Disclosure of Invention
In order to solve the problems in the prior art, the invention aims to provide an identification combined key signature and encryption method, which solves the problems of user identity, public key authenticity and key security under a public key system.
To achieve this purpose, the technical scheme adopted by the invention is an identification combined key signature and encryption method comprising the following steps:
Step 1, initializing the system keys: the key generation system initializes a master key comprising a master private key and a master public key; the identity authentication system generates a secondary key comprising a secondary private key and a secondary public key; and the identity authentication system applies to the key generation system for a system identification key comprising a system identification private key and a system identification public key;
Step 2, applying for and distributing the user identification key: a third-level key comprising a third-level private key and a third-level public key is generated for the user, and a user identification key comprising a user identification private key and a user identification public key is applied for from the key generation system;
Step 3, signing the user's message using the identification key: calculating the user key factor and the user combination private key, and signing the message with the user combination private key;
Step 4, verifying the user's signature using the identification key: querying the user identification key, calculating the user combination public key, and verifying the signature with the user combination public key;
Step 5, encrypting a message for the user using the identification key: querying the user identification key, calculating the user combination public key, and encrypting the message to be sent with the user combination public key;
Step 6, decrypting the user's message using the identification key: calculating the user key factor and the user combination private key, and decrypting the message with the user combination private key.
As a further improvement of the present invention, in step 1, the master key and the secondary key are specifically as follows:
The key generation system calls the server cipher machine to generate an SM2 key pair as the master key of the system; the master private key is recorded as ms and the master public key as PUB, PUB = [ms]G, where G is the base point of the elliptic curve; the x and y coordinate bit strings of PUB are denoted xPUB and yPUB respectively, and PUB is made available for public query;
The identity authentication system calls the server cipher machine to generate an SM2 key pair as the secondary key of the system, where the secondary private key is SysBuiPri and the secondary public key is SysBuiPub, SysBuiPub = [SysBuiPri]G.
As a further improvement of the present invention, in step 1, the application of the system identification key by the identity authentication system to the key generation system specifically includes:
The identity authentication system acquires its own SysId and sends SysId || SysBuiPub to the key generation system to apply for a system identification key, where || denotes concatenation; the key generation system generates a random number SysRan ∈ [1, n-1] for the identity authentication system, where n is the order of the base point G; the key generation system calculates and generates the system identification public key of the identity authentication system, SysIdPub = [SysRan]G + SysBuiPub, the x and y coordinate bit strings of SysIdPub being denoted xSysIdPub and ySysIdPub respectively;
The key generation system uses the SM3 algorithm to calculate the system identification factor of the identity authentication system, SysIdFactor = SM3(SysId || xSysIdPub || ySysIdPub || xPUB || yPUB) mod n, where mod is the modulo operation; the key generation system calculates the system identification private key of the identity authentication system, SysIdPri = (SysIdFactor × SysRan + ms) mod n, where × is large-integer multiplication;
The key generation system sends the system identification private key and the system identification public key, namely SysIdPri || SysIdPub, to the identity authentication system; the identity authentication system uses the SM3 algorithm to calculate and generate the system identification factor SysIdFactor = SM3(SysId || xSysIdPub || ySysIdPub || xPUB || yPUB) mod n, calculates the system combination private key SysComPri = (SysIdPri + SysIdFactor × SysBuiPri) mod n, and calculates the system combination public key SysComPub = [SysIdFactor]SysIdPub + PUB;
The identity authentication system checks the correctness of the system combined public key by confirming whether SysComPub and [SysComPri]G are equal; if they are equal, the identity authentication system stores the system combination private key SysComPri securely in the server cipher machine and the system identification public key SysIdPub is made available for public query; if they are not equal, the system identification key is reapplied for.
As a further improvement of the present invention, the step 2 is specifically as follows:
The user logs in to the identity authentication system; the identity authentication system obtains the special terminal equipment identifier of the user, recorded as UsrIdDev; the user inputs identity information UsrId and an authentication password UsrPIN; and the identity authentication system uses the SM3 and HMAC algorithms to calculate and generate the user key factor UsrKeyFactor = HMAC(UsrIdDev || UsrId, SM3(UsrPIN)) mod n;
The identity authentication system generates a random number 1 for the user, recorded as UsrRan1 ∈ [1, n-1]; the identity authentication system calculates the user three-level private key UsrBuiPri = (UsrKeyFactor + UsrRan1 + SysComPri) mod n for the user, and calculates the user three-level public key UsrBuiPub = [UsrBuiPri]G;
The identity authentication system sends UsrId || UsrBuiPub to the key generation system to apply for a user identification key for the user; the key generation system generates a random number 2 for the user, recorded as UsrRan2 ∈ [1, n-1], and calculates and generates the user identification public key UsrIdPub = [UsrRan2]G + UsrBuiPub, the x and y coordinate bit strings of UsrIdPub being denoted xUsrIdPub and yUsrIdPub respectively; it uses the SM3 algorithm to calculate and generate the user identification factor UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n, calculates the user identification private key UsrIdPri = (UsrIdFactor × UsrRan2 + ms) mod n, and sends the user identification private key and the user identification public key, namely UsrIdPri || UsrIdPub, to the identity authentication system;
The identity authentication system uses the SM3 algorithm to calculate the user identification factor UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n, calculates the user combined private key fragment 1, recorded as UsrComPri1 = (UsrIdPri + UsrIdFactor × UsrRan1) mod n, calculates the user combined private key UsrComPri = (UsrIdPri + UsrIdFactor × UsrBuiPri) mod n, and calculates the user combined public key UsrComPub = [UsrIdFactor]UsrIdPub + PUB;
The identity authentication system checks the correctness of the user combined public key by confirming whether UsrComPub and [UsrComPri]G are equal; if they are equal, the identity authentication system stores the ciphertext obtained by encrypting UsrComPri1 with the server cipher machine, stores the user identification public key UsrIdPub in plaintext, and makes UsrIdPub available for public query; if they are not equal, the user identification key is reapplied for.
As a further improvement of the present invention, the step 3 is specifically as follows:
The user key factor UsrKeyFactor is calculated and generated; the identity authentication system looks up the user identification public key UsrIdPub and the user combination private key fragment 1, namely UsrComPri1, according to the user identity information UsrId; the identity authentication system calculates the user identification factor UsrIdFactor; calculates the user combination private key fragment 2, recorded as UsrComPri2, UsrComPri2 = (UsrIdFactor × (UsrKeyFactor + SysComPri)) mod n; calculates the user combination private key UsrComPri = (UsrComPri1 + UsrComPri2) mod n; calculates the user combination public key UsrComPub = [UsrComPri]G; and calls the user combination private key UsrComPri to sign the message using the national cryptographic SM3 and SM2 algorithms.
As a further improvement of the present invention, the step 4 is specifically as follows:
The identity authentication system looks up the user identification public key UsrIdPub according to the user identity information UsrId, uses the SM3 algorithm to calculate the user identification factor UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n, and calculates the user combination public key UsrComPub = [UsrIdFactor]UsrIdPub + PUB; the identity authentication system calls the user combination public key UsrComPub to verify the user's signed message using the national cryptographic SM3 and SM2 algorithms.
As a further improvement of the present invention, the step 5 is specifically as follows:
The identity authentication system looks up the user identification public key UsrIdPub according to the user identity information UsrId, uses the SM3 algorithm to calculate the user identification factor UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n, and calculates the user combination public key UsrComPub = [UsrIdFactor]UsrIdPub + PUB; the identity authentication system calls the user combination public key UsrComPub to encrypt the message to be sent using the national cryptographic SM4 and SM2 algorithms.
As a further improvement of the present invention, the step 6 is specifically as follows:
The user key factor UsrKeyFactor is calculated and generated; the identity authentication system looks up the user identification public key UsrIdPub and the user combination private key fragment 1, namely UsrComPri1, according to the user identity information UsrId; the identity authentication system calculates the user identification factor UsrIdFactor; calculates the user combination private key fragment 2, namely UsrComPri2, UsrComPri2 = (UsrIdFactor × (UsrKeyFactor + SysComPri)) mod n; calculates the user combination private key UsrComPri = (UsrComPri1 + UsrComPri2) mod n; and calls the user combination private key UsrComPri to decrypt the ciphertext message using the national cryptographic SM4 and SM2 algorithms.
The invention derives the public and private key pairs of the user based on the main key, the secondary key and the user characteristic value by utilizing the mathematical characteristics of the elliptic curve cipher, forms a security trust self-certification system and solves the problems of public key certification and authenticity certification under the public key system.
The invention takes three factors of the user terminal identification, the identity identification and the user password as the user key factors, and combines the user key factors with the server system key to calculate and derive the user public and private key pair, thereby solving the problem of association binding self-certification of the user terminal, the user key, the user identification and the server system, and proving the unique binding relationship without the participation of a third-party CA (certificate authority) mechanism in authentication.
The beneficial effects of the invention are as follows:
1. The user secret key is generated in a segmentation mode, stored in a fragmentation mode and calculated in a combination mode, and the user combined secret key can be calculated only through a plurality of secret key factors private to the user, the fragment secret key stored in the server and the hardware secret key of the server cipher machine.
2. The user key does not depend on a client side password module, the key authentication does not depend on a third-party CA system, the method can be widely applied to digital signature and encryption and decryption application scenes of lightweight clients such as mobile end applets, H5, APP and the like, the requirements of cloud computing on the lightweight and diversified terminal types are met, signature verification time is short, and the efficiency is high.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Examples:
The embodiment provides an identification combined key signature and encryption method, wherein a terminal identification, a user identification and a user password are taken as factors for calculating a user key pair, key fragments are generated by all parties during key generation, and are stored in a segmented mode, and a user public and private key pair is generated through combined calculation of the user identification, a user fragment key, a system key parameter and the like during key use, so that association binding and trusted authentication among the user identification, the terminal identification and an identity authentication system are realized, and the problems of user identification, public key authenticity and key safety under a public key system are solved.
As shown in fig. 1, the system of the embodiment specifically comprises a terminal device, an identity authentication system, a key generation system and a server cipher machine, wherein the system flow is shown in fig. 2, and specifically comprises the following steps:
S100, initializing a system key.
S101, initializing a master key by a key generation system.
S10101, the key generation system calls the server cipher machine to generate an SM2 key pair as the master key; the master private key is recorded as ms and the master public key as PUB, PUB = [ms]G (G is the base point of the elliptic curve, and the same applies below); the x and y coordinate bit strings of PUB are denoted xPUB and yPUB respectively, and PUB is made available for public query.
S102, the identity authentication system generates a secondary key.
S10201, the identity authentication system calls the server cipher machine to generate an SM2 key pair as the system secondary key, where the secondary private key is SysBuiPri and the secondary public key is SysBuiPub, SysBuiPub = [SysBuiPri]G.
S103, the identity authentication system applies a system identification key to the key generation system.
S10301, the identity authentication system acquires SysId and sends SysId || SysBuiPub to the key generation system to apply for the system identification key.
S10302, the key generation system generates a random number SysRan ∈ [1, n-1] for the identity authentication system (n is the order of the base point G, and the same applies below).
S10303, the key generation system calculates and generates the system identification public key of the identity authentication system, SysIdPub = [SysRan]G + SysBuiPub; the x and y coordinate bit strings of SysIdPub are denoted xSysIdPub and ySysIdPub respectively.
S10304, the key generation system uses the SM3 algorithm to calculate and generate the system identification factor of the identity authentication system, SysIdFactor = SM3(SysId || xSysIdPub || ySysIdPub || xPUB || yPUB) mod n, where mod is the modulo (remainder) operation.
S10305, the key generation system calculates and generates the system identification private key of the identity authentication system, SysIdPri = (SysIdFactor × SysRan + ms) mod n, where × is large-integer multiplication.
S10306, the key generation system sends the system identification private key and the system identification public key, namely SysIdPri || SysIdPub, to the identity authentication system.
S10307, the identity authentication system uses the SM3 algorithm to calculate and generate the system identification factor SysIdFactor = SM3(SysId || xSysIdPub || ySysIdPub || xPUB || yPUB) mod n.
S10308, the identity authentication system calculates the system combination private key SysComPri = (SysIdPri + SysIdFactor × SysBuiPri) mod n.
S10309, the identity authentication system calculates the system combined public key SysComPub = [SysIdFactor]SysIdPub + PUB.
S10310, the identity authentication system checks the correctness of the system combined public key by confirming whether SysComPub and [SysComPri]G are equal.
If they are equal, the identity authentication system stores the system combination private key SysComPri securely in the server cipher machine, and the system identification public key SysIdPub is made available for public query.
S10312, if they are not equal, return to S10301 and reapply for the system identification key.
S200, user identification key application distribution.
S201, a tertiary key is generated for the user, taking user A as an example.
S20101, the user A logs in an identity authentication system, and the identity authentication system acquires the special terminal equipment identifier of the user A and marks the special terminal equipment identifier as UsrIdDev.
S20102, the user inputs identity information UsrId and an authentication password UsrPIN.
S20103, the identity authentication system uses the SM3 and HMAC algorithms to calculate and generate the user key factor UsrKeyFactor = HMAC(UsrIdDev || UsrId, SM3(UsrPIN)) mod n.
S20104, the identity authentication system generates a random number 1 for user A, recorded as UsrRan1 ∈ [1, n-1].
S20105, the identity authentication system calculates the user three-level private key UsrBuiPri = (UsrKeyFactor + UsrRan1 + SysComPri) mod n for user A.
S20106, the identity authentication system calculates the user three-level public key UsrBuiPub = [UsrBuiPri]G for user A.
S202, applying a user identification key to the key generation system.
S20201, the identity authentication system sends UsrId || UsrBuiPub to the key generation system to apply for the user identification key for user A.
S20202, the key generation system generates a random number 2 for user A, recorded as UsrRan2 ∈ [1, n-1].
S20203, the key generation system calculates and generates the user identification public key of user A, UsrIdPub = [UsrRan2]G + UsrBuiPub; the x and y coordinate bit strings of UsrIdPub are denoted xUsrIdPub and yUsrIdPub respectively.
S20204, the key generation system uses the SM3 algorithm to calculate and generate the user identification factor of user A, UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n.
S20205, the key generation system calculates the user identification private key of user A, UsrIdPri = (UsrIdFactor × UsrRan2 + ms) mod n.
S20206, the key generation system sends the user identification private key and the user identification public key of user A, namely UsrIdPri || UsrIdPub, to the identity authentication system.
S20207, the identity authentication system uses the SM3 algorithm to calculate the user identification factor of user A, UsrIdFactor = SM3(UsrId || xUsrIdPub || yUsrIdPub || xPUB || yPUB) mod n.
S20208, the identity authentication system calculates the user combined private key fragment 1 of user A, recorded as UsrComPri1 = (UsrIdPri + UsrIdFactor × UsrRan1) mod n.
S20209, the identity authentication system calculates the user combined private key of user A, UsrComPri = (UsrIdPri + UsrIdFactor × UsrBuiPri) mod n.
S20210, the identity authentication system calculates the user combined public key of user A, UsrComPub = [UsrIdFactor]UsrIdPub + PUB.
S20211, the identity authentication system checks the correctness of the user combined public key by confirming whether UsrComPub is equal to [UsrComPri]G.
If they are equal, the identity authentication system stores the ciphertext obtained by encrypting UsrComPri1 with the server cipher machine, stores the user identification public key UsrIdPub in plaintext, and makes UsrIdPub available for public query.
S20213, if they are not equal, return to S20201 and reapply for the user identification key.
S300, signing by using the identification key.
Take the signing of a message by user A as an example.
S301, calculating a user key factor.
S30101 is the same as S20101.
S30102 is the same as S20102.
S30103 is the same as S20103.
S302, calculating a user combination private key.
S30201, the identity authentication system looks up the user identification public key UsrIdPub and the user combination private key fragment 1 (i.e., UsrComPri1) based on the user identity information UsrId.
S30202 is the same as S20207.
S30203, the identity authentication system calculates the user combined private key fragment 2 (recorded as UsrComPri2), UsrComPri2 = (UsrIdFactor × (UsrKeyFactor + SysComPri)) mod n.
S30204, the identity authentication system calculates the user combined private key UsrComPri = (UsrComPri1 + UsrComPri2) mod n.
S303, signing by using the user combined private key.
S30301, the identity authentication system calculates the user combination public key UsrComPub = [UsrComPri]G.
S30302, the identity authentication system calls the user combination private key UsrComPri to sign the message using the SM3 and SM2 cryptographic algorithms.
S400, verifying the signature by using the identification key.
Take the example of verifying the signature of user a.
S401, inquiring the user identification key and calculating the user combination public key.
S40101, the identity authentication system searches the user identification public key UsrIdPub of the user A according to the user identity information UsrId.
S40102 is the same as S20207.
S40103 is the same as S20210.
S402, verifying the signature by using the user combined public key.
S40201, the identity authentication system calls the user combination public key UsrComPub of user A to verify the signed message of user A using the SM3 and SM2 cryptographic algorithms.
S500, encrypting by using the identification key.
Take the example of sending an encrypted message to user A.
S501, querying the user identification key and calculating the user combination public key, the same as S401.
S502, encrypting the message to be sent by using the user combination public key.
S50201, the identity authentication system calls the user combination public key UsrComPub of user A to encrypt the message to be sent using the SM4 and SM2 cryptographic algorithms.
S600, decrypting using the identification key.
Take the decryption of a message by user A as an example.
S601, calculating the user key factor, the same as S301.
S602, calculating the user combination private key, the same as S302.
S603, decrypting the message using the user combined private key.
S60301, the identity authentication system calls the user combination private key UsrComPri of user A to decrypt the ciphertext message using the SM4 and SM2 cryptographic algorithms.
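The split-key algebra of S200, S302 and S401 above, as an added example that is not part of the original text: it enrolls a user, rebuilds UsrComPri from the stored fragment plus the user's factors, and compares [UsrComPri]G with the UsrComPub derived from public values only. Assumptions: SHA-256 and HMAC-SHA-256 stand in for SM3 and HMAC-SM3, the hash of the PIN is taken as the HMAC key, ms and SysComPri are drawn at random in one process instead of being held by the server cipher machine, and all function names and sample inputs are illustrative.

```python
import hashlib, hmac, secrets

# SM2 recommended curve y^2 = x^3 + A*x + b over GF(P); N is the order of base point G.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add [k]pt; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]

def id_factor(ident, id_pub, PUB):
    # IdFactor = SM3(Id || xIdPub || yIdPub || xPUB || yPUB) mod n; SHA-256 stands in for SM3
    coords = b"".join(v.to_bytes(32, "big") for v in id_pub + PUB)
    return int.from_bytes(hashlib.sha256(ident + coords).digest(), "big") % N

def key_factor(dev, uid, pin):
    # UsrKeyFactor = HMAC(UsrIdDev || UsrId, SM3(UsrPIN)) mod n; assumed: hash of the PIN is the key
    mac = hmac.new(hashlib.sha256(pin).digest(), dev + uid, hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % N

def kgs_issue(ms, PUB, ident, bui_pub):
    """Key generation system (S20202-S20205): returns (UsrIdPri, UsrIdPub)."""
    ran2 = rand()
    id_pub = add(mul(ran2, G), bui_pub)
    return (id_factor(ident, id_pub, PUB) * ran2 + ms) % N, id_pub

def enroll(ms, PUB, sys_com, dev, uid, pin):
    """S200: returns what the server keeps, (UsrComPri1, UsrIdPub)."""
    ran1 = rand()
    bui_pri = (key_factor(dev, uid, pin) + ran1 + sys_com) % N
    id_pri, id_pub = kgs_issue(ms, PUB, uid, mul(bui_pri, G))
    return (id_pri + id_factor(uid, id_pub, PUB) * ran1) % N, id_pub

def rebuild_private(PUB, sys_com, frag1, id_pub, dev, uid, pin):
    """S302: UsrComPri = (UsrComPri1 + UsrIdFactor * (UsrKeyFactor + SysComPri)) mod n."""
    return (frag1 + id_factor(uid, id_pub, PUB) * (key_factor(dev, uid, pin) + sys_com)) % N

def combined_public(PUB, uid, id_pub):
    """S401: UsrComPub = [UsrIdFactor]UsrIdPub + PUB, computed from public values only."""
    return add(mul(id_factor(uid, id_pub, PUB), id_pub), PUB)

def demo(dev=b"DEV-0001", uid=b"alice", pin=b"1234"):  # constructed sample inputs
    ms, sys_com = rand(), rand()  # stand-ins for ms and SysComPri held by the cipher machine
    PUB = mul(ms, G)
    frag1, id_pub = enroll(ms, PUB, sys_com, dev, uid, pin)
    pub = combined_public(PUB, uid, id_pub)
    match = lambda p: mul(rebuild_private(PUB, sys_com, frag1, id_pub, dev, uid, p), G) == pub
    return match(pin), match(b"0000"), mul(frag1, G) == pub
```

demo() returns (True, False, False): the key rebuilt with the enrolled PIN matches UsrComPub, while a wrong PIN or the stored fragment UsrComPri1 on its own does not.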
The foregoing examples merely illustrate specific embodiments of the invention, which are described in greater detail and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention.