CN102315938A - Method for improving security of digital certificate revocation list - Google Patents
- Publication number: CN102315938A
- Application number: CN201110192254A
- Authority: CN (China)
- Prior art keywords: crl, certificate, file, digital, revocation list
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method for improving the security of a digital certificate revocation list (CRL), and relates to the processing of digital certificates used on the Internet. The revocation process for a digital certificate comprises the following steps: initiating revocation of the certificate; placing the certificate serial number on the pending-revocation list of the CRL; the CA building a CRL file from the serial numbers to be revoked according to a preset revocation rule; the CA signing the list of revoked certificates; and publishing the CRL to a specific file or directory. The file name of the CRL, or the name of the CRL distribution point carried in the certificate, is included in the CRL file and covered by the CRL issuer's digital signature, so that the CRL file is bound to the CRL distribution point of the certificate. The method preserves the function of the CRL while removing the hidden weakness of the conventional processing method, so that a digital certificate is genuinely linked to its CRL.
Description
Technical field
The present invention relates to the processing of digital certificates used on the Internet, and specifically to a processing method that improves the security of a digital certificate revocation list.
Background technology
Internet e-commerce systems make it very easy for online shoppers to obtain information from merchants and enterprises, but at the same time they increase the risk that sensitive or valuable data is abused. To guarantee the security and confidentiality of electronic transactions and payments on the Internet, and to guard against fraud in the transaction and payment process, a trust mechanism must be established on the network. This requires that every buyer and seller taking part in e-commerce holds a legitimate identity that can be verified online effectively and without error.
Encryption technology built around digital certificates can encrypt and decrypt information transmitted over the network and can produce and verify digital signatures, guaranteeing the confidentiality and integrity of information in transit. With a digital certificate, even if the information a user sends is intercepted by others, or personal account numbers, passwords and similar data are lost online, the security of the account and of the funds can still be protected.
A digital certificate is an authoritative electronic document, issued by an authoritative third party, namely a certificate authority (CA).
When an authentication system based on digital certificates needs to revoke a certificate, it does so by means of a digital certificate revocation list (commonly abbreviated in the industry as CRL). The CRL records the serial numbers of all certificates revoked before their original expiration date, so that a relying party can consult it when verifying the other side's certificate. To cope with large user populations, the CRL is generally split across several CRL files; the certificate indicates which CRL file its serial number would appear in if it were revoked. The structure of a CRL is as follows:
CertificateList {
    tbsCertList (to-be-signed list of revoked certificates) {
        version
        signature (signature algorithm)
        issuer
        thisUpdate
        nextUpdate
        revokedCertificates {
            userCertificate (serial number of the revoked certificate)
            revocationDate
            crlEntryExtensions }
        crlExtensions }
    signatureAlgorithm
    signatureValue }
Each CRL entry extension and each CRL extension has the following structure:
Extension identifier
Critical flag (whether the extension is critical)
Extension value
In current standards and industry practice, the extensions in common use are: authority key identifier, issuer alternative name, CRL number, delta CRL indicator, issuing distribution point, freshest CRL, and authority information access.
The general certificate verification flow is: first verify the legitimacy of the certificate itself; then, according to the CRL distribution point information contained in the certificate, download the corresponding CRL file or locate it locally, and check whether the certificate appears in the designated CRL file.
As the CRL structure described above shows, none of the contents of the CRL expresses the name of the CRL file or the scope that the CRL file is meant to cover. This decouples the CRL from the certificate verification mechanism, and a security problem arises.
Summary of the invention
The technical problem addressed by the present invention is to provide a method for improving the security of a digital certificate revocation list. The invention solves the problem that, with current CRLs, the CRL is disconnected from the certificate verification mechanism, which creates a potential security hazard.
To solve the above problem, the present invention adopts the following technical scheme:
The revocation process for a digital certificate is:
(1) initiate revocation of the digital certificate;
(2) place the certificate serial number on the pending-revocation list of the digital certificate revocation list;
(3) the CA assembles the serial numbers of the certificates to be revoked into a CRL file according to the preset revocation rule;
(4) the CA signs the digital certificate revocation list;
(5) publish the digital certificate revocation list to a specific file or a specific directory;
In step (3), the file name of the CRL, or the name of the CRL distribution point in the certificate, is included in the CRL file and digitally signed by the CRL issuer. This guarantees that the CRL file corresponds to the CRL distribution point of the certificate.
Further, the method of the present invention for improving the security of a digital certificate revocation list has the following feature: the concrete way in which step (3) guarantees that the CRL file corresponds to the CRL distribution point of the certificate is one of:
1) A CRL extension is added to the CRL file. The extension contains the name of the CRL file, or all or part of the CRL distribution point from the certificate. The extension must be marked critical. When the validity of the CRL is checked, the check is whether the name of the downloaded file agrees with the file name in the CRL extension, and whether it agrees with the CRL distribution point name in the certificate extension. If these three names agree, the CRL file corresponds to the CRL distribution point in the certificate; otherwise it is a counterfeit CRL file.
2) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing the CRL distribution point from the certificate.
3) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing part of the CRL distribution point from the certificate, for example the final file name.
The present invention preserves the function of the digital certificate revocation list while remedying the potential security hazard of the existing processing method, so that the digital certificate and the digital certificate revocation list are genuinely linked together.
Description of drawings
Fig. 1 is the digital certificate revocation flow chart of the present invention.
Embodiment
As shown in Fig. 1, the revocation process for a digital certificate is:
(1) initiate revocation of the digital certificate;
(2) place the certificate serial number on the pending-revocation list of the digital certificate revocation list;
(3) the CA assembles the serial numbers of the certificates to be revoked into a CRL file according to the preset revocation rule;
(4) the CA signs the digital certificate revocation list;
(5) publish the digital certificate revocation list to a specific file or a specific directory;
In step (3), the file name of the CRL, or the name of the CRL distribution point in the certificate, is included in the CRL file and digitally signed by the CRL issuer. This guarantees that the CRL file corresponds to the CRL distribution point of the certificate.
Further, the method of the present invention for improving the security of a digital certificate revocation list has the following feature: the concrete way in which step (3) guarantees that the CRL file corresponds to the CRL distribution point of the certificate is one of:
1) A CRL extension is added to the CRL file. The extension contains the name of the CRL file, or all or part of the CRL distribution point from the certificate. The extension must be marked critical. When the validity of the CRL is checked, the check is whether the name of the downloaded file agrees with the file name in the CRL extension, and whether it agrees with the CRL distribution point name in the certificate extension. If these three names agree, the CRL file corresponds to the CRL distribution point in the certificate; otherwise it is a counterfeit CRL file.
2) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing the CRL distribution point from the certificate.
3) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing part of the CRL distribution point from the certificate, for example the final file name.
In one embodiment of the method for improving the security of a digital certificate revocation list, a new CRL extension named CRLFileName is defined. Its object identifier is 1.3.6.1.4.1.27971.32.1.1 (this is only an example object identifier and can be standardized as required). Its critical flag is set to critical (that is, the value is TRUE). The extension value is the encoded file name: for example, the file name is encoded with DER, the encoding commonly used in digital certificates, and the file name itself may be encoded as GeneralNames.
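The three-way name check of item 1) above, together with the serial-number lookup from the verification flow described in the background section, as an added example that is not part of the patent. It models the CRLFileName extension (using the illustrative object identifier the patent quotes) on a stand-in CRL object with the Python standard library only; the CA name, the URLs and the serial numbers are constructed for the example, and the extension value is DER-encoded GeneralNames carrying uniformResourceIdentifier names, the encoding the embodiment suggests. Signature verification is assumed to have happened separately and is not modelled; what the example shows is why the name has to sit inside the signed tbsCertList: a correctly signed CRL from another partition of the same CA would otherwise be accepted in place of the right one. In standard CRL processing (RFC 5280) the Issuing Distribution Point extension, listed among the common extensions above, plays a comparable role; this example implements the patent's file-name variant.

```python
"""Added example (not from the patent): the CRLFileName binding check, standard library only."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

CRL_FILE_NAME_OID = "1.3.6.1.4.1.27971.32.1.1"  # illustrative OID quoted in the patent


# -- minimal DER, enough for GeneralNames made of uniformResourceIdentifier [6] IA5String --

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_crl_file_name(*names: str) -> bytes:
    """Extension value: GeneralNames ::= SEQUENCE OF GeneralName, each a [6] IA5String URI."""
    return _der_tlv(0x30, b"".join(_der_tlv(0x86, n.encode("ascii")) for n in names))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("DER element truncated")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_crl_file_name(der: bytes) -> list[str]:
    """Names in a CRLFileName value; anything but a GeneralNames SEQUENCE of URIs is rejected."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CRLFileName value is not a single GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x86:
            raise ValueError("CRLFileName: only uniformResourceIdentifier names are accepted")
        names.append(content.decode("ascii"))
    return names


@dataclass
class Extension:
    oid: str
    critical: bool
    value: bytes


@dataclass
class CRL:
    """Stand-in for CertificateList with only the fields the check uses. The extension
    lives in tbsCertList.crlExtensions, so the issuer signature (verified elsewhere)
    covers it and a signed CRL cannot be relabelled for another distribution point."""
    issuer: str
    revoked_serials: set[int]
    crl_extensions: list[Extension] = field(default_factory=list)


def file_name_of(name: str) -> str:
    """Final path segment of a CRL DP URI ('crl2.crl'); a bare file name passes through."""
    return urlsplit(name).path.rsplit("/", 1)[-1] or name


def check_crl_binding(crl: CRL, cert_crl_dp: str, fetched_from: str) -> None:
    """Raise ValueError unless this CRL is the one the certificate's CRL DP designates.
    The extension may carry the full DP URI or only its file name (items 1 and 3),
    so a name matches when it equals the DP or equals the DP's file name."""
    ext = next((e for e in crl.crl_extensions if e.oid == CRL_FILE_NAME_OID), None)
    if ext is None:
        raise ValueError("CRL carries no CRLFileName extension")
    if not ext.critical:
        raise ValueError("CRLFileName extension is not marked critical")
    dp_file = file_name_of(cert_crl_dp)
    if file_name_of(fetched_from) != dp_file:
        raise ValueError("CRL fetched from %r, not from the certificate's CRL DP" % fetched_from)
    if not any(n == cert_crl_dp or n == dp_file for n in decode_crl_file_name(ext.value)):
        raise ValueError("CRLFileName names do not include the certificate's CRL DP")


def is_revoked(crl: CRL, serial: int, cert_crl_dp: str, fetched_from: str) -> bool:
    """Verification-flow step: bind the CRL to the certificate, then look up the serial."""
    check_crl_binding(crl, cert_crl_dp, fetched_from)
    return serial in crl.revoked_serials


def demo() -> dict:
    """One CA with two CRL partitions; the certificate under test points at crl2.crl
    and its serial has been revoked there. Names and serials are constructed."""
    base = "http://crl.example.test/ca1/"
    crl1 = CRL("CN=Example CA", {0x2001},
               [Extension(CRL_FILE_NAME_OID, True, encode_crl_file_name(base + "crl1.crl"))])
    crl2 = CRL("CN=Example CA", {0x1001},
               [Extension(CRL_FILE_NAME_OID, True, encode_crl_file_name("crl2.crl"))])
    cert_dp, serial = base + "crl2.crl", 0x1001
    out = {"genuine_revoked": is_revoked(crl2, serial, cert_dp, cert_dp)}
    # Substitution: the crl2 URL answers with the CA's genuine crl1, correctly signed but
    # from the wrong partition, so it does not list this serial. Without the binding the
    # certificate would pass as unrevoked; with it the CRL is rejected.
    try:
        out["substituted_accepted"] = is_revoked(crl1, serial, cert_dp, cert_dp)
    except ValueError as err:
        out["substituted_accepted"], out["reason"] = False, str(err)
    return out


if __name__ == "__main__":
    print(demo())
```

The substituted CRL passes every check a relying party would otherwise make (right issuer, valid signature, current thisUpdate/nextUpdate) and fails only on the name bound inside the signed body, which is the point of the method; marking the extension critical makes a verifier that does not understand it reject the CRL rather than silently skip the check.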
Finally, it should be noted that the above embodiment is given only to illustrate the present invention clearly by example and is not a limitation on how it may be implemented. On the basis of the above description, a person of ordinary skill in the art could make other variations or modifications in different forms. It is neither necessary nor possible to enumerate every implementation here, and any obvious variation or modification derived from the above still falls within the scope of protection of the present invention.
Claims (2)
1. A method for improving the security of a digital certificate revocation list, characterized in that the revocation process for a digital certificate is:
(1) initiate revocation of the digital certificate;
(2) place the certificate serial number on the pending-revocation list of the digital certificate revocation list;
(3) the CA assembles the serial numbers of the certificates to be revoked into a CRL file according to the preset revocation rule;
(4) the CA signs the digital certificate revocation list;
(5) publish the digital certificate revocation list to a specific file or a specific directory;
wherein in step (3) the file name of the CRL, or the name of the CRL distribution point in the certificate, is included in the CRL file and digitally signed by the CRL issuer, thereby guaranteeing that the CRL file corresponds to the CRL distribution point of the certificate.
2. The method for improving the security of a digital certificate revocation list according to claim 1, characterized in that the concrete way in which step (3) guarantees that the CRL file corresponds to the CRL distribution point of the certificate is one of:
1) A CRL extension is added to the CRL file. The extension contains the name of the CRL file, or all or part of the CRL distribution point from the certificate. The extension must be marked critical. When the validity of the CRL is checked, the check is whether the name of the downloaded file agrees with the file name in the CRL extension, and whether it agrees with the CRL distribution point name in the certificate extension. If these three names agree, the CRL file corresponds to the CRL distribution point in the certificate; otherwise it is a counterfeit CRL file.
2) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing the CRL distribution point from the certificate.
3) A field is added to the to-be-signed list of revoked certificates (tbsCertList) in the CRL file, containing part of the CRL distribution point from the certificate, for example the final file name.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110192254A CN102315938A (en) | 2011-07-11 | 2011-07-11 | Method for improving security of digital certificate revocation list |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102315938A (en) | 2012-01-11 |
Family
ID=45428780
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110192254A Pending CN102315938A (en) | 2011-07-11 | 2011-07-11 | Method for improving security of digital certificate revocation list |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102315938A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020099668A1 (en) * | 2001-01-22 | 2002-07-25 | Sun Microsystems, Inc. | Efficient revocation of registration authorities |
US20030037234A1 (en) * | 2001-08-17 | 2003-02-20 | Christina Fu | Method and apparatus for centralizing a certificate revocation list in a certificate authority cluster |
CN1707999A (en) * | 2004-05-03 | 2005-12-14 | 汤姆森许可公司 | Distribution management of certificate revocation lists |
US20080034204A1 (en) * | 2004-05-21 | 2008-02-07 | Anantharaman Lakshminarayanan | Communications Network Security Certificate Revocation |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105100040A (en) * | 2014-05-05 | 2015-11-25 | 恩智浦有限公司 | System and method for filtering digital certificates |
CN105100040B (en) * | 2014-05-05 | 2019-01-01 | 恩智浦有限公司 | System and method for filtering digital certificate |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 2012-01-11