
CN110932851B - A key protection method for multi-party cooperative operation based on PKI - Google Patents

Publication number
CN110932851B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911206709.6A
Other languages
Chinese (zh)
Other versions
CN110932851A (en)
Inventor
尹才敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Digital Certificate Certification Management Center Co ltd
Original Assignee
Sichuan Digital Certificate Certification Management Center Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a PKI (public key infrastructure)-based key protection method for multi-party cooperative operation, in the field of integrated innovation in PKI cryptographic technology for electronic authentication. The method combines several cryptographic techniques with combined authentication over multiple factors to secure the generation, invocation and storage of the user's private key. A user identity factor is added to the real key as part of a salt, and the result is obfuscated with other server data and transformed into a pseudo key; the pseudo key is then split into fragments, one part of which is stored locally under the user's control. With this mechanism, the leakage of a single key does not affect the integrity and confidentiality of the user's real key.

Description

A key protection method for multi-party cooperative operation based on PKI

Technical field

The invention relates to the field of integrated innovation in PKI cryptographic technology for electronic authentication, and in particular to a PKI-based key protection method for multi-party cooperative operation.

Background

At present, on personal computers, PKI cryptographic technology for electronic authentication mainly relies on a hardware smart cryptographic token, the USBkey (such as a bank U-shield or an IC card), to generate and store keys and to perform cryptographic operations, with the token's PIN protection controlling authenticated access by the user. This hardware, however, depends mainly on PC application scenarios and is not convenient to use in smart-terminal scenarios such as the mobile Internet and the Internet of Things. The traditional USBkey approach is inconvenient in these scenarios for two reasons: first, a USBkey device is inconvenient to carry and easy to lose; second, it cannot be adapted to some smart terminals, because it places high demands on the terminal's hardware and software environment.

To use PKI digital authentication conveniently in smart-terminal scenarios such as the mobile Internet and the Internet of Things, application integration currently relies mainly on soft keys: the smart terminal generates a file key, which is stored and invoked locally. This approach carries a serious security risk: at every stage of key generation, storage, computation and transmission the key may be intercepted by a malicious program, resulting in key leakage.

Summary of the invention

The purpose of the invention is to provide a PKI-based key protection method for multi-party cooperative operation, aimed at application scenarios where a traditional UKEY is inconvenient to use. The method combines several cryptographic techniques with combined authentication over multiple factors to secure the generation, invocation and storage of the user's private key. A user identity factor is added to the real key as part of a salt, and the result is obfuscated with other server data and transformed into a pseudo key. The pseudo key is then split into fragments, one part of which is stored locally under the user's own control. With this mechanism, the leakage of a single key does not affect the integrity and confidentiality of the user's real key, which solves the problem in the prior art that every stage of key generation, storage, computation and transmission may be intercepted by a malicious program and lead to key leakage.

The technical scheme adopted by the invention is as follows:

A PKI-based key protection method for multi-party cooperative operation, involving a user (User), a client (Client), a server (Server) and an external RA/CA/KMC server:

User: takes part in information entry and operation confirmation;

Client: responsible for the client-side key operations;

Server: responsible for server-side key splitting and related operations. Key operations must be carried out in a high-security hardware cryptographic component. The Server sends the certificate application request to the external RA/CA/KMC server in order to apply for the digital certificate and the encryption key;

External RA/CA/KMC server: an external third-party system service used to apply for digital certificates and encryption keys;

The PKI-based key protection method for multi-party cooperative operation mainly comprises the following steps:

S1 User certificate registration: after the User passes real-name authentication, the server encryption machine randomly generates a signature key and a certificate request P10 for the User, salts and obfuscates the real private key, and splits the resulting pseudo key into three segments A, B and C. The User stores segments A and B encrypted under the protection of the identity ID and PIN code; the server stores segments B and C encrypted under the encryption machine's built-in key. The certificate request P10 is used to apply to the external RA/CA/KMC server for certificates, and the private key of the user's encryption certificate is stored encrypted under pseudo-key segment B. Key generation, splitting, transmission and storage are all protected by PKI technology together with multiple factors of person and device.

S2 Digital signature application: the identity ID and the certificate PIN code serve as the private-key holder's sole credential. The Client decrypts its stored data to obtain the two key fragments d_A and d_B. d_B is used as a symmetric key; d_A is combined with the hash value to be signed, symmetrically encrypted, and sent to the server, which reassembles the pseudo key, removes the salt and signs with the real key. The server symmetrically encrypts the real-key signature value with d_B and returns it to the Client, which decrypts it with the same symmetric key d_B to obtain the server's real-key signature value. Key-fragment decryption, pseudo-key reassembly, real-key recovery, encryption and data transmission are all protected by PKI technology together with multiple factors of person and device.

S3 Data encryption application: the encrypting party encrypts the data to be sent with the public key of the recipient's encryption certificate. The decrypting party uses the identity ID and certificate PIN code as the private-key holder's sole credential, and the Client decrypts its stored data to obtain the two signature-key fragments d_A and d_B. The signature private-key fragment d_B is used as a symmetric key to decrypt the encryption-certificate private key (the encryption private key) that was encrypted and saved during registration, and the decrypted private key is then used to decrypt the received ciphertext. Key-fragment decryption and data decryption are protected by PKI technology together with multiple factors, namely the entity's identity and PIN code information.

With the above PKI-based key protection method for multi-party cooperative operation, a key leak on either the Client or the Server does not affect the integrity and confidentiality of the user's real key, and the generation, invocation, storage and computation of the user's private key are secured. The security level of key protection achieved by the method can reach the high security level of a traditional hardware smart cryptographic token, the USBkey (such as a bank U-shield or an IC card).

Further, step S1 (user certificate registration) mainly comprises the following steps:

S101: The User initiates a certificate registration application. The Client first collects information such as the user's real name, identity document and live biometric features for authentication; once authentication passes, the process continues to the certificate registration steps below;

S102: The Client generates a temporary SM2 asymmetric key pair; the private key is denoted T_Pri and the public key T_Pub;

S103: The Client sends the real-name identity ID and the public key T_Pub to the Server;

S104: The Server allocates a session symmetric key for this client, denoted T_Session;

S105: The Server calls the key generation interface of the hardware cryptographic module to generate the formal SM2 asymmetric key pair for the client; the private key is denoted d and the public key P;

S106: The Server calls the PKCS10 generation interface of the hardware cryptographic module to generate the certificate request P10 for the client;

S107: The Server calls the interface of the external RA/CA/KMC server system and uses the certificate request P10 to apply, on the client's behalf, for the signing certificate SignCert, the encryption certificate EncryptCert and the plaintext encryption key EncryptKey;

S108: The Server salts and obfuscates the client's private key d to obtain the pseudo private key d' = Mix(salt, d);

S109: The Server divides d' in order into three parts A, B and C, denoted d_A, d_B and d_C;

S110: The Server calls the symmetric encryption interface of the hardware cryptographic module and, with T_Session as the symmetric key, encrypts "d_A+d_B, SignCert, EncryptCert, EncryptKey"; the output is denoted client' = SM4_Enc(T_Session, d_A+d_B, SignCert, EncryptCert, EncryptKey);

S111: The Server encrypts T_Session with T_Pub using SM2 asymmetric encryption, denoted T_Session' = SM2_Enc(T_Pub, T_Session);

S112: The Server calls the symmetric encryption interface of the hardware cryptographic module and, with the device's built-in symmetric key, encrypts "d_B+d_C, EncryptKey"; the output is denoted Server' = SM4_Enc(d_B+d_C, EncryptKey);

S113: The Server stores Server' in the database;

S114: The Server returns client' + T_Session' to the Client;

S115: The Client decrypts T_Session' with T_Pri using SM2 asymmetric decryption to obtain the session symmetric key T_Session = SM2_Dec(T_Pri, T_Session');

S116: The Client decrypts client' with T_Session using SM4 symmetric decryption to obtain d_A+d_B, SignCert, EncryptCert, EncryptKey = SM4_Dec(T_Session, client');

S117: The Client encrypts EncryptKey with d_B using SM4 symmetric encryption to obtain EncryptKey' = SM4_Enc(d_B, EncryptKey);

S118: The user enters the certificate PIN code, denoted Cert_PIN;

S119: The Client hashes the real-name identity ID + Cert_PIN to obtain Cert_PIN' = SM3(identity ID + Cert_PIN);

S120: The Client encrypts d_A+d_B with Cert_PIN' using SM4 symmetric encryption to obtain (d_A+d_B)' = SM4_Enc(Cert_PIN', d_A+d_B);

S121: The Client stores (d_A+d_B)', SignCert, EncryptCert and EncryptKey';

S122: User registration is complete.

Further, step S2 (digital signature application) mainly comprises the following steps:

S201: Digital signing begins;

S202: The Client performs identity recognition and obtains the identity ID;

S203: The user enters the certificate PIN code, denoted Cert_PIN;

S204: The Client hashes the real-name identity ID + Cert_PIN to obtain Cert_PIN' = SM3(identity ID + Cert_PIN);

S205: The Client decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B = SM4_Dec(Cert_PIN', (d_A+d_B)');

S206: The Client hashes the information to be signed, P, to obtain the hash value H = SM3(P);

S207: The Client symmetrically encrypts d_A+H with d_B to obtain (d_A+H)' = SM4_Enc(d_B, d_A+H);

S208: The Client sends the identity ID and (d_A+H)' to the Server;

S209: The Server looks up the user certificate by the real-name identity ID and calls the external RA/CA/KMC server interface to confirm the certificate status (if the certificate is invalid, the operation is terminated);

S210: The Server looks up the server' value stored at registration for the real-name identity ID;

S211: The Server calls the symmetric decryption interface of the hardware cryptographic module and, with the device's built-in symmetric key, decrypts server' to obtain d_B+d_C, EncryptKey = SM4_Dec(server');

S212: The Server symmetrically decrypts (d_A+H)' with d_B to obtain d_A+H = SM4_Dec(d_B, (d_A+H)');

S213: The Server reassembles the obfuscated pseudo private key d' = d_A+d_B+d_C;

S214: The Server removes the impurities (the salt) from the pseudo private key d' to obtain the user's real private key d = UnMix(salt, d');

S215: The Server uses the real private key d to encrypt H, generating a P1/P7 digital signature, denoted SignData = P1(d, H) / P7(d, H, certificate);

S216: The Server uses d_B as the symmetric key to encrypt SignData, obtaining SignData' = SM4_Enc(d_B, SignData);

S217: The Server returns SignData' to the Client;

S218: The Client uses d_B as the symmetric key to decrypt SignData', obtaining the digital signature SignData = SM4_Dec(d_B, SignData');

S219: Digital signing ends.
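
The fragment handling of registration (S105 to S121) and signing (S203 to S218), traced as an added Python example that is not code from the patent. SM3, SM4 and the SM2 signature are replaced by labelled standard-library stand-ins; Mix/UnMix, the salt derivation, the 16-byte segment size and the names Server, Client and demo are assumptions, and the T_Pub/T_Session transport wrapping of S110 to S116 is omitted.

```python
import hashlib
import hmac
import secrets

# Stand-ins so the sketch runs on the standard library (assumptions, not the
# SM algorithms): SHA-256 replaces SM3, a SHA-256 keystream plus HMAC tag
# replaces SM4, and HMAC(d, H) replaces the SM2 signature P1(d, H).
def h(data):
    return hashlib.sha256(data).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += h(key + nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def enc(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def dec(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key, nonce, body)

# Hypothetical Mix/UnMix (the page does not define them): 16 salt-derived bytes
# are inserted in the middle of d and the 48-byte result is masked with a
# salt-keyed stream, so d_A and d_C each carry half of d and d_B is 16 bytes.
def mix(salt, d):
    return _xor_stream(salt, b"mix", d[:16] + h(b"pad" + salt)[:16] + d[16:])

def unmix(salt, d_prime):
    body = _xor_stream(salt, b"mix", d_prime)
    if body[16:32] != h(b"pad" + salt)[:16]:
        raise ValueError("segments do not reassemble to a valid pseudo key")
    return body[:16] + body[32:]

class Server:
    def __init__(self):
        self.device_key = secrets.token_bytes(32)  # built-in key of the hardware component
        self.db = {}                                # identity ID -> Server'

    def _salt(self, uid):
        # Assumption: per-user salt derived inside the hardware from the identity ID.
        return hmac.new(self.device_key, b"salt" + uid, hashlib.sha256).digest()

    def register(self, uid):
        d = secrets.token_bytes(32)                 # S105, stand-in for SM2 key d
        d_prime = mix(self._salt(uid), d)           # S108
        d_a, d_b, d_c = d_prime[:16], d_prime[16:32], d_prime[32:]  # S109
        self.db[uid] = enc(self.device_key, d_b + d_c)  # S112-S113
        return d_a + d_b                            # S110-S114, transport omitted

    def sign(self, uid, request):
        b_c = dec(self.device_key, self.db[uid])    # S210-S211
        d_b, d_c = b_c[:16], b_c[16:]
        a_h = dec(d_b, request)                     # S212
        d_a, digest = a_h[:16], a_h[16:]
        d = unmix(self._salt(uid), d_a + d_b + d_c)  # S213-S214
        sign_data = hmac.new(d, digest, hashlib.sha256).digest()  # S215 stand-in
        return enc(d_b, sign_data)                  # S216-S217

class Client:
    def __init__(self, uid):
        self.uid = uid
        self.store = None                           # (d_A+d_B)'

    def _pin_key(self, pin):
        return h(self.uid + pin)                    # S119/S204: Cert_PIN'

    def enroll(self, d_a_b, pin):
        self.store = enc(self._pin_key(pin), d_a_b)  # S120-S121

    def sign(self, server, pin, message):
        d_a_b = dec(self._pin_key(pin), self.store)  # S205
        d_a, d_b = d_a_b[:16], d_a_b[16:]
        request = enc(d_b, d_a + h(message))        # S206-S207
        return dec(d_b, server.sign(self.uid, request))  # S208, S218

def demo():
    server, client = Server(), Client(b"ID-0001")   # constructed identity ID
    client.enroll(server.register(client.uid), b"123456")  # constructed PIN
    return server, client, client.sign(server, b"123456", b"constructed message")
```

Because d_A travels to the Server in S208, the server's hardware component holds all three segments while it signs; the split limits what each side keeps at rest, not what the Server handles during a signature.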

Further, step S3 (data encryption application) mainly comprises the following steps:

S301: User-A sends encrypted information to User-B; data encryption begins;

S302: Client-A uses User-B's encryption certificate EncryptCert_B to wrap the data to be sent, data, in a digital envelope, denoted Envelope_B = Encrypt(EncryptCert_B, data);

S303: Client-A sends Envelope_B to client-B;

S304: Client-B performs identity recognition and obtains User-B's identity ID;

S305: User-B enters the certificate PIN code, denoted Cert_PIN;

S306: client-B hashes the real-name identity ID + Cert_PIN to obtain Cert_PIN' = SM3(identity ID + Cert_PIN);

S307: client-B decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B = SM4_Dec(Cert_PIN', (d_A+d_B)');

S308: client-B decrypts EncryptKey' with d_B to obtain EncryptKey = SM4_Dec(d_B, EncryptKey');

S309: client-B decrypts Envelope_B with EncryptKey to obtain the plaintext data = Decrypt(EncryptKey, Envelope_B);

S310: Data decryption ends.

The security problems of existing soft key (file key) technology are specifically as follows:

1. Key generation and computation with a conventional client-side soft key are insecure, while a hardware key is inconvenient to use;

2. Conventional soft keys lack a strengthened security mechanism for key storage and transmission, which easily leads to key leakage;

3. Conventional soft key encryption uses the same salting factor, which easily creates a global risk;

4. Key storage and transmission for conventional soft keys lack a key-splitting security mechanism, which easily leads to key leakage;

5. Conventional key agreement requires multiple rounds of interaction to negotiate a session key, which is inefficient;

6. There is a risk of data leakage after the key server's database has been dumped;

To address the above problems, the PKI-based key protection method for multi-party cooperative operation of the invention adopts the scheme described above. Its main benefits are:

1. The Client's real key is generated and used in the hardware cryptographic component (encryption machine or encryption card) of the Server, so key generation and computation are more secure, and the method is convenient to use;

2. The real key is salted and obfuscated to produce a pseudo key, and only the pseudo key is used for key storage and transmission, to prevent the real key from being leaked;

3. The salting factor is tied to the user's identity information and PIN code and is specific to each user; every user has a different salting factor, which prevents the desalting operation from creating a global risk;

4. The pseudo key is transmitted and stored using key splitting: the client and the server each keep only the ciphertext of some of the fragments. This key segmentation and multiple encryption give key transmission and storage a high level of security, and a single leak does not compromise the key as a whole;

5. A shared fragment of the pseudo key is cleverly used to share the session key, so no session key negotiation is needed and efficiency is high;

6. The fragment key stored on the server is decrypted by the hardware cryptographic component (encryption machine or encryption card) and can only be decrypted and invoked inside that component, ensuring that the real key is never written to storage. Even if the database is dumped, the key data cannot be decrypted without the hardware cryptographic component (encryption machine or encryption card), so security is high.

In summary, by adopting the above technical scheme, the beneficial effects of the invention are:

1. In the PKI-based key protection method for multi-party cooperative operation of the invention, the Client's real key is generated and used in the hardware cryptographic component (encryption machine or encryption card) of the Server, so key generation and computation are more secure, and the method is convenient to use;

2. In the PKI-based key protection method for multi-party cooperative operation of the invention, the real key is salted and obfuscated to produce a pseudo key, and only the pseudo key is used for key storage and transmission, to prevent the real key from being leaked;

3. In the PKI-based key protection method for multi-party cooperative operation of the invention, the salting factor is tied to the user's identity information and PIN code and is specific to each user; every user has a different salting factor, which prevents the desalting operation from creating a global risk;

4. In the PKI-based key protection method for multi-party cooperative operation of the invention, the pseudo key is transmitted and stored using key splitting: the client and the server each keep only the ciphertext of some of the fragments. This key segmentation and multiple encryption give key transmission and storage a high level of security, and a single leak does not compromise the key as a whole;

5. In the PKI-based key protection method for multi-party cooperative operation of the invention, a shared fragment of the pseudo key is cleverly used to share the session key, so no session key negotiation is needed and efficiency is high;

6. In the PKI-based key protection method for multi-party cooperative operation of the invention, the fragment key stored on the server is decrypted by the hardware cryptographic component (encryption machine or encryption card) and can only be decrypted and invoked inside that component, ensuring that the real key is never written to storage. Even if the database is dumped, the key data cannot be decrypted without the hardware cryptographic component (encryption machine or encryption card), so security is high.

Description of drawings

The invention will be described by way of example with reference to the accompanying drawings, in which:

Fig. 1 is a block diagram of the principle of the invention;

Fig. 2 is a flow chart of step S1, user certificate registration;

Fig. 3 is a flow chart of step S2, digital signature application;

Fig. 4 is a flow chart of step S3, data encryption application;

Detailed description

All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.

It should be noted that relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element introduced by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.

The invention is described in detail below with reference to Figs. 1 to 4.

Embodiment 1

A PKI-based key protection method for multi-party cooperative operation, as shown in Fig. 1, involves a user (User), a client (Client), a server (Server) and an external RA/CA/KMC server:

User: the user takes part in information entry and operation confirmation;

Client: responsible for client-side key operations;

Server: responsible for server-side key splitting and related operations. Key operations must be implemented with a high-security hardware cryptographic component. The Server sends the certificate application request to the external RA/CA/KMC server in order to apply for digital certificates and the encryption key;

External RA/CA/KMC server: an external third-party system service used to apply for digital certificates and encryption keys.

The PKI-based key protection method for multi-party cooperative operation mainly comprises the following steps:

S1 User certificate registration: after the User passes real-name authentication, the server's encryption machine randomly generates a signing key and a certificate request P10 for the User. The real private key is salted and obfuscated, and the resulting pseudo key is split into three segments A, B and C. The User stores segments A and B encrypted under the protection of the identity ID and PIN code, and the server stores segments B and C encrypted with the encryption machine's built-in key. The certificate request P10 is used to apply for certificates from the external RA/CA/KMC server, and the private key of the user's encryption certificate is stored after being encrypted with segment B of the pseudo key. The whole process of key generation, splitting, transfer and storage is protected by PKI technology and by the multiple factors of person and device.

S2 Digital signature application: the identity ID and the certificate PIN code serve as the private-key holder's unique credential. The Client decrypts its stored data to obtain the two key segments d_A and d_B. It uses d_B as a symmetric key, combines d_A with the HASH value to be signed, symmetrically encrypts the combination, and sends it to the server. The server reassembles the pseudo key, removes the salt and signs with the real key. The real-key signature value is symmetrically encrypted with the symmetric key d_B and returned to the Client, which decrypts it with the same symmetric key d_B to obtain the server's real-key signature value. The whole process of fragment decryption, pseudo-key reassembly, recovery of the real key, encryption and data transfer is protected by PKI technology and by the multiple factors of person and device.

S3 Data encryption application: the encryptor encrypts the data to be sent with the public key of the recipient's encryption certificate. The decryptor uses the identity ID and the certificate PIN code as the private-key holder's unique credential, and decrypts on the Client to obtain the two signing-key segments d_A and d_B. Segment d_B of the signing private key is used as a symmetric key to decrypt the encryption certificate's private key (the encryption private key) that was stored encrypted during registration, and the decrypted private key is then used to decrypt the received ciphertext. Fragment decryption and data decryption are protected by PKI technology and by the multiple factors of the entity's identity and PIN code information.

With the above PKI-based key protection method for multi-party cooperative operation, a key leak on either the Client or the Server does not affect the integrity and confidentiality of the user's real key, which secures the generation, invocation, storage and use of the user's private key. The key protection security level of this method can reach the high security level of traditional hardware-medium smart cryptographic keys (USB keys such as bank U-shields and IC cards).

Embodiment 2

This embodiment further describes Embodiment 1. As shown in Fig. 2, step S1, user certificate registration, mainly comprises the following steps:

S101: The User initiates a certificate registration application. The Client first collects the user's real name, identity document, live biometric features and similar information for authentication. Once authentication passes, the subsequent certificate registration steps begin;

S102: The Client generates a temporary SM2 asymmetric key pair; the private key is denoted T_Pri and the public key T_Pub;

S103: The Client sends the real-name identity ID and the public key T_Pub to the Server;

S104: The Server allocates a session symmetric key to the client, denoted T_Session;

S105: The Server calls the key generation interface of the hardware cryptographic module to generate the formal SM2 asymmetric key pair for the client; the private key is denoted d and the public key P;

S106: The Server calls the PKCS10 generation interface of the hardware cryptographic module to generate the certificate request P10 for the client;

S107: The Server calls the CA system's interface and uses the certificate request P10 to apply, on behalf of the client, for the "signing certificate SignCert, encryption certificate EncryptCert, and plaintext encryption key EncryptKey";

S108: The Server salts and obfuscates the client private key d to obtain the pseudo private key d'=Mix(salt,d);

S109: The Server divides d' sequentially into three parts A, B and C, denoted d_A, d_B and d_C;

S110: The Server calls the symmetric encryption interface of the hardware cryptographic module and, with T_Session as the symmetric key, symmetrically encrypts "d_A+d_B, SignCert, EncryptCert, EncryptKey"; the output is denoted client'=SM4_Enc(T_Session,d_A+d_B,SignCert,EncryptCert,EncryptKey);

S111: The Server encrypts T_Session with T_Pub using SM2 asymmetric encryption, denoted T_Session'=SM2_Enc(T_Pub,T_Session);

S112: The Server calls the symmetric encryption interface of the hardware cryptographic module and, using the device's built-in symmetric key, symmetrically encrypts "d_B+d_C, EncryptKey"; the output is denoted Server'=SM4_Enc(d_B+d_C,EncryptKey);

S113: The Server stores Server' in the database;

S114: The Server returns client'+T_Session' to the Client;

S115: The Client decrypts T_Session' with T_Pri using SM2 asymmetric decryption to obtain the session symmetric key T_Session=SM2_Dec(T_Pri,T_Session');

S116: The Client decrypts client' with T_Session using SM4 symmetric decryption to obtain d_A+d_B,SignCert,EncryptCert,EncryptKey=SM4_Dec(T_Session,client');

S117: The Client encrypts EncryptKey with d_B using SM4 symmetric encryption to obtain EncryptKey'=SM4_Enc(d_B,EncryptKey);

S118: The user enters the certificate PIN code, denoted Cert_PIN;

S119: The Client performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S120: The Client encrypts d_A+d_B with Cert_PIN' using SM4 symmetric encryption to obtain (d_A+d_B)'=SM4_Enc(Cert_PIN',d_A+d_B);

S121: The Client stores (d_A+d_B)',SignCert,EncryptCert,EncryptKey';

S122: User registration is complete.

Embodiment 3

This embodiment further describes Embodiment 1. As shown in Fig. 3, step S2, digital signature application, mainly comprises the following steps:

S201: The digital signature process starts;

S202: The Client performs identification and obtains the identity ID;

S203: The user enters the certificate PIN code, denoted Cert_PIN;

S204: The Client performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S205: The Client decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B=SM4_Dec(Cert_PIN',(d_A+d_B)');

S206: The Client performs a HASH operation on the information to be signed, P, to obtain the hash value H=SM3(P);

S207: The Client symmetrically encrypts d_A+H with d_B to obtain (d_A+H)'=SM4_Enc(d_B,d_A+H);

S208: The Client sends the identity ID and (d_A+H)' to the Server;

S209: The Server finds the user certificate by the real-name identity ID and calls the CA interface to confirm the certificate status (if the certificate is invalid, the operation is terminated);

S210: The Server finds the Server' value stored at registration by the real-name identity ID;

S211: The Server calls the symmetric decryption interface of the hardware cryptographic module and, using the device's built-in symmetric key, symmetrically decrypts Server' to obtain d_B+d_C,EncryptKey=SM4_Dec(Server');

S212: The Server symmetrically decrypts (d_A+H)' with d_B to obtain d_A+H=SM4_Dec(d_B,(d_A+H)');

S213: The Server reassembles the obfuscated pseudo private key d'=d_A+d_B+d_C;

S214: The Server removes the impurities (the salt) from the pseudo private key d' to obtain the user's real private key d=UnMix(salt,d');

S215: The Server uses the real private key d to encrypt H, generating a P1/P7 digital signature, denoted SignData=P1(d,H)/P7(d,H,certificate);

S216: The Server uses d_B as the symmetric key to symmetrically encrypt SignData, obtaining SignData'=SM4_Enc(d_B,SignData);

S217: The Server returns SignData' to the Client;

S218: The Client uses d_B as the symmetric key to symmetrically decrypt SignData', obtaining the digital signature SignData=SM4_Dec(d_B,SignData');

S219: The digital signature process ends.
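The registration (S105 to S121) and signing (S203 to S218) exchanges of Embodiments 2 and 3, simulated end to end as an added example that is not code from the patent. SHA-256, an HMAC keystream and toy ElGamal stand in for SM3, SM4 and SM2; the Mix function, the 8/16/8-byte segment lengths, the salt's location and all sample values are assumptions, and the T_Session transport, certificates and EncryptKey are omitted.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Stand-ins (assumptions): SHA-256 for SM3, an unauthenticated HMAC keystream for
# SM4, toy ElGamal over GF(2^255-19) for SM2 signing. Illustration only.
P_MOD, G = 2**255 - 19, 2

def sm3(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sm4_enc(key: bytes, pt: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor(pt, _stream(key, nonce, len(pt)))

def sm4_dec(key: bytes, ct: bytes) -> bytes:
    return _xor(ct[16:], _stream(key, ct[:16], len(ct) - 16))

def mix(salt: bytes, d: bytes) -> bytes:
    # Hypothetical Mix/UnMix: XOR with a salt-derived pad, so it is its own inverse.
    return _xor(d, _stream(salt, b"mix", len(d)))

def public_key(d: bytes) -> int:
    return pow(G, int.from_bytes(d, "big"), P_MOD)

def sign(d: bytes, h: bytes) -> bytes:
    x, m, q = int.from_bytes(d, "big"), int.from_bytes(h, "big"), P_MOD - 1
    k = 2
    while gcd(k, q) != 1:                       # k must be invertible mod p-1
        k = secrets.randbelow(q - 2) + 2
    r = pow(G, k, P_MOD)
    s = (m - x * r) * pow(k, -1, q) % q
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def verify(pub: int, h: bytes, sig: bytes) -> bool:
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not 0 < r < P_MOD:
        return False
    lhs = pow(G, int.from_bytes(h, "big"), P_MOD)
    return lhs == pow(pub, r, P_MOD) * pow(r, s, P_MOD) % P_MOD

class Server:
    def __init__(self):
        self._hsm_key = secrets.token_bytes(16)  # device built-in key (S112)
        self._salt = secrets.token_bytes(16)     # assumed to stay with the server
        self.db = {}                             # identity ID -> Server' (S113)

    def register(self, identity_id: str):
        d = secrets.token_bytes(32)                                # S105
        d_mix = mix(self._salt, d)                                 # S108
        d_a, d_b, d_c = d_mix[:8], d_mix[8:24], d_mix[24:]         # S109, lengths assumed
        self.db[identity_id] = sm4_enc(self._hsm_key, d_b + d_c)   # S112-S113
        return d_a + d_b, public_key(d)   # S110-S116 transport omitted

    def sign_request(self, identity_id: str, blob: bytes) -> bytes:
        bc = sm4_dec(self._hsm_key, self.db[identity_id])          # S210-S211
        d_b, d_c = bc[:16], bc[16:]
        ah = sm4_dec(d_b, blob)                                    # S212: d_A + H
        d = mix(self._salt, ah[:8] + d_b + d_c)                    # S213-S214
        return sm4_enc(d_b, sign(d, ah[8:]))                       # S215-S216

class Client:
    def __init__(self, identity_id: str):
        self.identity_id, self.store = identity_id, None

    def _pin_key(self, pin: str) -> bytes:                         # S119 / S204
        return sm3((self.identity_id + pin).encode())

    def enroll(self, ab: bytes, pin: str) -> None:
        self.store = sm4_enc(self._pin_key(pin), ab)               # S120-S121

    def request_signature(self, server: Server, pin: str, message: bytes) -> bytes:
        ab = sm4_dec(self._pin_key(pin), self.store)               # S205
        d_a, d_b = ab[:8], ab[8:]
        blob = sm4_enc(d_b, d_a + sm3(message))                    # S206-S207
        reply = server.sign_request(self.identity_id, blob)        # S208, S217
        return sm4_dec(d_b, reply)                                 # S218

def demo() -> dict:
    server, client = Server(), Client("ID-0001")   # constructed identity ID
    ab, pub = server.register(client.identity_id)
    client.enroll(ab, "246810")                    # constructed PIN
    msg = b"constructed message P"
    good = client.request_signature(server, "246810", msg)
    bad = client.request_signature(server, "000000", msg)
    return {"good_verifies": verify(pub, sm3(msg), good),
            "wrong_pin_verifies": verify(pub, sm3(msg), bad),
            "client_fragment_bytes": len(client.store) - 16,       # d_A+d_B only
            "server_fragment_bytes": len(server.db["ID-0001"]) - 16}  # d_B+d_C only
```

In this simulation a wrong PIN does not stop the exchange: the steps as listed contain no check on the decrypted fragments, so the server signs with a mis-assembled key and the error only surfaces when the signature fails verification.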

Embodiment 4

This embodiment further describes Embodiment 1. As shown in Fig. 4, step S3, data encryption application, mainly comprises the following steps:

S301: User-A sends encrypted information to User-B; data encryption starts;

S302: Client-A uses User-B's encryption certificate EncryptCert_B to wrap the data to be sent, data, in a digital envelope, denoted Envelope_B=Encrypt(EncryptCert_B,data);

S303: Client-A sends Envelope_B to Client-B;

S304: Client-B performs identification and obtains User-B's identity ID;

S305: User-B enters the certificate PIN code, denoted Cert_PIN;

S306: Client-B performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S307: Client-B decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B=SM4_Dec(Cert_PIN',(d_A+d_B)');

S308: Client-B decrypts EncryptKey' with d_B to obtain EncryptKey=SM4_Dec(d_B,EncryptKey');

S309: Client-B decrypts Envelope_B with EncryptKey to obtain the plaintext data data=Decrypt(EncryptKey,Envelope_B);

S310: Data decryption ends.

The above are only preferred embodiments of the present invention, and the protection scope of the present invention is not limited to them. Any change or substitution that a person skilled in the art could conceive without creative effort, within the technical scope disclosed by the present invention, falls within the protection scope of the present invention. The protection scope of the present invention is therefore defined by the claims.

Claims (4)

1. A PKI-based key protection method for multi-party cooperative operation, involving a user User, a client Client, a server Server and an external RA/CA/KMC server, characterized in that:

User: the user takes part in information entry and operation confirmation;

Client: responsible for client-side key operations;

Server: responsible for server-side key splitting and related operations; key operations must be implemented with a hardware cryptographic component; the Server sends the certificate application request to the external RA/CA/KMC server in order to apply for digital certificates and the encryption key;

External RA/CA/KMC server: an external third-party system service used to apply for digital certificates and encryption keys;

the PKI-based key protection method for multi-party cooperative operation comprises the following steps:

S1 User certificate registration: after the User passes real-name authentication, the server's encryption machine randomly generates a signing key and a certificate request P10 for the User; the user's real private key is salted and obfuscated to obtain the user's pseudo private key, and the user's pseudo private key is split into three segments A, B and C; the User stores segments A and B encrypted under the protection of the identity ID and PIN code, and the server stores segments B and C encrypted with the encryption machine's built-in key; the certificate request P10 is used to apply for certificates from the external RA/CA/KMC server, and the private key in the user's encryption certificate is stored after being encrypted with segment B of the user's pseudo private key;

S2 Digital signature application: the identity ID and the certificate PIN code serve as the private-key holder's unique credential; the Client decrypts to obtain the two key segments d_A and d_B, uses d_B as a symmetric key, combines d_A with the HASH value to be signed, symmetrically encrypts the combination and sends it to the server, which reassembles the user's pseudo private key, removes the salt from the user's pseudo private key to obtain the user's real private key, and signs with the user's real private key; the signature value made with the user's real private key is symmetrically encrypted with the symmetric key d_B and returned to the Client, and the Client decrypts it with the same symmetric key d_B to obtain the server's signature value made with the user's real private key;

S3 Data encryption application: the encryptor encrypts the data to be sent with the public key of the recipient's encryption certificate; the decryptor uses the identity ID and the certificate PIN code as the private-key holder's unique credential and decrypts on the Client to obtain the two signing-key segments d_A and d_B; segment d_B of the signing private key is used as a symmetric key to decrypt the private key in the user's encryption certificate that was stored encrypted during registration, and the decrypted private key is then used to decrypt the received ciphertext.

2. The PKI-based key protection method for multi-party cooperative operation according to claim 1, characterized in that step S1, user certificate registration, comprises the following steps:

S101: The User initiates a certificate registration application; the Client first collects the user's real name, identity document and live biometric information for authentication; once authentication passes, the subsequent certificate registration steps begin;

S102: The Client generates a temporary SM2 asymmetric key pair; the private key is denoted T_Pri and the public key T_Pub;

S103: The Client sends the real-name identity ID and the public key T_Pub to the Server;

S104: The Server allocates a session symmetric key to the Client, denoted T_Session;

S105: The Server calls the key generation interface of the hardware cryptographic module to generate the formal SM2 asymmetric key pair for the Client; the user's real private key is denoted d and the public key P;

S106: The Server calls the PKCS10 generation interface of the hardware cryptographic module to generate the certificate request P10 for the Client;

S107: The Server calls the interface of the external RA/CA/KMC server system and uses the certificate request P10 to apply, on behalf of the Client, for the signing certificate SignCert, the encryption certificate EncryptCert, and the private key EncryptKey in the user's encryption certificate;

S108: The Server salts and obfuscates the user's real private key d to obtain the user's pseudo private key d'=Mix(salt,d);

S109: The Server divides d' sequentially into three parts A, B and C, denoted d_A, d_B and d_C;

S110: The Server calls the symmetric encryption interface of the hardware cryptographic module and, with T_Session as the symmetric key, symmetrically encrypts d_A+d_B, SignCert, EncryptCert, EncryptKey; the output is denoted Client'=SM4_Enc(T_Session,d_A+d_B,SignCert,EncryptCert,EncryptKey);

S111: The Server encrypts T_Session with T_Pub using SM2 asymmetric encryption, denoted T_Session'=SM2_Enc(T_Pub,T_Session);

S112: The Server calls the symmetric encryption interface of the hardware cryptographic module and, using the device's built-in symmetric key, symmetrically encrypts "d_B+d_C, EncryptKey"; the output is denoted Server'=SM4_Enc(d_B+d_C,EncryptKey);

S113: The Server stores Server' in the database;

S114: The Server returns Client'+T_Session' to the Client;

S115: The Client decrypts T_Session' with T_Pri using SM2 asymmetric decryption to obtain the session symmetric key T_Session=SM2_Dec(T_Pri,T_Session');

S116: The Client decrypts Client' with T_Session using SM4 symmetric decryption to obtain d_A+d_B,SignCert,EncryptCert,EncryptKey=SM4_Dec(T_Session,Client');

S117: The Client encrypts EncryptKey with d_B using SM4 symmetric encryption to obtain EncryptKey'=SM4_Enc(d_B,EncryptKey);

S118: The user enters the certificate PIN code, denoted Cert_PIN;

S119: The Client performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S120: The Client encrypts d_A+d_B with Cert_PIN' using SM4 symmetric encryption to obtain (d_A+d_B)'=SM4_Enc(Cert_PIN',d_A+d_B);

S121: The Client stores (d_A+d_B)',SignCert,EncryptCert,EncryptKey';

S122: User registration is complete.

3. The PKI-based key protection method for multi-party cooperative operation according to claim 1, characterized in that step S2, digital signature application, comprises the following steps:

S201: The digital signature process starts;

S202: The Client performs identification and obtains the identity ID;

S203: The user enters the certificate PIN code, denoted Cert_PIN;

S204: The Client performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S205: The Client decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B=SM4_Dec(Cert_PIN',(d_A+d_B)');

S206: The Client performs a HASH operation on the information to be signed, P, to obtain the hash value H=SM3(P);

S207: The Client symmetrically encrypts d_A+H with d_B to obtain (d_A+H)'=SM4_Enc(d_B,d_A+H);

S208: The Client sends the identity ID and (d_A+H)' to the Server;

S209: The Server finds the user certificate by the real-name identity ID and calls the external RA/CA/KMC server interface to confirm the certificate status; if the certificate is invalid, the operation is terminated;

S210: The Server finds the Server' value stored at registration by the real-name identity ID;

S211: The Server calls the symmetric decryption interface of the hardware cryptographic module and, using the device's built-in symmetric key, symmetrically decrypts Server' to obtain d_B+d_C,EncryptKey=SM4_Dec(Server');

S212: The Server symmetrically decrypts (d_A+H)' with d_B to obtain d_A+H=SM4_Dec(d_B,(d_A+H)');

S213: The Server reassembles the obfuscated user pseudo private key d'=d_A+d_B+d_C;

S214: The Server removes the salt from the user's pseudo private key d' to obtain the user's real private key d=UnMix(salt,d');

S215: The Server uses the user's real private key d to encrypt H, generating a P1/P7 digital signature, denoted SignData=P1(d,H)/P7(d,H,certificate);

S216: The Server uses d_B as the symmetric key to symmetrically encrypt SignData, obtaining SignData'=SM4_Enc(d_B,SignData);

S217: The Server returns SignData' to the Client;

S218: The Client uses d_B as the symmetric key to symmetrically decrypt SignData', obtaining the digital signature SignData=SM4_Dec(d_B,SignData');

S219: The digital signature process ends.

4. The PKI-based key protection method for multi-party cooperative operation according to claim 1, characterized in that step S3, data encryption application, comprises the following steps:

S301: User-A sends encrypted information to User-B; data encryption starts;

S302: Client-A uses User-B's encryption certificate EncryptCert_B to wrap the data to be sent, data, in a digital envelope, denoted Envelope_B=Encrypt(EncryptCert_B,data);

S303: Client-A sends Envelope_B to Client-B;

S304: Client-B obtains User-B's identity ID through identification;

S305: User-B enters the certificate PIN code, denoted Cert_PIN;

S306: Client-B performs a HASH operation on the real-name identity ID+Cert_PIN to obtain Cert_PIN'=SM3(identity ID+Cert_PIN);

S307: Client-B decrypts (d_A+d_B)' with Cert_PIN' using SM4 symmetric decryption to obtain d_A+d_B=SM4_Dec(Cert_PIN',(d_A+d_B)');

S308: Client-B decrypts EncryptKey' with d_B to obtain EncryptKey=SM4_Dec(d_B,EncryptKey');

S309: Client-B decrypts Envelope_B with EncryptKey to obtain the data to be sent, data=Decrypt(EncryptKey,Envelope_B);

S310: Data decryption ends.
CN201911206709.6A 2019-11-29 2019-11-29 A key protection method for multi-party cooperative operation based on PKI Active CN110932851B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911206709.6A CN110932851B (en) 2019-11-29 2019-11-29 A key protection method for multi-party cooperative operation based on PKI

Publications (2)

Publication Number Publication Date
CN110932851A CN110932851A (en) 2020-03-27
CN110932851B true CN110932851B (en) 2022-09-23

Family

ID=69847937

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911206709.6A Active CN110932851B (en) 2019-11-29 2019-11-29 A key protection method for multi-party cooperative operation based on PKI

Country Status (1)

Country Link
CN (1) CN110932851B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641587B (en) * 2020-04-27 2022-03-04 河南省云安大数据安全防护产业技术研究院有限公司 Internet of things equipment interconnection method and device
CN112115491B (en) * 2020-08-20 2024-03-22 恒安嘉新(北京)科技股份公司 Symmetric encryption key protection method, device, equipment and storage medium
CN112016082B (en) * 2020-10-26 2021-01-22 成都掌控者网络科技有限公司 Authority list safety control method
CN113130031B (en) * 2021-05-18 2024-07-30 中南大学湘雅三医院 PKI-based inter-hospital electronic medical record interaction system, method, equipment and storage medium
CN113726503B (en) * 2021-07-12 2023-11-14 国网山东省电力公司信息通信公司 Method and system for protecting web interaction information
CN115632778B (en) * 2022-12-20 2023-04-18 四川省数字证书认证管理中心有限公司 A multi-terminal encryption and decryption intercommunication method
CN116827542B (en) * 2023-08-29 2023-11-07 江苏省国信数字科技有限公司 Digital certificate management method and system of intelligent device
CN117118759B (en) * 2023-10-24 2024-01-30 四川省数字证书认证管理中心有限公司 Method for reliable use of user control server terminal key
CN117479151B (en) * 2023-12-27 2024-03-12 阳光凯讯(北京)科技股份有限公司 Data encryption transmission method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548345A (en) * 2016-12-07 2017-03-29 北京信任度科技有限公司 The method and system of block chain private key protection are realized based on Secret splitting
CN110224812A (en) * 2019-06-12 2019-09-10 江苏慧世联网络科技有限公司 A kind of method and equipment that the electronic signature mobile client calculated based on Secure is communicated with Collaboration Server

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7689832B2 (en) * 2000-09-11 2010-03-30 Sentrycom Ltd. Biometric-based system and method for enabling authentication of electronic messages sent over a network
CN101115060B (en) * 2007-08-09 2012-04-18 上海格尔软件股份有限公司 Method for protecting user encryption key in asymmetric key transmission process in user key management system
CN101483518B (en) * 2009-02-20 2011-11-09 北京天威诚信电子商务服务有限公司 Customer digital certificate private key management method and system
CN104618120B (en) * 2015-03-04 2018-01-23 青岛微智慧信息有限公司 A kind of mobile terminal key escrow digital signature method

Also Published As

Publication number Publication date
CN110932851A (en) 2020-03-27

Similar Documents

Publication Publication Date Title
CN110932851B (en) A key protection method for multi-party cooperative operation based on PKI
JP7119040B2 (en) Data transmission method, device and system
CN109040045B (en) A cloud storage access control method based on ciphertext policy attribute-based encryption
US8644516B1 (en) Universal secure messaging for cryptographic modules
US20030026433A1 (en) Method and apparatus for cryptographic key establishment using an identity based symmetric keying technique
US7266705B2 (en) Secure transmission of data within a distributed computer system
US20080240433A1 (en) Lightweight secure authentication channel
JP2023500570A (en) Digital signature generation using cold wallet
CN108809936B (en) A kind of intelligent mobile terminal identity verification method based on hybrid encryption algorithm and its implementation system
CN113609522B (en) Data authorization and data access method and device
CN117278330B (en) Lightweight networking and secure communication method for electric power Internet of things equipment network
CN113726733B (en) Encryption intelligent contract privacy protection method based on trusted execution environment
CN113708917A (en) APP user data access control system and method based on attribute encryption
CN112671729B (en) Internet of vehicles oriented anonymous key leakage resistant authentication method, system and medium
CN111901335B (en) Block chain data transmission management method and system based on middle station
CN114244501A (en) Power data privacy protection system and implementation method thereof, and encryption attribute revocation method
CN113468582A (en) Anti-quantum computing encryption communication method
US11917056B1 (en) System and method of securing a server using elliptic curve cryptography
CN117254916A (en) Non-key DDS safety authentication and communication method based on OP-TEE
CN114448600A (en) Key management method and system suitable for zero trust network
US12261946B2 (en) System and method of creating symmetric keys using elliptic curve cryptography
CN119766474A (en) Mobile communication method based on quantum resistance and state secret algorithm mixing and mobile terminal
CN112788068A (en) CP-ABE-based fixed ciphertext length proxy re-encryption system and method in cloud computing
CN118713833A (en) Quantum-resistant security enhancements for the Open Identity Connection Protocol
CN118694529A (en) Quantum-resistant security enhancement method for secure channel protocol of cryptographic devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 4th Floor, Building 3, No. 1699 Jinhe Road, High tech Zone, Chengdu City, Sichuan Province 610041

Patentee after: Sichuan digital certificate Certification Management Center Co.,Ltd.

Country or region after: China

Address before: Room 509-512, 5th Floor, Block E, No. 333 Gaoxinjiaozi Avenue, Chengdu China (Sichuan) Pilot Free Trade Zone, Chengdu 610041

Patentee before: Sichuan digital certificate Certification Management Center Co.,Ltd.

Country or region before: China