CN111628860B - Method for generating digital certificate of double-key system and application method - Google Patents

Publication number: CN111628860B
Authority: CN (China)
Prior art keywords: certificate, public key, encryption, key information, signature
Legal status: Active
Application number: CN201910148673.4A
Other languages: Chinese (zh)
Other versions: CN111628860A
Inventors: 郑军, 胡进, 张庆勇
Current Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD
Original Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD
Application filed by WUHAN ARGUSEC TECHNOLOGY CO LTD
Priority to CN201910148673.4A
Publication of CN111628860A
Application granted
Publication of CN111628860B

Classifications

    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a method for generating a digital certificate of a double-key system, comprising the following steps: receiving a digital certificate application request from a user and parsing it to obtain the signature public key or a temporary public key of the certificate; obtaining a certificate encryption key pair, encrypting the private key of that pair with a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key with the obtained signature public key or temporary public key of the certificate to obtain a second encryption result; issuing to the user a digital certificate of the double-key system that contains the signature public key of the certificate and the public key of the certificate encryption key pair; and sending the encryption result to the user. The invention addresses the technical problem that, because the two certificates of an existing double digital certificate are not effectively bound to each other, their owners can suffer unnecessary losses.

Description

Method for generating digital certificate of double-key system and application method
Technical Field
The invention belongs to the technical field of information security and the field of Internet communication, and particularly relates to a method for generating a digital certificate of a double-key system and an application method.
Background
With increasing informatization, government departments, enterprises and institutions have deployed large numbers of business systems on the Internet and exchange business data with remote branches or partners over the Internet. This business data is an important digital asset of the government, enterprise or institution, and its confidentiality, authenticity, integrity and non-repudiation must be ensured; digital certificates are currently the main means of meeting these requirements.
Digital certificates are authoritative electronic documents used to prove the identity of entities (e.g., people, servers) that exchange information and conduct business on a network. Digital certificates are classified into signature certificates, used for authentication during communication, and encryption certificates, used to encrypt key data during communication. Existing digital certificates belong either to a single-certificate system, in which the user uses only a signature certificate or only an encryption certificate for signature or encryption operations, or to a double-certificate system, in which the user uses both a signature certificate and an encryption certificate for signature and encryption operations. The country has also successively introduced standards for digital certificates and proposed the concept of double certificates. The national security SSL-related standard specifies the use of a signature certificate, whose key comes from the user, and an encryption certificate, whose key comes from a trusted third-party authority (e.g. a key management center). The signing key and the encryption key are thus held in two separate digital certificates.
Existing digital certificates therefore have some non-negligible technical problems in use. First, because the two certificates of a double digital certificate are not effectively bound to each other, any two digital certificates can be combined into a double digital certificate, so a user at the trusted third-party authority can easily replace either certificate of the pair without the owner knowing, which causes the owner unnecessary losses. Second, a user of double digital certificates needs to distinguish the signature certificate from the encryption certificate, but no simple and effective way of doing so currently exists; when a lawbreaker uses the encryption certificate as a signature certificate and the signature certificate as an encryption certificate, it is difficult for a judicial institution to obtain evidence of the illegal transactions. Third, a user cannot determine whether a digital certificate belongs to a single-certificate system or a double-certificate system, which leads to certificates being mixed up. Fourth, in the single-certificate system the private key is held only by the user, so only the user can decrypt data encrypted with the public key, and a judicial institution that wishes to obtain the user's encrypted data has difficulty obtaining evidence.
Disclosure of Invention
Aiming at the defects or improvement demands of the prior art, the invention provides a digital certificate generation method and an application method of a double-key system, which aim to solve the technical problems existing in the use process of the existing digital certificate.
In order to achieve the above object, according to one aspect of the present invention, there is provided a method for generating a digital certificate of a double-key system, which is applied to CA, the method comprising the steps of:
(1) Receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of the certificate;
(2) Obtaining a certificate encryption key pair, encrypting a private key in the certificate encryption key pair by utilizing a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by utilizing a signature public key or a temporary public key of the certificate obtained in the step (1) to obtain a second encryption result;
(3) Issuing to the user a digital certificate of the double-key system that contains the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) Transmitting the encryption result obtained in step (2) to the user.
Preferably, the private key in the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, where the asymmetric algorithm is SM2, RSA, or ECC and the symmetric algorithm is AES, 3DES, or SM4, and the like; the randomly generated symmetric key is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC.
According to another aspect of the present invention, there is provided a method for generating a digital certificate of a double-key system, which is applied to CA, the method comprising the steps of:
(1) Receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key or a temporary public key of the certificate;
(2) Acquiring a certificate encryption key pair, and encrypting a private key in the certificate encryption key pair by using a signature public key or a temporary public key of the certificate obtained in the step (1) to obtain an encryption result;
(3) Issuing to the user a digital certificate of the double-key system that contains the signature public key of the certificate and the public key of the certificate encryption key pair;
(4) Transmitting the encryption result obtained in step (2) to the user.
Preferably, the private key in the certificate encryption key pair is encrypted using an asymmetric encryption algorithm, including SM2, RSA, or ECC, etc.
Preferably, the digital certificate of the double-key system comprises a TBS field, a signature algorithm field and a signature value field. The TBS field is filled with the signature public key information of the certificate and the encryption public key information of the certificate, where the signature public key information comprises the signature public key of the certificate and the encryption public key information comprises the public key in the certificate encryption key pair. The public key information subfield in the TBS field extends the public key information subfield in the TBS field of the existing X.509 digital certificate and stores both the signature public key information and the encryption public key information of the certificate.
Preferably, the digital certificate of the double-key system comprises a TBS field, a signature algorithm field and a signature value field, wherein the TBS field is filled with signature public key information of the certificate and encryption public key information of the certificate, the signature public key information of the certificate comprises a signature public key of the certificate, the encryption public key information of the certificate comprises a public key in an encryption key pair of the certificate, and a public key information subfield is added in the TBS field of the existing X.509 digital certificate and is used for storing public key information different from public key information stored in an original public key information subfield in the TBS field of the existing X.509 digital certificate.
Preferably, the digital certificate of the double key hierarchy includes a TBS field, a signature algorithm field, and a signature value field, the TBS field is filled with signature public key information of the certificate, and encryption public key information of the certificate, wherein the signature public key information of the certificate includes a signature public key of the certificate, and the encryption public key information of the certificate includes a public key in an encryption key pair of the certificate, wherein a public key information subfield in the TBS field is filled with public key information different from public key information stored in an original public key information subfield in the TBS field of the existing x.509 digital certificate.
According to another aspect of the present invention, there is provided a method for applying a digital certificate of a double key system, wherein the digital certificate of the double key system is generated by the method for generating the digital certificate of the double key system, the method comprising the steps of:
(1) A first user obtains a digital certificate of the double-key system and parses it to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises the signature public key of the certificate, and the encryption public key information of the certificate comprises the public key in the certificate encryption key pair;
(2) The first user uses the private key corresponding to the public key in the certificate encryption key pair obtained in the step (1) to sign the data so as to obtain signed data, and sends the digital certificate of the double-key system and the signed data to the second user;
(3) The second user analyzes the digital certificate of the double-key system to obtain signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) The second user verifies the signed data from the first user by using the signature public key of the certificate obtained through analysis to determine whether the first user is a legal user, if so, the step (5) is entered, and if not, the process is ended;
(5) The second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by analysis, and sends the encryption result to the first user;
(6) The first user decrypts the encryption result obtained in step (5) by using the private key corresponding to the public key in the certificate encryption key pair obtained in step (1), so as to obtain the plaintext of the message.
According to another aspect of the present invention, there is provided a method for applying a digital certificate of a double key system, wherein the digital certificate of the double key system is generated by the method for generating the digital certificate of the double key system, the method comprising the steps of:
(1) A first user obtains a digital certificate of the double-key system and parses it to obtain the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises the signature public key of the certificate, and the encryption public key information of the certificate comprises the public key in the certificate encryption key pair;
(2) The first user uses the private key corresponding to the public key in the certificate encryption key pair obtained in the step (1) to sign the data so as to obtain signed data, and sends the digital certificate of the double-key system and the signed data to the second user;
(3) The second user analyzes the digital certificate of the double-key system to obtain signature public key information of the certificate and encryption public key information of the certificate, wherein the signature public key information of the certificate comprises a signature public key of the certificate, and the encryption public key information of the certificate comprises a public key in a certificate encryption key pair;
(4) The second user verifies the signed data from the first user by using the signature public key of the certificate obtained through analysis to determine whether the first user is a legal user, if so, the step (5) is entered, and if not, the process is ended;
(5) The second user signs the data to be sent to the first user by using the private signature key of the second user to obtain a signature result, and sends the digital certificate of the double-key system and the signature result obtained in the step (3) to the first user;
(6) The first user analyzes the digital certificate of the double-key system from the second user to obtain a signature public key, and verifies the signature result from the second user by using the signature public key to determine whether the second user is a legal user, if so, the step (7) is entered, otherwise, the process is ended;
(7) The second user encrypts the message to be sent to the first user by using the encryption public key of the certificate obtained by analysis, and sends the encryption result to the first user;
(8) The first user decrypts the encryption result obtained in step (7) by using the private key corresponding to the public key in the certificate encryption key pair obtained by the analysis in step (1), so as to obtain the plaintext of the message.
Preferably, parsing the digital certificate of the double-key system proceeds as follows: first determine whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether two public key information subfields exist in the TBS field, or whether an extension subfield exists in the TBS field. If the public key information subfield in the TBS field has been extended, the signature public key information of the certificate and the encryption public key information of the certificate are obtained directly from the extended public key information subfield; if the TBS field has two public key information subfields, the signature public key information and the encryption public key information of the certificate are obtained from the two subfields respectively; if an extension subfield exists in the TBS field, the signature public key information and the encryption public key information of the certificate (or the encryption public key information and the signature public key information) are obtained from the public key information subfield and the extension subfield in the TBS field respectively.
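The following is an added example, not code from the patent: it builds and parses the variant in which the signature public key stays in the ordinary public key information subfield and the encryption public key is carried in an extension subfield, and it rejects a certificate that lacks the second key. The extension OID, the function names and the choice of ECDSA P-256 keys are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical OID (2.999 example arc) for the extension that carries the
// encryption public key; the patent does not assign one.
var oidEncPubKey = asn1.ObjectIdentifier{2, 999, 1}

// NewKey generates a sample P-256 key pair.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA builds a self-signed CA certificate (constructed fixture).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	t := template(1, "Example CA")
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue puts sigPub in subjectPublicKeyInfo and, when encPub is non-nil, the
// encryption key in the extension; one CA signature over the TBS binds both.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sigPub, encPub *ecdsa.PublicKey) ([]byte, error) {
	t := template(2, "first user")
	t.KeyUsage = x509.KeyUsageDigitalSignature
	if encPub != nil {
		spki, err := x509.MarshalPKIXPublicKey(encPub)
		if err != nil {
			return nil, err
		}
		t.ExtraExtensions = []pkix.Extension{{Id: oidEncPubKey, Value: spki}}
	}
	return x509.CreateCertificate(rand.Reader, t, ca, sigPub, caKey)
}

// Parse verifies the CA signature, then returns the signature public key and
// the encryption public key; a certificate without the extension is rejected.
func Parse(der []byte, ca *x509.Certificate) (any, any, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return nil, nil, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEncPubKey) {
			encPub, err := x509.ParsePKIXPublicKey(ext.Value)
			if err != nil {
				return nil, nil, err
			}
			return cert.PublicKey, encPub, nil
		}
	}
	return nil, nil, errors.New("no encryption public key: not a double-key certificate")
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	sig, _ := NewKey()
	enc, _ := NewKey()
	der, _ := Issue(ca, caKey, &sig.PublicKey, &enc.PublicKey)
	_, _, err = Parse(der, ca)
	fmt.Println("double-key certificate accepted:", err == nil)
}
```

Because the extension is marked non-critical here, a verifier that does not know the OID will still accept the certificate and simply ignore the encryption key.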
In general, the above technical solutions conceived by the present invention, compared with the prior art, enable the following beneficial effects to be obtained:
(1) The invention uses a single certificate to provide the function of double certificates, and so solves the technical problem that, because the certificates in the existing double-certificate system are poorly bound to each other, a user at the trusted third-party authority can easily replace either of the two digital certificates and thereby cause losses to the certificate owner;
(2) Because the digital certificate has dedicated subfields for storing the public key of the certificate encryption key pair and the public key of the certificate signature key pair, the invention solves the technical problem that a judicial institution cannot obtain evidence of illegal transactions when the encryption certificate and the signature certificate of existing digital certificates are used interchangeably;
(3) The invention is essentially a single digital certificate that provides the functions of double digital certificates, and so solves the technical problem that users of the existing digital certificate system easily mix up digital certificates;
(4) Because the private key corresponding to the public key in the certificate encryption key pair is stored at a trusted third-party authority (such as the KMC or CA), a judicial institution can retrieve the private key directly from that authority and decrypt the user's data encrypted with the encryption public key, thereby obtaining evidence directly;
(5) The digital certificate provides the function of double certificates while being smaller than two digital certificates, so it requires less hardware storage capacity and reduces equipment cost.
Drawings
FIG. 1 is a flow chart of a method of generating a digital certificate of a dual key hierarchy in accordance with a first embodiment of the present invention;
FIG. 2 is a flow chart of a method of generating a digital certificate of a dual key hierarchy in accordance with a second embodiment of the present invention;
FIG. 3 is a flow chart of a method of application of a digital certificate of a dual key hierarchy in accordance with a first embodiment of the present invention;
FIG. 4 is a flowchart of a method of applying a digital certificate of a double key hierarchy according to a second embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
As shown in fig. 1, according to a first embodiment of the present invention, there is provided a method for generating a digital certificate of a double-key system, which is applied to a certificate authority (Certificate authority, CA for short), and includes the steps of:
(1) Receiving a digital certificate application request from a user, and analyzing the digital certificate application request to obtain a signature public key of the certificate;
In this step, the obtained signature public key of the certificate is the public key of the subsequent certificate signature key pair.
Alternatively, the result of parsing in this step may instead be the temporary public key of the certificate.
Specifically, a digital certificate application request sent by a user is received from a remote device or a local device.
(2) Obtaining a certificate encryption key pair, encrypting the private key in the certificate encryption key pair by using a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key by using the signature public key of the certificate obtained in step (1) to obtain a second encryption result;
Specifically, the certificate encryption key pair may be acquired from a key management center (KMC for short) or from the CA itself.
In this step the private key in the certificate encryption key pair is encrypted using a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm. The asymmetric algorithm may be, for example, SM2, RSA or ECC, and the symmetric algorithm may be, for example, AES, 3DES, DES or SM4. The algorithms are by no means limited to these; any algorithm combining asymmetric encryption algorithms and the like is within the scope of the present invention.
In this step the randomly generated symmetric key is encrypted using an asymmetric encryption algorithm, which may be, for example, SM2, RSA or ECC. The algorithm is not limited to these; any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, in this step the randomly generated symmetric key may be encrypted by using the temporary public key of the certificate obtained in step (1) to obtain the second encryption result.
As shown in FIG. 2, step (2) may alternatively be replaced by:
(2') Acquiring a certificate encryption key pair, and encrypting the private key in the certificate encryption key pair by using the signature public key of the certificate obtained in step (1) to obtain an encryption result;
In this step the private key in the certificate encryption key pair is encrypted using an asymmetric encryption algorithm, such as SM2, RSA or ECC. The algorithm is in no way limited to these; any asymmetric encryption algorithm is within the scope of the present invention.
Alternatively, in this step the private key in the certificate encryption key pair may be encrypted by using the temporary public key of the certificate obtained in step (1) to obtain the encryption result;
(3) Issuing to the user a digital certificate of the double-key system that contains the signature public key of the certificate and the public key of the certificate encryption key pair.
Specifically, the digital certificate in this step is a modification of the structure of the X.509 digital certificate specified in the existing RFC5280 or RFC3280 international standard.
The existing X.509 digital certificate includes a to-be-signed certificate (TBS for short) field, a signature algorithm field, and a signature value field.
The invention modifies this structure by filling the TBS field with the signature public key information of the certificate and the encryption public key information of the certificate. The signature public key information of the certificate comprises the signature public key of the certificate, and the encryption public key information of the certificate comprises the public key of the certificate encryption key pair and, as required, the corresponding public key algorithm and the like.
The specific modification of the structure may be one of the following three:
A. The public key information subfield in the TBS field of the X.509 digital certificate is extended to store the signature public key information of the certificate and the encryption public key information of the certificate.
B. A public key information subfield is added to the TBS field of the X.509 digital certificate; it stores public key information different from the public key information stored in the original public key information subfield in the TBS field.
Specifically, if the public key information subfield originally included in the TBS field already stores the signature public key information of the certificate, the encryption public key information of the certificate is stored in the newly added public key information subfield; if the public key information subfield originally included in the TBS field already stores the encryption public key information of the certificate, the signature public key information of the certificate is stored in the newly added public key information subfield.
C. The extension subfield in the TBS field of the X.509 digital certificate is filled with public key information different from the public key information stored in the original public key information subfield in the TBS field.
Specifically, if the public key information subfield originally included in the TBS field already stores the signature public key information of the certificate, the encryption public key information of the certificate is filled in the extension subfield; if the public key information subfield originally included in the TBS field already stores the encryption public key information of the certificate, the signature public key information of the certificate is filled in the extension subfield.
(4) And (3) transmitting the encryption result obtained in the step (2) to a user.
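The key protection of step (2) in the hybrid form spelled out in claim 1, with the delivery of step (4), as an added Go example that is not code from the patent: a random symmetric key encrypts the encryption private key (first encryption result), and the user's signature public key encrypts that symmetric key (second encryption result). RSA-OAEP, AES-256-GCM, the PKCS#1 key encoding and all function names are assumptions made for the demo; the patent lists SM2/RSA/ECC and AES/3DES/SM4 without fixing modes or encodings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func caWrap(encPriv *rsa.PrivateKey, sigPub *rsa.PublicKey) (first, second []byte, err error) {
	buf := make([]byte, 32+12) // CA side: random AES-256 key || GCM nonce, used for this envelope only
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err == nil {
		first = gcm.Seal(buf[32:], buf[32:], x509.MarshalPKCS1PrivateKey(encPriv), nil) // nonce || ciphertext
		second, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, sigPub, buf[:32], nil)  // wrapped symmetric key
	}
	return first, second, err
}

func userUnwrap(first, second []byte, sigPriv *rsa.PrivateKey) (*rsa.PrivateKey, error) {
	sym, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sigPriv, second, nil) // needs the signature private key
	if err != nil {
		return nil, fmt.Errorf("unwrap symmetric key: %w", err)
	}
	gcm, err := newGCM(sym)
	if err != nil || len(first) < 12 {
		return nil, fmt.Errorf("malformed envelope")
	}
	der, err := gcm.Open(nil, first[:12], first[12:], nil) // authenticated: a modified blob is rejected
	if err != nil {
		return nil, fmt.Errorf("unwrap private key: %w", err)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func newKey() *rsa.PrivateKey { // constructed 2048-bit RSA key pair for the demo
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	sig, enc := newKey(), newKey() // user's signature pair; encryption pair obtained by the CA
	first, second, _ := caWrap(enc, &sig.PublicKey)
	got, err := userUnwrap(first, second, sig)
	fmt.Println("recovered key matches:", err == nil && got.Equal(enc))
}
```

Because the symmetric key is wrapped to the signature public key, only the holder of the matching signature private key can recover the encryption private key from what the CA transmits.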
As shown in Fig. 3, another embodiment of the present invention provides a method for applying a digital certificate of a double-key system generated by the first embodiment above, the method comprising the following steps:
(1) A first user obtains a digital certificate of the double-key system and parses it to obtain the signature public key information and the encryption public key information of the certificate. The signature public key information comprises the signature public key of the certificate and may, as required, also include the corresponding public key algorithm and the like; the encryption public key information comprises the public key in the certificate encryption key pair and may, as required, also include the corresponding public key algorithm and the like;
Specifically, parsing first determines whether the public key information subfield in the TBS field of the X.509 digital certificate has been extended, whether the TBS field contains two public key information subfields, or whether the TBS field contains an extension subfield. If the public key information subfield has been extended, the signature public key information and the encryption public key information of the certificate are both read directly from the extended public key information subfield. If the TBS field contains two public key information subfields, the signature public key information and the encryption public key information are read from the two subfields respectively. If the TBS field contains an extension subfield, the signature public key information and the encryption public key information (or the encryption public key information and the signature public key information) are read from the public key information subfield and the extension subfield of the TBS field respectively.
(2) The first user signs the data with the private key corresponding to the public key in the certificate encryption key pair obtained in step (1) to obtain signed data, and sends the digital certificate of the double-key system and the signed data to the second user;
(3) The second user parses the digital certificate of the double-key system to obtain the signature public key information and the encryption public key information of the certificate. The signature public key information comprises the signature public key of the certificate and may, as required, also include the corresponding public key algorithm and the like; the encryption public key information comprises the public key in the certificate encryption key pair and may, as required, also include the corresponding public key algorithm and the like;
The certificate is parsed in this step exactly as in step (1) above, so the process is not described again here.
(4) The second user verifies the signed data from the first user with the signature public key of the certificate obtained by parsing, to determine whether the first user is a legitimate user; if so, the method proceeds to step (5), otherwise the process ends;
(5) The second user encrypts the message to be sent to the first user with the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(6) The first user decrypts the encryption result obtained in step (5) with the private key corresponding to the public key in the certificate encryption key pair obtained in step (1), to obtain the message plaintext.
In another embodiment, as shown in Fig. 4, steps (5) and (6) above may be replaced by:
(5') the second user signs the data to be sent to the first user with its own signature private key to obtain a signature result, and sends the digital certificate of the double-key system obtained in step (3) and the signature result to the first user;
(6') the first user parses the digital certificate of the double-key system from the second user to obtain a signature public key, and verifies the signature result from the second user with that signature public key to determine whether the second user is a legitimate user; if so, the method proceeds to step (7'), otherwise the process ends;
(7') the second user encrypts the message to be sent to the first user with the encryption public key of the certificate obtained by parsing, and sends the encryption result to the first user;
(8') the first user decrypts the encryption result obtained in step (7') with the private key corresponding to the public key in the certificate encryption key pair obtained in step (1), to obtain the message plaintext.
Those skilled in the art will readily appreciate that the foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within its scope.
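Modification C and the parsing of step (1), as an added Go example that is not code from the patent: the signature public key sits in the standard subjectPublicKeyInfo and the encryption public key in a non-critical X.509 extension, so the CA signature over the TBS field covers both keys. The extension OID (a documentation-arc placeholder), the DER SubjectPublicKeyInfo encoding inside the extension, the use of P-256 keys for both roles, and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidEncKey = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 32473, 1, 1} // placeholder OID, RFC 5612 documentation arc

func newKey() *ecdsa.PrivateKey { // constructed P-256 key pair for the demo
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func issue(ca *ecdsa.PrivateKey, sigPub, encPub *ecdsa.PublicKey) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(encPub)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // CreateCertificate fills subjectPublicKeyInfo from sigPub
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "first-user.example"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidEncKey, Value: spki}}, // encryption public key
	}
	return x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: "Demo CA"}}, sigPub, ca)
}

func parse(der []byte, caPub *ecdsa.PublicKey) (sigPub, encPub any, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	signer := &x509.Certificate{PublicKey: caPub} // the signature is over the TBS bytes, so it binds both keys
	if err = signer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, nil, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEncKey) {
			encPub, err = x509.ParsePKIXPublicKey(ext.Value)
			return cert.PublicKey, encPub, err
		}
	}
	return nil, nil, fmt.Errorf("certificate has no encryption public key extension")
}

func main() {
	ca, sig, enc := newKey(), newKey(), newKey()
	der, _ := issue(ca, &sig.PublicKey, &enc.PublicKey)
	s, e, err := parse(der, &ca.PublicKey)
	fmt.Println(err, sig.PublicKey.Equal(s), enc.PublicKey.Equal(e))
}
```

A relying party that does not recognise the placeholder OID still parses the certificate, because the extension is non-critical, but it sees only the signature public key.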

Claims (2)

1. A method for generating a digital certificate of a double-key system, applied to a CA, characterized by comprising the following steps:
(1) receiving a digital certificate application request from a user, and parsing the request to obtain the signature public key or the temporary public key of the certificate;
(2) obtaining a certificate encryption key pair, encrypting the private key in the certificate encryption key pair with a randomly generated symmetric key to obtain a first encryption result, and encrypting the randomly generated symmetric key with the signature public key or the temporary public key of the certificate obtained in step (1) to obtain a second encryption result;
(3) issuing a digital certificate of the double-key system to the user, wherein the digital certificate of the double-key system comprises the signature public key of the certificate and the public key of the certificate encryption key pair, and the signature public key of the certificate or the public key of the certificate encryption key pair is stored in the public key information subfield originally included in the to-be-signed certificate (TBS) field of the X.509 digital certificate or in a newly added public key information subfield in the TBS field of the X.509 digital certificate;
(4) transmitting the encryption result obtained in step (2) to the user;
wherein step (3) comprises: if the public key information subfield originally included in the TBS field already stores the signature public key information of the certificate, the newly added public key information subfield stores the encryption public key information of the certificate; if the public key information subfield included in the TBS field already stores the encryption public key information of the certificate, the signature public key information of the certificate is stored in the newly added public key information subfield;
the digital certificate of the double-key system comprises a to-be-signed certificate (TBS) field, a signature algorithm field and a signature value field; the TBS field is filled with the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises the signature public key of the certificate, and the encryption public key information of the certificate comprises the public key in the certificate encryption key pair; the public key information subfield in the TBS field is an extension of the public key information subfield in the TBS field of the existing X.509 digital certificate and stores the signature public key information of the certificate and the encryption public key information of the certificate; or,
the digital certificate of the double-key system comprises a to-be-signed certificate (TBS) field, a signature algorithm field and a signature value field; the TBS field is filled with the signature public key information of the certificate and the encryption public key information of the certificate, wherein the signature public key information of the certificate comprises the signature public key of the certificate, and the encryption public key information of the certificate comprises the public key in the certificate encryption key pair; a public key information subfield is added to the TBS field of the existing X.509 digital certificate and is used for storing public key information different from the public key information stored in the original public key information subfield in the TBS field of the existing X.509 digital certificate.
2. The method of claim 1, wherein the private key in the certificate encryption key pair is encrypted with a combination of a symmetric encryption algorithm and an asymmetric encryption algorithm, the asymmetric algorithm being SM2, RSA, or ECC and the symmetric algorithm being AES, 3DES, or SM4, and wherein the randomly generated symmetric key is encrypted with an asymmetric encryption algorithm, including SM2, RSA, or ECC.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910148673.4A CN111628860B (en) 2019-02-28 2019-02-28 Method for generating digital certificate of double-key system and application method

Publications (2)

Publication Number Publication Date
CN111628860A CN111628860A (en) 2020-09-04
CN111628860B true CN111628860B (en) 2023-08-08

Family

ID=72270782

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113239379B (en) * 2021-05-19 2022-02-11 郑州信大捷安信息技术股份有限公司 SCEP (secure certificate privacy protocol) -based national secret certificate issuing method and system
CN116155515B (en) * 2023-04-20 2023-07-28 中汽智联技术有限公司 Type-selectable double-key certificate generation method, electronic device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105246071A (en) * 2014-07-11 2016-01-13 电信科学技术研究院 Message generation and authentication methods and equipment in Internet-of-vehicles system
CN106453330A (en) * 2016-10-18 2017-02-22 深圳市金立通信设备有限公司 Identity authentication method and system
US9660978B1 (en) * 2016-08-08 2017-05-23 ISARA Corporation Using a digital certificate with multiple cryptosystems
CN107360002A (en) * 2017-08-15 2017-11-17 武汉信安珞珈科技有限公司 A kind of application method of digital certificate
CN108270558A (en) * 2016-12-30 2018-07-10 上海格尔软件股份有限公司 A kind of private key introduction method based on temporary key pair
CN108683647A (en) * 2018-04-28 2018-10-19 重庆交通大学 A kind of data transmission method based on multi-enciphering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant