CN113536284B - Digital certificate verification method, device, equipment and storage medium - Google Patents
Digital certificate verification method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN113536284B CN113536284B CN202110825226.5A CN202110825226A CN113536284B CN 113536284 B CN113536284 B CN 113536284B CN 202110825226 A CN202110825226 A CN 202110825226A CN 113536284 B CN113536284 B CN 113536284B
- Authority
- CN
- China
- Prior art keywords
- certificate
- party
- verified
- trusted
- center
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012795 verification Methods 0.000 title claims abstract description 49
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000012546 transfer Methods 0.000 claims abstract description 20
- 230000008569 process Effects 0.000 claims description 11
- 230000004044 response Effects 0.000 claims description 8
- 238000004590 computer program Methods 0.000 claims description 3
- 238000010276 construction Methods 0.000 claims description 3
- 230000001360 synchronised effect Effects 0.000 claims description 2
- 230000005540 biological transmission Effects 0.000 abstract description 14
- 238000010586 diagram Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 125000004122 cyclic group Chemical group 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The embodiment of the invention discloses a method, a device, equipment and a storage medium for verifying a digital certificate. Wherein the method comprises the following steps: responding to a verification request of a digital certificate of a party to be verified by a requesting party, and determining a certificate center to be mutually trusted; constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate center to be mutually trusted after the mutual trust platform is registered, wherein each node of the mutual trust logic tree is the identifier of the certificate center or the mobile terminal contained in the trust chain data; and verifying whether the digital certificate of the party to be verified is trusted or not according to the mutual trust logic tree. According to the technical scheme provided by the embodiment of the invention, accurate mutual trust among different certificate centers to be mutually trusted is realized, the mutual trust logic tree visually represents trust transfer conditions of the different certificate centers, a trust chain among the different certificate centers to be mutually trusted is not required to be checked constantly, convenience and accuracy of digital certificate verification are improved, and the safety of information transmission is further ensured.
Description
Technical Field
The embodiment of the invention relates to the technical field of identity authentication, in particular to a method, a device, equipment and a storage medium for verifying a digital certificate.
Background
With the rapid development of mobile devices, when the mobile devices transmit information through electromagnetic waves, the situation that the mobile devices are intercepted or eavesdropped is generally considered, so that the information transmission of the mobile terminals has a great risk of tampering, and therefore digital certificates need to be introduced to sign the transmitted information so as to prevent tampering and loss of the transmitted information.
At present, when different Public key infrastructures (Public-Key Infrastructure, PKI) issue corresponding digital certificates for each mobile terminal, different encryption and decryption algorithms are adopted, some are internationally universal, and some are national encryption algorithms, so that in order to ensure the information transmission safety of the mobile terminal, different digital certificates issued by different certificate centers (CERTIFICATE AUTHORITY, CA) for the mobile terminal are adopted under different scenes to sign the transmitted information. At this time, supporting verification of digital certificates issued by different CA institutions is a problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for verifying a digital certificate, which are used for realizing accurate mutual trust among different certificate centers, improving the convenience and accuracy of digital certificate verification and ensuring the safety of information transmission.
In a first aspect, an embodiment of the present invention provides a method for verifying a digital certificate, which is applied to a mutually trusted platform registered with at least two certificate centers, including:
responding to a verification request of a digital certificate of a party to be verified by a requesting party, and determining a certificate center to be mutually trusted;
constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate center to be mutually trusted after the mutual trust platform is registered, wherein each node of the mutual trust logic tree is the identifier of the certificate center or the mobile terminal contained in the trust chain data;
And verifying whether the digital certificate of the party to be verified is trusted or not according to the mutual trust logic tree.
In a second aspect, an embodiment of the present invention provides a device for verifying a digital certificate, configured in a mutually trusted platform registered with at least two certificate centers, including:
The to-be-mutually-trusted determining module is used for responding to a verification request of a digital certificate of a to-be-verified party by a requesting party and determining a certificate center to be mutually trusted;
The mutual trust logic construction module is used for constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate center to be mutually trusted after the mutual trust platform is registered, wherein each node of the mutual trust logic tree is the identifier of the certificate center or the mobile terminal contained in the trust chain data;
and the certificate verification module is used for verifying whether the digital certificate of the party to be verified is trusted according to the mutually trusted logic tree.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
a storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for verifying digital certificates according to any embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the method for verifying a digital certificate according to any embodiment of the present invention.
The embodiment of the invention provides a method, a device, equipment and a storage medium for verifying a digital certificate, which are used for determining a certificate center to be mutually trusted according to a verification request of the digital certificate of a requesting party, then constructing a corresponding mutually trusted logic tree by utilizing trust chain data formed by the certificate center to be mutually trusted after registration of a mutually trusted platform, wherein each node of the mutually trusted logic tree can be the identity of the certificate center or a mobile terminal contained in the trust chain data, and further the mutually trusted logic tree is used for verifying whether the digital certificate of the party to be verified is trusted, so that the accurate mutually trusted among different certificate centers to be mutually trusted is realized, the mutually trusted logic tree visually represents the trust transfer condition of the different certificate centers, the trust chain among the different certificate centers to be mutually trusted is not required to be checked, and the convenience and the accuracy of the digital certificate verification are improved; at this time, the digital certificate of the information transmitting party is accurately verified, so that the safety of information transmission is further ensured.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
Fig. 1 is a flowchart of a method for verifying a digital certificate according to a first embodiment of the present invention;
Fig. 2A is a flowchart of a method for verifying a digital certificate according to a second embodiment of the present invention;
FIG. 2B is a schematic diagram of a mutually trusted logic tree constructed in the method according to the second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a verification device for digital certificates according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a method for verifying a digital certificate according to an embodiment of the present invention. The present embodiment is applicable to a case where authenticity and timeliness of a digital certificate of a party to be authenticated for transmitting information are authenticated at the time of information transmission. The method for verifying the digital certificate provided by the embodiment of the invention can be implemented by a device for verifying the digital certificate provided by the embodiment of the invention, and the device can be implemented in a software and/or hardware mode and is integrated in an electronic device for implementing the method, wherein the electronic device is provided with a pre-developed mutually trusted platform, and at least two certificate centers (namely CA institutions) are registered in the home type platform.
Specifically, referring to fig. 1, the method specifically includes the following steps:
s110, determining a certificate center to be mutually trusted in response to a verification request of a digital certificate of a party to be verified by a requester.
Specifically, in order to realize mutual trust between different certificate centers, so as to support that a certain certificate center can accurately verify authenticity and timeliness of a digital certificate issued by a sender when another certificate center is used for information transmission, the embodiment can develop a mutual trust platform in advance, a large number of certificate centers are registered in the mutual trust platform, and meanwhile mutual trust between different certificate centers is realized by adopting a cross-certification mode.
In this embodiment, when transmitting information to another terminal or a server during information transmission, in order to avoid that the transmitted information is tampered in the middle, the sender may be used as the party to be verified in this embodiment, and then a digital certificate of the party to be verified is used to sign the transmitted information, so as to ensure the confidentiality and integrity of data in the transmission process of the wireless device. Specifically, when the other terminal or the server receives the information transmitted by the party to be verified, the digital certificate of the party to be verified can be analyzed, and whether the received information is tampered or not is judged by verifying whether the digital certificate of the party to be verified is true or not. Therefore, the embodiment can take the other party of information transmission (such as another terminal or a server end for receiving the information transmitted by the party to be verified) as a request party, initiate a verification request of the digital certificate of the party to be verified to a pre-opened mutually trusted platform, and verify the authenticity and validity of the digital certificate of the party to be verified by the mutually trusted platform so as to judge whether the digital certificate of the party to be verified is trusted or not.
Because the mutually trusted platform registers a plurality of certificate centers, the certificate center for issuing the digital certificate for the party to be authenticated and the certificate center responsible for the party to be authenticated may not be the same certificate center, so that the certificate center corresponding to the party to be authenticated cannot directly verify whether the digital certificate of the party to be authenticated is trusted, in this embodiment, after receiving the verification request of the digital certificate of the party to be authenticated sent by the party to be authenticated, the mutually trusted platform firstly analyzes the verification request to obtain the digital certificate carried by the party to be authenticated when transmitting information, and the information of the certificate center responsible for the party to be authenticated to verify the certificate, and then analyzes the digital certificate of the party to be authenticated to obtain the certificate center for issuing the digital certificate for the party to be authenticated, thereby determining the certificate center to be mutually trusted. For example, if the mutually trusted platform receives a request of a requesting party for verifying a digital certificate of a party to be verified, the mutually trusted platform directly determines a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requesting party, and then takes the first certificate center and the second certificate center as the certificate centers to be mutually trusted.
It should be noted that, the digital certificate of the party to be verified is issued by the registered certificate center in the mutually trusted platform, and in order to realize the accurate verification of the digital certificate of the party to be verified, the certificate center responsible for the verification of the certificate of the requesting party is also registered in the mutually trusted platform, so in this embodiment, the certificate centers to be mutually trusted are all registered certificate centers in the mutually trusted platform, and the corresponding mutually trusted is realized in a cross authentication manner between different registered certificate centers in the mutually trusted platform, so as to judge whether the digital certificate of the party to be verified is trusted or not by adopting a trust transfer manner.
It should be noted that, in this embodiment, the verification of the digital certificate of the party to be verified by the requester may refer to that the party to be verified actively sends a request to the requester to verify whether the digital certificate of the party to be verified is trusted, or may refer to that the requester logs in the mutually trusted platform in this embodiment on a local device (such as a mobile terminal or a computer terminal), and then actively verifies whether the digital certificate of the party to be verified is trusted. The specific verification scenario of the digital certificate of the party to be verified is not limited in this embodiment.
S120, constructing a corresponding mutual trust logic tree according to trust chain data formed by a certificate center to be mutually trusted after the mutual trust platform is registered.
Optionally, when each certificate center is registered in the mutual trust platform, corresponding cross authentication is established between each registered certificate center and the registered certificate center so as to realize trust transfer between different certificate centers, that is, a certain or a plurality of specific certificate centers are screened out from all registered certificate centers, then a private key of the specific certificate center is utilized to issue a corresponding digital certificate for the registered certificate center, so that equipment trusting the specific certificate center can trust the registered certificate center, at this time, through analyzing a trust transfer process of a certificate when each registered certificate center is registered, corresponding trust chain data is recorded, the trust chain data is used for indicating that after any certificate center is registered in the mutual trust platform, the trust transfer process of the certificate center is performed between different centers in a cross authentication mode, for example, certificate centers A, B, C and D are registered on the mutual trust platform, A is used as a certificate center which is registered first to the mutual trust platform, corresponding digital certificates are issued for B and C, and C is signed for D, at this time, and D is a trust chain is indicated as long as D is analyzed, and trust data can be obtained by D, namely, as long as D is a trust chain is B, C.
Taking a new certificate center registration by the mutual trust platform as an example, the mutual trust platform firstly receives a registration request of the new certificate center, responds to the registration request of the new certificate center, establishes cross authentication between the new certificate center and the registered certificate center, and generates trust chain data of the new certificate center. That is, for a new certificate center, a certain specific certificate center or several specific certificate centers are selected from registered certificate centers, and the specific certificate centers are used for issuing corresponding digital certificates for the new certificate centers so as to establish cross authentication between the new certificate centers and each specific certificate center, thereby realizing trust transfer from the registered certificate centers to the new certificate centers, and further adding the new certificate centers to trust chain data of each specific certificate center for issuing digital certificates for the new certificate centers, thereby generating trust chain data of the new certificate centers.
It should be noted that, when registering a new certificate center, the mutually trusted platform in this embodiment may randomly screen a specific certificate center for issuing a digital certificate for the new certificate center, or may issue a corresponding digital certificate for the new certificate center through the newly registered certificate center in the registered certificate centers according to the registration order, which is not limited in the trust transfer order between the registered certificate centers.
In this embodiment, after determining the certificate center to be mutually trusted, the self certificate issue condition of the certificate center to be mutually trusted may be analyzed and checked, and the trust chain data generated after the certificate centers to be mutually trusted are registered on the mutually trusted platform may be found, for example, the certificate centers A, B, C and D are registered on the mutually trusted platform, a is used as the first certificate center registered on the mutually trusted platform, and issues corresponding digital certificates for B and C, which represent a trust B and C, then C is used as D to issue corresponding digital certificates, represents C trust D, and if B is responsible for certificate management of the requesting party, D is used as the digital certificate corresponding to the to-be-authenticated party, then the trust chain data of B is used as B and D, and the trust chain data of D is used as a-C-D-to-be-authenticated party. Then, by analyzing the certificate centers and the trust transfer process contained in the trust chain data of each certificate center to be mutually trusted, a corresponding mutually trusted logic tree can be constructed, and at this time, each node of the mutually trusted logic tree can be the identification of the certificate center or the mobile terminal contained in the trust chain data of the certificate center to be mutually trusted, so that whether the digital certificate of the party to be verified is trusted can be judged according to the trust transfer process between the certificate centers to be mutually trusted represented in the mutually trusted logic tree.
S130, verifying whether the digital certificate of the party to be verified is trusted according to the mutual trust logic tree.
Specifically, the mutual trust logic tree represents a trust transfer process between certificate centers to be mutually trusted, so that whether the party to be authenticated is trusted can be firstly verified, when the party to be authenticated is trusted, whether the certificate center issuing the digital certificate for the party to be authenticated is trusted is continuously verified, if so, whether another certificate center issuing the digital certificate for the certificate center is trusted is continuously verified, and the process is sequentially circulated until whether the certificate center responsible for certificate management of a requester is trusted is verified, if the certificate center responsible for certificate management of the requester is determined to be trusted, the digital certificate of the party to be authenticated can be determined to be trusted for the requester, thereby realizing accurate verification of the digital certificate, and further ensuring the security of information transmission by accurately verifying the digital certificate.
It should be noted that, in this embodiment, the digital certificate of the party to be authenticated may be a mobile terminal certificate, and in this embodiment, the authentication mode of the mobile terminal certificate is mainly described.
According to the technical scheme provided by the embodiment, the certificate center to be mutually trusted is determined according to the verification request of the digital certificate of the party to be verified by the requesting party, then the trust chain data formed by the certificate center to be mutually trusted after the registration of the mutually trusted platform is utilized to construct a corresponding mutually trusted logic tree, each node of the mutually trusted logic tree can be the identifier of the certificate center or the mobile terminal contained in the trust chain data, and further the mutually trusted logic tree is adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutually trusted among different certificate centers to be mutually trusted is realized, the trust transfer condition of the different certificate centers is visually represented by the mutually trusted logic tree, the trust chains among the different certificate centers to be mutually trusted are not required to be checked continuously, and the convenience and the accuracy of digital certificate verification are improved; at this time, the digital certificate is accurately verified, so that the safety of information transmission is further ensured.
Example two
Fig. 2A is a flowchart of a method for verifying a digital certificate according to a second embodiment of the present invention. The embodiment of the invention is optimized based on the embodiment. Optionally, the digital certificate of the party to be authenticated may be a mobile terminal certificate, and this embodiment mainly explains a specific process of issuing the digital certificate for the mobile terminal adopted by the party to be authenticated and a specific authentication process of the digital certificate of the party to be authenticated in detail.
Specifically, referring to fig. 2A, the method of this embodiment may specifically include:
S210, determining a target certificate center which is selected by the party to be verified and is used for synchronously issuing the digital certificate in response to an application instruction of the digital certificate of the party to be verified.
Optionally, when the party to be verified applies for the digital certificate to the mutually trusted platform, the mutually trusted platform sends a corresponding application instruction, and at this time, the mutually trusted platform supports the party to be verified to apply for the corresponding digital certificate to the registered plurality of certificate centers respectively, that is, the mutually trusted platform is provided with a function of synchronously applying for the digital certificate issued by the plurality of certificate centers by one key. In this embodiment, the mutually trusted platform responds to an application instruction of a digital certificate of a party to be verified, and first analyzes the application instruction, so as to determine each target certificate center selected by the party to be verified and used for synchronously issuing the digital certificate for the party to be verified, so that corresponding digital certificates are respectively issued for the party to be verified by using trust chain data of each target certificate center after the mutually trusted platform is registered.
S220, synchronously issuing corresponding digital certificates for the party to be verified by utilizing trust chain data formed by each target certificate center after the registration of the mutually trusted platform and the equipment identification code of the mobile terminal where the party to be verified is located.
Optionally, after determining each target certificate center selected by the party to be verified and used for synchronously issuing the digital certificate for the party to be verified, trust chain data generated by each target certificate center after registering on a mutually trusted platform can be directly searched, and by analyzing hardware equipment information of a mobile terminal where the party to be verified is located, an equipment identification code of the party to be verified is determined, wherein the equipment identification code is used for indicating the equipment uniqueness of the party to be verified adopting the mobile terminal. Then, the trust chain data of each target certificate center can be utilized to synchronously issue corresponding digital certificates for the equipment identification codes of the to-be-verified parties, so that synchronous certificate issue for a plurality of certificate centers is realized.
It should be noted that, considering that the mobile terminal adopted by the party to be verified may be imitated, so that the device identification codes of different parties to be verified are repeated, so that the certificate center cannot distinguish the objects of certificate issue, and the problem that the mobile terminal applicable to the party to be verified represented by the digital certificate is not unique is caused.
That is, first, 64bit bits representing the device identification code of the party to be authenticated are divided into a plurality of parts in a manner of dividing the namespace as follows:
the 1 st bit occupies 1bit, and the value is always 0, and can be used as a symbol bit.
Bits 2 to 42 occupy 41 bits, which can be used as time stamp bits, and at this time, 41 bits can represent 2≡41 number, and represent millisecond, and then the available time period is (1L < < 41)/(1000L 360024 x 365) =69 years.
The 10bit occupied from the 43 rd bit to the 52 th bit can represent machine bits, namely 2+—10=1024 machines, wherein the first 4 bits in the 10bit can represent machine identification mapping, and the last 6 bits can represent working domains of the machines, so as to segment mobile terminals of different machine types and regions, and reduce the probability of equipment identification code repetition of the mobile terminals.
The last 12 bits can be used as the sequence number of the mobile terminal, and can represent 2≡12=4096 numbers.
Then, judging the timestamp, the machine number and the working region of the party to be verified by reading the hardware information of the mobile terminal used by the party to be verified, thereby setting the timestamp bit and the machine bit in each bit divided in the equipment identification code of the party to be verified; moreover, considering that the number of the mobile terminals is large, in this embodiment, a random algorithm may be used to generate the divided serial numbers in the device identifier codes of the party to be verified, instead of the serial numbers in the increment mode, so that corresponding device identifier codes are generated for multiple mobile terminals concurrently, and the generating efficiency of the device identifier codes is improved.
S230, determining a certificate center to be mutually trusted in response to a digital certificate verification request of a party to be verified by a requesting party.
S240, constructing a corresponding mutual trust logic tree according to trust chain data formed by a certificate center to be mutually trusted after the mutual trust platform is registered.
S250, determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree.
Optionally, in order to improve the efficiency of digital certificate verification, after the corresponding mutually trusted logic tree is constructed, the embodiment can intuitively find out the public certificate center which establishes the trust transfer relationship with the certificate centers corresponding to the requesting party and the party to be verified. For example, the mutually trusted platform has registered thereon the certificate centers A, B, C and D, a as the first certificate center registered to the mutually trusted platform, and issues corresponding digital certificates for B and C, indicating that a trusts B and C, and then C issues corresponding digital certificates for D, indicating that C trusts D, and if B is responsible for the certificate management of the requester, D issues corresponding digital certificates for the party to be authenticated, a mutually trusted logic tree as shown in fig. 2B may be constructed, and at this time, it may be determined that the public certificate centers of the requester and the party to be authenticated are a.
S260, verifying whether the public certificate center is trusted or not, and taking the trusted result of the public certificate center as the trusted result of the digital certificate of the party to be verified.
Optionally, because the certificate center responsible for the certificate management of the requesting party and the public certificate center have established a corresponding trust transfer relationship through the cross authentication mode between different certificate centers, that is to say, the certificate center responsible for the certificate management of the requesting party trusts the public certificate center, in order to improve the verification efficiency of the digital certificate, the embodiment can start from the party to be verified, firstly verify whether the party to be verified is trusted, continuously verify whether the certificate center issuing the digital certificate for the party to be verified is trusted when the party to be verified is trusted, continuously verify whether another certificate center issuing the digital certificate for the certificate center is trusted if the certificate center is trusted, and sequentially circulate until the certificate center is verified whether the public certificate center is trusted. Because the requesting party trusts the public certificate center, if the public certificate center is determined to be trusted, the digital certificate of the party to be verified can be directly determined to be trusted for the requesting party, so that accurate verification of the digital certificate is realized. In the cyclic verification process, if any certificate center is not trusted, the digital certificate of the party to be verified can be determined to be not trusted.
According to the technical scheme provided by the embodiment, the certificate center to be mutually trusted is determined according to the verification request of the digital certificate of the party to be verified by the requesting party, then the trust chain data formed by the certificate center to be mutually trusted after the registration of the mutually trusted platform is utilized to construct a corresponding mutually trusted logic tree, each node of the mutually trusted logic tree can be the identifier of the certificate center or the mobile terminal contained in the trust chain data, and further the mutually trusted logic tree is adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutually trusted among different certificate centers to be mutually trusted is realized, the mutually trusted logic tree visually represents the trust transfer condition of the different certificate centers, the trust chains among the different certificate centers to be mutually trusted do not need to be continuously checked, and the convenience and the accuracy of the verification of the mobile terminal certificate are improved; at this time, the security of the mobile terminal information transmission is further ensured by accurately verifying the mobile terminal certificate.
Example III
Fig. 3 is a schematic structural diagram of a verification device for digital certificates, provided in a third embodiment of the present invention, configured in a mutually trusted platform registered with at least two certificate centers, as shown in fig. 3, where the device may include:
a to-be-mutually trusted determining module 310, configured to determine a certificate center to be mutually trusted in response to a request for verifying a digital certificate of a party to be verified from a requesting party;
the mutual trust logic construction module 320 is configured to construct a corresponding mutual trust logic tree according to trust chain data formed by the certificate center to be mutually trusted after registration of the mutual trust platform, where each node of the mutual trust logic tree is an identifier of the certificate center or a mobile terminal included in the trust chain data;
and the certificate verification module 330 is configured to verify whether the digital certificate of the party to be verified is trusted according to the mutually trusted logic tree.
According to the technical scheme provided by the embodiment, the certificate center to be mutually trusted is determined according to the verification request of the digital certificate of the party to be verified by the requesting party, then the trust chain data formed by the certificate center to be mutually trusted after the registration of the mutually trusted platform is utilized to construct a corresponding mutually trusted logic tree, each node of the mutually trusted logic tree can be the identifier of the certificate center or the mobile terminal contained in the trust chain data, and further the mutually trusted logic tree is adopted to verify whether the digital certificate of the party to be verified is trusted, so that accurate mutually trusted among different certificate centers to be mutually trusted is realized, the trust transfer condition of the different certificate centers is visually represented by the mutually trusted logic tree, the trust chains among the different certificate centers to be mutually trusted are not required to be checked continuously, and the convenience and the accuracy of digital certificate verification are improved; at this time, the digital certificate is accurately verified, so that the safety of information transmission is further ensured.
Further, the certificate verification module 330 may be specifically configured to:
determining public certificate centers of the requesting party and the party to be verified based on the mutually trusted logic tree;
Verifying whether the public certificate center is trusted or not, and taking the trusted result of the public certificate center as the trusted result of the digital certificate of the party to be verified.
Further, the to-be-mutually trusted determining module 310 may be specifically configured to:
And if a request of a requesting party for verifying the digital certificate of the party to be verified is received, a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requesting party are used as the certificate centers to be mutually trusted.
Further, the digital certificate of the party to be authenticated may be a mobile terminal certificate, and the authentication device of the digital certificate may further include:
The certificate application module is used for responding to an application instruction of the digital certificate of the party to be verified, and determining a target certificate center which is selected by the party to be verified and used for synchronously issuing the digital certificate;
And the certificate issuing module is used for synchronously issuing a corresponding digital certificate for the party to be verified by utilizing trust chain data formed by each target certificate center after the mutual trust platform is registered and the equipment identification code of the mobile terminal where the party to be verified is located.
Further, the device for verifying a digital certificate may further include:
The device identification generation module is used for setting the divided machine bits in the device identification code according to the hardware information of the mobile terminal where the party to be verified is located, and generating the divided serial numbers in the device identification code by adopting a random algorithm.
Further, the device for verifying a digital certificate may further include:
and the certificate center registration module is used for responding to a registration request of a new certificate center, establishing cross authentication between the new certificate center and the registered certificate center, and generating trust chain data of the new certificate center.
The verification device for the digital certificate provided by the embodiment is applicable to the verification method for the digital certificate provided by any embodiment, and has corresponding functions and beneficial effects.
Example IV
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. As shown in fig. 4, the electronic device includes a processor 40, a storage device 41, and a communication device 42; the number of processors 40 in the electronic device may be one or more, one processor 40 being taken as an example in fig. 4; the processor 40, the storage means 41 and the communication means 42 of the electronic device may be connected by a bus or other means, in fig. 4 by way of example.
The storage device 41 is used as a computer readable storage medium, and may be used to store a software program, a computer executable program, and modules, such as modules corresponding to the digital certificate verification method in the embodiment of the present invention (for example, the to-be-mutually-trusted determining module 310, the mutually-trusted logic constructing module 320, and the certificate verification module 330 in the digital certificate verification device). The processor 40 executes various functional applications of the electronic device and data processing, that is, implements the above-described digital certificate verification method, by running software programs, instructions, and modules stored in the storage device 41.
The storage device 41 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, the storage 41 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, storage device 41 may further include memory remotely located relative to multifunction controller 40, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The communication means 42 may be used to implement a network connection or a mobile data connection between devices.
The electronic device provided by the embodiment can be used for executing the verification method of the digital certificate provided by any embodiment, and has corresponding functions and beneficial effects.
Example five
The fifth embodiment of the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for verifying a digital certificate in any of the above embodiments.
The method specifically comprises the following steps:
responding to a verification request of a digital certificate of a party to be verified by a requesting party, and determining a certificate center to be mutually trusted;
constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate center to be mutually trusted after the mutual trust platform is registered, wherein each node of the mutual trust logic tree is the identifier of the certificate center or the mobile terminal contained in the trust chain data;
And verifying whether the digital certificate of the party to be verified is trusted or not according to the mutual trust logic tree.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk, or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the verification apparatus for digital certificates, each unit and module included are only divided according to the functional logic, but not limited to the above-mentioned division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations may be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (8)
1. A method for verifying a digital certificate, applied to a mutually trusted platform registered with at least two certificate centers, comprising:
Determining a certificate center to be mutually trusted in response to a verification request of a requesting party for a digital certificate of a party to be verified, wherein the certificate center to be mutually trusted is a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requesting party;
Constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate centers to be mutually trusted after the mutual trust platform is registered, wherein each node of the mutual trust logic tree is a certificate center contained in the trust chain data, and the mutual trust logic tree is used for representing a trust transfer process between the certificate centers to be mutually trusted;
Verifying whether the digital certificate of the party to be verified is trusted or not according to the mutual trust logic tree;
The verifying whether the digital certificate of the party to be verified is trusted according to the mutual trust logic tree comprises the following steps:
Determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree, wherein the public certificate centers are certificate centers which have trust transfer relation with a certificate center B and a certificate center D, the certificate center B is responsible for certificate management of the requesting party, and the certificate center D is responsible for certificate management of the party to be verified;
Verifying whether the public certificate center is trusted or not, and taking the trusted result of the public certificate center as the trusted result of the digital certificate of the party to be verified.
2. The method of claim 1, wherein the determining a certificate authority to be mutually trusted in response to a request by a requesting party to verify a digital certificate of a party to be verified comprises:
And if a request of a requesting party for verifying the digital certificate of the party to be verified is received, a first certificate center for issuing the digital certificate of the party to be verified and a second certificate center pointed by the requesting party are used as the certificate centers to be mutually trusted.
3. The method of claim 1, wherein the digital certificate of the party to be authenticated is a mobile-end certificate, and further comprising, before determining the certificate authority to be mutually trusted in response to a request by the requesting party to authenticate the digital certificate of the party to be authenticated:
responding to an application instruction of the digital certificate of the party to be verified, and determining a target certificate center which is selected by the party to be verified and is used for synchronously issuing the digital certificate;
And synchronously issuing a corresponding digital certificate for the party to be verified by utilizing trust chain data formed by each target certificate center after the mutual trust platform is registered and a device identification code of the mobile terminal where the party to be verified is located.
4. The method of claim 3, further comprising, upon determining a target certificate authority selected by the party to be authenticated for synchronous issuance of digital certificates:
Setting divided machine bits in the equipment identification code according to the hardware information of the mobile terminal where the party to be verified is located, and generating a divided serial number in the equipment identification code by adopting a random algorithm;
The machine bits divided in the equipment identification code and the serial numbers divided in the equipment identification code are used for guaranteeing the uniqueness of the mobile terminal used by the party to be verified.
5. The method according to any one of claims 1-4, further comprising:
In response to a registration request of a new certificate authority, establishing cross-authentication between the new certificate authority and the registered certificate authority, and generating trust chain data of the new certificate authority.
6. A digital certificate verification apparatus, which is configured in a mutually trusted platform in which at least two certificate centers are registered, comprising:
The system comprises a to-be-mutually-trusted determining module, a to-be-mutually-trusted determining module and a request module, wherein the to-be-mutually-trusted determining module is used for responding to a verification request of a digital certificate of a to-be-verified party and determining a to-be-mutually-trusted certificate center, and the to-be-mutually-trusted certificate center is a first certificate center for issuing the digital certificate of the to-be-verified party and a second certificate center pointed by the request party;
The mutual trust logic construction module is used for constructing a corresponding mutual trust logic tree according to trust chain data formed by the certificate centers to be mutually trusted after the mutual trust platform is registered, each node of the mutual trust logic tree is a certificate center contained in the trust chain data, and the mutual trust logic tree is used for representing a trust transfer process between the certificate centers to be mutually trusted;
the certificate verification module is used for verifying whether the digital certificate of the party to be verified is trusted or not according to the mutually trusted logic tree;
The certificate verification module is specifically configured to:
Determining public certificate centers of the requesting party and the party to be verified based on the mutual trust logic tree, wherein the public certificate centers are certificate centers which have trust transfer relation with a certificate center B and a certificate center D, the certificate center B is responsible for certificate management of the requesting party, and the certificate center D is responsible for certificate management of the party to be verified;
Verifying whether the public certificate center is trusted or not, and taking the trusted result of the public certificate center as the trusted result of the digital certificate of the party to be verified.
7. An electronic device, the electronic device comprising:
one or more processors;
a storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of verifying digital certificates of any of claims 1-5.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements a method of verifying a digital certificate according to any one of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110825226.5A CN113536284B (en) | 2021-07-21 | 2021-07-21 | Digital certificate verification method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110825226.5A CN113536284B (en) | 2021-07-21 | 2021-07-21 | Digital certificate verification method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113536284A CN113536284A (en) | 2021-10-22 |
| CN113536284B true CN113536284B (en) | 2024-06-21 |
Family
ID=78100799
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110825226.5A Active CN113536284B (en) | 2021-07-21 | 2021-07-21 | Digital certificate verification method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113536284B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115378737B (en) * | 2022-10-24 | 2023-01-10 | 中汽数据(天津)有限公司 | Cross-domain device communication trust method, device, equipment and medium |
| CN115802350B (en) * | 2023-02-07 | 2023-05-05 | 中汽智联技术有限公司 | Certificate revocation status verification system, method and storage medium |
| CN117156440B (en) * | 2023-10-27 | 2024-01-30 | 中电科网络安全科技股份有限公司 | Certificate authentication method, system, storage medium and electronic equipment |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111683060A (en) * | 2020-05-20 | 2020-09-18 | 国汽(北京)智能网联汽车研究院有限公司 | Communication message verification method, device and computer storage medium |
Family Cites Families (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1921557A1 (en) * | 2006-11-13 | 2008-05-14 | Jaycrypto Limited | Certificate handling method and system for ensuring secure identification of identities of multiple electronic devices |
| US20170063557A1 (en) * | 2015-08-28 | 2017-03-02 | Fortinet, Inc. | Detection of fraudulent certificate authority certificates |
| CN108696348A (en) * | 2017-04-06 | 2018-10-23 | ***通信有限公司研究院 | A kind of method, apparatus, system and electronic equipment for realizing CA mutual trusts |
| CN108737111B (en) * | 2018-05-24 | 2021-07-27 | 中国互联网络信息中心 | Digital certificate processing method and device |
| US11134065B2 (en) * | 2018-12-06 | 2021-09-28 | Visa International Service Association | Secured extended range application data exchange |
| CN110598422A (en) * | 2019-08-01 | 2019-12-20 | 浙江葫芦娃网络集团有限公司 | Trusted identity authentication system and method based on mobile digital certificate |
| CN111555885B (en) * | 2020-03-18 | 2021-11-30 | 西安电子科技大学 | Credible identity authentication method, system, storage medium and cloud computing terminal |
| CN111831996B (en) * | 2020-06-10 | 2024-03-01 | 北京国电通网络技术有限公司 | Service system of multiple digital certificate certification authorities |
| CN112435024B (en) * | 2020-11-17 | 2022-06-10 | 浙江大学 | Alliance chain cross-chain privacy protection method based on group signature and CA multi-party authentication |
-
2021
- 2021-07-21 CN CN202110825226.5A patent/CN113536284B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111683060A (en) * | 2020-05-20 | 2020-09-18 | 国汽(北京)智能网联汽车研究院有限公司 | Communication message verification method, device and computer storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113536284A (en) | 2021-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113536284B (en) | Digital certificate verification method, device, equipment and storage medium | |
| CN109714167B (en) | Identity authentication and key agreement method and equipment suitable for mobile application signature | |
| CN111131300B (en) | Communication method, terminal and server | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| CN111880919B (en) | Data scheduling method, system and computer equipment | |
| CN112861106B (en) | Digital certificate processing method and system, electronic device and storage medium | |
| CN112887282A (en) | Identity authentication method, device and system and electronic equipment | |
| CN112039848A (en) | Web authentication method, system and device based on block chain public key digital signature | |
| CN114143108A (en) | Session encryption method, device, equipment and storage medium | |
| CN115664655A (en) | TEE credibility authentication method, device, equipment and medium | |
| US20240064011A1 (en) | Identity authentication method and apparatus, device, chip, storage medium, and program | |
| CN113824566B (en) | Certificate authentication method, code number downloading method, device, server and storage medium | |
| CN111414640A (en) | Key access control method and device | |
| CN114297678A (en) | Operation method, device, equipment and storage medium of union chain system | |
| CN114338091A (en) | Data transmission method and device, electronic equipment and storage medium | |
| CN111225001B (en) | Block chain decentralized communication method, electronic equipment and system | |
| CN117240473A (en) | Electronic contract signing method, electronic contract signing device, electronic equipment and storage medium | |
| CN114172923B (en) | Data transmission method, communication system and communication device | |
| CN116074061A (en) | Data processing method and device for rail transit, electronic equipment and storage medium | |
| KR101256114B1 (en) | Message authentication code test method and system of many mac testserver | |
| CN114218558A (en) | Cross-domain identity authentication method and server in secure multi-party computing | |
| CN111163466B (en) | Method for 5G user terminal to access block chain, user terminal equipment and medium | |
| CN114124515A (en) | Bidding transmission method, key management method, user verification method and corresponding device | |
| CN114679284A (en) | Trusted remote attestation system, storage method, verification method and storage medium thereof | |
| CN111383110A (en) | Cross-block-chain evidence transfer method and device and hardware equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |