CN120110686B - Certificate processing method, electronic device, and computer-readable storage medium

Info

Publication number: CN120110686B
Authority: CN (China)
Prior art keywords: certificate, application, middleware, file, security authentication
Legal status: Active
Application number: CN202510586971.7A
Other languages: Chinese (zh)
Other versions: CN120110686A (en)
Inventors: 张渊, 李勃
Current assignee: Beijing Watchdata Co ltd; Beijing WatchSmart Technologies Co Ltd
Original assignee: Beijing Watchdata Co ltd; Beijing WatchSmart Technologies Co Ltd
Events: application filed by Beijing Watchdata Co ltd and Beijing WatchSmart Technologies Co Ltd; priority to CN202510586971.7A; publication of CN120110686A; application granted; publication of CN120110686B; legal status active; anticipated expiration.

Classifications

    • H04L9/3263: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L67/06: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L9/3234: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

An embodiment of the application provides a certificate processing method, an electronic device and a computer-readable storage medium. The method comprises: obtaining a certificate file issued by a certificate authority; generating a certificate upload application based on the certificate file and sending it to a security authentication device, where the security authentication device generates a first device identity credential for the certificate upload application; sending the certificate upload application and the first device identity credential to a cloud server, where the cloud server stores the certificate file included in the certificate upload application; and, when the received upload result indicates that the upload succeeded, storing a certificate identifier in the security authentication device and storing the certificate file in a local cache of the middleware. The application addresses the technical problem in the related art that the storage resources of the security authentication device are limited and cannot accommodate the increased storage demand of quantum-resistant cryptography.

Description

Certificate processing method, electronic device, and computer-readable storage medium
Technical Field
The present application relates to the field of information security technology, and in particular to a certificate processing method, an electronic device, and a computer-readable storage medium.
Background
Traditional cryptosystems rely on mathematical problems such as large-integer factorisation or discrete logarithms, which quantum computers can solve in polynomial time, threatening existing encryption security. Quantum-resistant cryptography is based on other mathematical structures and remains secure even when a quantum computer is used to attack it.
For resource-constrained security authentication devices, migrating to quantum-resistant cryptography increases the length of public keys and signatures by an order of magnitude, an inherent consequence of the underlying mathematical construction, so keys and certificates grow substantially. Because the secure storage space of a security authentication device is limited (usually only tens of KB), certificate storage becomes a technical bottleneck. The schemes provided in the related art require reworking the upstream and downstream interfacing systems, extensive functional adjustment of the existing verification logic, and additional authentication processes to accommodate the quantum-resistant cryptography requirements of resource-limited security authentication devices; they are difficult to make directly compatible with existing cryptographic authentication flows and are therefore limited in applicability.
Disclosure of Invention
An embodiment of the application provides a certificate processing method, an electronic device and a computer-readable storage medium, which are used to alleviate or solve the technical problem in the related art that the storage resources of a security authentication device are limited and cannot accommodate the increased storage demand of quantum-resistant cryptography.
In a first aspect, an embodiment of the present application provides a certificate processing method, applied to middleware, including:
acquiring a certificate file issued by a certificate authority;
generating a certificate upload application based on the certificate file and sending it to a security authentication device, where the security authentication device generates a first device identity credential for the certificate upload application and sends the first device identity credential to the middleware;
sending the certificate upload application and the first device identity credential to a cloud server, where, if the certificate upload application and the first device identity credential pass verification, the cloud server stores the certificate file included in the certificate upload application and sends an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server from the certificate file;
and, if the received upload result indicates that the upload succeeded, storing the certificate identifier in the security authentication device and storing the certificate file in a local cache of the middleware.
In a second aspect, an embodiment of the present application provides a certificate processing method, applied to a security authentication device, including:
when a certificate upload application is received, generating a first device identity credential for the certificate upload application and sending it to middleware, where the certificate upload application is generated by the middleware based on a certificate file issued by a certificate authority; the middleware sends the certificate upload application and the first device identity credential to a cloud server; if the certificate upload application and the first device identity credential pass verification, the cloud server stores the certificate file included in the certificate upload application and sends an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server from the certificate file; and, if the received upload result indicates that the upload succeeded, the middleware sends the certificate identifier to the security authentication device and stores the certificate file in a local cache of the middleware;
receiving and storing the certificate identifier.
In a third aspect, an embodiment of the present application provides a certificate processing method, applied to a cloud server, including:
receiving a certificate upload application and a first device identity credential sent by middleware, where the certificate upload application is generated by the middleware based on a certificate file issued by a certificate authority and sent to a security authentication device, and the first device identity credential is generated by the security authentication device for the certificate upload application and sent to the middleware;
if the certificate upload application and the first device identity credential pass verification, extracting a certificate identifier from the certificate file included in the certificate upload application and storing the certificate file;
and sending an upload result including the certificate identifier to the middleware, where, if the received upload result indicates that the upload succeeded, the middleware stores the certificate identifier in the security authentication device and stores the certificate file in a local cache of the middleware.
In a fourth aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory, where the processor implements the method of any one of the embodiments of the present application when the computer program is executed.
In a fifth aspect, embodiments of the present application provide a computer readable storage medium having a computer program stored therein, the computer program, when executed by a processor, implementing a method according to any of the embodiments of the present application.
Based on the certificate processing methods of the first, second and third aspects, the present application has at least the following beneficial effects or advantages:
The security authentication device does not need to store the certificate file; it manages only certificate identifiers that record the binding relationship, and certificate distribution and transfer together with the device are achieved through the cloud server, which relieves the storage resource constraint faced by similar resource-constrained devices during migration to quantum-resistant cryptography. The improvement can be rolled out without any perceptible change to the existing frameworks of the application side, the certificate authority and so on: it is transparent to upper-layer applications, requires no adjustment of application functional logic, and adds no additional authentication flow.
The foregoing is only an overview of the present application, intended to give a better understanding of its technical means, as embodied in this specification, and of its above and other objects, features and advantages, as embodied in the following description.
Drawings
In the drawings, the same reference numerals refer to the same or similar parts or elements throughout the several views unless otherwise specified. The figures are not necessarily drawn to scale. It is appreciated that these drawings depict only some embodiments according to the application and are not therefore to be considered limiting of its scope.
FIG. 1 shows a first flowchart of a certificate processing method of an embodiment of the present application;
FIG. 2 shows a first schematic block diagram in the related art;
FIG. 3 shows a second schematic block diagram of a certificate processing method of an embodiment of the present application;
FIG. 4 shows a second flowchart of a certificate processing method of an embodiment of the present application;
FIG. 5 shows a third flowchart of a certificate processing method of an embodiment of the present application;
FIG. 6 shows a first timing diagram of a certificate processing method of an embodiment of the present application;
FIG. 7 shows a second timing diagram of a certificate processing method of an embodiment of the present application;
FIG. 8 shows a third timing diagram of a certificate processing method of an embodiment of the present application;
FIG. 9 shows a first schematic diagram of a certificate processing apparatus of an embodiment of the present application;
FIG. 10 shows a second schematic diagram of a certificate processing apparatus of an embodiment of the present application;
FIG. 11 shows a third schematic diagram of a certificate processing apparatus of an embodiment of the present application;
FIG. 12 shows a block diagram of an electronic device provided by an embodiment of the present application.
Detailed Description
Hereinafter, only certain exemplary embodiments are briefly described. As will be recognized by those skilled in the pertinent art, the described embodiments may be modified in numerous different ways without departing from the spirit or scope of the present application. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following describes related technologies of the embodiments of the present application. The following related technologies may be optionally combined with the technical solutions of the embodiments of the present application, which all belong to the protection scope of the embodiments of the present application.
The following terms will be used hereinafter:
Post-quantum cryptography (PQC), also called quantum-resistant cryptography, refers to cryptographic algorithms that resist attacks by quantum computers. Traditional cryptosystems rely on mathematical problems such as large-integer factorisation or discrete logarithms, which quantum computers can solve in polynomial time, threatening existing encryption security. Quantum-resistant cryptography is based on other mathematical structures and remains secure even once quantum computers mature.
X.509 is a widely used digital certificate standard for verifying identity, encrypting communications and ensuring data integrity on the internet and in various security systems; it is a core component of the public key infrastructure (PKI).
SN (Serial Number): a unique identity identifier that the manufacturer burns into the security chip at production time.
Public and private keys are the pair of keys in an asymmetric cryptosystem. The public key (Public Key) can be used to encrypt data, which can then only be decrypted by the user holding the corresponding private key, and to verify digital signatures. The private key (Private Key) is used to decrypt data encrypted with the corresponding public key and to generate digital signatures.
The certificate authority (Certificate Authority, CA) is a trusted third party responsible for issuing, managing and revoking digital certificates.
One technical challenge in migrating resource-constrained security authentication devices, such as USBKey (also known as smart cryptographic key) products, to quantum-resistant cryptography is storing quantum-resistant algorithm certificates within the constraints of secure storage. The USBKey is a security authentication device widely used in finance, government affairs, the Internet of Things and other fields, and its security capability depends on the physical security properties of its security chip.
On the one hand, owing to physical attack resistance requirements, manufacturing process and other factors, the unit storage cost of a security chip is usually 25 times higher than that of a general-purpose memory device. Constrained by cost, the security chip used in a USBKey has a small internal storage space, commonly 320KB. Taking into account the space reserved for firmware and algorithm libraries, the space left for keys, certificates and user data is typically less than 90KB.
On the other hand, certificates for quantum-resistant algorithms need significantly more storage space than classical-algorithm certificates. The key reason is that in widely used certificate formats such as X.509 and PGP certificates, both the certificate's public key and its signature are mandatory elements, and the mathematical construction of quantum-resistant algorithms increases the public key and signature lengths by an order of magnitude.
Classical RSA-2048 has a 256-byte public key and a 256-byte signature, whereas the lattice-based FIPS 204 ML-DSA (Dilithium) algorithm has a public key of 2.5KB and a signature of 4.5KB, so the corresponding X.509 certificate is nearly 6 times the size of an RSA-2048 certificate. SM2 is an elliptic curve cryptography algorithm, RSA-2048 is a public key algorithm based on the large-integer factorisation problem, and both are non-quantum-resistant algorithms. Falcon-1024 is a lattice-based digital signature algorithm, Dilithium is a lattice-based digital signature algorithm, SPHINCS+-128 is a hash-based digital signature algorithm and SPHINCS+-25 is a hash-based digital signature algorithm; these four are quantum-resistant algorithms.
Table 1: Comparison of parameters and certificate sizes for quantum-resistant signature algorithms
This geometric growth of key parameters and verification data directly expands the digital certificate that contains them. For example, an X.509 certificate embedding a SPHINCS+-256 public key and signature can be as large as 51KB, whereas conventional ECC certificates are typically under 1KB. Depending on the service scenario, a USBKey usually manages and stores several key pairs and corresponding certificates, including key pairs and certificates of different algorithms (such as RSA2048 certificates, SM2 certificates and the quantum-resistant algorithm certificates expected to be added) and of different purposes (such as SSL login certificates, transaction certificates and batch signature certificates). This characteristic of quantum-resistant algorithms poses a serious challenge for USBKey products with limited storage resources: the existing storage space may not accommodate the number of certificates the application requires.
It should be noted that, the application scenario or the application example provided in the embodiment of the present application is for convenience of understanding, and the embodiment of the present application does not specifically limit the application of the technical solution. In addition, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to comply with the related laws and regulations and standards of the related country and region, and are provided with corresponding operation entries for the user to select authorization or rejection.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the foregoing technical problems in detail with specific embodiments. The specific embodiments illustrated may be combined with one another and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 shows a first flowchart of a certificate processing method according to an embodiment of the present application, applied to middleware. As shown in Fig. 1, the method may include steps S101 to S104.
Step S101: acquiring a certificate file issued by a certificate authority;
Step S102: generating a certificate upload application based on the certificate file and sending it to a security authentication device, where the security authentication device generates a first device identity credential for the certificate upload application and sends the first device identity credential to the middleware;
Step S103: sending the certificate upload application and the first device identity credential to a cloud server, where, if the certificate upload application and the first device identity credential pass verification, the cloud server stores the certificate file included in the certificate upload application and sends an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server from the certificate file;
Step S104: if the received upload result indicates that the upload succeeded, storing the certificate identifier in the security authentication device and storing the certificate file in the local cache of the middleware.
The cloud server may take various forms, for example a public cloud service deployed on the internet or a private cloud service deployed inside an enterprise or organisation.
This embodiment describes the certificate upload flow. The middleware obtains the issued certificate file from a certificate authority (CA); the certificate file is an important credential for identity authentication and encrypted communication. The middleware generates a certificate upload application based on the acquired certificate file and sends it to a security authentication device (e.g. a USBKey). The certificate upload application contains the relevant information of the certificate file and requests the security authentication device's authorisation for the certificate upload. After receiving the certificate upload application, the security authentication device generates a first device identity credential for it, which is used to verify the device's identity so that only legitimate devices can perform the certificate upload; this prevents unauthorised certificate uploads and strengthens the security of the system. The security authentication device then sends the first device identity credential to the middleware, and the middleware sends the certificate upload application and the first device identity credential to the cloud server. After receiving them, the cloud server verifies them to ensure the validity of the certificate upload application and the device identity credential. If verification passes, the cloud server stores the certificate file contained in the certificate upload application and extracts the certificate identifier from it. The certificate identifier is a unique identifier generated by the cloud server from the certificate file and used for subsequent certificate management and verification. The cloud server then sends an upload result containing the certificate identifier to the middleware.
After receiving the upload result, if it indicates success, the middleware stores the certificate identifier in the security authentication device and stores the certificate file in its local cache so that the certificate file can be accessed quickly, which reduces dependence on the cloud server and improves the system's response speed and user experience. The certificate file is stored on the cloud server while the certificate identifier is stored in the security authentication device; this distributed storage decouples the storage needs of the security authentication device from the certificate file body, ensuring data security while improving storage flexibility.
Through this processing, and while preserving the correct association between the certificate and the key pair, the certificate file is not stored in the device but distributed online through the cloud server, which meets the challenge that the device's storage limitation poses during migration to quantum-resistant cryptography. Only the user side holding a legitimate USBKey with the certificate's private key is allowed to upload the certificate to the certificate distribution cloud service, and only the user side holding the corresponding USBKey is allowed to have the certificate distributed to the local device, which avoids potential security attacks and privacy leakage risks.
Security authentication products come in many forms, such as USBKey, U shield, smart card and hardware token. For convenience of description, the security authentication device is taken to be a USBKey and the executing body is the middleware, that is, the USBKey middleware. The USBKey is a hardware device with a USB interface that contains a single-chip microcontroller or smart card chip, has a certain amount of storage space, can store the user's private key and digital certificate, and authenticates the user's identity using the public key algorithms implemented inside it. The USBKey and the USBKey middleware are existing components of the existing authentication flow; what is improved is the interaction among the USBKey middleware, the USBKey and the cloud server, and the interaction logic between the application side and the USBKey does not need to be modified. In the existing flow, both the key pair and the certificate file are stored inside the USBKey: the USBKey is the carrier of the certificate file, and the certificate file is distributed and migrated together with the USBKey.
In an optional embodiment provided by the application, in step S102 the certificate upload application generated by the middleware includes the first data generation moment (the time at which the middleware generated the certificate upload application), the serial number of the security authentication device and the certificate file.
In this embodiment, the first device identity credential generated by the security authentication device is also attached to the certificate upload application. The encoding format of the certificate upload application provided by the middleware can be chosen according to the specific application scenario and is not particularly limited.
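The upload flow of steps S101 to S104 with the application contents just described, as an added Go example that is not part of the patent: middleware, USBKey and cloud are modelled in one process, the first device identity credential is an ECDSA signature over the application, and the cloud is assumed to know each device's identity public key by serial number (the page does not say how the credential is verified); the certificate file is treated as opaque bytes and its SHA-256 fingerprint serves as the certificate identifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// UploadApplication is what the middleware generates in step S102: the
// generation moment, the device serial number and the certificate file.
type UploadApplication struct {
	GeneratedAt time.Time `json:"generated_at"`
	DeviceSN    string    `json:"device_sn"`
	CertFile    []byte    `json:"cert_file"`
}

// digest is the value the device signs: SHA-256 over the JSON encoding.
func (a UploadApplication) digest() []byte {
	b, _ := json.Marshal(a) // cannot fail for these field types
	h := sha256.Sum256(b)
	return h[:]
}

// Device models the USBKey: a fixed serial number, an identity key whose
// private half never leaves the chip, and room for the certificate identifier.
type Device struct {
	SN     string
	key    *ecdsa.PrivateKey
	CertID string // stored in step S104; the certificate file itself is not
}

func NewDevice(sn string) *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{SN: sn, key: k}
}

// IssueCredential is the device side of step S102: the "first device identity
// credential" is a signature binding the application to this device.
func (d *Device) IssueCredential(app UploadApplication) ([]byte, error) {
	if app.DeviceSN != d.SN {
		return nil, errors.New("application is not for this device")
	}
	return ecdsa.SignASN1(rand.Reader, d.key, app.digest())
}

// Cloud models the distribution service. Assumption (not on the page): it
// knows each device's identity public key by serial number.
type Cloud struct {
	deviceKeys map[string]*ecdsa.PublicKey
	files      map[string][]byte // certificate identifier -> certificate file
	maxSkew    time.Duration     // acceptance window for the generation moment
}

func NewCloud(maxSkew time.Duration) *Cloud {
	return &Cloud{map[string]*ecdsa.PublicKey{}, map[string][]byte{}, maxSkew}
}

func (c *Cloud) Register(d *Device) { c.deviceKeys[d.SN] = &d.key.PublicKey }

// Upload is step S103 on the cloud side: verify application and credential,
// store the file and return the identifier (here the file's SHA-256 fingerprint).
func (c *Cloud) Upload(app UploadApplication, cred []byte, now time.Time) (string, error) {
	pub, ok := c.deviceKeys[app.DeviceSN]
	if !ok {
		return "", errors.New("unknown device serial number")
	}
	if d := now.Sub(app.GeneratedAt); d < -c.maxSkew || d > c.maxSkew {
		return "", errors.New("generation moment outside acceptance window")
	}
	if !ecdsa.VerifyASN1(pub, app.digest(), cred) {
		return "", errors.New("device identity credential does not verify")
	}
	fp := sha256.Sum256(app.CertFile)
	id := hex.EncodeToString(fp[:])
	c.files[id] = app.CertFile
	return id, nil
}

// UploadCertificate runs steps S102 to S104 from the middleware's side; cache
// is the middleware's local certificate cache.
func UploadCertificate(dev *Device, cloud *Cloud, cache map[string][]byte, certFile []byte) (string, error) {
	app := UploadApplication{GeneratedAt: time.Now().UTC(), DeviceSN: dev.SN, CertFile: certFile}
	cred, err := dev.IssueCredential(app)
	if err != nil {
		return "", err
	}
	id, err := cloud.Upload(app, cred, time.Now())
	if err != nil {
		return "", err // failed upload: device and cache stay untouched
	}
	dev.CertID = id      // only the identifier goes into the device
	cache[id] = certFile // the file body stays in the middleware cache
	return id, nil
}
```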
In an alternative embodiment provided by the application, the method further comprises determining the certificate identifier from a plurality of candidate identifiers, including the certificate serial number, the subject name, the certificate fingerprint and the public key hash, based on the certificate standard type and the requirement information of the application system.
The certificate identifier is data that uniquely identifies a certificate; different identifiers can be chosen for different certificate standards. Taking X.509 certificates as an example, in practice which data is chosen as the certificate identifier can be determined according to the service requirements of the application system. Optional certificate identifiers include: the certificate serial number (Certificate Serial Number), a unique integer assigned by the certificate authority (CA) that is unique under the same CA; the subject name (Subject Name), the identification information of the certificate holder, also called the "certificate DN"; the certificate fingerprint (Certificate Fingerprint), a unique value obtained by hashing the certificate content (typically its DER encoding); and the public key hash, a value obtained by hashing the public key data in the certificate. For example, if the service system distinguishes certificates by certificate DN, so that when it calls the cryptographic application interface to request a USBKey signature the parameter passed to select the certificate is the certificate DN, then the certificate DN is chosen as the certificate identifier.
According to an embodiment of the present application, the security authentication device further stores a key pair consisting of a public key and a private key, and before step S101 is executed the method further includes:
assembling a certificate request to be signed based on the public key;
the security authentication device signing the certificate request with the private key;
and the certificate authority issuing a certificate file if the certificate request passes verification.
In this embodiment, the improvement builds on the original flow framework with its certificate authentication requirement: the security authentication device (e.g. a USBKey) generates an asymmetric key pair internally, the public key is used to construct the certificate request, and the private key is stored securely inside the USBKey and, in accordance with information security standards, is never exported. The middleware assembles a certificate request (CSR) to be signed from the public key and other necessary identity information, in order to apply for a certificate from a certificate authority (CA). The certificate request is sent to the security authentication device, which digitally signs it with its internally stored private key, producing a signed certificate request that proves the request was indeed initiated by a legitimate USBKey. The signed certificate request is then sent to the certificate authority for verification. On receiving it, the certificate authority may perform a series of checks, including verifying the validity of the signature, confirming the validity of the applicant's identity information and checking the validity of the public key. Only if all checks pass does the certificate authority issue a digital certificate file and return it to the middleware.
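The CSR flow of the embodiment above together with the candidate identifiers of the preceding embodiment, as an added Go example that is not part of the patent: the device key stands in for the USBKey's internally generated key pair, the CA is a self-signed issuer constructed for the example, the CA only issues after the CSR signature verifies, and ExtractIDs computes the four candidate identifiers (serial, subject DN, SHA-256 fingerprint, public key hash) from the issued DER file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertIDs holds the four candidate certificate identifiers the text lists.
type CertIDs struct {
	Serial, SubjectDN, Fingerprint, PubKeyHash string
}

// ExtractIDs parses a DER certificate file and computes the candidates: CA-assigned
// serial, subject DN, SHA-256 of the DER encoding, SHA-256 of the SubjectPublicKeyInfo.
func ExtractIDs(der []byte) (CertIDs, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertIDs{}, err
	}
	fp := sha256.Sum256(cert.Raw)
	pk := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return CertIDs{cert.SerialNumber.String(), cert.Subject.String(),
		hex.EncodeToString(fp[:]), hex.EncodeToString(pk[:])}, nil
}

// newKey stands in for key generation inside the USBKey or the CA.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// DeviceSignCSR: the middleware assembles the request template (subject and
// public key); the device signs it with the private key that never leaves it.
func DeviceSignCSR(devKey *ecdsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, devKey)
}

// NewCA builds a self-signed issuing certificate and key (constructed here).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue is the CA step: check the CSR signature (proof that the device key
// signed the request) and only then issue a DER certificate file.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// EnrollAndIdentify runs the whole flow: device key -> signed CSR -> CA
// verification and issuance -> candidate identifiers of the issued file.
func EnrollAndIdentify(commonName string, serial int64) (CertIDs, error) {
	caCert, caKey, err := NewCA()
	if err != nil {
		return CertIDs{}, err
	}
	csrDER, err := DeviceSignCSR(newKey(), commonName)
	if err != nil {
		return CertIDs{}, err
	}
	certDER, err := Issue(caCert, caKey, csrDER, serial)
	if err != nil {
		return CertIDs{}, err
	}
	return ExtractIDs(certDER)
}
```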
In the embodiment provided by the present application, in step S104, storing the certificate file in the local cache of the middleware may use any of the following ways:
storing the certificate file on the local disk as a file;
storing the certificate file in a local database;
storing the certificate file in the Windows system registry;
storing the certificate file through the certificate management mechanism or certificate store provided by the operating system;
storing the certificate file with the help of sandbox technology;
protecting the certificate file with purpose-built secure storage software.
In the embodiment of the application, the middleware protects the locally cached certificate file from being tampered with or deleted, whether unintentionally or maliciously, through a protection mechanism implemented by means of the operating system's file permissions, account access control, or a third-party technology. Caching the certificate locally reduces the number of interactions between the user side and the cloud server side and lightens the request load on the cloud server side. The storage mode may be one of the above modes or a combination of several of them.
Fig. 2 shows a first schematic block diagram of the related art. The application system architecture based on the USBKey shown in fig. 2 mainly comprises an upper computer (i.e. the host on which the user interacts) and the USBKey (the security authentication device). The application or browser (i.e. the user side) realizes functions such as key management, certificate management and cryptographic operations by calling the cryptographic application interface (API) provided by the USBKey middleware. The USBKey middleware is responsible for the instruction communication and interaction logic with the USBKey (namely the security authentication device). It should be noted that the USBKey product supplied by the manufacturer consists of two parts: the USBKey middleware and the USBKey itself. For ease of understanding, the security authentication device may hereinafter be referred to as the USBKey, the middleware as the USBKey middleware, the certificate authority as the CA service, the application end simply as the application, and the cloud service end as the certificate distribution cloud service.
In the existing flow, the flow of downloading the signature certificate into the USBKey can be expressed as follows:
a) [USBKey] verifies the user's authority;
b) [USBKey] creates a key container;
c) [USBKey] generates a key pair in the key container;
d) [USBKey middleware] assembles a certificate request to be signed from the generated public key;
e) [USBKey] signs the certificate request with the generated private key;
f) [CA service] (i.e. the certificate authority) verifies the signed certificate request and issues a certificate file after verification passes;
g) [application] (i.e. the application end) calls the import-certificate interface of the [USBKey middleware];
h) [USBKey] stores the certificate file in the key container.
To show that the embodiment provided by the present application does not require changing the original authentication framework, fig. 3 shows a second schematic block diagram of the certificate processing method according to the embodiment of the present application. As shown in fig. 3, the "cryptographic application interface" API remains unchanged. The USBKey device no longer stores the certificate file; instead it stores the certificate identifier in association with the key container and with the key file corresponding to the certificate. A key file is a file storing key data used for security operations such as encryption, decryption, signing and signature verification. It may contain a symmetric key, an asymmetric key pair (public key and private key), and the like, and is stored in the security authentication device to prevent unauthorized access and tampering. The "certificate distribution cloud service" is responsible for storing and distributing certificate files. In the embodiment provided by the application, the USBKey manufacturer supplies a USBKey product comprising the USBKey middleware, the USBKey device and the certificate distribution cloud service (namely the cloud service end). It should be noted that although the cloud server is added as a new interacting party, the interaction of the application end and the certificate authority with the USBKey product is unchanged compared with the existing flow; only the interaction inside the USBKey product changes, so the original flow is improved transparently. In other words, the internal architecture is adjusted, but the application or browser on the client side still interacts with the USBKey middleware through the same cryptographic application interface API.
This means that the application end can adopt the new certificate processing method without any modification, realizing a transparent improvement of the original flow.
Illustratively, communication between the USBKey middleware and the certificate distribution cloud service (i.e. the cloud service end) can use various secure communication modes, such as TLS (Transport Layer Security), HTTPS (HTTP over TLS), a VPN (virtual private network), IPsec (Internet Protocol Security), an SSH (Secure Shell) tunnel, and the like. TLS is a cryptographic protocol that provides secure communication over the internet; by encrypting the transmitted data it ensures that the data cannot be read or tampered with in transit, and it can authenticate the communicating parties with digital certificates. HTTPS is the secure version of the HTTP protocol, carrying HTTP over TLS; besides encrypting the data it verifies the identity of the server (and optionally the client) through digital certificates, thereby preventing man-in-the-middle attacks. A VPN creates an encrypted virtual tunnel over a public network (such as the Internet) through which data is securely transmitted to the target server, ensuring the confidentiality and integrity of the data in transit. IPsec is a network-layer security protocol that encrypts and authenticates IP packets, providing end-to-end security at the IP layer. SSH is a protocol for secure remote login and server management; the traffic of other protocols (e.g. HTTP, FTP, etc.) can be encapsulated in an SSH connection, thereby transmitting it encrypted. The above communication methods are merely examples of secure communication methods and are not a particular limitation.
The above embodiment realizes the first distribution and downloading of the certificate. In the subsequent interaction with the application end, the certificate needs to be read for security authentication. The certificate reading process is described below; after step S104, the method further includes the following specific steps:
acquiring key container information from the security authentication device in response to receiving a reading instruction for reading the certificate file;
retrieving the certificate identifier from the key container information according to the reading instruction;
searching the local cache for the certificate file indexed by the certificate identifier;
and, if the certificate file passes integrity verification, sending the certificate file to the application end, wherein the application end calls the middleware to perform human-machine interaction.
In the embodiment provided by the application, when the application end needs to carry out security authentication, it sends an instruction for reading the certificate file to the middleware, and the middleware triggers the certificate reading process upon receiving it. The middleware obtains the key container information from the security authentication device (e.g. a USBKey device); this information contains, among other things, the certificate identifiers stored in the security authentication device, and the certificate identifier corresponding to the instruction is retrieved from it. The middleware then searches the local cache for the certificate file indexed by the retrieved certificate identifier; a hit means the local cache holds the certificate file that was downloaded from the cloud server and successfully stored. After finding the certificate file, the middleware performs integrity verification on it, and if the verification passes, sends the certificate file to the application end. The application end then calls the middleware to perform human-machine interaction and complete the subsequent security authentication process.
The reading instruction is sent when the application end invokes the middleware to read a certificate from the security authentication device, and can indicate various things: for example, to return all stored certificate identifiers by enumeration; to specify a certificate type within a preset key container in the security authentication device and return the certificate identifier of that type; or to specify a subject name DN and retrieve the matching certificate identifier from the key container information.
In an embodiment provided by the application, the method further comprises the following steps:
deleting the certificate file from the local cache if the certificate file fails the integrity verification;
the security authentication device generating a second device identity credential for the certificate distribution application and sending it to the middleware;
the cloud server returning the certificate file to the middleware if the certificate distribution application and the second device identity credential pass verification;
and storing the certificate file in the local cache and sending the certificate file to the application end.
In the embodiments provided by the present application, if the certificate file fails the integrity verification, the certificate file may have been tampered with or damaged during storage or transmission. In that case the middleware deletes the certificate file from the local cache, so that subsequent operations do not use a compromised or unsafe certificate. Based on the certificate identifier, the middleware generates a certificate distribution application containing the certificate identifier, for requesting the cloud server to send the certificate file again. Before sending it to the cloud service end, the middleware passes the certificate distribution application to the security authentication device. The security authentication device signs the certificate distribution application with its internal device identity key, producing a second device identity credential, which it sends to the middleware. The middleware sends the certificate distribution application and the second device identity credential to the cloud service end, which verifies the received application and credential. If the verification passes, the cloud service end returns the certificate file to the middleware; the middleware stores the newly obtained certificate file in the local cache and sends it to the application end, which then uses it for security authentication.
Through the steps, when the integrity verification of the certificate file fails, a mechanism is provided for re-acquiring and verifying the certificate file, so that the application end can use an effective certificate to carry out safety verification, the authenticity and the integrity of the certificate file are ensured, and the safety and the reliability of the whole system are improved.
According to the embodiment of the application, the certificate distribution application generated by the middleware comprises a second data generation time (the time at which the middleware generated the certificate distribution application), the serial number of the security authentication device and the certificate identifier.
In the embodiment provided by the application, the second device identity credential generated by the security authentication device is attached to the certificate distribution application. The encoding format of the certificate distribution application produced by the middleware may be chosen for the specific application scenario and is not particularly limited.
In the embodiment provided by the application, fig. 5 shows a third flowchart of the certificate processing method in the embodiment of the application. As shown in fig. 5, in addition to the first-time distribution and download, reading and re-acquisition mechanisms, a certificate deletion mechanism is provided, so that a certificate file can be safely deleted from the local cache and the cloud server when it is no longer needed. After step S104, the method further comprises:
acquiring key container information from the security authentication device in response to receiving a deletion instruction for deleting the certificate file;
retrieving the certificate identifier from the key container information according to the deletion instruction;
deleting the certificate file indexed by the certificate identifier from the local cache;
the security authentication device generating a third device identity credential for the certificate deletion application and sending it to the middleware;
the cloud server deleting the certificate file at the cloud server and sending the deletion result to the middleware if the certificate deletion application and the third device identity credential pass verification;
and deleting the certificate identifier from the security authentication device if the received deletion result indicates that the deletion is complete.
In the embodiment of the application, when the application end needs to delete a certificate file, it sends a deletion instruction to the middleware, and the middleware triggers the certificate deletion process upon receiving it. According to the deletion instruction, the middleware retrieves the corresponding certificate identifier from the key container information, searches the local cache for the certificate file indexed by that identifier and deletes it. Based on the certificate identifier, the middleware generates a certificate deletion application containing the certificate identifier, for requesting the cloud server to delete the certificate file. Before sending it to the cloud service end, the middleware passes the certificate deletion application to the security authentication device, which signs it with its internal device identity key, producing a third device identity credential that it sends to the middleware. The middleware sends the certificate deletion application and the third device identity credential to the cloud server, which verifies them; if the verification passes, the cloud server deletes the certificate file on its side and sends the deletion result to the middleware. If the result indicates that the deletion is complete, the middleware sends the certificate identifier to the security authentication device so that it is deleted from the key container, and the whole deletion process is finished.
According to the embodiment of the application, the certificate deletion application generated by the middleware comprises a third data generation time (the time at which the middleware generated the certificate deletion application), the serial number of the security authentication device and the certificate identifier.
In the embodiment provided by the application, the third device identity credential generated by the security authentication device is attached to the certificate deletion application. The encoding format of the certificate deletion application produced by the middleware may be chosen for the specific application scenario and is not particularly limited.
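The reading, re-acquisition and deletion flows above, seen from the middleware's local cache, as an added example in Python; it is not the patent's own code and not a product of the assignees. It assumes a file-per-certificate cache directory named by certificate identifier, takes the SHA-256 fingerprint of the certificate bytes as the identifier so that integrity verification is a recomputation of that fingerprint, and represents the cloud exchange by two callables; the device identity credential step is omitted, and the certificate bytes are constructed test data.

```python
"""Added example (not the patent's code): middleware-side certificate cache
with read, re-acquire-on-integrity-failure and delete flows.
Assumptions not stated on the page: one file per certificate named by the
certificate identifier; identifier = SHA-256 of the certificate bytes, so
integrity verification recomputes it; the cloud is two callables; the device
identity credential exchange is left out."""
import hashlib
import os
import tempfile


def cert_identifier(der):
    return hashlib.sha256(der).hexdigest()


class KeyContainer:
    """Stand-in for the USBKey key container: holds identifiers, not files."""

    def __init__(self):
        self.cert_ids = []

    def add(self, cert_id):
        if cert_id not in self.cert_ids:
            self.cert_ids.append(cert_id)

    def remove(self, cert_id):
        self.cert_ids.remove(cert_id)


class Middleware:
    def __init__(self, cache_dir, container, cloud_fetch, cloud_delete):
        self.cache_dir = cache_dir
        self.container = container
        self.cloud_fetch = cloud_fetch     # cert_id -> DER bytes or None
        self.cloud_delete = cloud_delete   # cert_id -> bool (deletion result)

    def _path(self, cert_id):
        # The identifier is hex, so it is safe to use as a file name.
        return os.path.join(self.cache_dir, cert_id + ".der")

    def store(self, der):
        cert_id = cert_identifier(der)
        with open(self._path(cert_id), "wb") as f:
            f.write(der)
        self.container.add(cert_id)        # the device keeps only the id
        return cert_id

    def verify_cached(self, cert_id):
        """Integrity verification: DER on success, b'' on mismatch, None if absent."""
        try:
            with open(self._path(cert_id), "rb") as f:
                der = f.read()
        except FileNotFoundError:
            return None
        return der if cert_identifier(der) == cert_id else b""

    def enumerate(self):
        """Read instruction 'enumerate': identifiers from the key container."""
        return list(self.container.cert_ids)

    def read(self, cert_id):
        """Read instruction for one identifier: cache hit, or re-acquire."""
        if cert_id not in self.container.cert_ids:
            raise KeyError("identifier not in key container")
        der = self.verify_cached(cert_id)
        if der:
            return der, "cache"
        if der == b"":
            os.remove(self._path(cert_id))           # tampered or truncated
        fetched = self.cloud_fetch(cert_id)
        if fetched is None or cert_identifier(fetched) != cert_id:
            raise RuntimeError("certificate distribution failed")
        self.store(fetched)
        return fetched, "cloud"

    def delete(self, cert_id):
        """Delete locally, then at the cloud, then the id on the device."""
        path = self._path(cert_id)
        if os.path.exists(path):
            os.remove(path)
        if not self.cloud_delete(cert_id):
            return False
        self.container.remove(cert_id)
        return True


def demo():
    """Walk through read, tamper, re-acquire and delete; return the trace."""
    der = b"\x30\x82\x02\x10constructed bytes, not a real X.509 DER"  # constructed
    cloud = {}
    mw = Middleware(tempfile.mkdtemp(), KeyContainer(),
                    cloud_fetch=cloud.get,
                    cloud_delete=lambda cid: cloud.pop(cid, None) is not None)
    cert_id = cert_identifier(der)
    cloud[cert_id] = der                       # already uploaded to the cloud
    mw.store(der)
    trace = [mw.read(cert_id)[1]]              # served from cache
    with open(mw._path(cert_id), "ab") as f:   # simulate on-disk corruption
        f.write(b"x")
    trace.append(mw.verify_cached(cert_id) == b"")
    trace.append(mw.read(cert_id)[1])          # re-acquired from the cloud
    trace.append(mw.delete(cert_id))
    trace.append(mw.enumerate())               # identifier gone from container
    return trace
```

The order in `delete` follows the flow above: the local copy goes first, the cloud copy second, and the identifier is removed from the key container only after the cloud reports completion, so an interrupted deletion leaves an identifier that a later read will simply re-acquire.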
Fig. 4 shows a second flowchart of a certificate processing method according to an embodiment of the present application, which is applied to a security authentication apparatus, and as shown in fig. 4, the method may include steps S201 to S202.
Step S201: when a certificate upload application is received, generate a first device identity credential for the certificate upload application and send it to the middleware. The certificate upload application is generated by the middleware based on the certificate file issued by the certificate authority. The middleware sends the certificate upload application and the first device identity credential to the cloud server; the cloud server stores the certificate file included in the certificate upload application if the certificate upload application and the first device identity credential pass verification, and sends an upload result including the certificate identifier to the middleware, the certificate identifier being extracted from the certificate file by the cloud server; and, if the received upload result indicates success, the middleware sends the certificate identifier to the security authentication device and stores the certificate file in the local cache of the middleware;
Step S202: receive and store the certificate identifier.
In the embodiment provided by the application, the security authentication device signs the certificate upload application with the device identity key stored inside it to generate the first device identity credential, which proves that the application was initiated by a legitimate security authentication device. The security authentication device returns the generated first device identity credential to the middleware, which then sends the certificate upload application and the first device identity credential together to the cloud server. The cloud server verifies them on receipt; after verification passes it stores the certificate file, generates the certificate identifier, and sends an upload result containing the certificate identifier back to the middleware. On receiving the upload result, if it indicates that the upload succeeded, the middleware sends the certificate identifier to the security authentication device and stores the certificate file in the local cache. The security authentication device receives and stores the certificate identifier.
According to the embodiment provided by the application, in step S201, generating a first device identity credential for the certificate upload application when it is received comprises:
computing the first device identity credential over the certificate upload application using the device identity key;
wherein the device identity key is generated by a key management system and stored in the security authentication device, or is diversified (derived) from a seed key and the serial number of the security authentication device.
In the embodiment provided by the application, the security authentication device (USBKey device) computes the first device identity credential over the certificate upload application using the device identity key. During production of the USBKey product, the KMS (Key Management System) generates the device identity key and writes it into the device; alternatively the device identity key may be diversified from a seed key and the SN (unique serial number) of the USBKey, so that each device holds a distinct key while the server side only needs the seed key to recompute it. The device identity key is preferably a symmetric key stored in the USBKey; considering the storage constraints of the USBKey and the principle of post-quantum migration, a traditional public-key algorithm, or a particular post-quantum algorithm, is not the preferred choice here.
In an alternative embodiment provided by the present application, receiving and storing the certificate identifier in step S202 comprises creating, in the key container, a certificate identifier file for storing the certificate identifier, or
adding, to the attributes of the key container or to the key container information, an attribute or field for storing the certificate identifier.
In the embodiment provided by the application, a key container is a secure structure for storing and managing keys and related information. The certificate identifier file, or the attribute or field of the key container, is kept in the secure storage area of the security authentication device, which ensures the security and confidentiality of the stored certificate identifier.
It should be noted that the binding between the certificate file and the key file in the key container, which the related art keeps in the security authentication device, is no longer stored there; the certificate file is replaced by the certificate identifier, which can be bound to the key file in a similar way, and this falls within the scope of protection of the present application.
The device identity credential may be a message authentication code (MAC) computed over the input message (i.e. the certificate upload application above) with the device identity key of the USBKey device; such a MAC is one form of the first device identity credential. The MAC proves that the message was authorized by a legitimate USBKey device, and it may be computed in several ways: with a block-cipher-based MAC such as AES-CMAC over the input message, or with a hash-based MAC such as HMAC-SHA256 combining the input message with the device identity key. Both authenticate the message; neither encrypts it.
For example, when the security authentication device (USBKey device) generates the first device identity credential for the certificate upload application, it needs to check that the serial number SN carried in the certificate upload application matches its own serial number, and it may also check that the public key carried in the certificate file is consistent with the public key in the key file. This public-key check does not apply when the cloud server distributes a root certificate, an intermediate certificate, or any certificate whose key pair is not inside the security authentication device.
When the execution subject is the security authentication device, the following steps may be used for certificate distribution:
receiving a certificate distribution application sent by the middleware, the certificate distribution application being generated and sent based on the certificate identifier when the certificate file fails integrity verification;
generating a second device identity credential for the certificate distribution application and sending it to the middleware; the middleware sends the certificate distribution application and the second device identity credential to the cloud server, which returns the certificate file to the middleware if the certificate distribution application and the second device identity credential pass verification, and the middleware stores the certificate file in the local cache and sends it to the application end.
Specifically, the certificate file may fail integrity verification for various reasons: for example, the certificate file was not cached at all, or the cached data of the certificate file is incomplete, or the cached data fails the integrity check. Whatever the reason, once the middleware detects a problem with the integrity of the certificate file, it generates a certificate distribution application and triggers the certificate re-sending process.
Illustratively, when the security authentication device (USBKey device) generates the second device identity credential for the certificate distribution application, it needs to check that the serial number SN carried in the certificate distribution application matches its own serial number, and it may further check that the certificate identifier matches at least one certificate identifier in its key container.
When the execution subject is the security authentication device, the following steps may be used for the certificate deletion process:
sending key container information to the middleware in response to the middleware receiving a deletion instruction for deleting the certificate file; the middleware retrieves the certificate identifier from the key container information according to the deletion instruction;
receiving a certificate deletion application, which the middleware generates and sends based on the certificate identifier;
generating a third device identity credential for the certificate deletion application and sending it to the middleware; the cloud server deletes the certificate file at the cloud server and sends the deletion result to the middleware if the certificate deletion application and the third device identity credential pass verification;
and deleting the certificate identifier if the deletion result received by the middleware indicates that the deletion is complete.
For example, when the security authentication device (USBKey device) generates the third device identity credential for the certificate deletion application, it needs to check that the serial number SN carried in the certificate deletion application matches its own serial number, and it may further check that the certificate identifier matches at least one certificate identifier in its key container.
Fig. 5 shows a third flowchart of a certificate processing method according to an embodiment of the present application, applied to a cloud server. As shown in fig. 5, the method may include steps S301 to S303.
Step S301: receiving a certificate upload application and a first device identity credential sent by the middleware, wherein the certificate upload application is generated by the middleware based on the certificate file issued by the certificate authority and sent to the security authentication device, and the first device identity credential is generated by the security authentication device for the certificate upload application and sent to the middleware;
Step S302: if the certificate upload application and the first device identity credential pass verification, extracting the certificate identifier from the certificate file included in the certificate upload application, and storing the certificate file;
Step S303: sending an upload result including the certificate identifier to the middleware, wherein, if the received upload result indicates that the upload succeeded, the middleware stores the certificate identifier in the security authentication device and stores the certificate file in the local cache of the middleware.
In the embodiment provided by the application, the cloud server receives the certificate upload application and the first device identity credential sent by the middleware. The certificate upload application is generated by the middleware based on the certificate file issued by the Certificate Authority (CA) and passed to the security authentication device; the first device identity credential is generated by the security authentication device for the certificate upload application and sent to the middleware. The cloud server verifies the received certificate upload application and first device identity credential. If the verification passes, the cloud server extracts the certificate identifier from the certificate file contained in the certificate upload application; the certificate identifier is a unique identifier derived by the cloud server from the certificate file and used for subsequent certificate management and verification. The cloud service end then sends an upload result containing the certificate identifier to the middleware, indicating whether the certificate file was successfully uploaded and stored. If the upload succeeded, the middleware stores the certificate identifier in the security authentication device and stores the certificate file in the local cache for subsequent use.
Illustratively, the cloud server stores the certificate file together with the serial number SN of the corresponding security authentication device, indexed by the certificate identifier.
According to an embodiment of the present application, the certificate upload application further includes the serial number and a first data generation time, and the method further includes:
refusing to store the certificate file if any of the following conditions is satisfied:
the first data generation time is outside a preset time range;
the number segment of the serial number does not belong to the predetermined service range;
the certificate file fails verification against the root certificate (or an intermediate certificate) of the certificate authority;
the first device identity credential fails verification with the first device identity key that the key management system generated for this serial number;
or the first device identity credential fails verification with the second device identity key diversified from the predetermined seed key and the serial number.
In the embodiment provided by the application, the cloud server's verification of the certificate upload application and the first device identity credential at least comprises: checking whether the data generation time lies within the preset range around the current time, and refusing service if it does not; checking whether the serial number SN of the security authentication device (such as a USBKey device) is compliant, i.e. within the service range, and refusing service if it is not; verifying the validity of the certificate file against the root certificate (or an intermediate certificate) of the certificate authority (such as a CA), and refusing service if it fails; and retrieving the device identity key from the key management system KMS by the serial number of the security authentication device, or diversifying the device identity key from the seed key and the serial number, and verifying the first device identity credential with it, refusing service if the verification fails. The generation-time check bounds how long a captured application and credential remain usable for replay.
In the digital Certificate system, a Root Certificate (Root Certificate) and an intermediate-level Certificate (INTERMEDIATE CERTIFICATE) form part of a Certificate chain. The root certificate is the topmost certificate of the certificate chain, issued by the Certificate Authority (CA) itself, and is the basis of the whole trust chain. The intermediate level certificate (INTERMEDIATE CERTIFICATE) is a certificate issued by the root certificate for issuing the end user certificate, and the existence of the intermediate level certificate can reduce the burden of the root certificate and increase the flexibility of certificate issuing.
For example, after receiving a message containing a first device identity credential, the cloud server needs to retrieve a device identity key to verify the validity of the credential. The cloud service side can acquire the device identity key in various modes, and call the device identity key in the KMS (key management system) according to the SN (serial number) of the USBKey device. If the device identity key is not directly stored in the KMS, the cloud server can generate the device identity key through a key dispersion algorithm according to the seed key and the SN of the USBKey device.
When the execution subject is the cloud server, certificate distribution can proceed as follows:
receiving a certificate distribution application and a second device identity credential, wherein the certificate distribution application is generated by the middleware based on the certificate identifier and sent to the security authentication device when the certificate file fails integrity verification, and the second device identity credential is generated by the security authentication device for the certificate distribution application and sent to the middleware;
returning the certificate file to the middleware when the certificate distribution application and the second device identity credential pass verification, wherein the middleware stores the certificate file in its local cache and sends it to the application end.
Illustratively, the certificate distribution application further includes a serial number and a second data generation time, and the method further includes:
refusing to distribute the certificate file if any of the following conditions is satisfied:
the second data generation time exceeds the preset time range;
the number segment of the serial number does not belong to the predetermined service range;
the second device identity key generated by the key management system is retrieved according to the serial number and used to verify the second device identity credential, and the verification result is that the second device identity credential fails verification;
the second device identity credential is verified with the second device identity key obtained by dispersing the predetermined seed key with the serial number, and the verification result is that the second device identity credential fails verification.
In the embodiment provided by this application, the cloud server's verification of the certificate distribution application and the second device identity credential includes at least the following: checking whether the data generation time falls within the preset time range relative to the current time, and refusing service if it does not; checking whether the serial number SN of the security authentication device (for example, a USBKey device) is compliant, that is, whether it falls within the service range, and refusing service if it does not; and retrieving the device identity key from the key management system KMS according to the serial number of the security authentication device, or deriving it by key dispersion, and using it to verify the second device identity credential, refusing service if verification fails.
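The cloud-side acceptance checks described above for the certificate upload application (time window, SN number segment, root-certificate check, device identity credential) and, without the root-certificate step, for the certificate distribution application, as an added Python example that is not code from the patent or its assignees. The dispersion function (HMAC-SHA256 of the SN under the seed key), the credential construction (a MAC over the application bytes), the JSON application encoding, the policy constants and the PEM-only stand-in for X.509 root validation are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed policy values: the text leaves the preset time range and the
# serviced SN number segments open, so these are assumptions for the demo.
PRESET_TIME_RANGE_SECONDS = 300
SERVICE_SN_PREFIXES = ("WD2025",)


def disperse_device_identity_key(seed_key: bytes, serial_number: str) -> bytes:
    """Key dispersion: derive one USBKey's device identity key from the
    predetermined seed key and its serial number. Using HMAC-SHA256 as the
    dispersion function is an assumption; the text names no algorithm."""
    label = b"device-identity-key|" + serial_number.encode()
    return hmac.new(seed_key, label, hashlib.sha256).digest()


def make_device_identity_credential(device_key: bytes, application: bytes) -> bytes:
    """The credential the USBKey computes over an application with its device
    identity key. A MAC is assumed; the text does not fix the construction."""
    return hmac.new(device_key, application, hashlib.sha256).digest()


@dataclass
class Application:
    """Certificate upload or distribution application built by the middleware."""
    kind: str                                     # "upload" or "distribute"
    serial_number: str                            # SN of the USBKey
    data_generation_time: int                     # Unix seconds
    certificate_file: Optional[bytes] = None      # upload only
    certificate_identifier: Optional[str] = None  # distribute only

    def encode(self) -> bytes:
        """Canonical bytes that the USBKey credentials and the cloud verifies."""
        cert = self.certificate_file.hex() if self.certificate_file else None
        return json.dumps({"kind": self.kind, "sn": self.serial_number,
                           "time": self.data_generation_time, "cert": cert,
                           "cert_id": self.certificate_identifier},
                          sort_keys=True).encode()


def demo_root_check(certificate_file: bytes) -> bool:
    """Stand-in for X.509 path validation against the CA root or intermediate
    certificate, which needs an X.509 library outside the standard library.
    This constructed check only accepts PEM-framed input."""
    return certificate_file.startswith(b"-----BEGIN CERTIFICATE-----")


class CloudVerifier:
    """Cloud-side acceptance gate for upload and distribution applications."""

    def __init__(self, kms: Dict[str, bytes], seed_key: bytes,
                 root_verifies: Callable[[bytes], bool]):
        self.kms = kms                      # SN -> device identity key, if stored
        self.seed_key = seed_key            # fallback: disperse from seed + SN
        self.root_verifies = root_verifies

    def device_identity_key(self, serial_number: str) -> bytes:
        """Prefer the key held by the KMS; otherwise disperse it from the seed."""
        key = self.kms.get(serial_number)
        return key if key is not None else disperse_device_identity_key(
            self.seed_key, serial_number)

    def verify(self, app: Application, credential: bytes,
               now: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Any failed condition refuses service."""
        if abs(now - app.data_generation_time) > PRESET_TIME_RANGE_SECONDS:
            return False, "data generation time outside preset range"
        if not app.serial_number.startswith(SERVICE_SN_PREFIXES):
            return False, "serial number segment outside service range"
        if app.kind == "upload" and (app.certificate_file is None
                                      or not self.root_verifies(app.certificate_file)):
            return False, "certificate file not verified by root certificate"
        expected = make_device_identity_credential(
            self.device_identity_key(app.serial_number), app.encode())
        if not hmac.compare_digest(expected, credential):
            return False, "device identity credential failed verification"
        return True, "accepted"


if __name__ == "__main__":
    seed = b"constructed-seed-key"
    sn = "WD2025-000001"
    cloud = CloudVerifier(kms={}, seed_key=seed, root_verifies=demo_root_check)
    usbkey_key = disperse_device_identity_key(seed, sn)   # key held inside the USBKey
    app = Application("upload", sn, 1_700_000_000,
                      certificate_file=b"-----BEGIN CERTIFICATE-----\nconstructed\n")
    cred = make_device_identity_credential(usbkey_key, app.encode())
    print(cloud.verify(app, cred, now=1_700_000_120))          # accepted
    print(cloud.verify(app, cred, now=1_700_000_900))          # stale application
    print(cloud.verify(app, b"\x00" * 32, now=1_700_000_120))  # forged credential
```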
When the execution subject is the cloud server, certificate deletion can proceed as follows:
receiving a certificate deletion application and a third device identity credential, wherein the certificate deletion application is generated by the middleware based on the certificate identifier and sent to the security authentication device, and the third device identity credential is generated by the security authentication device for the certificate deletion application and sent to the middleware;
deleting the certificate file when the certificate deletion request and the third device identity credential pass verification;
and sending the deletion result to the middleware, wherein the middleware deletes the certificate identifier in the security authentication device when the received deletion result indicates that the deletion is completed.
Based on the above embodiments and optional embodiments, the present application provides an optional implementation that improves the USBKey certificate management method for resource-constrained security authentication devices, that is, an improvement of the USBKey certificate management function. Fig. 6 shows a first timing chart of a certificate processing method according to an embodiment of the present application. In it, the middleware is referred to as the USBKey middleware, the certificate authority as the CA service, the application end simply as the application, and the cloud server as the certificate distribution cloud service. Steps a) to g) of the existing flow are unchanged; as shown in Fig. 6, the new method begins at step h):
a) [USBKey] verifies the user authority;
b) [USBKey] creates a key container;
c) [USBKey] generates a key pair in the key container;
d) [USBKey middleware] assembles a certificate request to be signed using the generated public key;
e) [USBKey] signs the certificate request with the generated private key;
f) [CA service] verifies the signed certificate request and issues a certificate file after verification passes;
g) [application] invokes the import-certificate interface of [USBKey middleware];
The following begins the targeted improvement of the alternative embodiment of the present application:
h) [USBKey middleware], after receiving the certificate file, generates a "certificate upload application" to be signed;
i) [USBKey] generates a "device identity credential" (the first device identity credential in the import process) for the certificate upload application using its device identity key (the first device identity key);
j) [certificate distribution cloud service] verifies the certificate upload application and the device identity credential; after verification passes, it extracts the certificate identifier from the certificate file, stores the certificate file, and returns a result response containing the certificate identifier;
k) [USBKey middleware] receives and evaluates the certificate upload result; if the operation succeeded, it stores the certificate file in the client's local cache and proceeds to the next step;
l) [USBKey] stores the certificate identifier in the key container.
It will be appreciated that the above process is generally divided into three stages:
First stage, generating the certificate upload application and the device identity credential: [USBKey middleware] generates the certificate upload application and calls [USBKey] to generate the device identity credential;
Second stage, uploading the certificate: [certificate distribution cloud service] verifies the certificate upload application, stores the certificate file after verification passes, and returns the certificate identifier;
Third stage, storing the certificate identifier: [USBKey] stores the certificate identifier in the key container in the device (instead of storing the certificate file directly, as in the prior art), and [USBKey middleware] stores the certificate file in the local cache.
The above is the process of importing a signing certificate. For the process of importing the certificate file, after the application end obtains the certificate file from the certificate authority, that is, after step g), the application end's interaction interface with the USBKey middleware (the import-certificate interface), its interaction logic, and its inputs and outputs are all unchanged. The certificate file is no longer stored in the security authentication device; only the binding relation between the certificate and the key pair is managed there.
Fig. 7 shows a second timing diagram of a certificate processing method according to an embodiment of the present application; as shown in Fig. 7, a method of reading a certificate from the USBKey is provided.
a1) [application] calls the read-certificate interface of [USBKey middleware];
b1) [USBKey middleware] reads the key container information from [USBKey] and searches for the "certificate identifier" of the target certificate;
c1) [USBKey middleware] looks up the certificate file in the local cache with the certificate identifier as index; if it is found, the integrity of the certificate file is verified (the signature on the certificate file is verified with the CA certificate); if verification fails, the local cache entry is deleted; if it passes, the certificate file is returned to the application and the flow ends;
d1) [USBKey middleware] generates a "certificate distribution application" and calls [USBKey] to generate a "device identity credential" for it with the "device identity key" (that is, the second device identity credential in the read-and-reissue process);
e1) [certificate distribution cloud service] verifies the certificate distribution application and the device identity credential, and after verification passes looks up and returns the corresponding certificate file;
f1) [USBKey middleware] stores the certificate file in the local cache with the certificate identifier as index;
g1) [USBKey middleware] returns the "certificate file" to [application].
The above is the procedure for reading and redistributing the certificate file; for the application end, the interaction interface with [USBKey middleware] (the read-certificate interface), the interaction logic, and the inputs and outputs are all unchanged. The certificate file can be distributed online rather than being read from the USBKey. The certificate distribution cloud service accepts certificate upload requests only from a legitimate USBKey, and distributes a certificate only to a client that holds the USBKey used when the certificate was uploaded. A local certificate caching mechanism and a certificate verification mechanism are implemented in the USBKey middleware, reducing network interaction between the USBKey middleware and the certificate distribution cloud service while ensuring the certificate is correct and available.
Fig. 8 shows a third timing diagram of a certificate processing method according to an embodiment of the present application; as shown in Fig. 8, a method of deleting a certificate from the USBKey is provided.
a2) [application] calls the delete-certificate interface of [USBKey middleware];
b2) [USBKey middleware] reads the key container information from [USBKey] and searches for the "certificate identifier" of the target certificate;
c2) [USBKey middleware] looks up the target certificate file in the local cache with the certificate identifier as index;
d2) [USBKey middleware] generates a "certificate deletion application" and calls [USBKey] to generate a "device identity credential" for it with the "device identity key" (that is, the third device identity credential in the deletion process);
e2) [certificate distribution cloud service] verifies the certificate deletion application and the device identity credential, and after verification passes looks up and deletes the corresponding certificate file;
f2) [USBKey middleware] requests [USBKey] to delete the "certificate identifier" from the key container;
g2) [USBKey middleware] returns the certificate deletion result to [application].
The above is the procedure for deleting the certificate file; for the application end, the interaction interface with [USBKey middleware] (the delete-certificate interface), the interaction logic, and the inputs and outputs are all unchanged.
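The read-and-reissue flow (a1 to g1) and the deletion flow (a2 to g2) above, simulated end to end between the USBKey, the middleware's local cache and the distribution cloud service, as an added Python example that is not code from the patent or its assignees. HMAC-SHA256 for key dispersion and credentials, the JSON application body and the constructed trailer standing in for the CA signature check are assumptions.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Set

# Constructed demo values; the text fixes neither the dispersion function nor the
# credential format, so HMAC-SHA256 and a JSON application body are assumptions.
SEED_KEY = b"constructed-seed-key"
USBKEY_SN = "WD2025-000001"


def disperse_device_identity_key(seed_key: bytes, serial_number: str) -> bytes:
    """Key dispersion from the seed key and the USBKey SN (assumed HMAC-SHA256)."""
    label = b"device-identity-key|" + serial_number.encode()
    return hmac.new(seed_key, label, hashlib.sha256).digest()


def credential_for(device_key: bytes, application: bytes) -> bytes:
    """Device identity credential over the application bytes (assumed MAC)."""
    return hmac.new(device_key, application, hashlib.sha256).digest()


def demo_integrity_check(certificate_file: bytes) -> bool:
    """Stand-in for verifying the CA signature on a certificate file (real X.509
    checking needs a non-stdlib library); accepts only the constructed trailer."""
    return certificate_file.endswith(b"|constructed-ca-signature")


class UsbKey:
    """Simulated security authentication device; its key container holds identifiers only."""

    def __init__(self, serial_number: str, device_identity_key: bytes):
        self.serial_number = serial_number
        self._device_identity_key = device_identity_key
        self.key_container: Set[str] = set()   # certificate identifiers, no certificate files

    def identity_credential(self, application: bytes) -> bytes:
        return credential_for(self._device_identity_key, application)


class DistributionCloud:
    """Simulated distribution cloud service: serves/deletes files only for a verified USBKey."""

    def __init__(self, seed_key: bytes):
        self.seed_key = seed_key
        self.store: Dict[str, bytes] = {}
        self.requests = 0                        # lets the demo show the cache savings

    def _authorised(self, application: bytes, credential: bytes) -> Optional[dict]:
        """Re-derive the device identity key from seed + SN and check the credential."""
        self.requests += 1
        fields = json.loads(application)
        key = disperse_device_identity_key(self.seed_key, fields["sn"])
        return fields if hmac.compare_digest(credential_for(key, application), credential) else None

    def distribute(self, application: bytes, credential: bytes) -> Optional[bytes]:
        fields = self._authorised(application, credential)
        return self.store.get(fields["cert_id"]) if fields else None

    def delete(self, application: bytes, credential: bytes) -> bool:
        fields = self._authorised(application, credential)
        return bool(fields) and self.store.pop(fields["cert_id"], None) is not None


class Middleware:
    """USBKey middleware: local cache indexed by certificate identifier, read and delete flows."""

    def __init__(self, usbkey: UsbKey, cloud: DistributionCloud, integrity_ok: Callable[[bytes], bool]):
        self.usbkey, self.cloud, self.integrity_ok = usbkey, cloud, integrity_ok
        self.cache: Dict[str, bytes] = {}

    def _application(self, kind: str, cert_id: str, now: int) -> bytes:
        body = {"kind": kind, "cert_id": cert_id, "sn": self.usbkey.serial_number, "time": now}
        return json.dumps(body, sort_keys=True).encode()

    def read_certificate(self, cert_id: str, now: int) -> Optional[bytes]:
        if cert_id not in self.usbkey.key_container:        # b1) identifier not in key container
            return None
        cached = self.cache.get(cert_id)                    # c1) local cache lookup
        if cached is not None:
            if self.integrity_ok(cached):
                return cached
            del self.cache[cert_id]                         # evict the corrupted copy
        application = self._application("distribute", cert_id, now)             # d1)
        cert_file = self.cloud.distribute(application, self.usbkey.identity_credential(application))  # e1)
        if cert_file is None or not self.integrity_ok(cert_file):
            return None
        self.cache[cert_id] = cert_file                     # f1) re-cache under the identifier
        return cert_file                                    # g1)

    def delete_certificate(self, cert_id: str, now: int) -> bool:
        if cert_id not in self.usbkey.key_container:        # b2)
            return False
        self.cache.pop(cert_id, None)                       # c2) drop the local copy
        application = self._application("delete", cert_id, now)                 # d2)
        if not self.cloud.delete(application, self.usbkey.identity_credential(application)):  # e2)
            return False
        self.usbkey.key_container.discard(cert_id)          # f2) remove identifier from USBKey
        return True                                         # g2)
```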
Given the larger size of certificates for post-quantum cryptographic algorithms, the alternative embodiment provided by this application reduces the storage space the security authentication device needs for a certificate while still allowing the complete certificate to be recovered: for example, an X.509 certificate embedding a Dilithium public key and signature has a size of 8KB, whereas with this processing method the security authentication device needs only ten-odd bytes (only the certificate DN is stored).
Through this optional processing method, the certificate processing method of the alternative embodiment is transparent to the upper-layer application: the upper-layer application needs no changes to interfaces, data or flows, and the certificate management interface of the USBKey middleware remains unchanged externally, so backward compatibility is preserved. Only a legitimate USBKey client that holds the certificate's private key is allowed to upload a certificate, and only a client with the corresponding USBKey is allowed to receive a distributed certificate, which avoids potential security attacks and privacy leakage; the local caching method also improves interface response performance and relieves request pressure on the cloud service.
Fig. 9 shows a first schematic diagram of a certificate processing apparatus according to an embodiment of the present application. Corresponding to the application scenario and method provided by the embodiment of the present application, the embodiment further provides a certificate processing apparatus, applied to middleware, which, as shown in Fig. 9, includes:
an acquisition module 901, configured to acquire a certificate file issued by a certificate authority;
a first processing module 902, configured to generate a certificate upload application based on the certificate file and send it to the security authentication device;
a first sending module, configured to send the certificate upload application and the first device identity credential to the cloud server, wherein the cloud server is configured to store the certificate file included in the certificate upload application and send an upload result including a certificate identifier to the middleware when the certificate upload application and the first device identity credential pass verification, the certificate identifier being extracted by the cloud server from the certificate file;
a first storage module 904, configured to store the certificate identifier in the security authentication device and store the certificate file in the local cache of the middleware when the received upload result indicates that the upload succeeded.
For the functions of the modules in the apparatuses of the embodiments of the present application, reference may be made to the corresponding descriptions of the above methods; they have the corresponding beneficial effects and are not described here again.
Fig. 10 shows a second schematic diagram of a certificate processing apparatus according to an embodiment of the present application. Corresponding to the application scenario and method provided by the embodiment of the present application, a certificate processing apparatus is further provided, applied to a security authentication device, which, as shown in Fig. 10, includes:
a second processing module 1001, configured to, upon receiving a certificate upload application, generate a first device identity credential for the certificate upload application and send the first device identity credential to the middleware, wherein the certificate upload application is generated by the middleware based on a certificate file issued by the certificate authority; the middleware is configured to send the certificate upload application and the first device identity credential to the cloud server; the cloud server is configured to store the certificate file included in the certificate upload application when the certificate upload application and the first device identity credential pass verification, and to send an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server from the certificate file; and the middleware is configured to send the certificate identifier to the security authentication device and store the certificate file in its local cache when the received upload result indicates that the upload succeeded;
a second storage module 1002, configured to receive and store the certificate identifier.
Fig. 11 shows a third schematic diagram of a certificate processing apparatus according to an embodiment of the present application. Corresponding to the application scenario and method provided by the embodiment of the present application, the embodiment further provides a certificate processing apparatus, applied to a cloud server, which, as shown in Fig. 11, includes:
a receiving module 1101, configured to receive a certificate upload application and a first device identity credential sent by the middleware, wherein the certificate upload application is generated by the middleware based on a certificate file issued by the certificate authority and sent to the security authentication device, and the first device identity credential is generated by the security authentication device for the certificate upload application and sent to the middleware;
a third processing module 1102, configured to extract a certificate identifier from the certificate file included in the certificate upload application and store the certificate file when the certificate upload application and the first device identity credential pass verification;
a second sending module 1103, configured to send an upload result including the certificate identifier to the middleware, wherein the middleware is configured to store the certificate identifier in the security authentication device and store the certificate file in the local cache of the middleware when the received upload result indicates that the upload succeeded.
Fig. 12 is a block diagram of an electronic device used to implement an embodiment of the application. As shown in fig. 12, the electronic device includes a memory 1201 and a processor 1202, the memory 1201 storing a computer program executable on the processor 1202. The processor 1202, when executing the computer program, implements the methods of the embodiments described above. The number of memory 1201 and processor 1202 may be one or more. In a specific implementation, the electronic device may further include a communication interface 1203, configured to communicate with an external device, and perform data interaction transmission.
In a specific implementation, if the memory 1201, the processor 1202 and the communication interface 1203 are implemented independently, they may be connected to each other by a bus and communicate with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in Fig. 12, but this does not mean there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 1201, the processor 1202 and the communication interface 1203 are integrated on a chip, the memory 1201, the processor 1202 and the communication interface 1203 may complete communication with each other through internal interfaces.
The embodiment of the application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the method provided in the embodiment of the application.
The embodiment of the application provides a computer program product, comprising a computer program, which when being executed by a processor, realizes the method provided in the embodiment of the application.
The embodiment of the application also provides a chip, which comprises a processor and is used for calling the instructions stored in the memory from the memory and running the instructions stored in the memory, so that the communication equipment provided with the chip executes the method provided by the embodiment of the application.
The embodiment of the application also provides a chip which comprises an input interface, an output interface, a processor and a memory, wherein the input interface, the output interface, the processor and the memory are connected through an internal connection path, the processor is used for executing codes in the memory, and when the codes are executed, the processor is used for executing the method provided by the application embodiment.
It should be appreciated that the processor may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. A general-purpose processor may be a microprocessor or any conventional processor. It is noted that the processor may be one supporting the Advanced RISC Machines (ARM) architecture.
Further, alternatively, the memory may include read-only memory and random access memory. The memory may be volatile memory or nonvolatile memory, or may include both. Nonvolatile memory may include read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory, among others. Volatile memory may include random access memory (RAM), which acts as external cache memory. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct memory bus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
Any process or method described in the flowcharts or otherwise herein may be understood as representing modules, segments, or portions of code that include one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of the present application includes additional implementations in which functions may be performed substantially simultaneously or in the reverse order from that shown or discussed, depending on the functions involved.
Logic and/or steps described in the flowcharts or otherwise herein, which may be considered an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, a processor-containing system, or another system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. All or part of the steps of the methods of the embodiments described above may be performed by a program that, when executed, comprises one or a combination of the steps of the method embodiments, instructs the associated hardware to perform the method.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules described above, if implemented in the form of software functional modules and sold or used as a stand-alone product, may also be stored in a computer-readable storage medium. The storage medium may be a read-only memory, a magnetic or optical disk, or the like.
The above is merely an exemplary embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of various changes or substitutions within the technical scope of the present application, and these should be covered in the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (10)

1. A certificate processing method, characterized in that it is applied to middleware and comprises:
obtaining a certificate file issued by a certificate authority;
generating, based on the certificate file, a certificate upload application and sending it to a security authentication device, wherein the security authentication device is configured to generate a first device identity credential for the certificate upload application and send the first device identity credential to the middleware;
sending the certificate upload application and the first device identity credential to a cloud server, wherein the cloud server is configured to, when the certificate upload application and the first device identity credential pass verification, store the certificate file included in the certificate upload application and send an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server based on the certificate file;
when the received upload result indicates that the upload succeeded, storing the certificate identifier in the security authentication device and storing the certificate file in a local cache of the middleware.
2. The method according to claim 1, characterized in that after storing the certificate identifier in the security authentication device and storing the certificate file in the local cache of the middleware, the method further comprises:
in response to receiving a read instruction for reading the certificate file, obtaining key container information of the security authentication device;
according to the read instruction, retrieving the certificate identifier from the key container information;
looking up, in the local cache, the certificate file indexed by the certificate identifier;
when the certificate file passes integrity verification, sending the certificate file to an application end, the application end being configured to call the middleware for human-computer interaction.
3. The method according to claim 2, characterized in that the method further comprises:
when the certificate file fails the integrity verification, deleting the certificate file from the local cache;
generating, based on the certificate identifier, a certificate distribution application and sending it to the security authentication device, wherein the security authentication device is configured to generate a second device identity credential for the certificate distribution application and send it to the middleware;
sending the certificate distribution application and the second device identity credential to the cloud server, wherein the cloud server is configured to return the certificate file to the middleware when the certificate distribution application and the second device identity credential pass verification;
storing the certificate file in the local cache and sending the certificate file to the application end.
4. The method according to claim 1, characterized in that after storing the certificate identifier in the security authentication device and caching the certificate file locally in the middleware, the method further comprises:
in response to receiving a deletion instruction for deleting the certificate file, obtaining key container information of the security authentication device;
according to the deletion instruction, retrieving the certificate identifier from the key container information;
deleting, from the local cache, the certificate file indexed by the certificate identifier;
generating, based on the certificate identifier, a certificate deletion application and sending it to the security authentication device, wherein the security authentication device is configured to generate a third device identity credential for the certificate deletion application and send it to the middleware;
sending the certificate deletion application and the third device identity credential to the cloud server, wherein the cloud server is configured to, when the certificate deletion request and the third device identity credential pass verification, delete the certificate file on the cloud server and send a deletion result to the middleware;
when the received deletion result indicates that the deletion is completed, deleting the certificate identifier in the security authentication device.
5. The method according to any one of claims 1 to 4, characterized in that the security authentication device includes a key pair of a public key and a private key, and before obtaining the certificate file issued by the certificate authority, the method further comprises:
assembling a certificate request to be signed based on the public key;
sending the certificate request to the security authentication device, wherein the security authentication device is configured to sign the certificate request with the private key;
sending the signed certificate request to the certificate authority for verification, wherein the certificate authority issues the certificate file when the certificate request passes verification.
6. A certificate processing method, characterized in that it is applied to a security authentication device and comprises:
upon receiving a certificate upload application, generating a first device identity credential for the certificate upload application and sending the first device identity credential to middleware, wherein the certificate upload application is generated by the middleware based on a certificate file issued by a certificate authority; the middleware is configured to send the certificate upload application and the first device identity credential to a cloud server; the cloud server is configured to, when the certificate upload application and the first device identity credential pass verification, store the certificate file included in the certificate upload application and send an upload result including a certificate identifier to the middleware, the certificate identifier being extracted by the cloud server based on the certificate file; and the middleware is configured to, when the received upload result indicates that the upload succeeded, send the certificate identifier to the security authentication device and store the certificate file in a local cache of the middleware;
receiving and storing the certificate identifier.
7. A certificate processing method, characterized in that it is applied to a cloud server and comprises:
receiving a certificate upload application and a first device identity credential sent by middleware, wherein the certificate upload application is generated by the middleware based on a certificate file issued by a certificate authority and sent to a security authentication device, and the first device identity credential is generated by the security authentication device for the certificate upload application and sent to the middleware;
when the certificate upload application and the first device identity credential pass verification, extracting a certificate identifier based on the certificate file included in the certificate upload application and storing the certificate file;
sending an upload result including the certificate identifier to the middleware, wherein the middleware is configured to, when the received upload result indicates that the upload succeeded, store the certificate identifier in the security authentication device and store the certificate file in a local cache of the middleware.
8. The method according to claim 7, characterized in that the certificate upload application further includes a serial number and a first data generation time, and the method further comprises:
The method according to claim 7, wherein the certificate upload application further includes a serial number and a first data generation time, and the method further includes: 在满足以下任意条件的情况下,拒绝存储所述证书文件;Refuse to store the certificate file if any of the following conditions are met: 其中,所述条件包括:所述第一数据生成时刻超出预定时间范围;The conditions include: the first data generation time is beyond a predetermined time range; 所述序列号的号段不属于预定服务范围;The serial number segment does not fall within the scope of the scheduled service; 所述证书文件未通过根文件验证;The certificate file fails to pass the root file verification; 根据所述序列号调用密钥管理系统生成的第一设备身份密钥,对所述第一设备身份凭据进行验证,得到验证结果为所述第一设备身份凭据未验证通过;calling a first device identity key generated by a key management system according to the serial number, verifying the first device identity credential, and obtaining a verification result that the first device identity credential has not been verified; 根据由预定的种子密钥和所述序列号分散出的第二设备身份密钥,对所述第一设备身份凭据进行验证,得到验证结果为所述第一设备身份凭据未验证通过。The first device identity credential is verified based on a second device identity key derived from a predetermined seed key and the serial number, and a verification result is that the first device identity credential has not been verified. 9.一种电子设备,包括存储器、处理器及存储在存储器上的计算机程序,所述处理器在执行所述计算机程序时实现权利要求1至8中任一项所述的方法。9. An electronic device comprising a memory, a processor, and a computer program stored in the memory, wherein the processor implements the method according to any one of claims 1 to 8 when executing the computer program. 10.一种计算机可读存储介质,所述计算机可读存储介质内存储有计算机程序,所述计算机程序被处理器执行时实现权利要求1至8中任一项所述的方法。10. A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the method according to any one of claims 1 to 8 is implemented.
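The three-party flow of claims 2 to 8 (credential-backed upload, cached read with integrity verification and re-distribution on failure, deletion ordered so the identifier leaves the device only after the cloud confirms, and the cloud-side refusal conditions), as an added Python simulation that is not part of the patent or the applicant's code. It assumes an HMAC-based device identity credential whose key is diversified from a seed key and the serial number (the second verification path of claim 8), a SHA-256 prefix as the certificate identifier, and a trusted-issuer check standing in for root file verification; all keys, serial numbers and the certificate bytes are constructed sample data.

```python
import hashlib
import hmac
import time

SEED_KEY = b"constructed-seed-key"          # predetermined seed key (constructed)
SERVICE_SEGMENTS = ("WD-",)                 # serial-number segments this service serves (constructed)
TRUSTED_ISSUERS = {"Constructed Root CA"}   # stand-in for root file verification (constructed)
MAX_AGE_SECONDS = 300                       # predetermined time range for the generation time

def diversify_key(seed, serial):
    return hmac.new(seed, serial.encode(), hashlib.sha256).digest()   # key from seed + serial

def make_credential(key, app):
    """Device identity credential: HMAC over a fixed encoding of the application."""
    data = "|".join(f"{k}={app[k]}" for k in sorted(app)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class SecurityDevice:
    def __init__(self, serial):
        self.serial = serial
        self._identity_key = diversify_key(SEED_KEY, serial)   # personalised once
        self.cert_ids = set()                                  # key container information
    def sign_application(self, app):
        return make_credential(self._identity_key, app)

class CloudService:
    def __init__(self):
        self.store = {}                         # certificate identifier -> certificate file

    def _reject_reason(self, app, cred):        # claim 8 style checks; any failure refuses
        if abs(time.time() - app["created"]) > MAX_AGE_SECONDS:
            return "data generation time out of range"
        if not app["serial"].startswith(SERVICE_SEGMENTS):
            return "serial number segment not served"
        expected = make_credential(diversify_key(SEED_KEY, app["serial"]), app)
        if not hmac.compare_digest(expected, cred):
            return "device identity credential invalid"
        return None

    def upload(self, app, cred):
        reason = self._reject_reason(app, cred)
        if reason:
            return {"ok": False, "reason": reason}
        cert = bytes.fromhex(app["cert"])
        if cert.split(b"|")[0].decode() not in TRUSTED_ISSUERS:
            return {"ok": False, "reason": "root file verification failed"}
        cert_id = hashlib.sha256(cert).hexdigest()[:16]   # identifier extracted from the file
        self.store[cert_id] = cert
        return {"ok": True, "cert_id": cert_id}

    def distribute(self, app, cred):
        reason = self._reject_reason(app, cred)
        if reason or app["cert_id"] not in self.store:
            return {"ok": False, "reason": reason or "unknown certificate identifier"}
        return {"ok": True, "cert": self.store[app["cert_id"]]}

    def delete(self, app, cred):
        reason = self._reject_reason(app, cred)
        if not reason:
            self.store.pop(app["cert_id"], None)
        return {"ok": not reason, "reason": reason}

class Middleware:
    def __init__(self, device, cloud):
        self.device, self.cloud = device, cloud
        self.cache = {}                         # certificate identifier -> (file, sha256 of file)

    def _apply(self, kind, **fields):           # build an application and get it signed
        app = dict(kind=kind, serial=self.device.serial, created=time.time(), **fields)
        return app, self.device.sign_application(app)   # first/second/third credential

    def upload(self, cert):
        res = self.cloud.upload(*self._apply("upload", cert=cert.hex()))
        if res["ok"]:
            self.device.cert_ids.add(res["cert_id"])
            self.cache[res["cert_id"]] = (cert, hashlib.sha256(cert).digest())
        return res

    def read(self, cert_id):
        if cert_id not in self.device.cert_ids:   # identifier absent from the key container
            return None
        entry = self.cache.get(cert_id)
        if entry and hmac.compare_digest(hashlib.sha256(entry[0]).digest(), entry[1]):
            return entry[0]                       # cache hit, integrity verified
        self.cache.pop(cert_id, None)             # missing or corrupt: drop and re-distribute
        res = self.cloud.distribute(*self._apply("distribute", cert_id=cert_id))
        if res["ok"]:
            self.cache[cert_id] = (res["cert"], hashlib.sha256(res["cert"]).digest())
        return res.get("cert")

    def delete(self, cert_id):
        self.cache.pop(cert_id, None)
        res = self.cloud.delete(*self._apply("delete", cert_id=cert_id))
        if res["ok"]:                             # drop the identifier only after the cloud confirms
            self.device.cert_ids.discard(cert_id)
        return res
```

Two points of the simulation matter in practice: the cache entry is only trusted after a constant-time comparison of its stored digest, so a corrupted or tampered file triggers a fresh credential-backed distribution instead of reaching the application end, and the identifier is removed from the device after the cloud reports deletion, so the device's key container never references a file the cloud no longer holds.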
CN202510586971.7A 2025-05-08 2025-05-08 Certificate processing method, electronic device, and computer-readable storage medium Active CN120110686B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510586971.7A CN120110686B (en) 2025-05-08 2025-05-08 Certificate processing method, electronic device, and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202510586971.7A CN120110686B (en) 2025-05-08 2025-05-08 Certificate processing method, electronic device, and computer-readable storage medium

Publications (2)

Publication Number Publication Date
CN120110686A CN120110686A (en) 2025-06-06
CN120110686B true CN120110686B (en) 2025-09-05

Family

ID=95885135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510586971.7A Active CN120110686B (en) 2025-05-08 2025-05-08 Certificate processing method, electronic device, and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN120110686B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152344B (en) * 2013-03-06 2016-07-06 广东数字证书认证中心有限公司 Cryptographic algorithm method and device based on digital certificate
US20190140848A1 (en) * 2017-11-07 2019-05-09 Spinbackup Inc. Decentralized Access Control for Cloud Services
CN107872532B (en) * 2017-11-27 2020-09-25 北京天诚安信科技股份有限公司 Method and system for storing and downloading third-party cloud storage platform
CN114238916A (en) * 2021-12-08 2022-03-25 中国建设银行股份有限公司 Communication method, apparatus, computer equipment and storage medium
US20240072999A1 (en) * 2022-08-29 2024-02-29 Micron Technology, Inc. Cloud storage with enhanced data privacy
CN116418501A (en) * 2022-12-30 2023-07-11 北京握奇数据股份有限公司 Storage method and device of security information, electronic equipment and medium

Also Published As

Publication number Publication date
CN120110686A (en) 2025-06-06

Similar Documents

Publication Publication Date Title
US11588649B2 (en) Methods and systems for PKI-based authentication
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
US10652015B2 (en) Confidential communication management
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US10007797B1 (en) Transparent client-side cryptography for network applications
US11811739B2 (en) Web encryption for web messages and application programming interfaces
US8538020B1 (en) Hybrid client-server cryptography for network applications
WO2019233204A1 (en) Method, apparatus and system for key management, storage medium, and computer device
CN114244508B (en) Data encryption method, device, equipment and storage medium
US8583911B1 (en) Network application encryption with server-side key management
JP2011515961A (en) Authentication storage method and authentication storage system for client side certificate authentication information
US20240193255A1 (en) Systems and methods of protecting secrets in use with containerized applications
US12309274B2 (en) Cryptography-as-a-service
CN118802143A (en) Data transmission method, device and electronic equipment
CN120110686B (en) Certificate processing method, electronic device, and computer-readable storage medium
US20240048532A1 (en) Data exchange protection and governance system
CN115720137A (en) A system, method and device for information management
CN118694618B (en) A method to enhance the quantum security of the Central Authentication Service Protocol
CN115580495B (en) Data auditing method and device, electronic equipment and storage medium
CN118473798A (en) Data sharing method, data sharing device and related equipment
WO2025163752A1 (en) Information processing device, terminal, communication system, communication method, and program
CN118842587A (en) Communication method, server side, equipment side and communication system
CN118353629A (en) Self-signed certificates

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant