CN117749360A - Collaborative key management method, collaborative key management system, storage medium and electronic equipment - Google Patents

Info

Publication number
CN117749360A
Authority
CN
China
Prior art keywords
key
component
certificate
collaborative
encrypted
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311659414.0A
Other languages
Chinese (zh)
Inventor
马超
杨晓宇
任新海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Financial Certification Authority Co ltd
Original Assignee
China Financial Certification Authority Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Financial Certification Authority Co ltd filed Critical China Financial Certification Authority Co ltd
Priority to CN202311659414.0A priority Critical patent/CN117749360A/en
Publication of CN117749360A publication Critical patent/CN117749360A/en
Pending legal-status Critical Current

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides a collaborative key management method, a collaborative key management system, a storage medium and electronic equipment, and relates to the technical field of information security. The collaborative key management method comprises the following steps: based on an SM2 key pair whose private key part is encrypted, generated by the first functional interface of the security device, the first device and the second device cooperatively complete the certificate application and generate a signed SM2 certificate application; and key splitting is performed on the encryption certificate private key based on the second functional interface of the security device to obtain an encryption certificate first-device collaborative decryption key component, an encryption certificate second-device collaborative decryption key component and an encryption certificate public key. The collaborative key management method, the collaborative key management system, the storage medium and the electronic equipment keep the private key plaintext encrypted during collaborative key component generation, key splitting and use, preventing the private key plaintext from being revealed.

Description

Collaborative key management method, collaborative key management system, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a collaborative key management method, a collaborative key management system, a storage medium, and an electronic device.
Background
National cryptographic (Guomi) collaborative key signing and collaborative key decryption are implemented on the basis of the national cryptographic SM2 algorithm. This key operation method was introduced to address the problem that soft-certificate keys are easy to copy, and for scenarios in which two parties cooperate or multiple users are required to sign or decrypt. It ensures that the collaborative key is distributed across two or more parties, which further improves the security of collaborative key operations, and it has a wide range of application scenarios.
However, when collaborative key splitting is performed, the complete private key plaintext and the key component private key plaintext are generated in the memory of the collaborative key system, which creates a risk of private key leakage. Once an attacker successfully attacks the system, the attacker can obtain the complete private key plaintext from system memory.
Based on this, there is a need for a collaborative key management scheme to protect collaborative keys in a collaborative key system from being completely present in a system memory in a plaintext form, thereby improving security of collaborative keys.
Disclosure of Invention
The purpose of the application is to provide a collaborative key management method, a collaborative key management system, a storage medium and electronic equipment, which are used for encrypting a private key plaintext in the collaborative key component key generation, key splitting and use processes, so as to prevent the private key plaintext from being revealed.
The application provides a collaborative key management method, which comprises the following steps:
based on an SM2 key pair whose private key part is encrypted, generated by a first functional interface of the security device, the first device and the second device cooperate to complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to apply for and obtain a national cryptographic signature certificate, a national cryptographic encryption certificate and the ciphertext of the encryption certificate private key; the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first-device collaborative decryption key component, an encryption certificate second-device collaborative decryption key component and an encryption certificate public key; the encrypted private key in the SM2 key pair can only be used for key operations through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used for encrypting user data; the encryption certificate first-device collaborative decryption key component and the encryption certificate second-device collaborative decryption key component are used for decrypting user encrypted data.
Optionally, after key splitting is performed on the encryption certificate private key based on the second functional interface of the security device to obtain the encryption certificate first-device collaborative decryption key component and the encryption certificate second-device collaborative decryption key component, the method further includes: decrypting the user encrypted data based on the third functional interface of the security device and the private key ciphertext of the encryption certificate second-device collaborative decryption key component; the user encrypted data is data encrypted with the encryption certificate public key.
Optionally, decrypting the user encrypted data based on the third functional interface of the security device and the private key ciphertext of the encryption certificate second-device collaborative decryption key component includes: the first device parses the user encrypted data to obtain the C1 value of the SM2 asymmetric encryption result, and sends the C1 value to the second device; the second device calls the third functional interface of the security device with the C1 value and the private key ciphertext of the encryption certificate second-device collaborative decryption key component as input parameters to obtain a collaborative decryption component, and sends the collaborative decryption component to the first device; and the first device decrypts the user encrypted data based on the encryption certificate first-device collaborative decryption key component and the collaborative decryption component to obtain the original user data.
Optionally, the step in which the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application, based on the SM2 key pair whose private key part is encrypted and which is generated by the first functional interface of the security device, includes: the first device takes the generated SM2 key component as a collaborative signature first key component; the second device calls the first functional interface of the security device to obtain a first SM2 key pair as a collaborative signature second key component; the first device sends the public key of the collaborative signature first key component to the second device, and the second device sends the public key of the collaborative signature second key component to the first device; the first device synthesizes a collaborative signature certificate complete public key based on the private key of the collaborative signature first key component and the public key of the collaborative signature second key component; and the second device calls a fourth functional interface of the security device with the public key of the collaborative signature first key component and the private key ciphertext of the collaborative signature second key component as input parameters to synthesize the collaborative signature certificate complete public key.
Optionally, the step in which the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application, based on the SM2 key pair whose private key part is encrypted and which is generated by the first functional interface of the security device, includes: the first device generates a certificate application without a signature based on the collaborative signature certificate complete public key; the second device calls the first functional interface of the security device to obtain a collaborative signature SM2 random key pair, and sends the public key of the collaborative signature SM2 random key pair to the first device; the first device calculates a first device collaborative signature component based on the key component private key of the SM2 key component and the public key of the collaborative signature SM2 random key pair, and sends the first device collaborative signature component to the second device; the second device calls a fifth functional interface of the security device with the first device collaborative signature component, the private key ciphertext of the second device collaborative signature key component and the private key ciphertext of the collaborative signature SM2 random key pair as input parameters to obtain a second device collaborative signature component, and sends the second device collaborative signature component to the first device; the first device generates the signed SM2 certificate application based on the first device collaborative signature component, the second device collaborative signature component, and the unsigned certificate application.
Optionally, performing key splitting on the encryption certificate private key based on the second functional interface of the security device to obtain an encryption certificate first-device collaborative decryption key component, an encryption certificate second-device collaborative decryption key component and an encryption certificate public key includes: the first device uses the signed SM2 certificate application to apply for and obtain the encryption certificate private key ciphertext from a certificate issuing authority; the first device uses the collaborative signature first key component to perform the first-device part of collaborative decryption on the encryption certificate private key ciphertext, generating a first device decryption component; the first device generates an SM2 temporary key and sends the first device decryption component, the encryption certificate private key ciphertext and the SM2 temporary key public key to the second device; and the second device calls the second functional interface of the security device with the first device decryption component, the encryption certificate private key ciphertext, the SM2 temporary key public key and the collaborative signature second key component as input parameters to obtain an encryption certificate first-device collaborative decryption key component whose private key is encrypted, an encryption certificate second-device collaborative decryption key component whose private key is encrypted, and an encryption certificate public key, and sends the encryption certificate first-device collaborative decryption key component to the first device.
Optionally, after key splitting is performed on the encryption certificate private key based on the second functional interface of the security device to obtain the encryption certificate first-device collaborative decryption key component and the encryption certificate second-device collaborative decryption key component, the method further includes: the second device calls the first functional interface of the security device to obtain a third SM2 key pair, and sends the public key of the third SM2 key pair to the first device; the first device calculates a collaborative signature first device component based on the key component private key of the collaborative signature first key component and the public key of the third SM2 key pair, and sends the collaborative signature first device component to the second device; the second device calls a fifth functional interface of the security device with the collaborative signature first device component, the private key ciphertext of the collaborative signature second key component and the private key ciphertext of the third SM2 key pair as input parameters to obtain a collaborative signature second device component, and sends the collaborative signature second device component to the first device; the first device generates a signature result for the user data based on the collaborative signature first device component and the collaborative signature second device component.
The application also provides a collaborative key management system, comprising: a first device, a second device, and a security device communicatively coupled to the second device; the collaborative key management system is configured to implement the steps of the collaborative key management method as described in any of the preceding claims.
The present application also provides a computer program product comprising computer programs/instructions which when executed by a processor implement the steps of a collaborative key management method as described in any of the above.
The present application also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the collaborative key management method as described in any one of the above when executing the program.
The present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of a collaborative key management method as described in any of the above.
According to the collaborative key management method, the collaborative key management system, the storage medium and the electronic equipment, first, based on an SM2 key pair whose private key part is encrypted and which is generated by a first functional interface of the security device, the first device and the second device cooperate to complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to apply for and obtain a national cryptographic signature certificate, a national cryptographic encryption certificate and the ciphertext of the encryption certificate private key; then, the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first-device collaborative decryption key component, an encryption certificate second-device collaborative decryption key component and an encryption certificate public key; the encrypted private key in the SM2 key pair can only be used for key operations through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used for encrypting user data; the encryption certificate first-device collaborative decryption key component and the encryption certificate second-device collaborative decryption key component are used for decrypting user encrypted data. Therefore, the private key plaintext can be encrypted by the security device during key component generation, key splitting and use, and can only be decrypted by the security device, which prevents the private key plaintext from being disclosed.
Drawings
In order to more clearly illustrate the technical solutions of the present application or the prior art, the following description will briefly introduce the drawings used in the embodiments or the description of the prior art, and it is obvious that, in the following description, the drawings are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic structural diagram of a collaborative key management system provided in the present application;
FIG. 2 is a flow chart of a collaborative key management method provided herein;
FIG. 3 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type and not limited to the number of objects, e.g., the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
The following description is made with respect to terms related to embodiments of the present application:
The collaborative key management system (CKMS, Collaborative Key Management System) is a system for centralized management and distribution of encryption keys, and can realize safe, efficient and controllable management of keys in an encryption scenario where multiple parties participate together. CKMS can handle multiple key types such as symmetric keys, asymmetric keys, certificates, proxy re-encryption, etc.
In the related art, the private key is held in memory in plaintext form, so the private key plaintext may be leaked. To solve this technical problem, the embodiment of the application provides a collaborative key management system. As shown in FIG. 1, the system includes a first device, a second device and a security device communicatively connected with the second device. In the system, all computations involving the private key plaintext are performed inside the closed security device, and the encrypted private key can only be decrypted by the security device, so that the possibility of private key plaintext leakage is avoided.
The cooperative key management method provided by the embodiment of the application is described in detail below through specific embodiments and application scenarios thereof with reference to the accompanying drawings.
As shown in fig. 2, a collaborative key management method provided in an embodiment of the present application may include the following steps 201 and 202:
Step 201, based on the SM2 key pair whose private key part is encrypted, generated by the first functional interface of the security device, the first device and the second device cooperate to complete the certificate application and generate the signed SM2 certificate application.
The signed SM2 certificate application is used to apply for and obtain a national cryptographic signature certificate, a national cryptographic encryption certificate and the ciphertext of the encryption certificate private key. The encrypted private key in the SM2 key pair can only be used for key operations through the security device.
Illustratively, the above-described certificate application is a certificate application generated based on the PKCS#10 standard. In an embodiment of the present application, the signed SM2 certificate application may be cooperatively generated by the first device and the second device based on an SM2 key pair whose private key part is encrypted and which is generated by the first functional interface of the security device.
The first functional interface is one of a plurality of functional interfaces provided by the security device and is used for generating an encrypted SM2 key pair. Through this interface the collaborative key management system obtains a key pair whose private key is encrypted; when a collaborative key operation is performed, the encrypted private key can only be decrypted inside the security device, using a related key held in the security device. In this way, it is ensured that if the system is attacked, the user key cannot be used even if it is copied.
Specifically, the step 201 may include the following steps 201a1 to 201a5:
Step 201a1, the first device uses the generated SM2 key component as a co-signed first key component.
Step 201a2, the second device invokes the first functional interface of the secure device to obtain a first SM2 key pair as a co-signed second key component.
Step 201a3, the first device transmitting the co-signed first key component public key to the second device, and the second device transmitting the co-signed second key component public key to the first device.
Step 201a4, the first device synthesizes a public key of the collaborative signature certificate based on the private key of the collaborative signature first key component and the public key of the collaborative signature second key component.
Step 201a5, the second device invokes a fourth functional interface of the security device with the public key of the collaborative signature first key component and the private key ciphertext of the collaborative signature second key component as input parameters, and synthesizes the collaborative signature certificate complete public key.
Illustratively, to be able to generate a signed SM2 certificate application, first a co-signed certificate full public key of the first device and the second device needs to be generated.
The specific steps are as follows:
S1.1.1 the first device generates an SM2 key component.
S1.1.2 the second device invokes the first functional interface of the security device to generate a first SM2 key pair whose private key is encrypted, and uses the first SM2 key pair as the second device key component. The key component private key ciphertext in this key component can only be used for key operations by the security device.
S1.1.3 the first device transmits the key component public key in the SM2 key component to the second device.
S1.1.4 the second device transmits the key component public key in the second device key component to the first device.
S1.1.5 the first device synthesizes the collaborative signature certificate complete public key using the key component private key in the SM2 key component and the key component public key in the second device key component.
S1.1.6 the second device calls the fourth functional interface of the security device with the key component public key of the SM2 key component and the key component private key ciphertext of the second device key component as input parameters, and synthesizes the collaborative signature certificate complete public key.
The fourth functional interface is an interface of the secure device for synthesizing the public key of the cooperative key, and the interface synthesizes and outputs the public key of the complete cooperative key certificate by taking the public key of the cooperative signed first key component and the private key ciphertext of the key component of the cooperative signed second key component as inputs.
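The public key synthesis of S1.1.1 to S1.1.6 and the C1-based collaborative decryption exchange described in the disclosure, as an added Python sketch that is not part of the patent. It assumes a commonly published two-party SM2 share arithmetic, d = (d1*d2)^-1 - 1, reuses the signing shares for the decryption flow, and models the security device as a hypothetical SecurityDevice class whose HMAC-based key wrapping is a stand-in for the device's internal protection.

```python
# Added illustration, not the patent's code. Assumed share arithmetic:
# full key d = (d1*d2)^-1 - 1 mod N, which is never computed anywhere.
import hashlib, hmac, secrets

# SM2 recommended curve (GM/T 0003): y^2 = x^3 + A*x + B over GF(P), order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def inv(k):
    return pow(k, -1, N)

class SecurityDevice:
    """Mock device: the second device's share d2 leaves it only as ciphertext."""
    def __init__(self):
        kek = secrets.token_bytes(32)            # wrapping key stays inside
        self._enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(kek, b"mac", hashlib.sha256).digest()

    def _pad(self, nonce):
        return hmac.new(self._enc, nonce, hashlib.sha256).digest()

    def _wrap(self, d):
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), self._pad(nonce)))
        return nonce + ct + hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()

    def _unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        want = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("wrapped key was not produced by this device")
        return int.from_bytes(bytes(a ^ b for a, b in zip(ct, self._pad(nonce))), "big")

    def gen_keypair(self):                        # "first functional interface"
        d2 = secrets.randbelow(N - 1) + 1
        return self._wrap(d2), mul(inv(d2), G)    # (ciphertext of d2, P2)

    def synth_public(self, p1_pub, wrapped_d2):   # "fourth functional interface"
        return add(mul(inv(self._unwrap(wrapped_d2)), p1_pub), neg(G))

    def decrypt_component(self, c1, wrapped_d2):  # "third functional interface"
        if not on_curve(c1):                      # reject invalid-curve points
            raise ValueError("C1 is not a point on the SM2 curve")
        return mul(inv(self._unwrap(wrapped_d2)), c1)

def first_device_keygen():
    d1 = secrets.randbelow(N - 1) + 1
    return d1, mul(inv(d1), G)                    # (d1, P1 = d1^-1 * G)

def first_device_synth(d1, p2_pub):
    return add(mul(inv(d1), p2_pub), neg(G))      # d1^-1 * P2 - G

def first_device_finish(d1, t2, c1):
    return add(mul(inv(d1), t2), neg(c1))         # d1^-1 * T2 - C1 = d * C1

def run_demo():
    dev = SecurityDevice()
    d1, p1_pub = first_device_keygen()            # S1.1.1
    wrapped_d2, p2_pub = dev.gen_keypair()        # S1.1.2
    pub_a = first_device_synth(d1, p2_pub)        # S1.1.5
    pub_b = dev.synth_public(p1_pub, wrapped_d2)  # S1.1.6
    k = secrets.randbelow(N - 1) + 1              # sender's ephemeral scalar
    c1 = mul(k, G)                                # C1 of an SM2 ciphertext
    t2 = dev.decrypt_component(c1, wrapped_d2)    # second device calls device
    shared = first_device_finish(d1, t2, c1)      # point fed to the SM2 KDF
    return pub_a, pub_b, shared, mul(k, pub_a), wrapped_d2, dev
```

Both sides derive the same complete public key, and the first device recovers the point d*C1 that SM2 decryption needs while the second share exists outside the mock device only as an authenticated ciphertext.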
Illustratively, after the collaborative signature certificate complete public key is obtained, the PKCS#10 certificate application may be generated through interaction between the first device and the second device.
Specifically, after the step 201a5, the step 201 may further include the following steps 201b1 to 201b5:
Step 201b1, the first device generates a certificate application without signature based on the cooperative signature certificate complete public key.
Step 201b2, the second device invokes the first functional interface of the secure device to obtain a co-signed SM2 random key pair, and sends a key public key of the co-signed SM2 random key pair to the first device.
Step 201b3, the first device calculates a first device collaborative signature component based on a key component private key of the SM2 key component and a key public key of the collaborative signature SM2 random key pair, and sends the first device collaborative signature component to the second device.
Illustratively, in the calculation of the actual collaborative-signature component, the signed data digest value needs to be used in addition to the private key of the key component of SM2 and the public key of the collaborative-signature SM2 random key pair, that is, in step 201b3, the first device may calculate the first device collaborative-signature component based on the private key of the key component of SM2, the public key of the collaborative-signature SM2 random key pair, and the signed data digest value.
Step 201b4, the second device calls a fifth functional interface of the secure device with the first device collaborative signature component, the private key ciphertext of the second device collaborative signature key component, and the private key ciphertext of the collaborative signature SM2 random key pair as input parameters, obtains a second device collaborative signature component, and sends the second device collaborative signature component to the first device.
The fifth functional interface is an interface of the security device for calculating the collaborative signature, and takes parameters such as a private key ciphertext of the collaborative key component of the second device, a private key ciphertext of the random key, a signature component of the first device and the like as input to complete calculation and output of the collaborative signature component of the second device.
Step 201b5, the first device generates the signed SM2 certificate application based on the first device collaborative signature component, the second device collaborative signature component, and the unsigned certificate application.
The specific steps are as follows:
S1.2.1 the first device takes the collaborative signature certificate complete public key obtained in S1.5 as one of the parameters of the PKCS#10 certificate application, and encapsulates the certificate application without a signature.
S1.2.2 the second device invokes the first functional interface of the secure device to obtain a second SM2 key pair, and sends the key public key of the second SM2 key pair to the first device. The key private key ciphertext in the key pair can only be key operated by the security device.
S1.2.3 the first device calculates the collaborative signature component of the first device, that is, the collaborative signature first device component, using the key component private key of the SM2 key component generated in S1.1.1 and the public key of the second SM2 key pair sent by the second device, and sends the collaborative signature first device component to the second device.
S1.2.4 the second device calls the fifth functional interface of the security device with the received collaborative signature first device component, the private key ciphertext of the second device key component from S1.1.2, and the private key ciphertext of the second SM2 key pair from S1.2.2 as input parameters. The security device completes the calculation of the second device collaborative signature component and returns the resulting collaborative signature second device component to the second device, which sends it to the first device.
S1.2.5 the first device encapsulates the signed certificate application, i.e. the signed SM2 certificate application described above, based on the collaborative signature first device component, the collaborative signature second device component, and the unsigned certificate application.
Illustratively, after the signed SM2 certificate application described above is obtained, a national cryptographic signature certificate, a national cryptographic encryption certificate, and the encryption certificate private key ciphertext may be applied for and obtained from the certificate authority.
Step 202, performing key splitting on the encryption certificate private key based on the second functional interface of the security device, so as to obtain an encryption certificate first-device collaborative decryption key component, an encryption certificate second-device collaborative decryption key component and an encryption certificate public key.
The encryption certificate first-device collaborative decryption key component and the encryption certificate second-device collaborative decryption key component are used to decrypt user encrypted data; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used for encrypting user data.
Illustratively, in step 202, what is split based on the second functional interface of the security device is specifically the ciphertext of the encryption certificate private key.
Specifically, the step 202 may include the following steps 202a1 to 202a4:
Step 202a1, the first device applies for and obtains the encrypted certificate private key ciphertext from a certificate authority using the signed SM2 certificate application.
Step 202a2, the first device uses the co-signed first key component to perform co-decryption on the first device portion on the encrypted certificate private key ciphertext, and generates a first device decryption component.
Step 202a3, the first device generates an SM2 temporary key, and sends the first device decryption component, the encrypted certificate private key ciphertext, and the SM2 temporary key public key to the second device.
Step 202a4, the second device calls the second functional interface of the secure device with the first device decryption component, the encrypted certificate private key ciphertext, the SM2 temporary key public key and the collaborative signature second key component as input parameters, obtains an encrypted certificate first device collaborative decryption key component with an encrypted private key, an encrypted certificate second device collaborative decryption key component with an encrypted private key and an encrypted certificate public key, and sends the encrypted certificate first device collaborative decryption key component to the first device.
Illustratively, the private key of the first device's collaborative decryption key component referred to in step 202a4 above is a temporary key public encryption generated by the first device.
Illustratively, after applying for and acquiring the national cryptographic signature certificate, the national cryptographic certificate and the cryptographic certificate private key ciphertext from the certificate authority using the signed SM2 certificate application, the cryptographic certificate may be split.
The second functional interface is an collaborative key splitting interface provided by the security device, and takes the encrypted certificate private key ciphertext returned by the CA mechanism, the temporary public key of the first device, the second device collaborative signature key component private key ciphertext and the first device collaborative decryption component as inputs to complete the splitting and outputting of the encrypted certificate private key. The output parameters comprise a private key encrypted encryption certificate second device cooperative decryption key component, an encryption certificate first device cooperative decryption key component and an encryption certificate public key. Wherein the second device of the encryption certificate cooperates with the private key ciphertext of the decryption key component only the cryptographic device can decrypt; encryption certificate the first device in conjunction with the decryption key component private key is encrypted by the present security device using the first device temporary public key of S1.3.1 described above, only the first device may be decrypted by the first device temporary key private key.
The specific steps are as follows:
S1.3.1 The first device obtains the national encryption signature certificate, the national encryption certificate and the encryption certificate private key ciphertext from a certificate authority (Certificate Authority, CA) using the signed SM2 certificate application generated in S1.2.5.
S1.3.2 The first device uses the collaborative signature first device component to perform the first device's part of the collaborative decryption on the encryption certificate private key ciphertext, generating a first device decryption component.
S1.3.3 The first device generates an SM2 temporary key.
S1.3.4 The first device sends the national encryption certificate and the encryption certificate private key ciphertext obtained in S1.3.1, the first device decryption component from S1.3.2, and the SM2 temporary key public key from S1.3.3 to the second device.
S1.3.5 The second device calls the second functional interface of the security device with the encryption certificate private key ciphertext from S1.3.1, the first device decryption component from S1.3.2, the SM2 temporary key public key from S1.3.3 and the private key ciphertext of the collaborative signature second device component as input parameters. The security device completes the final decryption and key splitting of the encryption certificate private key ciphertext, obtains the encryption certificate first device cooperative decryption key component with its private key encrypted, the encryption certificate second device cooperative decryption key component with its private key encrypted, and the encryption certificate public key, and sends the first device cooperative decryption key component and the encryption certificate public key to the second device.
S1.3.6 The second device sends the encryption certificate first device cooperative decryption key component to the first device.
Illustratively, after the encryption certificate first device cooperative decryption key component, the encryption certificate second device cooperative decryption key component and the encryption certificate public key have been obtained, the signing of user data and the decryption of user encrypted data may be performed by the first device and the second device in cooperation.
Optionally, in the embodiment of the present application, the first device and the second device may cooperatively complete decryption of the user data, and in the decryption process, the operation of the private key of the second device is performed in the security device.
Illustratively, after the step 202, the collaborative key management method provided in the embodiments of the present application may further include the following step 203:
Step 203, decrypting the user encrypted data based on the third functional interface of the security device and the private key ciphertext of the encryption certificate second device cooperative decryption key component.
The user encrypted data is data obtained by encryption with the public key of the encryption certificate.
Illustratively, since the private key operations of the second device are performed in the security device, the user data decryption process relies on the third functional interface of the security device. The third functional interface is a cooperative decryption interface provided by the security device; it takes the private key ciphertext of the encryption certificate second device cooperative decryption key component and the SM2 ciphertext data as input, completes the computation of the second device cooperative decryption component, and outputs the second device cooperative decryption component.
Specifically, the step 203 may further include the following steps 203a1 to 203a3:
Step 203a1, the first device parses the user encrypted data to obtain the C1 value of the SM2 asymmetric encryption result, and sends the C1 value to the second device.
Step 203a2, the second device calls the third functional interface of the security device with the C1 value and the private key ciphertext of the encryption certificate second device cooperative decryption key component as input parameters to obtain a cooperative decryption component, and sends the cooperative decryption component to the first device.
Step 203a3, the first device decrypts the user encrypted data based on the encryption certificate first device cooperative decryption key component and the cooperative decryption component, and obtains the user data original text.
Illustratively, after encrypting the user data with the public key of the encryption certificate, the user device sends the encrypted data to the first device, which may decrypt the user encrypted data after receiving it.
The specific steps are as follows:
S2.1.1 The first device receives the SM2 ciphertext of the user data encrypted by the user device with the public key of the encryption certificate, that is, the user encrypted data, then parses the SM2 ciphertext to obtain the C1 value, and sends the C1 value to the second device.
S2.1.2 The second device calls the third functional interface of the security device with the received C1 value and the private key ciphertext of the encryption certificate second device cooperative decryption key component split in S1.3.4 as input parameters; the security device decrypts the user encrypted data to obtain a cooperative decryption component, and the second device sends the cooperative decryption component to the first device.
S2.1.3 The first device decrypts the user encrypted data based on the encryption certificate first device cooperative decryption key component and the cooperative decryption component to obtain the user data original text.
Therefore, in the cooperative decryption process of the first device and the second device, the private key operations are performed by the security device, which avoids leakage of the private key plaintext during decryption.
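The decryption flow of steps 203a1 to 203a3, as an added Python sketch that is not part of the patent text. The patent does not give the underlying arithmetic, so the additive split d = d1 + d2 mod n, the `SecurityDevice` class and its method names, the SHA-256 stand-in for SM3 and the XOR-pad wrapping of the second share are all assumptions made for illustration.

```python
# Toy model of steps 203a1-203a3. Assumptions (not from the patent): additive split
# d = d1 + d2 mod n, SHA-256 in place of SM3, a stand-in wrap. Not constant-time.
import hashlib, hmac, secrets

# SM2 recommended curve: y^2 = x^3 + Ax + B over F_P, base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt):
    # Rejects infinity (None), out-of-range coordinates and off-curve points.
    return (pt is not None and 0 <= pt[0] < P and 0 <= pt[1] < P
            and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0)

def add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def _b(v): return v.to_bytes(32, "big")

def kdf(x2, y2, length):
    """SM2-style counter KDF over x2 || y2 (SHA-256 here instead of SM3)."""
    out, ct = b"", 1
    while len(out) < length:
        out += hashlib.sha256(_b(x2) + _b(y2) + ct.to_bytes(4, "big")).digest()
        ct += 1
    return out[:length]

def xor_kdf(data, x2, y2):
    return bytes(a ^ b for a, b in zip(data, kdf(x2, y2, len(data))))
def c3_tag(x2, msg, y2):
    return hashlib.sha256(_b(x2) + msg + _b(y2)).digest()

def encrypt(pub, msg):
    """User device: encrypt under the encryption certificate public key -> (C1, C3, C2)."""
    k = secrets.randbelow(N - 1) + 1
    x2, y2 = mul(k, pub)
    return mul(k, G), c3_tag(x2, msg, y2), xor_kdf(msg, x2, y2)

class SecurityDevice:
    """Stand-in for the security device: the second device only holds wrapped shares."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def _pad(self, nonce):
        return int.from_bytes(hmac.new(self._kek, nonce, hashlib.sha256).digest(), "big")

    def split_key(self, d):
        """Key-splitting interface, simplified: d is passed in directly and share 1 is
        returned unencrypted. Returns (d1, wrapped d2, public key)."""
        d1 = secrets.randbelow(N - 1) + 1
        nonce = secrets.token_bytes(16)
        return d1, (nonce, ((d - d1) % N) ^ self._pad(nonce)), mul(d, G)

    def coop_decrypt(self, wrapped_d2, c1):
        """Cooperative decryption interface: validate C1, return component [d2]C1."""
        if not on_curve(c1):
            raise ValueError("C1 is not a valid SM2 curve point")
        nonce, ct = wrapped_d2
        return mul(ct ^ self._pad(nonce), c1)

def first_device_decrypt(d1, ciphertext, component):
    """First device: combine its own share with the component from the second device."""
    c1, c3, c2 = ciphertext
    if not on_curve(c1) or not on_curve(component):
        raise ValueError("invalid curve point")
    shared = add(mul(d1, c1), component)              # [d1]C1 + [d2]C1 = [d]C1
    if shared is None:
        raise ValueError("degenerate shared point")
    msg = xor_kdf(c2, *shared)
    if not hmac.compare_digest(c3_tag(shared[0], msg, shared[1]), c3):
        raise ValueError("C3 integrity check failed")
    return msg

def demo(msg=b"constructed sample user data"):
    dev = SecurityDevice()
    d1, wrapped_d2, pub = dev.split_key(secrets.randbelow(N - 1) + 1)
    ct = encrypt(pub, msg)
    component = dev.coop_decrypt(wrapped_d2, ct[0])   # second device forwards C1 only
    return first_device_decrypt(d1, ct, component)
```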
Optionally, in the embodiment of the present application, the signing process of the user data may be completed by the first device and the second device in cooperation, and in the signing process, the operation of the private key of the second device is performed in the security device.
Illustratively, after the step 202, the collaborative key management method provided in the embodiments of the present application may further include the following steps 204 to 207:
Step 204, the second device calls the first functional interface of the security device to obtain a third SM2 key pair, and sends the public key of the third SM2 key pair to the first device.
Step 205, the first device calculates a collaborative signature first device component based on the key component private key of the collaborative signature first key component and the public key of the third SM2 key pair, and sends the collaborative signature first device component to the second device.
Step 206, the second device calls a fifth functional interface of the security device with the collaborative signature first device component, the private key ciphertext of the collaborative signature second key component and the private key ciphertext of the third SM2 key pair as input parameters to obtain a collaborative signature second device component, and sends the collaborative signature second device component to the first device.
The third SM2 key pair is the same key as the collaborative signature SM2 random key pair generated in step 201b2.
Step 207, the first device generates a signature result of the user data based on the collaborative signature first device component and the collaborative signature second device component.
Illustratively, each time the second device invokes the first functional interface of the security device, a different SM2 key pair is randomly generated.
The specific steps are as follows:
S3.1.1 The second device calls the first functional interface of the security device to generate a random key pair, with its private key encrypted, for the collaborative signing process, that is, the third SM2 key pair, and sends the public key of the third SM2 key pair to the first device.
S3.1.2 The first device calculates the collaborative signature first device component using the key component private key of the SM2 key component generated in S1.1.1 described above, the public key of the third SM2 key pair in S3.1.1, and the digest value of the signed data. The collaborative signature first device component is then sent to the second device.
S3.1.3 The second device calls the fifth functional interface of the security device with the received collaborative signature first device component, the private key ciphertext of the second device key component in S1.1.2 and the private key ciphertext of the third SM2 key pair in S3.1.1 as input parameters; the security device completes the calculation of the second device collaborative signature component to obtain the collaborative signature second device component, which the second device sends to the first device.
S3.1.4 After the first device receives the collaborative signature second device component, it combines it with the collaborative signature first device component to generate the signature result of the user data.
When the first device sends data containing the key and the cooperative key operation component (such as the cooperative signature component or the cooperative decryption component calculated by the first device) to the second device, the second device may calculate a check code based on the sent data, and the second device may check the received data against the check code to determine whether the received data is complete and whether it has been tampered with.
In the embodiment of the present application, the steps performed by the first device may also be performed by a security device communicatively connected to the first device, and the steps that the security device communicatively connected to the first device can specifically perform may refer to the steps performed by the security device communicatively connected to the second device.
According to the collaborative key management method provided by the embodiments of the present application, first, based on an SM2 key pair, generated by the first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of the encryption certificate private key; then, the encryption certificate private key is split based on the second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key; key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data. Therefore, the private key plaintext in the processes of collaborative key component key generation, key splitting and use can be encrypted by the security device, and the private key plaintext can be decrypted only by the security device, which prevents disclosure of the private key plaintext.
It should be noted that the collaborative key management method provided in the embodiments of the present application may be executed by a collaborative key management system, or by a control module in the collaborative key management system for executing the collaborative key management method. In the embodiments of the present application, the collaborative key management system is described by taking the case where the collaborative key management system executes the collaborative key management method as an example.
In the embodiments of the present application, the methods are illustrated in the drawings. Each collaborative key management method is described by way of example with reference to one of the figures of the embodiments of the present application. In specific implementation, the collaborative key management method shown in the foregoing method drawings may also be implemented in combination with any other combinable drawing illustrated in the foregoing embodiments, which is not repeated here.
In the collaborative key management system provided by the present application, first, based on an SM2 key pair, generated by the first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of the encryption certificate private key; then, the encryption certificate private key is split based on the second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key; key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data. Therefore, the private key plaintext in the processes of collaborative key component key generation, key splitting and use can be encrypted by the security device, and the private key plaintext can be decrypted only by the security device, which prevents disclosure of the private key plaintext.
Fig. 3 illustrates a physical schematic diagram of an electronic device. As shown in fig. 3, the electronic device may include: a processor 310, a communication interface (Communications Interface) 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with each other through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform a collaborative key management method comprising: based on an SM2 key pair, generated by a first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of an encryption certificate private key; the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key; key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and, when sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present application also provides a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the collaborative key management method provided above, the method comprising: based on an SM2 key pair, generated by a first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of an encryption certificate private key; the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key; key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data.
In yet another aspect, the present application further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the collaborative key management method provided above, the method comprising: based on an SM2 key pair, generated by a first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of an encryption certificate private key; the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key; key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A collaborative key management method, applied to a collaborative key management system, the collaborative key management system comprising: a first device, a second device, and a security device communicatively coupled to the second device;
based on an SM2 key pair, generated by a first functional interface of the security device, whose private key part is encrypted, the first device and the second device cooperatively complete a certificate application and generate a signed SM2 certificate application; the signed SM2 certificate application is used to obtain a national encryption signature certificate, a national encryption certificate and the ciphertext of an encryption certificate private key;
the encryption certificate private key is split based on a second functional interface of the security device to obtain an encryption certificate first device cooperative decryption key component, an encryption certificate second device cooperative decryption key component and an encryption certificate public key;
key operations with the encrypted private key in the SM2 key pair can be performed only through the security device; the functional interfaces of the security device are called by the second device; the encryption certificate public key is used to encrypt user data; the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component are used to decrypt user encrypted data.
2. The method of claim 1, wherein after the key splitting of the encryption certificate private key based on the second functional interface of the security device to obtain the encryption certificate first device cooperative decryption key component and the encryption certificate second device cooperative decryption key component, the method further comprises:
decrypting the user encrypted data based on the third functional interface of the security device and the private key ciphertext of the encryption certificate second device cooperative decryption key component;
the user encrypted data is data obtained by encryption with the encryption certificate public key.
3. The method of claim 2, wherein the decrypting the user encrypted data based on the third functional interface of the security device and the private key ciphertext of the encryption certificate second device cooperative decryption key component comprises:
the first device parses the user encrypted data to obtain the C1 value of the SM2 asymmetric encryption result, and sends the C1 value to the second device;
the second device calls the third functional interface of the security device with the C1 value and the private key ciphertext of the encryption certificate second device cooperative decryption key component as input parameters to obtain a cooperative decryption component, and sends the cooperative decryption component to the first device;
the first device decrypts the user encrypted data based on the encryption certificate first device cooperative decryption key component and the cooperative decryption component to obtain the user data original text.
4. The method of claim 1, wherein the first device and the second device cooperatively completing the certificate application, based on the SM2 key pair generated by the first functional interface of the security device whose private key part is encrypted, and generating the signed SM2 certificate application comprises:
the first device takes the generated SM2 key component as a collaborative signature first key component;
the second device calls the first functional interface of the security device to obtain a first SM2 key pair as a collaborative signature second key component;
the first device sends the collaborative signature first key component public key to the second device, and the second device sends the collaborative signature second key component public key to the first device;
the first device synthesizes a collaborative signature certificate complete public key based on the collaborative signature first key component private key and the collaborative signature second key component public key;
the second device calls a fourth functional interface of the security device with the collaborative signature first key component public key and the key component private key ciphertext of the collaborative signature second key component as input parameters to synthesize the collaborative signature certificate complete public key.
5. The method of claim 4, wherein the first device and the second device cooperatively completing the certificate application, based on the SM2 key pair generated by the first functional interface of the security device whose private key part is encrypted, and generating the signed SM2 certificate application comprises:
the first device generates a certificate application without signature based on the cooperative signature certificate complete public key;
the second device calls the first functional interface of the security device to obtain a collaborative signature SM2 random key pair, and sends the public key of the collaborative signature SM2 random key pair to the first device;
the first device calculates a first device collaborative signature component based on the key component private key of the SM2 key component and the public key of the collaborative signature SM2 random key pair, and sends the first device collaborative signature component to the second device;
the second device calls a fifth functional interface of the security device by taking the first device collaborative signature component, the private key ciphertext of the second device collaborative signature key component and the private key ciphertext of the collaborative signature SM2 random key pair as input parameters to obtain a second device collaborative signature component, and sends the second device collaborative signature component to the first device;
the first device generates the signed SM2 certificate application based on the first device collaborative signature component, the second device collaborative signature component, and the unsigned certificate application.
6. The method of claim 5, wherein the performing the key splitting on the encrypted certificate private key based on the second functional interface of the secure device to obtain an encrypted certificate first device cooperative decryption key component, an encrypted certificate second device cooperative decryption key component, and an encrypted certificate public key comprises:
The first device applies for and acquires the encrypted certificate private key ciphertext from a certificate issuing authority by using the signed SM2 certificate application;
the first device uses the collaborative signature first key component to perform collaborative decryption on the first device portion on the encrypted certificate private key ciphertext to generate a first device decryption component;
the first device generates an SM2 temporary key and sends the first device decryption component, the encrypted certificate private key ciphertext and the SM2 temporary key public key to the second device;
and the second device calls the second function interface of the security device by taking the first device decryption component, the encrypted certificate private key ciphertext, the SM2 temporary key public key and the collaborative signature second key component as input parameters to obtain an encrypted certificate first device collaborative decryption key component with an encrypted private key, an encrypted certificate second device collaborative decryption key component with an encrypted private key and an encrypted certificate public key, and sends the encrypted certificate first device collaborative decryption key component to the first device.
7. The method of claim 4, wherein after the key splitting of the encrypted certificate private key based on the second functional interface of the secure device to obtain the encrypted certificate first device cooperative decryption key component and the encrypted certificate second device cooperative decryption key component, the method further comprises:
the second device calls the first functional interface of the security device to obtain a third SM2 key pair, and sends the public key of the third SM2 key pair to the first device;
the first device calculates a collaborative signature first device component based on the key component private key of the collaborative signature first key component and the public key of the third SM2 key pair, and sends the collaborative signature first device component to the second device;
the second device calls a fifth functional interface of the security device by taking the collaborative signature first device component, the private key ciphertext of the collaborative signature second key component and the private key ciphertext of the third SM2 key pair as input parameters to obtain a collaborative signature second device component, and sends the collaborative signature second device component to the first device;
the first device generates a signature result of the user data based on the collaborative signature first device component and the collaborative signature second device component.
8. A collaborative key management system, the system comprising: a first device, a second device, and a security device communicatively coupled to the second device; the collaborative key management system is configured to implement the steps of the collaborative key management method of any of claims 1-7.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the collaborative key management method of any one of claims 1-7 when the program is executed.
10. A computer readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the steps of the collaborative key management method of any of claims 1-7.
CN202311659414.0A 2023-12-05 2023-12-05 Collaborative key management method, collaborative key management system, storage medium and electronic equipment Pending CN117749360A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311659414.0A CN117749360A (en) 2023-12-05 2023-12-05 Collaborative key management method, collaborative key management system, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN117749360A true CN117749360A (en) 2024-03-22

Family

ID=90249984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311659414.0A Pending CN117749360A (en) 2023-12-05 2023-12-05 Collaborative key management method, collaborative key management system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN117749360A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115499126A (en) * 2022-04-27 2022-12-20 河南省核芯微电子科技有限公司 SM2 key distributed storage-based key pair generation method, collaborative signature method, decryption method, device and medium
CN116668011A (en) * 2023-04-28 2023-08-29 中金金融认证中心有限公司 Protection, use and decryption method and system for cooperative key of cooperative key system
CN116800416A (en) * 2023-07-19 2023-09-22 格尔软件股份有限公司 Secure transmission method for cooperative encryption key

Similar Documents

Publication Publication Date Title
CN107196763B (en) SM2 algorithm collaborative signature and decryption method, device and system
CN109309569B (en) SM2 algorithm-based collaborative signature method and device and storage medium
CN108199835B (en) Multi-party combined private key decryption method
CN108471352B (en) Processing method, system, computer equipment and storage medium based on distributed private key
CN113014386A (en) Cipher system based on multi-party cooperative computing
US20230239144A1 (en) Deterministic chaos-based quantum computer resistant data encryption for large scale wide area network solutions
CN108055134B (en) Collaborative computing method and system for elliptic curve point multiplication and pairing operation
US20230041237A1 (en) Key generation and pace with protection against side channel attacks
CN111565108B (en) Signature processing method, device and system
CN113645235A (en) Distributed data encryption and decryption system and encryption and decryption method
CN111245594B (en) Homomorphic operation-based collaborative signature method and system
CN116318696B (en) Proxy re-encryption digital asset authorization method under condition of no initial trust of two parties
US8484471B2 (en) Multi-party distributed multiplication device, multi-party distributed multiplication system and method
CN115834038A (en) Encryption method and device based on national commercial cryptographic algorithm
CN112149166B (en) Unconventional password protection method and intelligent bank machine
CN112769539B (en) Method and system for generating RSA key and cooperating with RSA signature and decryption
US20230188330A1 (en) System and method for identity-based key agreement for secure communication
CN111212068B (en) Method for encrypting and decrypting characters by input method
CN117749360A (en) Collaborative key management method, collaborative key management system, storage medium and electronic equipment
CN117521031B (en) Digital copyright key burning method and device
CN112788046A (en) Method and system for encrypting transmission information
Shi et al. Verification of LINE encryption version 1.0 using ProVerif
CN114760053B (en) Distribution method, device, equipment and medium of symmetric key
JP2002215026A (en) Signed cipher communication method and device
You et al. Research on a hybrid system with perfect forward secrecy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination