CN109672537A - Anti-quantum certificate acquisition system and acquisition method based on public key pool - Google Patents

Info

Publication number: CN109672537A
Authority: CN (China)
Prior art keywords: key, public key, public, random number, ciphertext
Legal status: Granted
Application number: CN201910048329.8A
Other languages: Chinese (zh)
Other versions: CN109672537B (en)
Inventors: 富尧, 钟民, 钟一民, 余秋炜
Current assignee: Ruban Quantum Technology Co Ltd
Original assignee: Ruban Quantum Technology Co Ltd
Application filed by Ruban Quantum Technology Co Ltd
Priority to CN201910048329.8A
Publication of CN109672537A
Application granted
Publication of CN109672537B
Legal status: Active

Classifications

    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an anti-quantum certificate acquisition method and acquisition system based on a public key pool. The participants include a certificate authority and users, and each participant is equipped with a key card. Each key card stores the public key pool, a private key unit and the public key pointer random number of the certificate authority; a user's key card also stores the user public key pointer random number. On the user side, the anti-quantum certificate acquisition method includes: generating a request message containing the certificate request, the user public key pointer random number and the user identity; signing the request message with the signature private key; generating a true random number and using it to encrypt the request message and signature, obtaining the first ciphertext; encrypting the true random number with the certificate authority's encryption public key, obtaining the second ciphertext; sending the first ciphertext and the second ciphertext to the certificate authority; and receiving and verifying the authorization certificate from the certificate authority.

Description

Anti-quantum certificate acquisition system and acquisition method based on public key pool
Technical field
The present invention relates to the field of secure communications, and in particular to an anti-quantum certificate acquisition system and acquisition method based on a public key pool.
Background
A digital signature (also called a public-key digital signature or electronic signature) is analogous to an ordinary handwritten signature on paper, but is implemented with public-key cryptography and is used to authenticate digital information. A digital signature scheme usually defines two complementary operations, one for signing and one for verification.
A digital signature is a string of digits that only the sender of the information can generate and that others cannot forge; this string is also valid proof of the authenticity of the information sent by the sender.
The integrity of a digitally signed file is easy to verify (no seal across the perforation or signature across page edges is needed, nor a handwriting expert), and a digital signature provides non-repudiation.
Briefly, a digital signature is some data appended to a data unit, or a cryptographic transformation applied to the data unit. This data or transformation allows the recipient of the data unit to confirm its source and integrity, and protects the data against forgery (for example, by the recipient). It is a method of signing a message in electronic form, and a signed message can be transmitted over a communication network. Digital signatures can be obtained from both public-key cryptosystems and private-key cryptosystems; they are mainly based on public-key cryptosystems, and include ordinary digital signatures and special digital signatures.
Ordinary digital signature algorithms include RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, Ong-Schnorr-Shamir, DSA, elliptic curve digital signature algorithms and finite automaton digital signature algorithms. Special digital signatures include blind signatures, proxy signatures, group signatures, undeniable signatures, fair blind signatures, threshold signatures and signatures with message recovery, and are closely tied to specific application environments. The application of digital signatures clearly involves legal issues; the U.S. federal government has established its own Digital Signature Standard (DSS) based on the discrete logarithm problem over finite fields.
Modern cryptography has two main kinds of cryptosystem. One is the symmetric-key cryptosystem, in which the encryption key and the decryption key are the same. The other is the asymmetric-key cryptosystem, i.e. the public-key cryptosystem, in which the encryption key and the decryption key differ and one of them can be made public. Digital certificates are built on asymmetric cryptography.
However, with the development of quantum computers, classical asymmetric-key algorithms will no longer be secure: whether for encryption and decryption, digital signatures or key exchange, a quantum computer can compute the private key from the public key. Today's classical digital certificates will therefore be unable to withstand attack in the quantum era.
Summary of the invention
The present invention provides an anti-quantum certificate acquisition method and system based on a public key pool that offer higher security and avoid being broken by a quantum computer.
In the anti-quantum certificate acquisition method based on a public key pool, the participants include a certificate authority and users. Each participant is equipped with a key card. Each key card stores the public key pool, a private key unit and the public key pointer random number of the certificate authority; a user's key card also stores the user public key pointer random number.
The public key pool contains public key units 1 to N. Each public key unit stores the encryption public key and signature public key of one user; the corresponding encryption private key and signature private key are stored in the private key unit.
The anti-quantum certificate acquisition method includes, on the user side:
Generating a request message containing the certificate request, the user public key pointer random number and the user identity;
Signing the request message with the signature private key;
Generating a true random number and using it to encrypt the request message and signature, obtaining the first ciphertext;
Encrypting the true random number with the encryption public key of the certificate authority, obtaining the second ciphertext;
Sending the first ciphertext and the second ciphertext to the certificate authority;
Receiving and verifying the authorization certificate from the certificate authority.
Several optional features are provided below. They are not additional limitations on the overall scheme above, only further supplements or preferences. Provided there is no technical or logical contradiction, each optional feature may be combined individually with the overall scheme, and multiple optional features may also be combined with one another.
Optionally, the anti-quantum certificate acquisition method further includes, at the certificate authority:
Receiving the first ciphertext and the second ciphertext;
Decrypting the second ciphertext with the encryption private key of the certificate authority, obtaining the true random number;
Decrypting the first ciphertext with the true random number, obtaining the request message and signature;
Retrieving the user's signature public key from the public key pool according to the user public key pointer random number in the request message;
Verifying the signature with the user's signature public key and, if verification succeeds, generating the authorization certificate;
Generating a reply message containing the certificate request and the authorization certificate;
Signing the reply message with the signature private key of the certificate authority;
Generating a true random number and using it to encrypt the reply message and signature, obtaining the third ciphertext;
Encrypting the true random number with the user's encryption public key, obtaining the fourth ciphertext;
Returning the third ciphertext and the fourth ciphertext to the user.
Optionally, the anti-quantum certificate acquisition method further includes, on the user side:
Decrypting the fourth ciphertext with the encryption private key, obtaining the true random number;
Decrypting the third ciphertext with the true random number, obtaining the reply message and signature;
Decrypting the signature with the signature public key of the certificate authority, obtaining the reply message;
Verifying whether the certificate request in the reply message is consistent with the certificate request that was sent;
Saving the authorization certificate once verification has succeeded.
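The certificate request exchange described above (first to fourth ciphertexts), as an added Python example that is not part of the patent. The text names no algorithms, so textbook RSA over fixed small primes and a SHA-256 keystream are used purely as toy stand-ins; the `pointer % N` mapping from pointer random number to public key unit, the KeyCard class, the pointer values and the certificate fields are all assumptions made for illustration.

```python
# Added illustration of the certificate request exchange; not the patent's own code.
# ASSUMPTIONS: textbook RSA over fixed Mersenne primes and a SHA-256 keystream stand
# in for the unspecified real algorithms (toy primitives, unfit for real data); a
# pointer random number selects pool unit `pointer % N`; all values are constructed.
import hashlib
import json
import secrets

E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2^a-1 and 2^b-1; returns (n, d)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    n, d = key
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

def stream_xor(key, data):
    """XOR with a hash-derived keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyCard:
    """Public key pool plus one party's private key unit and pointer random numbers."""
    def __init__(self, pool, enc_key, sig_key, ca_pointer, own_pointer, ident):
        self.pool, self.enc_key, self.sig_key = pool, enc_key, sig_key
        self.ca_pointer, self.own_pointer, self.ident = ca_pointer, own_pointer, ident

    def unit(self, pointer):
        return self.pool[pointer % len(self.pool)]

def seal(payload, sig_key, peer_enc_n):
    """Sign the message, encrypt message and signature under a fresh random number,
    then wrap that random number with the peer's encryption public key."""
    body = json.dumps(payload, sort_keys=True)
    inner = json.dumps({"body": body, "sig": sign(body.encode(), sig_key)}).encode()
    r = secrets.token_bytes(16)  # a key card would draw this from a hardware RNG
    return stream_xor(r, inner), pow(int.from_bytes(r, "big"), E, peer_enc_n)

def unseal(c_data, c_key, enc_key):
    """Unwrap the random number with our encryption private key, then decrypt."""
    n, d = enc_key
    r = pow(c_key, d, n).to_bytes(16, "big")
    inner = json.loads(stream_xor(r, c_data))
    return inner["body"], inner["sig"]

def user_request(card, cert_request):
    """User side: build the first and second ciphertexts."""
    req = {"cert_request": cert_request, "pointer": card.own_pointer,
           "user_id": card.ident}
    return seal(req, card.sig_key, card.unit(card.ca_pointer)["enc_n"])

def ca_handle(card, c1, c2):
    """CA side: recover the request, fetch the signer's public keys from the pool
    by pointer, verify, then answer with the third and fourth ciphertexts."""
    body, sig = unseal(c1, c2, card.enc_key)
    req = json.loads(body)
    unit = card.unit(req["pointer"])
    if not verify(body.encode(), sig, unit["sig_n"]):
        raise ValueError("signature does not match the pooled public key")
    cert = {"subject": req["user_id"], "issuer": card.ident}  # placeholder certificate
    reply = {"cert_request": req["cert_request"], "certificate": cert}
    return seal(reply, card.sig_key, unit["enc_n"])

def user_accept(card, c3, c4, cert_request):
    """User side: check the CA's signature and that the reply echoes our request."""
    body, sig = unseal(c3, c4, card.enc_key)
    if not verify(body.encode(), sig, card.unit(card.ca_pointer)["sig_n"]):
        raise ValueError("reply is not signed by the certificate authority")
    reply = json.loads(body)
    if reply["cert_request"] != cert_request:
        raise ValueError("reply does not match the request that was sent")
    return reply["certificate"]

def build_cards():
    """Constructed two-unit pool: unit 0 belongs to the CA, unit 1 to the user."""
    ca_enc, ca_sig = keypair(89, 107), keypair(61, 127)
    u_enc, u_sig = keypair(107, 127), keypair(89, 127)
    pool = [{"enc_n": ca_enc[0], "sig_n": ca_sig[0]},
            {"enc_n": u_enc[0], "sig_n": u_sig[0]}]
    ca = KeyCard(pool, ca_enc, ca_sig, 918274, 918274, "CA")
    user = KeyCard(pool, u_enc, u_sig, 918274, 530777, "user-001")
    return ca, user

if __name__ == "__main__":
    ca, user = build_cards()
    c1, c2 = user_request(user, "issue-cert")
    print(user_accept(user, *ca_handle(ca, c1, c2), "issue-cert"))
```

Only the two ciphertexts cross the network in each direction: the request carries the pointer random number, and the signer's public key is looked up in the pool rather than transmitted.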
Optionally, the anti-quantum certificate acquisition method further includes a public/private key update process, which includes, on the user side:
Generating an update request message containing the user identity, the public/private key update request, the user public key pointer random number and the updated public key;
Signing the update request message with the user's signature private key;
Generating a true random number and using it to encrypt the update request message and signature, obtaining the fifth ciphertext;
Encrypting the true random number with the signature public key of the certificate authority, obtaining the sixth ciphertext;
Sending the fifth ciphertext and the sixth ciphertext to the certificate authority;
Receiving and verifying the result returned by the certificate authority in order to update the public and private keys.
Optionally, the public/private key update process further includes, at the certificate authority:
Receiving the fifth ciphertext and the sixth ciphertext;
Decrypting the sixth ciphertext with the encryption private key of the certificate authority, obtaining the true random number;
Decrypting the fifth ciphertext with the true random number, obtaining the update request message and signature;
Retrieving the user's signature public key from the public key pool according to the user public key pointer random number in the update request message;
Verifying the signature with the user's signature public key and, after verification succeeds, updating the corresponding public key unit and the public key pool timestamp;
Generating an update reply message containing the public/private key update request, the updated timestamp and the update result;
Signing the update reply message with the signature private key of the certificate authority;
Generating a true random number and using it to encrypt the update reply message and signature, obtaining the seventh ciphertext;
Encrypting the true random number with the user's encryption public key, obtaining the eighth ciphertext;
Returning the seventh ciphertext and the eighth ciphertext to the user.
Optionally, the public/private key update process further includes, on the user side:
Decrypting the eighth ciphertext with the encryption private key, obtaining the true random number;
Decrypting the seventh ciphertext with the true random number, obtaining the update reply message and signature;
Decrypting the signature with the signature public key of the certificate authority, obtaining the update reply message;
Verifying whether the public/private key request in the update reply message is consistent with the public/private key request that was sent;
Replacing the original public and private keys with the verified public and private keys, and updating the timestamp.
Optionally, the anti-quantum certificate acquisition method further includes a public key pool update process for the user, which includes, on the user side:
Generating an update request message containing the user identity, the public key pool update request, the user public key pointer random number and the user's public key pool timestamp;
Signing the update request message with the user's signature private key;
Generating a true random number and using it to encrypt the update request message and signature, obtaining the ninth ciphertext;
Encrypting the true random number with the signature public key of the certificate authority, obtaining the tenth ciphertext;
Sending the ninth ciphertext and the tenth ciphertext to the certificate authority;
Receiving and verifying the result returned by the certificate authority in order to update the user's public key pool.
Optionally, the user's public key pool update process further includes, at the certificate authority:
Receiving the ninth ciphertext and the tenth ciphertext;
Decrypting the ninth ciphertext with the encryption private key of the certificate authority, obtaining the true random number;
Decrypting the tenth ciphertext with the true random number, obtaining the update request message and signature;
Retrieving the user's signature public key from the public key pool according to the user public key pointer random number in the update request message;
Verifying the signature with the user's signature public key and, after verification succeeds, generating an update reply message containing the public key pool update request, the certificate authority's public key pool timestamp, and the set of all public key units in the public key pool whose timestamps are greater than the user's public key pool timestamp;
Signing the update reply message with the signature private key of the certificate authority;
Generating a true random number and using it to encrypt the update reply message, the signature and the set of all public key units in the public key pool whose timestamps are greater than the user's public key pool timestamp, obtaining the eleventh ciphertext;
Encrypting the true random number with the user's encryption public key, obtaining the twelfth ciphertext;
Returning the eleventh ciphertext and the twelfth ciphertext to the user.
Optionally, the user's public key pool update process further includes, on the user side:
Decrypting the twelfth ciphertext with the encryption private key, obtaining the true random number;
Decrypting the eleventh ciphertext with the true random number, obtaining the update reply message, the signature and the set of all public key units in the public key pool whose timestamps are greater than the user's public key pool timestamp;
Decrypting the signature with the signature public key of the certificate authority, obtaining the update reply message;
Verifying whether the public key pool request in the update reply message is consistent with the public key pool request that was sent;
After verification succeeds, updating the user's public key pool and the user's public key pool timestamp.
The present invention also provides an anti-quantum certificate acquisition system based on a public key pool. The participants include a certificate authority and users. Each participant is equipped with a key card. Each key card stores the public key pool, a private key unit and the public key pointer random number of the certificate authority; a user's key card also stores the user public key pointer random number.
The public key pool contains public key units 1 to N. Each public key unit stores the encryption public key and signature public key of one user; the corresponding encryption private key and signature private key are stored in the private key unit.
Each participant includes a memory and a processor. The memory stores a computer program, and the processor implements the anti-quantum certificate acquisition method based on a public key pool when it executes the computer program.
In the present invention, the key card is an independent, hardware-isolated device. Public keys, private keys, true random numbers and other related parameters are generated at the CA and stored in the key card after key distribution. After the key card has been issued, the user can generate a private key unique to that key card, which the CA does not possess either. The likelihood of keys being stolen by malware or malicious operations during use is therefore greatly reduced, and the keys cannot be obtained and cracked by a quantum computer. The public keys and related algorithm parameters updated in a digital certificate request are encrypted before they are transmitted over the network, and the public and private keys used for that encryption are stored in the key card and never transmitted over the network, so the public and private keys of both communicating parties are unlikely to be stolen or cracked. The invention uses public key pointer random numbers to negotiate public and private keys, which increases the accuracy of certificate verification and also safeguards the public keys. The cryptographic operations involved in updating the public key pool are likewise carried out by the key card, and the encryption public keys used are not disclosed externally, so even in the presence of a quantum computer it is difficult to derive the private keys. In summary, the invention safeguards the public and private keys and the certificates of a digital certificate system.
Description of the drawings
Fig. 1 is a layout diagram of the key area of the CA (certificate authority) key card of the present invention;
Fig. 2 is a layout diagram of the key area of the user key card of the present invention;
Fig. 3 is a structure diagram of the digital certificate of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To better describe and illustrate the embodiments of this application, reference may be made to one or more drawings, but the additional details or examples used to describe the drawings should not be regarded as limiting the scope of any of the invention, the currently described embodiments or the preferred modes.
It should be understood that, unless expressly stated otherwise herein, the steps are not subject to a strict order of execution and may be executed in other orders. Moreover, at least some of the steps may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different times; nor are these sub-steps or stages necessarily executed sequentially, as they may be executed in turn or alternately with other steps, or with at least part of the sub-steps or stages of other steps.
Anti- quantum certificate acquisition method based on public key pond, participant include certificate authority and user, each participant Be each equipped with key card, be stored in each key card the public key pointer in public key pond, private key unit and certificate authority with Machine number is also stored with client public key pointer random number in the key card of user,
The public key pond includes 1~N public key unit, the encrypted public key of one user of corresponding storage in each public key unit And public signature key;Corresponding encryption key and signature private key are stored in private key unit;
The anti-quantum certificate acquisition method includes carrying out in user terminal:
Generate the solicited message comprising certificate request, client public key pointer random number and User Identity;
It is signed using signature private key to solicited message;
A true random number is generated, solicited message and signature are encrypted using true random number, obtain the first ciphertext;
The encrypted public key of certificate of utility authorization center encrypts true random number, obtains the second ciphertext;
First ciphertext and the second ciphertext are sent to certificate authority;
Receive and verify the certificate of authority of certificate authority.
The anti-quantum certificate acquisition method further includes carrying out in certificate authority in one of the embodiments:
Receive first ciphertext and the second ciphertext;
The encryption key of certificate of utility authorization center decrypts the second ciphertext, obtains true random number;
The first ciphertext is decrypted using true random number, obtains solicited message and signature;
The public signature key of user is taken out in public key pond according to the client public key pointer random number in solicited message;
Public signature key according to user verifies signature, is verified the generation certificate of authority;
Generate replying message comprising certificate request and the certificate of authority;
The signature private key of certificate of utility authorization center is signed to replying message;
A true random number is generated, using true random number to replying message and signature encrypts, obtains third ciphertext;
True random number is encrypted using the encrypted public key of user, obtains the 4th ciphertext;
Third ciphertext and the 4th ciphertext are replied into user.
The anti-quantum certificate acquisition method further includes carrying out in user terminal in one of the embodiments:
The 4th ciphertext is decrypted using encryption key, obtains true random number;
Third ciphertext is decrypted using true random number, is replied message and is signed;
The public signature key decrypted signature of certificate of utility authorization center, is replied message;
Whether the certificate request verified in replying message is consistent with the certificate request of transmission;
Save the certificate of authority being verified.
The anti-quantum certificate acquisition method further includes public and private key renewal process, public and private key in one of the embodiments, Renewal process includes carrying out in user terminal:
It generates comprising public key after User Identity, public and private key update request, client public key pointer random number and update Update solicited message;
It is signed using user's signature private key to solicited message is updated;
A true random number is generated, update solicited message and signature are encrypted using true random number, it is close to obtain the 5th Text;
The public signature key of certificate of utility authorization center encrypts true random number, obtains the 6th ciphertext;
5th ciphertext and the 6th ciphertext are sent into certificate authority;
The feedback result of certificate authority is received and verifies, to update public and private key.
The public and private key renewal process further includes carrying out in certificate authority in one of the embodiments:
Receive the 5th ciphertext and the 6th ciphertext;
The encryption key of certificate of utility authorization center decrypts the 6th ciphertext, obtains true random number;
The 5th ciphertext is decrypted using true random number, obtains updating solicited message and signature;
The public signature key of user is taken out in public key pond according to the client public key pointer random number updated in solicited message;
Signature is verified according to the public signature key of user, corresponding public key unit and public key pond are updated after being verified Timestamp;
The update for updating request, updated timestamp and update result comprising public and private key is generated to reply message;
The signature private key of certificate of utility authorization center, which replies message update, signs;
A true random number is generated, update is replied message using true random number and signature encrypts, it is close to obtain the 7th Text;
True random number is encrypted using the encrypted public key of user, obtains the 8th ciphertext;
7th ciphertext and the 8th ciphertext are replied into user.
The public and private key renewal process further includes carrying out in user terminal in one of the embodiments:
The 8th ciphertext is decrypted using encryption key, obtains true random number;
The 7th ciphertext is decrypted using true random number, update is obtained and replies message and sign;
The public signature key decrypted signature of certificate of utility authorization center obtains update and replies message;
Whether verifying updates the request of the public and private key in replying message consistent with the public and private key request of transmission;
Original public and private key is replaced using the public and private key after being verified, and renewal time stabs.
The anti-quantum certificate acquisition method further includes the public key pond renewal process of user in one of the embodiments, The public key pond renewal process of user includes carrying out in user terminal:
When generating comprising User Identity, the update request of public key pond, client public key pointer random number and client public key pond Between the update solicited message stabbed;
It is signed using user's signature private key to solicited message is updated;
A true random number is generated, update solicited message and signature are encrypted using true random number, it is close to obtain the 9th Text;
The public signature key of certificate of utility authorization center encrypts true random number, obtains the tenth ciphertext;
9th ciphertext and the tenth ciphertext are sent into certificate authority;
The feedback result of certificate authority is received and verifies, to update the public key pond of user.
In one of the embodiments, the public key pool update process of the user further includes, at the certificate authority:
Receiving the ninth ciphertext and the tenth ciphertext;
Decrypting the ninth ciphertext with the encryption private key of the certificate authority to obtain the true random number;
Decrypting the tenth ciphertext with the true random number to obtain the update request information and the signature;
Retrieving the user's signature public key from the public key pool according to the user public key pointer random number in the update request information;
Verifying the signature with the user's signature public key and, after verification succeeds, generating an update reply message, the update reply message including the public key pool update request, the public key pool timestamp of the certificate authority, and the set of all public key units in the public key pool whose timestamps are greater than the user public key pool timestamp;
Signing the update reply message with the signature private key of the certificate authority;
Generating a true random number, and encrypting the update reply message, the signature and the set of all public key units in the public key pool whose timestamps are greater than the user public key pool timestamp with the true random number to obtain the eleventh ciphertext;
Encrypting the true random number with the user's encryption public key to obtain the twelfth ciphertext;
Replying to the user with the eleventh ciphertext and the twelfth ciphertext.
In one of the embodiments, the public key pool update process of the user further includes, at the user terminal:
Decrypting the twelfth ciphertext with the encryption private key to obtain the true random number;
Decrypting the eleventh ciphertext with the true random number to obtain the update reply message, the signature and the set of all public key units in the public key pool whose timestamps are greater than the user public key pool timestamp;
Decrypting the signature with the signature public key of the certificate authority to obtain the update reply message;
Verifying whether the public key pool request in the update reply message is consistent with the public key pool request that was sent;
After verification succeeds, updating the public key pool of the user and the public key pool timestamp of the user.
The present invention implements an anti-quantum-computing digital certificate system based on a public key pool. The scenario addressed by the present invention is a group whose members all hold the same public key pool. The CA (i.e. certificate authority) in the group holds a CA key card, and the other members hold user key cards. A key card in the present invention can not only store a large amount of data but is also able to process information. In the present invention, every key card contains the algorithms required for the corresponding operations.
A description of the key card can be found in the patent with application No. "201610843210.6". For a mobile terminal, the key card is preferably a key SD card; for a fixed terminal, the key card is preferably a key USBkey or a host key board.
Compared with the patent with application No. "201610843210.6", the key card issuance mechanism is different. In this patent, the issuer of the key card is the supervising party of the key card, generally the administrative department of the group, for example the management department of an enterprise or public institution; the recipients of the key card are the members managed by the supervising party, generally the employees at all levels of that enterprise or public institution. The user terminal first applies to the supervising party of the key card to open an account. After its registration is approved, the user terminal obtains a key card (with a unique key card ID). The key card stores the user's registration information. The user-side keys in the key card are all downloaded from the CA service station, and for the same supervising party, the key pool stored in every key card it issues is completely identical. Preferably, the size of the key pool stored in the key card may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, etc.
The key card is developed from smart card technology and is an identity authentication and encryption/decryption product that combines a true random number generator (preferably a quantum random number generator), cryptography and hardware security isolation technology. The embedded chip and operating system of the key card provide functions such as secure key storage and cryptographic algorithms. Because it has independent data processing capability and good security, the key card serves as the security barrier for the private keys and the key pool. Each key card is protected by a hardware PIN code; the PIN code and the hardware are the two factors a user needs in order to use the key card, i.e. so-called "two-factor authentication": a user can log in to the system only when holding both the key card that stores the relevant authentication information and the user PIN code. Even if the user's PIN code is leaked, the identity of the legitimate user cannot be counterfeited as long as the key card held by the user is not stolen; if the user's key card is lost, the finder cannot counterfeit the identity of the legitimate user either, because the finder does not know the user PIN code.
The present invention is described in detail below with reference to the accompanying drawings.
1. PK unit
The public key pool consists of n PK units. A PK unit is a public key unit, and n is the number of all members in the group, including the CA and the other users. A PK unit comprises seven parts: PKR, FPOS information, PKE, PKE algorithm, PKS, PKS algorithm and a timestamp, as shown in Table 1. PKR is the public key pointer random number (the storage location parameter of the public key), FPOS is the public key pointer function, PKE is the encryption public key, PKS is the signature public key, and the timestamp T is the time at which the current PK unit was entered.
Table 1
PKR | FPOS information | PKE | PKE algorithm | PKS | PKS algorithm | Timestamp
The FPOS information includes the FPOS algorithm ID and the internal parameters, as shown in Table 2.
Table 2
FPOS algorithm ID | Internal parameters
FPOS can be computed in many ways. One example is FPOS(PKR) = (a*PKR+b) % n, where % is the modulo operation, PKR is the input variable, n (the number of PK units) is an external parameter, and a and b are internal parameters. Another is FPOS(PKR) = (PKR^c)*d % n, where ^ is exponentiation, % is the modulo operation, PKR is the input variable, n (the number of PK units) is an external parameter, and c and d are internal parameters. These two algorithms are for reference only, and the present invention is not limited to these two calculations.
The PKE algorithm and the PKS algorithm each refer to a specific public key algorithm (asymmetric cryptographic algorithm). Many public key algorithms are possible, such as RSA, DSA or ECC. Each public key algorithm also has its own algorithm parameters, which are likewise stored in the storage area of the public key algorithm.
2. Key card
The present invention uses two kinds of key card: the CA key card for the CA system, and the user key card. The CA key card contains the public key pool, the CA private key unit and the CA public key pointer random number; the user key card contains the public key pool, the user private key unit, the user public key pointer random number and the CA public key pointer random number. When the key cards are initialized, the public key pool in the CA key card is identical to the public key pool in the user key card. The distribution of the key pools is shown in Fig. 1 and Fig. 2.
Before issuing key cards, the CA server (i.e. certificate authority) creates a public key pool file of at least n*sp in size and a private key pool file of at least n*ss in size. sp is the size of one PK unit and ss is the size of one private key unit. A private key unit consists of SKE and SKS, so the size of a private key unit is the sum of the sizes of SKE and SKS, where SKE is the encryption private key and SKS is the signature private key. The CA server generates n PKE/SKE pairs and n PKS/SKS pairs. The CA server can offer multiple asymmetric algorithms and selects one of them when generating each public/private key pair.
The CA server assigns values to each public key unit and private key unit. First, the CA server generates PKR, which is a true random number, preferably a quantum random number. The CA server randomly generates an FPOS algorithm ID and FPOS internal parameters and computes PKPOS, the public key position pointer. The CA server assigns the position PKPOS of the public key pool, i.e. writes PKR, the FPOS information, PKE, the PKE algorithm, PKS, the PKS algorithm and the corresponding timestamp T. The CA server assigns the position PKPOS of the private key pool file, i.e. writes SKE and SKS. If the position PKPOS has already been assigned, one or more of PKR, the FPOS algorithm ID and the FPOS internal parameters are replaced and this process is executed again, until an unassigned position is found.
The CA server randomly selects one PK unit from the public key pool file and uses the public keys of that PK unit as the CA public keys, i.e. PKE_CA (the encryption public key of the CA) and PKS_CA (the signature public key of the CA), and uses the PKR of that PK unit as the CA public key pointer random number, i.e. PKR_CA. At the same time it takes the private keys at the same position in the private key pool file as the CA private key unit, i.e. SKE_CA and SKS_CA. The CA may have one or more public/private key units; if there are several, the foregoing procedure is performed several times. The CA server sends the public key pool file, the private keys and the CA public key pointer random number to the CA key card by a secure transmission method, and the CA key card stores the relevant keys inside the CA key card. Let the timestamp of the PK unit corresponding to the CA be T_CA; the time T_CA is recorded as the initial timestamp of the public key pool, TP = T_CA. The CA sends PKR, PKR_CA, the private key unit corresponding to PKR, and the public key pool file to the user key card by a secure transmission method, and the user key card stores the relevant keys inside the user key card.
The secure transmission method may be:
(1) the user key card is connected directly to the CA key card through USB, a network interface or the like, and the CA key card transmits the information;
(2) the user key card and the CA key card are connected through USB, a network interface or the like to a secure host approved by the CA, and the host relays the information;
(3) the CA key card and the user key card are assigned a pre-shared key; the CA key card encrypts the information with the pre-shared key, and after transmission over the network to the user key card the information is decrypted by the user key card;
(4) a quantum key distribution network exists between the CA key card and the user key card; the CA key card encrypts the information with a key from quantum key distribution, and after transmission to the user key card the information is decrypted by the user key card;
(5) the information is copied directly into the user key card by means of a secure storage medium;
(6) other secure transmission means not mentioned here.
Users receive their user key cards one after another. The CA issues user key cards one after another according to user demand. Each time a user key card is issued and the user has updated the key area in that user key card, the public key pool in the CA is also updated, i.e. the content of the public key unit corresponding to that user and the public key pool timestamp are updated. As the public key pool in the CA changes, user key cards received by users at different later moments will hold different public key pools and different public key pool timestamps.
After a user obtains the user key card, the user updates the key area in the user key card in order to improve security, because the user's public/private key pairs were generated by the CA. Updating means that the user generates their own public/private key pair and replaces the public key and private key, respectively, in the public key unit and private key unit corresponding to the user in the key card.
3. Digital certificate
The structure of the digital certificate is shown in Fig. 3.
The digital certificate comprises four parts: certificate information, issuer information, holder information and the issuer digital signature. The certificate information includes the version number, serial number and validity period. The issuer information is the issuer name, i.e. the CA name. The holder information includes the holder name, the public key algorithm, the holder's public key pointer random number PKR and the user's public key timestamp, where the public key algorithm includes the holder's encryption public key algorithm and signature public key algorithm. The issuer digital signature includes PKR_CA, the signature algorithm and the encrypted CA digital signature. The CA digital signature is encrypted as follows: let the certificate information, issuer information and holder information of the digital certificate be M, and let the digest of M be MD. The CA server signs MD with the private key SKS_CA to obtain the signature MS=SIGN_CA{MD}, where SIGN_CA denotes the signature algorithm of the CA. The CA server generates a true random number R and encrypts the signature MS with R to obtain {MS}R. The CA server then encrypts R with the private key SKE_CA to obtain {R}SKE_CA. The final encrypted signature is PKR_CA||{MS}R||{R}SKE_CA.
The digital certificate verification process is as follows:
The user first searches the public key pool in the key card for a PK unit whose PKR is identical to the public key pointer random number PKR in the holder information. If none is found, verification fails and the process ends. If one is found, the PKR is evaluated with the FPOS information in the matched PK unit and the resulting value is compared with the PKPOS of that PK unit. If they are identical, PKR verification passes. The timestamp in the PK unit is then compared with the public key timestamp of the certificate; if the timestamp of the PK unit is less than the public key timestamp of the certificate, the public key pool is updated first (public key pool update is described in Part 6 below); otherwise verification proceeds to the next step. The public key algorithm in the certificate is then compared with the public key algorithm of the PK unit. If they are identical, public key algorithm verification passes. The user then takes the CA public key pointer random number PKR_CA from the encrypted CA digital signature and verifies whether it is present in the CA public key pointer random number area of the key card; if not, verification fails and the process ends. If PKR_CA is found, the CA public key PKE_CA is taken from the public key pool in the key card. The user uses PKE_CA to decrypt {R}SKE_CA in the issuer digital signature of the digital certificate and obtains R. The user decrypts {MS}R with R to obtain MS, and verifies the signature MS with PKS_CA. If the digital signature of the certificate verifies, the certificate is legitimate, i.e. the certificate really comes from the CA. Finally, the user verifies whether the certificate is within its validity period.
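The pool assignment of Part 2 and the first checks of the verification flow above (PKR match, FPOS recomputation against PKPOS, timestamp comparison, algorithm comparison) are shown below in Python. This is an added example, not code from the patent; the FPOS algorithm ID values, the parameter ranges, the status strings and the names `PKUnit`, `assign_unit` and `check_holder` are assumptions, and the CA signature and validity-period steps are outside its scope.

```python
import secrets
from dataclasses import dataclass

LINEAR, POWER = 1, 2  # FPOS algorithm IDs; the numeric values are assumed here


@dataclass
class PKUnit:
    pkr: int          # public key pointer random number
    fpos_id: int      # FPOS information: algorithm ID ...
    params: tuple     # ... and internal parameters (a, b) or (c, d)
    pke_alg: str
    pks_alg: str
    timestamp: int
    pke: bytes = b""  # key material plays no part in these checks
    pks: bytes = b""


def fpos(pkr, fpos_id, params, n):
    """Map PKR to a pool position with one of the two example functions."""
    if fpos_id == LINEAR:
        a, b = params
        return (a * pkr + b) % n
    if fpos_id == POWER:
        c, d = params
        return (pow(pkr, c, n) * d) % n  # same value as (PKR^c)*d % n
    raise ValueError("unknown FPOS algorithm ID")


def assign_unit(pool, pke_alg, pks_alg, timestamp, rng=None):
    """CA side: draw PKR and FPOS information until PKPOS is a free slot."""
    rng = rng or secrets.SystemRandom()  # stands in for the card's true RNG
    n = len(pool)
    if all(unit is not None for unit in pool):
        raise RuntimeError("public key pool is full")
    while True:
        pkr = rng.getrandbits(128)
        fpos_id = rng.choice((LINEAR, POWER))
        params = (rng.randrange(1, 1 << 16), rng.randrange(1, 1 << 16))
        pos = fpos(pkr, fpos_id, params, n)
        if pool[pos] is None:  # occupied position: redraw and try again
            pool[pos] = PKUnit(pkr, fpos_id, params, pke_alg, pks_alg, timestamp)
            return pos


def check_holder(pool, cert_pkr, cert_pke_alg, cert_pks_alg, cert_timestamp):
    """User side: the holder-information checks that precede signature checking."""
    n = len(pool)
    hit = next(((i, u) for i, u in enumerate(pool)
                if u is not None and u.pkr == cert_pkr), None)
    if hit is None:
        return "FAIL_PKR_NOT_FOUND"
    pos, unit = hit
    # A unit stored anywhere other than FPOS(PKR) does not belong to this pool.
    if fpos(unit.pkr, unit.fpos_id, unit.params, n) != pos:
        return "FAIL_PKPOS_MISMATCH"
    # The local unit is older than the key the certificate refers to.
    if unit.timestamp < cert_timestamp:
        return "UPDATE_POOL_FIRST"
    if (unit.pke_alg, unit.pks_alg) != (cert_pke_alg, cert_pks_alg):
        return "FAIL_ALGORITHM"
    return "CONTINUE"


if __name__ == "__main__":
    pool = [None] * 8  # constructed pool for a group of eight members
    for i in range(8):
        assign_unit(pool, "RSA", "ECC", 100 + i)
    holder = pool[3]
    print(check_holder(pool, holder.pkr, "RSA", "ECC", holder.timestamp))
```

Because the certificate carries only PKR and never the public key itself, a verifier that skips the FPOS recomputation would accept any unit that merely holds a matching PKR value, wherever it sits in the pool.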
4. User updates public/private keys
Step 1: The key card provides multiple asymmetric algorithms. The user selects one of them, which may be an encryption public key algorithm or a signature public key algorithm, and the key card generates a public/private key pair for that algorithm, i.e. the PKi/SKi pair. The user key card writes the private key SKi into the user key card without overwriting SKE and SKS. Because SKi never leaves the key card (i.e. SKi only ever exists in the user's key card), its security is ensured.
Step 2: Let REQK be the public/private key update request. Let MC=ID||PKR||REQK||PKD, where ID is the ID assigned to the key card by the CA server when the key card was issued, and PKD contains the public key PKi together with the information and algorithm ID of the corresponding algorithm. A digest algorithm is applied to MC to compute MCD=Hash(MC). MCD is signed with SKS to obtain the signature MCS=SIGN{MCD}, where SIGN denotes the signature algorithm of the user and SKS is the signature private key in the user key card. The user key card generates a true random number KMC and symmetrically encrypts MC and MCS with KMC to obtain {MC||MCS}KMC. The user key card then asymmetrically encrypts KMC with the CA public key PKE_CA to obtain {KMC}PKE_CA. The user sends the public/private key update request to the CA server: {MC||MCS}KMC||{KMC}PKE_CA.
Step 3: The CA server receives the user's public/private key update request. The CA key card decrypts {KMC}PKE_CA with the CA private key SKE_CA to obtain the true random number KMC. The CA key card symmetrically decrypts {MC||MCS}KMC with KMC to obtain MC||MCS. The CA key card finds the corresponding PK unit according to the PKR in MC, evaluates the PKR with the FPOS information in the matched PK unit, and compares the resulting value with the PKPOS of that PK unit. If they are identical, PKR verification passes. The CA key card verifies the signature MCS with PKS.
The CA server parses ID||PKR||REQK||PKD from MC. According to REQK and the algorithm ID in PKD, the CA key card decides to replace the encryption public key part or the signature public key part of the corresponding PK unit, and updates the timestamp of that PK unit, updating the timestamp of the public key pool at the same time.
Step 4: Let KTC be a symmetric encryption key, which is a true random number. Let TU be the updated PK unit timestamp. Let RESPK be the public/private key update reply, which may include REQK and the result of the public/private key update, such as success, failure, or the reason for failure. Let MCA=MC||TU||RESPK. The CA key card applies a digest algorithm to MCA to compute MCAD=Hash(MCA), and signs MCAD with the CA private key SKS_CA to obtain the signature MCAS=SIGN_CA{MCAD}. The CA key card symmetrically encrypts MCA||MCAS with KTC to obtain {MCA||MCAS}KTC. If PKi is an encryption public key, the CA key card asymmetrically encrypts KTC with PKi to obtain {KTC}PKi. Otherwise, the CA key card asymmetrically encrypts KTC with PKE to obtain {KTC}PKE. That is, if an updated encryption public key PKi exists, it is used for the encryption; if not, PKE is used.
The CA server sends the reply to the user's public/private key update request: {MCA||MCAS}KTC||{KTC}PKi or {MCA||MCAS}KTC||{KTC}PKE.
Step 5: The user key card asymmetrically decrypts {KTC}PKi or {KTC}PKE with the corresponding encryption private key SKi or SKE to obtain KTC, and decrypts {MCA||MCAS}KTC with KTC to obtain MCA||MCAS. The user key card uses the CA public key pointer random number to take the CA public key PKS_CA from the public key pool. The user key card verifies the signature MCAS with PKS_CA. The user key card parses MCA to obtain MC||TU||RESPK. The user key card first verifies whether MC is consistent with the MC it sent. It then checks the public/private key update result in RESPK. If the result is success, the user key card replaces the corresponding public/private key pair in the key card with PKi/SKi, including the public key algorithm information in the corresponding PK unit, and at the same time updates the timestamp in the corresponding PK unit to TU.
As needed, the replacement of the encryption public/private key pair and of the signature public/private key pair can be completed at the same time in one digital certificate request; this only requires adding to the content of PKD.
5. User applies for a digital certificate
Step 1: Let REQC be the certificate request, which may include information that needs to be written into the certificate. Let MQ=ID||PKR||REQC, where ID is the ID (i.e. the user identity) assigned to the key card by the CA server when the key card was issued. A digest algorithm is applied to MQ to compute MQD=Hash(MQ). MQD is signed with SKS to obtain the signature MQS=SIGN{MQD}, where SIGN denotes the signature algorithm of the user and SKS is the signature private key in the user key card. The user key card generates a true random number KMQ and symmetrically encrypts MQ and MQS with KMQ to obtain {MQ||MQS}KMQ. The user key card then asymmetrically encrypts KMQ with the CA public key PKE_CA to obtain {KMQ}PKE_CA. The user sends the certificate request to the CA server: {MQ||MQS}KMQ||{KMQ}PKE_CA.
Step 2: The CA server receives the user's digital certificate request. The CA key card decrypts {KMQ}PKE_CA with the CA private key SKE_CA to obtain the true random number KMQ. The CA key card symmetrically decrypts {MQ||MQS}KMQ with KMQ to obtain MQ||MQS. The CA server parses ID||PKR||REQC from MQ. The CA key card finds the corresponding PK unit according to the PKR in MQ, evaluates the PKR with the FPOS information in the matched PK unit, and compares the resulting value with the PKPOS of that PK unit. If they are identical, PKR verification passes. The CA key card uses PKR to find the corresponding PK unit, takes PKS from it and verifies the signature MQS.
The CA server generates the digital certificate CERT of the user. The content of the digital certificate is described in Part 3 above.
Step 3: Let KTQ be a symmetric encryption key, which is a true random number. Let MQA=MQ||CERT. The CA key card applies a digest algorithm to MQA to compute MQAD=Hash(MQA), and signs MQAD with the CA private key SKS_CA to obtain the signature MQAS=SIGN_CA{MQAD}. The CA key card symmetrically encrypts MQA||MQAS with KTQ to obtain {MQA||MQAS}KTQ. The CA key card asymmetrically encrypts KTQ with the user's public key PKE to obtain {KTQ}PKE. The CA server sends the reply to the user's digital certificate request: {MQA||MQAS}KTQ||{KTQ}PKE.
Step 4: The user key card asymmetrically decrypts {KTQ}PKE with SKE to obtain KTQ, and decrypts {MQA||MQAS}KTQ with KTQ to obtain MQA||MQAS. The user key card uses the CA public key pointer random number to take the CA public key PKS_CA from the public key pool. The user key card verifies the signature MQAS with PKS_CA. The user key card parses MQA to obtain MQ||CERT. The user key card verifies whether MQ is consistent with the MQ it sent. If it is, the user verifies the digital certificate CERT; the verification process is described in Part 3 above. After CERT is verified successfully, the digital certificate CERT is saved.
6. User updates the public key pool
Step 1: Let REQP be the public key pool update request. Let TPU be the public key pool timestamp of the user key card. Let PKR be the user public key pointer random number. Let MP=ID||PKR||TPU||REQP, where ID is the ID assigned to the key card by the CA server when the key card was issued. A digest algorithm is applied to MP to compute MPD=Hash(MP). The user key card signs MPD with the user's SKS to obtain the signature MPS=SIGN{MPD}. The user key card generates a true random number KMP and symmetrically encrypts MP and MPS with KMP to obtain {MP||MPS}KMP. The user key card then asymmetrically encrypts KMP with the CA public key PKE_CA to obtain {KMP}PKE_CA. The user sends the public key pool update request to the CA server: {MP||MPS}KMP||{KMP}PKE_CA.
Step 2: The CA server receives the user's public key pool update request. The CA key card decrypts {KMP}PKE_CA with the CA private key SKE_CA to obtain the true random number KMP. The CA key card symmetrically decrypts {MP||MPS}KMP with KMP to obtain MP||MPS. The CA server parses ID||PKR||TPU||REQP from MP. The CA key card finds the corresponding PK unit according to PKR, evaluates the PKR with the FPOS information in the matched PK unit, and compares the resulting value with the PKPOS of that PK unit. If they are identical, PKR verification passes. The CA key card uses PKR to find the corresponding PK unit, takes PKS from it and verifies the signature MPS.
Step 3: Let KTP be a symmetric encryption key, which is a true random number. Let PKV be the set of all PK units in the current public key pool whose timestamps are greater than TPU. Let PKVD be the digest of PKV. Let TP_CA be the timestamp of the public key pool in the CA. Let MPA=MP||TP_CA||PKVD. The CA key card applies a digest algorithm to MPA to compute MPAD=Hash(MPA), and signs MPAD with the CA private key SKS_CA to obtain the signature MPAS=SIGN_CA{MPAD}. The CA key card symmetrically encrypts PKV||MPA||MPAS with KTP to obtain {PKV||MPA||MPAS}KTP. The CA key card asymmetrically encrypts KTP with the user's public key PKE to obtain {KTP}PKE. The CA server sends the reply to the user's public key pool update request: {PKV||MPA||MPAS}KTP||{KTP}PKE.
Step 4: The user key card asymmetrically decrypts {KTP}PKE with SKE to obtain KTP, and decrypts {PKV||MPA||MPAS}KTP with KTP to obtain PKV||MPA||MPAS. The user key card uses the CA public key pointer random number to take the CA public key PKS_CA from the public key pool. The user key card verifies the signature MPAS with PKS_CA. The user key card parses MPA to obtain MP||TP_CA||PKVD. The user key card first verifies whether MP is consistent with the MP it sent. It then compares the digest PKVD with the digest of PKV to verify the correctness of PKV. If PKV passes verification, the PK units in PKV replace the corresponding PK units in the public key pool. At the same time, TP_CA is used to update the local public key pool timestamp.
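Steps 3 and 4 above, narrowed to the part that decides what enters the local pool: the CA selects PKV and binds it into MPA through PKVD, and the user checks the MP echo and the digest before replacing any unit. This is an added example, not code from the patent; it assumes MPAS has already been verified with PKS_CA and the KTP layer removed, and the JSON encoding, SHA-256, field sizes, position keys in PKV, function names and the extra position/timestamp check are assumptions.

```python
import hashlib
import hmac
import json

DIGEST_LEN, TS_LEN = 32, 8  # SHA-256 output, 8-byte timestamp (assumed sizes)


def build_mp(card_id, pkr, tpu):
    """MP = ID || PKR || TPU || REQP, here as canonical JSON (assumed encoding)."""
    fields = {"id": card_id, "pkr": pkr, "tpu": tpu, "reqp": "REQP"}
    return json.dumps(fields, sort_keys=True).encode()


def digest_pkv(pkv):
    """PKVD: digest over a canonical encoding of PKV."""
    blob = json.dumps(pkv, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).digest()


def ca_build_reply(ca_pool, tp_ca, mp):
    """CA side: PKV = units newer than TPU, MPA = MP || TP_CA || PKVD."""
    tpu = json.loads(mp)["tpu"]
    pkv = {str(pos): dict(unit) for pos, unit in enumerate(ca_pool)
           if unit["ts"] > tpu}
    mpa = mp + tp_ca.to_bytes(TS_LEN, "big") + digest_pkv(pkv)
    return pkv, mpa


def user_apply_reply(user_pool, sent_mp, pkv, mpa):
    """User side: validate everything first, then replace units.

    Returns the new pool timestamp TP_CA; raises ValueError and leaves the
    pool untouched if any check fails.
    """
    tail = DIGEST_LEN + TS_LEN
    if len(mpa) < tail:
        raise ValueError("MPA too short")
    mp = mpa[:-tail]
    tp_ca = int.from_bytes(mpa[-tail:-DIGEST_LEN], "big")
    pkvd = mpa[-DIGEST_LEN:]
    if not hmac.compare_digest(mp, sent_mp):
        raise ValueError("MP in reply differs from the MP that was sent")
    if not hmac.compare_digest(digest_pkv(pkv), pkvd):
        raise ValueError("PKV does not match PKVD")
    tpu = json.loads(sent_mp)["tpu"]
    for pos, unit in pkv.items():
        # Added sanity check: PKV is defined as units newer than TPU.
        if not 0 <= int(pos) < len(user_pool) or unit["ts"] <= tpu:
            raise ValueError("unit outside the pool or not newer than TPU")
    for pos, unit in pkv.items():
        user_pool[int(pos)] = dict(unit)
    return tp_ca


def constructed_pools():
    """Constructed sample data: the user's copy is stale at positions 2 and 3."""
    ca_pool = [
        {"pkr": 0x51C3, "pke": "aa01", "pks": "bb01", "ts": 10},
        {"pkr": 0x7E20, "pke": "aa02", "pks": "bb02", "ts": 20},
        {"pkr": 0x19F4, "pke": "aa73", "pks": "bb73", "ts": 30},
        {"pkr": 0x6B8D, "pke": "aa94", "pks": "bb94", "ts": 40},
    ]
    user_pool = [dict(unit) for unit in ca_pool]
    user_pool[2].update(pke="aa03", pks="bb03", ts=12)
    user_pool[3].update(pke="aa04", pks="bb04", ts=15)
    return ca_pool, user_pool


if __name__ == "__main__":
    ca_pool, user_pool = constructed_pools()
    mp = build_mp("card-0007", user_pool[1]["pkr"], tpu=20)
    pkv, mpa = ca_build_reply(ca_pool, 40, mp)
    print(user_apply_reply(user_pool, mp, pkv, mpa), user_pool == ca_pool)
```

PKV travels outside the signed MPA, so PKVD is the only thing tying the replacement keys to the CA's signature; the pool must not be modified until that comparison has succeeded.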
In one embodiment, an anti-quantum certificate acquisition system based on a public key pool is provided. The participants include a certificate authority and users, each participant is equipped with a key card, each key card stores a public key pool, a private key unit and the public key pointer random number of the certificate authority, and the key card of a user also stores the user public key pointer random number,
The public key pool includes 1 to N public key units, each public key unit storing the encryption public key and signature public key of one corresponding user; the private key unit stores the corresponding encryption private key and signature private key;
The anti-quantum certificate acquisition system includes, arranged at the user terminal:
A first module, for generating request information comprising the certificate request, the user public key pointer random number and the user identity;
A second module, for signing the request information with the signature private key;
A third module, for generating a true random number and encrypting the request information and the signature with the true random number to obtain the first ciphertext;
A fourth module, for encrypting the true random number with the encryption public key of the certificate authority to obtain the second ciphertext;
A fifth module, for sending the first ciphertext and the second ciphertext to the certificate authority;
A sixth module, for receiving and verifying the authorization certificate of the certificate authority.
For the specific limitations of the anti-quantum certificate acquisition system, refer to the limitations of the anti-quantum certificate acquisition method above; they are not repeated here. Each of the above modules can be implemented wholly or partly in software, hardware or a combination of the two. The modules can be embedded in, or independent of, the processor of a computer device in hardware form, or stored in the memory of the computer device in software form, so that the processor can call them and perform the operations corresponding to each module.
In one embodiment, a computer device is provided, i.e. an anti-quantum certificate acquisition system. The computer device may be a terminal, and its internal structure may include a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements the anti-quantum certificate acquisition method. The display screen of the computer device may be a liquid crystal display or an electronic ink display; the input device of the computer device may be a touch layer covering the display screen, a key, trackball or trackpad provided on the housing of the computer device, or an external keyboard, trackpad or mouse.
In one embodiment, an anti-quantum certificate acquisition system based on a public key pool is provided. The participants include a certificate authority and users, each participant is equipped with a key card, each key card stores a public key pool, a private key unit and the public key pointer random number of the certificate authority, and the key card of a user also stores the user public key pointer random number,
The public key pool includes 1 to N public key units, each public key unit storing the encryption public key and signature public key of one corresponding user; the private key unit stores the corresponding encryption private key and signature private key;
Each participant includes a memory and a processor; a computer program is stored in the memory, and the processor implements the anti-quantum certificate acquisition method based on a public key pool when executing the computer program.
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The embodiments described above express only several implementations of the present invention. Their description is relatively specific and detailed, but it should not therefore be construed as limiting the scope of the invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the appended claims.

Claims (10)

1. An anti-quantum certificate acquisition method based on a public key pool, characterized in that the participants include a certificate authority and users, each participant is equipped with a key card, each key card stores a public key pool, a private key unit and the public key pointer random number of the certificate authority, and the key card of a user also stores the user public key pointer random number,
The public key pool includes 1 to N public key units, each public key unit storing the encryption public key and signature public key of one corresponding user; the private key unit stores the corresponding encryption private key and signature private key;
The anti-quantum certificate acquisition method includes, at the user terminal:
Generating request information comprising the certificate request, the user public key pointer random number and the user identity;
Signing the request information with the signature private key;
Generating a true random number, and encrypting the request information and the signature with the true random number to obtain the first ciphertext;
Encrypting the true random number with the encryption public key of the certificate authority to obtain the second ciphertext;
Sending the first ciphertext and the second ciphertext to the certificate authority;
Receiving and verifying the authorization certificate of the certificate authority.
2. The anti-quantum certificate acquisition method based on a public key pool as described in claim 1, characterized in that the anti-quantum certificate acquisition method further includes, at the certificate authority:
Receiving the first ciphertext and the second ciphertext;
Decrypting the second ciphertext with the encryption private key of the certificate authority to obtain the true random number;
Decrypting the first ciphertext with the true random number to obtain the request information and the signature;
Retrieving the user's signature public key from the public key pool according to the user public key pointer random number in the request information;
Verifying the signature with the user's signature public key, and generating the authorization certificate after verification succeeds;
Generating a reply message comprising the certificate request and the authorization certificate;
Signing the reply message with the signature private key of the certificate authority;
Generating a true random number, and encrypting the reply message and the signature with the true random number to obtain the third ciphertext;
Encrypting the true random number with the user's encryption public key to obtain the fourth ciphertext;
Replying to the user with the third ciphertext and the fourth ciphertext.
3. The anti-quantum certificate acquisition method based on a public key pool as claimed in claim 2, characterized in that the anti-quantum certificate acquisition method further includes, at the user side:
Decrypting the fourth ciphertext with the encryption private key to obtain the true random number;
Decrypting the third ciphertext with the true random number to obtain the reply message and the signature;
Decrypting the signature with the signature public key of the certificate authority to obtain the reply message;
Verifying whether the certificate request in the reply message is consistent with the certificate request that was sent;
Saving the authorization certificate once verification passes.
4. The anti-quantum certificate acquisition method based on a public key pool as described in claim 1, characterized in that the anti-quantum certificate acquisition method further includes a public/private key update process, which includes, at the user side:
Generating update request information comprising the user identity, a public/private key update request, the user public key pointer random number and the updated public key;
Signing the update request information with the user's signature private key;
Generating a true random number and encrypting the update request information and the signature with the true random number to obtain a fifth ciphertext;
Encrypting the true random number with the signature public key of the certificate authority to obtain a sixth ciphertext;
Sending the fifth ciphertext and the sixth ciphertext to the certificate authority;
Receiving and verifying the feedback result of the certificate authority in order to update the public and private keys.
5. The anti-quantum certificate acquisition method based on a public key pool as claimed in claim 4, characterized in that the public/private key update process further includes, at the certificate authority:
Receiving the fifth ciphertext and the sixth ciphertext;
Decrypting the sixth ciphertext with the encryption private key of the certificate authority to obtain the true random number;
Decrypting the fifth ciphertext with the true random number to obtain the update request information and the signature;
Taking the signature public key of the user out of the public key pool according to the user public key pointer random number in the update request information;
Verifying the signature with the signature public key of the user and, after verification passes, updating the timestamp of the corresponding public key unit and public key pool;
Generating an update reply message comprising the public/private key update request, the updated timestamp and the update result;
Signing the update reply message with the signature private key of the certificate authority;
Generating a true random number and encrypting the update reply message and the signature with the true random number to obtain a seventh ciphertext;
Encrypting the true random number with the encryption public key of the user to obtain an eighth ciphertext;
Returning the seventh ciphertext and the eighth ciphertext to the user.
6. The anti-quantum certificate acquisition method based on a public key pool as claimed in claim 5, characterized in that the public/private key update process further includes, at the user side:
Decrypting the eighth ciphertext with the encryption private key to obtain the true random number;
Decrypting the seventh ciphertext with the true random number to obtain the update reply message and the signature;
Decrypting the signature with the signature public key of the certificate authority to obtain the update reply message;
Verifying whether the public/private key request in the update reply message is consistent with the public/private key request that was sent;
After verification passes, replacing the original public and private keys with the updated public and private keys, and updating the timestamp.
7. The anti-quantum certificate acquisition method based on a public key pool as described in claim 1, characterized in that the anti-quantum certificate acquisition method further includes a public key pool update process of the user, which includes, at the user side:
Generating update request information comprising the user identity, a public key pool update request, the user public key pointer random number and the user public key pool timestamp;
Signing the update request information with the user's signature private key;
Generating a true random number and encrypting the update request information and the signature with the true random number to obtain a ninth ciphertext;
Encrypting the true random number with the signature public key of the certificate authority to obtain a tenth ciphertext;
Sending the ninth ciphertext and the tenth ciphertext to the certificate authority;
Receiving and verifying the feedback result of the certificate authority in order to update the public key pool of the user.
8. The anti-quantum certificate acquisition method based on a public key pool as claimed in claim 7, characterized in that the public key pool update process of the user further includes, at the certificate authority:
Receiving the ninth ciphertext and the tenth ciphertext;
Decrypting the ninth ciphertext with the encryption private key of the certificate authority to obtain the true random number;
Decrypting the tenth ciphertext with the true random number to obtain the update request information and the signature;
Taking the signature public key of the user out of the public key pool according to the user public key pointer random number in the update request information;
Verifying the signature with the signature public key of the user and, after verification passes, generating an update reply message, the update reply message comprising the public key pool update request, the public key pool timestamp of the certificate authority, and the set of all public key units in the public key pool whose timestamp is greater than the user public key pool timestamp;
Signing the update reply message with the signature private key of the certificate authority;
Generating a true random number and using it to encrypt the update reply message, the signature and the set of all public key units in the public key pool whose timestamp is greater than the user public key pool timestamp, to obtain an eleventh ciphertext;
Encrypting the true random number with the encryption public key of the user to obtain a twelfth ciphertext;
Returning the eleventh ciphertext and the twelfth ciphertext to the user.
9. The anti-quantum certificate acquisition method based on a public key pool as claimed in claim 8, characterized in that the public key pool update process of the user further includes, at the user side:
Decrypting the twelfth ciphertext with the encryption private key to obtain the true random number;
Decrypting the eleventh ciphertext with the true random number to obtain the update reply message, the signature and the set of all public key units in the public key pool whose timestamp is greater than the user public key pool timestamp;
Decrypting the signature with the signature public key of the certificate authority to obtain the update reply message;
Verifying whether the public key pool request in the update reply message is consistent with the public key pool request that was sent;
After verification passes, updating the public key pool of the user and the public key pool timestamp of the user.
10. An anti-quantum certificate acquisition system based on a public key pool, characterized in that the participants include a certificate authority and users, each participant is equipped with a key card, each key card stores a public key pool, a private key unit and the public key pointer random number of the certificate authority, and the key card of a user also stores the user public key pointer random number;
The public key pool includes public key units 1 to N, each public key unit storing the encryption public key and signature public key of one user; the corresponding encryption private key and signature private key are stored in the private key unit;
Each participant includes a memory and a processor, the memory stores a computer program, and the processor, when executing the computer program, implements the anti-quantum certificate acquisition method based on a public key pool according to any one of claims 1 to 9.
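The exchange of claims 1 to 3, traced end to end as an added example that is not code from the patent. The claims name no algorithms, so textbook RSA over fixed Mersenne primes and a SHA-256 keystream stand in for the asymmetric and symmetric primitives (insecure, for following the message flow only); the `pointer mod N` slot mapping, the two-unit pool, the JSON encoding and all names are assumptions.

```python
# Added illustration of claims 1-3: toy primitives and constructed values, not the patent's code.
import hashlib, json, secrets

E = 65537

def keypair(a, b):
    """Textbook RSA over the Mersenne primes 2**a-1 and 2**b-1 (insecure stand-in)."""
    p, q = 2**a - 1, 2**b - 1
    return {"pub": (p * q, E), "priv": (p * q, pow(E, -1, (p - 1) * (q - 1)))}

def rsa(key, m):
    return pow(m, key[1], key[0])          # key is (modulus, exponent)

def digest(info):
    data = json.dumps(info, sort_keys=True).encode()     # canonical form that gets signed
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    pad = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, pad))

# Constructed key material: one private key unit per participant, public halves in the pool.
CA_KEYS = {"enc": keypair(521, 607), "sig": keypair(4253, 4423)}
USER_KEYS = {"enc": keypair(1279, 2203), "sig": keypair(2281, 3217)}
POOL = [{name: kp["pub"] for name, kp in unit.items()} for unit in (CA_KEYS, USER_KEYS)]
CA_POINTER, USER_POINTER = 0x5A3C10, 0x5A3C11    # constructed pointer random numbers

def unit_for(pointer):
    """Assumed mapping from a pointer random number to a pool slot: pointer mod N."""
    return POOL[pointer % len(POOL)]

def seal(info, sig_priv, peer_enc_pub):
    """Sign info, encrypt info+signature under a fresh random key, wrap the key for the peer."""
    sig = rsa(sig_priv, digest(info))
    k = secrets.token_bytes(32)                  # the claims' "true random number"
    body = stream(k, json.dumps({"info": info, "sig": sig}).encode())
    return body, rsa(peer_enc_pub, int.from_bytes(k, "big"))

def open_sealed(body, wrapped, enc_priv, find_sig_pub):
    """Unwrap the key, decrypt, pick the signer's pool key, verify; None on any failure."""
    try:
        k = rsa(enc_priv, wrapped).to_bytes(32, "big")
        msg = json.loads(stream(k, body))
        info, sig = msg["info"], msg["sig"]
        return info if rsa(find_sig_pub(info), sig) == digest(info) else None
    except (OverflowError, ValueError, KeyError, TypeError):
        return None

def user_request(cert_request, user_id, pointer=USER_POINTER):
    """Claim 1: build the first and second ciphertext."""
    info = {"cert_request": cert_request, "pointer": pointer, "user_id": user_id}
    return seal(info, USER_KEYS["sig"]["priv"], unit_for(CA_POINTER)["enc"])

def ca_issue(c1, c2):
    """Claim 2: verify the request against the pool, return the third and fourth ciphertext."""
    info = open_sealed(c1, c2, CA_KEYS["enc"]["priv"],
                       lambda i: unit_for(i["pointer"])["sig"])
    if info is None:
        return None
    cert = {"subject": info["user_id"], "issuer": "CA"}   # constructed certificate body
    reply = {"cert_request": info["cert_request"], "certificate": cert}
    return seal(reply, CA_KEYS["sig"]["priv"], unit_for(info["pointer"])["enc"])

def user_accept(c3, c4, sent_request):
    """Claim 3: verify the CA signature and that the echoed request matches what was sent."""
    reply = open_sealed(c3, c4, USER_KEYS["enc"]["priv"],
                        lambda _: unit_for(CA_POINTER)["sig"])
    ok = reply is not None and reply["cert_request"] == sent_request
    return reply["certificate"] if ok else None

if __name__ == "__main__":
    print(user_accept(*ca_issue(*user_request("CSR-demo", "alice")), "CSR-demo"))
```

A request whose pointer selects a different pool unit fails signature verification at the certificate authority, as does any change to either ciphertext.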
CN201910048329.8A 2019-01-18 2019-01-18 Anti-quantum certificate acquisition system and method based on public key pool Active CN109672537B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910048329.8A CN109672537B (en) 2019-01-18 2019-01-18 Anti-quantum certificate acquisition system and method based on public key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910048329.8A CN109672537B (en) 2019-01-18 2019-01-18 Anti-quantum certificate acquisition system and method based on public key pool

Publications (2)

Publication Number Publication Date
CN109672537A true CN109672537A (en) 2019-04-23
CN109672537B CN109672537B (en) 2021-08-10

Family

ID=66149619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910048329.8A Active CN109672537B (en) 2019-01-18 2019-01-18 Anti-quantum certificate acquisition system and method based on public key pool

Country Status (1)

Country Link
CN (1) CN109672537B (en)

Also Published As

Publication number Publication date
CN109672537B (en) 2021-08-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant