
CN108199847B - Digital security processing method, computer device, and storage medium - Google Patents


Info

Publication number
CN108199847B
Authority
CN
China
Prior art keywords
client
key
server
private key
generation parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711481208.XA
Other languages
Chinese (zh)
Other versions
CN108199847A (en
Inventor
陈壹鹏
王胜男
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Xinjian Information Technology Co ltd
Shuan Times Technology Co ltd
Original Assignee
Guangdong Xinjian Information Technology Co ltd
Shuan Times Technology Co ltd
Application filed by Guangdong Xinjian Information Technology Co ltd and Shuan Times Technology Co ltd
Priority to CN201711481208.XA
Publication of CN108199847A
Application granted
Publication of CN108199847B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A digital security processing method, apparatus, and medium. The method of one embodiment comprises: receiving a digital signature request sent by a client; returning a digital signature response to the client, the response carrying a second and a third client key generation parameter; receiving second user authorization information returned by the client, which carries the second and third client keys that the client generated from the second and third client key generation parameters respectively; generating a second server-side key from the second client key and the second server-side key generation parameter, and a third server-side key from the third client key and the third server-side key generation parameter; decrypting the stored second private key ciphertext encryption result with the second server-side key to obtain the private key ciphertext, and signing the data to be signed with the private key ciphertext to obtain a digital signature result; and encrypting the private key ciphertext with the third server-side key to obtain a third private key ciphertext encryption result, and storing the third client key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result in association. The scheme of the embodiment improves security.

Description

Digital security processing method, computer device, and storage medium
Technical Field
The present invention relates to the field of cryptography, and in particular, to a digital security processing method, a computer device, and a computer storage medium.
Background
With the development of internet technology and the rise of e-government and e-commerce, services such as online banking, online office work and online shopping have gradually entered everyday life and are changing and developing rapidly. Where critical business operations and the transmission of sensitive information are involved, digital signature technology is generally used to provide security protections such as integrity verification, tamper resistance and non-repudiation of data. Although the smart cipher keys and smart IC card devices of the traditional internet can in theory be used with mobile internet devices through Bluetooth, audio code and NFC (near field communication), they remain limited by the wide variety of models, poor compatibility, and the inconvenience of carrying and using them, which leads to a very poor user experience, and they have not been widely adopted. Combining PKI (public key infrastructure) technology and commercial cryptographic chips with wearable devices reduces the inconvenience of carrying a device, but still faces problems of compatibility adaptation and numerous operating steps in use.
Disclosure of Invention
Based on this, an object of the embodiments of the present application is to provide a digital security processing method, a computer device, and a computer storage medium.
A digital security processing method, comprising the steps of:
sending a digital signature request to a server;
receiving a digital signature response returned by the server based on the digital signature request, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter;
generating a second client key based on the second client key generation parameter, generating a third client key based on the third client key generation parameter, and sending second user authorization information to the server, wherein the second user authorization information carries the second client key and the third client key;
and receiving a digital signature result returned by the server.
A digital security processing method, comprising the steps of:
receiving a digital signature request sent by a client;
returning a digital signature response to the client, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter;
receiving second user authorization information returned by the client, wherein the second user authorization information carries a second client key generated by the client based on the second client key generation parameter and a third client key generated based on the third client key generation parameter;
generating a second server key based on the second client key and a second server key generation parameter, and generating a third server key based on the third client key and a third server key generation parameter;
decrypting the stored second private key ciphertext encryption result by using the second server-side key to obtain a private key ciphertext, and signing the data to be signed by using the private key ciphertext to obtain a digital signature result;
and encrypting the private key ciphertext by using the third server-side key to obtain a third private key ciphertext encryption result, and storing the third client-side key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result in an associated manner.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method as described above when executing the program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as set forth above.
Based on the scheme of the embodiment, the signing private key is hosted at the server, and for each signature the client and the server cooperate to complete the signature based on the private key ciphertext hosted by the server. Each time a signature is completed, the client additionally generates a new client key, and the server generates a new private key ciphertext encryption result based on the new client key and a server key, so that the stored private key ciphertext encryption result is updated. The user of the client must therefore participate in every signature, and the private key ciphertext encryption result used is different each time, which prevents the server from retaining the private key ciphertext and impersonating the user's signature, thereby further improving the security of digital security processing.
Drawings
FIG. 1 is a schematic diagram of an application environment of the embodiment;
FIG. 2 is a flow diagram of a digital security process in one embodiment;
FIG. 3 is a flow diagram of a digital security processing method in one particular example;
FIG. 4 is a schematic flow chart diagram of a digital security processing method in another embodiment;
FIG. 5 is a flow diagram of a digital security processing method in one particular example;
FIG. 6 is an interaction flow diagram of a digital security process in one specific example;
FIG. 7 is a flow diagram of a digital security processing method in another specific example;
FIG. 8 is a block diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic diagram of an application environment of the scheme of the present application in an embodiment. Referring to fig. 1, the scheme of this embodiment involves a terminal 101, a server 102, and a cipher machine 103. The terminal 101 and the server 102 are connected through a network, and the cipher machine 103 is connected only to the server 102; in some embodiments, the cipher machine 103 may also be configured as part of the server 102. The terminal 101 may be a desktop terminal, a mobile terminal, or any other device that can or needs to host a private key at the server 102; the mobile terminal may be at least one of a mobile phone, a tablet computer, a notebook computer, and the like. The server 102 may be implemented as an independent server or as a server cluster formed by multiple servers. In the scheme of the application, the terminal 101 interacts with the user and the server 102 to take in user information and, together with the server 102, binds the user to the private key ciphertext and implements the user's authorized use of the private key ciphertext. The server 102 interacts with the terminal 101 and the cipher machine 103 to store and manage the user's private key, to bind the user to the private key ciphertext, and to implement the user's authorized use of the private key ciphertext. The server may hold a certificate and private key issued by an authority. The cipher machine 103 generates the encrypted private key ciphertext, exports it, and imports it for signing, and can communicate only with the server 102.
Fig. 2 shows a flowchart of a digital security processing method in an embodiment, where the method is applied to the terminal 101 or the client provided on the terminal 101 in fig. 1. Referring to fig. 2, the digital security processing method in this embodiment includes steps S201 to S204 as follows.
Step S201: sending a digital signature request to the server.
The terminal 101 may send the digital signature request to the server at any time when a signature is required. The digital signature request may carry the relevant user information of the user of the terminal, and may also carry the data to be signed.
Step S202: receiving a digital signature response returned by the server based on the digital signature request, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter.
The second client key generation parameter and the third client key generation parameter may be any parameters that the terminal 101 can use to generate a client key. In one particular example, the second client key generation parameter and the third client key generation parameter may each be a randomly generated random number.
In an embodiment, the digital signature response may further carry a verification parameter (referred to as the third verification parameter in this embodiment). The third verification parameter is to be entered by the user of the terminal 101, so that the server 102 can verify it when it receives the information sent by the terminal 101 in the next step. The third verification parameter may be any parameter that can be verified, such as a randomly generated random number, which may be in any possible form, such as randomly generated numbers, Chinese characters, character strings, or combinations thereof.
Step S203: generating a second client key based on the second client key generation parameter, generating a third client key based on the third client key generation parameter, and sending second user authorization information to the server, wherein the second user authorization information carries the second client key and the third client key.
The manner of generating the second client key based on the second client key generation parameter and the third client key based on the third client key generation parameter is not limited; for example, the second client key and the third client key may be generated using a key derivation function (KDF), a hash function, or the like.
In a specific example, before generating the second client key based on the second client key generation parameter and generating the third client key based on the third client key generation parameter, the method may further include the step of acquiring a user identification code. The user identification code may be a PIN (Personal Identification Number) code of the terminal 101, which may be input by the user of the terminal 101.
In this case, the keys may be generated as follows: the second client key is generated based on the second client key generation parameter and the user identification code, and the third client key is generated based on the third client key generation parameter and the user identification code. Because the user identification code takes part in the derivation, the user of the client participates directly in generating the second and third client keys, which further ensures that the user of the client participates in every signature process.
In an embodiment, where the digital signature response further includes a third verification parameter, before sending the second user authorization information to the server the method may further include the step of acquiring a fourth verification parameter input by the user. The fourth verification parameter is then also carried in the second user authorization information. If the terminal user's input is correct, the fourth verification parameter is the same as the third verification parameter described above.
In another embodiment, before sending the second user authorization information to the server, the method may further include the step of encrypting the second user authorization information with the server certificate public key, which further improves security.
Step S204: receiving a digital signature result returned by the server.
It can be understood that the digital signature result may be a digital signature result obtained by signing data to be signed based on a private key ciphertext stored by the server.
Based on the scheme of the embodiment, during signing the client obtains two client key generation parameters from the server and returns two client keys to the server. The server decrypts the private key ciphertext using one client key and generates a new private key ciphertext encryption result based on the other, thereby updating the stored private key ciphertext encryption result. The user of the client must participate in every signature, and the private key ciphertext encryption result used is different each time, which prevents server back-office personnel from retaining the private key ciphertext encryption result to impersonate the user's signature and further improves the security of digital security processing.
In a specific example, the method in the present embodiment may further include steps S301 to S303 as shown in fig. 3.
Step S301: sending a private key escrow request to the server.
The client may send the private key escrow request to the server when any private key escrow needs to be performed, where the private key escrow request may carry the relevant user information of the user of the terminal 101, and the specific type and content of the user information are not limited in this embodiment.
Step S302: receiving a private key escrow response returned by the server, wherein the private key escrow response carries a first client key generation parameter.
The first client key generation parameter may be any parameter that the terminal 101 can use to generate a client key. In one particular example, the first client key generation parameter may be a randomly generated random number.
In an embodiment, the private key escrow response may further carry a verification parameter (referred to as the first verification parameter in this embodiment). The first verification parameter is to be entered by the user of the terminal 101, so that the server 102 can verify it when it receives the information sent by the terminal 101 in the next step. The first verification parameter may be any parameter that can be verified, such as a randomly generated random number, which may be in any possible form, such as randomly generated numbers, Chinese characters, character strings, or combinations thereof.
Step S303: generating a first client key based on the first client key generation parameter, and sending first user authorization information to the server, wherein the first user authorization information carries the first client key.
The manner of generating the first client key based on the first client key generation parameter is not limited; for example, the first client key may be generated using a key derivation function (KDF), a hash function, or the like.
In a specific example, before generating the first client key based on the first client key generation parameter, the method may further include the step of acquiring a user identification code. The user identification code may be a PIN code of the terminal 101, which may be entered by the user of the terminal 101.
In this case, the first client key may be generated based on the first client key generation parameter and the user identification code. Because the user identification code takes part in the derivation, the user of the client participates directly in generating the first client key.
In an embodiment, where the private key escrow response further includes a first verification parameter, before sending the first user authorization information to the server the method may further include the step of acquiring a second verification parameter input by the user. The first user authorization information then also carries the second verification parameter. If the terminal user's input is correct, the second verification parameter is the same as the first verification parameter described above.
In another embodiment, before sending the first user authorization information to the server, the method may further include the step of encrypting the first user authorization information with the server certificate public key, which further improves security.
Fig. 4 is a flowchart illustrating a digital security processing method according to another embodiment, described by taking the processing procedure of the server 102 shown in fig. 1 as an example. As shown in fig. 4, the method in this embodiment includes steps S401 to S406.
Step S401: receiving a digital signature request sent by a client.
The client on the terminal 101 may send the digital signature request to the server at any time when a digital signature is required. The digital signature request may carry the relevant user information of the user of the terminal, and may also carry the data to be signed.
Step S402: returning a digital signature response to the client, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter.
The second client key generation parameter and the third client key generation parameter may be any parameters that the terminal 101 can use to generate a client key. In one particular example, the second client key generation parameter and the third client key generation parameter may each be a randomly generated random number.
In an embodiment, the digital signature response may further carry a verification parameter (referred to as the third verification parameter in this embodiment). The third verification parameter is to be entered by the user of the terminal 101, so that the server 102 can verify it when it receives the information sent by the terminal 101 in the next step. The third verification parameter may be any parameter that can be verified, such as a randomly generated random number, which may be in any possible form, such as randomly generated numbers, Chinese characters, character strings, or combinations thereof.
Step S403: receiving second user authorization information returned by the client, wherein the second user authorization information carries a second client key generated by the client based on the second client key generation parameter and a third client key generated based on the third client key generation parameter.
The client on the terminal 101 may generate the second client key based on the second client key generation parameter and the third client key based on the third client key generation parameter in any possible manner, for example using a key derivation function (KDF), a hash function, or the like. In one specific example, the second client key may be generated based on the second client key generation parameter and a user identification code, and the third client key may be generated based on the third client key generation parameter and the user identification code. The user identification code may be a PIN code of the terminal 101, which may be obtained from the terminal 101 itself or input by the user of the terminal 101.
In an embodiment, where the digital signature response further includes a third verification parameter, the second user authorization information further carries a fourth verification parameter input by the user. If the terminal user's input is correct, the fourth verification parameter is the same as the third verification parameter described above.
Therefore, in this case, before proceeding to step S404, the method may further include the step of verifying that the fourth verification parameter is consistent with the third verification parameter. If they are consistent, the method proceeds to step S404; otherwise, failure information is returned to the client or the current digital signature process is exited directly.
In an example, where the client has encrypted the second user authorization information with the server certificate public key, after receiving the second user authorization information and before proceeding to the next step (step S404), the method may further include the step of decrypting the second user authorization information with the server certificate private key.
Step S404: generating a second server key based on the second client key and the second server key generation parameter, and generating a third server key based on the third client key and the third server key generation parameter.
The way in which the server generates the second server key based on the second client key and the second server key generation parameter, and the third server key based on the third client key and the third server key generation parameter, is not limited; for example, the server may generate them using a key derivation function (KDF), a hash function, or the like.
Step S405: decrypting the stored second private key ciphertext encryption result with the second server-side key to obtain a private key ciphertext, and signing the data to be signed with the private key ciphertext to obtain a digital signature result.
If no signature process has yet been performed, the second private key ciphertext encryption result may be the private key ciphertext encryption result generated when the private key escrow application succeeded. If a digital signature process has already been performed, it may be the stored private key ciphertext encryption result as updated after the last successful digital signature.
In one embodiment, signing the data to be signed with the private key ciphertext to obtain a digital signature result may include:
sending an encryption request to a cipher machine, wherein the encryption request carries the data to be signed and the private key ciphertext; the data to be signed may be carried in the digital signature request sent to the server by the client, or the server may obtain the data to be signed in other ways;
and receiving the digital signature result returned by the cipher machine, obtained by signing the data to be signed with the private key ciphertext.
Step S406: encrypting the private key ciphertext with the third server-side key to obtain a third private key ciphertext encryption result, and storing the third client key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result in association.
The private key ciphertext may be the private key ciphertext obtained by decrypting the second private key ciphertext encryption result.
Storing the third client key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result in association may take the form of updating the second client key generation parameter, the second server-side key generation parameter and the second private key ciphertext encryption result already stored by the server. That is, the server no longer stores the second client key generation parameter, the second server-side key generation parameter and the second private key ciphertext encryption result, but stores the third client key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result instead. This ensures that after each digital signature the server generates a new private key ciphertext encryption result with the participation of the user of the terminal, and that the private key ciphertext encryption result used by the server differs for every signature, which prevents server back-office personnel from retaining the private key ciphertext encryption result to forge the user's signature and further improves the security of the digital security processing.
In one embodiment, the method of the present embodiment may further include steps S501 to S504 as shown in fig. 5.
Step S501: receiving a private key escrow request sent by the client.
The client may send the private key escrow request to the server when any private key escrow needs to be performed, where the private key escrow request may carry the relevant user information of the user of the terminal 101, and the specific type and content of the user information are not limited in this embodiment.
Step S502: returning a private key escrow response to the client, wherein the private key escrow response carries a first client key generation parameter.
The first client key generation parameter may be any parameter that the terminal 101 can use to generate a client key. In one particular example, the first client key generation parameter may be a randomly generated random number.
In an embodiment, the private key escrow response may further carry a verification parameter (referred to as the first verification parameter in this embodiment). The first verification parameter is to be entered by the user of the terminal 101, so that the server 102 can verify it when it receives the information sent by the terminal 101 in the next step. The first verification parameter may be any parameter that can be verified, such as a randomly generated random number, which may be in any possible form, such as randomly generated numbers, Chinese characters, character strings, or combinations thereof.
Step S503: receiving first user authorization information returned by the client, wherein the first user authorization information carries a first client key generated by the client based on the first client key generation parameter.
The manner in which the client generates the first client key based on the first client key generation parameter is not limited; for example, the first client key may be generated using a key derivation function (KDF), a hash function, or the like.
In one particular example, the client may generate the first client key based on the first client key generation parameter and a user identification code. The user identification code may be a PIN code of the terminal 101, which may be entered by the user of the terminal 101. Because the user identification code takes part in the derivation, the user of the client participates directly in generating the first client key.
In an embodiment, where the private key escrow response further includes a first verification parameter, the first user authorization information further carries a second verification parameter input by the user. If the terminal user's input is correct, the second verification parameter is the same as the first verification parameter described above.
Therefore, in this case, before proceeding to step S504, the method may further include the step of verifying that the second verification parameter is consistent with the first verification parameter. If they are consistent, the method proceeds to step S504; otherwise, failure information is returned to the client or the current private key escrow application process is exited directly.
In an example, where the client has encrypted the first user authorization information with the server certificate public key, after receiving the first user authorization information and before proceeding to the next step (step S504), the method may further include the step of decrypting the first user authorization information with the server certificate private key.
Step S504: obtaining a private key ciphertext, generating a first server key based on the first client key and a first server key generation parameter, and encrypting the private key ciphertext with the first server key to obtain a first private key ciphertext encryption result.
In one embodiment, the manner of obtaining the private key ciphertext may include:
sending a private key ciphertext acquisition request to a cipher machine;
and receiving a private key ciphertext returned by the cipher machine based on the private key ciphertext acquisition request.
After the first private key ciphertext encryption result is obtained, the first client key generation parameter, the first server key generation parameter, and the first private key ciphertext encryption result may be stored in association for use in the subsequent digital signature process.
Based on the above embodiment, the embodiment of the application hosts the signature private key of the terminal user on the server: when a digital signature is required, the data to be signed is sent to the server, and the server returns the signature value to the user after completing the digital signature. The private key for signing can be generated and exported by a cipher machine of the server; the exported private key can be a private key ciphertext, and the private key in the cipher machine is used for the encryption so as to improve security. The server encrypts this private key ciphertext again by using the client key that the client derives from the user identification number (PIN code) and the key generation parameter, and encrypts the private key ciphertext once more every time a signature operation is performed, so that a signature can be completed only with the participation of the user, which improves the security of the digital security processing.
Based on the embodiments described above, a detailed description follows with reference to two specific examples. In a specific technical implementation, the scheme of the present application involves two digital security processes, escrow private key application and escrow private key signature, which are exemplified below.
Fig. 6 shows an interaction flow diagram of a digital security process in a specific example, which is described by taking a process of hosting a private key application as an example.
With reference to fig. 6, in a specific process of applying for a server to host a private key, a user of the terminal 101 first opens a client of the terminal 101, and sends a private key hosting application instruction by clicking a relevant button, control, and the like on the client, and the client sends a private key hosting request to the server after receiving the private key hosting application instruction. The private key escrow request may carry the relevant user information of the user of the terminal 101, and the specific type and content of the user information are not limited in this embodiment.
After receiving the private key escrow request, the server generates a first verification parameter (which may be a random number) r1, a first client key generation parameter (which may be a random number) r2, and a first server key generation parameter (which may be a random number) r3. Then, the server returns a private key escrow response to the client, where the private key escrow response includes the first verification parameter r1 and the first client key generation parameter r2.
After receiving the private key escrow response, the client may display the first verification parameter r1 and prompt the user to enter the verification parameter r1 and a user identification number (PIN code). The user of the client may enter the verification parameter r1 and the PIN code based on the prompt.
Subsequently, the client calculates a first client key A based on the first client key generation parameter r2 and the PIN code: A = f1(PIN, r2), where the function f1() may be any function that can be used to generate keys, such as a key derivation function (KDF), a hash function, and so on.
The client encrypts the second verification parameter r1' input by the user and the first client key A by using the server digital certificate to obtain an encrypted result B. The client then sends first user authorization information to the server, where the first user authorization information includes the encrypted result B.
After receiving the first user authorization information, the server decrypts the encrypted result B by using the server certificate private key to obtain a decrypted second verification parameter r1' and a decrypted first client key A'.
After decryption, the server first checks whether the decrypted second verification parameter r1' is consistent with the locally stored first verification parameter r1. If not, an error result is returned; if so, the server sends a private key ciphertext acquisition request to the cipher machine and receives the private key ciphertext D returned by the cipher machine.
Then, the server calculates a first server key C according to the decrypted first client key A' and the first server key generation parameter r3: C = f2(A', r3), where the function f2() may be any function that can be used to generate a key, such as a key derivation function (KDF), a hash function, etc. The function f2() used by the server to generate the server key and the function f1() used by the client to generate the client key may be the same function or different functions.
Subsequently, the server encrypts the private key ciphertext D by using the first server key C to obtain a first private key ciphertext encryption result E. Any possible encryption algorithm may be used for this encryption, such as AES (Advanced Encryption Standard), DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), SM4 (a national encryption algorithm), and the like, which is not specifically limited in this embodiment.
After the first private key ciphertext encryption result E is obtained, the server stores the client key generation parameter r2, the server key generation parameter r3 and the private key ciphertext encryption result E in association, and returns a private key escrow result to the client, which may be information that the private key was successfully escrowed.
After the server 102 has successfully hosted the private key of the terminal 101, the terminal 101 may subsequently, whenever a signature is required, have a digital signature performed by the server 102 based on the hosted private key. Fig. 7 is an interaction flow diagram of a digital security processing method in a specific example; this embodiment describes the interaction process for performing a digital signature as an example.
As shown in fig. 7, in a specific process of performing a digital signature, a user of the terminal 101 first opens a client of the terminal 101, and issues a signature instruction by clicking a relevant button, control, and the like on the client. After receiving the signature instruction, the client sends a digital signature request to the server, where the digital signature request may carry the relevant user information of the user of the terminal 101 and may also carry data to be signed.
After receiving the digital signature request, the server reads out the stored second client key generation parameter, second server key generation parameter and second private key ciphertext encryption result. If no digital signature has yet been performed, these stored values are the first client key generation parameter r2, the first server key generation parameter r3 and the first private key ciphertext encryption result E1 from the private key escrow application process.
Subsequently, the server generates a new third verification parameter r4, a new third client key generation parameter r5, and a new server key generation parameter r6. Then, the server returns a digital signature response to the client, where the digital signature response carries the second client key generation parameter r2, the third verification parameter r4, and the third client key generation parameter r5.
After receiving the digital signature response, the client may display the third verification parameter r4 and prompt the user to enter the verification parameter r4 and a user identification number (PIN code). The user of the client may enter the verification parameter r4 and the PIN code based on the prompt.
Subsequently, the client calculates a second client key A1 from the second client key generation parameter r2 and the PIN code: A1 = f1(PIN, r2), where the function f1() may be any function that can be used to generate a key, such as a key derivation function (KDF), a hash function, etc.
Further, the client calculates a third client key A2 from the third client key generation parameter r5 and the PIN code: A2 = f1(PIN, r5), where the function f1() may be any function that can be used to generate keys, such as a key derivation function (KDF), a hash function, and so on.
Subsequently, the client encrypts the fourth verification parameter r4' input by the user, the second client key A1 and the third client key A2 by using the server digital certificate, so as to obtain an encrypted result B. The client then sends second user authorization information to the server, where the second user authorization information carries the encrypted result B.
After receiving the second user authorization information, the server decrypts the encrypted result B by using the server certificate private key to obtain a decrypted fourth verification parameter r4', a decrypted second client key A1' and a decrypted third client key A2'.
After decryption, the server checks whether the decrypted fourth verification parameter r4' is consistent with the locally stored third verification parameter r4. If not, an error result is returned; if so, a second server key C1 is calculated according to the second client key A1' and the stored second server key generation parameter r3: C1 = f2(A1', r3), where the function f2() may be any function that can be used to generate a key, such as a key derivation function (KDF), a hash function, and the like. The function f2() used by the server to generate the server key and the function f1() used by the client to generate the client key may be the same function or different functions.
Subsequently, the server decrypts the stored second private key ciphertext encryption result E1 by using the generated second server key C1 to obtain a private key ciphertext D', and it can be understood that a decryption algorithm for decrypting and an encryption algorithm for encrypting the private key ciphertext should be consistent.
After the decrypted private key ciphertext D' is obtained, the server signs the data to be signed based on the decrypted private key ciphertext D' to obtain a digital signature result. In a specific example, the signing may be completed in combination with the cipher machine, as follows: the server sends an encryption request to the cipher machine, where the encryption request carries the data to be signed and the private key ciphertext D'; the cipher machine signs the data to be signed by using the private key ciphertext D', obtains a digital signature result and returns it to the server. After the server calculates the digital signature result itself or obtains the digital signature result returned by the cipher machine, the server can return the digital signature result to the client, thereby completing the digital signature process.
On the other hand, after obtaining the digital signature result, the server may further calculate a third server key C2 according to the decrypted third client key A2' and the newly generated third server key generation parameter r6: C2 = f2(A2', r6). The function f2() used by the server to generate the server key and the function f1() used by the client to generate the client key may be the same function or different functions.
After the third server key C2 is obtained, the server encrypts the decrypted private key ciphertext D' using the third server key C2 to obtain a third private key ciphertext encryption result E2. Any possible encryption algorithm may be used for this encryption, such as AES, DES, 3DES or SM4.
Then, the server stores the third client key generation parameter r5, the third server key generation parameter r6 and the third private key ciphertext encryption result E2 in association, replacing the stored second client key generation parameter r2, second server key generation parameter r3 and second private key ciphertext encryption result E1. That is, the server no longer stores the second client key generation parameter r2, the second server key generation parameter r3, and the second private key ciphertext encryption result E1, but stores the associated third client key generation parameter r5, third server key generation parameter r6, and third private key ciphertext encryption result E2. In this way, after each digital signature the server always generates a new private key ciphertext encryption result with the participation of the user of the terminal 101, which ensures that the private key ciphertext encryption result used by the server is different each time a digital signature is performed. This prevents back-end personnel of the server from retaining the private key ciphertext in order to forge the user's signature, and further improves the security of the digital security processing.
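The two flows described above (private key escrow, then signing with re-encryption under fresh parameters) can be traced in the following added Python example, which is not code from the patent. Assumptions: f1 is PBKDF2, f2 is HMAC-SHA256, the encryption is a constructed SHA-256 keystream with an HMAC tag standing in for AES/SM4, the `CipherMachine` class and its HMAC "signature" are placeholders for the real cipher machine, and the encryption of B under the server certificate is omitted.

```python
import hashlib
import hmac
import secrets

def f1(pin: str, r: bytes) -> bytes:
    """Client key A = f1(PIN, r); a slow KDF because a PIN has little entropy."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), r, 20_000)

def f2(a: bytes, r: bytes) -> bytes:
    """Server key C = f2(A, r)."""
    return hmac.new(r, a, hashlib.sha256).digest()

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one server key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, data)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("key mismatch (wrong PIN or stale generation parameter)")
    return _xor_stream(enc, nonce, ct)

class CipherMachine:
    """Placeholder cipher machine: the signing key leaves it only as ciphertext D."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._signing_key = secrets.token_bytes(32)

    def export_private_key_ciphertext(self) -> bytes:
        return seal(self._master, self._signing_key)

    def sign(self, d: bytes, data: bytes) -> bytes:
        # HMAC stands in for the asymmetric signature a real device would produce.
        return hmac.new(unseal(self._master, d), data, hashlib.sha256).digest()

class Server:
    def __init__(self, hsm: CipherMachine):
        self.hsm = hsm
        self.record = None    # (client parameter, server parameter, E)
        self.pending = None   # values generated for the exchange in progress

    def escrow_begin(self):
        r1, r2, r3 = secrets.token_hex(3), secrets.token_bytes(16), secrets.token_bytes(16)
        self.pending = (r1, r2, r3)
        return r1, r2                       # escrow response: r1 and r2

    def escrow_finish(self, r1_typed: str, a: bytes):
        r1, r2, r3 = self.pending
        if not hmac.compare_digest(r1_typed, r1):
            raise PermissionError("verification parameter mismatch")
        d = self.hsm.export_private_key_ciphertext()
        self.record = (r2, r3, seal(f2(a, r3), d))    # E = Enc_C(D)

    def sign_begin(self):
        r4, r5, r6 = secrets.token_hex(3), secrets.token_bytes(16), secrets.token_bytes(16)
        self.pending = (r4, r5, r6)
        return self.record[0], r4, r5       # signature response: r2, r4, r5

    def sign_finish(self, r4_typed: str, a1: bytes, a2: bytes, data: bytes) -> bytes:
        r4, r5, r6 = self.pending
        if not hmac.compare_digest(r4_typed, r4):
            raise PermissionError("verification parameter mismatch")
        _, r3, e1 = self.record
        # The tag check fails here on a wrong PIN, before the record is touched.
        d = unseal(f2(a1, r3), e1)
        signature = self.hsm.sign(d, data)
        self.record = (r5, r6, seal(f2(a2, r6), d))   # E2 replaces E1
        return signature

def demo(pin: str = "4821"):
    """Escrow once, sign once; returns the server, the first record, the signature."""
    server = Server(CipherMachine())
    r1, r2 = server.escrow_begin()
    server.escrow_finish(r1, f1(pin, r2))             # user retypes r1, enters PIN
    first_record = server.record
    r2_again, r4, r5 = server.sign_begin()
    sig = server.sign_finish(r4, f1(pin, r2_again), f1(pin, r5), b"order #1")
    return server, first_record, sig

if __name__ == "__main__":
    srv, first, sig = demo()
    print("record rotated:", srv.record != first, "signature:", sig.hex()[:16])
```

Because the stand-in encryption is authenticated, a wrong PIN is rejected before the stored record is re-encrypted; with an unauthenticated cipher the server would need some other way to recognise a wrongly decrypted D' before overwriting E1.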
Based on the examples described above, there is also provided in one embodiment a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the method of any one of the embodiments described above.
FIG. 8 is a diagram illustrating an internal structure of a computer device in one embodiment. The computer device may specifically be the terminal 101 or the server 102 in fig. 1. As shown in fig. 8, the computer device includes a processor, a memory, a network interface, and an input device connected through a system bus. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and may also store a computer program that, when executed by the processor, causes the processor to implement the digital security processing method. The internal memory may also have stored therein a computer program that, when executed by the processor, causes the processor to perform the digital security processing method.
Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or fewer components than those shown, or may combine certain components, or have a different arrangement of components.
It will be understood by those skilled in the art that all or part of the processes in the methods of the embodiments described above may be implemented by a computer program, which is stored in a non-volatile computer readable storage medium, and in the embodiments of the present invention, the program may be stored in the storage medium of a computer system and executed by at least one processor in the computer system to implement the processes of the embodiments including the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Accordingly, in an embodiment, a storage medium is further provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the dot-product protocol processing method according to any one of the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A digital security processing method, comprising the steps of:
sending a digital signature request to a server;
receiving a digital signature response returned by the server based on the digital signature request, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter;
generating a second client key based on the second client key generation parameter, generating a third client key based on the third client key generation parameter, and sending second user authorization information to the server, wherein the second user authorization information carries the second client key and the third client key;
and receiving a digital signature result returned by the server.
2. The method of claim 1, comprising at least one of:
the first item:
the digital signature response also carries a third verification parameter;
before sending the second user authorization information to the server, the method further comprises the following steps: acquiring a fourth verification parameter input by a user;
the second user authorization information also carries the fourth verification parameter;
the second item:
before generating a second client key based on the second client key generation parameter and generating a third client key based on the third client key generation parameter, the method further comprises the following step: acquiring a user identification code;
the generating a second client key based on the second client key generation parameter and generating a third client key based on the third client key generation parameter comprises: generating a second client key based on the second client key generation parameter and the user identification code, and generating a third client key based on the third client key generation parameter and the user identification code;
the third item:
before sending the second user authorization information to the server, the method further comprises the following steps:
and encrypting the second user authorization information by adopting a server certificate public key.
3. The method according to claim 1 or 2, characterized in that before sending the digital signature request to the server, the method further comprises the steps of:
sending a private key escrow request to the server;
receiving a private key escrow response returned by the server, wherein the private key escrow response carries a first client key generation parameter;
and generating a first client key based on the first client key generation parameter, and sending first user authorization information to a server, wherein the first user authorization information carries the first client key.
4. The method of claim 3, comprising at least one of:
the first item:
the private key escrow response also carries a first verification parameter;
before sending the first user authorization information to the server, the method further comprises the following steps: acquiring a second verification parameter input by a user;
the first user authorization information also carries the second verification parameter;
the second item:
before generating the first client key based on the first client key generation parameter, the method further comprises the following steps: acquiring a user identification code;
the step of generating a first client key based on the first client key generation parameter comprises: generating a first client key based on the first client key generation parameter and the user identification code;
the third item:
before sending the first user authorization information to the server, the method further comprises the following steps:
and encrypting the first user authorization information by adopting a server certificate public key.
5. A digital security processing method, comprising the steps of:
receiving a digital signature request sent by a client;
returning a digital signature response to the client, wherein the digital signature response carries a second client key generation parameter and a third client key generation parameter;
receiving second user authorization information returned by the client, wherein the second user authorization information carries a second client key generated by the client based on the second client key generation parameter and a third client key generated based on the third client key generation parameter;
generating a second server key based on the second client key and a second server key generation parameter, and generating a third server key based on a third client key and a third server key generation parameter;
decrypting the stored second private key ciphertext encryption result by using the second server-side key to obtain a private key ciphertext, and signing the data to be signed by using the private key ciphertext to obtain a digital signature result;
and encrypting the private key ciphertext by using the third server-side key to obtain a third private key ciphertext encryption result, and storing the third client-side key generation parameter, the third server-side key generation parameter and the third private key ciphertext encryption result in an associated manner.
6. The method of claim 5, comprising at least one of:
the first item:
the digital signature response also carries a third verification parameter;
the second user authorization information also carries a fourth verification parameter input by the user;
before generating a second server key based on the second client key and a second server key generation parameter, and generating a third server key based on the third client key and a third server key generation parameter, the method further includes the steps of: verifying consistency of the fourth verification parameter and the third verification parameter;
the second item:
after receiving the second user authorization information and before generating a second server key and a third server key, the method further comprises the following steps: decrypting the second user authorization information by using a server certificate private key;
the third item:
the method for signing the data to be signed by using the private key ciphertext to obtain the digital signature result comprises the following steps:
sending an encryption request to a cipher machine, wherein the encryption request carries the data to be signed and the private key ciphertext;
and receiving a digital signature result obtained by signing the data to be signed by adopting the private key ciphertext returned by the cipher machine.
7. The method according to claim 5 or 6, wherein before receiving the digital signature request sent by the client, the method further comprises the steps of:
receiving a private key escrow request sent by the client;
returning a private key escrow response to the client, wherein the private key escrow response carries a first client key generation parameter;
receiving first user authorization information returned by the client, wherein the first user authorization information carries a first client key generated by the client based on the first client key generation parameter;
and obtaining a private key ciphertext, generating a first server side key based on the first client side key and a first server side key generation parameter, and encrypting the private key ciphertext by using the first server side key to obtain a first private key ciphertext encryption result.
8. The method of claim 7, further comprising at least one of:
the first item:
the private key escrow response also carries a first verification parameter; the first user authorization information also carries a second verification parameter input by the user;
before generating the first server-side key based on the first client-side key and the first server-side key generation parameter, the method further comprises the following step: verifying that the second verification parameter is consistent with the first verification parameter;
the second item:
after receiving the first user authorization information and before generating the first server-side key, the method further comprises the following step: decrypting the first user authorization information by using a server certificate private key;
the third item:
the method for obtaining the private key ciphertext comprises the following steps:
sending a private key ciphertext acquisition request to a cipher machine;
and receiving a private key ciphertext returned by the cipher machine based on the private key ciphertext acquisition request.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 8 are implemented when the program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
CN201711481208.XA 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium Active CN108199847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711481208.XA CN108199847B (en) 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium


Publications (2)

Publication Number Publication Date
CN108199847A CN108199847A (en) 2018-06-22
CN108199847B true CN108199847B (en) 2020-09-01

Family

ID=62586849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711481208.XA Active CN108199847B (en) 2017-12-29 2017-12-29 Digital security processing method, computer device, and storage medium

Country Status (1)

Country Link
CN (1) CN108199847B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110098928B (en) * 2019-05-08 2022-02-25 国家电网有限公司 Key generation method and device for collaborative signature
CN111046441B (en) * 2019-10-31 2022-07-12 苏州浪潮智能科技有限公司 Management method, equipment and medium for encrypted hard disk key
CN112073200B (en) * 2020-09-02 2024-06-25 北京五八信息技术有限公司 Signature processing method and device
CN112688784B (en) * 2020-12-23 2023-04-11 中科美络科技股份有限公司 Digital signature and verification method, device and system
CN112581285B (en) * 2020-12-28 2022-12-09 上海万向区块链股份公司 Block chain-based account generation method, system and medium in stock right transaction system
CN113114646B (en) * 2021-04-01 2022-06-21 深圳市腾讯网络信息技术有限公司 Risk parameter determination method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
CN101212293A (en) * 2006-12-31 2008-07-02 普天信息技术研究院 Identity authentication method and system
CN101547095A (en) * 2009-02-11 2009-09-30 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN102571355A (en) * 2012-02-02 2012-07-11 飞天诚信科技股份有限公司 Method and device for importing secret key without landing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8099602B2 (en) * 2008-09-26 2012-01-17 Mykonos Software, Inc. Methods for integrating security in network communications and systems thereof

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212293A (en) * 2006-12-31 2008-07-02 普天信息技术研究院 Identity authentication method and system
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
CN101547095A (en) * 2009-02-11 2009-09-30 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN102571355A (en) * 2012-02-02 2012-07-11 飞天诚信科技股份有限公司 Method and device for importing secret key without landing

Also Published As

Publication number Publication date
CN108199847A (en) 2018-06-22

Similar Documents

Publication Publication Date Title
US10142107B2 (en) Token binding using trust module protected keys
US10785019B2 (en) Data transmission method and apparatus
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US10601801B2 (en) Identity authentication method and apparatus
US11930103B2 (en) Method, user device, management device, storage medium and computer program product for key management
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN111654367B (en) Method for cryptographic operation and creation of working key, cryptographic service platform and device
CN204360381U (en) Mobile device
CN110868291B (en) Data encryption transmission method, device, system and storage medium
CN109861813B (en) Anti-quantum computing HTTPS communication method and system based on asymmetric key pool
CN114697040B (en) Electronic signature method and system based on symmetric key
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN115499118A (en) Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium
CN105847000A (en) Token generation method and communication system based on same
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN109005184A (en) File encrypting method and device, storage medium, terminal
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN114143108A (en) Session encryption method, device, equipment and storage medium
CN112241527B (en) Secret key generation method and system of terminal equipment of Internet of things and electronic equipment
JP2009267900A (en) Key generating device, certificate generating device, service providing system, key generating method, certificate generating method, service providing method, and program
CN110557367A (en) Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography
US20240106633A1 (en) Account opening methods, systems, and apparatuses
CN112927026A (en) Coupon processing method and device, electronic equipment and computer storage medium
CN115442037A (en) Account management method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant