CN112766962A - Method for receiving and sending certificate, transaction system, storage medium and electronic device - Google Patents
- Publication number
- CN112766962A (CN202110075996.2A)
- Authority
- CN
- China
- Prior art keywords
- user terminal
- certificate
- hardware
- characteristic information
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Physics & Mathematics (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Economics (AREA)
- Marketing (AREA)
- Technology Law (AREA)
- Development Economics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The embodiment of the invention provides a certificate receiving and sending method, a transaction system, a storage medium and an electronic device. In the certificate receiving method, a user terminal generates first hardware characteristic information according to acquired hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm; the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and the private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key; the user terminal sends a certificate request to the server so that the server verifies the certificate application information, applies to the authentication terminal for a certificate by using the public key and pre-acquired user registration information, receives the certificate sent by the authentication terminal, and stores the certificate and the first hardware characteristic information; the user terminal deletes its first hardware characteristic information after sending the certificate request; and the user terminal receives the certificate sent by the server.
Description
Technical Field
The present invention relates to the field of communications, and in particular, to a method for receiving and sending a certificate, a transaction system, a storage medium, and an electronic device.
Background
In various services (for example, transaction programs) of financial institutions such as banks, a signature verification mechanism of a digital certificate system is used. Digital certificates can be classified into hard certificates (i.e., medium certificates) and soft certificates (i.e., file certificates) according to their storage media: a digital certificate stored on a hardware security medium (e.g., hardware) is called a hard certificate, and one stored in the form of an electronic file is called a soft certificate. A soft certificate does not need a digital certificate medium, which means that if its use is not limited, it can be operated on any computer and can be used simply by downloading and importing it, so that it carries security risks such as being copied and abused. In addition, if the computer storing the soft certificate is compromised, the soft certificate also risks being compromised. It should be noted that, in general, the soft and hard certificates contain the private key of the user, and if the private key is copied, stolen and abused, very serious security accidents can be caused.
At present, there are some solutions to the problems of copying, stealing and abusing the file certificate/user private key, for example, using a PIN code (Personal Identification Number), a password, a symmetric key, etc. to perform encrypted storage during the use of the file certificate/user private key. This approach mainly has the following disadvantages: firstly, PIN codes, passwords and the like are easy to acquire through brute force cracking and other forms; secondly, if the key for symmetrically encrypting the file certificate is stored locally, the risk of being stolen still exists; thirdly, where the file certificate is symmetrically encrypted and then stored locally while the symmetric key is stored in the server, the key needs to be obtained from the server to decrypt the file certificate before each transaction, and obtaining sensitive information such as the key from the server requires identity authentication or authority verification, which is itself the task the digital certificate is meant to perform, and the key is easy for an attacker to obtain during key transmission through eavesdropping and the like.
It can be seen that the private key in the related art is easily copied, stolen, and abused, which results in insecurity of the transaction process.
Disclosure of Invention
The embodiment of the invention provides a method for receiving and sending a certificate, a transaction system, a storage medium and an electronic device, which are used for at least solving the problem of insecurity of a transaction process caused by the fact that a private key is easily copied, stolen and abused in the related technology.
According to an embodiment of the present invention, there is provided a method for receiving a certificate, which is applied to a user terminal, and includes:
the user terminal acquires the hardware characteristics of the user terminal, generates first hardware characteristic information according to the acquired hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm;
the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and a private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key;
the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, a public key in the public and private key pair and the first hardware characteristic information of the user terminal, so that the server verifies the certificate application information, uses the public key and pre-acquired user registration information to apply a certificate to an authentication terminal, receives the certificate sent by the authentication terminal, and stores the certificate and the first hardware characteristic information;
the user terminal deleting the first hardware characteristic information of the user terminal after sending the certificate request;
and the user terminal receives the certificate sent by the server.
Illustratively, after the user terminal receives the certificate sent by the server, the method further includes:
the user terminal acquires a message to be signed;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value, so that the server verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server and the message received by the server.
Illustratively, the first hardware characteristic information is a hash value of the hardware characteristic;
illustratively, the certificate application information includes a certificate serial number and an authorization code;
illustratively, the hardware features include at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
The embodiment also provides a method for sending a certificate, which is applied to a server and includes:
the server receives a certificate request sent by a user terminal, wherein the certificate request indicates certificate application information, a public key and first hardware characteristic information of the user terminal; the first hardware characteristic information is generated by the user terminal acquiring its own hardware characteristics and according to the acquired hardware characteristics; the public key is included in a public and private key pair generated by the user terminal; the user terminal also generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm, generates a ciphertext according to the first symmetric key and a private key of the public and private key pair, and stores the ciphertext; the user terminal does not store the first symmetric key, the private key and the first hardware characteristic information, wherein the public and private key pair comprises a public key and a private key;
the server side verifies the certificate application information, applies a certificate to an authentication side by using the public key and the pre-acquired user registration information, receives the certificate sent by the authentication side, and stores the certificate and the first hardware characteristic information;
and the server side sends the certificate to the user terminal.
In an exemplary embodiment, after the server sends the certificate to the user terminal, the method further includes:
receiving a signature message sent by the user terminal, wherein the signature message indicates identity information, a message and a signature value of a user, the signature value is obtained by the user terminal acquiring hardware characteristics of the user terminal again, generating first hardware characteristic information according to the acquired hardware characteristics, generating a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm, decrypting the ciphertext stored by the user terminal according to the second symmetric key to obtain a private key, and signing the message to be signed and the first hardware characteristic information according to the private key;
and the server side verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side.
In an exemplary embodiment, the first hardware characteristic information is a hash value of the hardware characteristic;
in an exemplary embodiment, the certificate application information includes a certificate serial number and an authorization code;
in an exemplary embodiment, the hardware features include at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
The present embodiment also provides a transaction system, including:
a server and a user terminal, wherein,
the user terminal acquires the hardware characteristics of the user terminal, generates first hardware characteristic information according to the acquired hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm;
the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and a private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key;
the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, a public key in the public and private key pair and the first hardware characteristic information of the user terminal;
the user terminal deleting the first hardware characteristic information of the user terminal after sending the certificate request;
the server side verifies the certificate application information, applies a certificate to an authentication side by using the public key and the pre-acquired user registration information, receives the certificate sent by the authentication side, and stores the certificate and the first hardware characteristic information;
the server side sends the certificate to the user terminal;
and the user terminal receives the certificate sent by the server.
In an exemplary embodiment, after receiving a certificate sent by the server, the user terminal obtains a message to be signed;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value;
and the server side verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side.
According to a further embodiment of the present invention, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to carry out the steps of any of the above-described method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory and a processor, the memory having a computer program stored therein, the processor being configured to execute the computer program to implement the steps in any of the above method embodiments.
According to the embodiment of the invention, the user terminal acquires the hardware characteristics of the user terminal, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates the first symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm; the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and the private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key; the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, the public key in the public and private key pair and the first hardware characteristic information of the user terminal, so that the server verifies the certificate application information, applies to an authentication end for a certificate by using the public key and pre-acquired user registration information, receives the certificate sent by the authentication end, and stores the certificate and the first hardware characteristic information; the user terminal deletes the first hardware characteristic information of the user terminal after sending the certificate request; and the user terminal receives the certificate sent by the server.
Because the user terminal stores only the ciphertext generated by encrypting according to the symmetric key and the private key, and stores neither the private key nor the symmetric key on its own, and because the symmetric key is generated according to the hardware characteristics of the user terminal and is therefore bound to the user terminal, the private key is prevented from being directly copied and stolen; even if the ciphertext is copied and stolen, it is generated according to the hardware characteristics of the user terminal and is difficult to use on other terminals, so that the security of transactions can be ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware configuration of an arithmetic device of a certificate receiving method according to an embodiment of the present invention;
fig. 2 is a flowchart of a certificate receiving method according to an embodiment of the present invention;
fig. 3 is a flowchart of a method of transmitting a certificate according to an embodiment of the present invention;
FIG. 4 is a block diagram of the architecture of a transaction system according to an embodiment of the invention;
FIG. 5 is a schematic diagram of an asymmetric encryption algorithm according to an example embodiment of the present invention;
FIG. 6 is a schematic diagram of a PKI architecture in accordance with an exemplary embodiment of the present invention;
FIG. 7 is a schematic diagram of a digital certificate generation flow according to an example embodiment of the present invention;
FIG. 8 is a schematic diagram of a system architecture deployment architecture according to an example embodiment of the present invention;
FIG. 9 is a digital certificate issuance flow diagram according to an exemplary embodiment of the present invention;
FIG. 10 is a schematic diagram of a signature verification flow according to an example embodiment of the invention;
FIG. 11 is a schematic diagram of a bank-enterprise direct private cloud deployment scenario, according to an example embodiment of the present invention;
FIG. 12 is a digital certificate issuance flow diagram for a bank-enterprise direct private cloud deployment scenario, according to an example embodiment of the present invention;
fig. 13 is a schematic signature verification flow diagram of a bank-enterprise direct private cloud deployment scenario according to an example embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example 1
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, a server, or a similar computing device. Taking an operation on an arithmetic device as an example, fig. 1 is a block diagram of a hardware configuration of an arithmetic device of a certificate receiving method according to an embodiment of the present invention. As shown in fig. 1, the computing device 10 may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input/output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is merely an illustration, and the structure of the above-described arithmetic device is not limited thereto. For example, the computing device 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used for storing computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the certificate receiving method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computing device 10 over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network may include a wireless network and a wired network provided by a communication provider of the computing device 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a method for receiving a certificate running on the above-mentioned computing device is provided, which can be applied to a user terminal. Fig. 2 is a flowchart of a method for receiving a certificate according to an embodiment of the present invention. As shown in fig. 2, the flow includes the following steps:
step S202, the user terminal obtains the hardware characteristics of the user terminal, generates first hardware characteristic information according to the obtained hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm;
step S204, the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and a private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key;
step S206, the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, a public key in the public and private key pair and the first hardware characteristic information of the user terminal, so that the server verifies the certificate application information, uses the public key and pre-acquired user registration information to apply a certificate to an authentication terminal, receives the certificate sent by the authentication terminal, and stores the certificate and the first hardware characteristic information;
step S208, the user terminal deletes the first hardware characteristic information of the user terminal after sending the certificate request;
step S210, the user terminal receives the certificate sent by the server.
Through the steps of the embodiment of the invention, the user terminal acquires the hardware characteristics of the user terminal, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates the first symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm; the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and the private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key; the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, the public key in the public and private key pair and the first hardware characteristic information of the user terminal, so that the server verifies the certificate application information, applies to an authentication end for a certificate by using the public key and pre-acquired user registration information, receives the certificate sent by the authentication end, and stores the certificate and the first hardware characteristic information; the user terminal deletes the first hardware characteristic information of the user terminal after sending the certificate request; and the user terminal receives the certificate sent by the server.
Because the user terminal stores only the ciphertext generated by encrypting according to the symmetric key and the private key, and stores neither the private key nor the symmetric key on its own, and because the symmetric key is generated according to the hardware characteristics of the user terminal and is therefore bound to the user terminal, the private key is prevented from being directly copied and stolen; even if the ciphertext is copied and stolen, it is generated according to the hardware characteristics of the user terminal and is difficult to use on other terminals, so that the security of transactions can be ensured.
Illustratively, after the user terminal receives the certificate sent by the server, the method further includes:
the user terminal obtains a message to be signed;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value, so that the server verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server and the message received by the server.
Illustratively, the first hardware characteristic information is a hash value of the hardware characteristic;
illustratively, the certificate application information includes a certificate serial number and an authorization code;
illustratively, the hardware features include at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
The present embodiment further provides a method for sending a certificate, which is applied to a server, and fig. 3 is a flowchart of the method for sending a certificate according to the embodiment of the present invention, as shown in fig. 3, including:
step S301, the server receives a certificate request sent by a user terminal, where the certificate request indicates certificate application information, a public key, and first hardware feature information of the user terminal, the first hardware feature information is generated by the user terminal obtaining its own hardware feature and according to the obtained hardware feature, the public key is included in a public-private key pair generated by the user terminal, the user terminal further generates a first symmetric key according to the first hardware feature information by using a first symmetric key algorithm, generates a ciphertext according to the first symmetric key and a private key in the public-private key pair, and stores the ciphertext, and the user terminal does not store the first symmetric key, the private key, and the first hardware feature information, where the public-private key pair includes a public key and a private key;
step S303, the server verifies the certificate application information, applies for a certificate to an authentication end by using the public key and pre-acquired user registration information, receives the certificate sent by the authentication end, and stores the certificate and the first hardware characteristic information;
step S305, the server sends the certificate to the user terminal.
In an exemplary embodiment, after the server sends the certificate to the user terminal, the method further includes:
receiving a signature message sent by the user terminal, wherein the signature message indicates identity information, a message and a signature value of a user, the signature value is obtained by the user terminal acquiring hardware characteristics of the user terminal again, generating first hardware characteristic information according to the acquired hardware characteristics, generating a second symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm, decrypting a ciphertext stored by the user terminal according to the second symmetric key to obtain a private key, and signing the message to be signed and the first hardware characteristic information according to the private key;
the server side uses the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side to verify the signature message.
In an exemplary embodiment, the first hardware characteristic information is a hash value of the hardware characteristic;
in an exemplary embodiment, the certificate application information includes a certificate serial number and an authorization code;
in an exemplary embodiment, the hardware feature includes at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
The embodiment further provides a transaction system, and fig. 4 is a block diagram of a structure of a transaction system according to an embodiment of the present invention, as shown in fig. 4, including:
a server 42, a user terminal 44, wherein,
the user terminal 44 acquires its own hardware feature, generates first hardware feature information according to the acquired hardware feature, and generates a first symmetric key according to the first hardware feature information by using a first symmetric key algorithm;
the user terminal 44 generates a public-private key pair, and generates a ciphertext from the first symmetric key and a private key of the public-private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public-private key pair includes a public key and a private key;
the user terminal 44 sends a certificate request to the server 42, where the certificate request indicates certificate application information, a public key in the public-private key pair, and the first hardware feature information of the user terminal;
the user terminal 44 deleting the first hardware characteristic information of the user terminal after sending the certificate request;
the server 42 verifies the certificate application information, applies for a certificate to the authentication end by using the public key and the pre-acquired user registration information, receives the certificate sent by the authentication end, and stores the certificate and the first hardware characteristic information;
the server 42 sends the certificate to the user terminal 44;
the user terminal 44 receives the certificate sent by the server 42.
Through the system of the embodiment of the invention, the user terminal only stores the ciphertext generated by encrypting according to the symmetric key and the private key finally, the independent private key and the independent symmetric key are not stored, and the symmetric key is generated according to the hardware characteristic of the user terminal and is in binding and association relationship with the user terminal, so that the situation that the private key is directly copied and stolen is prevented, and even if the ciphertext is copied and stolen, the ciphertext is generated according to the hardware characteristic of the user terminal and is difficult to use on other terminals, so that the safety of transaction can be ensured.
In an exemplary embodiment, after receiving a certificate sent by the server, the user terminal obtains a message to be signed;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value;
the server side uses the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side to verify the signature message.
Example embodiments
The following further explains embodiments of the present invention with reference to specific implementation scenarios.
Fig. 5 is a schematic diagram of an asymmetric encryption algorithm according to an exemplary embodiment of the present invention. As shown in fig. 5, asymmetric encryption algorithms are a foundation of computer communication security and play an important role in protecting data. Encryption and decryption may use different rules, as long as a certain correspondence exists between the two rules. The process can be briefly described as follows: Alice generates two keys (a public key and a private key) according to an algorithm, where the private key is kept secret and the public key is public, for use by others who communicate with her; B obtains Alice's public key and uses it to encrypt the information; Alice receives the information encrypted by B and decrypts it with her private key, completing the communication.
PKI (Public Key Infrastructure) is a general-purpose security infrastructure that implements and provides security services based on asymmetric cryptography, with data confidentiality, integrity, authentication, and non-repudiation of actions as its security objectives. The digital certificate is the most important and most basic data element in the PKI, and the services provided by the PKI (confidentiality, integrity, non-repudiation and the like) are realized through the certificate.
Fig. 6 is a schematic diagram of a PKI architecture according to an exemplary embodiment of the present invention. As shown in fig. 6, CA denotes the certificate authority, RA denotes the registration authority, an end entity is a PKI subscriber, the repository is responsible for publishing digital certificates and certificate revocation lists, PKI users are entities that use other parties' certificates, and CRL denotes a certificate revocation list.
Illustratively, fig. 7 is a schematic diagram of a process of generating a digital certificate according to an exemplary embodiment of the present invention, and as shown in fig. 7, a process of generating a legal digital certificate is as follows:
the PKI subscriber generates a public-private key pair (pk, sk) for the asymmetric cryptographic algorithm in use, submits its basic information and its public key (pk) to the RA, and keeps the generated private key (sk) itself;
the RA checks the authenticity of the information submitted by the user and whether it meets the relevant regulations, and sends the information to the CA once the check passes;
the CA uses its own private key to digitally sign the relevant content, generating a digital certificate, and sends the digital certificate to the database;
the database is responsible for publishing the digital certificate;
after the certificate is issued, the PKI user can query, verify and use the certificate.
Digital certificate authentication is a common authentication mode of an online banking system, and can be divided into different forms such as a soft certificate and a hard certificate. Because the soft certificate has the risk of being stolen, the security of the soft certificate is not as high as that of the hard certificate, but at present, hardware certificate storage media and other forms cannot be introduced into partial business systems and application scenes, and therefore, the mode of using the soft certificate to perform security authentication is still followed.
The exemplary process of message signing by using a digital certificate is as follows:
after the user's digital certificate is issued, when the user wants to send a transaction message to the server, the user uses the user's private key to call the signature algorithm negotiated in advance to sign the transaction message, and sends the message and the message signature to the server together;
after receiving the message data, the server extracts the user identity information, uses the public key of the user to carry out validity verification on the message signature, if the verification is passed, the message is a legal message sent by the user, otherwise, the message is rejected.
Where soft certificates are still used for security authentication, protecting the user's private key becomes particularly critical. This technical scheme is proposed to solve the problem that existing technical schemes cannot simultaneously satisfy the requirements of binding the file certificate / user private key to the device, protecting the user private key securely, and keeping it private. With the method of this scheme, security protection and device binding of the soft certificate and the user private key can be achieved in this scenario, meeting security and regulatory requirements.
Fig. 8 is a schematic diagram of a system architecture deployment structure according to an exemplary embodiment of the present invention, and as shown in fig. 8, an overall system architecture deployment situation is as follows:
the system overall architecture comprises the following parts:
CA (certificate authority): responsible for issuing digital certificates.
A server: the system comprises a certificate application module, a message signature verification module, other functional modules and the like. The certificate application module is responsible for receiving public key information sent by a user and applying for a digital certificate; the message signature checking module is responsible for carrying out validity verification on a message signature sent by a user; besides the functions related to the service, the other functional modules are also responsible for collecting user information on site in the user registration stage and issuing an authorization code for certificate application to the user.
A user terminal: stores the file certificate and the user private key; the security protection of the client file certificate and the device binding function are implemented in the file certificate security protection module.
The user: the user of the system and of the file certificate.
Fig. 9 is a schematic diagram of a digital certificate issuance process according to an exemplary embodiment of the present invention, and as shown in fig. 9, the digital certificate issuance process is as follows:
first, the symbols used in the digital certificate issuing flow are defined:
$H(\cdot)$: hash function;
$\|$: the concatenation symbol, $a \| b = ab$;
getac(): a self-defined hardware feature code acquisition function;
$C = \mathrm{ENC}_k(m)$: symmetric encryption algorithm, where the key is k, the encrypted message is m, and the ciphertext C is output;
$M = \mathrm{DEC}_k(c)$: symmetric decryption algorithm, where the key is k, the input ciphertext is c, and the plaintext M is output;
$Y = \mathrm{KDF}(x)$: key derivation function with input x and output symmetric key Y;
ID: the user identity, a unique identifier;
$m_{sig} = \mathrm{sig}_{kd}(H(m))$: signature algorithm sig, where the private signature key is kd, the signed message is $H(m)$, and the output digital signature value is $m_{sig}$;
$\mathrm{verify}_{kp}(m_{sig}, H(m)) = 0/1$: signature verification function verify, where kp is the public key used for verification, $H(m)$ is the signed message, $m_{sig}$ is the signature value, and the output 0/1 indicates that verification failed or passed.
The following further describes the digital certificate issuing process with reference to fig. 9 and a practical application scenario:
the user completes the sign-up procedure at a business hall, registers user information, and receives a certificate application authorization code;
the user terminal installs the file certificate security protection module, and the certificate application authorization code is entered after installation;
after receiving the certificate application authorization code, the user terminal obtains the local hardware feature code ac (which may include any one or a combination of the hard disk serial number, network card MAC address, CPU serial number, BIOS code and the like) using the self-defined hardware feature code acquisition function getac(), and uses the hash value $H(ac)$ of the feature code as the input of the key derivation function KDF to generate the symmetric key $k = \mathrm{KDF}(H(ac))$; it calls the key pair generation algorithm of the public key cryptographic algorithm to produce a public-private key pair (kp, kd), symmetrically encrypts kd with k to produce the ciphertext $c = \mathrm{ENC}_k(kd)$, stores c, deletes k and kd, and clears the memory;
the user then sends $(\text{certificate application authorization code} \| kp \| H(ac))$ to the server through a secure channel (for example, offline or by other means), then deletes $H(ac)$ and clears the memory;
the certificate application module of the server first verifies that the certificate application authorization code is an unused, valid code, and after the verification passes applies to the CA (certificate authority) for a digital certificate using kp and the customer's registration information;
the CA verifies the related information, signs and issues the digital certificate, and returns success information (indicating that the certificate was issued successfully).
The server stores the user identity ID, the hash value $H(ac)$ sent by the user and the user certificate, sends success information (indicating that the certificate was signed and issued successfully) to the user terminal, and the process ends.
Fig. 10 is a schematic diagram of a signature verification process according to an exemplary embodiment of the present invention, and as shown in fig. 10, the signature verification process is as follows:
assume that the user identity is ID, the message to be signed is m, and the user terminal stores the ciphertext c of the encrypted user private key;
the user terminal calculates $k = \mathrm{KDF}(H(\mathrm{getac}()))$, where H and getac() are the hash function and the hardware feature code acquisition function used in the issuing process, and uses the key k to decrypt the locally stored c with the symmetric algorithm, $kd = \mathrm{DEC}_k(c)$, obtaining the signing private key kd (DEC is the decryption algorithm);
the user terminal uses kd to sign the hash value of the message m and $H(ac)$: $m_{sig} = \mathrm{sig}_{kd}(H(m \| H(\mathrm{getac}())))$, sends the message $(ID \| m \| m_{sig})$ to the server, deletes all intermediate calculation results, and clears the memory, for example the private key obtained by decryption and the signature value obtained by signing;
after receiving the message, the server verifies the signature using the user certificate public key kp corresponding to the user with identity ID and the hash value $H(ac)$ of the feature code ac: $\mathrm{verify}_{kp}(m_{sig}, H(m \| H(ac)))$; if verification passes, the message m is processed; otherwise a reject message is returned.
It should be noted that, in an exemplary embodiment, the feature code of the user terminal is dynamically obtained by using a feature code extraction method getac (), and a value of the feature code may not be stored or preset.
According to the embodiment, in the process of generating the digital certificate, a user generates a public and private key pair corresponding to the digital certificate, uses information such as an equipment feature code and the like as the input of a key derivation function to derive a symmetric key, encrypts a user private key by using the symmetric key, and sends the equipment feature code and the public key to a server to apply for the user certificate; according to the embodiment, in the transaction process, before each transaction, the program automatically acquires relevant parameters such as local equipment characteristics and the like as the input of the key derivation function to generate a symmetric key, so that the private key of a user is decrypted; meanwhile, each signature not only signs the transaction message, but also signs the hash value of the user feature code.
The double binding to the device feature code, in generating the digital certificate and in signing and verification, binds the user private key to the device, so that the user private key cannot be copied and abused. At the same time, the user's private key is stored only by the user and only in encrypted form, and the server cannot obtain it; the symmetric encryption key must be calculated dynamically each time the user recovers the private key and is deleted and cleared from memory immediately after use; and the key derivation function for the symmetric key is secret and bound into the program on the device terminal, which satisfies the user's requirement for private key privacy.
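The issuance and signing flows described above, as an added Go example that is not code from the patent. It assumes SHA-256 for H, HMAC-SHA256 under a program-embedded label for KDF, AES-256-GCM for ENC/DEC and Ed25519 for sig/verify (the patent names none of these); the function names and the sample hardware identifiers are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Enrollment: the terminal keeps only Ciphertext (c); PublicKey (kp) and HAC (H(ac)) go to the server.
type Enrollment struct {
	Ciphertext []byte
	PublicKey  ed25519.PublicKey
	HAC        []byte
}

// featureHash is H(ac); features stands in for the output of getac().
func featureHash(features []string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(features, "|")))
	return sum[:]
}

// deriveKey is k = KDF(H(ac)). Assumed KDF: HMAC-SHA256 under a program-embedded label.
func deriveKey(hac []byte) []byte {
	mac := hmac.New(sha256.New, []byte("demo-program-embedded-kdf-label"))
	mac.Write(hac)
	return mac.Sum(nil)
}

// digest is H(m || H(ac)), the value that is signed and verified.
func digest(m, hac []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, m...), hac...))
	return sum[:]
}

// aead returns AES-256-GCM under k (assumed cipher for ENC/DEC).
func aead(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll is the terminal side of issuance: c = ENC_k(kd) with k = KDF(H(ac)).
func Enroll(features []string) (*Enrollment, error) {
	hac := featureHash(features)
	kp, kd, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(deriveKey(hac))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// k and kd are never returned or stored; explicit memory zeroing is not shown here.
	return &Enrollment{Ciphertext: gcm.Seal(nonce, nonce, kd.Seed(), nil), PublicKey: kp, HAC: hac}, nil
}

// Sign re-derives k on the current hardware, recovers kd = DEC_k(c), and signs H(m || H(getac())).
func Sign(c []byte, features []string, m []byte) ([]byte, error) {
	hac := featureHash(features)
	gcm, err := aead(deriveKey(hac))
	if err != nil {
		return nil, err
	}
	if len(c) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(c))
	}
	seed, err := gcm.Open(nil, c[:gcm.NonceSize()], c[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext does not open on this hardware: %w", err)
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), digest(m, hac)), nil
}

// Verify is the server side: verify_kp(m_sig, H(m || H(ac))) using the stored H(ac).
func Verify(kp ed25519.PublicKey, storedHAC, m, sig []byte) bool {
	return ed25519.Verify(kp, digest(m, storedHAC), sig)
}

func main() {
	hw := []string{"disk:CONSTRUCTED-0001", "mac:02:00:00:00:00:01"} // constructed sample values
	e, err := Enroll(hw)
	if err != nil {
		panic(err)
	}
	sig, err := Sign(e.Ciphertext, hw, []byte("transfer 100"))
	fmt.Println("verified:", err == nil && Verify(e.PublicKey, e.HAC, []byte("transfer 100"), sig))
}
```

Because H(ac) is also disclosed to the server and is built from enumerable identifiers, the confidentiality of c in this design rests on the KDF staying secret inside the program, as the description itself states.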
The embodiment of the invention is further explained below by taking a bank scene as an example:
An enterprise client system that interfaces with the bank through the bank-enterprise direct connection module may deploy the user terminal in a private cloud. One such scenario is as follows: hardware UKEYs may not be plugged into the physical machines in the private cloud machine room, so the current UKEY cannot meet the requirement, and the traditional UKEY hard-certificate solution (for example, plugging the UKEY into the computer on which the bank-enterprise direct connection system is deployed) cannot be used. In this scenario the user explicitly requires a file certificate and requires that the user's private key be known only to the user, so that the bank-side server must not retain it; industry regulatory standards also require that the user file certificate be bound to the device and not be separable from it. The technical scheme provided by the invention is used to meet these user, regulatory and security requirements.
Fig. 11 is a schematic diagram of a deployment scenario of a bank-enterprise private cloud according to an exemplary embodiment of the present invention, and as shown in fig. 11, the overall scheme mainly involves the following systems/subsystems:
CFCA certification authority: the root CA; its certificate issuing and management system is responsible for issuing and managing digital certificates.
Related systems inside the bank:
Online banking system: the bank's online banking system for corporate business.
Internal management system: the corporate online banking customer sign-up system, which completes digital certificate applications to the CFCA. It is operated by business hall tellers and customer managers; it can apply to the CFCA directly for a certificate in UKey form, and can also issue the two codes (certificate serial number and authorization code) for certificate application to customers applying for a soft certificate;
Front-end processor: a front-end processor deployed by the CFCA inside the bank; the user provides the two codes (certificate serial number and authorization code) for certificate application and applies to the CFCA for a digital certificate through the front-end processor;
Bank-enterprise direct connection system: deployed on the client side and directly connected to the system that initiates the business; it is responsible for receiving and forwarding messages and, as the functional requirements dictate, performs the signing operation before sending.
Customer and customer ERP system: the customer's business system, which calls the bank's interface through the bank-enterprise direct connection system to perform transactions.
Fig. 12 is a schematic diagram of a digital certificate issuing process of a bank-enterprise direct connection private cloud deployment scenario according to an exemplary embodiment of the present invention, where, as shown in fig. 12, the digital certificate issuing process includes:
the bank-enterprise direct connection system has a preset SSL/TLS certificate and by default interacts with the front-end processor and the online banking system over an encrypted dedicated-line channel;
a soft certificate security protection program (hereinafter referred to as the applet) is a sub-function of the bank-enterprise direct connection system; before installation, code obfuscation and shell (packer) protection are applied to the installer to hinder reverse engineering;
the customer completes the sign-up procedure through the internal management system at a business hall, registers customer information, and obtains the two codes (certificate serial number and authorization code) for certificate application;
the bank-enterprise direct connection system is installed on a client terminal in the customer's machine room, and after installation the customer enters the two codes (certificate serial number and authorization code) for certificate application;
after receiving the two certificate application codes, the applet obtains the local hardware feature code ac (including the hard disk serial number, network card MAC address, CPU serial number and the like) using the self-defined hardware feature code acquisition function getac(), and uses the hash value $H(ac)$ of the feature code as the input of the key derivation function KDF to generate the symmetric key $k = \mathrm{KDF}(H(ac))$; it calls the public-private key pair generation algorithm to generate the key pair (kp, kd), encrypts kd with k to generate $c = \mathrm{ENC}_k(kd)$, stores c, deletes k and kd, and clears the memory; the bank-enterprise direct connection system then sends $(\text{the two certificate application codes} \| kp \| H(ac))$ to the front-end processor over the SSL-encrypted dedicated-line channel, deletes $H(ac)$, and clears the memory;
the front-end processor firstly verifies whether the certificate application authorization code is an unused legal verification code, and sends the two codes, kp and the registration information of the client to the CFCA to apply for the digital certificate after the certificate application authorization code passes the verification;
the CFCA verifies the two codes and the related information, issues a digital certificate and returns the certificate to the front-end processor;
the front-end processor returns the digital certificate to the bank-enterprise direct connection system, and simultaneously sends the unique identity of the user, the digital certificate and the H (ac) value of the digital certificate to the online banking system through the secure channel, and the online banking system stores the digital certificate of the user and the H (ac) value corresponding to the user.
Fig. 13 is a schematic diagram of a signature verification process of a private cloud deployment scenario of a bank-enterprise direct connection according to an exemplary embodiment of the present invention, where, as shown in fig. 13, the signature verification process includes:
the client ERP system sends a message m needing to be signed to the bank-enterprise direct connection system;
the applet function in the bank-enterprise direct connection system calculates $k = \mathrm{KDF}(H(\mathrm{getac}()))$ and decrypts the locally stored c with the key k, that is, $kd = \mathrm{DEC}_k(c)$, obtaining the signing private key kd;
it uses kd to sign the hash value of the message m and the feature code ac: $m_{sig} = \mathrm{sig}_{kd}(H(m \| H(\mathrm{getac}())))$, and sends the message $(ID \| m \| m_{sig})$ to the online banking system;
after receiving the message, the online banking system verifies the signature using the certificate public key kp corresponding to the user, the locally stored hash value $H(ac)$ of the feature code ac, and the received message m, that is, $\mathrm{verify}_{kp}(m_{sig}, H(m \| H(ac)))$; if verification passes, the message m is processed; otherwise a reject message is returned.
It should be noted that, in an exemplary embodiment, the feature codes of the bank-enterprise direct connection system side are all dynamically acquired by using a feature code extraction method getac (), and the values of the feature codes cannot be stored or preset.
In addition, in specific implementation, the client certificate and the private key can be encrypted and stored together, and the client certificate and the signature are sent together after signature for subsequent verification.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Embodiments of the present invention also provide a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to implement the steps in any of the above method embodiments when executed. Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to implement the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for receiving a certificate, applied to a user terminal, comprising:
the user terminal acquires the hardware characteristics of the user terminal, generates first hardware characteristic information according to the acquired hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm;
the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and a private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key;
the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, a public key in the public and private key pair and the first hardware characteristic information of the user terminal, so that the server verifies the certificate application information, applies to an authentication terminal for a certificate by using the public key and pre-acquired user registration information, receives the certificate sent by the authentication terminal, and stores the certificate and the first hardware characteristic information;
the user terminal deletes the first hardware characteristic information of the user terminal after sending the certificate request;
and the user terminal receives the certificate sent by the server.
2. The method for receiving a certificate according to claim 1, wherein after the user terminal receives the certificate sent by the server, the method further comprises:
the user terminal acquires a message to be signed;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value, so that the server verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server and the message received by the server.
3. The method for receiving a certificate according to any one of claims 1 or 2, further comprising at least one of:
the first hardware characteristic information is a hash value of the hardware characteristic; or,
the certificate application information comprises a certificate serial number and an authorization code; or,
the hardware features include at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
4. A method for sending a certificate, applied to a server, comprising:
the server receives a certificate request sent by a user terminal, wherein the certificate request indicates certificate application information, a public key and first hardware characteristic information of the user terminal; the first hardware characteristic information is generated by the user terminal acquiring its own hardware characteristics and generating the information based on the acquired hardware characteristics; the public key is included in a public-private key pair generated by the user terminal; the user terminal also generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm, generates a ciphertext from the first symmetric key and a private key of the public-private key pair, and stores the ciphertext; the user terminal does not store the first symmetric key, the private key and the first hardware characteristic information; wherein the public and private key pair comprises a public key and a private key;
the server side verifies the certificate application information, applies to an authentication side for a certificate by using the public key and the pre-acquired user registration information, receives the certificate sent by the authentication side, and stores the certificate and the first hardware characteristic information;
and the server side sends the certificate to the user terminal.
5. The method according to claim 4, wherein after the server sends the certificate to the user terminal, the method further comprises:
receiving a signature message sent by the user terminal, wherein the signature message indicates identity information, a message and a signature value of a user, the signature value is obtained by the user terminal acquiring hardware characteristics of the user terminal again, generating first hardware characteristic information according to the acquired hardware characteristics, generating a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm, decrypting the ciphertext stored by the user terminal according to the second symmetric key to obtain a private key, and signing the message to be signed and the first hardware characteristic information according to the private key;
and the server side verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side.
6. The method according to any one of claims 4 or 5, further comprising at least one of:
the first hardware characteristic information is a hash value of the hardware characteristic; or,
the certificate application information comprises a certificate serial number and an authorization code; or,
the hardware features include at least one of: the hard disk serial number of the user terminal, the network card MAC address of the user terminal, the CPU serial number of the user terminal, the BIOS serial number of the user terminal and the like.
7. A transaction system, comprising:
a server and a user terminal, wherein,
the user terminal acquires the hardware characteristics of the user terminal, generates first hardware characteristic information according to the acquired hardware characteristics, and generates a first symmetric key according to the first hardware characteristic information by adopting a first symmetric key algorithm;
the user terminal generates a public and private key pair, generates a ciphertext according to the first symmetric key and a private key in the public and private key pair, stores the ciphertext, and deletes the first symmetric key and the private key, wherein the public and private key pair comprises a public key and a private key;
the user terminal sends a certificate request to a server, wherein the certificate request indicates certificate application information, a public key in the public and private key pair and the first hardware characteristic information of the user terminal;
the user terminal deletes the first hardware characteristic information of the user terminal after sending the certificate request;
the server side verifies the certificate application information, applies to an authentication side for a certificate by using the public key and the pre-acquired user registration information, receives the certificate sent by the authentication side, and stores the certificate and the first hardware characteristic information;
the server side sends the certificate to the user terminal;
and the user terminal receives the certificate sent by the server.
8. The transaction system of claim 7, further comprising:
the user terminal obtains a message to be signed after receiving the certificate sent by the server side;
the user terminal acquires the hardware characteristics of the user terminal again, generates the first hardware characteristic information according to the acquired hardware characteristics, and generates a second symmetric key according to the first hardware characteristic information by adopting the first symmetric key algorithm;
the user terminal decrypts the ciphertext stored by the user terminal according to the second symmetric key to obtain the private key;
the user terminal signs the message to be signed and the first hardware characteristic information according to the private key to obtain a signature value;
the user terminal sends a signature message to the server, wherein the signature message indicates the identity information of the user, the message and the signature value;
and the server side verifies the signature message by using the public key corresponding to the user, the first hardware characteristic information stored by the server side and the message received by the server side.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to carry out the method of any one of claims 1 to 3 or 4 to 6 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is arranged to execute the computer program to implement the method of any one of claims 1 to 3 or 4 to 6.
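The enrollment and signing flow of claims 1, 2, 4 and 5, as an added Go sketch that is not code from the patent. The claims name no algorithms, so SHA-256 for the fingerprint and key derivation, AES-256-GCM for the ciphertext and Ed25519 for the key pair are assumptions, as are all function names and the sample hardware values; the certificate application to the authentication side is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint is the "first hardware characteristic information": a hash of the
// hardware features (claim 3). %q quotes each item so boundaries are unambiguous.
func Fingerprint(features []string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%q", features)))
	return h[:]
}

// gcmFor derives the symmetric key from the fingerprint (assumed: labelled SHA-256, AES-256-GCM).
func gcmFor(fp []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte("privkey-wrap-v1:"), fp...))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Enroll returns the public key and the stored ciphertext (nonce || sealed private key).
func Enroll(features []string) (ed25519.PublicKey, []byte, error) {
	aead := gcmFor(Fingerprint(features))
	nonce := make([]byte, aead.NonceSize())
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		return nil, nil, fmt.Errorf("randomness unavailable")
	}
	return pub, aead.Seal(nonce, nonce, priv, nil), nil
}

// Sign re-reads the hardware, unwraps the private key and signs message || fingerprint.
func Sign(features []string, wrapped, msg []byte) ([]byte, error) {
	fp := Fingerprint(features)
	aead := gcmFor(fp)
	if n := aead.NonceSize(); len(wrapped) > n {
		if priv, err := aead.Open(nil, wrapped[:n], wrapped[n:], nil); err == nil {
			return ed25519.Sign(ed25519.PrivateKey(priv), append(append([]byte{}, msg...), fp...)), nil
		}
	}
	return nil, fmt.Errorf("unwrap failed: ciphertext damaged or hardware differs")
}

// Verify is the server side: it checks against its stored fingerprint, not one sent with the message.
func Verify(pub ed25519.PublicKey, storedFP, msg, sig []byte) bool {
	return ed25519.Verify(pub, append(append([]byte{}, msg...), storedFP...), sig)
}

func main() {
	hw := []string{"disk:SAMPLE-0001", "mac:02:00:00:00:00:01"} // constructed sample values
	pub, wrapped, _ := Enroll(hw)
	sig, err := Sign(hw, wrapped, []byte("transfer 100"))
	fmt.Println("server accepts:", err == nil && Verify(pub, Fingerprint(hw), []byte("transfer 100"), sig))
}
```

In this sketch the wrapping key depends only on the fingerprint, which the server also stores, so the server's stored copy has to be protected like key material.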
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110075996.2A CN112766962A (en) | 2021-01-20 | 2021-01-20 | Method for receiving and sending certificate, transaction system, storage medium and electronic device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112766962A (en) | 2021-05-07 |
Family
ID=75703590
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110075996.2A Pending CN112766962A (en) | 2021-01-20 | 2021-01-20 | Method for receiving and sending certificate, transaction system, storage medium and electronic device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112766962A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||