Nothing Special   »   [go: up one dir, main page]

CN109728914B - Digital signature verification method, system, device and computer readable storage medium - Google Patents

Digital signature verification method, system, device and computer readable storage medium Download PDF

Info

Publication number
CN109728914B
CN109728914B CN201910064678.9A CN201910064678A CN109728914B CN 109728914 B CN109728914 B CN 109728914B CN 201910064678 A CN201910064678 A CN 201910064678A CN 109728914 B CN109728914 B CN 109728914B
Authority
CN
China
Prior art keywords
client
algorithm
request information
server
digital signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910064678.9A
Other languages
Chinese (zh)
Other versions
CN109728914A (en
Inventor
刘姗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing QIYI Century Science and Technology Co Ltd filed Critical Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201910064678.9A priority Critical patent/CN109728914B/en
Publication of CN109728914A publication Critical patent/CN109728914A/en
Application granted granted Critical
Publication of CN109728914B publication Critical patent/CN109728914B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a digital signature verification method, a system and a device and a computer readable storage medium, relating to the field of communication. The client generates request information carrying a digital signature according to a client white-box algorithm sent by the server, the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and a confusion strategy, the digital signature is verification information generated by the client white-box algorithm, and the client sends the request information to the server; and after receiving the request information with the digital signature sent by the client, the server verifies the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not. Therefore, the verification efficiency is ensured under the condition that the server does not need to store a large amount of data; and the client side white box algorithm is used, so that no key plaintext appears at the client side, and the key safety is ensured.

Description

Digital signature verification method, system, device and computer readable storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a digital signature verification method, system, device, and computer-readable storage medium.
Background
At present, digital signatures are widely applied in the field of communication technology of mobile terminals to implement authentication of both communication parties.
In the prior art, most of digital signatures are implemented by using a public key algorithm, and a private key signature and public key verification mode is used, that is, data encrypted by using the private key is added behind data sent by a client to serve as a digital signature, and the digital signature is sent to a server so that the server decrypts the received digital signature by using the public key to verify the authenticity of the digital signature.
But due to the use scene of the mobile terminal and the particularity of the open source operating system, all the keys existing in the equipment in a plaintext form have potential safety hazards; and the digital signature verification scheme realized by the public key algorithm cannot ensure the security of communication data under the condition of exposing the secret key.
Disclosure of Invention
In view of the above, embodiments of the present invention are proposed in order to provide a digital signature verification method, system, apparatus and computer-readable storage medium that overcome or at least partially solve the above problems.
According to a first aspect of the present invention, there is provided a digital signature verification method, applied to a system including a transmitting end and a receiving end, the method including:
the client generates request information carrying a digital signature according to a client white-box algorithm sent by the server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated by using the client white-box algorithm;
the client sends the request information to the server;
and the server side carries out verification operation on the request information by using a first secret key corresponding to the ID of the client side so as to judge whether the request information is legal or not.
According to a second aspect of the present invention, there is provided another digital signature verification method applied to a client, the method including:
generating request information carrying a digital signature according to a client white-box algorithm sent by a server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated by using the client white-box algorithm;
and sending the request information to the server.
According to a third aspect of the present invention, there is provided a digital signature verification method, applied to a server, the method including:
receiving request information with a digital signature sent by a client;
and carrying out verification operation on the request information by using a first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not.
According to a fourth aspect of the present invention, there is provided a digital signature verification system, the system comprising: a client and a server;
the client is used for generating request information carrying a digital signature according to a client white-box algorithm sent by the server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and an obfuscation strategy, and the digital signature is verification information generated by using the client white-box algorithm;
the client is used for sending the request information to the server;
and the server is used for carrying out verification operation on the request information by using a first secret key corresponding to the ID of the client so as to obtain an identity verification result of the client.
According to a fifth aspect of the present invention, there is provided another digital signature verification apparatus, applied to a client, the apparatus including:
the information generation module is used for generating request information carrying a digital signature according to a client white-box algorithm sent by a server, wherein the client white-box algorithm is generated by the server according to a client ID (identity) by using a preset encryption algorithm and an obfuscation strategy, and the digital signature is verification information generated by using the client white-box algorithm;
and the sending module is used for sending the request information to the server.
According to a sixth aspect of the present invention, there is provided a digital signature verification apparatus, applied to a server, the apparatus including:
the receiving module is used for receiving request information with a digital signature sent by a client;
and the verification module is used for performing verification operation on the request information by using a first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not.
According to a seventh aspect of the present invention, there is provided a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the digital signature verification method according to any one of the above aspects.
The embodiment of the invention has the following advantages:
according to the embodiment of the invention, the client can generate request information carrying a digital signature according to a client white-box algorithm sent by the server, and send the request information to the server; and the server receives the request information with the digital signature sent by the client, and then verifies the request information by using a first key corresponding to the ID of the client so as to judge whether the request information is legal or not. The embodiment of the invention is mainly applied to a scene that a mobile terminal is used as a client to carry out two-way communication with a server, a client white box algorithm generated according to the ID of the client is issued to the client through the server, and the verification efficiency is ensured on the premise that the server does not store a large amount of data; meanwhile, the client side white box algorithm is used, so that no key plaintext appears at the client side, and the key safety is ensured.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart illustrating steps of a method for verifying a digital signature according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating steps of another method for verifying a digital signature according to an embodiment of the present invention;
FIG. 3 is a block diagram of a digital signature generation process provided by an embodiment of the invention;
FIG. 4 is a flow chart of steps of a further method for verifying a digital signature according to an embodiment of the present invention;
FIG. 5 is a block diagram of a digital signature verification system provided by an embodiment of the invention;
fig. 6 is a block diagram of a digital signature verification apparatus according to an embodiment of the present invention;
fig. 7 is a block diagram of another digital signature verification apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
It should be understood that the specific embodiments described herein are merely illustrative of the invention, but do not limit the invention to only some, but not all embodiments.
The embodiment of the invention provides a digital signature verification method which can be applied to a system comprising a client and a server, wherein the client generates request information carrying a digital signature according to a client white-box algorithm sent by the server, the client white-box algorithm is generated by the server according to a client ID (identity) by using a preset encryption algorithm and a confusion strategy, the digital signature is verification information generated by the client white-box algorithm, and the client sends the request information to the server; and after receiving the request information with the digital signature sent by the client, the server verifies the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not. In the embodiment of the invention, the server is adopted to issue the client white box algorithm generated according to the client ID to the client, and the verification efficiency is ensured on the premise that the server does not store a large amount of data; and no key plaintext appears on the client, so that the security of the key is ensured. The above-mentioned digital signature verification method is specifically described below.
Referring to fig. 1, a flow chart of steps of a digital signature verification method is shown, which is applied to a system including a client and a server.
In the embodiment of the present invention, the client may specifically be an application installed on various terminals, for example, an email application on a computer or a mobile terminal, and the specific content of the client is not limited in the embodiment of the present invention.
It can be understood that the server is a device communicating with the client, and the server may specifically be a corresponding server, a base station, and the like.
As shown in fig. 1, the method may include:
step 101, the client sends the client ID to the server.
And 102, the server generates a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm and an obfuscation strategy according to the received client ID.
It should be noted that white-box encryption belongs to a symmetric encryption technology, and is a special encryption method capable of resisting attacks in a white-box environment, and the core idea of the method is obfuscation, which means that plaintext is obfuscated into characters that cannot be directly recognized, so that the characters can be recognized only by performing de-obfuscation through a preset obfuscation strategy, so that encryption is hidden information, and obfuscation refers to information obfuscation. In order to further ensure the security of the key stored at the client, the technical scheme provided by the invention adopts a white-box encryption mode to perform the encapsulation of the obfuscation algorithm and the encryption algorithm, wherein the white-box algorithm at the client is correspondingly generated based on the client ID sent by the client, and may include at least one obfuscation algorithm and an encryption algorithm, the at least one obfuscation algorithm is generated based on an obfuscation policy, for example, an obfuscation matrix of the obfuscation operation may be generated by a preset specific method according to the client ID, and then the obfuscation matrix is used to perform the obfuscation operation (a de-obfuscation operation) of the encrypted content, for example, a hash value of the client ID may be used as the obfuscation matrix; or random numbers generated by the client ID are used as confusion matrixes, and the like, so that each client white-box algorithm can only be applied to the corresponding client.
And 103, the server side sends the client side white box algorithm to the client side.
Step 104: and the client generates request information carrying the digital signature according to a client white box algorithm sent by the server.
The client white-box algorithm is generated by the server side according to the client ID through a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated through the client white-box algorithm.
In the embodiment of the invention, in the process of communication of the server, the client needs to encrypt the request information and generate the identity verification information before sending the request information to the server, for example, the digital signature is generated by using the abstract content of the request information to realize identity verification, so that the server can conveniently verify the legality of the request information by using the digital signature after receiving the request information.
Illustratively, the client white-box algorithm may be issued by the server to the client in the form of a section of program code, so as to run on the client to implement encryption of the requested content; or can be packaged directly into the form of a component or plug-in, and installed on the client to achieve the same effect.
Step 105: and the client sends the request information to the server.
In the embodiment of the present invention, after the client generates the request information with the digital signature, the client may send the request information to the server, so that the server executes the request content corresponding to the request information.
Step 106: the server receives the request information with the digital signature sent by the client.
In the embodiment of the invention, a client firstly sends request information with a digital signature processed by a client white-box algorithm to a server, the server verifies the digital signature in the request information after receiving the request information and confirms whether the request information is legal, for example, when the client generates the digital signature by using the client white-box algorithm of other clients, the correspondingly generated digital signature cannot be correctly decrypted by using a first key at the server, namely, information (summary information) after the digital signature is decrypted by using the first key is inconsistent with original content (summary information) in the request information or even cannot be identified, the request information is proved to be illegal information; otherwise, when the first key is used to decrypt the digital signature, and the obtained data content is consistent with the original content in the request information, it indicates that the request information belongs to legal information, and the request content corresponding to the request information can be continuously executed.
Step 107: and the server side carries out verification operation on the request information by using the first secret key corresponding to the ID of the client side so as to judge whether the request information is legal or not.
In the embodiment of the invention, after the server sends the client white-box algorithm to the client, only the first key corresponding to the encryption algorithm in the client white-box algorithm is stored on the server, so that after the request information of the client is received, the digital signature in the request information is verified by using the first key, that is, the operation executed by the server is also a standard process of decrypting the content of the encrypted request information. The public key is stored in the server, which is equivalent to that the client is relatively safe, and the server only stores the content of the first key, so that a large data storage load is not caused.
In the specific application, the Encryption algorithm can adopt an AES (Chinese: Advanced Encryption Standard; English: Advanced Encryption Standard) algorithm, the block length of the AES algorithm is fixed to be 128 bits, the key length can be 128, 192 or 256 bits, and the Standard AES algorithm is fast in decryption, so that large calculation waste is avoided.
In the embodiment of the invention, the server decrypts the digital signature in the request information through the first secret key, determines whether the request information is legal, and further judges whether the client has potential safety hazards. If the server side judges that the request information is illegal information after decrypting the digital signature according to the first secret key, the server side can choose not to execute the request content corresponding to the request information and mark the client side corresponding to the request information to indicate that the client side has security vulnerabilities.
In summary, in the embodiment of the present invention, the client generates the request information carrying the digital signature according to the client white-box algorithm sent by the server, where the client white-box algorithm is generated by the server according to the client ID by using a preset encryption algorithm and a confusion policy, the digital signature is the verification information generated by using the client white-box algorithm, and the client sends the request information to the server; and after receiving the request information with the digital signature sent by the client, the server verifies the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not. In the embodiment of the invention, the server side issues the client side white box algorithm generated according to the client side ID to the client side, so that a large amount of data is not stored in the server side, and the verification efficiency can be ensured; and meanwhile, no key plaintext appears on the client so as to ensure the security of the key. The above-mentioned digital signature verification method is specifically described below.
Fig. 2 is a flowchart of steps of another digital signature verification method provided in an embodiment of the present invention, which is applied to a client, and as shown in fig. 2, the method may include:
step 201: and sending the client ID to the server.
Specifically, the client sends the client ID to the server, so that the server generates a client white-box algorithm corresponding to the client ID, and the client white-box algorithm corresponds to the client ID, that is, an obfuscation algorithm in the client white-box algorithm is inverse to an inverse obfuscation algorithm stored in the client; and the confusion algorithm is based on the client ID to generate a confusion matrix for carrying out the confusion operation, so that the inverse confusion algorithm on the client can be correspondingly defrosted only by adopting the corresponding client white-box algorithm, so as to ensure that other clients cannot use the inverse confusion algorithm.
Step 202: and receiving a client white box algorithm sent by a server.
Optionally, the client white-box algorithm includes at least one obfuscation algorithm and an encryption algorithm.
Preferably, the client white-box algorithm includes a first obfuscation algorithm, an encryption algorithm and a second obfuscation algorithm, wherein the first obfuscation algorithm and the second obfuscation algorithm are correspondingly generated according to the client ID by using an obfuscation policy, and the encryption algorithm is generated according to the AES algorithm. The first obfuscation Algorithm and the second obfuscation Algorithm may be, for example, a segment of program for obfuscating information, and the Encryption Algorithm may be, for example, an AES Algorithm, or may also be a DES (chinese: Data Encryption Algorithm; english: Data Encryption Algorithm) Algorithm, and the like, and the present invention is not limited in particular.
Step 203: and generating a first inverse confusion algorithm corresponding to the first confusion algorithm and a second inverse confusion algorithm corresponding to the second confusion algorithm by using the confusion strategy according to the client ID.
Specifically, the first and second inverse confusion algorithms are confusion parts generated by the client using the client ID to respectively correspond to the first and second confusion algorithms, and the two parts are directly generated on the client according to a preset confusion policy (using the hash value of the client ID as a confusion matrix queue or using a random number generated by the client ID as a confusion matrix queue) without being issued by the server. It should be noted that the generating strategies of the first inverse obfuscating algorithm and the second inverse obfuscating algorithm completely correspond to the strategies of the first obfuscating algorithm and the second obfuscating algorithm, so as to ensure that the first inverse obfuscating algorithm is reciprocal to the first obfuscating algorithm, and the second inverse obfuscating algorithm is reciprocal to the second obfuscating algorithm, so as to ensure that the data content processed only by the encryption algorithm is generated after passing through the first inverse obfuscating algorithm, the client white-box algorithm, and the second inverse obfuscating algorithm.
Step 204: and generating request information carrying the digital signature according to a client white box algorithm sent by the server.
As a preferred implementation of the embodiment of the present invention, the generating request information carrying a digital signature according to a client white-box algorithm sent by a server includes:
substep A1: and generating a digital signature according to the request content and the client ID in the request information through a first inverse confusion algorithm, a second inverse confusion algorithm and a client white box algorithm.
Wherein the substeps may comprise: firstly, acquiring abstract information corresponding to request content, wherein the abstract information can be information generated after processing the request content by using a preset function, for example, the corresponding abstract information is generated after encryption processing is performed by using a hash function; then, carrying out confusion processing on the abstract information through a first inverse confusion algorithm; then, encrypting the summary information subjected to the confusion processing of the first inverse confusion algorithm by sequentially utilizing a first confusion algorithm, an encryption algorithm and a second confusion algorithm in the client white box algorithm to generate confusion encryption information; the smiling encrypted information is then subjected to a de-obfuscation process by a second inverse obfuscation algorithm to generate a digital signature.
It should be noted that the number of obfuscating algorithms in the client white-box algorithm should correspond to the number of inverse obfuscating algorithms generated on the client. That is, when an obfuscation algorithm is included in the client white-box algorithm, an inverse obfuscation algorithm is generated on the client, and the obfuscation algorithm may be located after or before the encryption algorithm in the client white-box algorithm. The present invention does not limit the number of specific obfuscating algorithms, and the preferred embodiment of the present invention is to set two obfuscating algorithms before and after the encryption algorithm, and generate two inverse obfuscating algorithms at the client correspondingly to offset the effect of two obfuscating processes.
In the embodiment of the present invention, as shown in fig. 3, the digest information in the requested content, for example, 7, is changed to 6 by the first inverse obfuscating algorithm, and then enters the client white-box algorithm, first the first obfuscating algorithm in the client white-box algorithm is used to counteract the obfuscating operation of the first inverse obfuscating algorithm, that is, to reduce it to 7, then the encryption algorithm in the client white-box algorithm is used to encrypt the digest information, to generate 12, then the second obfuscating algorithm is used to obfuscate the encrypted digest information, to obfuscate the encrypted information 12 to 15, then the second inverse obfuscating algorithm is used to perform the re-obfuscating process, to counteract the obfuscating process of the second obfuscating algorithm in the client white-box algorithm, that is, to reduce it to 12, so that the finally generated digital signature (12) is the result of the encryption operation performed only by the encryption algorithm, for example, the AES algorithm, after the request information is sent to the server, the server can directly perform decryption processing through the pre-stored first key corresponding to the client.
Substep A2: the request information is generated according to the digital signature.
Illustratively, the digital signature is attached to the content of the request message, and then is sent to the server as authentication information for authentication.
Fig. 4 is a flowchart of steps of another digital signature verification method provided in an embodiment of the present invention, which is applied to a server, and as shown in fig. 4, the method may include:
step 401: and receiving the client ID sent by the client.
Step 402: and generating a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm.
Wherein the client white-box algorithm comprises at least one obfuscation algorithm and an encryption algorithm.
Specifically, a client white-box algorithm for the client ID is generated by using the client ID received by the server and using a preset encryption algorithm and an obfuscation policy. For example, a hash value of the client ID information may be used as a matrix queue to generate the obfuscation algorithm; or the client ID information is used as random numbers to respectively generate matrix queues of the confusion algorithm, the matrix queues are used as the basis of the confusion algorithm to realize that the client white box algorithm is associated with the client ID, no plaintext information of any secret key exists in the white box to ensure the safety of communication information, and the client white box algorithm is correspondingly issued to the client so as to facilitate the request information which is sent by the client and is provided with the digital signature generated by the client white box algorithm.
Step 403: and sending the client white-box algorithm to the client.
Step 404: and storing a key of an encryption algorithm corresponding to the client ID as a first key.
In a specific implementation, the server only stores a key storage corresponding to an encryption algorithm in the client white-box algorithm, for example, a key of the AES algorithm.
Step 405: and receiving request information with a digital signature sent by a client.
Step 406: and verifying the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not.
As a preferred implementation of the embodiment of the present invention, the performing, by using a first key corresponding to a client ID, a verification operation on request information to determine whether the request information is legal includes:
substep B1: the first key is looked up according to the client ID.
Wherein the first key is an encryption key generated using the advanced encryption standard, AES, algorithm.
Specifically, the first key is stored in correspondence to the client ID, and when the digital signature included in the request information sent by the client is decrypted, the corresponding key needs to be used, for example, the first key is generated by using standard AES encryption, and other encryption algorithms capable of implementing an encryption process may also be used in the technical solution of the present invention, which is not limited in the present invention.
Substep B2: and verifying the digital signature in the request information according to the first key so as to judge whether the request information is legal or not.
In the embodiment of the invention, by decrypting the digital signature of the first key, the decrypted digital signature in the legal request information is consistent with the request content of the information to be requested, such as the summary information; otherwise, the illegal request information is decrypted by using the first key and cannot acquire the corresponding request content, that is, the decrypted digital signature is inconsistent with the summary information of the request information, which indicates that the data signature carried by the request information is illegal.
In summary, in the embodiment of the present invention, the client generates the request information carrying the digital signature according to the client white-box algorithm sent by the server, where the client white-box algorithm is generated by the server according to the client ID by using a preset encryption algorithm and a confusion policy, the digital signature is the verification information generated by using the client white-box algorithm, and the client sends the request information to the server; and after receiving the request information with the digital signature sent by the client, the server verifies the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not. In the embodiment of the invention, the server is adopted to issue the client white box algorithm generated according to the client ID to the client, and the verification efficiency is ensured on the premise that the server does not store a large amount of data; meanwhile, a client side white box algorithm used for generating identity verification is stored on the client side, as the client side white box algorithm also comprises a confusion algorithm, any secret key plaintext cannot appear on the client side, and the confusion algorithm corresponds to the client side ID, the probability of secret key leakage can be reduced, and meanwhile, as the client side white box algorithm cannot be stolen by other client sides, the safety of the secret key is further improved.
Fig. 5 is a block diagram of a digital signature verification system according to an embodiment of the present invention, and as shown in fig. 5, the system 500 may include a server 510 and a client 520;
the client is used for generating request information carrying a digital signature according to a client white-box algorithm sent by the server, the client white-box algorithm is generated by the server according to a client ID through a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated by the client white-box algorithm.
And the client is used for sending the request information to the server.
And the server is used for carrying out verification operation on the request information by using the first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not.
Optionally, the system 500 further includes:
the client is used for sending the client ID to the server before the step of generating the request information carrying the digital signature by the client according to the client white box algorithm sent by the server;
the server is used for generating a client white-box algorithm corresponding to the client ID by utilizing a preset encryption algorithm and an obfuscation strategy according to the received client ID;
and the server is used for sending the client white-box algorithm to the client.
Fig. 6 is a block diagram of a digital signature verification apparatus provided in an embodiment of the present invention, which is applied to a client, and as shown in fig. 6, the apparatus 600 may include:
the information generating module 610 is configured to generate request information carrying a digital signature according to a client white-box algorithm sent by the server, where the client white-box algorithm is generated by the server according to the client ID by using a preset encryption algorithm and an obfuscation policy, and the digital signature is verification information generated by using the client white-box algorithm.
A sending module 620, configured to send the request information to the server.
Preferably, the apparatus 600 may further include:
the sending module is also used for sending the client ID to the server before generating the request information carrying the digital signature according to the client white box algorithm sent by the server;
and the receiving module is used for receiving the client white box algorithm sent by the server.
Preferably, the client white-box algorithm comprises at least one obfuscation algorithm and an encryption algorithm.
Optionally, the client white-box algorithm includes a first obfuscation algorithm, an encryption algorithm, and a second obfuscation algorithm, and the apparatus 600 further includes:
and the confusion generating module is used for generating a first inverse confusion algorithm corresponding to the first confusion algorithm and a second inverse confusion algorithm corresponding to the second confusion algorithm by using a confusion strategy according to the client ID before generating the request information carrying the digital signature according to the client white-box algorithm sent by the server.
Preferably, the information generating module 610 includes:
and the signature generation submodule is used for generating a digital signature according to the request content in the request information through a first inverse confusion algorithm, a second inverse confusion algorithm and a client white box algorithm.
And the request determining submodule is used for generating request information according to the digital signature.
Preferably, the signature generation sub-module includes:
the information acquisition unit is used for acquiring abstract information of the request content, wherein the abstract information is generated after the request content is processed by using a preset function;
the confusion processing unit is used for carrying out confusion processing on the abstract information through a first inverse confusion algorithm;
the encryption processing unit is used for encrypting the summary information subjected to the confusion processing of the first inverse confusion algorithm by using a first confusion algorithm, an encryption algorithm and a second confusion algorithm in the client white box algorithm in sequence so as to generate confusion encryption information;
and the de-obfuscating processing unit is used for performing de-obfuscation processing on the obfuscated encrypted information through a second inverse obfuscating algorithm to generate the digital signature.
Fig. 7 is a block diagram of another digital signature verification apparatus provided in an embodiment of the present invention, which is applied to a server, and as shown in fig. 7, the apparatus 700 may include:
the receiving module 710 is configured to receive request information with a digital signature sent by a client.
The verifying module 720 is configured to perform a verifying operation on the request information by using the first key corresponding to the client ID to determine whether the request information is legal.
Preferably, the apparatus 700 comprises:
the receiving module is further configured to receive the client ID sent by the client before receiving the request information with the digital signature sent by the client.
And the generating module is used for generating a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm and a confusion strategy, and the client white-box algorithm comprises at least one confusion algorithm and an encryption algorithm.
And the sending module is used for sending the client white box algorithm to the client.
And the storage module is used for storing a key of an encryption algorithm corresponding to the client ID as a first key.
Preferably, the verification module 720 includes:
and the key searching submodule is used for searching a first key according to the client ID, wherein the first key is an encryption key generated by using an Advanced Encryption Standard (AES) algorithm.
And the decryption submodule is used for decrypting the digital signature in the request information according to the first secret key so as to obtain the signature information.
And the request judgment submodule is used for judging whether the request information is legal or not according to the signature information and the client ID.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (fransitory media), such as modulated data signals and carrier waves.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable digital signature verification device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable digital signature verification device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable digital signature verification device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable digital signature verification apparatus to cause a series of operational steps to be performed on the computer or other programmable terminal device to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal device provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The present invention provides a digital signature verification method, system, device and computer readable storage medium, which are introduced in detail above, and the principle and implementation of the present invention are explained in detail herein by applying specific examples, and the descriptions of the above examples are only used to help understanding the method and core ideas of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (23)

1. A digital signature verification method is applied to a system comprising a server and a client, and comprises the following steps:
the client generates request information carrying a digital signature according to a client white-box algorithm sent by the server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated by using the client white-box algorithm;
the client sends the request information to the server;
the server side carries out verification operation on the request information by using a first secret key corresponding to the client side ID so as to judge whether the request information is legal or not;
the server side continues to execute the request content corresponding to the request information under the condition that the request information is legal;
and the server does not execute the request content corresponding to the request information under the condition that the request information is illegal.
2. The method according to claim 1, wherein before the step of generating the request information carrying the digital signature by the client according to a client white-box algorithm sent by the server, the method further comprises:
the client sends the client ID to the server;
the server generates a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm and a confusion strategy according to the received client ID;
and the server side sends the client side white box algorithm to the client side.
3. A digital signature verification method, applied to a client, the method comprising:
generating request information carrying a digital signature according to a client white-box algorithm sent by a server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and a confusion strategy, and the digital signature is verification information generated by using the client white-box algorithm;
sending the request information to the server side so that the server side can verify the request information by using a first secret key corresponding to the client side ID to judge whether the request information is legal or not; the server side continues to execute the request content corresponding to the request information under the condition that the request information is legal; and the server does not execute the request content corresponding to the request information under the condition that the request information is illegal.
4. The method according to claim 3, wherein before the generating the request information carrying the digital signature according to the client white-box algorithm sent by the server, the method further comprises:
sending the client ID to the server;
and receiving the client white box algorithm sent by the server.
5. The method of claim 4, wherein the client white-box algorithm comprises at least one obfuscation algorithm and an encryption algorithm.
6. The method of claim 5, wherein the client white-box algorithm comprises a first obfuscation algorithm, an encryption algorithm, and a second obfuscation algorithm, and before the request message carrying the digital signature is generated according to the client white-box algorithm sent by the server, the method further comprises:
and generating a first inverse confusion algorithm corresponding to the first confusion algorithm and a second inverse confusion algorithm corresponding to the second confusion algorithm by utilizing the confusion strategy according to the client ID.
7. The method according to claim 6, wherein the generating the request information carrying the digital signature according to the client white-box algorithm sent by the server comprises:
generating the digital signature according to the request content in the request information through the first inverse confusion algorithm, the second inverse confusion algorithm and the client white box algorithm;
and generating the request information according to the digital signature.
8. The method according to claim 7, wherein the generating the digital signature according to the request content in the request information by the first inverse obfuscation algorithm, the second inverse obfuscation algorithm, and the client white-box algorithm comprises:
acquiring abstract information of the request content, wherein the abstract information is generated after the request content is processed by using a preset function;
performing confusion processing on the summary information through the first inverse confusion algorithm;
encrypting the summary information subjected to the confusion processing of the first inverse confusion algorithm by using the first confusion algorithm, the encryption algorithm and the second confusion algorithm in the client white box algorithm in sequence to generate confusion encryption information;
performing a de-obfuscation process on the obfuscated encrypted information through the second anti-obfuscation algorithm to generate the digital signature.
9. A digital signature verification method is applied to a server side, and comprises the following steps:
receiving request information with a digital signature sent by a client, wherein the digital signature is verification information generated by utilizing a client white-box algorithm, and the client white-box algorithm is generated by the server according to a client ID by utilizing a preset encryption algorithm and an obfuscation strategy;
verifying the request information by using a first key corresponding to the ID of the client to judge whether the request information is legal or not;
the server side continues to execute the request content corresponding to the request information under the condition that the request information is legal; and the server does not execute the request content corresponding to the request information under the condition that the request information is illegal.
10. The method of claim 9, wherein before receiving the request message with the digital signature sent by the client, the method further comprises:
receiving a client ID sent by the client;
generating a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm and a confusion strategy, wherein the client white-box algorithm comprises at least one confusion algorithm and an encryption algorithm;
sending the client white-box algorithm to the client;
and storing a key of the encryption algorithm corresponding to the client ID as the first key.
11. The method of claim 10, wherein performing a verification operation on the requested information using a first key corresponding to a client ID to determine whether the requested information is legitimate comprises:
searching the first key according to the client ID, wherein the first key is an encryption key generated by using an Advanced Encryption Standard (AES) algorithm;
decrypting the digital signature in the request information according to the first key to obtain signature information;
and judging whether the request information is legal or not according to the signature information.
12. A digital signature verification system is characterized by comprising a server and a client;
the client is used for generating request information carrying a digital signature according to a client white-box algorithm sent by the server, wherein the client white-box algorithm is generated by the server according to a client ID by using a preset encryption algorithm and an obfuscation strategy, and the digital signature is verification information generated by using the client white-box algorithm;
the client is used for sending the request information to the server;
the server is used for verifying the request information by using a first key corresponding to the client ID so as to judge whether the request information is legal or not;
the server is used for continuously executing the request content corresponding to the request information under the condition that the request information is legal; and under the condition that the request information is illegal, not executing the request content corresponding to the request information.
13. The system of claim 12, further comprising:
the client is used for sending the client ID to the server before the step of generating request information carrying a digital signature by the client according to a client white box algorithm sent by the server;
the server is used for generating a client white-box algorithm corresponding to the client ID by utilizing a preset encryption algorithm and an obfuscation strategy according to the received client ID;
and the server is used for sending the client white box algorithm to the client.
14. A digital signature verification apparatus, applied to a client, the apparatus comprising:
the information generation module is used for generating request information carrying a digital signature according to a client white-box algorithm sent by a server, wherein the client white-box algorithm is generated by the server according to a client ID (identity) by using a preset encryption algorithm and an obfuscation strategy, and the digital signature is verification information generated by using the client white-box algorithm;
the sending module is used for sending the request information to the server so that the server can verify the request information by using a first key corresponding to the client ID to judge whether the request information is legal or not; the server side continues to execute the request content corresponding to the request information under the condition that the request information is legal; and the server does not execute the request content corresponding to the request information under the condition that the request information is illegal.
15. The apparatus of claim 14, wherein the apparatus comprises:
the sending module is further configured to send the client ID to the server before the request information carrying the digital signature is generated according to the client white-box algorithm sent by the server;
and the receiving module is used for receiving the client side white box algorithm sent by the server side.
16. The apparatus of claim 15, wherein the client white-box algorithm comprises at least one obfuscation algorithm and an encryption algorithm.
17. The apparatus of claim 16, wherein the client white-box algorithm comprises a first obfuscation algorithm, an encryption algorithm, and a second obfuscation algorithm, the apparatus further comprising:
and the confusion generating module is used for generating a first inverse confusion algorithm corresponding to the first confusion algorithm and a second inverse confusion algorithm corresponding to the second confusion algorithm by utilizing the confusion strategy according to the client ID before generating the request information carrying the digital signature according to the client white-box algorithm sent by the server.
18. The apparatus of claim 17, wherein the information generating module comprises:
the signature generation submodule is used for generating the digital signature according to the request content in the request information through the first inverse confusion algorithm, the second inverse confusion algorithm and the client white box algorithm;
and the request determining submodule is used for generating the request information according to the digital signature.
19. The apparatus of claim 18, wherein the signature generation sub-module comprises:
an information obtaining unit, configured to obtain summary information of the request content, where the summary information is generated after processing the request content by using a preset function;
the confusion processing unit is used for carrying out confusion processing on the summary information through the first inverse confusion algorithm;
the encryption processing unit is used for sequentially utilizing the first obfuscating algorithm, the encryption algorithm and the second obfuscating algorithm in the client white-box algorithm to encrypt the summary information subjected to obfuscation processing by the first inverse obfuscating algorithm so as to generate obfuscated encrypted information;
a de-obfuscating processing unit, configured to perform de-obfuscation processing on the obfuscated encrypted information through the second inverse obfuscating algorithm to generate the digital signature.
20. A digital signature verification apparatus, applied to a server, the apparatus comprising:
the system comprises a receiving module, a processing module and a sending module, wherein the receiving module is used for receiving request information with a digital signature sent by a client, the digital signature is verification information generated by utilizing a client white-box algorithm, and the client white-box algorithm is generated by the server according to a client ID by utilizing a preset encryption algorithm and an obfuscation strategy;
the verification module is used for verifying the request information by using a first secret key corresponding to the ID of the client so as to judge whether the request information is legal or not;
the execution module is used for continuously executing the request content corresponding to the request information under the condition that the request information is legal; and under the condition that the request information is illegal, not executing the request content corresponding to the request information.
21. The apparatus of claim 20, further comprising:
the receiving module is further configured to receive the client ID sent by the client before receiving the request information with the digital signature sent by the client;
the generating module is used for generating a client white-box algorithm corresponding to the client ID by using a preset encryption algorithm and a confusion strategy, and the client white-box algorithm comprises at least one confusion algorithm and an encryption algorithm;
the sending module is used for sending the client white box algorithm to the client;
and the storage module is used for storing a key of the encryption algorithm corresponding to the client ID as the first key.
22. The apparatus of claim 21, wherein the authentication module comprises:
a key searching submodule, configured to search the first key according to the client ID, where the first key is an encryption key generated by using an advanced encryption standard AES algorithm;
the decryption submodule is used for decrypting the digital signature in the request information according to the first secret key so as to obtain signature information;
and the request judgment submodule is used for judging whether the request information is legal or not according to the signature information.
23. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements a digital signature verification method as claimed in any one of claims 1 to 11.
CN201910064678.9A 2019-01-23 2019-01-23 Digital signature verification method, system, device and computer readable storage medium Active CN109728914B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910064678.9A CN109728914B (en) 2019-01-23 2019-01-23 Digital signature verification method, system, device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910064678.9A CN109728914B (en) 2019-01-23 2019-01-23 Digital signature verification method, system, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109728914A CN109728914A (en) 2019-05-07
CN109728914B true CN109728914B (en) 2022-04-08

Family

ID=66299266

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910064678.9A Active CN109728914B (en) 2019-01-23 2019-01-23 Digital signature verification method, system, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109728914B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110149312B (en) * 2019-04-09 2021-10-15 北京奇艺世纪科技有限公司 Data processing method, device, system and computer readable storage medium
CN110933108B (en) * 2019-09-26 2021-05-11 腾讯科技(深圳)有限公司 Data processing method and device based on block chain network, electronic equipment and storage medium
CN112804184B (en) * 2019-11-13 2023-10-10 阿里巴巴集团控股有限公司 Data confusion method, device and equipment
CN110855667B (en) * 2019-11-14 2023-04-07 宁夏吉虎科技有限公司 Block chain encryption method, device and system
CN110891061B (en) * 2019-11-26 2021-08-06 中国银联股份有限公司 Data encryption and decryption method and device, storage medium and encrypted file
CN111193751B (en) * 2020-01-13 2022-02-08 临沂大学 Factory setting restoration method and equipment
CN113810178B (en) * 2020-06-12 2023-05-05 中国移动通信有限公司研究院 Key management method, device, system and storage medium
CN112073200B (en) * 2020-09-02 2024-06-25 北京五八信息技术有限公司 Signature processing method and device
CN113806710A (en) * 2021-09-26 2021-12-17 北京沃东天骏信息技术有限公司 Data processing method, device, equipment and storage medium
CN114844645B (en) * 2022-03-28 2024-06-14 五八有限公司 Data verification method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101211451A (en) * 2007-12-21 2008-07-02 北京飞天诚信科技有限公司 Redepositing system and method based on digital sign
CN101282222A (en) * 2008-05-28 2008-10-08 胡祥义 Digital signature method based on CSK
CN108111622A (en) * 2017-12-29 2018-06-01 北京梆梆安全科技有限公司 A kind of method, apparatus and system for downloading whitepack library file

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101211451A (en) * 2007-12-21 2008-07-02 北京飞天诚信科技有限公司 Redepositing system and method based on digital sign
CN101282222A (en) * 2008-05-28 2008-10-08 胡祥义 Digital signature method based on CSK
CN108111622A (en) * 2017-12-29 2018-06-01 北京梆梆安全科技有限公司 A kind of method, apparatus and system for downloading whitepack library file

Also Published As

Publication number Publication date
CN109728914A (en) 2019-05-07

Similar Documents

Publication Publication Date Title
CN109728914B (en) Digital signature verification method, system, device and computer readable storage medium
CN110855671B (en) Trusted computing method and system
CN107959567B (en) Data storage method, data acquisition method, device and system
CN107317677B (en) Secret key storage and equipment identity authentication method and device
CN106452770B (en) Data encryption method, data decryption method, device and system
CN106650482A (en) Electronic file encryption method and device, electronic file decryption method and device and electronic file encryption and decryption system
CN108989325A (en) Encryption communication method, apparatus and system
CN108134673B (en) Method and device for generating white box library file
CN113395406B (en) Encryption authentication method and system based on power equipment fingerprint
CN113204772B (en) Data processing method, device, system, terminal, server and storage medium
CN102404337A (en) Data encryption method and device
Kumar et al. Data outsourcing: A threat to confidentiality, integrity, and availability
CN113609522A (en) Data authorization and data access method and device
US10681038B1 (en) Systems and methods for efficient password based public key authentication
CN110149312B (en) Data processing method, device, system and computer readable storage medium
CN111079157A (en) Secret fragmentation trusteeship platform based on block chain, equipment and medium
CN113918982A (en) Data processing method and system based on identification information
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN107968793B (en) Method, device and storage medium for downloading white box key
CN107404476B (en) Method and device for protecting data security in big data cloud environment
CN116170185A (en) Data encryption method and device, processor and electronic equipment
CN111431846B (en) Data transmission method, device and system
CN113111360A (en) File processing method
Yeboah-Ofori et al. Enhancement of Big Data Security in Cloud Computing Using RSA Algorithm
CN115114648A (en) Data processing method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant