CN116827542B - Digital certificate management method and system of intelligent device - Google Patents

Digital certificate management method and system of intelligent device

Info

Publication number
CN116827542B
Authority
CN
China
Prior art keywords
certificate
intelligent
digital certificate
terminal
key
Prior art date
Legal status
Active
Application number
CN202311092185.9A
Other languages
Chinese (zh)
Other versions
CN116827542A (en)
Inventor
何丹
王玮
卢正华
吴晓舟
Current Assignee
Jiangsu Guoxin Digital Technology Co ltd
Original Assignee
Jiangsu Guoxin Digital Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Jiangsu Guoxin Digital Technology Co ltd
Priority to CN202311092185.9A
Publication of CN116827542A
Application granted
Publication of CN116827542B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload


Abstract

The invention discloses a digital certificate management method and system for smart devices. The system consists of a smart device terminal, a certificate server and external cryptographic hardware; the certificate server is an application server connected to the external cryptographic hardware, and the external cryptographic hardware is a cryptographic machine conforming to China's commercial cryptography standards. The certificate server issues a device digital certificate for communication to the smart device terminal, based on the terminal's unique identifier, and that certificate is used to encrypt and protect communication between the terminal and the certificate server. On a user certificate application, the certificate server applies to the CA for the user digital certificate, and partial key information is stored separately in the external cryptographic hardware and in the smart device terminal; the certificate server performs collaborative signing and collaborative encryption and decryption under the user digital certificate with the help of the external cryptographic hardware, and the final signature and decryption result are output at the smart device terminal. The invention ensures the security of device digital certificate applications on the smart device terminal.

Description

Digital certificate management method and system of intelligent device
Technical Field
The invention relates to the technical field of secure communication, in particular to a digital certificate management method and system of intelligent equipment.
Background
With the development and spread of smart device terminals, the demand for data authentication and data security on such terminals keeps growing. The traditional way to protect data is to encrypt and sign it with a digital certificate together with the SM2 key algorithm. SM2 is the Chinese national public key cryptography algorithm standard (GM/T 0003-2012).
Because the environment of a smart device terminal contains many uncontrollable factors, such as spyware and system vulnerabilities, key material can leak; the communication environment likewise contains uncontrollable factors, so secrets can leak in transit. These factors create many security risks for digital certificate applications on smart devices.
Disclosure of Invention
The invention aims to provide a digital certificate management method and system for smart devices, so as to ensure the security of digital certificate applications on such devices.
The technical solution that achieves this aim is as follows.
A digital certificate management method for smart devices comprises the following steps:
a smart device terminal, a certificate server and external cryptographic hardware are set up, where the certificate server is an application server connected to the external cryptographic hardware, and the external cryptographic hardware is a cryptographic machine conforming to China's commercial cryptography standards;
the certificate server issues a device digital certificate for communication to the smart device terminal, based on the terminal's unique identifier, and communication between the terminal and the certificate server is encrypted and protected with that device certificate;
a user applies to the certificate server for a user digital certificate through the smart device terminal;
the certificate server applies to the CA for the user digital certificate according to the application request, and partial key information is stored separately in the external cryptographic hardware and in the smart device terminal using a key separation algorithm;
the certificate server performs collaborative signing and collaborative encryption and decryption under the user digital certificate using the external cryptographic hardware and the key separation algorithm;
the final signature and decryption result are output at the smart device terminal.
The system that implements this digital certificate management method comprises a smart device terminal, a certificate server and external cryptographic hardware, where:
the smart device terminal is a smart device running a mobile OS;
the certificate server is an application server connected to the external cryptographic hardware, and performs collaborative signing and collaborative encryption and decryption under the user digital certificate using the external cryptographic hardware and a key separation algorithm;
the external cryptographic hardware is a cryptographic machine conforming to China's commercial cryptography standards.
Compared with the prior art, the invention has the following notable advantages:
(1) A device digital certificate for communication is issued to the smart device terminal, securing the communication data: an attacker who intercepts the communication data still cannot decrypt it.
(2) When a user applies for a user digital certificate, partial key information is stored separately in the external cryptographic hardware and in the smart device terminal. During signing and decryption the external cryptographic hardware assists with a small amount of computation, forming a collaborative signing/decryption mode whose final result is output at the terminal. Neither the terminal alone nor the server alone can complete the operation, so an attacker who obtains the terminal's local key information still cannot sign or decrypt data; this secures the user digital certificate application on the terminal.
(3) Communication is encrypted with the device digital certificate for communication, which also secures the channel between the smart device terminal and the server and completes the protection of the terminal's user digital certificate application.
(4) The external cryptographic hardware performs only a small amount of computation, meeting the system load requirement; communication between the smart device terminal and the external cryptographic hardware is encrypted, meeting the communication security requirement.
Drawings
Fig. 1 is a communication flow chart of a digital certificate management method for communication of an intelligent device according to the present invention.
Fig. 2 is a flow chart of a signing application of a user digital certificate.
Fig. 3 is a flowchart of a decryption application for a user digital certificate.
Detailed Description
It is easy to understand that various embodiments of the present invention can be envisioned by those of ordinary skill in the art without altering the true spirit of the present invention in light of the present teachings. Accordingly, the following detailed description and drawings are merely illustrative of the invention and are not intended to be exhaustive or to limit or restrict the invention.
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of exemplary embodiments may have different values.
The invention relates to a digital certificate management method for smart device terminals, applied on the terminal, which effectively protects the key usage and communication security of a user digital certificate. Specifically, the terminal is first issued a device digital certificate for communication, so that communication data are secured and an attacker who intercepts them cannot decrypt them. Second, when a user digital certificate is applied for, partial key information is stored separately in the external cryptographic hardware and in the terminal; during signing and decryption the external cryptographic hardware assists with a small amount of computation, forming collaborative signing/decryption whose final result is output at the terminal, so an attacker who obtains the terminal's local key information still cannot sign or decrypt data. Throughout, the external cryptographic hardware performs only a small amount of computation, meeting the system load requirement, and communication between the terminal and the external cryptographic hardware is encrypted, meeting the communication security requirement. The digital certificate management method and system for smart devices are described in detail below.
The invention discloses a digital certificate management method for smart devices, comprising the following steps:
a smart device terminal, a certificate server and external cryptographic hardware are set up, where the certificate server is an application server connected to the external cryptographic hardware, and the external cryptographic hardware is a cryptographic machine conforming to China's commercial cryptography standards;
the certificate server issues a device digital certificate for communication to the smart device terminal, based on the terminal's unique identifier, and communication between the terminal and the certificate server is encrypted and protected with that device certificate;
a user applies to the certificate server for a user digital certificate through the smart device terminal;
the certificate server applies to the CA for the user digital certificate according to the application request, and partial key information is stored separately in the external cryptographic hardware and in the smart device terminal using a key separation algorithm;
the certificate server performs collaborative signing and collaborative encryption and decryption under the user digital certificate using the external cryptographic hardware and the key separation algorithm;
the final signature and decryption result are output at the smart device terminal.
As a specific example, the communication flow between the smart device terminal, the certificate server and the external cryptographic hardware is as follows:
(1.1) to secure the terminal's communication, when communication is first established the smart device terminal sends an access request to the certificate server;
(1.2) the certificate server identifies the terminal by its unique identifier and, based on that identifier, issues a device digital certificate for communication to the terminal; the device certificate is used for encryption and authentication of communication between the terminal and the certificate server, protecting the security and validity of the data;
(1.3) the smart device terminal stores the device digital certificate for communication locally;
(1.4) when the terminal communicates with the certificate server, it first generates a random symmetric encryption key and encrypts the communication data with it; it then encrypts the symmetric key with the device digital certificate for communication, packages the encrypted data and the encrypted symmetric key as a digital envelope, attaches a signature, and sends the envelope to the certificate server;
(1.5) on receiving the terminal's request, the certificate server opens the digital envelope with the device digital certificate for communication to obtain the random symmetric key, then decrypts the encrypted communication data with that key to obtain the original service data;
(1.6) the certificate server performs the business processing, including signing applications and decryption applications under the user digital certificate;
(1.7) after the business processing completes, the return value is encrypted with the symmetric key, the encrypted content is digitally signed, and the data is returned to the smart device terminal;
(1.8) the terminal first verifies the digital signature and, once it is correct, decrypts the data with the symmetric key to obtain the service result, completing the communication exchange.
As a specific example, the smart device terminal is a smart device running a mobile OS, such as a smart phone or a vehicle-mounted smart central control terminal.
As a specific example, the user digital certificate is divided into a signature certificate and an encryption certificate according to GM/T 0034 (certificate authentication system cryptography based on the SM2 cryptographic algorithm) and its related security specifications; the signature certificate is used to digitally sign and verify data, and the encryption certificate is used to encrypt and decrypt data.
As a specific example, the signing application flow for the user digital certificate uses the signature certificate and is based on an SM2 multi-party collaborative signing method: part of the key is stored in the external cryptographic hardware, and the user signature certificate key held in the smart device terminal is combined with the partial key stored in the external cryptographic hardware so that the terminal's signing and the certificate server's signing together form a collaborative signature.
As a specific example, the encryption certificate in the user digital certificate is based on the public key cryptography algorithm standard GM/T 0003-2012, and data is encrypted with that standard public key algorithm.
As a specific example, the signing application flow for the user digital certificate is as follows:
(2.1) the smart terminal device sends a user digital certificate application request to the certificate server; after the certificate server has applied to the CA for the user digital certificate, the external cryptographic hardware is called to generate a partial key, and the partial key and the user digital certificate are paired and identified;
the pairing identification is a one-to-one binding of the partial key generated by the external cryptographic hardware to the user digital certificate, stored in the server database: each user digital certificate produces one partial key, which is stored in the server database, and the matching partial key is looked up in the server database using the user digital certificate as the identifier;
(2.2) after the user digital certificate has been applied for and the partial key generated, the user digital certificate is returned to the smart terminal device; it includes the signature certificate; if the user digital certificate is complete the flow proceeds to the next step, otherwise it ends abnormally;
(2.3) the smart terminal device obtains the signature certificate and key of the user digital certificate and stores them locally;
(2.4) the smart terminal device digitally signs data according to the service requirement;
(2.5) the smart terminal device generates a first random number $t_1$ according to the signature certificate key factor $a$, on the same elliptic curve with base point $G$ of order $n$, and obtains the first variable $Q_1 = t_1 \cdot G$ by point multiplication; here $n$ is the order of the elliptic curve determined by the signature certificate key factor $a$, and $t_1$ satisfies $t_1 \in [1, n-1]$;
(2.6) the smart terminal device sends $Q_1$ and the message digest $e$ to the certificate server to execute the collaborative signature; the certificate server, using the partial key factor $a_2$ of the external cryptographic hardware, generates two random numbers $t_2$ and $t_3$, with $t_2 \in [1, n-1]$ and $t_3 \in [1, n-1]$;
the collaborative signature value $r$ and the collaborative signature components $s_2$ and $s_3$ are then obtained by point multiplication as follows:
compute $t_2 \cdot Q_1 + t_3 \cdot G = (x_1, y_1)$ and $r = (x_1 + e) \bmod n$, where $\bmod n$ denotes reduction modulo $n$; $r$ must be non-zero, otherwise the flow ends abnormally;
compute $s_2 = a_2 \cdot t_2$ and $s_3 = a_2 \cdot r + t_3$;
(2.7) the certificate server returns $r$, $s_2$ and $s_3$ to the smart device terminal, which computes the second signature component $s = (a \cdot t_1) \cdot s_2 + a \cdot s_3 - r$ and combines $r$ with $s$ into the complete signature $(r, s)$, completing the collaborative signature; $s$ must satisfy $(r + s) \bmod n \neq 0$, otherwise the flow ends abnormally.
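The collaborative signature of steps (2.5) to (2.7) as an added worked example, not code from the patent: a two-party SM2-style signing over a constructed toy curve, with the terminal holding key factor a and the external cryptographic hardware holding a2, and the result checked with ordinary single-key SM2 verification. Assumptions not taken from the page: a small prime-order curve over GF(97) stands in for the GM/T 0003-2012 curve, SHA-256 stands in for SM3, and s3 is computed as a2·(r + t3) mod n (a2 applied to both terms), which is what makes the assembled (r, s) verify under the joint public key ((a·a2)^-1 - 1)·G.

```python
"""Two-party SM2-style collaborative signing on a constructed toy curve.
Added example, not code from the patent. Key split as the text describes: terminal
holds key factor a, external cryptographic hardware holds a2, and the joint private
key d satisfies (1 + d) * a * a2 = 1 (mod n), so neither side ever holds d.
Assumptions: a prime-order curve over GF(97) stands in for the GM/T 0003-2012 curve,
SHA-256 stands in for SM3, and s3 = a2 * (r + t3) mod n (a2 applied to both terms),
which is what makes the assembled (r, s) verify as an ordinary SM2 signature."""
import hashlib
import secrets

P_MOD, A_COEF, INF = 97, 2, None     # toy field, curve y^2 = x^3 + 2x + b, point at infinity

def _find_prime_order_curve():
    """Pick b so the toy curve is non-singular with prime order (any point then generates it)."""
    for b in range(1, P_MOD):
        if (4 * A_COEF ** 3 + 27 * b * b) % P_MOD == 0:
            continue
        pts = [(x, y) for x in range(P_MOD) for y in range(P_MOD)
               if (y * y - (x ** 3 + A_COEF * x + b)) % P_MOD == 0]
        order = len(pts) + 1                                   # count the point at infinity
        if order > 3 and all(order % q for q in range(2, int(order ** 0.5) + 1)):
            return b, order, pts[0]
    raise RuntimeError("no prime-order toy curve found")

B_COEF, N_ORDER, G = _find_prime_order_curve()

def ec_add(p1, p2):
    """Affine short-Weierstrass addition, covering doubling and P + (-P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    acc, k = INF, k % N_ORDER                                  # double-and-add
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def _rand_scalar():
    return secrets.randbelow(N_ORDER - 1) + 1                  # uniform in [1, n-1]

def keygen():
    """Terminal keeps a, hardware keeps a2; the joint public key is assembled without d."""
    while True:
        a, a2 = _rand_scalar(), _rand_scalar()
        p1 = ec_mul(pow(a, -1, N_ORDER), G)                    # terminal sends a^-1 * G
        pub = ec_add(ec_mul(pow(a2, -1, N_ORDER), p1), (G[0], (-G[1]) % P_MOD))
        if pub is not INF:                                     # pub = ((a*a2)^-1 - 1) * G = d*G
            return a, a2, pub

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N_ORDER

def hardware_round(a2, q1, e):
    """Step 2.6 on the hardware side, using partial key factor a2; returns (r, s2, s3)."""
    while True:
        t2, t3 = _rand_scalar(), _rand_scalar()
        pt = ec_add(ec_mul(t2, q1), ec_mul(t3, G))             # t2*Q1 + t3*G = (x1, y1)
        if pt is INF:
            continue
        r = (pt[0] + e) % N_ORDER
        if r != 0:                                             # page: r must be non-zero
            return r, a2 * t2 % N_ORDER, a2 * (r + t3) % N_ORDER

def collaborative_sign(a, a2, msg: bytes):
    """Steps 2.5-2.7 end to end; returns a standard SM2 signature (r, s)."""
    e = digest(msg)
    while True:
        t1 = _rand_scalar()
        q1 = ec_mul(t1, G)                                     # 2.5: Q1 = t1 * G
        r, s2, s3 = hardware_round(a2, q1, e)                  # 2.6: send Q1 and e
        s = ((a * t1) * s2 + a * s3 - r) % N_ORDER             # 2.7: s = (a*t1)*s2 + a*s3 - r
        if s != 0 and (r + s) % N_ORDER != 0:                  # page: (r + s) mod n non-zero
            return r, s

def sm2_verify(pub, msg: bytes, sig) -> bool:
    """Ordinary single-key SM2 verification; the verifier never sees the split."""
    r, s = sig
    t = (r + s) % N_ORDER
    if not (1 <= r < N_ORDER and 1 <= s < N_ORDER) or t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not INF and (digest(msg) + pt[0]) % N_ORDER == r
```

The verifier only needs the joint public key and the standard SM2 check, which is the property the key split relies on: the terminal's a and the hardware's a2 never meet.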
As a specific example, the flow for decrypting data with the encryption certificate in the user digital certificate is as follows:
(3.1) the smart terminal device sends a user digital certificate application request to the certificate server; after the certificate server has applied to the CA for the user digital certificate, the external cryptographic hardware is called to generate a partial key, and the partial key and the user digital certificate are paired and identified;
the pairing identification is a one-to-one binding of the partial key generated by the external cryptographic hardware to the user digital certificate, stored in the server database: each user digital certificate produces one partial key, which is stored in the server database, and the matching partial key is looked up in the server database using the user digital certificate as the identifier;
(3.2) after the user digital certificate has been applied for and the partial key generated, the user digital certificate is returned to the smart terminal device; it includes the encryption certificate and the encryption certificate key; if the user digital certificate is complete the flow proceeds to the next step, otherwise it ends abnormally;
(3.3) the smart terminal device generates an encryption random number $\eta$ using an SM2 key random-number generation algorithm that meets the national cryptographic requirements; $\eta$ must satisfy $\eta \in [1, n'-1]$, where $n'$ is the order of the elliptic curve of the encryption certificate key factor; if $\eta$ does not satisfy $\eta \in [1, n'-1]$, it is regenerated;
(3.4) the smart terminal device encrypts and stores the encryption certificate key: the original key is $K$, the stored (encrypted) key is $K'$, determined from the random number $\eta$ as $K' = K \cdot \eta^{-1}$; the random number $\eta$ is then encrypted by the certificate server with the partial key of the external cryptographic hardware, yielding the encrypted data $P$;
(3.5) the smart terminal device stores the encrypted data $P$ and performs decryption according to it;
(3.6) when decrypting, the smart device terminal first sends the encrypted data $P$ to the certificate server, which recovers the random number $\eta$ with the partial key of the external cryptographic hardware and returns it to the terminal;
(3.7) the smart device terminal recovers the original key $K$ from the stored $K'$ using the relation $K' = K \cdot \eta^{-1}$;
(3.8) decryption is completed using the original key $K$.
The invention also relates to a digital certificate management system for smart devices, used to implement the method above, comprising a smart device terminal, a certificate server and external cryptographic hardware, where:
the smart device terminal is a smart device running a mobile OS;
the certificate server is an application server connected to the external cryptographic hardware, and performs collaborative signing and collaborative encryption and decryption under the user digital certificate using the external cryptographic hardware and a key separation algorithm;
the external cryptographic hardware is a cryptographic machine conforming to China's commercial cryptography standards.
As a specific example, the smart device terminal includes a smart phone and a vehicle-mounted smart central control terminal.
The invention is described in further detail below with reference to the drawings and specific examples.
Examples
This embodiment provides a digital certificate management system for smart devices, comprising a smart device terminal, a certificate server and external cryptographic hardware, where:
the smart device terminals are smart devices such as smart phones and vehicle-mounted smart central control terminals, running a mobile OS;
the certificate server may be a standard application server connected to the external cryptographic hardware, and it handles collaborative signing and collaborative encryption and decryption under the user's certificate using a key separation algorithm through the external cryptographic hardware;
the external cryptographic hardware may be a cryptographic machine conforming to China's commercial cryptography standards, ensuring the compliance and security of the system.
Referring to fig. 1, the communication flow of the digital certificate management method of the intelligent device of the embodiment includes the following steps:
(1.1) To secure the communication of the intelligent device terminal, when communication is established for the first time the intelligent device terminal initiates an access request to the certificate server.
(1.2) The certificate server labels the device by the unique identifier of the intelligent device terminal and, based on that unique identifier, issues the intelligent device terminal a device digital certificate for communication.
The device digital certificate for communication is used for encryption and authentication of the communication between the intelligent device terminal and the certificate server, protecting the security and validity of the data. The certificate server does not generate the unique identifier itself; it uses the unique identifier of the intelligent device terminal to produce the device digital certificate for communication.
(1.3) The intelligent device terminal stores the device digital certificate for communication locally.
(1.4) When the intelligent device terminal communicates with the certificate server, it first generates a random symmetric encryption key and encrypts the communication data with it; it then encrypts the symmetric encryption key with the device digital certificate for communication, packs the encrypted communication data and the encrypted symmetric key into a digital envelope, attaches a signature, and sends the digital envelope to the certificate server.
(1.5) After receiving the request from the intelligent device terminal, the certificate server decrypts the digital envelope with the device digital certificate to obtain the random symmetric encryption key, and then decrypts the encrypted communication data with that key to obtain the original service data.
(1.6) The certificate server performs the service processing, for example the signature application or the decryption application of the user digital certificate.
(1.7) After the service processing is finished, the return value is encrypted with the symmetric encryption key, the encrypted content is digitally signed, and the data is returned to the intelligent device terminal.
(1.8) The intelligent device terminal first verifies the digital signature and, once the signature is correct, decrypts the data with the symmetric encryption key to obtain the service processing result, which completes the whole communication interaction flow.
To secure the application of the user data of the intelligent device, digital signatures made with the user digital certificate are required for the relevant security applications. The invention is applicable to the related applications of SM2-type device digital certificates. On the basis of the encrypted communication, the certificate server provides the device digital certificate application service to the intelligent device terminal, and the user digital certificate is divided into a signature certificate and an encryption certificate according to GM/T 0034, the cryptographic and related security technical specification for certificate authentication systems based on the SM2 cryptographic algorithm. The signature certificate is used for digitally signing data and verifying signatures; the encryption certificate is used for encrypting and decrypting data. The signature application flow of the device digital certificate uses the signature certificate to implement the digital signature. According to GM/T 0034, the certificate, the key and the application must be handled by external cryptographic equipment. The signature application of the user digital certificate is based on an SM2 multi-party collaborative signature method: a partial key is kept in the external cryptographic equipment, and the signature of the intelligent terminal device and the signature of the certificate server are combined into one collaborative signature using the signature certificate key held in the intelligent device terminal together with the partial key kept in the external cryptographic equipment, which secures the whole digital signature application.
In connection with fig. 2, the signature application flow of the user digital certificate is as follows:
(2.1) The user's digital certificate application is processed under the protection of the communication encryption flow. The intelligent terminal device initiates a user digital certificate application request to the certificate server; after applying to the CA institution for the user digital certificate, the certificate server calls the external cryptographic equipment to generate a partial key, and pairs and identifies the partial key with the user digital certificate.
Pairing identification means that the partial key generated by the external cryptographic hardware and the user digital certificate are bound and stored one-to-one in the database, that is, a partial key is generated for every user digital certificate and stored in the database. The corresponding partial key can then be looked up in the server database using the user digital certificate as the identifier.
(2.2) After the application and generation of the user digital certificate are complete, the user digital certificate, which includes the signature certificate, is returned to the intelligent terminal device; if this succeeds the flow proceeds to the next step, otherwise it ends abnormally.
(2.3) The intelligent terminal device obtains the signature certificate and the key of the user digital certificate and stores them locally.
(2.4) The intelligent terminal device digitally signs data as required by the service.
(2.5) The intelligent terminal device, holding the signing certificate key factor a, generates a first random number t1 and obtains the first variable Q1 = t1·G by point multiplication with the base point G of order n on the elliptic curve; here n is the order of the elliptic curve determined by the signing certificate key factor a, and t1 satisfies t1 ∈ [1, n−1].
n is the order on the elliptic curve, a mathematical notion; the SM2 national cryptographic standard is based on elliptic curve cryptography.
(2.6) The intelligent terminal device sends Q1 and the message digest e to the certificate server to perform the collaborative signature. The certificate server, using the partial key factor a2 held in the external cryptographic hardware, generates two random numbers t2 and t3, with t2 ∈ [1, n−1] and t3 ∈ [1, n−1];
the collaborative signature radius r and the collaborative signature components s2 and s3 are then obtained by point multiplication, specifically:
compute t2·Q1 + t3·G = (x1, y1) and r = (x1 + e) mod n, where mod n denotes reduction modulo n; r must satisfy r ≠ 0, otherwise the flow ends abnormally;
compute s2 = a2·t2 and s3 = a2·r + t3;
(2.7) The certificate server returns r, s2 and s3 to the intelligent device terminal, which computes the second signature component s = (a·t1)·s2 + a·s3 − r from r, s2 and s3, and combines the collaborative signature radius r with the second signature component s into the complete signature (r, s), completing the collaborative signature; s must satisfy (r + s) mod n ≠ 0, otherwise the flow ends abnormally.
The complete signature (r, s) is the signature pair of the national SM2 digital signature standard; the digital signature result is computed according to that standard and is the final output of this processing.
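A worked, runnable version of steps 2.5 to 2.7, added here as an illustration; it is not code from the patent or its assignee. It runs on a constructed toy curve (y² = x³ + 2x + 2 over F₁₇, base point (5, 1) of prime order 19) and follows the two-party split used in the SM2 cooperative-signature literature the patent cites: the key factors are tied to the full private key d by (1 + d)⁻¹ = a·a2 mod n, and the server's third component is s3 = a2·(r + t3), so that the terminal's s = (a·t1)·s2 + a·s3 − r satisfies the standard SM2 verification equation. That key relation, the factor a2 on t3 (the text above prints s3 = a2·r + t3), the SHA-256 stand-in for the SM3 digest, the toy curve and all function names are assumptions of this example. The block also shows the checks the text requires, r ≠ 0 and (r + s) mod n ≠ 0, handled by repeating the signing round.

```python
# Added illustration, not the patent's code: two-party SM2-style cooperative
# signature (steps 2.5 to 2.7) on a constructed toy curve, plus SM2 verification.
import hashlib
import random

# Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1)
# of prime order n = 19.  Far too small for real use; illustration only.
P_MOD, A_COEF = 17, 2
G = (5, 1)
N = 19

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                       # P + (-P) = O, also 2P when y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def digest(message):
    """Stand-in for the SM3-based message digest e (SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def keygen(rng):
    """Key separation (assumption): (1 + d)^-1 = a * a2 mod n for private key d."""
    while True:
        a, a2 = rng.randrange(1, N), rng.randrange(1, N)
        d = (pow(a * a2, -1, N) - 1) % N
        if d:
            return a, a2, ec_mul(d, G)    # terminal factor, hardware factor, P = d*G

def terminal_step1(rng):
    """(2.5) t1 in [1, n-1] and the first variable Q1 = t1 * G."""
    t1 = rng.randrange(1, N)
    return t1, ec_mul(t1, G)

def server_step(a2, q1, e, rng):
    """(2.6) Server side; only the partial key a2 is used."""
    t2, t3 = rng.randrange(1, N), rng.randrange(1, N)
    pt = ec_add(ec_mul(t2, q1), ec_mul(t3, G))
    if pt is None:
        return None
    r = (pt[0] + e) % N
    if r == 0:
        return None                       # page: abnormal ending; caller retries
    s2 = a2 * t2 % N
    s3 = a2 * (r + t3) % N                # ASSUMPTION: a2 also multiplies t3
    return r, s2, s3

def terminal_step2(a, t1, r, s2, s3):
    """(2.7) Combine the server's values into the full signature (r, s)."""
    s = (a * t1 * s2 + a * s3 - r) % N
    if s == 0 or (r + s) % N == 0:
        return None                       # page: abnormal ending; caller retries
    return r, s

def cooperative_sign(a, a2, message, rng, max_tries=50):
    """Run the three steps, repeating the round on an abnormal ending."""
    e = digest(message)
    for _ in range(max_tries):
        t1, q1 = terminal_step1(rng)
        srv = server_step(a2, q1, e, rng)
        if srv is not None:
            sig = terminal_step2(a, t1, *srv)
            if sig is not None:
                return sig
    raise RuntimeError("abnormal ending: no valid signature after retries")

def verify(pub, message, sig):
    """Standard SM2 check: t = r + s, (x1', y1') = s*G + t*P, r == (e + x1') mod n."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not None and (digest(message) + pt[0]) % N == r

def demo(seed=2023, message=b"constructed service data"):
    """Key generation plus one cooperative signature with a seeded RNG."""
    rng = random.Random(seed)
    a, a2, pub = keygen(rng)
    return pub, message, cooperative_sign(a, a2, message, rng)
```

The point a practitioner should take from running it is the one the text makes: neither a nor a2 alone can produce a valid (r, s), the hardware never learns a and the terminal never learns a2, and the abnormal-ending checks are ordinary retry conditions rather than failures. On the tiny curve those retries actually fire now and then; on the real SM2 curve they are astronomically rare.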
To secure the user data of the intelligent device, the encryption certificate in the user digital certificate can be used for data encryption and decryption. Data encryption follows the national public key cryptographic algorithm standard (GM/T 0003-2012) and is not described further here.
Referring to fig. 3, the decryption application flow of the user digital certificate is as follows:
(3.1) The user's digital certificate application is processed under the protection of the communication encryption flow. The intelligent terminal device initiates a user digital certificate application request to the certificate server; after applying to the CA institution for the user digital certificate, the certificate server calls the external cryptographic equipment to generate a partial key, and pairs and identifies the partial key with the user digital certificate.
Pairing identification means that the partial key generated by the external cryptographic hardware and the user digital certificate are bound and stored one-to-one in the database, that is, a partial key is generated for every user digital certificate and stored in the database. The corresponding partial key can then be looked up in the server database using the user digital certificate as the identifier.
(3.2) After the application of the user digital certificate and the generation of the partial key are complete, the user digital certificate, which includes the encryption certificate and the encryption certificate key, is returned to the intelligent terminal device; if this succeeds the flow proceeds to the next step, otherwise it ends abnormally.
(3.3) The intelligent terminal device generates the encryption random number η using an SM2 key random number generation algorithm that meets the national cryptographic requirements; η must satisfy η ∈ [1, n'−1], where n' is the order of the elliptic curve of the encryption certificate key factor; if η does not satisfy η ∈ [1, n'−1], η is regenerated.
(3.4) The intelligent terminal device encrypts and stores the encryption certificate key: with the original key K and the encrypted key K', K' is determined from the encryption random number η as K' = K·η⁻¹; the encryption random number η is then encrypted by the certificate server with the partial key held in the external cryptographic hardware, yielding the encrypted data P.
(3.5) The intelligent terminal device stores the encrypted data P and performs decryption on the basis of it.
(3.6) The intelligent device terminal first sends the encrypted data P to the certificate server, which resolves the encryption random number η with the partial key held in the external cryptographic hardware and returns η to the intelligent device terminal.
(3.7) The intelligent device terminal recovers the original key K from the stored K' using the relation K' = K·η⁻¹.
(3.8) Decryption is completed with the original key K.
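The blinding of steps 3.3 to 3.7, written out as an added example that is not the patent's code. It uses the published prime order n' of the SM2 recommended curve as the modulus, draws η by rejection sampling into [1, n'−1], stores K' = K·η⁻¹ mod n', and recovers K = K'·η mod n'. The external cipher hardware is modelled by a small class whose partial key never leaves it and which wraps η under an HMAC-derived pad with an authentication tag; that model, and every name in the block, is an assumption of the example, not a description of the hardware the patent relies on.

```python
# Added illustration, not the patent's code: blinded storage of the encryption
# certificate key K (steps 3.3 to 3.8) and its recovery once the server-side
# cipher hardware has resolved the encryption random number eta.
import hashlib
import hmac
import secrets

# n' is the (prime) order of the SM2 recommended curve published in GB/T 32918;
# any prime group order works the same way.
N_PRIME = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def gen_eta(randbytes=secrets.token_bytes):
    """(3.3) Draw eta and keep it only if eta in [1, n'-1]; otherwise regenerate."""
    while True:
        eta = int.from_bytes(randbytes(32), "big")
        if 1 <= eta <= N_PRIME - 1:
            return eta

def blind_key(k, eta):
    """(3.4) K' = K * eta^-1 mod n'.  n' is prime, so every eta in range is invertible."""
    if not 1 <= k < N_PRIME:
        raise ValueError("K must lie in [1, n'-1]")
    return k * pow(eta, -1, N_PRIME) % N_PRIME

def unblind_key(k_blind, eta):
    """(3.7) K = K' * eta mod n', the inverse of blind_key."""
    return k_blind * eta % N_PRIME

class CipherHardware:
    """ASSUMPTION: a stand-in for the external cipher hardware.  The partial key
    never leaves the object; eta is wrapped under an HMAC-derived one-time pad
    with an authentication tag, so a modified P is rejected rather than
    resolving to a wrong eta.  Real hardware would use its SM algorithms."""

    def __init__(self, partial_key):
        self._partial_key = partial_key

    def _pad(self, nonce):
        return hmac.new(self._partial_key, b"pad" + nonce, hashlib.sha256).digest()

    def _tag(self, nonce, ct):
        return hmac.new(self._partial_key, b"tag" + nonce + ct, hashlib.sha256).digest()

    def wrap_eta(self, eta):
        """Produce the encrypted data P = nonce || ct || tag."""
        nonce = secrets.token_bytes(16)
        ct = bytes(x ^ y for x, y in zip(eta.to_bytes(32, "big"), self._pad(nonce)))
        return nonce + ct + self._tag(nonce, ct)

    def resolve_eta(self, p):
        """(3.6) Recover eta from P; fails closed on any modification."""
        nonce, ct, tag = p[:16], p[16:48], p[48:]
        if not hmac.compare_digest(self._tag(nonce, ct), tag):
            raise ValueError("encrypted data P failed authentication")
        return int.from_bytes(bytes(x ^ y for x, y in zip(ct, self._pad(nonce))), "big")

def terminal_store(hw, k):
    """(3.3)-(3.5) The terminal keeps only (K', P); eta itself is discarded."""
    eta = gen_eta()
    return blind_key(k, eta), hw.wrap_eta(eta)

def terminal_recover(hw, k_blind, p):
    """(3.6)-(3.7) Ask the server to resolve eta, then unblind K."""
    return unblind_key(k_blind, hw.resolve_eta(p))
```

Because η is uniform over the nonzero residues and n' is prime, the stored K' is consistent with every possible K, so the terminal's local copy reveals nothing without the server's cooperation, which is the property the flow is built on. The authentication tag in the model is the check a practitioner would want on the real P: a corrupted or substituted P must be refused rather than unblinding K with the wrong η.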
In summary, the signature and decryption applications of the user digital certificate of the intelligent device terminal must be produced cooperatively with the external cryptographic device of the server; neither the device terminal alone nor the server alone can complete the operation, which secures the application of the user digital certificate on the intelligent device terminal. At the same time, the communication is encrypted with the device digital certificate for communication, so the communication between the intelligent device terminal and the server is also secured, giving complete protection to the device digital certificate applications of the intelligent device terminal.
The present invention is not limited to the above embodiments; any changes or substitutions that a person skilled in the art can readily conceive within the technical scope of the present invention are intended to fall within its scope.
It should be appreciated that in the above description of exemplary embodiments, various features of the invention are sometimes described in the context of a single embodiment or with reference to a single figure in order to streamline the disclosure and help those skilled in the art understand its various aspects. The invention should not, however, be construed as requiring, in the exemplary embodiments, features that are essential to the patent claims.

Claims (8)

1. A digital certificate management method for an intelligent device, characterized by comprising the following steps:
providing an intelligent device terminal, a certificate server and external cryptographic hardware, wherein the certificate server is an application server connected to the external cryptographic hardware, and the external cryptographic hardware is a cipher machine conforming to the national commercial cryptography standards;
the certificate server issues a device digital certificate for communication to the intelligent device terminal on the basis of the unique identifier of the intelligent device terminal, and the communication between the intelligent device terminal and the certificate server is encrypted and protected by that device digital certificate for communication;
a user applies to the certificate server for a user digital certificate through the intelligent device terminal;
the certificate server applies to the CA institution for the user digital certificate according to the user digital certificate application, and partial key information is stored respectively in the external cryptographic hardware and in the intelligent device terminal by means of a key separation algorithm;
the certificate server performs the collaborative signature and the encryption and decryption of the user digital certificate by means of the external cryptographic hardware and the key separation algorithm;
the final signature and decryption results are output at the intelligent device terminal;
the signature application flow of the user digital certificate is as follows:
the intelligent terminal device initiates a user digital certificate application request to the certificate server; after the certificate server has applied to the CA institution for the user digital certificate, the external cryptographic hardware is called to generate a partial key, and the partial key is paired and identified with the user digital certificate of the device;
the pairing identification means that the partial key generated by the external cryptographic hardware and the user digital certificate are bound and stored one-to-one in the server database, that is, a partial key is generated for each user digital certificate and stored in the server database; the corresponding partial key is then found in the server database using the user digital certificate as the identifier;
(2.2) after the application of the user digital certificate and the generation of the partial key are complete, the user digital certificate, which includes the signature certificate, is returned to the intelligent terminal device; if this succeeds the flow proceeds to the next step, otherwise it ends abnormally;
(2.3) the intelligent terminal device obtains the signature certificate and the key of the user digital certificate and stores them locally;
(2.4) the intelligent terminal device digitally signs data as required by the service;
(2.5) the intelligent terminal device, holding the signing certificate key factor a, generates a first random number t1 and obtains the first variable Q1 = t1·G by point multiplication with the base point G of order n on the elliptic curve; n is the order of the elliptic curve determined by the signing certificate key factor a, and t1 satisfies t1 ∈ [1, n−1];
(2.6) the intelligent terminal device sends Q1 and the message digest e to the certificate server to perform the collaborative signature; the certificate server, using the partial key factor a2 held in the external cryptographic hardware, generates two random numbers t2 and t3, with t2 ∈ [1, n−1] and t3 ∈ [1, n−1];
the collaborative signature radius r and the collaborative signature components s2 and s3 are then obtained by point multiplication, specifically:
compute t2·Q1 + t3·G = (x1, y1) and r = (x1 + e) mod n, where mod n denotes reduction modulo n; r must satisfy r ≠ 0, otherwise the flow ends abnormally;
compute s2 = a2·t2 and s3 = a2·r + t3;
(2.7) the certificate server returns r, s2 and s3 to the intelligent device terminal, which computes the second signature component s = (a·t1)·s2 + a·s3 − r from r, s2 and s3, and combines the collaborative signature radius r with the second signature component s into the complete signature (r, s), completing the collaborative signature; s must satisfy (r + s) mod n ≠ 0, otherwise the flow ends abnormally;
the flow by which the encryption certificate in the user digital certificate decrypts data is as follows:
the intelligent terminal device initiates a user digital certificate application request to the certificate server; after the certificate server has applied to the CA institution for the user digital certificate, the external cryptographic hardware is called to generate a partial key, and the partial key is paired and identified with the user digital certificate;
the pairing identification means that the partial key generated by the external cryptographic hardware and the user digital certificate are bound and stored one-to-one in the server database, that is, a partial key is generated for each user digital certificate and stored in the server database; the corresponding partial key is then found in the server database using the user digital certificate as the identifier;
(3.2) after the application of the user digital certificate and the generation of the partial key are complete, the user digital certificate, which includes the encryption certificate and the encryption certificate key, is returned to the intelligent terminal device; if this succeeds the flow proceeds to the next step, otherwise it ends abnormally;
(3.3) the intelligent terminal device generates the encryption random number η using an SM2 key random number generation algorithm that meets the national cryptographic requirements; η must satisfy η ∈ [1, n'−1], where n' is the order of the elliptic curve of the encryption certificate key factor; if η does not satisfy η ∈ [1, n'−1], η is regenerated;
(3.4) the intelligent terminal device encrypts and stores the encryption certificate key: with the original key K and the encrypted key K', K' is determined from the encryption random number η as K' = K·η⁻¹; the encryption random number η is then encrypted by the certificate server with the partial key held in the external cryptographic hardware, yielding the encrypted data P;
(3.5) the intelligent terminal device stores the encrypted data P and performs decryption on the basis of it;
(3.6) the intelligent device terminal first sends the encrypted data P to the certificate server, which resolves the encryption random number η with the partial key held in the external cryptographic hardware and returns η to the intelligent device terminal;
(3.7) the intelligent device terminal recovers the original key K from the stored K' using the relation K' = K·η⁻¹;
(3.8) decryption is completed with the original key K.
2. The digital certificate management method for an intelligent device according to claim 1, wherein the communication flow among the intelligent device terminal, the certificate server and the external cryptographic hardware is specifically as follows:
(1.1) when communication is established for the first time, the intelligent device terminal initiates an access request to the certificate server;
(1.2) the certificate server labels the intelligent device terminal by its unique identifier and, based on that unique identifier, issues a device digital certificate for communication to the intelligent device terminal, the device digital certificate for communication being used for encryption and authentication of the communication between the intelligent device terminal and the certificate server;
(1.3) the intelligent device terminal stores the device digital certificate for communication locally;
(1.4) when the intelligent device terminal communicates with the certificate server, it first generates a random symmetric encryption key and encrypts the communication data with it; it encrypts the symmetric encryption key with the device digital certificate for communication, packs the encrypted communication data and the encrypted symmetric key into a digital envelope, attaches a signature, and sends the digital envelope to the certificate server;
(1.5) after receiving the request from the intelligent device terminal, the certificate server decrypts the digital envelope with the device digital certificate for communication to obtain the random symmetric encryption key, and decrypts the encrypted communication data with that key to obtain the original service data;
(1.6) the certificate server performs the service processing, including the signature application and the decryption application of the user digital certificate;
(1.7) after the service processing is complete, the return value is encrypted with the symmetric encryption key, the encrypted content is digitally signed, and the data is returned to the intelligent device terminal;
(1.8) the intelligent device terminal first verifies the digital signature and, once the signature is correct, decrypts the data with the symmetric encryption key to obtain the service processing result, which completes the whole communication interaction flow.
3. The digital certificate management method for an intelligent device according to claim 2, wherein the intelligent device terminal is an intelligent device with a mobile OS and comprises a smartphone and a vehicle-mounted intelligent central control terminal.
4. The digital certificate management method for an intelligent device according to claim 2, wherein the user digital certificate is divided into a signature certificate and an encryption certificate according to GM/T 0034, the cryptographic and related security technical specification for certificate authentication systems based on the SM2 cryptographic algorithm; the signature certificate is used for digitally signing data and verifying signatures, and the encryption certificate is used for encrypting and decrypting data.
5. The digital certificate management method for an intelligent device according to claim 4, wherein the signature application flow of the user digital certificate is implemented with the signature certificate; the signature application of the user digital certificate is based on an SM2 multi-party collaborative signature method, a partial key is kept in the external cryptographic hardware, and the signature of the intelligent terminal device and the signature of the certificate server are combined using the signature certificate key held in the intelligent device terminal together with the partial key kept in the external cryptographic hardware.
6. The digital certificate management method for an intelligent device according to claim 4, wherein the encryption certificate in the user digital certificate is based on the public key cryptographic algorithm standard GM/T 0003-2012, and data is encrypted with that standard public key cryptographic algorithm.
7. A digital certificate management system for an intelligent device, characterized in that the system implements the digital certificate management method for an intelligent device according to any one of claims 1 to 6, and comprises an intelligent device terminal, a certificate server and external cryptographic hardware, wherein:
the intelligent device terminal is an intelligent device running a mobile OS;
the certificate server is an application server connected to the external cryptographic hardware; the certificate server performs the collaborative signature and the encryption and decryption of the device digital certificate for communication by means of the external cryptographic hardware and a key separation algorithm;
the external cryptographic hardware is a cipher machine conforming to the national commercial cryptography standards.
8. The digital certificate management system for an intelligent device according to claim 7, wherein the intelligent device terminal comprises a smartphone and a vehicle-mounted intelligent central control terminal.
Application CN202311092185.9A, priority date 2023-08-29, filing date 2023-08-29: Digital certificate management method and system of intelligent device. Status: Active. Publication CN116827542B (en).

Publications (2)

Publication Number Publication Date
CN116827542A CN116827542A (en) 2023-09-29
CN116827542B true CN116827542B (en) 2023-11-07

Family

ID=88122468

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102299793A (en) * 2010-06-22 2011-12-28 清大安科(北京)科技有限公司 Certificate authentication system based on trusted computing password support platform
CN102932136A (en) * 2007-09-14 2013-02-13 安全第一公司 Systems and methods for managing cryptographic keys
CN105323062A (en) * 2014-06-03 2016-02-10 北京收付宝科技有限公司 Mobile terminal digital certificate electronic signature method
CN106961336A (en) * 2017-04-18 2017-07-18 北京百旺信安科技有限公司 A kind of key components trustship method and system based on SM2 algorithms
CN110932851A (en) * 2019-11-29 2020-03-27 四川省数字证书认证管理中心有限公司 PKI-based multi-party cooperative operation key protection method
CN111431719A (en) * 2020-04-20 2020-07-17 山东确信信息产业股份有限公司 Mobile terminal password protection module, mobile terminal and password protection method
CN112469003A (en) * 2021-02-04 2021-03-09 南京理工大学 Traffic sensor network data transmission method, system and medium based on hybrid encryption
WO2021127577A1 (en) * 2019-12-20 2021-06-24 HYPR Corp. Secure mobile initiated authentications to web-services
CN113242134A (en) * 2021-05-08 2021-08-10 国泰新点软件股份有限公司 Digital certificate signature method, device, system and storage medium
CN114036544A (en) * 2021-11-16 2022-02-11 中易通科技股份有限公司 System and method for improving encryption performance of hardware password equipment
CN114567470A (en) * 2022-02-21 2022-05-31 北京创原天地科技有限公司 SDK-based key splitting verification system and method under multiple systems
CN115002759A (en) * 2022-06-14 2022-09-02 北京电子科技学院 Cloud collaborative signature system and method based on cryptographic algorithm
CN115314205A (en) * 2022-10-11 2022-11-08 中安网脉(北京)技术股份有限公司 Collaborative signature system and method based on key segmentation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137480B2 (en) * 2006-06-30 2015-09-15 Cisco Technology, Inc. Secure escrow and recovery of media device content keys

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A Secure And High Concurrency SM2 Cooperative Signature Algorithm For Mobile Network; Wenfei Qian; 2021 17th International Conference on Mobility, Sensing and Networking (MSN); full text *
卿林; 詹永照; 祖宝明; 周元. An effective (t,n) threshold key management scheme for Ad Hoc networks. Computer Engineering. 2007, (21), full text. *
Research on key management technology in the trusted computing cryptographic support platform; 艾俊; 吴秋新; Journal of Beijing Information Science and Technology University (Natural Science Edition) (04); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant