CN103873240A - CRL transmission method, device and system - Google Patents
Publication number: CN103873240A (application CN201210527983.5)
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classification: Computer And Data Communications
Abstract
Embodiments of the present invention disclose a CRL transmission method, device and system. The method includes: receiving a CRL request message sent by an end entity, the CRL request message carrying end-entity CRL feature information; determining, from the end-entity CRL feature information, whether the CRL held by the certificate authority (CA) is consistent with the CRL held by the end entity; if the CA's CRL is consistent with the end entity's CRL, sending the end entity a CRL response message that does not carry the CA's CRL; if the CA's CRL is not consistent with the end entity's CRL, sending the end entity a CRL response message that carries the CA's CRL. The invention reduces the data traffic between the end entity and the CA.
Description
Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for transmitting a certificate revocation list (CRL).
Background
A public key infrastructure (PKI) is a system that provides information security services by means of public key techniques and digital certificates and is responsible for verifying the identity of certificate holders. A PKI manages public keys through digital certificates, which are issued by a trusted third-party certificate authority (CA) and bind an end entity's public key to its other identity information.
The PKI, digital certificates, the CA and the end entity are briefly described below.
1. PKI
A PKI binds the identity of a certificate holder to the associated public key by issuing a digital certificate, and provides convenient means of obtaining, accessing and revoking certificates. Digital certificates and the related services, such as certificate publication and blacklist (revocation list) publication, are used to authenticate the end entities taking part in a communication, which supports the confidentiality, integrity and non-repudiation of the communicated data.
2. Digital certificates
A digital certificate is electronic data issued by a CA and is the foundation of PKI technology. It is the identity credential of an end entity: it attests to the legitimacy of the entity's identity and public key and to the binding between the two. The certificate is the carrier of the public key, and the public key in it is bound to a single end-entity identity. In one sentence, a digital certificate is an envelope around the end entity's public key; informally, it is the entity's network identity card.
Certificate format and content generally follow the X.509 standard, a digital certificate standard defined by the International Telecommunication Union (ITU-T). The main contents of a certificate are: serial number, subject public key, end-entity (subject) information, issuer information, issuer signature, validity period, and so on.
3. CA
A digital certificate is the network identity credential of a PKI entity. Certificates must be unique and must come from a reliable source, which requires an organization trusted by all end entities to be responsible for issuing and managing them; that organization is the CA. As an authoritative, trusted and impartial third party, the CA verifies the identity of certificate applicants through its own registration and vetting process, so that the certificates it issues are authoritative, impartial and trustworthy.
The core function of a CA is to issue and manage digital certificates, which mainly includes: certificate issuance, certificate renewal, certificate revocation, certificate lookup, certificate archiving, and CRL publication.
4. End entity
The end entity is the final user of PKI products or services. It is generally implemented in software, and the program code implementing it may reside in equipment used by an individual or organization, such as a personal computer (PC), router, switch or mobile phone.
The end entity and the CA are connected through a network, which may be wired or wireless; no limitation is placed on it here, provided that it allows the end entity and the CA to communicate.
Given the above, a certificate may need to be revoked before it expires, that is, the binding between the public key and the associated identity information must be withdrawn, for reasons such as a change in the holder's identity, information or public key, compromise of the holder's private key, compromise of the CA's private key, a change of affiliation, or termination of the holder's business. In a PKI the mechanism used for this is the certificate revocation list (CRL), i.e. a certificate blacklist.
Once a certificate has been revoked, the CA declares it invalid by publishing a CRL, which lists the issuer and serial number of every revoked certificate, the CRL's issue date, the date on which each certificate was revoked, the CRL's next issue date, and other information. The CA does not push the CRL to end entities; instead, an end entity initiates a CRL request, and on receiving it the CA sends its local CRL to the end entity.
Specifically, the CRL transmission method between end entity and CA is as follows: the end entity sends a CRL request message to the CA; on receiving the request, the CA returns a CRL response message that contains the CA's latest local CRL.
Because the CA sends its local CRL in the CRL response message whenever it receives a CRL request message from an end entity, if the CA's CRL has not been updated for some time the CA will send the same CRL to the end entity repeatedly, which increases the data traffic between the end entity and the CA.
Summary of the invention
Embodiments of the present invention provide a CRL transmission method, device and system that can reduce the data traffic between an end entity and a CA.
In a first aspect, a CRL transmission method is provided, including:
receiving a CRL request message sent by an end entity, the CRL request message carrying end-entity CRL feature information;
determining, from the end-entity CRL feature information, whether the CRL in the certificate authority (CA) is consistent with the CRL in the end entity;
if the CRL in the CA is consistent with the CRL in the end entity, sending the end entity a CRL response message that does not carry the CA's CRL;
if the CRL in the CA is not consistent with the CRL in the end entity, sending the end entity a CRL response message that carries the CA's CRL.
With reference to the first aspect, in a first possible implementation the end-entity CRL feature information includes the issue date (thisUpdate) or the next issue date (nextUpdate); correspondingly, determining from the end-entity CRL feature information whether the CRL in the CA is consistent with the CRL in the end entity specifically includes:
determining whether the issue date of the CA's CRL matches the issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL; or,
determining whether the next issue date of the CA's CRL matches the next issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
With reference to the first possible implementation of the first aspect, in a second possible implementation the end-entity CRL feature information further includes the issuer signature, and determining from the end-entity CRL feature information whether the CRL in the CA is consistent with the CRL in the end entity specifically includes:
determining whether the issue date of the CA's CRL matches the issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL; if they match, determining whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if the signatures differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL; or,
determining whether the next issue date of the CA's CRL matches the next issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL; if they match, determining whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if the signatures differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
With reference to the first aspect, in a third possible implementation the end-entity CRL feature information includes the issuer signature, and determining from the end-entity CRL feature information whether the CRL in the CA is consistent with the CRL in the end entity specifically includes:
determining whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
In a second aspect, a CRL transmission device is provided, including:
a receiving unit, configured to receive a CRL request message sent by an end entity, the CRL request message carrying end-entity CRL feature information;
a determining unit, configured to determine, from the end-entity CRL feature information, whether the CRL in the certificate authority (CA) is consistent with the CRL in the end entity;
a first sending unit, configured to send the end entity a CRL response message that does not carry the CA's CRL if the determining unit determines that the CRL in the CA is consistent with the CRL in the end entity;
a second sending unit, configured to send the end entity a CRL response message that carries the CA's CRL if the determining unit determines that the CRL in the CA is not consistent with the CRL in the end entity.
With reference to the second aspect, in a first possible implementation the end-entity CRL feature information includes the issue date or the next issue date, and the determining unit is specifically configured to:
determine whether the issue date of the CA's CRL matches the issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL; or,
determine whether the next issue date of the CA's CRL matches the next issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
With reference to the first possible implementation of the second aspect, in a second possible implementation the end-entity CRL feature information further includes the issuer signature, and the determining unit is specifically configured to:
determine whether the issue date of the CA's CRL matches the issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL; if they match, determine whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if the signatures differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL; or,
determine whether the next issue date of the CA's CRL matches the next issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL; if they match, determine whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if the signatures differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
With reference to the second aspect, in a third possible implementation the end-entity CRL feature information includes the issuer signature, and the determining unit is specifically configured to:
determine whether the issuer signature of the CA's CRL matches the issuer signature in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and if they match, the CA's CRL is consistent with the end entity's CRL.
In a third aspect, a CRL transmission system is provided, including:
an end entity, configured to send a CRL request message to a certificate authority (CA), the CRL request message carrying end-entity CRL feature information, and to receive the CRL response message sent by the CA;
a CA, configured to receive the CRL request message sent by the end entity; to determine, from the end-entity CRL feature information, whether the CRL in the CA is consistent with the CRL in the end entity; if the CRL in the CA is consistent with the CRL in the end entity, to send the end entity a CRL response message that does not carry the CA's CRL; and if the CRL in the CA is not consistent with the CRL in the end entity, to send the end entity a CRL response message that carries the CA's CRL.
With reference to the third aspect, in a first possible implementation the end-entity CRL feature information includes the issue date or the next issue date, and the CA is specifically configured to:
receive the CRL request message sent by the end entity; determine whether the issue date of the CA's CRL matches the issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and a CRL response message carrying the CA's CRL is sent to the end entity; if they match, the CA's CRL is consistent with the end entity's CRL, and a CRL response message not carrying the CA's CRL is sent to the end entity; or,
receive the CRL request message sent by the end entity; determine whether the next issue date of the CA's CRL matches the next issue date in the end-entity CRL feature information; if they differ, the CA's CRL is not consistent with the end entity's CRL, and a CRL response message carrying the CA's CRL is sent to the end entity; if they match, the CA's CRL is consistent with the end entity's CRL, and a CRL response message not carrying the CA's CRL is sent to the end entity.
In the embodiments of the present invention, a CRL request message sent by an end entity is received, the CRL request message carrying end-entity CRL feature information; from that feature information it is determined whether the CRL in the CA is consistent with the CRL in the end entity; if they are consistent, a CRL response message that does not carry the CA's CRL is sent to the end entity, and if they are not consistent, a CRL response message that carries the CA's CRL is sent to the end entity. The data traffic between the end entity and the CA is thereby reduced.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a flowchart of a CRL transmission method according to an embodiment of the present invention;
Figure 1A is a schematic diagram of the structure of a CRL;
Figure 2 is another flowchart of a CRL transmission method according to an embodiment of the present invention;
Figure 3 is a schematic structural diagram of a CRL transmission device according to an embodiment of the present invention;
Figure 4 is a schematic structural diagram of a CRL transmission system according to an embodiment of the present invention;
Figure 5 is a schematic structural diagram of an end entity according to an embodiment of the present invention;
Figure 6 is a schematic structural diagram of a CA according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Figure 1 is a flowchart of the CRL transmission method provided by an embodiment of the present invention. The method includes:
101: The CA receives a CRL request message sent by the end entity, the CRL request message carrying end-entity CRL feature information.
The end-entity CRL feature information is information contained in the CRL held by the end entity that is capable of identifying that CRL.
例如,参见图1A所示,目前CRL的内容一般遵循X.509标准,主要包括:版本(Version)、签名(signature)、发布者名字(Issuer Name)、发布日期(ThisUpdate)、下次发布日期(nextUpdate)、吊销证书(Revoked Certificates)、扩展域(Extensions)等,这些字段属于待签名字段;CRL还包括:签名算法(signature Algorithm)、发布者签名(signatureValue)等;其中,发布者签名是通过对所述待签名字段执行哈希算法、对CRL发布者私钥执行签名算法、对两算法的执行结果进行数字摘要得到的;在实际应用中,签名和签名算法两字段中的内容一般相同,均设置为签名算法标示符(ID)。For example, as shown in Figure 1A, the content of the current CRL generally follows the X.509 standard, mainly including: version (Version), signature (signature), issuer name (Issuer Name), issue date (ThisUpdate), next issue date (nextUpdate), revoked certificates (Revoked Certificates), extensions (Extensions), etc., these fields belong to the fields to be signed; CRL also includes: signature algorithm (signature Algorithm), publisher signature (signatureValue), etc. Among them, the publisher signature is Obtained by performing a hash algorithm on the field to be signed, a signature algorithm on the CRL issuer's private key, and a digital summary of the execution results of the two algorithms; in practical applications, the contents of the signature and signature algorithm fields are generally the same , are set to the signature algorithm identifier (ID).
其中,发布者签名是可以唯一标识CRL的字段;CRL中的发布者签名可能有几十个字节,甚至几百个字节。Among them, the issuer's signature is a field that can uniquely identify the CRL; the issuer's signature in the CRL may have dozens of bytes, or even hundreds of bytes.
Among CRLs issued by the same CA, the four fields version, issuer name, signature and signature algorithm generally do not change; the corresponding field changes only when the version, issuer name or signature algorithm changes at the CA. For example, if the CA's CRL version changes from v1 to v2, the version field of every CRL the CA subsequently issues changes from v1 to v2; the issuer name, signature and signature algorithm fields behave like the version field and are not described further here.
The issue date, next issue date, revoked certificates and extensions may or may not differ between CRLs. When many certificates have been revoked, however, the revoked certificates field becomes long: each entry carries at least a serial number and a revocation time, so the field grows linearly with the number of revoked certificates, and this field is what makes re-sending an unchanged CRL costly.
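The following is an added example, not code from the patent: a minimal DER walk that pulls the fields the patent later uses as terminal CRL feature information (thisUpdate, nextUpdate and signatureValue) out of an X.509 CertificateList, together with the CRL Number extension and the RFC 5280 check that tbsCertList.signature equals signatureAlgorithm. It includes a tiny DER encoder only so that a sample CRL can be constructed inline and the example runs offline; the sample's issuer name, dates, serial numbers and signature bytes are all constructed placeholders, and no real signature is produced or verified.

```python
# Added example (not code from the patent): a minimal DER walk that pulls the
# fields the patent calls "terminal CRL feature information" out of an X.509
# CertificateList, plus a tiny DER encoder used only to construct a sample CRL
# so the example runs offline. The sample's signature bytes are a placeholder
# standing in for a real RSA signature (assumption for illustration).

# ---- minimal DER encoder -----------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):                # non-negative INTEGER, minimal DER encoding
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_utctime(s):            # s is "YYMMDDHHMMSSZ"
    return tlv(0x17, s.encode("ascii"))

OID_CN = bytes.fromhex("550403")           # id-at-commonName 2.5.4.3
OID_CRL_NUMBER = bytes.fromhex("551d14")   # id-ce-cRLNumber 2.5.29.20
# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL params
ALG_SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")

def build_crl(issuer_cn, this_update, next_update, revoked, crl_number, signature):
    """Encode a v2 CRL. `revoked` is a non-empty list of (serial, UTCTime)."""
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, issuer_cn.encode("ascii")))))
    entries = b"".join(tlv(0x30, der_int(serial) + der_utctime(when)) for serial, when in revoked)
    crl_number_ext = tlv(0x30, tlv(0x06, OID_CRL_NUMBER) + tlv(0x04, der_int(crl_number)))
    tbs = tlv(0x30, der_int(1)                      # version: v2 is encoded as INTEGER 1
                    + ALG_SHA256_RSA                  # tbsCertList.signature
                    + issuer
                    + der_utctime(this_update)
                    + der_utctime(next_update)
                    + tlv(0x30, entries)              # revokedCertificates
                    + tlv(0xA0, tlv(0x30, crl_number_ext)))  # crlExtensions [0] EXPLICIT
    return tlv(0x30, tbs + ALG_SHA256_RSA + tlv(0x03, b"\x00" + signature))

# ---- minimal DER reader ------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the element); single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def extract_features(crl_der):
    """Return the patent's feature fields (thisUpdate, nextUpdate, signatureValue)
    plus version, revoked entries and the CRL Number extension."""
    _, cert_list, end = read_tlv(crl_der)
    if end != len(crl_der):
        raise ValueError("trailing bytes after CertificateList")
    (_, tbs), (_, outer_alg), (_, sig_bits) = children(cert_list)
    fields = children(tbs)
    version = 1
    if fields[0][0] == 0x02:                          # version is OPTIONAL
        version = int.from_bytes(fields[0][1], "big") + 1
        fields = fields[1:]
    if fields[0][1] != outer_alg:                     # RFC 5280 5.1.1.2: both MUST match
        raise ValueError("tbsCertList.signature differs from signatureAlgorithm")
    this_update = fields[2][1].decode("ascii")        # fields[1] is the issuer Name
    rest = fields[3:]
    next_update = None
    if rest and rest[0][0] in (0x17, 0x18):           # UTCTime / GeneralizedTime
        next_update = rest[0][1].decode("ascii")
        rest = rest[1:]
    revoked = []
    if rest and rest[0][0] == 0x30:
        for _, entry in children(rest[0][1]):
            serial, when = children(entry)[:2]        # per-entry extensions, if any, follow
            revoked.append((int.from_bytes(serial[1], "big"), when[1].decode("ascii")))
        rest = rest[1:]
    crl_number = None
    if rest and rest[0][0] == 0xA0:
        for _, ext in children(children(rest[0][1])[0][1]):
            parts = children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] == OID_CRL_NUMBER:
                crl_number = int.from_bytes(children(parts[-1][1])[0][1], "big")
    if sig_bits[0] != 0:
        raise ValueError("signature BIT STRING has unused bits")
    return {"version": version, "this_update": this_update, "next_update": next_update,
            "revoked": revoked, "crl_number": crl_number, "signature": sig_bits[1:]}

# Constructed sample (not a real CA's CRL): "Example CA", two revoked serials, CRL number 7.
SAMPLE_SIGNATURE = bytes(range(256))   # placeholder for a 2048-bit RSA signature
SAMPLE_CRL = build_crl("Example CA", "240101000000Z", "240108000000Z",
                       [(0x1001, "231220101500Z"), (0x1002, "231231235959Z")],
                       7, SAMPLE_SIGNATURE)

if __name__ == "__main__":
    f = extract_features(SAMPLE_CRL)
    print({k: (v if k != "signature" else f"{len(v)} bytes") for k, v in f.items()})
```

Run it to print the extracted fields. Against the size argument the page makes: signatureValue is 256 bytes here, thisUpdate and nextUpdate are 13-byte UTCTime strings, and the CRL Number extension (which RFC 5280 requires conforming CRL issuers to include, with a value that increases with every issue) is a one-byte integer in this sample that also identifies the CRL unambiguously and is cheaper to compare than the signature.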
In the first possible implementation, the terminal CRL feature information includes the issue date or the next issue date, and may further include the issuer signature.
In the second possible implementation, the terminal CRL feature information includes only the issuer signature; because the issuer signature uniquely identifies the CRL, the issuer signature alone is enough to decide whether the CRL in the CA is consistent with the CRL in the terminal entity.
102: The CA determines, from the terminal CRL feature information, whether the CRL in the CA is consistent with the CRL in the terminal entity; if consistent, go to 103; if not, go to 104.
If they are consistent, the CRL in the CA is the same as the CRL in the terminal entity, so the CA does not need to send its CRL to the terminal entity again; 103 is executed, the CRL response message does not carry the CA's CRL, and data traffic between the CA and the terminal entity is saved.
If they are inconsistent, the CRL in the CA differs from the CRL in the terminal entity, most likely because the CA has updated its CRL, so the CA's CRL must be sent to the terminal entity for it to obtain the latest CRL; 104 is executed and the CRL response message carries the CA's CRL.
Specifically, in the embodiment of the present invention there are two possible ways of deciding, from the terminal CRL feature information, whether the CRL in the CA is consistent with the CRL in the terminal entity. As stated above, in the first way the terminal CRL feature information includes the issue date or the next issue date and may further include the issuer signature; in the second way it includes only the issuer signature.
The CRL issuer signature is usually tens or even hundreds of bytes, whereas the other CRL fields are comparatively small (the next issue date, for example, is only a few bytes: 13 bytes as a UTCTime), so among these fields the issuer signature carries the most data. The CA can decide accurately from the issuer signature whether its CRL is consistent with the terminal entity's, but it then has to receive and compare a comparatively large amount of data.
In the first possible implementation, the terminal CRL feature information includes the issue date or the next issue date. Deciding consistency then specifically includes: comparing the issue date of the CRL in the CA with the issue date in the terminal CRL feature information; if they differ, the CRL in the CA is inconsistent with the CRL in the terminal entity, and if they match, the two are consistent. Alternatively: comparing the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent, and if they match, they are consistent. Normally the issue date or the next issue date differs in every CRL the CA issues, so either date gives a fairly accurate consistency decision, and because a date is only a few bytes the CA processes little data, which lowers its processing load. The date comparison is an exact-match test only: it cannot tell which side holds the newer list, and a CRL re-issued with an identical issue date and next issue date would be judged consistent, which is why the issuer signature is added as a second check below.
When the CA decides by the issue date or the next issue date, a mismatch in that date can be taken to mean the CRLs are inconsistent; when the date matches, the CA can go on to compare the issuer signature that uniquely identifies the CRL. This keeps the CA's processing low while improving the accuracy of the decision. In that case the terminal CRL feature information also includes the issuer signature, and the decision specifically includes:
Comparing the issue date of the CRL in the CA with the issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent; if they match, comparing the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information; if the signatures differ, the CRLs are inconsistent, and if they match, the CRLs are consistent; or,
Comparing the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent; if they match, comparing the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information; if the signatures differ, the CRLs are inconsistent, and if they match, the CRLs are consistent.
In the second possible implementation, the terminal CRL feature information includes only the issuer signature, and the decision specifically includes:
Comparing the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information; if they differ, the CRL in the CA is inconsistent with the CRL in the terminal entity, and if they match, the two are consistent.
103: The CA sends the terminal entity a CRL response message that does not carry the CA's CRL; this processing branch ends.
Because the CA does not carry its CRL in the CRL response message, data traffic between the CA and the terminal entity is saved. The terminal should nevertheless keep treating its cached CRL as valid only until that CRL's next issue date and request the CRL again once that time has passed, if necessary with feature information that cannot match so that the CA must send the list; otherwise anyone able to inject an empty response could hold the terminal on a stale list indefinitely.
104: The CA sends the terminal entity a CRL response message that carries the CA's CRL; this processing branch ends.
In this embodiment the CA decides from the terminal CRL feature information whether its CRL is consistent with the CRL in the terminal entity and, if so, sends the terminal entity a CRL response message without the CA's CRL. Compared with the prior art, in which the CA carries its CRL in every CRL response message, this reduces the data traffic between the CA and the terminal entity.
Referring to Figure 2, another flowchart of the CRL transmission method provided by an embodiment of the present invention; this embodiment takes CRL feature information consisting of the issuer signature and the issue date as an example. The method includes:
201: The terminal entity sends a CRL request message to the CA, the CRL request message carrying terminal CRL feature information.
The terminal CRL feature information includes the issue date and the issuer signature.
The CRL request message can use the message format of an existing CRL request message, in which case the terminal CRL feature information is carried in the message content; alternatively a new message format can be defined, which is not limited here.
202: The CA receives the CRL request message and checks whether the issue date of the CRL in the CA matches the issue date in the terminal CRL feature information; if it matches, go to 203; if not, go to 205.
203: The CA checks whether the issuer signature of the CRL in the CA matches the issuer signature in the terminal CRL feature information; if it matches, go to 204; if not, go to 205.
204: The CA sends the terminal entity a CRL response message that does not carry the CA's CRL; this processing branch ends.
205: The CA sends the terminal entity a CRL response message that carries the CA's CRL; this processing branch ends.
The CRL response message in the embodiment of the present invention can use the message format of an existing CRL response message: when a CRL is carried, the message is the same as an existing CRL response message, and when no CRL is carried, the corresponding field is simply absent; alternatively a new message format can be defined, which is not limited here.
In this embodiment the CA checks whether the issue date and issuer signature of its CRL match the issue date and issuer signature in the terminal CRL feature information; only when the issue date and/or the issuer signature differ does the CRL response message carry the CA's CRL, and when both match it carries no CRL, reducing data traffic between the CA and the terminal entity.
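The exchange described in steps 101 to 104 and in the Figure 2 flow, as an added example that is not the patent's own code or message format: the terminal sends the feature information for the CRL it holds, the CA compares it with its current CRL and answers with the full CRL only when they differ. It generalises the three comparison modes on the page into one rule (every feature field the request carries must match), which yields the same verdict as the page's step-by-step checks. The CRL objects, the message layout and the placeholder signatures are constructed for illustration, and no signature is verified.

```python
# Added example (not the patent's code or message format): the CRL request /
# response exchange of steps 101-104 and Figure 2, with both sides' logic.
# CRL objects, message layout and the placeholder signatures are constructed
# for illustration; no signature is verified here.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Crl:
    """What each side holds: the feature fields plus the encoded CRL bytes."""
    this_update: str
    next_update: str
    signature: bytes      # issuer signature (signatureValue)
    der: bytes            # full encoded CRL; only its size matters here


@dataclass(frozen=True)
class Features:
    """Terminal CRL feature information carried in the CRL request message.
    The fields present select the comparison mode: date only, date plus
    signature, or signature only."""
    this_update: Optional[str] = None
    next_update: Optional[str] = None
    signature: Optional[bytes] = None


def crl_consistent(ca: Crl, req: Features) -> bool:
    """Step 102, generalised: every feature field the request carries must match
    the CA's CRL. Dates are checked first because they are cheap; the signature
    is only compared when the dates (if sent) already match, as in the patent.
    A request carrying nothing is rejected rather than treated as consistent,
    since 'consistent' means the terminal keeps its current list."""
    if req.this_update is None and req.next_update is None and req.signature is None:
        raise ValueError("CRL request carries no feature information")
    if req.this_update is not None and req.this_update != ca.this_update:
        return False
    if req.next_update is not None and req.next_update != ca.next_update:
        return False
    if req.signature is not None and req.signature != ca.signature:
        return False
    return True


def ca_handle_request(ca: Crl, req: Features) -> dict:
    """Steps 103/104: the CRL response message, with or without the CRL."""
    if crl_consistent(ca, req):
        return {"crl": None}        # 103: no CRL carried
    return {"crl": ca}              # 104: CA's CRL carried


def terminal_request(local: Crl, mode: str) -> Features:
    """Step 101: choose the feature information for the configured mode."""
    if mode == "date":
        return Features(this_update=local.this_update)
    if mode == "date+signature":
        return Features(this_update=local.this_update, signature=local.signature)
    if mode == "signature":
        return Features(signature=local.signature)
    raise ValueError(f"unknown mode {mode!r}")


def terminal_apply(local: Crl, response: dict) -> Crl:
    """Keep the cached CRL on an empty response, otherwise install the new one.
    A real terminal verifies the issuer signature of `new` with the CA's public
    key and checks its dates before installing it (omitted here)."""
    new = response["crl"]
    return local if new is None else new


def run_exchange(terminal: Crl, ca: Crl, mode: str):
    """One round trip; returns (CRL the terminal ends with, response payload bytes)."""
    resp = ca_handle_request(ca, terminal_request(terminal, mode))
    final = terminal_apply(terminal, resp)
    payload = 0 if resp["crl"] is None else len(resp["crl"].der)
    return final, payload


# Constructed sample CRLs; the signatures and DER bodies are placeholders.
CRL_OLD = Crl("240101000000Z", "240108000000Z", b"sig-old" * 8, bytes(4096))
CRL_NEW = Crl("240104000000Z", "240111000000Z", b"sig-new" * 8, bytes(4200))
# Re-issued with the same dates as CRL_OLD but different contents, hence a
# different signature: the case a date-only comparison cannot see.
CRL_REISSUED = Crl("240101000000Z", "240108000000Z", b"sig-re!" * 8, bytes(4100))

if __name__ == "__main__":
    for mode in ("date", "date+signature", "signature"):
        for ca in (CRL_OLD, CRL_NEW, CRL_REISSUED):
            final, payload = run_exchange(CRL_OLD, ca, mode)
            print(f"{mode:15} CA={ca.this_update}/{ca.signature[:7]!r}: "
                  f"terminal ends with {final.signature[:7]!r}, {payload} bytes sent")
```

The third sample CRL shows why the page adds the signature to the date check: a re-issue with unchanged issue date and next issue date passes the date-only comparison and leaves the terminal on the old list, while the date-plus-signature and signature-only modes fetch it. Whatever mode is used, a terminal should still treat an empty response as good only until its local next issue date, and should verify the issuer signature of any CRL it installs.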
Referring to Figure 3, a schematic structural diagram of a CRL transmission apparatus provided by an embodiment of the present invention, used to carry out the methods shown in Figures 1 and 2; the apparatus 300 includes:
a receiving unit 310, configured to receive a CRL request message sent by a terminal entity, the CRL request message carrying terminal CRL feature information;
a judging unit 320, configured to decide, from the terminal CRL feature information, whether the CRL in the CA is consistent with the CRL in the terminal entity;
a first sending unit 330, configured to send the terminal entity a CRL response message that does not carry the CA's CRL when the judging unit 320 decides that the CRL in the CA is consistent with the CRL in the terminal entity;
a second sending unit 340, configured to send the terminal entity a CRL response message that carries the CA's CRL when the judging unit 320 decides that the CRL in the CA is inconsistent with the CRL in the terminal entity.
Preferably, in the first possible implementation the terminal CRL feature information includes the issue date or the next issue date, and the judging unit 320 is specifically configured to:
compare the issue date of the CRL in the CA with the issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ and as consistent if they match; or,
compare the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ and as consistent if they match.
Further, the terminal CRL feature information may also include the issuer signature, in which case the judging unit 320 is specifically configured to:
compare the issue date of the CRL in the CA with the issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ; if the dates match, compare the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information, treating the CRLs as inconsistent if the signatures differ and as consistent if they match; or,
compare the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ; if the dates match, compare the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information, treating the CRLs as inconsistent if the signatures differ and as consistent if they match.
In the second possible implementation the terminal CRL feature information includes the issuer signature, and the judging unit 320 is specifically configured to:
compare the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information, treating the CRLs as inconsistent if the signatures differ and as consistent if they match.
In this embodiment the CA decides from the terminal CRL feature information whether its CRL is consistent with the CRL in the terminal entity and, if so, sends the terminal entity a CRL response message without the CA's CRL. Compared with the prior art, in which the CA carries its CRL in every CRL response message, this reduces the data traffic between the CA and the terminal entity.
Referring to Figure 4, a schematic structural diagram of a CRL transmission system provided by an embodiment of the present invention; the system 400 includes:
a terminal entity 410, configured to send a CRL request message carrying terminal CRL feature information to the CA 420, and to receive the CRL response message sent by the CA;
a CA 420, configured to receive the CRL request message sent by the terminal entity 410; to decide, from the terminal CRL feature information, whether the CRL in the CA 420 is consistent with the CRL in the terminal entity 410; to send the terminal entity 410 a CRL response message that does not carry the CA 420's CRL if they are consistent; and to send the terminal entity 410 a CRL response message that carries the CA 420's CRL if they are inconsistent.
As shown in Figure 5, the terminal entity 410 can be implemented with the following structure:
a request message sending unit 510, configured to send a CRL request message carrying the terminal CRL feature information to the CA;
a response message receiving unit 520, configured to receive from the CA the CRL response message corresponding to the CRL request message.
Preferably, in the first possible implementation the terminal CRL feature information may include the issue date or the next issue date, and the CA 420 is specifically configured to: receive the CRL request message sent by the terminal entity 410; compare the issue date of the CRL in the CA 420 with the issue date in the terminal CRL feature information; if they differ, the CRL in the CA 420 is inconsistent with the CRL in the terminal entity 410, and the CA 420 sends the terminal entity 410 a CRL response message carrying the CA 420's CRL; if they match, the CRLs are consistent and the CA 420 sends the terminal entity 410 a CRL response message without the CA 420's CRL. Or: receive the CRL request message sent by the terminal entity 410; compare the next issue date of the CRL in the CA 420 with the next issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent and the CA 420 sends the terminal entity 410 a CRL response message carrying the CA 420's CRL; if they match, the CRLs are consistent and the CA 420 sends the terminal entity 410 a CRL response message without the CA 420's CRL.
Further, the terminal CRL feature information may also include the issuer signature, in which case the CA 420 is specifically configured to: receive the CRL request message sent by the terminal entity 410; compare the issue date of the CRL in the CA 420 with the issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent and the CA 420 sends the terminal entity 410 a CRL response message carrying the CA 420's CRL; if they match, compare the issuer signature of the CRL in the CA 420 with the issuer signature in the terminal CRL feature information; if the signatures differ, the CRLs are inconsistent and the CA 420 sends a CRL response message carrying the CA 420's CRL, and if they match, the CRLs are consistent and the CA 420 sends a CRL response message without the CA 420's CRL. Or:
receive the CRL request message sent by the terminal entity 410; compare the next issue date of the CRL in the CA 420 with the next issue date in the terminal CRL feature information; if they differ, the CRLs are inconsistent and the CA 420 sends the terminal entity 410 a CRL response message carrying the CA 420's CRL; if they match, compare the issuer signature of the CRL in the CA 420 with the issuer signature in the terminal CRL feature information; if the signatures differ, the CRLs are inconsistent and the CA 420 sends a CRL response message carrying the CA 420's CRL, and if they match, the CRLs are consistent and the CA 420 sends a CRL response message without the CA 420's CRL.
In the second possible implementation the terminal CRL feature information includes the issuer signature, and the CA 420 is specifically configured to: receive the CRL request message sent by the terminal entity 410; compare the issuer signature of the CRL in the CA 420 with the issuer signature in the terminal CRL feature information; if they differ, the CRLs are inconsistent and the CA 420 sends the terminal entity 410 a CRL response message carrying the CA 420's CRL; if they match, the CRLs are consistent and the CA 420 sends the terminal entity 410 a CRL response message without the CA 420's CRL.
For the specific implementation of the CA 420, see the transmission method shown in Figure 1 and the structure of the CRL transmission apparatus shown in Figure 3, which are not repeated here.
In the embodiment of the present invention, the terminal entity sends the CA a CRL request message carrying terminal CRL feature information; the CA decides from that information whether its CRL is consistent with the CRL in the terminal entity and, if so, sends the terminal entity a CRL response message without the CA's CRL, reducing the data traffic between the terminal entity and the CA.
Referring to Figure 6, a schematic structural diagram of a CA provided by an embodiment of the present invention; the CA 600 includes a processor 610, a memory 620, a transceiver 630 and a bus 640.
The processor 610, memory 620 and transceiver 630 are interconnected by the bus 640, which may be an ISA, PCI or EISA bus. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in Figure 6, but this does not mean there is only one bus or one type of bus.
The memory 620 stores a program. Specifically, the program may include program code comprising computer operating instructions. The memory 620 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The processor 610 executes the program code to decide, from the terminal CRL feature information received by the transceiver 630, whether the CRL in the CA is consistent with the CRL in the terminal entity.
The transceiver 630 connects to and communicates with other devices. Specifically, the transceiver 630 receives the CRL request message sent by the terminal entity, the CRL request message carrying terminal CRL feature information; it sends the terminal entity a CRL response message without the CA's CRL if the processor 610 decides that the CRL in the CA is consistent with the CRL in the terminal entity, and a CRL response message carrying the CA's CRL if the processor 610 decides that they are inconsistent.
Preferably, in the first possible implementation the terminal CRL feature information includes the issue date or the next issue date, and the processor 610 is specifically configured to:
compare the issue date of the CRL in the CA with the issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ and as consistent if they match; or,
compare the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ and as consistent if they match.
Further, the terminal CRL feature information may also include the issuer signature, in which case the processor 610 is specifically configured to:
compare the issue date of the CRL in the CA with the issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ; if the dates match, compare the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information, treating the CRLs as inconsistent if the signatures differ and as consistent if they match; or,
compare the next issue date of the CRL in the CA with the next issue date in the terminal CRL feature information, treating the CRLs as inconsistent if the dates differ; if the dates match, compare the issuer signature of the CRL in the CA with the issuer signature in the terminal CRL feature information, treating the CRLs as inconsistent if the signatures differ and as consistent if they match.
第二种可能实现方式中,所述终端CRL特征信息包括:发布者签名;所述处理器610具体可以用于:In a second possible implementation manner, the terminal CRL characteristic information includes: a signature of a publisher; the processor 610 may be specifically configured to:
判断CA中CRL的发布者签名与所述终端CRL特征信息的发布者签名是否一致,若CA中CRL的发布者签名与所述终端CRL特征信息的发布者签名不一致,则CA中CRL与所述终端实体中CRL不一致,若CA中CRL的发布者签名与所述终端CRL特征信息的发布者签名一致,则CA中CRL与所述终端实体中CRL一致。Judging whether the issuer signature of the CRL in the CA is consistent with the issuer signature of the terminal CRL feature information, if the issuer signature of the CRL in the CA is inconsistent with the issuer signature of the terminal CRL feature information, then the CRL in the CA is consistent with the issuer signature of the terminal CRL feature information If the CRL in the terminal entity is inconsistent, if the issuer signature of the CRL in the CA is consistent with the issuer signature of the terminal CRL feature information, then the CRL in the CA is consistent with the CRL in the terminal entity.
本实施例中,处理器610判断CA中CRL与终端实体中CRL是否一致;如果CA中CRL与终端实体中CRL一致,收发器630向终端实体发送没有携带CA中CRL的CRL响应消息,从而相对于现有技术中CA每次均在CRL响应消息中携带CA中的CRL,减少了CA与终端实体之间的数据流量。In this embodiment, the processor 610 judges whether the CRL in the CA is consistent with the CRL in the terminal entity; if the CRL in the CA is consistent with the CRL in the terminal entity, the transceiver 630 sends a CRL response message that does not carry the CRL in the CA to the terminal entity, thereby relatively In the prior art, the CA carries the CRL in the CA in the CRL response message every time, which reduces the data traffic between the CA and the terminal entity.
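The request/response exchange carried out by the processor 610 and transceiver 630, as an added example in plain Python that is not the patent's own code; the CRL record, the digest standing in for the issuer signature, and the sample dates and serial numbers are constructed assumptions. One decision function covers the first variant (release date or next release date, optionally followed by the issuer signature) and the second variant (issuer signature only).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

@dataclass(frozen=True)
class Crl:
    this_update: datetime   # the CRL's release date (thisUpdate)
    next_update: datetime   # its next release date (nextUpdate)
    revoked: frozenset      # revoked certificate serial numbers
    signature: bytes        # issuer signature over the CRL body

def make_crl(this_update, next_update, revoked) -> Crl:
    # Constructed stand-in for the issuer signature (a real CRL carries an asymmetric one): digest of the body
    body = f"{this_update.isoformat()}|{next_update.isoformat()}|{sorted(revoked)}".encode()
    return Crl(this_update, next_update, frozenset(revoked), hashlib.sha256(body).digest())

def terminal_features(crl, date_field="this_update", with_signature=False) -> dict:
    """Feature info the terminal puts in its CRL request: release date or next release date
    (first variant), optionally plus the issuer signature; or the signature alone (date_field="none")."""
    features = {} if date_field == "none" else {date_field: getattr(crl, date_field)}
    if with_signature or date_field == "none":
        features["signature"] = crl.signature
    return features

def ca_handle_request(ca_crl, features) -> dict:
    """CA side: 'crl' is None when the terminal copy matches, so no CRL body is sent."""
    if not features:
        return {"crl": ca_crl}                    # nothing to compare against: send the CRL
    consistent = True                             # signature-only variant carries no date
    if "this_update" in features:
        consistent = features["this_update"] == ca_crl.this_update
    elif "next_update" in features:
        consistent = features["next_update"] == ca_crl.next_update
    if consistent and "signature" in features:    # a matching date alone can miss a re-issued CRL
        consistent = features["signature"] == ca_crl.signature
    return {"crl": None if consistent else ca_crl}

def demo() -> dict:
    """Constructed scenario: the CA's CRL against three terminal copies."""
    utc = timezone.utc
    t0, t1 = datetime(2012, 12, 10, tzinfo=utc), datetime(2012, 12, 17, tzinfo=utc)
    ca, current = make_crl(t0, t1, {1, 2}), make_crl(t0, t1, {1, 2})
    stale = make_crl(datetime(2012, 12, 3, tzinfo=utc), t0, {1})
    reissued = make_crl(t0, t1, {1, 2, 3})        # same dates, different body and signature
    ask = lambda crl, *a, **k: ca_handle_request(ca, terminal_features(crl, *a, **k))["crl"]
    return {"current": ask(current) is None, "stale_date": ask(stale) is ca,
            "stale_next": ask(stale, "next_update") is ca, "empty": ca_handle_request(ca, {})["crl"] is ca,
            "reissued_date_only": ask(reissued) is None,    # date-only check misses the re-issue
            "reissued_date_sig": ask(reissued, with_signature=True) is ca,
            "reissued_sig_only": ask(reissued, "none") is ca}
```

Every entry of `demo()` is True; the `reissued_date_only` case is why the patent's further variant adds the issuer signature after a matching date.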
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software together with a necessary general-purpose hardware platform. On this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied as a software product; that computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention or in parts of them.
Each embodiment in this specification is described progressively; for the parts that are the same or similar between embodiments, reference may be made from one to another, and each embodiment concentrates on its differences from the others. In particular, since the system embodiment is basically similar to the method embodiment, it is described more briefly, and the relevant parts of the description of the method embodiment apply.
The embodiments of the present invention described above do not limit the protection scope of the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention fall within the protection scope of the present invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201210527983.5A CN103873240A (en) | 2012-12-10 | 2012-12-10 | CRL transmission method, device and system | 
Publications (1)
| Publication Number | Publication Date | 
|---|---|
| CN103873240A true CN103873240A (en) | 2014-06-18 | 
Family
ID=50911390
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN201210527983.5A Pending CN103873240A (en) | 2012-12-10 | 2012-12-10 | CRL transmission method, device and system | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN103873240A (en) | 
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN104980438B (en) * | 2015-06-15 | 2018-07-24 | 中国科学院信息工程研究所 | The method and system of digital certificate revocation status checkout in a kind of virtualized environment | 
| CN109495454A (en) * | 2018-10-26 | 2019-03-19 | 北京车和家信息技术有限公司 | Authentication method, device, cloud server and vehicle | 
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US20020184182A1 (en) * | 2001-05-31 | 2002-12-05 | Nang Kon Kwan | Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL) | 
| CN101136098A (en) * | 2006-08-30 | 2008-03-05 | 阿里巴巴公司 | Method, device and system for accessing to certificate revocation list | 
| CN101572707A (en) * | 2009-05-31 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method, apparatus and system for validating certificate state | 
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20140618 |