CN111698093B - Digital timestamp issuing and verifying method based on PKI system - Google Patents
- Publication number
- CN111698093B
- Authority
- CN
- China
- Prior art keywords
- digital
- digital certificate
- tsa
- timestamp
- digital signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Description
Technical field
The invention relates to the field of digital-signature information security, and specifically to a method for issuing and verifying digital timestamps based on a PKI system.
Background
With the growing popularity of the Internet in recent years, electronic medical records will gradually replace traditional paper records, provided all diagnostic, legal and administrative requirements are met, enabling electronic management of personal health status and medical care information. Digital signature technology has developed in response, and the non-repudiation of a physician's digital signature is one of its important functions. When a medical dispute arises, there must be evidence to verify the identity of the physician or medical technician involved, but identity information alone is not enough, because the responsible physician or medical technician may tamper with the medical record after the fact. To prevent this, timestamp information recognized by law and by third parties must be attached at the moment of signing.
Much work has focused on the process of issuing and verifying timestamps. For example, a simple timestamp issuance consists of three steps: the user sends the medical record document W to the timestamp authority (TSA); the TSA appends the current time T and the document's unique identifier ID to W to form a new electronic signature S; and the TSA sends S to the user. This protocol is not feasible in practice. It raises problems with the confidentiality of the medical record document W, with file integrity during upload and storage, with resource utilization when files are large, and with the trustworthiness of the signature, since the TSA and the user may collude to deceive. Building on these steps, researchers proposed an improved TSA trusted-timestamp scheme that replaces the original medical record document W with the document's digest value H and uses digital signatures during transmission. This solves the confidentiality, integrity and resource utilization problems well, but it does not technically solve the trustworthiness problem of the timestamp authority colluding with the user to change the signature during the digital signature process.
Summary of the invention
The purpose of the present invention is to address the defects of the prior art by providing a method for issuing and verifying digital timestamps based on a PKI system, so as to solve the problems raised in the background above.
To achieve this purpose, the present invention provides the following technical solution: a method for issuing and verifying digital timestamps based on a PKI system, comprising the following steps:
Step (1): obtain the digital certificate provided by the PKI certification authority (CA) and the timestamp service provided by the timestamp authority (TSA);
Step (2): create the message digest value h of the XML medical record document W using a hash function;
Step (1a): the physician applies to the certification authority CA for a digital certificate and obtains a legal identity;
Step (1b): the CA authorizes the TSA to provide the timestamp service, issues a digital certificate to it, and supervises its behavior (the TSA's digital certificate can be revoked if necessary);
Step (3): use the private key data of the digital certificate to perform an encryption operation on the message digest value h according to the encryption principle, creating the digital signature s = SIG_doctor(h), and send (s, h) and the digital certificate to the TSA;
Step (4): the TSA decrypts the digital signature s using the public key data in the digital certificate, attaches the timestamp information, and encrypts with the private key data corresponding to the digital certificate to generate a new digital signature S;
Step (4a): the TSA uses the public key data in the sender's digital certificate, together with the encryption algorithm, to decrypt the received digital signature and obtain the message digest value H;
Step (4b): compare the decrypted message digest value H with the original message digest value h; if they are not equal, send an error message to the requester; if they are equal, take the exact time t at which the request was received, the serial number ID of this timestamp request and the message digest value H as one data block and encrypt it with the private key corresponding to the digital certificate to form the new digital signature S = SIG_TSA(ID, H, t);
Step (5): the TSA sends the new digital signature S and its own digital certificate back to the sender, and saves a local backup;
Step (6): the sender verifies the trustworthiness of the TSA digital timestamp through the PKI mechanism;
Step (6a): the sender verifies the trustworthiness of the TSA digital certificate through the PKI mechanism; if verification passes, the digital timestamp is shown to be trustworthy, and the sender keeps the timestamped digital signature S;
Step (6b): when the sender needs to verify the time at which the XML medical record document W was produced, the PKI certification authority CA can use the public key in the TSA digital certificate to verify the authenticity of the timestamp and so establish whether the document W has legal effect.
Beneficial effects of the invention: the method for issuing and verifying digital timestamps based on a PKI system proposed by the present invention fully considers the timestamp authentication requirements of digital signatures on medical record documents. It also better solves the trustworthiness problem of the timestamp authority TSA colluding with the user to change the signature during the digital signature process, and strengthens the non-repudiation of the data.
Description of the drawings
Figure 1 is a flow chart of the present invention.
Detailed description
The preferred embodiments of the present invention are described in detail below, so that the advantages and features of the invention can be more easily understood by those skilled in the art and the scope of protection of the invention can be defined more clearly.
Embodiment 1: referring to Figure 1, the present invention provides a technical solution, a method for issuing and verifying digital timestamps based on a PKI system. The implementation steps are as follows:
(1) Obtain the digital certificate provided by the PKI certification authority (CA) and the timestamp service provided by the timestamp authority (TSA);
(1a) The physician applies to the certification authority CA for a digital certificate and obtains a legal identity;
(1b) The CA authorizes the TSA to provide the timestamp service, issues a digital certificate to it, and supervises its behavior (the TSA's digital certificate can be revoked if necessary);
(2) Create the message digest value h of the XML medical record document W using a hash function;
(3) Use the private key data of the digital certificate to perform an encryption operation on the message digest value h according to the encryption principle, creating the digital signature s = SIG_doctor(h), and send (s, h) and the digital certificate to the TSA;
(4) The TSA decrypts the digital signature s using the public key data in the digital certificate, attaches the timestamp information, and encrypts with the private key data corresponding to the digital certificate to generate a new digital signature S;
(4a) The TSA uses the public key data in the sender's digital certificate, together with the encryption algorithm, to decrypt the received digital signature and obtain the message digest value H;
(4b) Compare the decrypted message digest value H with the original message digest value h; if they are not equal, send an error message to the requester; if they are equal, take the exact time t at which the request was received, the serial number ID of this timestamp request and the message digest value H as one data block and encrypt it with the private key corresponding to the digital certificate to form the new digital signature S = SIG_TSA(ID, H, t);
(5) The TSA sends the new digital signature S and its own digital certificate back to the sender, and saves a local backup;
(6) The sender verifies the trustworthiness of the TSA digital timestamp through the PKI mechanism;
(6a) The sender verifies the trustworthiness of the TSA digital certificate through the PKI mechanism; if verification passes, the digital timestamp is shown to be trustworthy, and the sender keeps the timestamped digital signature S;
(6b) When the sender needs to verify the time at which the XML medical record document W was produced, the PKI certification authority CA can use the public key in the TSA digital certificate to verify the authenticity of the timestamp and so establish whether the document W has legal effect.
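The flow of steps (2) to (6b), as an added Go example that is not the patent's code or its C# system. It assumes that bare RSA public keys stand in for the CA-issued certificates (chain and revocation checks are omitted), and that RSA PKCS#1 v1.5 with SHA-256, the 2048-bit key size, the byte encoding of (ID, H, t) and all type and function names are choices of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Request is step (3): (s, h) plus the signer's public key, standing in for the certificate.
type Request struct {
	Digest, Signature []byte // h = SHA-256(W), s = SIG_doctor(h)
	SignerKey         *rsa.PublicKey
}

// Token is step (5): ID, H and t, plus S = SIG_TSA(ID, H, t).
type Token struct {
	ID                uint64
	Digest, Signature []byte
	Time              time.Time
}

// TSA holds the signing key, the serial counter and the local backup of issued tokens.
type TSA struct {
	Key    *rsa.PrivateKey
	nextID uint64
	Issued map[uint64]*Token
}

// NewKey generates an RSA key pair; 2048 bits is an assumption of this example.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewTSA() *TSA { return &TSA{Key: NewKey(), Issued: map[uint64]*Token{}} }

// signedDigest hashes a fixed-width encoding of ID and t followed by H.
func signedDigest(id uint64, h []byte, t time.Time) []byte {
	buf := make([]byte, 16, 16+len(h))
	binary.BigEndian.PutUint64(buf[0:8], id)
	binary.BigEndian.PutUint64(buf[8:16], uint64(t.UnixNano()))
	sum := sha256.Sum256(append(buf, h...))
	return sum[:]
}

// NewRequest performs steps (2) and (3) on the document bytes W.
func NewRequest(doc []byte, signer *rsa.PrivateKey) (*Request, error) {
	h := sha256.Sum256(doc)
	s, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &Request{Digest: h[:], Signature: s, SignerKey: &signer.PublicKey}, nil
}

// Issue performs steps (4a), (4b) and (5): check s against h, then sign (ID, H, t).
func (a *TSA) Issue(req *Request, now time.Time) (*Token, error) {
	if req.SignerKey == nil || len(req.Digest) != sha256.Size ||
		rsa.VerifyPKCS1v15(req.SignerKey, crypto.SHA256, req.Digest, req.Signature) != nil {
		return nil, errors.New("request rejected: s is not a valid signature over h")
	}
	id := a.nextID + 1
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.Key, crypto.SHA256, signedDigest(id, req.Digest, now))
	if err != nil {
		return nil, err
	}
	a.nextID = id
	tok := &Token{ID: id, Digest: req.Digest, Signature: sig, Time: now}
	a.Issued[id] = tok // local backup, step (5)
	return tok, nil
}

// VerifyToken is the step (6b) check: W must hash to H and S must verify under the TSA key.
func VerifyToken(doc []byte, tok *Token, tsaKey *rsa.PublicKey) error {
	h := sha256.Sum256(doc)
	if !bytes.Equal(h[:], tok.Digest) {
		return errors.New("document does not match the timestamped digest")
	}
	return rsa.VerifyPKCS1v15(tsaKey, crypto.SHA256, signedDigest(tok.ID, tok.Digest, tok.Time), tok.Signature)
}

func main() {
	doc, tsa := []byte("<record>constructed sample</record>"), NewTSA()
	req, err := NewRequest(doc, NewKey())
	if err != nil {
		panic(err)
	}
	tok, err := tsa.Issue(req, time.Now())
	fmt.Println("issued:", err == nil, "verifies:", err == nil && VerifyToken(doc, tok, &tsa.Key.PublicKey) == nil)
}
```

Because t and ID are inside the signed block, changing either one after issuance, or changing W, makes `VerifyToken` fail.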
To verify the effectiveness of the method in this patent, a medical record timestamp issuance and verification system was designed on the basis of the digital timestamp issuance and verification flow above, using the C# development environment and the Visual Studio 2010 runtime environment. Its core is to provide a timestamp service to medical staff so that medical record documents can be timestamped conveniently. The system uses stream sockets as its transport, packaging request and response information for transmission. It adopts a client/server structure: medical staff log in to the server's IP address and access the TSA service program on the server side to obtain a signed timestamp or to verify the authenticity and validity of a timestamp online.
The client program mainly provides medical staff with an easy-to-use interface for requesting the timestamp service and processing the timestamp response. A medical record document that needs a timestamp first goes through digest computation. To secure the data in transit, the digest value is signed; the data is then assembled into the correct timestamp service request format, sent to the server, and the client waits for processing. When the response returns, the client analyzes the result data for correctness, verifies its integrity, and verifies the trustworthiness and validity of the timestamp server's certificate. Finally, the data obtained is processed according to the application.
The server-side program, that is, the timestamp server, is the core of the whole system, so the system's functions are concentrated on the server side. Its main functions are responding to client timestamp requests, issuing timestamps and storing timestamp information. The server receives timestamp requests from many users; for security reasons it holds several signing keys, which the key management module manages safely and effectively. The database module stores timestamps and other related information for handling future client timestamp verification requests. The time source module provides accurate and trusted time. The verification service module is responsible for verifying the identity of the requester, among other things.
The common encryption and encoding algorithms used in the digital timestamp issuance and verification flow are already implemented in .NET, which is a great convenience for programmers. The namespace that implements these algorithms is System.Security.Cryptography; it provides cryptographic services, including secure encoding and decoding of data, and many other operations. The hash function implementation maps a binary string of arbitrary length to a small binary string of fixed length. A hash value is a unique and compact numerical representation of a piece of data: if a piece of plaintext is hashed and even one punctuation mark in it is then changed, the resulting hash value will be different. Finding two different inputs that hash to the same value is therefore computationally almost impossible, so the hash value of data can be used to check the data's integrity.
Public key encryption uses a private key that is kept secret from unauthorized users and a public key that is made public. Data encrypted with the public key can only be decrypted with the private key, and data signed with the private key can only be verified with the public key. The public key can be used by anyone; it is used to encrypt data to be sent to the holder of the private key.
The main functions implemented by the medical record timestamp issuance and verification system are as follows. First, a public key and a private key are randomly generated using a hash function. The keys are in XML (Extensible Markup Language) form; the tags divide the document into identifiable parts, and XML stores data in a simple text format, which means it can be read by any computer. The keys are returned as strings. Second, the required message digest MD is generated for the plaintext information to be encrypted. Third, the generated private key d is used to perform an encryption operation on the generated message digest according to the encryption principle of the SA algorithm, yielding the digital signature. Fourth, the identity of another entity is verified and the integrity of the data is protected. That is, when a message is digitally signed using public key data, the sender first applies a hash function to the message to create a message digest. The sender then encrypts the message digest with the sender's private key to create the sender's personal signature, since this private key uniquely identifies the sender. After receiving the message and the signature, the receiver decrypts the signature with the sender's public key to recover the message digest, and hashes the message using the same hash algorithm the sender used. If the message digest computed by the receiver exactly matches the message digest received from the sender, the receiver can be sure that the message came from the sender.
The embodiments described above express only several implementations of the present invention. Their description is specific and detailed, but it should not be construed as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art can make a number of variations and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention.
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010531678.8A CN111698093B (en) | 2020-06-11 | 2020-06-11 | Digital timestamp issuing and verifying method based on PKI system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010531678.8A CN111698093B (en) | 2020-06-11 | 2020-06-11 | Digital timestamp issuing and verifying method based on PKI system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111698093A CN111698093A (en) | 2020-09-22 |
CN111698093B true CN111698093B (en) | 2022-07-15 |
Family
ID=72480407
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010531678.8A Active CN111698093B (en) | 2020-06-11 | 2020-06-11 | Digital timestamp issuing and verifying method based on PKI system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111698093B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112465502A (en) * | 2020-11-11 | 2021-03-09 | 中国农业银行股份有限公司上海市分行 | Method for deploying digital time stamp offline |
CN112395620B (en) * | 2020-11-19 | 2024-01-30 | 四川泰富地面北斗科技股份有限公司 | Trusted time stamp implementation method based on trusted time |
CN113130031B (en) * | 2021-05-18 | 2024-07-30 | 中南大学湘雅三医院 | PKI-based inter-hospital electronic medical record interaction system, method, equipment and storage medium |
CN113536391A (en) * | 2021-06-29 | 2021-10-22 | 上海浩霖汇信息科技有限公司 | Electronic certificate, digital certificate class black box authentication method, system and related products |
CN114362955A (en) * | 2021-12-01 | 2022-04-15 | 零信技术(深圳)有限公司 | Software code cloud digital signature method, system, device and storage medium |
CN114358932A (en) * | 2021-12-24 | 2022-04-15 | 中国农业银行股份有限公司 | Authentication processing method and device |
CN114499875B (en) * | 2021-12-31 | 2024-05-10 | 兴业消费金融股份公司 | Service data processing method, device, computer equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106375092A (en) * | 2016-08-25 | 2017-02-01 | 杭州天谷信息科技有限公司 | Digital certificate signature method for privacy protection |
WO2017016318A1 (en) * | 2014-11-05 | 2017-02-02 | 祝国龙 | Credible label generation and verification method and system based on asymmetric cryptographic algorithm |
CN106534115A (en) * | 2016-11-10 | 2017-03-22 | 济南浪潮高新科技投资发展有限公司 | Electronic medical record system design based on domestic cipher algorithm and method |
Non-Patent Citations (1)
Title |
---|
基于PKI技术的数字签名在办公网上的实现;袁珍珍等;《计算机与数字工程》;20100220(第02期);全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN111698093A (en) | 2020-09-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||