CN102420829B - Service data signature method, device, system and digital certification terminal - Google Patents

Publication number
CN102420829B
Authority
CN
China
Prior art keywords
business
digest algorithm
nontransaction
business datum
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201110421661.8A
Other languages
Chinese (zh)
Other versions
CN102420829A (en
Inventor
孟翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Watchdata Co ltd
Original Assignee
Beijing WatchData System Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing WatchData System Co Ltd filed Critical Beijing WatchData System Co Ltd
Priority to CN201110421661.8A priority Critical patent/CN102420829B/en
Publication of CN102420829A publication Critical patent/CN102420829A/en
Priority to BR102012032257A priority patent/BR102012032257A2/en
Application granted granted Critical
Publication of CN102420829B publication Critical patent/CN102420829B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The invention relates to the technical field of information security, in particular to a service data signature method, device and system and a digital certification terminal. The method comprises the following steps: receiving service data that a client sends through a non-transaction service signature channel; judging whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format; and refusing to sign if it does not, wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format. With the method, device, system and digital certification terminal of the embodiments of the invention, security risks can be better eliminated, and the legitimacy and security of signed data can be ensured.

Description

Method, device and system for signing service data, and digital certification terminal
Technical field
The present invention relates to the field of information security technology, and in particular to a method, device and system for signing service data, and to a digital certification terminal.
Background
The USB_Key, a personal identification and digital signature terminal, is widely used in fields such as online banking and e-government.
In recent years, as the online banking market has flourished, USB_Key products tailored to secure online banking transactions and offering greater security have appeared in the industry, with button and display functions or with button and voice functions, and most banks have adopted and promoted them. The second-generation online banking USB_Key currently on the market builds on the first-generation USB_Key by having the user check displayed information and press a button during the transaction, which increases the security of the transaction.
A transaction service is processed as follows. The client initiates a transaction service and sends the original transaction data to both the bank server and the USB_Key. On receiving the original transaction data, the USB_Key shows the sensitive information on its display and waits for the user to confirm. After the user confirms, the USB_Key computes a digest of the original transaction data and signs the result with its private key, then returns the signature result to the client. Meanwhile, the bank server computes a digest of the original transaction data using the digest algorithm used in the USB_Key. The client sends the signature result returned by the USB_Key, together with the public key read from the USB_Key, to the server. The server uses the USB_Key's public key to verify the signed data sent by the client: during verification it compares the result of decrypting with the public key against the digest it computed earlier. If they match, the transaction succeeds; if they do not, the transaction fails and the server refuses to process the service.
However, for signature operations in some non-transaction services, such as certificate download and system login, the user is not forced to press a button, for the convenience of the client. A non-transaction service proceeds as follows. The client initiates a non-transaction service and sends the original non-transaction data to the server. At the same time, the client runs a digest algorithm over the original non-transaction data, pads the result according to the specific format of the digest, and sends it to the USB_Key. The USB_Key signs this non-transaction data directly with its private key and returns the signature result to the client. The server then performs the same signature verification as in the transaction case.
In the prior art, an attacker can easily mount a transaction attack through the signature flow for non-transaction services. For example, the attacker acts as the client and forges original transaction data, sends the forged data to the bank server, computes its digest with the digest algorithm used in the USB_Key, and sends the digest result to the non-transaction signature channel of the USB_Key. The USB_Key signs the data under the non-transaction flow and returns the signature result to the attacker. The attacker then sends the signature result and the public key to the server in the format of a transaction service; the server's signature verification succeeds, and the attack succeeds.
The prior-art process of using a USB_Key for online transactions therefore carries a security risk: it can readily be attacked, and the legitimacy and security of the signed data cannot be guaranteed.
Summary of the invention
The embodiments of the present invention provide a method, device and system for signing service data, and a digital certification terminal, which can better eliminate security risks and ensure the legitimacy and security of signed data.
An embodiment of the present invention provides a method for signing service data, comprising:
the digital certification terminal receives service data that the client sends through the non-transaction service signature channel;
it judges whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format;
when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format, it refuses to sign;
wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format;
when the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, the digital certification terminal signs the service data and returns the signature result to the client;
the client sends the original service data to the server, receives the signature result returned by the digital certification terminal (USB_Key), and sends the signature result and the public key read from the digital certification terminal to the server;
when the server determines that the original service data is that of a non-transaction service, it computes a digest of the received original service data using a digest algorithm belonging to non-transaction services, obtaining service data in the non-transaction service digest algorithm format; it receives the signature result and public key sent by the client, decrypts the signature result, and compares the current service data obtained by decryption with the service data in the non-transaction service digest algorithm format that the server obtained; if they match it confirms processing, and if they do not it refuses processing;
wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB_Key.
Accordingly, an embodiment of the present invention provides a device for signing service data, comprising:
a receiving module, for receiving service data that the client sends through the non-transaction service signature channel;
a judging module, for judging whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format;
a signature module, for refusing to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format.
Accordingly, an embodiment of the present invention provides a digital certification terminal comprising the above device for signing service data.
Accordingly, an embodiment of the present invention provides a system for signing service data, comprising a client, a digital certification terminal (USB_Key) and a server;
the client is for sending service data to the USB_Key through the non-transaction service signature channel; for sending the original service data to the server at the same time as it sends the service data to the USB_Key through the non-transaction service signature channel; for receiving the signature result returned by the USB_Key; and for sending the signature result and the public key read from the USB_Key to the server;
the USB_Key is for receiving the service data that the client sends through the non-transaction service signature channel; judging whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; and refusing to sign when it does not; wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format;
when the digest algorithm format used by the service data belongs to the preset non-transaction service digest algorithm format, the USB_Key signs the service data and returns the signature result to the client;
the server is for, when it determines that the original service data is that of a non-transaction service, computing a digest of the received original service data using the digest algorithm of non-transaction services, obtaining service data in the non-transaction service digest algorithm format; receiving the signature result and public key sent by the client, decrypting the signature result, and comparing the current service data obtained by decryption with the service data in the non-transaction service digest algorithm format that the server obtained; if they match it confirms processing, and if they do not it refuses processing;
wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB_Key.
In the method, device and system for signing service data and the digital certification terminal provided by the embodiments of the present invention, the digital certification terminal receives service data that the client sends through the non-transaction service signature channel; judges whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; and refuses to sign when it does not; wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format. Different digest algorithms are configured in advance for transaction data and non-transaction data, so the USB_Key can judge from the digest algorithm format used by the service data whether the current service data is non-transaction data, and if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes the digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed at the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the digest algorithms configured in the server are the same as in the USB_Key, the attacker cannot pass the server's verification using the transaction service format. In sum, when the USB_Key provided by the embodiments of the present invention is used for online transactions, no security risk exists, and the legitimacy and security of the signed data can be better ensured.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the system for signing service data in an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of the method for signing service data in an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of the method for signing service data in another embodiment of the present invention;
Fig. 4 is a schematic diagram of the device for signing service data in an embodiment of the present invention.
Detailed description of embodiments
The main implementation principle of the technical solution of the embodiments of the present invention, its specific implementations and the beneficial effects it can achieve are set out in detail below with reference to the drawings.
To solve the problem in the prior art, an embodiment of the present invention provides a system for signing service data which, as shown in Fig. 1, comprises a client 101 and a digital certification terminal USB_Key 102;
the client 101 is for sending service data to the USB_Key 102 through the non-transaction service signature channel;
the USB_Key 102 is for receiving the service data that the client 101 sends through the non-transaction service signature channel; judging whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; and refusing to sign when it does not; wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format.
Preferably, the system also comprises a server 103;
wherein the client 101 is also for sending the original service data to the server 103 at the same time as it sends the service data to the USB_Key 102 through the non-transaction service signature channel; receiving the signature result returned by the USB_Key 102; and sending the signature result and the public key read from the USB_Key 102 to the server 103;
the USB_Key 102 is also for receiving the service data that the client 101 sends through the non-transaction service signature channel and, when the digest algorithm format used by the service data belongs to the preset non-transaction service digest algorithm format, signing the service data and returning the signature result to the client 101;
the server 103 is for, when it determines that the original service data is that of a non-transaction service, computing a digest of the received original service data using the digest algorithm of non-transaction services, obtaining reference service data in the non-transaction service digest algorithm format; receiving the signature result and public key sent by the client, decrypting the signature result, and comparing the current service data obtained by decryption with the reference service data; if they match it confirms processing, and if they do not it refuses processing;
wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server 103 and in the USB_Key 102, and the transaction service digest algorithm format differs from the non-transaction service digest algorithm format.
Preferably, the client 101 is also for computing a digest of the original service data using a digest algorithm belonging to non-transaction services, and sending the resulting service data to the USB_Key 102.
Preferably, the server 103 comprises a transaction server 1031 and a non-transaction server 1032;
the transaction server 1031 is for receiving the original service data of a transaction service sent by the client 101 and computing a digest of it, obtaining reference service data in the transaction service digest algorithm format; receiving the signature result and public key sent by the client 101, decrypting the signature result, and comparing the current service data obtained by decryption with the reference service data; if they match it confirms processing, and if they do not it refuses processing;
the non-transaction server 1032 is for receiving the original service data of a non-transaction service sent by the client 101 and computing a digest of it, obtaining reference service data in the non-transaction service digest algorithm format; receiving the signature result and public key sent by the client 101, decrypting the signature result, and comparing the current service data obtained by decryption with the reference service data; if they match it confirms processing, and if they do not it refuses processing.
The transaction server 1031 and the non-transaction server 1032 can be located at different sites, each performing only its own function: for a transaction service, the client communicates with the transaction server 1031; for a non-transaction service, the client communicates with the non-transaction server 1032.
Specifically, after the digital certification terminal USB_Key 102 receives service data sent by the client, it determines from the channel over which the data was sent whether the data belongs to a transaction service or a non-transaction service. For example, when the USB_Key 102 receives the service data through the transaction signature channel, it determines that the data belongs to a transaction service; when it receives the service data through the non-transaction signature channel, it determines that the data belongs to a non-transaction service.
For a non-transaction service, the client 101 must first compute a digest of the original service data, then pad the resulting service data according to the specific format of the digest algorithm it used, and then send this service data to the USB_Key 102. Commonly used digest algorithms at present include SHA1, SHA256 and MD5. Different digest algorithms applied to the data give different results: the result of MD5 is 16 bytes, the result of SHA1 is 20 bytes, and the result of SHA256 is 32 bytes. Before the digest result is digitally signed, the result of each digest algorithm must be padded to 128 or 256 using a different padding method; the specific padded length depends on the type and length of the digest computation. Because the results are padded into different formats according to the digest algorithm, service data of different formats is obtained, so the digest algorithm used can be determined by examining the format of the service data. In this patent, the digest algorithms used include, but are not limited to, the above SHA1, SHA256 and MD5.
The same transaction service digest algorithm format and non-transaction service digest algorithm format are preset in the USB_Key 102 and in the server 103, and the two formats differ. For example, the format of service data obtained with the SHA1 and SHA256 digest algorithms belongs to the transaction service digest algorithm format, and the format of service data obtained with the MD5 digest algorithm and the like is the non-transaction service digest algorithm format. Thus, after the USB_Key 102 receives service data that the client 101 sends through the non-transaction service signature channel, it judges whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; if it does not, the USB_Key 102 refuses to sign; if it belongs to the preset non-transaction service digest algorithm format, the USB_Key 102 signs the service data and returns the signature result to the client 101. At the same time, the client 101 sends the original service data to the server 103. When the server 103 determines that the original service data is that of a non-transaction service, it computes a digest of the received original service data using a digest algorithm belonging to non-transaction services, obtaining reference service data in the non-transaction service digest algorithm format; when it determines that the original service data is that of a transaction service, it computes the digest using a digest algorithm belonging to transaction services, obtaining reference service data in the transaction service digest algorithm format. The server 103 can of course comprise a transaction server and a non-transaction server, which process transaction services and non-transaction services respectively.
After the client 101 receives the signature result returned by the USB_Key 102, it sends this signature result, together with the public key read from the USB_Key 102, to the server 103 (which can be the non-transaction server). The server 103 receives the signature result and public key sent by the client 101, decrypts the signature result with the public key, and compares the current service data obtained by decryption with the reference service data; if they match it confirms processing; if they do not, it refuses processing.
For a transaction service, after the USB_Key 102 receives the original service data sent by the client 101, it shows the sensitive information on the display and waits for the user to confirm. After the user confirms, it computes over the original service data using the digest algorithm belonging to non-transaction services and signs the result. At the same time, the client 101 sends the original service data to the server 103 (which can be the transaction server); the server 103 computes a digest of the received original service data using the digest algorithm belonging to non-transaction services, obtaining reference service data in the non-transaction service digest algorithm format. The same transaction service digest algorithm format and non-transaction service digest algorithm format are preset in the USB_Key 102 and in the server 103, and the two formats do not overlap. After the client 101 receives the signature result returned by the USB_Key 102, it sends this signature result, together with the public key read from the USB_Key 102, to the server 103. The server 103 receives the signature result and public key sent by the client 101, decrypts the signature result with the public key, and compares the current service data obtained by decryption with the reference service data; if they match it confirms processing; if they do not, it refuses processing.
As the above description shows, in the system for signing service data provided by the embodiment of the present invention, different digest algorithms are configured in advance for transaction data and non-transaction data, so the USB_Key can judge from the digest algorithm format used by the service data whether the current service data is non-transaction data, and if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes the digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed at the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the digest algorithms configured in the server are the same as in the USB_Key, the attacker cannot pass the server's verification. In sum, when the system provided by the embodiment of the present invention is used for online transactions, no security risk exists, and the legitimacy and security of the signed data can be better ensured.
Based on the same inventive concept, an embodiment of the present invention also provides a method for signing service data which, as shown in Fig. 2, comprises:
Step 201: the digital certification terminal receives service data that the client sends through the non-transaction service signature channel;
Step 202: it judges whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format;
Step 203: when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format, it refuses to sign; wherein the non-transaction service digest algorithm format differs from the transaction service digest algorithm format.
Specifically, the formats of the results of the various digest algorithms are divided in advance into the transaction service digest algorithm format and the preset non-transaction service digest algorithm format, and the two do not overlap. The client computes a digest of the original service data with a non-transaction service digest algorithm, obtaining service data in the non-transaction service digest algorithm format, and then sends this service data to the personal digital certification terminal USB_Key.
On the digital certification terminal (USB_Key) side: after the USB_Key receives service data that the client sends through the non-transaction service signature channel, it judges whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; if it does not, the USB_Key refuses to sign; if it does, the USB_Key signs the service data and returns the signature result to the client.
On the client side: the client sends the original service data to the server; after receiving the signature result returned by the USB_Key, it sends the signature result and the public key read from the USB_Key to the server;
On the server side: when the server determines that the original service data is that of a non-transaction service, it computes a digest of the received original service data using a digest algorithm belonging to non-transaction services, obtaining reference service data in the non-transaction service digest algorithm format; it receives the signature result and public key sent by the client, decrypts the signature result, and compares the current service data obtained by decryption with the reference service data; if they match it confirms processing; if they do not, it refuses processing. The server can determine the type of the original service data from the instruction that carries it, or can determine the type by other means.
When the server comprises a transaction server and a non-transaction server, the transaction server processes only transaction services and the non-transaction server processes only non-transaction services.
When an attacker forges transaction data, the attacker sends the forged transaction data to the transaction server and also computes a digest of it to form service data, which is sent to the USB_Key through the non-transaction signature channel to be signed. After receiving the service data, the USB_Key judges whether its format belongs to the digest algorithm format of non-transaction services; if it does, the USB_Key signs it and returns the result to the client; if it does not, the USB_Key refuses to sign. The transaction server and the USB_Key are both configured with the same transaction service digest algorithm format and non-transaction service digest algorithm format, and the two formats do not overlap. After the transaction server receives the forged transaction data, it computes the digest with the transaction service digest algorithm, obtaining reference service data in the transaction service digest algorithm format. Thus, even if the forged transaction data has been signed by the USB_Key, it cannot pass the transaction server's verification.
Preferably, after the digital certification terminal refuses to sign, the digital certification terminal sends warning information to the server, and/or the digital certification terminal starts a lock function. Specifically, warning information is sent to the server carrying the unique identification information of this device and/or the unique identification information of the device running the client; the server determines the attacker's location and/or identity from the warning information, and can also send a lock command to this device. In addition, after this device refuses to sign, it confirms that it is under attack and automatically starts the lock function, disabling the device.
The service data signature method provided by the embodiments of the present invention is described in detail below through a specific embodiment. As shown in Figure 3, the USB_Key processes service data in the following steps:
Step 301: the USB_Key receives the service data sent by the client;
Step 302: determine whether the channel over which the service data arrived is the transaction signature channel; if so, go to step 303; otherwise, go to step 305;
Step 303: parse the service data, display the sensitive information, and wait for the user to confirm;
Step 304: determine whether the user has confirmed; if so, go to step 306; otherwise, continue with step 303;
Step 305: determine whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; if so, go to step 306; otherwise, refuse to sign;
Step 306: sign the service data and return the signature result to the client.
The client then sends the received signature result, together with the public key read from the USB_Key, to the server. The server parses the signature result and decides from the parsing result whether to confirm processing; the detailed procedure is described in the embodiment above and is not repeated here.
As the description above shows, the service data signature method provided by the embodiments of the present invention configures different digest algorithms for transaction data and non-transaction data in advance, so that the USB_Key can determine from the digest algorithm format used by the service data whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes the digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed at the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the server is configured with the same digest algorithms as the USB_Key, the data cannot pass the server's verification. In summary, when online transactions are carried out using the method provided by the embodiments of the present invention, this potential security hazard does not exist, and the legitimacy and security of the signed data are better guaranteed.
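The decision flow of steps 301-306 and the server-side comparison, as an added Python example that is not code from the patent. The tag-plus-hash digest formats, the toy RSA key, the class and function names, and the sample messages are all assumptions made for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes: trivially factorable, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Assumed formats: the page only requires that the two never overlap. Here each is
# a one-byte tag followed by a digest from a different algorithm, of different length.
def trade_digest(original: bytes) -> bytes:
    return b"\x01" + hashlib.sha256(original).digest()   # 33 bytes

def nontrade_digest(original: bytes) -> bytes:
    return b"\x02" + hashlib.sha384(original).digest()   # 49 bytes

def is_nontrade_format(data: bytes) -> bool:
    return len(data) == 49 and data[:1] == b"\x02"


class UsbKey:
    """Steps 301-306: branch on the channel, confirm or check the format, then sign."""

    def __init__(self):
        self.locked = False
        self.alarms = []   # stands in for alarm messages sent to the server

    def _sign(self, digest: bytes) -> int:
        return pow(int.from_bytes(digest, "big"), D, N)

    def sign(self, channel, data, user_confirms=lambda shown: False):
        if self.locked:
            return None
        if channel == "trade":                        # steps 302-304
            # Assumption: the key receives the transaction itself, shows it to the
            # user and, once confirmed, digests it with the transaction algorithm.
            if not user_confirms(data.decode()):
                return None                           # still waiting for the user
            return self._sign(trade_digest(data))     # step 306
        if is_nontrade_format(data):                  # step 305
            return self._sign(data)                   # step 306
        self.alarms.append("refused: not in non-transaction digest format")
        self.locked = True                            # optional lock after a refusal
        return None


def server_verify(original: bytes, signature: int, is_trade: bool) -> bool:
    """Recompute the reference digest for the service type, recover the signed
    digest with the public key (E, N), and accept only if the two match."""
    reference = trade_digest(original) if is_trade else nontrade_digest(original)
    return pow(signature, E, N) == int.from_bytes(reference, "big")


def run_scenarios() -> dict:
    forged = b"pay 9999 to account 6222-0000"   # constructed sample
    login = b"login challenge 42"               # constructed sample
    key, out = UsbKey(), {}
    # Legitimate non-transaction request.
    sig = key.sign("nontrade", nontrade_digest(login))
    out["legit_accepted"] = server_verify(login, sig, is_trade=False)
    # Forged transaction digested with the non-transaction algorithm: the key
    # signs it, but the transaction server recomputes a transaction-format digest.
    sig = key.sign("nontrade", nontrade_digest(forged))
    out["nontrade_format_signed"] = sig is not None
    out["nontrade_format_accepted"] = server_verify(forged, sig, is_trade=True)
    # Forged transaction digested with the transaction algorithm: refused at the key.
    out["trade_format_signed"] = key.sign("nontrade", trade_digest(forged)) is not None
    out["locked_after_refusal"] = key.locked
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Both forged requests fail, at different points: the transaction-format digest is refused by the key, and the non-transaction-format digest is signed but rejected when the transaction server compares it with its own reference digest.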
Based on the same inventive concept, the embodiments of the present invention also provide a service data signature device which, as shown in Figure 4, comprises:
Receiving module 401, configured to receive the service data sent by the client through the non-transaction service signature channel;
Judging module 402, configured to determine whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format;
Signing module 403, configured to refuse to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format is different from the transaction service digest algorithm format.
Preferably, when judging module 402 determines that the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, it notifies signing module 403; signing module 403 signs the service data and returns the signature result to the client.
Preferably, the device further comprises: processing module 404, configured to send an alarm message to the server and/or activate the lock function after signing module 403 refuses to sign.
Based on the same inventive concept, the embodiments of the present invention also provide a digital authentication terminal, such as a USB_Key, comprising the service data signature device described above.
As the description above shows, the service data signature method, device, system and digital authentication terminal provided by the embodiments of the present invention configure different digest algorithms for transaction data and non-transaction data in advance, so that the USB_Key can determine from the digest algorithm format used by the service data whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes the digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed at the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the server is configured with the same digest algorithms as the USB_Key, the data cannot pass the server's verification. In summary, when online transactions are carried out using the USB_Key provided by the embodiments of the present invention, this potential security hazard does not exist, and the legitimacy and security of the signed data are better guaranteed.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (8)

1. A service data signature method, characterized in that the method comprises:
A digital authentication terminal receives service data sent by a client through a non-transaction service signature channel;
Determining whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format;
When the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format, refusing to sign;
Wherein the non-transaction service digest algorithm format is different from the transaction service digest algorithm format;
When the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, the digital authentication terminal signs the service data and returns the signature result to the client;
The client sends the original service data to a server, receives the signature result returned by the digital authentication terminal USB_Key, and sends the signature result and the public key read from the digital authentication terminal to the server;
When the server determines that the original service data is original service data of a non-transaction service, it applies a digest algorithm belonging to non-transaction services to the received original service data and obtains service data in the non-transaction service digest algorithm format; it receives the signature result and the public key sent by the client, decrypts the signature result, and compares the current service data obtained by decryption with the service data in the non-transaction service digest algorithm format obtained by the server; if they match, it confirms processing, and if they do not match, it refuses processing;
Wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB_Key.
2. The method of claim 1, characterized in that, before the digital authentication terminal receives the service data sent by the client through the non-transaction service signature channel, the method further comprises:
The client performs a digest computation on the original service data using a digest algorithm belonging to non-transaction services, and obtains service data in the non-transaction service digest algorithm format.
3. The method of claim 1, characterized in that, after the refusal to sign, the method further comprises:
The digital authentication terminal sends an alarm message to the server; and/or the digital authentication terminal activates a lock function.
4. A service data signature device, characterized in that it comprises:
A receiving module, configured to receive service data sent by a client through a non-transaction service signature channel;
A judging module, configured to determine whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format;
A signing module, configured to refuse to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format is different from the transaction service digest algorithm format.
5. The device of claim 4, characterized in that, when the judging module determines that the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, it notifies the signing module; the signing module signs the service data and returns the signature result to the client.
6. The device of claim 4, characterized in that it further comprises:
A processing module, configured to send an alarm message to the server and/or activate a lock function after the signing module refuses to sign.
7. A digital authentication terminal, characterized in that it comprises the service data signature device of any one of claims 4-6.
8. A service data signature system, characterized in that it comprises: a client, a digital authentication terminal USB_Key, and a server;
The client is configured to send service data to the USB_Key through a non-transaction service signature channel; when sending the service data to the USB_Key through the non-transaction service signature channel, to send the original service data to the server; to receive the signature result returned by the USB_Key; and to send the signature result and the public key read from the USB_Key to the server;
The USB_Key is configured to receive the service data sent by the client through the non-transaction service signature channel; to determine whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format; and, when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format, to refuse to sign; wherein the non-transaction service digest algorithm format is different from the transaction service digest algorithm format;
When the digest algorithm format used by the service data belongs to the preset non-transaction service digest algorithm format, the USB_Key signs the service data and returns the signature result to the client;
The server is configured, when it determines that the original service data is original service data of a non-transaction service, to apply the digest algorithm of non-transaction services to the received original service data and obtain service data whose format belongs to the non-transaction service digest algorithm format; to receive the signature result and the public key sent by the client; to decrypt the signature result; and to compare the current service data obtained by decryption with the service data in the non-transaction service digest algorithm format obtained by the server, confirming processing if they match and refusing processing if they do not;
Wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB_Key.
CN201110421661.8A 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal Expired - Fee Related CN102420829B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110421661.8A CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal
BR102012032257A BR102012032257A2 (en) 2011-12-15 2012-12-17 METHOD, DEVICE AND SYSTEM FOR MAKING TRAFFIC DATA AND DIGITAL AUTHENTICATION TERMINAL

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110421661.8A CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal

Publications (2)

Publication Number Publication Date
CN102420829A CN102420829A (en) 2012-04-18
CN102420829B true CN102420829B (en) 2014-07-02

Family

ID=45945064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110421661.8A Expired - Fee Related CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal

Country Status (2)

Country Link
CN (1) CN102420829B (en)
BR (1) BR102012032257A2 (en)

Also Published As

Publication number Publication date
CN102420829A (en) 2012-04-18
BR102012032257A2 (en) 2013-11-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee after: BEIJING WATCHDATA Co.,Ltd.

Address before: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee before: BEIJING WATCH DATA SYSTEM Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140702

Termination date: 20211215
