CN114697040B - Electronic signature method and system based on symmetric key - Google Patents
Electronic signature method and system based on symmetric key Download PDFInfo
- Publication number
- CN114697040B CN114697040B CN202011639022.4A CN202011639022A CN114697040B CN 114697040 B CN114697040 B CN 114697040B CN 202011639022 A CN202011639022 A CN 202011639022A CN 114697040 B CN114697040 B CN 114697040B
- Authority
- CN
- China
- Prior art keywords
- electronic signature
- electronic
- key
- server
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 238000012795 verification Methods 0.000 claims abstract description 20
- 230000008569 process Effects 0.000 claims description 7
- 238000012550 audit Methods 0.000 claims description 5
- 239000000284 extract Substances 0.000 claims description 3
- 238000010586 diagram Methods 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 238000004422 calculation algorithm Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000009826 distribution Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000003860 storage Methods 0.000 description 3
- 238000010276 construction Methods 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an electronic signature method and system based on a symmetric key, wherein an electronic signature server is set up to manage electronic seals and electronic signature user information, so that convenience of legal signature users in obtaining electronic signature services is ensured; the electronic signature user carries out electronic signature through the electronic signature server to the trusted center, and the trusted center only needs to verify the identity of the electronic signature server, so that the complexity of the trusted center in account management and identity verification is reduced, and the electronic signature efficiency of the trusted center is improved; the invention can realize unconditional safety and has the characteristic of quantum attack resistance.
Description
Technical Field
The invention belongs to the technical field of electronic contract signing, and particularly relates to an electronic signature method and system based on a symmetric key.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
Electronic signatures generally refer to all electronic documents that exist in electronic form, are attached to an electronic document, and can identify the identity of the signer of the electronic document, ensure the integrity of the document, and represent the content of the signer agreeing to the statement of the electronic document.
Electronic signature systems are a high and new technology that comes with the construction of informatization. The method mainly solves the signing and stamping problems of the electronic file, is used for identifying the identity of a signer of the electronic file, ensures the integrity of the file, and ensures the authenticity, reliability and non-repudiation of the file. The electronic signature is not a digital image of the written signature seal, it exists in the form of an electronic code. By utilizing the electronic signature, a receiver can transmit a file through a network, can easily verify the identity and signature of a sender, and can verify whether the original text of the file changes in the transmission process.
The current electronic signature system is basically realized based on PKI technology, the identity authentication of a signer is realized based on PKI technology, and meanwhile, the anti-repudiation signature of data is realized by using an RSA asymmetric key. It is well known that the asymmetric key encryption algorithm employed by PKI technology is computationally secure. The cryptographic system based on computational complexity is unsafe in the face of research and construction of foreseeable quantum computers. Therefore, the current electronic signature system realized based on PKI technology has potential safety hazard.
Taking patent document with a document number of CN111030825A as an example for explanation, an anti-quantum computing electronic seal system based on a secret sharing public key pool and a signature and verification method thereof are disclosed, wherein a seal public key is decomposed into two parts by using a Lagrange method, one part is a public part, the other part is a secret part, the public key is stored in the secret sharing public key pool, and the public key is obtained through a public key pointer random number and the secret sharing public key pool in a key fob, so that the seal public key has the anti-quantum computing characteristic. However, this method has the disadvantage that the security of the proprietary algorithm is based entirely on the physical security of the key fob system, is conditional secure, and once the physical indestructibility of the key fob is not established, the algorithm is not secure, and even less resistant to quantum computing.
Disclosure of Invention
In order to solve the problems, the invention provides an electronic signature method and an electronic signature system based on a symmetric key, which can realize unconditional safe quantum attack resistance.
According to some embodiments, the present invention employs the following technical solutions:
An electronic signature system based on symmetric keys, comprising:
the terminal equipment is configured to send a registration request to the electronic signature server, store a shared key fed back by the registration request, send a signature application to the electronic signature server, verify the identity information of the electronic signature server, send the belonging electronic seal ID and the encrypted file to be signed, and receive the fed back signed file;
The electronic signature server is configured to send a registration request to the trusted center, store a shared key fed back by the registration request, receive an applicant registration request of the terminal equipment and distribute the shared key, verify the identity of an applicant of the terminal equipment, receive information sent by the terminal equipment, audit the authority of the applicant, package electronic seal information and the applicant information to form electronic signature data, cover the electronic signature data on a file to be signed, send the file to the trusted center for verification and signature, receive the signed file which passes the audit, encrypt and send the file;
and the trusted center is configured to verify the registration information of the electronic signature server, distribute a shared key, verify the identity of the electronic signature server, digitally sign the received signed file by using a symmetric key, generate the signed file, encrypt the signed file and send the signed file to the electronic signature server.
As an alternative embodiment, the trusted center is provided with a true random number digital signature key store for digital signature of electronic signature data.
Alternatively, the keys of the true random number digital signature key library are divided according to the length used for each digital signature, and the divided keys are sequentially numbered.
As an alternative embodiment, the trusted center is configured to save each key used for signing and its number until the signing validity period of that key expires;
As an alternative embodiment, the trusted center is configured to increase the number of signing keys of the keystore according to signing requirements.
As an alternative embodiment, the electronic signature server stores electronic seal file information, electronic seals, and user rights of the electronic seals.
As an alternative embodiment, the terminal device, the electronic signature server and the trust center communicate through a quantum cryptography network.
An electronic signature method based on a symmetric key comprises the following steps:
The terminal equipment initiates a signature application to the electronic signature server, and the electronic signature server and the terminal equipment use a shared secret key to carry out identity verification;
After verification is successful, the electronic seal ID to be used for signature is sent to the electronic signature server through the verified terminal equipment, and meanwhile, a document needing the electronic signature is sent to the electronic signature server by using a shared key for encryption;
The electronic signature server examines the signature authority of the application signer corresponding to the terminal equipment, if the authority is met, the electronic document requiring the electronic signature is decrypted, the electronic seal information and the application signer information are packaged into electronic signature data, the document is covered, the electronic signature document information is generated, and if the authority is not met, the application is refused;
The electronic signature server encrypts the electronic signature document information by using an unused shared key of the electronic signature server and the trusted center, and generates identity authentication information at the same time, and sends the identity authentication information to the trusted center;
The trusted center receives the data sent by the electronic signature server, verifies the identity of the electronic signature server, decrypts and acquires the electronic signature document information, calculates a message authentication code of the electronic signature document information by using an unused key as a symmetric key digital signature of the electronic signature document information, encrypts the electronic signature information by using a shared key, and sends the encrypted information to the electronic signature server;
the electronic signature server decrypts the obtained encrypted electronic signature information, encrypts the decrypted document again, and sends the decrypted document to the terminal equipment corresponding to the signer.
As an alternative embodiment, the specific process of the terminal device initiating a signature application to the electronic signature server, the electronic signature server and the terminal device using the shared key to perform identity verification includes:
after receiving the signature application request, the electronic signature server sends a random number r1 to a signer applying for signature;
The signer receives r1, calculates a first message authentication code by using an unused shared key K with a sequence number n, wherein the first message authentication code is related to the ID of the signer, the random number r1, the sequence number n and the key K;
The signer selects a random number r2 and sends r2, n and the first message authentication code to an electronic signature server;
the electronic signature server reads a shared secret key K with a serial number n shared with the signer, verifies the correctness of the first message authentication code, calculates a second message authentication code related to the random numbers r1, r2, the serial number n and the shared secret key K if the first message authentication code is correct, and sends the second message authentication code to the signer;
The signer verifies the correctness of the second message authentication code, if the second message authentication code is correct, the identity verification of the two parties is successful, and the two parties label the shared secret key with the serial number of n as used.
In an alternative embodiment, the specific process of generating the identity authentication information by the electronic signature server includes: a hash operation message authentication code related to ciphertext generated by encrypting electronic signature document information by using a shared key of an electronic signature server and a trusted center, an electronic signature server ID, the shared key of the electronic signature server and the trusted center and a serial number thereof is calculated.
As an alternative implementation manner, after receiving the data sent by the electronic signature server, the trusted center reads the shared key K n2 of the trusted center with the sequence number n 2 and the electronic signature server, if the shared key K n2 is used, the authentication of the electronic signature server is abandoned, otherwise, the correctness of the hash operation message authentication code is authenticated by using the K n2, if the authentication of the electronic signature server is correct, the authentication of the electronic signature server is successful, the K n2 is marked as used, the trusted center reads the shared key K n1 of the trusted center with the sequence number n 1 and the electronic signature server, and the ciphertext is decrypted by using the K n1 to obtain the electronic signature document information I, and the K n1 is marked as used.
As an alternative embodiment, the recipient of the electronic signature information of the electronic signature document may encrypt and send the electronic signature document to a trusted center, and verify the validity of the electronic signature; the trusted center extracts the corresponding sequence number key from the key library, calculates the message authentication code, compares whether the value of the message authentication code corresponds to the symmetric key digital signature of the electronic signature document information, if so, the electronic signature is correct, otherwise, the electronic signature is incorrect.
Compared with the prior art, the invention has the beneficial effects that:
The invention is based on a symmetric key algorithm, has the characteristic of quantum attack resistance, fundamentally eliminates the defect that the security is based on computational security of the traditional electronic signature algorithm based on PKI, and has unconditional security.
The invention establishes the electronic signature server to manage the electronic seal and the electronic signature user information, thereby ensuring the convenience of legal signature users for obtaining the electronic signature service; the electronic signature user performs electronic signature to the trusted center through the electronic signature server, and the trusted center only needs to verify the identity of the electronic signature server, so that the complexity of the trusted center in account management and identity verification is reduced, and the electronic signature efficiency of the trusted center is improved.
When the invention calculates each message authentication code, the electronic signature document, the electronic seal and the signature user information are bound, the integrity of the document is ensured, and the authenticity, the reliability and the non-repudiation of the document are ensured.
The invention realizes reliable communication between the electronic signature server and the trusted center by sharing the quantum key information, realizes the identity authentication of the trusted center to the electronic signature server, and ensures the validity of the identity of the electronic signature server.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
FIG. 1 is a block diagram of an electronic signature system according to an embodiment;
FIG. 2 is a schematic diagram illustrating an operation of an electronic signature server according to an embodiment;
fig. 3 is a signature flow chart of the second embodiment.
Detailed Description
The invention will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present invention. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
Embodiment one:
Aiming at the security defect of the current electronic signature system, the embodiment provides an electronic signature system, as shown in fig. 1, including:
The trusted center establishes a true random digital signature key bank (hereinafter referred to as signature key bank) in the trusted center for digital signature of the electronic signature data. Dividing the keys of the key library according to the length used by each digital signature, and numbering the divided keys sequentially.
The electronic signature server registers in the trusted center in advance, and the trusted center distributes a shared key to the electronic signature server after verifying the identity of the electronic signature server, wherein the shared key is used for identity authentication when the electronic signature server communicates with the trusted center and encrypted communication with the trusted center. The electronic signature server stores the electronic seal, audits the authority of the application signer, generates signature information, sends the signature information to the trusted center for digital signature, and stores the signature record of the application signer.
The signer (the executing device is a terminal device, such as a processor or a server) registers with the electronic signature server, and after the electronic signature server verifies the identity of the signer, the signer distributes a shared key to the signer, and the shared key is used for identity authentication when the signer communicates with the electronic signature server and encrypted communication with the electronic signature server.
And the administrator of the electronic signature server stores the electronic seal information including the electronic seal file information and the user authority information of the electronic seal in the electronic signature server database in advance.
Specifically, the trusted center is a trusted third party mechanism and is located at the quantum cryptography network terminal, and the trusted center is provided with a true random digital signature key library (hereinafter referred to as signature key library) for digital signature of the electronic signature data.
Dividing the keys of the key library according to the length used by each digital signature, and numbering the divided keys sequentially. The trust center saves each key used for signing and its number until the signing validity period of that key expires. The trusted center can increase the number of signing keys of the key store according to the signing requirements.
The electronic signature server is positioned at the quantum cryptography network terminal and is used for storing the electronic seal, auditing the authority of the application signer, generating signature information, sending the signature information to the trusted center for digital signature and storing the signature record of the application signer. The electronic signature server registers with the trusted center, the trusted center distributes true random numbers to the electronic signature server through a quantum encryption channel after verifying the identity of the electronic signature server, the true random numbers are used as shared keys, the shared keys are respectively and safely stored by the trusted center and the electronic signature server, and the shared keys are used for identity authentication when the electronic signature server communicates with the trusted center and encrypted communication with the trusted center.
The electronic signature server stores the electronic seal information including the electronic seal file information, the user of the electronic seal and the authority information of the user in the electronic signature server database in advance. Of course, the information can be input by a database administrator or be generated by self-extraction by using an information extraction method, and the existing method can be used, so that the details are not repeated here.
The signer is a person who has electronic signature authority and can realize electronic signature on the electronic document through the server, and the specific execution is realized through the quantum cryptography network terminal equipment. The signer registers with the electronic signature server through the terminal equipment, the electronic signature server distributes independent ID after verifying the identity, the shared secret key is distributed to the signer through the quantum cryptography network, the corresponding terminal equipment and the electronic signature server respectively store the shared secret key safely, and the shared secret key is used for identity authentication when the terminal equipment communicates with the electronic signature server and encrypted communication with the electronic signature server.
Of course, the verification signature can also be compared and verified by a verification signer or by using an image/information processing algorithm, and the conventional method can be used, which is not described herein.
The seal making of the electronic seal system based on the symmetric key of the embodiment is completed by the electronic seal server. The electronic signature server stores electronic seal information, signer information and authority information to be used for electronic signature in advance; the electronic seal information mainly comprises an electronic seal ID and electronic file information of the electronic seal. The signer information mainly comprises the ID of the application signer with signature authority of each electronic seal and signature timeliness of each ID.
When the identity information of the signer is confirmed and has the signing authority, the electronic signature server packages the electronic seal information and the signer information into electronic signature data, and adds the electronic signature data to a document needing electronic signature to generate electronic signature document information, as shown in fig. 2.
Embodiment two:
based on the system of the first embodiment, a signature method is provided, as shown in fig. 3, including the following steps:
The electronic signature server registers with a trusted center, the trusted center verifies the identity of the electronic signature server, and the trusted center and the electronic signature server acquire a shared key through quantum key distribution. Before the application signer carries out the electronic signature through the electronic signature server, the application signer registers with the electronic signature server, the electronic signature server verifies the identity of the application signer, and the electronic signature server and the application signer acquire a shared key through quantum key distribution.
The distribution of the shared key can distribute a plurality of keys at a time according to the length of the shared key used each time, and the shared key is divided and numbered in a synchronous sequence.
When the shared key is almost used, the two sides of the shared key use the unused shared key to carry out identity authentication, the authentication is successful, the shared key is redistributed, the newly distributed shared key uses the unused shared key distributed last time to encrypt one by one, the serial numbers are stored in a resynchronization mode, and all the shared keys distributed last time are deleted.
After the signer registers in the electronic signature server to obtain the shared key, the flow of electronic signature through the server is as follows:
the signer initiates a signature application to the electronic signature server by using the registration ID, and the electronic signature server and the signer perform identity verification by using the shared secret key. The authentication process is as follows:
after receiving the signature application request, the electronic signature server sends a random number r1 to a signer applying for signature;
the signer of the application receives r1, unused shares with sequence number n the key K calculates HMAC (r1||uid||n; K), wherein UID is an application signer ID, ||represents a data connection operation;
The signer of the application selects the random number r2, r 2n and HMAC (r1||uid||n; K) sending the electronic signature to an electronic signature server;
The electronic signature server reads a shared secret key K with a serial number of n, which is shared with a signer, verifies the correctness of the HMAC (r1|UID|n; K), calculates the HMAC (r1|r2|n; K) if the HMAC is correct, and sends the HMAC to the signer;
The signer verifies the correctness of the HMAC (r1|r2|n; K), if the HMAC is correct, the identity verification of the two parties is successful, and the two parties label the shared secret key with the sequence number n as used.
After verification is successful, the signer sends the electronic seal ID to be used by the signature to the electronic signature server, and simultaneously sends the document needing the electronic signature to the electronic signature server by using the shared key encryption. The electronic signature server examines the signature authority of the signer, if the authority is satisfied, the electronic signature server decrypts the electronic document needing the electronic signature, packages the electronic seal information and the signer information into electronic signature data, and adds the electronic signature data to the document to generate electronic signature document information.
The electronic signature server encrypts the electronic signature document information by using an unused shared key of the electronic signature server and the trusted center, and simultaneously generates identity authentication information and sends the identity authentication information to the trusted center. The specific encryption mode is as follows:
HMAC(E(I,Kn1)||SID||n1||n2;Kn2),
Wherein I is electronic signature document information, K n1 and K n2 are shared keys of an electronic signature server and a trusted center with sequence numbers n1 and n2, respectively, E (I, K n1) represents ciphertext generated by encrypting I with a key K n1, SID is an electronic signature server ID, HMAC (E (I, K n1)||SID||n1||n2;Kn2) represents a key-dependent hash operation message authentication code of E (I, K n1) SID n 1n 2 generated with a key K n2.
The electronic signature server sends E (I, K n1), SIDs, n1, n2, and HMAC (E (I, K n1)||SID||n1||n2;Kn2) simultaneously to the trusted center.
The trusted center receives the data sent by the electronic signature server, firstly reads the shared key K n2 between the trusted center with the n2 serial number and the electronic signature server, if K n2 is used, the authentication of the electronic signature server is abandoned, otherwise, K n2 is used for verifying the correctness of HMAC (E (I, K n1)||SID||n1||n2;Kn2), if the correctness is correct, the authentication of the electronic signature server is successful, K n2 is marked as used, the trusted center reads the shared key K n1 between the trusted center with the n1 serial number and the electronic signature server, E (I, K n1) is decrypted by using K n1, electronic signature document information I is obtained, and K n1 is marked as used.
The trusted center reads a key K SN with the unused sequence number of SN in the signature key library, calculates an HMAC code of the electronic signature document information by using the key K SN as a symmetric key digital signature of the electronic signature document information, and the calculation formula is as follows:
Ds=HMAC(I||T||SN,KSN),
Wherein I is electronic signature document information, T is time at that time, SN is sequence number of a used signature key, K SN is a key for digital signature, and I represents data connection operation. The trusted center marks the signing key K SN as used.
The trusted center encrypts and sends the I & lt & gtT & lt & gtDs & lt & gtSN as electronic signature information of the document to the electronic signature server, and the electronic signature server decrypts and then encrypts and sends the I & lt & gtT & lt & gtDs & lt & gtSN to the applicant signer. The signer decrypts the electronic signature information of the obtained document.
Any recipient who has the electronic signature information of the document can encrypt and send the electronic signature information to a trusted center to verify the legitimacy of the electronic signature. The trusted center extracts a key K SN with the sequence number of SN from the key store, calculates HMAC (I T SN, K SN), compares whether the value of the key is equal to Ds, and if so, the electronic signature is correct, otherwise, the electronic signature is incorrect.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
While the foregoing description of the embodiments of the present invention has been presented in conjunction with the drawings, it should be understood that it is not intended to limit the scope of the invention, but rather, it is intended to cover all modifications or variations within the scope of the invention as defined by the claims of the present invention.
Claims (7)
1. An electronic signature method based on a symmetric key is characterized in that: the method comprises the following steps:
The terminal equipment initiates a signature application to the electronic signature server, and the electronic signature server and the terminal equipment use a shared secret key K to carry out identity verification;
After verification is successful, the electronic seal ID to be used for signature is sent to the electronic signature server through the verified terminal equipment, and meanwhile, a document needing the electronic signature is sent to the electronic signature server in an encrypted mode by using a shared key K;
The electronic signature server examines the signature authority of the application signer corresponding to the terminal equipment, if the authority is met, the electronic document requiring the electronic signature is decrypted, the electronic seal information and the application signer information are packaged into electronic signature data, the document is covered, the electronic signature document information is generated, and if the authority is not met, the application is refused;
The electronic signature server encrypts the electronic signature document information by using an unused shared key K n1 of the electronic signature server and the trusted center, and generates identity authentication information at the same time, and sends the identity authentication information to the trusted center; the specific process of generating the identity authentication information by the electronic signature server comprises the following steps: calculating a hash operation message authentication code HMAC (E (I, K n1)||SID||n1||n2;Kn2) related to the secret text E (I, K n1) generated by encrypting the electronic signature document information I by using a shared key K n1 of the electronic signature server and the trusted center, the ID of the electronic signature server, the shared key K n1 of the electronic signature server and the trusted center and the serial numbers n1 and n2 of the K n2, wherein the SID is the ID of the electronic signature server;
the trusted center receives the data sent by the electronic signature server and comprising E (I, K n1), SID, n1, n2 and HMAC (E (I, K n1)||SID||n1||n2;Kn2), verifies the identity of the electronic signature server and decrypts to obtain electronic signature document information, and the specific process comprises the steps that after the trusted center receives the data sent by the electronic signature server, the shared key K n2 of the trusted center with the sequence number of n 2 and the electronic signature server is read, if K n2 is used, the identity verification of the electronic signature server is abandoned, otherwise, K n2 is used for verifying the correctness of a hash operation message authentication code HMAC (E (I, K n1)||SID||n1||n2;Kn2), if the correctness is correct, the identity verification of the electronic signature server is successful, K n2 is marked as used, the trusted center with the sequence number of n 1 and the shared key K n1 of the electronic signature server are read by the trusted center, E (I, K n1) is decrypted by K n1 to obtain the electronic signature document information I, and K n1 is marked as used;
The trusted center calculates an HMAC code of electronic signature document information by using an unused key K SN with the sequence number of SN in a true random digital signature key library as a symmetric key digital signature Ds of the electronic signature document information, ds=HMAC (I T SN, K SN), T is the time at that time, encrypts the I T Ds SN as the electronic signature information of the document, and sends the encrypted information to an electronic signature server;
After decrypting the obtained encrypted electronic signature information, the electronic signature server encrypts I T Ds SN and sends the encrypted electronic signature information to terminal equipment corresponding to a signer;
Any receiver receiving the electronic signature information of the electronic signature document can encrypt and send the electronic signature document to a trusted center to verify the legitimacy of the electronic signature; the trusted center extracts a key K SN with the sequence number of SN from a true random digital signature key library, calculates a message authentication code HMAC (I T SN, K SN), compares whether the value of the message authentication code corresponds to a symmetric key digital signature Ds of electronic signature document information, if so, the electronic signature is correct, otherwise, the electronic signature is incorrect.
2. The electronic signature method based on the symmetric key as recited in claim 1, wherein: the terminal equipment initiates a signature application to an electronic signature server, and the specific process of using the shared secret key K to carry out identity verification by the electronic signature server and the terminal equipment comprises the following steps:
after receiving the signature application request, the electronic signature server sends a random number r1 to a signer applying for signature;
the signer of the application receives r1, unused shares with sequence number n the key K calculates HMAC (r1||uid||n; K), wherein UID is an application signer ID, ||represents a data connection operation;
The signer of the application selects the random number r2, r 2n and HMAC (r1||uid||n; K) sending the electronic signature to an electronic signature server;
The electronic signature server reads a shared secret key K with a serial number of n, which is shared with a signer, verifies the correctness of the HMAC (r1|UID|n; K), calculates the HMAC (r1|r2|n; K) if the HMAC is correct, and sends the HMAC to the signer;
the signer verifies the correctness of the HMAC (r1|r2|n; K), if the HMAC is correct, the identity verification of the two parties is successful, and the two parties label the shared secret key K with the sequence number n as used.
3. A symmetric key based electronic signature system for performing a symmetric key based electronic signature method as recited in claim 1, wherein: comprising the following steps:
The terminal equipment is configured to send a registration request to the electronic signature server, store a shared key K fed back by the registration request, send a signature application to the electronic signature server, verify the identity information of the electronic signature server, send the belonging electronic seal ID and the encrypted file to be signed, and receive the fed back signed file;
The electronic signature server is configured to send a registration request to the trusted center, store shared keys K n1 and K n2 fed back by the registration request, receive an applicant registration request of the terminal equipment, distribute the shared key K, verify the applicant identity of the terminal equipment, receive information sent by the terminal equipment, audit the authority of the applicant, package the electronic seal information and the applicant information to form electronic signature data, cover the electronic signature data on a file to be signed, send the file to the trusted center for verification and signature, receive the signed file passing the audit, and send the file after encryption;
The trusted center is configured to verify the registration information of the electronic signature server, distribute the shared keys K n1 and K n2, verify the identity of the electronic signature server, digitally sign the received signed file with the symmetric key K SN, generate the signed file, encrypt the signed file and send the signed file to the electronic signature server.
4. A symmetric key based electronic signature system as recited in claim 3, wherein: the trusted center is provided with a true random number digital signature key library for digital signature of electronic signature data;
Or further, the keys of the true random number digital signature key library are divided according to the length used by each digital signature, and the divided keys are numbered sequentially.
5. A symmetric key based electronic signature system as recited in claim 3, wherein: the trusted center is configured to hold each key for signing and its number until the signing validity period of the key expires;
the trusted center is configured to increase the number of signing keys of the keystore according to signing requirements.
6. A symmetric key based electronic signature system as recited in claim 3, wherein: the electronic signature server stores electronic seal file information, electronic seals and user rights of the electronic seals.
7. A symmetric key based electronic signature system as recited in claim 3, wherein: the terminal device, the electronic signature server and the trusted center are communicated through a quantum cryptography network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011639022.4A CN114697040B (en) | 2020-12-31 | 2020-12-31 | Electronic signature method and system based on symmetric key |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011639022.4A CN114697040B (en) | 2020-12-31 | 2020-12-31 | Electronic signature method and system based on symmetric key |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114697040A CN114697040A (en) | 2022-07-01 |
| CN114697040B true CN114697040B (en) | 2024-06-28 |
Family
ID=82135734
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011639022.4A Active CN114697040B (en) | 2020-12-31 | 2020-12-31 | Electronic signature method and system based on symmetric key |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114697040B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115442143B (en) * | 2022-09-05 | 2023-07-28 | 开普数智科技(广东)有限公司 | Electronic signature method, device, equipment and readable medium |
| CN115913563B (en) * | 2022-10-09 | 2023-09-29 | 鼎铉商用密码测评技术(深圳)有限公司 | Electronic signature generation method, verification method and device |
| CN115361146B (en) * | 2022-10-24 | 2023-03-10 | 中安网脉(北京)技术股份有限公司 | Electronic seal system and method compatible with multiple cryptographic algorithms |
| CN117097562B (en) * | 2023-10-18 | 2024-02-20 | 确信信息股份有限公司 | Safe centralized signature method and system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN111277417A (en) * | 2020-01-15 | 2020-06-12 | 浙江华云信息科技有限公司 | Electronic signature implementation method based on national network security technology architecture |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111641605B (en) * | 2020-05-16 | 2022-04-15 | 中信银行股份有限公司 | Electronic signature method and system based on dynamic password |
| CN111865605B (en) * | 2020-06-11 | 2023-07-21 | 天地融科技股份有限公司 | Electronic signature method and terminal, electronic signature verification method and terminal |
-
2020
- 2020-12-31 CN CN202011639022.4A patent/CN114697040B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108206831A (en) * | 2017-12-29 | 2018-06-26 | 北京书生电子技术有限公司 | Implementation method and server, the client and readable storage medium storing program for executing of E-seal |
| CN111277417A (en) * | 2020-01-15 | 2020-06-12 | 浙江华云信息科技有限公司 | Electronic signature implementation method based on national network security technology architecture |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114697040A (en) | 2022-07-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3642997B1 (en) | Secure communications providing forward secrecy | |
| US10903991B1 (en) | Systems and methods for generating signatures | |
| EP3349393B1 (en) | Mutual authentication of confidential communication | |
| RU2718689C2 (en) | Confidential communication control | |
| US11930103B2 (en) | Method, user device, management device, storage medium and computer program product for key management | |
| JP4593533B2 (en) | System and method for updating keys used for public key cryptography | |
| CN114697040B (en) | Electronic signature method and system based on symmetric key | |
| US8130961B2 (en) | Method and system for client-server mutual authentication using event-based OTP | |
| US10880100B2 (en) | Apparatus and method for certificate enrollment | |
| CN106713336B (en) | Electronic data safeguard system and method based on double, asymmetrical encryption technology | |
| US8806206B2 (en) | Cooperation method and system of hardware secure units, and application device | |
| CN114692218A (en) | Electronic signature method, equipment and system for individual user | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| CN113868684A (en) | Signature method, device, server, medium and signature system | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN108933659B (en) | An identity verification system and verification method for a smart grid | |
| CN117335989A (en) | Safety application method in internet system based on national cryptographic algorithm | |
| CN114697038B (en) | A quantum attack-resistant electronic signature method and system | |
| CN113868715B (en) | Signature method and system based on quantum key | |
| CN109104393B (en) | Identity authentication method, device and system | |
| CN114692128B (en) | A quantum attack-resistant electronic contract signing method and system | |
| CN117040905A (en) | Data encryption transmission method, device, equipment and storage medium | |
| CN120218927A (en) | A blockchain transaction method, device, equipment and medium resistant to quantum attacks | |
| CN119728092A (en) | A quantum network data encryption method, system and device based on cryptographic algorithm | |
| CN114692216A (en) | Electronic contract signing method, system, storage medium and equipment based on symmetric key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |