CN1722656B - A digital signature method and digital signature tool - Google Patents

Publication number: CN1722656B
Authority: CN (China)
Prior art keywords: signature, hardware, secret key, file, data
Legal status: Expired - Fee Related
Application number: CN 200410026787
Other languages: Chinese (zh)
Other versions: CN1722656A (en)
Inventor: 梁庆生
Current Assignee: Individual
Original Assignee: Individual
Application filed by: Individual
Priority: CN 200410026787
Events: publication of CN1722656A; application granted; publication of CN1722656B; expired (fee related)

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a digital signature method and a signature tool. The method comprises the following steps: a file to be signed is divided into a plurality of data packets, and the packets are sent to the signing hardware in batches; inside the hardware the data is mixed with the hardware ID and the current time, the mixed data is encrypted separately with each of two private keys, and the two results are output to the software; after receiving the two groups of encrypted data, the software reassembles them into a new signature file. The signature file comprises two parts: one is the ciphertext of the original text encrypted with private key one, and the other is the ciphertext of the original text encrypted with private key two. The invention has the following advantages: anyone with legitimate authority can clearly learn the content, identity, source, author, and last signing time of a signed digital file; every signed digital file is unique, that is, no two signed files are the same; and any modification made to a signed digital file can be detected.

Description

A digital signature method and digital signature tool

Technical field

The invention relates to digital signature technology, specifically to a digital signature method, and also to a digital signature tool that uses the method.

Background

With the continuing advance of technology and the spread of computers and the Internet, more and more handwritten documents are being replaced by digital files. How, then, can the identity, legitimate source, author, and last signing time of a digital file be determined? How can it be guaranteed that a digital file is unique once it has been signed? How can it be ensured that any modification made to a signed digital file can be detected? A tool and a method that provide these functions are urgently needed. At the same time, anyone with legitimate authority must be able to clearly learn the content, identity, source, author, and last signing time of the signed file. The key here is the last signing time of the file and the identity of the author, which together guarantee that every signed file is unique.

Summary of the invention

A main purpose of the invention is to provide a digital signature method with which:

1. Anyone with legitimate authority can clearly learn the content, identity, source, author, and last signing time of a signed digital file.

2. Every signed digital file is unique, that is, no two signed files are the same.

3. Any modification made to a signed digital file can be detected.

Another purpose of the invention is to provide a digital signature tool that uses the above signature method and implements its functions.

The digital signature method provided by the invention is as follows:

Signing steps:

Generating the signature file: the software divides the file to be signed into multiple data packets, sends these packets to the signing hardware in batches, and then issues an encryption command. Inside the hardware, the input data is first mixed with the hardware ID and the current time according to a certain rule; the mixed data is then encrypted separately with each of the two private keys held inside the hardware, and the two results are output to the software. After receiving the two sets of encrypted data, the software reassembles them into a new signature file. The signature file contains two parts: one is the ciphertext of the original text encrypted with private key one, and the other is the ciphertext of the original text encrypted with private key two. The newly generated signature file is thus, on top of the original text, unique with respect to hardware identity and time, and is also encrypted.

Signature verification steps:

1. Verification using the tool's own keys:

The software sends the part of the signature file that was encrypted with private key one to the hardware and then issues a decryption command, asking the hardware to decrypt it with its own private key one. The hardware decrypts the data with private key one and returns the decrypted data to the software. Next, the software sends the part of the signature file that was encrypted with private key two to the hardware and issues a decryption command, asking the hardware to decrypt it with its own private key two. The hardware decrypts the data with private key two and returns the decrypted data to the software.

The software compares the results of the two decryptions. If they differ, the file has been modified; the software can then report an error and display the places that differ. If they are identical, the signed file has not been modified. Because the data recovered by decryption contains the hardware ID, the signing time, and the original text, the software can separate these items, produce a copy of the original text of the signature file, and display the signer's identity and the signing time.

2. Verification on any other signature tool (not the signing tool itself), using the encrypted keys output by the signing hardware:

For this kind of verification, the signature tool that generated the signature file must output its encrypted private keys after generating the file (the two private keys inside the hardware are encrypted with the public key and then output).

The software first obtains the encrypted private keys of the signature tool that produced the signature file (the original signature tool) and sends them to the signature tool that is to perform the verification (the verification tool). The verification tool decrypts the input encrypted keys with the public key, recovering the two private keys of the original signature tool. The verification tool can then use the original signature tool's private keys to verify files signed by the original signature tool. The verification method is the same as above and is not repeated here.

3. Verification on a designated signature tool, using keys encrypted with a random number and output by the signing hardware:

The biggest difference between this verification method and the previous one is that a signature tool that has not been authorized cannot perform the verification. This increases the security of the signed file: theft of the output encrypted keys does not lead to the signature file being viewed by unauthorized persons.

1. The authorized signature tool (the authorized tool) first generates a random number, mixes it with its own ID according to a certain rule, encrypts the result with the public key, and outputs the encrypted data.

2. The software sends this encrypted data to the original signature tool. The original signature tool decrypts it with the public key, recovering the random number and the authorized tool's ID, then encrypts its own private keys with the random number and outputs the encrypted private keys together with the authorized tool's ID. When the software receives the encrypted private keys, it displays the authorized tool's ID to the user so that the user can verify its identity.

3. The software sends the keys encrypted with the random number to the authorized tool. The authorized tool decrypts them with the random number it generated, recovering the two private keys of the original signature tool. The verification tool can then use the original signature tool's private keys to verify files signed by the original signature tool. The verification method is the same as above.

A digital signature tool using the above digital signature method is provided. It comprises a tool housing and a microcontroller arranged in the housing. The housing also contains the following units, which exchange information with the microcontroller: a hardware encryption algorithm unit and decryption algorithm unit, a unique ID number generation unit, at least one public key unit, at least two private keys, a random number generator unit, a random number storage area unit, and a clock counter unit. The housing is also provided with a peripheral interface for communicating with peripheral devices and a long-term power supply.

The signature tool provided by the invention has the following advantages:

1. It cannot be copied: the hardware cannot be fully duplicated (except by the issuing authority), which guarantees the uniqueness of the hardware at the hardware level.

2. The hardware is a black box and can be built from a device such as a smart card or a microcontroller.

3. The hardware can have built-in hardware encryption and decryption algorithms, or can use software encryption and decryption algorithms.

4. The hardware contains a unique ID number, which serves as proof of the hardware's identity.

5. The hardware contains one or more public keys.

6. The hardware contains two or more private keys.

7. The hardware has a peripheral interface for communicating with peripheral devices.

8. The hardware has a long-term power supply system (for example, battery power) and a backup power supply system, and may have a charge indicator.

9. The clock inside the hardware cannot be modified or set (except by the issuing authority); it is set by the issuing authority at the factory to be synchronized with international time.

10. Once the hardware loses power it becomes invalid immediately: no operation can be performed on it, even after power is restored. This guarantees that the hardware clock cannot be illegitimately modified.

11. The hardware contains a random number generator for generating random numbers.

12. The hardware contains a random number storage area for storing recently generated random numbers.

The internal system of the hardware also has the following functions:

When an encrypt-data command is issued externally, the hardware first mixes the current hardware clock and the hardware ID with the input data to be encrypted according to a certain rule, producing a new set of data to be encrypted. It then encrypts this mixed data separately with the built-in private key one and private key two, producing two different sets of encrypted data, and outputs them to the peripheral device. For example: suppose the encryption block is 128 bits and the data to be encrypted is 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08. The internal system takes the system clock (the number of milliseconds elapsed since a fixed point in time), assumed to be 0x45, 0x67, 0x89, 0x10, and the hardware's unique internal ID, assumed to be 0x01, 0x02, 0x03, 0x04, and assembles these into one 128-bit block. It then encrypts this block with private key one (pkey1) and with private key two (pkey2), producing two sets of encrypted data. When each set is correctly decrypted, both contain the hardware ID and the signing time.

1. When a command to encrypt the keys pkey1 and pkey2 is issued externally, the internal system encrypts pkey1 and pkey2 separately with the public key ckey1 and outputs them to the peripheral system.

2. When an external command asks the hardware to output a random number, the internal system encrypts the generated random number with the public key ckey1 and outputs it.

3. When a command to encrypt pkey1 and pkey2 with random data is issued externally, the internal system encrypts pkey1 and pkey2 separately with the public key ckey1, producing a set of encrypted data, then encrypts that data again with the input random data and outputs the result to the peripheral system.

4. When an external request asks for data to be decrypted with the hardware's own keys, the hardware decrypts the two input sets of block data with private key one (pkey1) and private key two (pkey2) respectively, then compares the two decrypted sets of data and outputs the result.

5. When an external request asks for data to be decrypted with input encrypted keys, the internal system first decrypts the input encrypted private key one and private key two with the public key, then uses these two private keys to decrypt the two input sets of encrypted block data, then compares the two decrypted sets of data and outputs the result.

6. When an external request asks for data to be decrypted using the random data in the hardware and input encrypted keys, the internal system first uses the public key in the hardware to decrypt the input encrypted random key, then uses that random data to decrypt the input encrypted keys, then uses the public key to decrypt the input encrypted private key one and private key two, then uses these two private keys to decrypt the two input sets of encrypted block data, then compares the two decrypted sets of data and outputs the result.

7. When the hardware is asked externally to output its own ID, the internal system outputs its ID to the peripheral system.

9. To prevent a lost or stolen signature tool from being misused by others to sign, the hardware can require a password or some other form of verification before it will operate.

In addition to the hardware, there is software that operates the hardware. The software must implement the following functions:

1. Issue a command asking the hardware to encrypt the input data, then process the two sets of output data.

2. Issue a command asking the hardware to encrypt the private keys inside the hardware, then process the output data.

3. Issue a command asking the hardware to output the encrypted random key.

4. Issue a command asking the hardware to encrypt the pkey1 and pkey2 keys with random data, then process the output data.

5. Issue a command asking the hardware to decrypt data with its own keys, then process the two sets of output data.

6. Issue a command asking for data to be decrypted with the input encrypted keys, then process the two sets of output data.

7. Issue a command asking for data to be decrypted using the random data in the hardware and the input encrypted keys, then process the two sets of output data.

8. Read out the hardware's unique internal ID.

Description of the drawings

Fig. 1 is a block diagram of the components of the digital signature tool of the invention;

Fig. 2 is a circuit schematic of the digital signature tool;

Fig. 3 is a block diagram of the workflow of the digital signature method of the invention.

Detailed description

The structure of the digital signature tool is shown in Fig. 1 and Fig. 2. A microcontroller is arranged in the tool housing. The housing also contains the following units, which exchange information with the microcontroller: a hardware encryption algorithm unit and decryption algorithm unit, a unique ID number generation unit, one or more public key units, two or more private keys, a random number generator unit, a random number storage area unit, and a clock counter unit. The housing is also provided with a peripheral interface for communicating with peripheral devices and a long-term power supply.

The working principle of the digital signature method of the invention is further described below with reference to Fig. 3:

Signing flow:

Generating the signature file: the software divides the file to be signed into multiple data packets, sends these packets to the signing hardware in batches, and then issues an encryption command. Inside the hardware, the input data is first mixed with the hardware ID and the current time according to a certain rule; the mixed data is then encrypted separately with each of the two private keys held inside the hardware, and the two results are output to the software. After receiving the two sets of encrypted data, the software reassembles them into a new signature file. The signature file contains two parts: one is the ciphertext of the original text encrypted with private key one, and the other is the ciphertext of the original text encrypted with private key two. The newly generated signature file is thus, on top of the original text, unique with respect to hardware identity and time, and is also encrypted.

Signature verification flow:

Verification using the tool's own keys:

The software sends the part of the signature file that was encrypted with private key one to the hardware and then issues a decryption command, asking the hardware to decrypt it with its own private key one. The hardware decrypts the data with private key one and returns the decrypted data to the software.

Next, the software sends the part of the signature file that was encrypted with private key two to the hardware and issues a decryption command, asking the hardware to decrypt it with its own private key two. The hardware decrypts the data with private key two and returns the decrypted data to the software.

The software compares the results of the two decryptions. If they differ, the file has been modified; the software can then report an error and display the places that differ. If they are identical, the signed file has not been modified. Because the data recovered by decryption contains the hardware ID, the signing time, and the original text, the software can separate these items, produce a copy of the original text of the signature file, and display the signer's identity and the signing time.

Verification on any other signature tool (not the signing tool itself), using the encrypted keys output by the signing hardware:

For this kind of verification, the signature tool that generated the signature file must output its encrypted private keys after generating the file (the two private keys inside the hardware are encrypted with the public key and then output).

The software first obtains the encrypted private keys of the signature tool that produced the signature file (the original signature tool) and sends them to the signature tool that is to perform the verification (the verification tool). The verification tool decrypts the input encrypted keys with the public key, recovering the two private keys of the original signature tool. The verification tool can then use the original signature tool's private keys to verify files signed by the original signature tool. The verification method is the same as above and is not repeated here.

Verification on a designated signature tool, using keys encrypted with a random number and output by the signing hardware:

The biggest difference between this verification method and the previous one is that a signature tool that has not been authorized cannot perform the verification. This increases the security of the signed file: theft of the output encrypted keys does not lead to the signature file being viewed by unauthorized persons.

The authorized signature tool (the authorized tool) first generates a random number, mixes it with its own ID according to a certain rule, encrypts the result with the public key, and outputs the encrypted data.

The software sends this encrypted data to the original signature tool. The original signature tool decrypts it with the public key, recovering the random number and the authorized tool's ID, then encrypts its own private keys with the random number and outputs the encrypted private keys together with the authorized tool's ID. When the software receives the encrypted private keys, it displays the authorized tool's ID to the user so that the user can verify its identity.

The software sends the keys encrypted with the random number to the authorized tool. The authorized tool decrypts them with the random number it generated, recovering the two private keys of the original signature tool. The verification tool can then use the original signature tool's private keys to verify files signed by the original signature tool. The verification method is the same as above and is not repeated here.

The private keys, hardware IDs, and confirmation of the identity of hardware applicants are allocated and managed centrally by an issuing authority, which guarantees the uniqueness of the private keys and hardware IDs.
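The signing flow and the own-key verification described above, as an added example (not code from the patent): a software model of the token that packs 8 data bytes, a 4-byte clock and a 4-byte hardware ID into one 128-bit block, encrypts it under two keys, and verifies by decrypting both parts and comparing them. The patent names no cipher, mixing rule or padding, so the HMAC-based Feistel cipher, the field order, the padding, and all class, function and key names here are assumptions.

```python
import hashlib
import hmac
import struct

BLOCK = 16           # 128-bit block, as in the patent's worked example
DATA_PER_BLOCK = 8   # 8 data bytes + 4 clock bytes + 4 hardware-ID bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher (assumption: the patent names no algorithm).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    """Encrypt one 16-byte block with an 8-round Feistel network."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key, block):
    """Inverse of encrypt_block: run the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class SigningToken:
    """Hypothetical model of the signing hardware; all names are illustrative."""

    def __init__(self, hw_id, pkey1, pkey2, clock_ms):
        self.hw_id, self.clock_ms = hw_id, clock_ms
        self._pkey1, self._pkey2 = pkey1, pkey2   # held inside the token

    def sign_packet(self, data):
        # Assumed "mixing rule": data || clock || hardware ID.
        block = data + struct.pack(">I", self.clock_ms) + self.hw_id
        return encrypt_block(self._pkey1, block), encrypt_block(self._pkey2, block)

    def verify_packet(self, c1, c2):
        # Decrypt each part with its own key; the plaintexts must be identical.
        p1 = decrypt_block(self._pkey1, c1)
        p2 = decrypt_block(self._pkey2, c2)
        return p1 if hmac.compare_digest(p1, p2) else None


def sign_file(token, data):
    """Software side: split into packets and build the two-part signature file."""
    pad = DATA_PER_BLOCK - len(data) % DATA_PER_BLOCK   # assumed padding scheme
    data += bytes([pad]) * pad
    part1, part2 = b"", b""
    for off in range(0, len(data), DATA_PER_BLOCK):
        c1, c2 = token.sign_packet(data[off:off + DATA_PER_BLOCK])
        part1, part2 = part1 + c1, part2 + c2
    return part1, part2


def verify_file(token, part1, part2):
    """Return (original text, hardware ID, clock) or None if the parts disagree."""
    if not part1 or len(part1) != len(part2) or len(part1) % BLOCK:
        return None
    text, stamp = b"", b""
    for off in range(0, len(part1), BLOCK):
        plain = token.verify_packet(part1[off:off + BLOCK], part2[off:off + BLOCK])
        if plain is None:
            return None          # mismatch: the file was modified
        text, stamp = text + plain[:DATA_PER_BLOCK], plain[DATA_PER_BLOCK:]
    pad = text[-1]
    if not 1 <= pad <= DATA_PER_BLOCK or text[-pad:] != bytes([pad]) * pad:
        return None
    return text[:-pad], stamp[4:], struct.unpack(">I", stamp[:4])[0]


if __name__ == "__main__":
    # Constructed sample values; clock and ID bytes follow the patent's example.
    token = SigningToken(bytes([1, 2, 3, 4]), bytes(range(16)),
                         bytes(range(16, 32)), 0x45678910)
    p1, p2 = sign_file(token, b"contract v1: pay 100")
    print(verify_file(token, p1, p2))
    print(verify_file(token, bytes([p1[0] ^ 1]) + p1[1:], p2))
```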

Claims (3)

1. a digital signature method is characterized in that, comprises the steps:
Signature step:
Generate signature file earlier: the file that software will be signed is divided into a plurality of packets, then these packets is sent in batches in the signature hardware, sends encrypted instruction then; At first mix with hardware ID and current time the data of input hardware inside according to certain rule, use two privately owned secret keys of hardware inside respectively mixed data to be encrypted then, export to software then respectively, after software receives this two set of encrypted data, these data are reorganized into a new signature file again; This signature file comprises two parts, and a part is by a pair of original text encrypted ciphertext of privately owned secret key, and another part is by two pairs of original text encrypted ciphertext of privately owned secret key; This newly-generated signature file just has the uniqueness based on hardware identity and time on the basis of original text, also have encryption feature simultaneously;
The certifying signature step: described signature verification step is chosen any one kind of them from following three kinds of verification steps:
1) use self secret key to verify:
The part of being encrypted by privately owned secret key one of the file that software will be signed is sent in the hardware, sends decryption instructions then, requires hardware to use a pair of its of privately owned secret key of self to be decrypted; Hardware inside will use privately owned secret key one that the data of sending into are decrypted, and the data after will deciphering then return to software;
The part that the file that software will be signed is encrypted by privately owned secret key two is sent in the hardware, sends decryption instructions then, requires hardware to use the privately owned secret key two of self that it is decrypted; Hardware is inner to use privately owned secret key two that the data of sending into are decrypted, and the data after will deciphering then return to software;
Software compares the result of twice deciphering in front and back, if inequality, the expression file is modified, and the prompting mistake shows different places; If it is identical, file behind the expression signature is not modified, decipher the time and the original textual content that include the ID of hardware in the back data of reducing and signing when, software comes out these data separating, generate the original text copy of this signature file, the time when showing signer identity and signature simultaneously;
2) use the cryptographic keys of exporting by signature hardware on any one signature instrument, to verify:
When carrying out the certifying signature file, the signature instrument that generates signature file must be exported the privately owned secret key of its encryption after generating signature file, use publicly-owned secret key that two privately owned secret keys in the hardware are encrypted, then output;
Privately owned secret key after the signature instrument that software at first obtains this signature file is encrypted, the signature instrument of this signature file is called for short former signature instrument, privately owned secret key after will encrypting is then sent into the signature instrument that will verify, use of the cryptographic keys deciphering of publicly-owned secret key by verification tool to input, generate two privately owned secret keys of former signature instrument, like this, verification tool just can use the privately owned secret key of former signature instrument that the file of being signed by former signature instrument is verified that verification method is the same;
3) Verification on a designated signature tool, using keys exported by the signing hardware and encrypted with a random number: the authorised signature tool first generates a random number, mixes this random number with its own ID according to a certain rule, encrypts the result with the public key, and then outputs the encrypted data;
The software sends the output encrypted data to the original signature tool. The original signature tool decrypts these data with the public key, recovering the random number and the authorised tool's ID, then uses the random number to encrypt the private keys in the original signature tool and outputs the encrypted private keys together with the authorised tool's ID. When the software receives the encrypted private keys, it displays the authorised tool's ID to the user so that its identity can be verified;
The software sends the keys encrypted with the random number into the authorised tool. The authorised tool uses the random number it generated to decrypt the encrypted keys, producing the two private keys of the original signature tool; the verification tool then uses the private keys of the original signature tool to verify files signed by the original signature tool.
2. A digital signature tool employing the digital signature method according to claim 1, characterised in that it comprises a tool box body and a single-chip microcomputer arranged in the box body; the box body also contains the following hardware units, which exchange information with said single-chip microcomputer: a hardware encryption algorithm unit and decryption algorithm unit, a unique ID generating unit, at least one public key unit, at least two private key units, a random number generator unit, a random number storage area unit, and a clock counter unit; the box body is also provided with a peripheral interface for communicating with peripheral equipment and a long-term power supply device.
3. The digital signature tool according to claim 2, characterised in that a plurality of public key units and a plurality of private key units are provided in said box body.
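The key export of verification mode 3) in claim 1, traced end to end as an added example that is not part of the patent text. The SHA-256 keystream cipher, plain concatenation as the "mixing" rule, and all tool IDs and key values are assumptions constructed for illustration, since the claims name no algorithm or format.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)  # the same call encrypts and decrypts

# The claim's "public key": one key held inside every tool (constructed value).
SHARED_KEY = b"constructed-shared-key"
RAND_LEN = 16

class Tool:
    def __init__(self, tool_id: bytes, private_keys=None):
        self.tool_id = tool_id
        self.private_keys = private_keys  # the two private keys of a signing tool
        self.rand = None                  # random number storage area

    def make_request(self) -> bytes:
        """Authorised tool: random number mixed with own ID, encrypted with the shared key."""
        self.rand = secrets.token_bytes(RAND_LEN)
        return keystream_xor(SHARED_KEY, self.rand + self.tool_id)  # mixing = concatenation (assumption)

    def export_keys(self, request: bytes):
        """Original tool: recover random number and ID, encrypt both private keys with the random number."""
        plain = keystream_xor(SHARED_KEY, request)
        rand, requester_id = plain[:RAND_LEN], plain[RAND_LEN:]
        wrapped = keystream_xor(rand, b"".join(self.private_keys))
        return wrapped, requester_id  # the software displays requester_id to the user

    def import_keys(self, wrapped: bytes):
        """Authorised tool: decrypt with the random number it generated itself."""
        plain = keystream_xor(self.rand, wrapped)
        half = len(plain) // 2
        return plain[:half], plain[half:]

def run_exchange():
    original = Tool(b"TOOL-A01", (secrets.token_bytes(16), secrets.token_bytes(16)))
    authorised = Tool(b"TOOL-B02")
    other = Tool(b"TOOL-C03")
    other.make_request()  # a third tool holds a different random number
    wrapped, shown_id = original.export_keys(authorised.make_request())
    return original.private_keys, authorised.import_keys(wrapped), other.import_keys(wrapped), shown_id

if __name__ == "__main__":
    print("ID shown to the user:", run_exchange()[3].decode())
```

Only the tool that generated the random number recovers the two private keys; the ID displayed in the second step is the one check the claim gives the user on which tool that is.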
CN 200410026787 2004-04-08 2004-04-08 A digital signature method and digital signature tool Expired - Fee Related CN1722656B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410026787 CN1722656B (en) 2004-04-08 2004-04-08 A digital signature method and digital signature tool

Publications (2)

Publication Number Publication Date
CN1722656A (en) 2006-01-18
CN1722656B (en) 2010-05-26

Family

ID=35912638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410026787 Expired - Fee Related CN1722656B (en) 2004-04-08 2004-04-08 A digital signature method and digital signature tool

Country Status (1)

Country Link
CN (1) CN1722656B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364869B (en) * 2007-08-09 2012-03-28 鸿富锦精密工业(深圳)有限公司 Electronic document encryption system and method
CN103237010B (en) * 2010-10-25 2016-12-28 北京中科联众科技股份有限公司 The server end of digital content is cryptographically provided
JP2015501110A (en) * 2011-12-15 2015-01-08 トムソン ライセンシングThomson Licensing Group encryption method and device
CN106161037B (en) * 2016-08-19 2019-05-10 北京小米移动软件有限公司 Digital signature method and device
CN107017995B (en) * 2017-04-21 2019-06-07 广东信鉴信息科技有限公司 Mixing signature and sign test method, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1342007A (en) * 2000-09-05 2002-03-27 深圳市中兴集成电路设计有限责任公司 New scrambler
WO2002073877A2 (en) * 2001-03-09 2002-09-19 Pascal Brandys System and method of user and data verification
US20020138732A1 (en) * 2001-03-23 2002-09-26 Irvin David R. Methods, systems and computer program products for providing digital signatures in a network environment
CN1416237A (en) * 2002-10-01 2003-05-07 齐宇庆 Encryption method and device

Also Published As

Publication number Publication date
CN1722656A (en) 2006-01-18

Similar Documents

Publication Publication Date Title
CN102427449B (en) Trusted mobile storage method based on security chips
US10142107B2 (en) Token binding using trust module protected keys
CN101019369B (en) Method for delivering direct proof private key to device using online service
CN101651543B (en) Creditable calculation platform key migration system and key migration method thereof
CN101112035B (en) File encryption and decryption method, file encryption and decryption device
CN100468438C (en) Encryption and decryption methods that implement hardware and software binding
CN103580855B (en) Usbkey management method based on sharing technology
CN101640590B (en) Method for obtaining identification cipher algorithm private key and cipher center
RU2584500C2 (en) Cryptographic authentication and identification method with real-time encryption
SE514105C2 (en) Secure distribution and protection of encryption key information
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
CN201518127U (en) Encrypted mobile memory based on password authentication
WO2005022288A2 (en) Security token
CN102271037A (en) Key protectors based on online keys
CN106953732B (en) Key management system and method for chip card
CN110958219A (en) SM2 proxy re-encryption method and device for medical cloud shared data
CN102801730A (en) Information protection method and device for communication and portable devices
CN101938354B (en) Key distribution method based on modular exponentiation and application thereof
CN105184181B (en) File encryption method, file decryption method and file encryption device
CN102299793A (en) Certificate authentication system based on trusted computing password support platform
CN103560892A (en) Secret key generation method and secret key generation device
CN115801232B (en) A method, apparatus, device, and storage medium for protecting private keys.
CN104954137A (en) Method of virtual machine security certification based on domestic password technique
CN102270182B (en) Encrypted mobile storage equipment based on synchronous user and host machine authentication
CN1722656B (en) A digital signature method and digital signature tool

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100526

Termination date: 20130408