 2021-05-19 2021-08-10 郑州信大捷安信息技术股份有限公司 SCEP (secure certificate privacy protocol) -based national secret certificate issuing method and system
CN117061251A (en) * 2023-10-12 2023-11-14 兴原认证中心有限公司 PKI certificate suspension revocation method and system for authentication platform
CN117061251B (en) * 2023-10-12 2024-01-30 兴原认证中心有限公司 PKI certificate suspension revocation method and system for authentication platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120509