CN103684786A - Method and system for storing digital certificate and binding digital certificate to hardware carrier - Google Patents
Method and system for storing digital certificate and binding digital certificate to hardware carrier Download PDFInfo
- Publication number
- CN103684786A CN103684786A CN201310671316.9A CN201310671316A CN103684786A CN 103684786 A CN103684786 A CN 103684786A CN 201310671316 A CN201310671316 A CN 201310671316A CN 103684786 A CN103684786 A CN 103684786A
- Authority
- CN
- China
- Prior art keywords
- digital certificate
- hardware carrier
- sequence number
- hardware
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for storing a digital certificate and binding the digital certificate to a hardware carrier. The method for storing the digital certificate and binding the digital certificate to the hardware carrier comprises the following steps of obtaining the digital certificate from a CA, obtaining an identification code of the hardware carrier when the digital certificate is installed on the hardware carrier, generating a secret key according to the identification code, encrypting an appointed file type database according to the secret key, and storing the digital certificate in the file type database encrypted through the secret key to accomplish the process that the digital certificate is installed on the hardware carrier. According to the method for storing the digital certificate and binding the digital certificate to the hardware carrier, the digital certificate and the hardware carrier where the digital certificate is located can be effectively bound together when the digital certificate and the hardware carrier are installed for the first time, especially, a private key in a secret key pair related to the digital certificate can be changed through the binding process so that the private key can only be used on the hardware carrier and cannot be used on other hardware carriers, and the digital certificate has safety performance similar to safety performance of a hardware USB Key. The invention further provides a system for storing the digital certificate and binding the digital certificate to the hardware carrier.
Description
Technical field
The present invention relates to digital authentication technology field, particularly the method and system of a kind of storage of digital certificate and hardware carrier binding.
Background technology
Prior art comprises:
Digital certificate of file, as PKCS12 form, JKS form.
Support the USB Key of mobile phone common interfaces, as micro USB interface or audio interface.
Based on wireless connections, as the USB Key of bluetooth or Wifi.
USB Key based on mobile phone plug-in package, as SD Card Key, SIM card Key.
The shortcoming of digital certificate of file:
The private key of document certificate is with plaintext form, to consign to upper infill layer application to call, and hardware USB Key only accepts any feature that calling of cryptographic calculation do not provide private key, after cryptographic calculation completes, operation result is offered to caller.Whole invoked procedure, the private key of digital certificate or symmetric key be all invisible, and can not copy derivation.As can be seen here, the encrypted signature mode of digital certificate of file is not safe and reliable.
Because conventionally document certificate only adopts single password to protect private key, once file is replicated, and user password leaks, and the digital certificate of identifying user identity will be falsely used, and produces serious safety problem.So, document certificate by careful for the not high authentication of risk, encryption and decryption application scenarios, and almost cannot be for possessing the legal third party's certificate of legal effect digital signature applications.
The shortcoming of many interfaces USB Key:
The USB Key of double nip or many interfaces was once becoming the first-selection of mobile device Digital Certificate Security application product on market.But because mobile phone I/O interface standard is more, Mini and Micro USB interface except the use of Android mobile phone, the dock interface that also comprises 4 generations of i Phone, 5 generations, add the USB interface that also will support PC end, the common volume of these type of safety means maybe needs to carry extra patchcord greatly, carries and inconvenience.
The shortcoming of wireless connections USB Key:
But wireless telecommunications scheme bluetooth or Wifi, and be mainly bluetooth.But because this type of product needed is bluetooth power supply, irregular need to charging for USB Key.So use and make troubles to user to a certain extent.
The shortcoming of built-in mobile phone parts USB Key:
This type of password product does not possess versatility.SD Card mode for replacement with encryption chip, needs mobile phone to support SD Card expansion.As very popular i Phone, be built-in 16G, 32G or 64G storage, do not support to insert SD Card.SIM card scheme for replacement with the close chip of valency, because SIM card distribution is limited, can only be operated by common carrier, and between China San great operator, have competitive relation, and communication standard is also different.Add and user arrive the telecommunication business Room to change the cost of SIM card huge, so this scheme is more difficult to the marketization.
In sum, although digital certificate of file cost is low, as security tool, self there is many safety problems; USB Key based on adaptive mobile device I/O device, owing to there is diversity and complexity, does not have a kind of scheme can be general, and experiences very poorly because user need to carry extra means user, adds the hardware cost that this kind equipment is higher, is difficult to the marketization.
Summary of the invention
Object of the present invention is intended at least solve one of described technological deficiency.
For this reason, the object of the invention is to propose a kind of storage of digital certificate and the method that hardware carrier is bound.The method has effectively promoted the fail safe of digital certificate self.
Another object of the present invention is to propose a kind of storage of digital certificate and the system that hardware carrier is bound.
For reaching described object, embodiments of the invention provide a kind of method of storage and hardware carrier binding of digital certificate, comprise the following steps: from CA, obtain digital certificate; While described digital certificate being installed on hardware carrier, obtain the identification code of described hardware carrier; According to described identification code, generate key; According to described key, specified file type database is encrypted; Described digital certificate store is installed to described digital certificate on described hardware carrier to complete in the described file based database application by after described secret key encryption.
According to the method for the embodiment of the present invention, can be by the hardware carrier at digital certificate and its place when installing for the first time, just effectively bound together, the private key of the cipher key pair being especially associated with described digital certificate, by described binding procedure, become and can only on described hardware carrier, use, cannot on other hardware carrier, use, allow digital certificate there is the fail safe that is similar to hardware USB Key.
In addition, the method for the storage of digital certificate according to the above embodiment of the present invention and hardware carrier binding can also have following additional technical characterictic:
In some instances, described complete described digital certificate is installed on described hardware carrier after, also comprise: when using described digital certificate, gather the identification code of current hardware carrier; According to the identification code generating solution decryption key of described current hardware carrier; According to described decruption key, described file based database application is decrypted; After described file based database application successful decryption, from described file based database application, obtain described digital certificate.
In some instances, the identification code of described hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number, or, the identification code of described hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on described hardware carrier.
In some instances, described file based database application being carried out to read-write operation is to be undertaken by the application program of appointment.
In some instances, described certificate information comprises: the issuing organization of digital certificate, date of issue, certificate serial number, certificate subject, certificate extensions, PKI and private key information.
The embodiment of second aspect present invention provides a kind of system of storage and hardware carrier binding of digital certificate, comprising: digital certificate acquisition module, for obtaining digital certificate from CA; Hardware carrier collection apparatus module, when described digital certificate being installed on hardware carrier, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, obtain the identification code of described hardware carrier; Generation module, for generating key according to described identification code; Encryption and decryption module, for according to described key, specified file type database being encrypted, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, described file based database application is decrypted; Memory module, for being installed to described hardware carrier to complete by described digital certificate to the described file based database application by after described secret key encryption by described digital certificate store.
According to the system of the embodiment of the present invention, can be by the hardware carrier at digital certificate and its place when installing for the first time, just effectively bound together, the private key of the cipher key pair being especially associated with described digital certificate, by described binding procedure, become and can only on described hardware carrier, use, cannot on other hardware carrier, use, allow digital certificate there is the fail safe that is similar to hardware USB Key.
In addition, the system of the storage of digital certificate according to the above embodiment of the present invention and hardware carrier binding can also have following additional technical characterictic:
In some instances, also comprise: read module, for described complete described digital certificate is installed on described hardware carrier after and in use during described digital certificate, described encryption and decryption module to described file based database application successful decryption after, from described file based database application, obtain described digital certificate.
In some instances, the identification code of described hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number, or, the identification code of described hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on described hardware carrier.
In some instances, described file based database application being carried out to read-write operation is to be undertaken by the application program of appointment.
In some instances, described certificate information comprises: the issuing organization of digital certificate, date of issue, certificate serial number, certificate subject, certificate extensions, PKI and private key information.
The aspect that the present invention is additional and advantage in the following description part provide, and part will become obviously from the following description, or recognize by practice of the present invention.
Accompanying drawing explanation
Of the present invention and/or additional aspect and advantage will become from the following description of the accompanying drawings of embodiments and obviously and easily understand, wherein:
Fig. 1 is the flow chart of the storage of digital certificate according to an embodiment of the invention and the method for hardware carrier binding;
Fig. 2 is the schematic diagram of the storage of digital certificate according to an embodiment of the invention and the method for hardware carrier binding; And
Fig. 3 is the structured flowchart of the storage of digital certificate according to an embodiment of the invention and the system of hardware carrier binding.
Embodiment
Describe embodiments of the invention below in detail, the example of described embodiment is shown in the drawings, and wherein same or similar label represents same or similar element or has the element of identical or similar functions from start to finish.Below by the embodiment being described with reference to the drawings, be exemplary, only for explaining the present invention, and can not be interpreted as limitation of the present invention.
In description of the invention, it will be appreciated that, term " longitudinally ", " laterally ", " on ", orientation or the position relationship of the indication such as D score, 'fornt', 'back', " left side ", " right side ", " vertically ", " level ", " top ", " end " " interior ", " outward " be based on orientation shown in the drawings or position relationship, only the present invention for convenience of description and simplified characterization, rather than indicate or imply that the device of indication or element must have specific orientation, with specific orientation, construct and operation, therefore can not be interpreted as limitation of the present invention.
In description of the invention, it should be noted that, unless otherwise prescribed and limit, term " installation ", " being connected ", " connection " should be interpreted broadly, for example, can be mechanical connection or electrical connection, also can be the connection of two element internals, can be to be directly connected, and also can indirectly be connected by intermediary, for the ordinary skill in the art, can understand as the case may be the concrete meaning of described term.
It should be noted that, in the following description, the binding of digital certificate and hardware carrier, " binding " that in this specification, occur refers to: " binding " of the private key of the cipher key pair that hardware carrier is relevant to digital certificate.
Technically, first generate a key pair being formed by PKI and private key, then based on this key pair, added the every terms of information that digital certificate is required, according to corresponding PKCS standard, form certificate signature request (CSR), to authentication, take mechanism (CA) and make application.After CA signature, the digital certificate store that CA has been signed to name is in the hardware carriers such as key, hard disk.
Therefore technically, digital certificate is comprised of a plurality of parts, the essential implication of " binding " in above-mentioned term is: the private key of the cipher key pair being associated with described this digital certificate, can only, being successfully completed on the storage of digital certificate of embodiment of the present invention and described this hardware carrier of hardware carrier binding and could having used, cannot on other hardware carrier, use.That is to say, the main body of binding is above-mentioned indication " private key of the cipher key pair being associated with digital certificate ".
The private key of the cipher key pair that hardware carrier is relevant to digital certificate " binding ", is implemented as follows:
With " master key writing during software translating ", " hardware characteristics code ", " PIN code that user arranges " these three factors, according to special variation, combine and obscure, generated a symmetric key.This symmetric key is used to the encryption and decryption process to document data bank.
This symmetric key is all to produce by computing after the condition code of program detection of dynamic hardware carrier at every turn, there is no permanent storage in hardware carrier, only in the necessary time, appears at momently in internal memory, after calculating process completes, is eliminated.
When program need to be used digital certificate at every turn, according to the identical method of the symmetric key of above-mentioned spanned file database, the condition code of detection of dynamic hardware carrier, again produce same symmetric key, use its database of deciphering and open file, thereby obtained the every terms of information of digital certificate.
Appearance each time due to this key, all using the condition code of detection hardware carrier as prerequisite, so when the condition code of hardware carrier changes, or document data bank is copied on other hardware carriers, to generate original key, and then, just cannot obtain any effective information in document data bank.So such programmed logic has guaranteed that digital certificate is only stored on the hardware carrier of initial installation and could effectively use.
By above-mentioned implementation procedure, having obtained digital certificate is only stored in this interrelational form that could effectively use on the hardware carrier of initial installation and is above-mentioned so-called " binding ".
Below in conjunction with accompanying drawing, describe according to the method and system of the storage of the digital certificate of the embodiment of the present invention and hardware carrier binding.
Fig. 1 is the flow chart of the storage of digital certificate according to an embodiment of the invention and the method for hardware carrier binding.As shown in Figure 1, the method for the storage of digital certificate and hardware carrier binding, comprises the steps: according to an embodiment of the invention
Step S101: obtain digital certificate from CA.
Particularly, during to CA application digital certificate, whether the information that CA need to be applied for various means authenticated user is authentic and valid, and authentication mode comprises and is not limited to following means:
User submits the various files relevant to application content in the mode of material object mailing to CA;
With means of communication such as video, phone, voice, Emails, to the real effectiveness of user's verified information;
From previously, by the USB Key hardware certificate of authentication, generated raw information and authentication code, for this verification process is produced evidence.
In addition, obtain the means of digital certificate, can comprise two kinds:
Program directly with CA secure communication, CA, after authenticating, is directly sent to program module by digital certificate, thereby gets certificate;
After application, CA is to by other information channels of authentic applicant, as Email, SMS etc. send authentication code, after applicant receives this authentication code, authentication code is filled up on program interface, and program and CA secure communication, be sent to CA by authentication code, thereby by authentication, obtain digital certificate.
Step S102: while digital certificate being installed on hardware carrier, obtain the identification code of hardware carrier.Wherein, identification code comprises: the processor numbering of hardware carrier, the production code member of hardware carrier are, the one or more combination in the MAC Address of hardware carrier.Particularly, the identification code of hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number, or, the identification code of hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on hardware carrier.
That is to say, the collection of the identification code of hardware carrier (also claiming condition code), on different software platforms, gathers source and is not quite similar, and possible source comprises and is not limited to following list:
Hardware sequence number;
Device name;
Bluetooth Mac address;
WIFI Mac address;
IMEI;
Mobile phone model;
CPU numbering;
Mainboard sequence number;
Hard disk sequence number;
Memory bar sequence number;
Graphics card/display sequence number;
Battery sequence number.
In addition, can also generate random UUID, and with the common permanent storage of software module on hardware carrier, as supplementing of hardware carrier feature, as a part for condition code.
Hardware carrier condition code can be used all or part of information of above list.
Step S103: generate key according to identification code.
Step S104: be encrypted according to key-pair file type database;
Step S105: digital certificate store is installed to digital certificate on hardware carrier to complete in the file based database application after encrypting.
It should be noted that, it is to be undertaken by the application program of appointment that file based database application is carried out to read-write operation.Wherein, the application program of appointment realizes by software systems, and so-called " application program of appointment " is exactly the software systems of exploitation, or a part for system.It is the software systems of developing in order to realize the application's method, can use " these software systems ", " this software ", " this program " or " program module " to explain the application program of above-mentioned appointment.
Specifically, traditionally, digital certificate is preserved on computers with binary file or text form, digital certificate for document form, has preserved the information such as issuing organization, date of issue, certificate serial number, certificate subject, certificate extensions, PKI, private key with the form of plaintext or reversible encoding.And in the method for the embodiment of the present invention, above-mentioned every terms of information (certificate information) is stored in file based database application, allow the software module (i.e. the application program of appointment) that certificate information can only be corresponding by the file based database application with above-mentioned read, and cannot by file etc., directly read simply, thereby improved significantly the fail safe of digital certificate.
The method of the embodiment of the present invention, digital certificate is combined with its hardware carrier (i.e. binding), when digital certificate is installed (as digital certificate is installed for the first time on hardware carrier), by the identification code of acquisition hardware carrier, as information such as the product coding of the CPU numbering of hardware carrier, hardware carrier, MAC Address, through being for conversion into unique identification code, for distinguishing other hardware carrier.Then this identification code and other factors are combined, generate unique symmetric key (being key), use this key to encrypt above-mentioned file based database application.
It should be noted that key only occurs when computing in the internal memory of hardware carrier temporarily, does not persist.
Further, after completing digital certificate is installed on hardware carrier, also comprise:
Step S106: when using digital certificate, gather the identification code of current hardware carrier.
Step S107: according to the identification code generating solution decryption key of current hardware carrier.
Step S108: file based database application is decrypted according to decruption key.
Step S109: after file based database application successful decryption, obtain digital certificate from file based database application.
Specifically, digital certificate is follow-up while using each time, and software module all can dynamically check the running environment at its place, the identification code of acquisition hardware carrier, uses and generates key same procedure when digital certificate is installed, again generate key, for untiing the enciphered message of file based database application.If the relevant environment of hardware carrier does not change, key is identical, successful decryption, smooth opening file based database application; If relevant environment changes, the key that cannot obtain using for the first time, Decryption failures, certificate information that the digital certificate preserved in cannot file reading type database is relevant etc.
According to the method for the embodiment of the present invention, can be by the hardware carrier at digital certificate and its place when installing for the first time, just effectively bound together, the private key of the cipher key pair being especially associated with described digital certificate, by described binding procedure, become and can only on described hardware carrier, use, cannot on other hardware carrier, use, allow digital certificate there is the fail safe that is similar to hardware USB Key.
Shown in Fig. 2, the method for the embodiment of the present invention, function is identical with hardware USB Key with characteristic, and can externally provide the calculation functions such as signature, encryption and decryption by standard P KCS11 interface.PKCS11 is one group of function interface, while calling, private key is not offered to upper layer application, but receive data, is encrypted computing and operation result is returned.
Can be identical with USB Key, the method for the embodiment of the present invention is supported SO PIN and User PIN.User arranges User PIN code to private key being carried out to the protection of unauthorized access, and the User PIN of user's input just opens a part for the key of cryptographic key containers.Actual key produces when cryptographic key containers initialization, three parts, consist of, first is two or more characteristic values of unique identification hardware carrier, and second portion is the special master key of setting, when software translating, write, third part is only the User PIN code that user arranges.This three part will combine and obscure according to special variation, the final encryption key generating for encryption key container.Hence one can see that, and the method for the embodiment of the present invention is compared safety and reliability with PKCS12 formatted file certificate, even under attack, causes cryptographic key containers to be copied, and appropriator also cannot be opened cryptographic key containers because facility environment changes.The method can be guaranteed secret key safety, and then reaches the safe class that is similar to hardware encryption chip.
The file type data relevant to digital certificate can adopt micro database sqlite, adopts aes algorithm encrypting storing in database various keys, certificate information.At every turn for the access of database, all can dynamic detecting equipment characteristic, generating solution decryption key, has avoided take the unauthorized access that copy data library file is means.
Except key algorithm, the method can, by the PKCS11 function interface of standard is provided, for upper layer application provides the layer of the Helper based on PKCS11, comprise PKCS7, PKCS12 function library and the far call function library relevant to CA.For Android system, USB Key also provides the Provider of the JCE/JCA based on PKCS11, can facilitate Android developer to call simply and easily, and without understanding PKCS11 rudimentary knowledge.
Again in conjunction with shown in Fig. 2, can bind by method and the hardware carrier encrypted, and the cross-platform micro database based on Sqlite, common cryptographic algorithms' implementation also comprised, as RSA, SM2 asymmetric key algorithm, symmetric key algorithm AES, DES, 3DES, SM1, SM2 etc.
According to the method for the embodiment of the present invention, tool has the following advantages:
Promoted the fail safe of digital certificate, digital certificate also can be deployed on Portable tablet personal computer or Handheld computing device, make hardware carrier itself there is the function identical with USB Key, compare with the scheme of various additional firmware, significantly reduced realization, deployment, operation and maintenance cost.
The further embodiment of the present invention provides a kind of system of storage and hardware carrier binding of digital certificate.As shown in Figure 3, the system 300 of the storage of digital certificate and hardware carrier binding comprises according to an embodiment of the invention: digital certificate acquisition module 310, hardware carrier collection apparatus module 320, generation module 330, encryption and decryption module 340 and memory module 350.
Particularly, digital certificate acquisition module 310 is for obtaining digital certificate from CA.Hardware carrier collection apparatus module 320 when described digital certificate being installed on hardware carrier, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, obtain the identification code of described hardware carrier.Generation module 330 is for generating key according to identification code.Encryption and decryption module stores module 340 is for being encrypted specified file type database according to described key, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, described file based database application is decrypted; Memory module 350 is for being installed to described hardware carrier to complete by described digital certificate to the described file based database application by after described secret key encryption by described digital certificate store.It is to be undertaken by the application program of appointment that file based database application is carried out to read-write operation.
Wherein, the identification code of hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number, or, the identification code of hardware carrier comprises: hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, the combination of one or more of graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on hardware carrier.
That is to say, identification code includes but not limited to:
1) hardware sequence number
2) device name
3) bluetooth Mac address
4) WIFI Mac address
5)IMEI
6) mobile phone model
7) CPU numbering
8) mainboard sequence number
9) hard disk sequence number
10) memory bar sequence number
11) graphics card/display sequence number
12) battery sequence number
In addition, program can also generate random UUID, and on hardware carrier, UUID supplements as hardware carrier feature, as a part for described identification code with the common permanent storage of software module.
Described hardware carrier identification code may use above enumerate or enumerate outside in one or more combinations.
Certificate information comprises: the issuing organization of digital certificate, date of issue, certificate serial number, certificate subject, certificate extensions, PKI and private key information.
The system 300 of the storage of the digital certificate of the embodiment of the present invention and hardware carrier binding, also comprise: read module (not shown), read module, for described complete described digital certificate is installed on described hardware carrier after and in use during described digital certificate, described encryption and decryption module to described file based database application successful decryption after, from described file based database application, obtain described digital certificate.
Specifically, traditionally, digital certificate is preserved on computers with binary file or text form, digital certificate for document form, has preserved the information such as issuing organization, date of issue, certificate serial number, certificate subject, certificate extensions, PKI, private key with the form of plaintext or reversible encoding.And in the system of the embodiment of the present invention, above-mentioned every terms of information (certificate information) is stored in file based database application, allow the software module (i.e. the application program of appointment) that certificate information can only be corresponding by the file based database application with above-mentioned read, and cannot by file etc., directly read simply, thereby improved significantly the fail safe of digital certificate.
The system of the embodiment of the present invention, digital certificate is combined with its hardware carrier (i.e. binding), when digital certificate is installed (as digital certificate is installed for the first time on hardware carrier), by the identification code of acquisition hardware carrier, as information such as the product coding of the CPU numbering of hardware carrier, hardware carrier, MAC Address, through being for conversion into unique identification code, for distinguishing other hardware carrier.Then this identification code and other factors are combined, generate unique symmetric key (being key), use this key to encrypt above-mentioned file based database application.
It should be noted that key only occurs when computing in the internal memory of hardware carrier temporarily, does not persist.
Digital certificate is follow-up while using each time, software module all can dynamically check the running environment at its place, the identification code of acquisition hardware carrier, with generating key same procedure when digital certificate is installed, again generate key, for untiing the enciphered message of file based database application.If the relevant environment of hardware carrier does not change, key is identical, successful decryption, smooth opening file based database application; If relevant environment changes, the key that cannot obtain using for the first time, Decryption failures, certificate information that the digital certificate preserved in cannot file reading type database is relevant etc.
According to the system of the embodiment of the present invention, can be by the hardware carrier at digital certificate and its place when installing for the first time, just effectively bound together, the private key of the cipher key pair being especially associated with described digital certificate, by described binding procedure, become and can only on described hardware carrier, use, cannot on other hardware carrier, use, allow digital certificate there is the fail safe that is similar to hardware USB Key.
Shown in Fig. 2, the system of the embodiment of the present invention, function is identical with hardware USB Key with characteristic, can and externally provide the calculation functions such as signature, encryption and decryption by standard P KCS11 interface.PKCS11 is one group of function interface, while calling, private key is not offered to upper layer application, but receive data, is encrypted computing and operation result is returned.
Can be identical with USB Key, the system of the embodiment of the present invention is supported SO PIN and User PIN.User arranges User PIN code to private key being carried out to the protection of unauthorized access, and the User PIN of user's input just opens a part for the key of cryptographic key containers.Actual key produces when cryptographic key containers initialization, three parts, consist of, first is two or more characteristic values of unique identification hardware carrier, and second portion is the special master key of setting, when software translating, write, third part is only the User PIN code that user arranges.This three part will combine and obscure according to special variation, the final encryption key generating for encryption key container.Hence one can see that, and the system of the embodiment of the present invention is compared safety and reliability with PKCS12 formatted file certificate, even under attack, causes cryptographic key containers to be copied, and appropriator also cannot be opened cryptographic key containers because facility environment changes.This system can be guaranteed secret key safety, and then reaches the safe class that is similar to hardware encryption chip.
The file type data relevant to digital certificate can adopt micro database sqlite, adopts aes algorithm encrypting storing in database various keys, certificate information.At every turn for the access of database, all can dynamic detecting equipment characteristic, generating solution decryption key, has avoided take the unauthorized access that copy data library file is means.
Except key algorithm, this system can, by the PKCS11 function interface of standard is provided, for upper layer application provides the layer of the Helper based on PKCS11, comprise PKCS7, PKCS12 function library and the far call function library relevant to CA.For Android system, USB Key also provides the Provider of the JCE/JCA based on PKCS11, can facilitate Android developer to call simply and easily, and without understanding PKCS11 rudimentary knowledge.
Again in conjunction with shown in Fig. 2, can bind by method and the hardware carrier encrypted, and the cross-platform micro database based on Sqlite, common cryptographic algorithms' implementation also comprised, as RSA, SM2 asymmetric key algorithm, symmetric key algorithm AES, DES, 3DES, SM1, SM2 etc.
According to the system of the embodiment of the present invention, tool has the following advantages:
Promoted the fail safe of digital certificate, digital certificate also can be deployed on Portable tablet personal computer or Handheld computing device, make hardware carrier itself there is the function identical with USB Key, compare with the scheme of various additional firmware, significantly reduced realization, deployment, operation and maintenance cost.
In the description of this specification, the description of reference term " embodiment ", " some embodiment ", " example ", " concrete example " or " some examples " etc. means to be contained at least one embodiment of the present invention or example in conjunction with specific features, structure, material or the feature of this embodiment or example description.In this manual, the schematic statement of described term is not necessarily referred to identical embodiment or example.And the specific features of description, structure, material or feature can be with suitable mode combinations in any one or more embodiment or example.
Although illustrated and described embodiments of the invention, for the ordinary skill in the art, be appreciated that without departing from the principles and spirit of the present invention and can carry out multiple variation, modification, replacement and modification to these embodiment, scope of the present invention is by claims and be equal to and limit.
Claims (10)
1. a method for the storage of digital certificate and hardware carrier binding, is characterized in that, comprises the following steps:
From CA, obtain digital certificate;
While described digital certificate being installed on hardware carrier, obtain the identification code of described hardware carrier;
According to described identification code, generate key;
According to described key, specified file type database is encrypted;
Described digital certificate store is installed to described digital certificate on described hardware carrier to complete in the described file based database application by after described secret key encryption.
2. the method for the storage of digital certificate according to claim 1 and hardware carrier binding, is characterized in that, described complete described digital certificate is installed on described hardware carrier after, also comprise:
When using described digital certificate, gather the identification code of current hardware carrier;
According to the identification code generating solution decryption key of described current hardware carrier;
According to described decruption key, described file based database application is decrypted;
After described file based database application successful decryption, from described file based database application, obtain described digital certificate.
3. the method that the storage of digital certificate according to claim 1 and hardware carrier are bound, it is characterized in that, the identification code of described hardware carrier comprises: the combination of one or more of hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, graphics card/display sequence number and battery sequence number
Or the identification code of described hardware carrier comprises: the combination of one or more of hardware sequence number, device name, bluetooth Mac address, WIFIMac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on described hardware carrier.
4. the method for the storage of digital certificate according to claim 1 and hardware carrier binding, is characterized in that, it is to be undertaken by the application program of appointment that described file based database application is carried out to read-write operation.
5. the method that the storage of digital certificate according to claim 1 and hardware carrier are bound, it is characterized in that, described certificate information comprises: the issuing organization of digital certificate, date of issue, certificate serial number, certificate subject, certificate extensions, PKI and private key information.
6. a system for the storage of digital certificate and hardware carrier binding, is characterized in that, comprising:
Digital certificate acquisition module, for obtaining digital certificate from CA;
Hardware carrier collection apparatus module, when described digital certificate being installed on hardware carrier, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, obtain the identification code of described hardware carrier;
Generation module, for generating key according to described identification code;
Encryption and decryption module, for according to described key, specified file type database being encrypted, and described complete described digital certificate is installed on described hardware carrier after and when using described digital certificate, described file based database application is decrypted;
Memory module, for being installed to described hardware carrier to complete by described digital certificate to the described file based database application by after described secret key encryption by described digital certificate store.
7. the system that the storage of digital certificate according to claim 6 and hardware carrier are bound, it is characterized in that, also comprise: read module, for described complete described digital certificate is installed on described hardware carrier after and in use during described digital certificate, described encryption and decryption module to described file based database application successful decryption after, from described file based database application, obtain described digital certificate.
8. the system that the storage of digital certificate according to claim 6 and hardware carrier are bound, it is characterized in that, the identification code of described hardware carrier comprises: the combination of one or more of hardware sequence number, device name, bluetooth Mac address, WIFI Mac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, graphics card/display sequence number and battery sequence number
Or the identification code of described hardware carrier comprises: the combination of one or more of hardware sequence number, device name, bluetooth Mac address, WIFIMac address, IMEI, unit type, CPU numbering, mainboard sequence number, hard disk sequence number, memory bar sequence number, graphics card/display sequence number and battery sequence number and with by program, generate and be kept in advance the combination of the random UUID on described hardware carrier.
9. the system of the storage of digital certificate according to claim 6 and hardware carrier binding, is characterized in that, it is to be undertaken by the application program of appointment that described file based database application is carried out to read-write operation.
10. the system that the storage of digital certificate according to claim 6 and hardware carrier are bound, it is characterized in that, described certificate information comprises: the issuing organization of digital certificate, date of issue, certificate serial number, certificate subject, certificate extensions, PKI and private key information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310671316.9A CN103684786A (en) | 2013-12-10 | 2013-12-10 | Method and system for storing digital certificate and binding digital certificate to hardware carrier |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310671316.9A CN103684786A (en) | 2013-12-10 | 2013-12-10 | Method and system for storing digital certificate and binding digital certificate to hardware carrier |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103684786A true CN103684786A (en) | 2014-03-26 |
Family
ID=50321180
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310671316.9A Pending CN103684786A (en) | 2013-12-10 | 2013-12-10 | Method and system for storing digital certificate and binding digital certificate to hardware carrier |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103684786A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105184121A (en) * | 2015-09-02 | 2015-12-23 | 上海繁易电子科技有限公司 | Hardware authorization system and method using remote server |
CN106899413A (en) * | 2017-04-07 | 2017-06-27 | 深圳奥联信息安全技术有限公司 | Digital signature authentication method and system |
EP3193262A4 (en) * | 2014-09-09 | 2017-07-19 | ZTE Corporation | Database operation method and device |
CN107092503A (en) * | 2017-03-28 | 2017-08-25 | 武汉斗鱼网络科技有限公司 | The method and system that mobile terminal small data UUID is permanently stored |
CN107994983A (en) * | 2017-11-24 | 2018-05-04 | 郑州云海信息技术有限公司 | A kind of rule base dynamic encrypting method based on sqlite3 |
CN108712412A (en) * | 2018-05-15 | 2018-10-26 | 北京五八信息技术有限公司 | A kind of encryption and decryption method of database, device, storage medium and terminal |
CN109951277A (en) * | 2019-03-12 | 2019-06-28 | 广州小鹏汽车科技有限公司 | Virtual key binding method and system |
CN109960996A (en) * | 2018-06-15 | 2019-07-02 | 深圳市云钻科技有限公司 | It is a kind of to judge jewelry product system and method whether corresponding with certificate |
CN112784303A (en) * | 2021-01-26 | 2021-05-11 | 政采云有限公司 | File encryption method, device, system and storage medium |
CN113139162A (en) * | 2019-06-11 | 2021-07-20 | 第四范式(北京)技术有限公司 | Software verification method, software and hardware binding method and programmable device thereof |
CN115296854A (en) * | 2022-07-08 | 2022-11-04 | 中金金融认证中心有限公司 | Method for binding intelligent cipher key and terminal and related product |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1373423A (en) * | 2001-02-28 | 2002-10-09 | 黎明网络有限公司 | Information security processing system and method for electric business |
CN1918526A (en) * | 2004-04-30 | 2007-02-21 | 富士通株式会社 | Information management device and information management method |
CN103037366A (en) * | 2011-09-30 | 2013-04-10 | 卓望数码技术(深圳)有限公司 | Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique |
CN103414699A (en) * | 2013-07-23 | 2013-11-27 | 北京星网锐捷网络技术有限公司 | Authentication method for client certificate, server and client |
-
2013
- 2013-12-10 CN CN201310671316.9A patent/CN103684786A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1373423A (en) * | 2001-02-28 | 2002-10-09 | 黎明网络有限公司 | Information security processing system and method for electric business |
CN1918526A (en) * | 2004-04-30 | 2007-02-21 | 富士通株式会社 | Information management device and information management method |
CN103037366A (en) * | 2011-09-30 | 2013-04-10 | 卓望数码技术(深圳)有限公司 | Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique |
CN103414699A (en) * | 2013-07-23 | 2013-11-27 | 北京星网锐捷网络技术有限公司 | Authentication method for client certificate, server and client |
Non-Patent Citations (1)
Title |
---|
唐志红,: ""PKI/CA在电力行业中的应用"", 《2005年全国发电企业信息化技术研讨会》 * |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3193262A4 (en) * | 2014-09-09 | 2017-07-19 | ZTE Corporation | Database operation method and device |
CN105184121A (en) * | 2015-09-02 | 2015-12-23 | 上海繁易电子科技有限公司 | Hardware authorization system and method using remote server |
CN107092503A (en) * | 2017-03-28 | 2017-08-25 | 武汉斗鱼网络科技有限公司 | The method and system that mobile terminal small data UUID is permanently stored |
CN106899413B (en) * | 2017-04-07 | 2020-05-08 | 深圳奥联信息安全技术有限公司 | Digital signature verification method and system |
CN106899413A (en) * | 2017-04-07 | 2017-06-27 | 深圳奥联信息安全技术有限公司 | Digital signature authentication method and system |
CN107994983A (en) * | 2017-11-24 | 2018-05-04 | 郑州云海信息技术有限公司 | A kind of rule base dynamic encrypting method based on sqlite3 |
CN108712412A (en) * | 2018-05-15 | 2018-10-26 | 北京五八信息技术有限公司 | A kind of encryption and decryption method of database, device, storage medium and terminal |
CN109960996A (en) * | 2018-06-15 | 2019-07-02 | 深圳市云钻科技有限公司 | It is a kind of to judge jewelry product system and method whether corresponding with certificate |
CN109951277A (en) * | 2019-03-12 | 2019-06-28 | 广州小鹏汽车科技有限公司 | Virtual key binding method and system |
CN111698664A (en) * | 2019-03-12 | 2020-09-22 | 广州小鹏汽车科技有限公司 | Virtual key binding method and system |
CN111698664B (en) * | 2019-03-12 | 2023-09-15 | 广州小鹏汽车科技有限公司 | Virtual key binding method and system |
US11882509B2 (en) | 2019-03-12 | 2024-01-23 | Guangzhou Chengxing Zhidong Motors Technology Co., Ltd. | Virtual key binding method and system |
CN113139162A (en) * | 2019-06-11 | 2021-07-20 | 第四范式(北京)技术有限公司 | Software verification method, software and hardware binding method and programmable device thereof |
CN112784303A (en) * | 2021-01-26 | 2021-05-11 | 政采云有限公司 | File encryption method, device, system and storage medium |
CN112784303B (en) * | 2021-01-26 | 2022-11-22 | 政采云有限公司 | File encryption method, device, system and storage medium |
CN115296854A (en) * | 2022-07-08 | 2022-11-04 | 中金金融认证中心有限公司 | Method for binding intelligent cipher key and terminal and related product |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103684786A (en) | Method and system for storing digital certificate and binding digital certificate to hardware carrier | |
ES2970201T3 (en) | Personal identification system with contactless card | |
CN110766383B (en) | Digital wallet supporting anonymous or real-name offline transaction and use method | |
CA2832348C (en) | Managing data for authentication devices | |
CN103907308A (en) | Host device, semiconductor memory device, and authentication method | |
CN102163267A (en) | Solid state disk as well as method and device for secure access control thereof | |
US12069173B2 (en) | Key recovery based on contactless card authentication | |
CN103269271A (en) | Method and system for back-upping private key in electronic signature token | |
CN101771680B (en) | Method for writing data to smart card, system and remote writing-card terminal | |
CN114629639A (en) | Key management method and device based on trusted execution environment and electronic equipment | |
CN103914662A (en) | Access control method and device of file encrypting system on the basis of partitions | |
CA2921718A1 (en) | Facilitating secure transactions using a contactless interface | |
CN107196907A (en) | A kind of guard method of Android SO files and device | |
CN109903052A (en) | A kind of block chain endorsement method and mobile device | |
CN101770559A (en) | Data protecting device and data protecting method | |
CN107944234A (en) | A kind of brush machine control method of Android device | |
WO2015168878A1 (en) | Payment method and device and payment factor processing method and device | |
CN103370718B (en) | Use the data guard method of distributed security key, equipment and system | |
CN101174941A (en) | Off-line digital copyright protection method and device for mobile terminal document | |
CN101127013A (en) | Enciphered mobile storage apparatus and its data access method | |
CN104504309A (en) | Data encryption method and terminal for application program | |
US10313132B2 (en) | Method and system for importing and exporting configurations | |
CN103514540A (en) | USBKEY business realization method and system | |
CN101794260A (en) | Automatically imported method of encryption key for mobile storage device | |
KR20120044678A (en) | A quality test method of dermatoglyphic patterns analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C41 | Transfer of patent application or patent right or utility model | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20151217 Address after: 100085, building 4, building 7, eight Street, Haidian District, Beijing, Applicant after: Beijing Tiancheng Shun Polytron Technologies Inc Address before: 100080 Beijing city Haidian District No. 6 Zhichun Road Jinqiu International Building block A 14 room 1401 Applicant before: Beijing iTrusChina Co., Ltd. |
|
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20140326 |