CN111628860A - Method for generating and applying double-key system digital certificate - Google Patents

Publication number: CN111628860A
Authority: CN (China)
Prior art keywords: certificate, public key, encryption, signature, user
Legal status: Granted (active)
Application number: CN201910148673.4A
Other languages: Chinese (zh)
Other versions: CN111628860B (en)
Inventors: 郑军, 胡进, 张庆勇
Current Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD
Original Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD
Application filed by WUHAN ARGUSEC TECHNOLOGY CO LTD
Priority to CN201910148673.4A
Publication of CN111628860A
Application granted
Publication of CN111628860B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for generating a double-key system digital certificate, comprising the following steps: receiving a digital certificate application request from a user, and analyzing the request to obtain a signature public key or a temporary public key of a certificate; obtaining a certificate encryption key pair, encrypting the private key in the certificate encryption key pair with a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key with the obtained signature public key or temporary public key of the certificate to obtain a second encryption result; issuing to the user a double-key system digital certificate that includes the signature public key of the certificate and the public key in the certificate encryption key pair; and sending the encryption result to the user. The invention addresses the technical problem that, in the use of existing digital certificates, the lack of effective matching between the two certificates of a double digital certificate causes unnecessary loss to its owner.

Description

Method for generating and applying double-key system digital certificate
Technical Field
The invention belongs to the technical field of information security and the field of internet communication, and particularly relates to a generation method and an application method of a double-key system digital certificate.
Background
As informatization continues to deepen, government departments, enterprises and public institutions have deployed large numbers of business systems on the internet and exchange business data over it with branch offices and partners in other regions. This business data is an important digital asset of these organizations, and its confidentiality, authenticity, integrity and non-repudiation must be ensured; at present, digital certificates are the main means of meeting these requirements.
Digital certificates are authoritative electronic documents that prove the identity of entities (e.g., people, servers, etc.) that communicate information and conduct business over the internet. Digital certificates are divided into signature certificates and encryption certificates: the signature certificate is used for identity verification during communication, and the encryption certificate is used to encrypt key data during communication. An existing digital certificate belongs either to a single certificate system, in which a user uses only a signature certificate or only an encryption certificate to perform the signature or encryption operation, or to a dual certificate system, in which a user uses a signature certificate and an encryption certificate together to perform signature and encryption operations. The country has also successively introduced standards for digital certificates, which put forward the concept of double certificates. The national security SSL related standard specifies that a signature certificate and an encryption certificate are to be used, where the key of the signature certificate comes from the user and the key of the encryption certificate comes from a trusted third-party authority (e.g. a key management center). The signature key and the encryption key are thus stored in two separate digital certificates.
As a result, existing digital certificates have some non-negligible technical problems in use: first, because there is no effective matching between the two certificates of a double digital certificate, any two digital certificates can be combined into a double digital certificate, so a trusted third-party authority user can easily replace either one of the two certificates without the owner's knowledge, causing unnecessary loss to the owner of the double digital certificate; second, when a user uses a double digital certificate, the signature certificate and the encryption certificate need to be distinguished, but a simple and effective way of distinguishing them is currently lacking, and when a lawbreaker uses the encryption certificate as the signature certificate and the signature certificate as the encryption certificate, it is difficult for a judicial organization to obtain evidence of the illegal transactions; third, the user cannot determine whether a digital certificate belongs to a single certificate system or a double certificate system, which leads to mixed use of digital certificates; fourth, in a single certificate system, the private key is held only by the user and data encrypted with the public key can only be decrypted by the user, so it is difficult for a judicial organization to obtain evidence when it wishes to access data encrypted by the user.
Disclosure of Invention
In view of the above defects or improvement needs in the prior art, the present invention provides a method for generating a dual-key system digital certificate and a method for applying the same, which aim to solve the above technical problems in the existing digital certificate using process.
In order to achieve the above object, according to one aspect of the present invention, there is provided a method for generating a dual-key system digital certificate, which is applied to a CA, the method comprising the steps of:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key or the temporary public key of the certificate obtained in the step (1) to obtain a second encryption result;
(3) issuing to the user a dual-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) sending the encryption result obtained in step (2) to the user.
Preferably, the private key in the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, where the asymmetric encryption algorithm is SM2, RSA, or ECC and the symmetric encryption algorithm is AES, 3DES, or SM4, or the like, and the randomly generated symmetric key is encrypted using an asymmetric encryption algorithm, which includes SM2, RSA, or ECC.
According to another aspect of the present invention, there is provided a method for generating a dual-key system digital certificate, which is applied to a CA, the method comprising the steps of:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using the signature public key or the temporary public key of the certificate acquired in the step (1) to acquire an encryption result;
(3) the user is issued a dual-key system digital certificate that includes the public signature key of the certificate and the public key of the certificate encryption key pair.
(4) sending the encryption result obtained in step (2) to the user.
Preferably, the private key in the certificate encryption key pair is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC, among others.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, signature public key information of the certificate and encryption public key information of the certificate are filled in the TBS field, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is an extension of a public key information subfield in the TBS field of an existing x.509 digital certificate, and is used to store the signature public key information of the certificate and the encryption public key information of the certificate.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is a public key information subfield added in the TBS field of the existing x.509 digital certificate and used for storing public key information different from public key information stored in an original public key information subfield in the TBS field of the existing x.509 digital certificate.
Preferably, the dual-key system digital certificate includes a TBS field, a signature algorithm field, and a signature value field, the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, where the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in a certificate encryption key pair, where a public key information subfield in the TBS field is a public key information filled in an extension subfield in the TBS field of the existing x.509 digital certificate, and the public key information is different from the public key information stored in an original public key information subfield in the TBS field of the existing x.509 digital certificate.
According to another aspect of the present invention, there is provided an application method of a dual-key system digital certificate generated by the above-described generation method of the dual-key system digital certificate, the application method including the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by analysis, and sends the encryption result to the first user;
(6) the first user decrypts the encryption result obtained in step (5) by using the private key corresponding to the public key in the certificate encryption key pair obtained by analysis in step (1), to obtain the plaintext of the message.
According to another aspect of the present invention, there is provided an application method of a dual-key system digital certificate generated by the above-described generation method of the dual-key system digital certificate, the application method including the steps of:
(1) a first user acquires a double-key system digital certificate and analyzes the double-key system digital certificate to acquire signature public key information of the certificate and encrypted public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encrypted public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user analyzes the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user signs the data which needs to be sent to the first user by using the own private signature key to obtain a signature result, and sends the double-key system digital certificate and the signature result which are obtained in the step (3) to the first user;
(6) the first user analyzes the double-key system digital certificate from the second user to obtain a signature public key, and verifies the signature result from the second user by using the signature public key to determine whether the second user is a legal user, if so, the step (7) is carried out, otherwise, the process is ended;
(7) the second user encrypts the message to be sent to the first user by using the encrypted public key of the certificate obtained by analysis, and sends the encrypted result to the first user;
(8) the first user decrypts the encryption result obtained in step (7) by using the private key corresponding to the public key in the certificate encryption key pair obtained by analysis in step (1), to obtain the plaintext of the message.
Preferably, analyzing the dual-key system digital certificate specifically includes determining whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field; if the public key information subfield in the TBS field has been extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if two public key information subfields exist in the TBS field, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the two public key information subfields respectively; and if an extension subfield exists in the TBS field, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield in the TBS field respectively, or the encryption public key information of the certificate and the signature public key information of the certificate are obtained from them respectively.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) because the single certificate is adopted to realize the function of double certificates, the invention can solve the technical problem that any one of the double digital certificates is easy to replace by a trusted third party authority user due to poor matching in the existing double certificate system, thereby causing loss to a certificate owner;
(2) the digital certificate of the invention is specially provided with subfields for storing the public key in the certificate encryption key pair and the public key in the certificate signature key pair, so that the technical problem that the judicial organization cannot obtain the illegal transaction evidence because the encryption certificate and the signature certificate are mixed in the existing digital certificate can be solved.
(3) The invention is essentially a single digital certificate, but realizes the functions which can be realized by double digital certificates, thereby solving the technical problem that the existing users are easy to mix the digital certificates based on the existing digital certificate system.
(4) Because the private key corresponding to the public key in the certificate encryption key pair is stored in a third-party trusted authority (such as KMC or CA), the judicial organization can decrypt the data encrypted by the encrypted public key by the user in a mode of directly calling the private key from the third-party trusted authority, thereby directly obtaining evidence.
(5) The digital certificate of the invention realizes the function of double certificates while being smaller in size than a pair of double digital certificates, so the requirement on hardware storage capacity is lower and the equipment cost is reduced.
Drawings
Fig. 1 is a flowchart of a method of generating a dual-key system digital certificate according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method of generating a dual-key system digital certificate according to a second embodiment of the present invention;
Fig. 3 is a flowchart of an application method of a dual-key system digital certificate according to a first embodiment of the present invention;
Fig. 4 is a flowchart of an application method of a dual-key system digital certificate according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in Fig. 1, according to a first embodiment of the present invention, a method for generating a dual-key system digital certificate is provided, which is applied in a Certificate Authority (CA), and includes the following steps:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key of a certificate;
In this step, the obtained signature public key of the certificate is the public key in the signature key pair of the subsequent certificate.
Alternatively, the result after parsing in this step may also be a temporary public key of the certificate.
Specifically, a digital certificate application request sent by a user is received from a remote device or a local device.
(2) Acquiring a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key of the certificate obtained in the step (1) to obtain a second encryption result;
Specifically, the certificate encryption key pair may be acquired from a Key Management Center (KMC) or from the CA itself.
In this step, the private key in the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, where the asymmetric algorithm may be, for example, SM2, RSA or ECC, and the symmetric algorithm may be, for example, AES, 3DES or SM4. The algorithms are by no means limited to these; any algorithm obtained by combining a symmetric encryption algorithm and an asymmetric encryption algorithm is within the scope of the present invention.
In this step, the random symmetric key is encrypted using an asymmetric encryption algorithm, such as SM2, RSA or ECC. The algorithm is by no means limited to these; any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, in this step the randomly generated symmetric key may instead be encrypted by using the temporary public key of the certificate obtained in step (1) to obtain the second encryption result.
Alternatively, as shown in Fig. 2, step (2) can be replaced by:
(2') obtaining a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using the signature public key of the certificate obtained in the step (1) to obtain an encryption result;
The asymmetric encryption algorithm used for encrypting the private key in the certificate encryption key pair in this step may be, for example, SM2, RSA or ECC. The algorithm is by no means limited to these; any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, the encrypting the private key in the certificate encryption key pair in this step may also be encrypting the private key in the certificate encryption key pair by using the temporary public key of the certificate obtained in step (1) to obtain an encryption result;
(3) the user is issued a dual-key system digital certificate that includes the public signature key of the certificate and the public key of the certificate encryption key pair.
Specifically, the digital certificate in this step is a modification of the structure of the conventional X.509 digital certificate defined in the international standards RFC 5280 or RFC 3280.
The existing X.509 digital certificate includes a to-be-signed certificate (TBS) field, a signature algorithm field, and a signature value field.
The invention modifies the structure by filling the signature public key information of the certificate and the encryption public key information of the certificate in the TBS field, wherein the signature public key information of the certificate comprises the signature public key of the certificate and can also comprise a corresponding public key algorithm and the like according to the requirement, and the encryption public key information of the certificate comprises the public key in the encryption key pair of the certificate and can also comprise a corresponding public key algorithm and the like according to the requirement.
The specific modification of the structure may be one of the following three types:
A. The public key information subfield in the TBS field of the X.509 digital certificate is expanded so that it stores both the signature public key information of the certificate and the encryption public key information of the certificate.
B. A public key information subfield is added in a TBS field of an X.509 digital certificate and is used for storing public key information different from the public key information stored in the public key information subfield in the TBS field.
Specifically, if the signature public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, the encryption public key information of the certificate is stored in the newly added public key information subfield; if the encrypted public key information of the certificate is already stored in the public key information subfield originally included in the TBS certificate field, the signature public key information of the certificate is stored in the newly added public key information subfield.
C. Public key information different from the public key information stored in the public key information subfield originally in the TBS field is filled in the extension subfield in the TBS field of the x.509 digital certificate.
Specifically, if the signature public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, the encryption public key information of the certificate is filled; and if the encrypted public key information of the certificate is already stored in the public key information subfield originally included in the TBS field, filling the signature public key information of the certificate in the newly added public key information subfield.
(4) And (3) sending the encryption result obtained in the step (2) to the user.
As shown in fig. 3, according to another embodiment of the present invention, there is provided an application method of a dual-key system digital certificate generated by the first embodiment, the application method including the steps of:
(1) a first user acquires a dual-key system digital certificate and parses it to obtain the signature public key information and the encryption public key information of the certificate, wherein the signature public key information comprises the signature public key of the certificate and may, as required, also comprise the corresponding public key algorithm and the like, and the encryption public key information comprises the public key in the certificate encryption key pair and may, as required, also comprise the corresponding public key algorithm and the like;
Specifically, the parsing process first determines whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field. If the public key information subfield has been extended, the signature public key information and the encryption public key information of the certificate are obtained directly from the extended public key information subfield. If two public key information subfields exist in the TBS field, the signature public key information and the encryption public key information of the certificate are obtained from the two subfields respectively. If the TBS field has the extension subfield, the signature public key information and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield respectively, or the encryption public key information and the signature public key information are obtained from them respectively.
(2) The first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user parses the dual-key system digital certificate to obtain the signature public key information and the encryption public key information of the certificate, wherein the signature public key information comprises the signature public key of the certificate and may, as required, also comprise the corresponding public key algorithm and the like, and the encryption public key information comprises the public key in the certificate encryption key pair and may, as required, also comprise the corresponding public key algorithm and the like;
The certificate parsing process in this step is identical to that in step (1) and is not described again here.
(4) The second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(6) the first user decrypts the encryption result obtained in step (5) by using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the message plaintext.
As shown in fig. 4, in another embodiment, the steps (5) and (6) may be replaced by:
(5') the second user signs the data to be sent to the first user by using its own signature private key to obtain a signature result, and sends the double-key system digital certificate obtained in step (3) and the signature result to the first user;
(6') the first user parses the double-key system digital certificate from the second user to obtain a signature public key, and verifies the signature result from the second user by using that signature public key to determine whether the second user is a legal user; if so, step (7') is carried out, otherwise the process ends;
(7') the second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(8') the first user decrypts the encryption result obtained in step (7') by using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the message plaintext.
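Structure C and the parsing step described above, as an added Go example (not code from the patent): the CA puts the signature public key in the standard public key subfield and the encryption public key in a TBS extension, and the relying party accepts the two keys only after the CA signature over the TBS bytes verifies. The extension OID, the ECDSA P-256 and RSA-2048 key types, the names and the helper functions are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical OID for the encryption-key extension; the patent names none.
var oidEncKey = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1, 1}

type demo struct { // constructed keys plus the issued certificate (DER)
	caKey, signKey *ecdsa.PrivateKey
	encKey         *rsa.PrivateKey
	der            []byte
}

// setup plays the CA for structure C: signing key in the standard public key
// subfield, encryption key (as SubjectPublicKeyInfo) in a TBS extension.
func setup() (*demo, error) {
	caKey, e1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signKey, e2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	encKey, e3 := rsa.GenerateKey(rand.Reader, 2048)
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&encKey.PublicKey)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "first-user"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidEncKey, Value: spki}},
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "demo-ca"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &signKey.PublicKey, caKey)
	return &demo{caKey, signKey, encKey, der}, err
}

// parse returns the signing and encryption keys only if the CA signature verifies.
func parse(der []byte, caPub *ecdsa.PublicKey) (*ecdsa.PublicKey, *rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err == nil { // the signed TBS bytes cover the subfield and the extension
		err = (&x509.Certificate{PublicKey: caPub}).CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
	}
	if err != nil {
		return nil, nil, err
	}
	signPub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidEncKey) {
			continue
		}
		k, _ := x509.ParsePKIXPublicKey(ext.Value)
		if encPub, ok := k.(*rsa.PublicKey); ok && signPub != nil {
			return signPub, encPub, nil
		}
	}
	return nil, nil, errors.New("certificate does not carry both expected keys")
}

func main() {
	d, err := setup()
	if err != nil {
		panic(err)
	}
	_, _, errGood := parse(d.der, &d.caKey.PublicKey)
	d.der[len(d.der)/2] ^= 1 // alter one byte inside the TBS
	_, _, errBad := parse(d.der, &d.caKey.PublicKey)
	fmt.Println("issued accepted:", errGood == nil, "tampered rejected:", errBad != nil)
}
```

Because the extension sits inside the TBS field, changing either public key invalidates the CA signature, which is what the second `parse` call in `main` shows.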
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for generating a double-key system digital certificate, applied to a CA, characterized by comprising the following steps:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key or the temporary public key of the certificate obtained in the step (1) to obtain a second encryption result;
(3) issuing to the user a dual-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) sending the encryption result obtained in step (2) to the user.
2. The generation method of claim 1, wherein the private key of the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, the asymmetric algorithm being SM2, RSA, or ECC and the symmetric algorithm being AES, 3DES, or SM4, and wherein the randomly generated symmetric key is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC.
3. A method for generating a double-key system digital certificate, applied to a CA, characterized by comprising the following steps:
(1) receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of a certificate;
(2) acquiring a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using the signature public key or the temporary public key of the certificate acquired in the step (1) to acquire an encryption result;
(3) issuing to the user a dual-key system digital certificate that includes the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) sending the encryption result obtained in step (2) to the user.
4. The generation method according to claim 1, wherein the encryption of the private key of the certificate encryption key pair is performed using an asymmetric encryption algorithm, including SM2, RSA, or ECC.
5. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is an extension of the public key information subfield in the TBS field of an existing X.509 digital certificate, and is used to store signature public key information of the certificate and encryption public key information of the certificate.
6. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is obtained by adding a public key information subfield in the TBS field of the existing X.509 digital certificate, and is used for storing public key information different from the public key information stored in the public key information subfield in the TBS field of the existing X.509 digital certificate.
7. The generation method according to any one of claims 1 to 4,
the dual-key system digital certificate comprises a TBS field, a signature algorithm field and a signature value field;
the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
the public key information subfield in the TBS field is obtained by filling the extension subfield in the TBS field of the existing X.509 digital certificate with public key information different from the public key information stored in the public key information subfield originally in the TBS field of the existing X.509 digital certificate.
8. A method for applying a dual-key system digital certificate generated by the method for generating a dual-key system digital certificate according to any one of claims 1 to 5, the method comprising the steps of:
(1) a first user acquires a double-key system digital certificate and parses it to obtain signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user parses the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(6) the first user decrypts the encryption result obtained in step (5) by using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the message plaintext.
9. A method for applying a dual-key system digital certificate generated by the method for generating a dual-key system digital certificate according to any one of claims 1 to 5, the method comprising the steps of:
(1) a first user acquires a double-key system digital certificate and parses it to obtain signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(2) the first user signs data by using a private key corresponding to a public key in the certificate encryption key pair obtained by analysis in the step (1) to obtain signed data, and sends the double-key system digital certificate and the signed data to the second user;
(3) the second user parses the double-key system digital certificate to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) the second user verifies the signed data from the first user by using the signature public key of the certificate obtained by analysis to determine whether the first user is a legal user, if so, the step (5) is carried out, otherwise, the process is ended;
(5) the second user signs the data which needs to be sent to the first user by using the own private signature key to obtain a signature result, and sends the double-key system digital certificate and the signature result which are obtained in the step (3) to the first user;
(6) the first user analyzes the double-key system digital certificate from the second user to obtain a signature public key, and verifies the signature result from the second user by using the signature public key to determine whether the second user is a legal user, if so, the step (7) is carried out, otherwise, the process is ended;
(7) the second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(8) the first user decrypts the encryption result obtained in step (7) by using the private key corresponding to the public key in the certificate encryption key pair obtained by parsing in step (1), to obtain the message plaintext.
10. The method according to claim 8 or 9, wherein parsing the dual-key system digital certificate comprises first determining whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field; if the public key information subfield in the TBS field has been extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if two public key information subfields exist in the TBS field, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the two public key information subfields respectively; and if the TBS field has the extension subfield, the signature public key information of the certificate and the encryption public key information of the certificate are obtained from the public key information subfield and the extension subfield in the TBS field respectively, or the encryption public key information of the certificate and the signature public key information of the certificate are obtained from them respectively.
CN201910148673.4A 2019-02-28 2019-02-28 Method for generating digital certificate of double-key system and application method Active CN111628860B (en)

Publications (2)

Publication Number Publication Date
CN111628860A true CN111628860A (en) 2020-09-04
CN111628860B CN111628860B (en) 2023-08-08

Family

ID=72270782

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant