Nothing Special   »   [go: up one dir, main page]

CN111628863B - Data signature method and device, electronic equipment and storage medium - Google Patents

Data signature method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN111628863B
CN111628863B CN202010471620.9A CN202010471620A CN111628863B CN 111628863 B CN111628863 B CN 111628863B CN 202010471620 A CN202010471620 A CN 202010471620A CN 111628863 B CN111628863 B CN 111628863B
Authority
CN
China
Prior art keywords
private key
signature value
server
client
final
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010471620.9A
Other languages
Chinese (zh)
Other versions
CN111628863A (en
Inventor
安晓江
王学进
胡伯良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd filed Critical Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN202010471620.9A priority Critical patent/CN111628863B/en
Publication of CN111628863A publication Critical patent/CN111628863A/en
Application granted granted Critical
Publication of CN111628863B publication Critical patent/CN111628863B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data signature method and device, electronic equipment and a storage medium, which are used for improving the security of data signatures. The method comprises the following steps: signing the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is a first part of private key components obtained by dividing the private key after the private key is generated by the server; generating a first data protection key based on the hardware information of the client and the current using times of the first private key; encrypting the intermediate signature value by using the first data protection key to obtain an encrypted signature value; sending the encrypted signature value to the server, so that the server signs the intermediate signature value by using a second private key after decrypting the encrypted signature value to obtain a final signature value; and obtaining the final signature value sent by the server after the final signature value passes the verification.

Description

Data signature method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for data signature, an electronic device, and a storage medium.
Background
At present, in order to protect the privacy security of users and the non-repudiation of services, a data signature technology is generally used, and the data signature technology becomes an important tool for guaranteeing the information security. The existing mode of data signature based on hardware equipment such as UsbKey and the like is high in cost, and in an application scene corresponding to mobile equipment, the data signature is inconvenient to carry out by using the hardware equipment. Therefore, how to effectively secure the data signature in the application scenario corresponding to the mobile device is a matter of consideration.
Disclosure of Invention
The embodiment of the application provides a data signature method and device, electronic equipment and a storage medium, which are used for improving the security of data signatures.
In a first aspect, a method for data signature is provided, which is applied to a client, and the method includes:
signing the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is a first part of private key components obtained by dividing the private key after the private key is generated by the server;
generating a first data protection key based on the hardware information of the client and the current using times of the first private key;
encrypting the intermediate signature value by using the first data protection key to obtain an encrypted signature value;
sending the encrypted signature value to the server, so that the server signs the intermediate signature value by using a second private key after decrypting the encrypted signature value to obtain a final signature value;
and obtaining the final signature value sent by the server after the final signature value passes the verification.
In one possible design, after obtaining the final signature value sent by the server after the final signature value is verified, the method further includes:
and updating the use times of the first private key.
In one possible design, before obtaining the final signature value sent by the server after the final signature value is verified, the method further includes:
if the verification of the final signature value by the server fails, obtaining feedback information sent by the server;
and generating prompt information according to the feedback information, wherein the prompt information is used for indicating that the first private key is leaked.
In one possible design, after obtaining the final signature value sent by the server after the final signature value is verified, the method further includes:
and after a preset time, updating the first private key according to the obtained first part of private key components in the private key regenerated by the server side to obtain the updated first private key.
In a second aspect, a data signature method is provided, which is applied to a server, and the method includes:
acquiring an encrypted signature value sent by a client;
generating a second data protection key based on the acquired hardware information of the client and the use times of a current second private key, wherein the second private key is a second part of private key components obtained by dividing the private key after the private key is generated by the server;
decrypting the encrypted signature value by using the second data protection key to obtain an intermediate signature value;
and signing the intermediate signature value by using the second private key to obtain a final signature value, and sending the final signature value to the client after the final signature value passes verification.
In one possible design, after the final signature value is sent to the client after the final signature value is verified, the method further includes:
and updating the use times of the second private key.
In one possible design, if the final signature value fails to verify, the method further includes:
and sending feedback information to the client, so that the client generates prompt information according to the feedback information, wherein the prompt information is used for indicating that the client has the condition that the first private key is leaked.
In one possible design, after the sending the final signature value to the client, the method further includes:
and after a preset time, updating the second private key according to the obtained second part of private key components in the private key regenerated by the server side to obtain the updated second private key.
In a third aspect, an apparatus for data signature is provided, where the apparatus is provided at a client, and the apparatus includes:
the first signature module is used for signing the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is a first part of private key components obtained by dividing the private key after the private key is generated by the server;
the first generation module is used for generating a first data protection key based on the hardware information of the client and the current using times of the first private key;
the encryption module is used for encrypting the intermediate signature value by using the first data protection key to obtain an encrypted signature value;
the first sending module is used for sending the encrypted signature value to the server, so that the server signs the intermediate signature value by using a second private key after decrypting the encrypted signature value to obtain a final signature value;
and the first obtaining module is used for obtaining the final signature value sent by the server after the final signature value is verified.
In one possible design, the apparatus further includes a first updating module, and the first updating module is configured to update the number of times of using the first private key after the obtaining of the final signature value sent by the server after the final signature value verification passes.
In a possible design, the first obtaining module is further configured to, before the obtaining of the final signature value sent by the server after the final signature value is verified, obtain feedback information sent by the server if the verification of the final signature value by the server fails; and generating prompt information according to the feedback information, wherein the prompt information is used for indicating that the first private key is leaked.
In a possible design, the first updating module is further configured to, after the final signature value sent by the server after the final signature value verification is passed is obtained and a predetermined time is met, update the first private key according to a first part of private key components in a private key regenerated by the server, so as to obtain an updated first private key.
In a fourth aspect, an apparatus for data signature is provided, where the apparatus is disposed at a server, and the apparatus includes:
the second obtaining module is used for obtaining the encrypted signature value sent by the client;
the second generation module is used for generating a second data protection key based on the acquired hardware information of the client and the use times of a current second private key, wherein the second private key is a second part of private key components obtained by dividing the private key after the private key is generated by the server;
the decryption module is used for decrypting the encrypted signature value by using the second data protection key to obtain an intermediate signature value;
and the second signature module is used for signing the intermediate signature value by using the second private key to obtain a final signature value, and sending the final signature value to the client after the final signature value passes verification.
In one possible design, the apparatus further includes a second updating module, and the second updating module is configured to update the number of times of use of the second private key after the final signature value is sent to the client after the final signature value is verified.
In a possible design, the apparatus further includes a feedback module, where the feedback module is configured to send feedback information to the client after the verification of the final signature value fails, so that the client generates prompt information according to the feedback information, where the prompt information is used to indicate that the client has a condition that the first private key is leaked.
In a possible design, the second updating module is further configured to update the second private key according to a second part of private key components in the private key regenerated by the server, after the final signature value is sent to the client and a predetermined time is met, so as to obtain an updated second private key.
In a fifth aspect, an electronic device is provided, comprising:
a processor;
a computer storage medium for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of data signing of the first and/or second aspect.
In a sixth aspect, there is provided a computer storage medium having stored thereon computer-executable instructions for performing the method of data signing according to the first and/or second aspect.
The technical scheme provided by the embodiment of the application at least has the following beneficial effects:
the application provides a scheme of data signature, in the scheme, a private key used by the data signature can be divided into two private key components (namely a first private key and a second private key), a client and a server are respectively stored, then, when the data signature is carried out, the client signs signature information by using the first private key stored by the client, after an intermediate signature value is obtained, a first data protection key can be generated based on hardware information of the client and the number of times of using the current first private key, the intermediate signature value is encrypted by using the first data protection key to obtain an encrypted signature value, and then the encrypted signature value can be sent to the server, the server signs the intermediate signature value by using a second data protection key generated by using the hardware information of the client and the number of times of using the second private key, and the server side sends the final signature value to the client side after the final signature value is verified by the public key.
The data protection key is produced based on the hardware information of the client and the use times of the first private key or the second private key, and the use times of the first private key or the second private key can be changed when the first private key is used, so that the generated data protection key can be changed along with the change of the first private key or the second private key, and the data protection keys used in each encryption process are different. Therefore, even if the first private key is stolen, the data protection key used by the illegal client is different from the second data protection key used by the server because the illegal client cannot know the use times of the first private key and/or the hardware information of the legal client, and the verification of the generated final signature value by the server is failed, so that the data signature cannot be completed. Therefore, the security of the data signature can be improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments will be briefly introduced, and it is obvious that the drawings in the following description are only some embodiments of the present invention.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a flowchart of a method for data signature according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an apparatus for data signature provided in an embodiment of the present application;
fig. 4a is a schematic structural diagram of another apparatus for data signature provided in an embodiment of the present application;
fig. 4b is a schematic structural diagram of another data signing apparatus provided in this application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present invention. All other embodiments obtained by a person skilled in the art without any inventive work based on the embodiments described in the present application are within the scope of the protection of the technical solution of the present invention.
The terms "first" and "second" in the description and claims of the present application and the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the term "comprises" and any variations thereof, which are intended to cover non-exclusive protection. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus. In the embodiments of the present application, "a plurality" may mean at least two, for example, two, three, or more, and the embodiments of the present application are not limited.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone.
As described above, the existing method for performing data signature by using hardware devices is relatively high in cost and inconvenient to use in a signature environment corresponding to a mobile device, and therefore, the problem in the prior art is how to effectively guarantee the security of data signature in an application scenario corresponding to the mobile device.
In view of this, the present application provides a data signing scheme, in which a private key used for data signing can be divided into two private key components (i.e. a first private key and a second private key) which are stored in a client and a server, respectively, so that when data signing is performed, the client may use a first data protection key generated based on hardware information of the client and the number of times the first private key is used, encrypting the intermediate signature value obtained after the signature by using the first private key to obtain an encrypted signature value, wherein correspondingly, the server side can decrypt the encrypted signature value by using a second data protection key generated based on the hardware information of the client side and the using times of the second private key, and then the server side uses the second private key to sign to obtain a final signature value, and after the final signature value is verified, the final signature value is sent to the client side.
The data protection key is generated based on the hardware information of the client and the use times of the first private key or the second private key, and when a legal client signs data, the use times of the first private key and the use times of the second private key stored in the client and the server are consistent. The stored use times of the first private key and the second private key can be changed every time the private key is used, so that the generated data protection key can be changed along with the change of the stored use times of the first private key and the second private key, and the data protection keys used in each encryption process are different. Therefore, even if the first private key is stolen, the data protection key used by the illegal client is different from the second data protection key used by the server because the illegal client cannot know the use times of the first private key and/or the hardware information of the legal client, so that the intermediate signature value obtained by the decryption of the server is different from the intermediate signature value generated by the legal client, the verification of the final signature value by the server is failed, and the data signature cannot be completed. Therefore, the security of the data signature can be improved.
Some application scenarios to which the embodiments of the present application can be applied are briefly described below, and it should be noted that the application scenarios described below are only used for illustrating the embodiments of the present application and are not limited. In a specific implementation process, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Please refer to fig. 1, which is an application scenario diagram provided by the present application. Fig. 1 includes a client 101 and a server 102. The client 101 may be a mobile terminal such as a portable computer, an ipad, a smart phone, or a terminal that cannot be moved during use such as a desktop computer. The client 101 can communicate with the server 102 through a network.
Specifically, in the embodiment of the present application, when performing data signing, a user may log in to the client 101, the server 102 may generate a key for performing data signing for the user, and then the server 102 may divide a private key in the key into two private key components and send a part of the private key components to the client for storage. For example, the client 101 stores a first private key, and the server 102 stores a second private key, so that data signing can be performed by using both the client 101 and the server 102. Moreover, the client 101 may register with the server 102, so that the server 102 may obtain the hardware information of the client 101 from the registration information of the client 101.
It should be noted that, in this embodiment of the present application, each user may correspond to a pair of keys, that is, when a user logs in different clients and performs data signing together with a server, the keys corresponding to the user may be the same. Moreover, according to different clients logged in by the user, the server can re-divide the private key corresponding to the user according to the corresponding client, and the sub-private key divided this time is different from the sub-private key divided last time.
For example, assuming that the private key corresponding to the user 1 is a, the user 1 logs in the client 1 and then performs data signing together with the server 1, the server 1 may divide the private key into a1 and a2, and further send a1 to the client 1 for storage, and the a2 is stored by the server 1 itself. When the user 1 logs in the client 2 and then performs data signature with the server 1, the server 1 may re-partition the private key a into a3 and a4, and further may send a3 to the client 2 for storage, and the a4 is stored by the server 1 itself. Wherein a1 ≠ a2 ≠ a3 ≠ a 4.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. Although the embodiments of the present application provide the method operation steps as shown in the following embodiments or figures, more or less operation steps may be included in the method based on the conventional or non-inventive labor. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application. The method can be executed in sequence or in parallel according to the method shown in the embodiment or the figure when the method is executed in an actual processing procedure or a device.
Referring to fig. 2, a flowchart of a method for data signing according to an embodiment of the present application is provided, where the method may be used in the client 101 and the server 102 shown in fig. 1. The flow of the method is described below.
Step 201: the client signs the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is a first part of private key components obtained by dividing the private key after the private key is generated by the server.
In the embodiment of the application, when data signing is required to be performed on signing information, in order to ensure the storage security of a private key, a server corresponding to a client can divide the private key used for data signing into two private key components, and store the two private key components in the client and the server respectively, for example, the private key is divided into a first part of private key components and a second part of private key components, the first part of private key components, namely a first private key, is stored in the client, the second part of private key components, namely a second private key, is stored in the server, and both the client and the server cannot obtain a complete private key, so that the storage security of the private key can be ensured to a certain extent. When signature operation is carried out, a server and a client are required to participate together, and then a complete signature can be obtained. In this way, even if the private key stored in one of the parties is stolen, the signature cannot be completed, and therefore, the security of the use of the private key can be ensured.
In the embodiment of the application, when data signing is performed, the client can use the first private key owned by the client to sign the signature information needing data signing, so that an intermediate signature value can be obtained.
Step 202: the client generates a first data protection key based on the hardware information of the client and the number of times of using the current first private key.
In this embodiment of the application, after obtaining the intermediate signature value, the client may generate the first data protection key based on its own hardware information and the number of times of using the current first private key. The hardware information of each client is different, the using times of the first private key stored by the client is consistent with the data signing times of the first private key, and after the times of the first private key stored by the client are changed along with the data signing times of the client, the first data protection keys generated by the client for signing data each time are different. Therefore, even if other clients steal the first private key, the hardware information of the clients is different from the hardware information of the clients registered with the server, so that the final signature value finally generated by the server cannot pass the verification, and the security of the data signature can be improved to a certain extent.
Step 203: and the client encrypts the intermediate signature value by using the first data protection key to obtain an encrypted signature value.
In this embodiment of the application, after the client generates the first data protection key, the client may encrypt the intermediate signature value by using the first data protection key to obtain an encrypted signature value. Because the first data protection key used for encryption is generated by the hardware information of the client and the current use times of the first private key of the client, even if the first private key is stolen by other clients, for example, the client B steals the first private key of the client A and wants to impersonate the client A and the server to carry out data signature together, the final signature value finally generated by the server cannot pass verification because the hardware information of the client B and the use times of the first private key are different from those of the client A, and thus the security of the data signature can be improved to a certain extent.
Step 204: the client sends the encrypted signature value to the server, and the server receives the encrypted signature value.
In this embodiment of the application, after the client generates the encrypted signature value, the client may send the encrypted signature value to the server, so that the server performs data signature on the server side, thereby obtaining a complete data signature.
Step 205: and the server generates a second data protection key based on the acquired hardware information of the client and the use times of the current second private key, wherein the second private key is a second part of private key components obtained by dividing the private key after the server generates the private key.
In the embodiment of the application, as described above, when the client and the server perform data signing together, the client needs to register with the server, so that the server can obtain the hardware information of the client when performing data signing, and thus the second data protection key can be generated based on the hardware information of the client and the number of times of using the second private key. When the legal client and the server perform data signature together, the number of times of using the first private key stored in the legal client is the same as the number of times of using the second private key stored in the server, so that the first data protection key generated by the client is also the same as the second protection key generated by the server.
Step 206: and the server side decrypts the encrypted signature value by using the second data protection key to obtain an intermediate signature value.
In this embodiment of the application, after receiving the encrypted signature value sent by the client, the server may decrypt the encrypted signature value by using the generated second data protection key, so as to obtain an intermediate signature value. For a legal client, the first data protection key generated by the client is the same as the second data protection key generated by the server, that is, the data protection key used by the client for encryption is the same as the data protection key used by the server for decryption, and then the intermediate signature value obtained by decryption is also the same, so that the security and the authenticity of the intermediate signature value can be ensured to a certain extent.
Step 207: and the server side signs the intermediate signature value by using a second private key to obtain a final signature value.
In the embodiment of the application, after the server decrypts the intermediate signature value, the server can use the stored second private key to sign the intermediate signature value, so as to obtain the final data signature value.
Step 208: and the server verifies the final signature value, and sends the final signature value to the client after the final signature value passes the verification, so that the client receives the final signature value sent by the server.
In the embodiment of the application, after the server obtains the final signature value, the server can verify the final signature value by using the public key stored in the server, if the verification is passed, the data signature is completed, and the final signature value can be sent to the client so that the client can use the final signature value; if the verification fails, the data signature fails, and finally the signature value cannot be used.
As an optional implementation manner, in this embodiment of the application, after the client receives the verified final signature value sent by the server, the number of times of using the stored first private key may be updated, for example, the number of times of using the first private key stored before the final signature value is received is 5 times, and the number of times of using the first private key updated after the final signature value is received is 6 times.
Correspondingly, after the server sends the final signature value to the client, the server can also update the number of times of using the second private key stored by the server. That is, after the client and the server finish data signing together, the use times of the first private key and the second private key can be updated, so that the use times of the first private key stored in the client and the server are consistent with the use times of the second private key, the first data protection key generated by the client is ensured to be the same as the second data protection key generated by the server, the intermediate signature value encrypted by the client is ensured to be the same as the intermediate signature value obtained by decrypting by the server, and the security of data signing is improved.
As an optional implementation manner, in this embodiment of the application, if the server fails to verify the final signature value, the server may send feedback information to the client, and then the client receives the feedback information and may generate a prompt message according to the feedback information, where the prompt message may be used to indicate that the client has a condition that the first private key is leaked, so that the client improves security management on storage of the first private key.
As an optional implementation manner, in this embodiment of the application, the first private key used by the client and the second private key used by the server may be fixed and unchangeable during data signing, or after a predetermined time period for performing data signing by using the first private key and the second private key, the server may regenerate a new private key and a new public key used for performing data signing, and further may divide the newly generated private key into a new first part of private key component and a new second part of private key component, so as to update the first private key in the client and update the second private key in the server, thereby further improving security and reliability of the data signing.
Based on the same inventive concept, the embodiment of the present application further provides a data signing device, which may be disposed in the client 101 shown in fig. 1, and the data signing device is capable of implementing a function corresponding to the foregoing data signing method. The means for data signing may be a hardware structure, a software module, or a hardware structure plus a software module. The data signature device can be realized by a chip system, and the chip system can be formed by a chip and can also comprise the chip and other discrete devices. Referring to fig. 3, the data signing apparatus includes a first signing module 301, a first generating module 302, an encrypting module 303, a first sending module 304, a first obtaining module 305, and a first updating module 306. Wherein:
the first signature module 301 is configured to sign the signature information according to the obtained first private key to obtain an intermediate signature value, where the first private key is a first part of private key components obtained by dividing a private key after the private key is generated by a server;
a first generating module 302, configured to generate a first data protection key based on the hardware information of the client and the number of times of using the current first private key;
an encrypting module 303, configured to encrypt the intermediate signature value with a first data protection key to obtain an encrypted signature value;
a first sending module 304, configured to send the encrypted signature value to the server, so that the server decrypts the encrypted signature value and signs the intermediate signature value with a second private key to obtain a final signature value;
a first obtaining module 305, configured to obtain the final signature value sent by the server after the final signature value is verified.
In a possible optional implementation manner, the first updating module 306 included in the apparatus in fig. 3 is configured to update the number of times of using the first private key after obtaining the final signature value sent by the server after the final signature value verification passes.
In a possible optional implementation manner, the first obtaining module 305 is further configured to, before obtaining the final signature value sent by the server after the final signature value is verified, obtain feedback information sent by the server if the verification of the final signature value by the server fails; and generating prompt information according to the feedback information, wherein the prompt information is used for indicating that the first private key is leaked.
In a possible optional implementation manner, the first updating module 306 is further configured to, after obtaining a final signature value sent by the server after the final signature value verification passes and meeting a predetermined time, update the first private key according to a first part of private key components in a private key regenerated by the server, so as to obtain an updated first private key.
Based on the same inventive concept, the embodiment of the present application further provides a data signing device, which may be disposed in the server 102 shown in fig. 1, and the data signing device can implement the corresponding function of the foregoing data signing method. The means for data signing may be a hardware structure, a software module, or a hardware structure plus a software module. The data signature device can be realized by a chip system, and the chip system can be formed by a chip and can also comprise the chip and other discrete devices. Referring to fig. 4a, the apparatus for data signature includes a second obtaining module 401, a second generating module 402, a decrypting module 403, and a second signature module 404. Wherein:
a second obtaining module 401, configured to obtain an encrypted signature value sent by a client;
a second generating module 402, configured to generate a second data protection key based on the obtained hardware information of the client and the number of times of using a current second private key, where the second private key is generated by the server and then a second part of private key components obtained by splitting the private key are obtained;
a decryption module 403, configured to decrypt the encrypted signature value with the second data protection key to obtain an intermediate signature value;
and the second signature module 404 is configured to sign the intermediate signature value by using a second private key to obtain a final signature value, and send the final signature value to the client after the final signature value is verified.
In a possible optional implementation manner, as shown in fig. 4b, the apparatus shown in fig. 4b further includes a second updating module 405, where the second updating module 405 is configured to update the number of times of using the second private key after the final signature value is sent to the client after the final signature value is verified.
In a possible optional implementation manner, the apparatus shown in fig. 4b further includes a feedback module 406, where the feedback module 406 is configured to send feedback information to the client after the verification of the final signature value fails, so that the client generates prompt information according to the feedback information, where the prompt information is used to indicate that the client has a condition that the first private key is leaked.
In a possible optional implementation manner, the second updating module 405 is further configured to, after the final signature value is sent to the client and the predetermined time is met, update the second private key according to the obtained second part of private key components in the private key regenerated by the server, so as to obtain an updated second private key.
All relevant contents of each step related to the foregoing embodiment of the data signing method may be referred to the functional description of the functional module corresponding to the data signing apparatus in the embodiment of the present invention, and are not described herein again.
The division of the modules in the embodiments of the present application is schematic, and only one logical function division is provided, and in actual implementation, there may be another division manner, and in addition, each functional module in each embodiment of the present invention may be integrated in one processor, or may exist alone physically, or two or more modules are integrated in one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
Based on the same inventive concept, the embodiment of the present application provides an electronic device, which may be a hardware structure, a software module, or a hardware structure plus a software module. The electronic device may be implemented by a system-on-chip, which may be constituted by a chip, or may include a chip and other discrete devices. Referring to fig. 5, an electronic device in this embodiment of the present application includes at least one processor 501 and a memory 502 connected to the at least one processor, a specific connection medium between the processor 501 and the memory 502 is not limited in this embodiment of the present application, in fig. 5, the processor 501 and the memory 502 are connected by a bus 500 as an example, the bus 500 is represented by a thick line in fig. 5, and connection manners between other components are only schematically illustrated and are not limited. The bus 500 may be divided into an address bus, a data bus, a control bus, etc., and is shown with only one thick line in fig. 5 for ease of illustration, but does not represent only one bus or one type of bus.
In the embodiment of the present application, the memory 502 stores instructions executable by the at least one processor 501, and the at least one processor 501 may execute the steps included in the foregoing method for signing data by executing the instructions stored in the memory 502.
The processor 501 is a control center of the computing, and can connect various parts of the whole computing by using various interfaces and lines, and perform various functions and process data of the electronic device by operating or executing instructions stored in the memory 502 and calling data stored in the memory 502, thereby performing overall monitoring on the electronic device. Optionally, the processor 501 may include one or more processing units, and the processor 501 may integrate an application processor and a modem processor, wherein the processor 501 mainly processes an operating system, a user interface, an application program, and the like, and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 501. In some embodiments, processor 501 and memory 502 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 501 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
Memory 502, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The Memory 502 may include at least one type of storage medium, and may include, for example, a flash Memory, a hard disk, a multimedia card, a card-type Memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), a charge Erasable Programmable Read Only Memory (EEPROM), a magnetic Memory, a magnetic disk, an optical disk, and so on. The memory 502 is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 502 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The communication interface 503 is a transmission interface that can be used for communication, and data can be received or transmitted through the communication interface 503. Taking an electronic device as the client 101 in fig. 1 as an example, after signing the signature message with the first private key, the client 101 may send the generated intermediate signature value to the server 102 through the communication interface 503.
Based on the same inventive concept, the embodiments of the present application also provide a computer-readable storage medium storing computer instructions, which, when executed on a computer, cause the computer to perform the steps of the method for data signing.
In some possible embodiments, various aspects of the method for data signing provided in the embodiments of the present application may also be implemented in the form of a program product, which includes program code for causing a computer to perform the steps included in the method for data signing according to various exemplary embodiments of the present invention described in the foregoing when the program product runs on the computer.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (18)

1. A method for data signature, which is applied to a client, the method comprises:
signing the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is obtained by dividing the private key into a first private key component of two private key components after the private key is generated by a server;
generating a first data protection key based on the hardware information of the client and the current using times of the first private key;
encrypting the intermediate signature value by using the first data protection key to obtain an encrypted signature value;
sending the encrypted signature value to the server, so that the server signs the intermediate signature value by using a second private key after decrypting the encrypted signature value to obtain a final signature value; wherein, the server uses a second private key to sign the intermediate signature value after decrypting the encrypted signature value to obtain a final signature value, and the method comprises the following steps: the server generates a second data protection key according to the hardware information of the client and the using times of the second private key, decrypts the encrypted signature value by using the second data protection key to obtain an intermediate signature value, and signs the intermediate signature value by using the second private key to obtain a final signature value; the second private key is generated by the server side, and then is divided into a second part of two private key components; the using times of the first private key are the same as the using times of the second private key;
and obtaining the final signature value sent by the server after the final signature value is verified by using a public key.
2. The method of claim 1, wherein after the obtaining the final signature value sent by the server after the final signature value verification passes, the method further comprises:
and updating the use times of the first private key.
3. The method of claim 1, wherein before the obtaining the final signature value sent by the server after the final signature value is verified, the method further comprises:
if the verification of the final signature value by the server fails, obtaining feedback information sent by the server;
and generating prompt information according to the feedback information, wherein the prompt information is used for indicating that the first private key is leaked.
4. The method of any of claims 1-3, wherein after said obtaining the final signature value sent by the server after the final signature value verification passes, the method further comprises:
and after a preset time, updating the first private key according to the obtained first part of private key components in the private key regenerated by the server side to obtain the updated first private key.
5. A method for data signature is applied to a server side, and the method comprises the following steps:
acquiring an encrypted signature value sent by a client; the obtaining of the encrypted signature value sent by the client comprises: the client signs the signature information according to the obtained first private key to obtain an intermediate signature value, and generates a first data protection key based on the hardware information of the client and the number of times of using the current first private key, so that the intermediate signature value is encrypted by using the first data protection key to obtain an encrypted signature value; the first private key is obtained by dividing a private key into a first part of two private key components after the private key is generated by a server side;
generating a second data protection key based on the acquired hardware information of the client and the use times of a current second private key, wherein the second private key is generated by a server and then is divided into a second part of two private key components; the using times of the first private key are the same as the using times of the second private key;
decrypting the encrypted signature value by using the second data protection key to obtain an intermediate signature value;
and signing the intermediate signature value by using the second private key to obtain a final signature value, and sending the final signature value to the client after the final signature value is verified by using a public key.
6. The method of claim 5, wherein after sending the final signature value to the client after the final signature value verification passes, the method further comprises:
and updating the use times of the second private key.
7. The method of claim 6, wherein if the final signature value fails to verify, the method further comprises:
and sending feedback information to the client, so that the client generates prompt information according to the feedback information, wherein the prompt information is used for indicating that the client has the condition that the first private key is leaked.
8. The method of any of claims 5-7, wherein after sending the final signature value to the client, the method further comprises:
and after a preset time, updating the second private key according to the obtained second part of private key components in the private key regenerated by the server side to obtain the updated second private key.
9. An apparatus for data signing, the apparatus being provided at a client, the apparatus comprising:
the first signature module is used for signing the signature information according to the obtained first private key to obtain an intermediate signature value, wherein the first private key is generated by the server and then is divided into a first part of two private key components;
the first generation module is used for generating a first data protection key based on the hardware information of the client and the current using times of the first private key;
the encryption module is used for encrypting the intermediate signature value by using the first data protection key to obtain an encrypted signature value;
the first sending module is used for sending the encrypted signature value to the server, so that the server signs the intermediate signature value by using a second private key after decrypting the encrypted signature value to obtain a final signature value; wherein, the server uses a second private key to sign the intermediate signature value after decrypting the encrypted signature value to obtain a final signature value, and the method comprises the following steps: the server generates a second data protection key according to the hardware information of the client and the using times of the second private key, decrypts the encrypted signature value by using the second data protection key to obtain an intermediate signature value, and signs the intermediate signature value by using the second private key to obtain a final signature value; the second private key is generated by the server side, and then is divided into a second part of two private key components; the using times of the first private key are the same as the using times of the second private key;
and the first obtaining module is used for obtaining the final signature value sent by the server after the final signature value is verified by using a public key.
10. The apparatus of claim 9, wherein the apparatus further comprises a first updating module, and the first updating module is configured to update the number of times of using the first private key after the obtaining of the final signature value sent by the server after the final signature value is verified.
11. The apparatus of claim 9, wherein the first obtaining module is further configured to, before the obtaining of the final signature value sent by the server after the final signature value is verified, obtain feedback information sent by the server if the server fails to verify the final signature value; and generating prompt information according to the feedback information, wherein the prompt information is used for indicating that the first private key is leaked.
12. The apparatus of claim 10, wherein the first updating module is further configured to, after the obtaining of the final signature value sent by the server after the final signature value verification is passed and a predetermined time is satisfied, update the first private key according to a first part of obtained private key components in a private key regenerated by the server, so as to obtain an updated first private key.
13. An apparatus for data signing, the apparatus being provided at a server, the apparatus comprising:
the second obtaining module is used for obtaining the encrypted signature value sent by the client; the obtaining of the encrypted signature value sent by the client comprises: the client signs the signature information according to the obtained first private key to obtain an intermediate signature value, and generates a first data protection key based on the hardware information of the client and the number of times of using the current first private key, so that the intermediate signature value is encrypted by using the first data protection key to obtain an encrypted signature value; the first private key is obtained by dividing a private key into a first part of two private key components after the private key is generated by a server side;
the second generation module is used for generating a second data protection key based on the acquired hardware information of the client and the use times of a current second private key, wherein the second private key is generated by the server and then is divided into a second part of two private key components; the using times of the first private key are the same as the using times of the second private key;
the decryption module is used for decrypting the encrypted signature value by using the second data protection key to obtain an intermediate signature value;
and the second signature module is used for signing the intermediate signature value by using the second private key to obtain a final signature value, and sending the final signature value to the client after the final signature value is verified by using a public key.
14. The apparatus of claim 13, wherein the apparatus further comprises a second update module to update the number of uses of the second private key after the final signature value is sent to the client after the final signature value is verified.
15. The apparatus of claim 13, further comprising a feedback module, configured to send feedback information to the client after the verification of the final signature value fails, so that the client generates hint information according to the feedback information, where the hint information is used to indicate that the client has the first private key leaked.
16. The apparatus of claim 14, wherein the second updating module is further configured to update the second private key according to a second part of the obtained private key components of the private key regenerated by the server after the final signature value is sent to the client and a predetermined time is satisfied, so as to obtain an updated second private key.
17. An electronic device, comprising:
a processor;
a computer storage medium for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of data signing as claimed in any one of claims 1-4 and/or 5-8.
18. A computer-readable storage medium having computer-executable instructions stored thereon, the computer-executable instructions configured to perform the method of data signing as in any one of claims 1-4 and/or 5-8.
CN202010471620.9A 2020-05-29 2020-05-29 Data signature method and device, electronic equipment and storage medium Active CN111628863B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010471620.9A CN111628863B (en) 2020-05-29 2020-05-29 Data signature method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010471620.9A CN111628863B (en) 2020-05-29 2020-05-29 Data signature method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111628863A CN111628863A (en) 2020-09-04
CN111628863B true CN111628863B (en) 2021-02-09

Family

ID=72260807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010471620.9A Active CN111628863B (en) 2020-05-29 2020-05-29 Data signature method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111628863B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948896A (en) * 2021-01-28 2021-06-11 深圳市迅雷网文化有限公司 Signature information verification method and information signature method
CN112966287B (en) * 2021-03-30 2022-12-13 中国建设银行股份有限公司 Method, system, device and computer readable medium for acquiring user data
CN117827884B (en) * 2023-12-31 2024-09-17 北京海泰方圆科技股份有限公司 Batch data query method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243456A (en) * 2014-08-29 2014-12-24 中国科学院信息工程研究所 Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN105577368A (en) * 2016-01-14 2016-05-11 西安电子科技大学 Two-way privacy protective system and method for inquiring medical diagnostic service
CN106878016A (en) * 2017-04-27 2017-06-20 上海木爷机器人技术有限公司 Data is activation, method of reseptance and device
WO2019034951A1 (en) * 2017-08-15 2019-02-21 nChain Holdings Limited Threshold digital signature method and system
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201709367D0 (en) * 2017-06-13 2017-07-26 Nchain Holdings Ltd Computer-implemented system and method
CN107370599B (en) * 2017-08-07 2020-07-10 收付宝科技有限公司 Management method, device and system for remotely destroying private key
CN110650010B (en) * 2019-09-24 2022-04-29 支付宝(杭州)信息技术有限公司 Method, device and equipment for generating and using private key in asymmetric key

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243456A (en) * 2014-08-29 2014-12-24 中国科学院信息工程研究所 Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN105577368A (en) * 2016-01-14 2016-05-11 西安电子科技大学 Two-way privacy protective system and method for inquiring medical diagnostic service
CN106878016A (en) * 2017-04-27 2017-06-20 上海木爷机器人技术有限公司 Data is activation, method of reseptance and device
WO2019034951A1 (en) * 2017-08-15 2019-02-21 nChain Holdings Limited Threshold digital signature method and system
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature

Also Published As

Publication number Publication date
CN111628863A (en) 2020-09-04

Similar Documents

Publication Publication Date Title
CN111080295B (en) Electronic contract processing method and device based on blockchain
CN107770159B (en) Vehicle accident data recording method and related device and readable storage medium
CN110264200B (en) Block chain data processing method and device
CN109067528B (en) Password operation method, work key creation method, password service platform and equipment
CN110570196B (en) Transaction data processing method, device, terminal equipment and storage medium
CN111628863B (en) Data signature method and device, electronic equipment and storage medium
CN109347625B (en) Password operation method, work key creation method, password service platform and equipment
CN111107066A (en) Sensitive data transmission method and system, electronic equipment and storage medium
CN112491843B (en) Database multiple authentication method, system, terminal and storage medium
CN110661748B (en) Log encryption method, log decryption method and log encryption device
CN108471403B (en) Account migration method and device, terminal equipment and storage medium
CN113055380B (en) Message processing method and device, electronic equipment and medium
CN111131416A (en) Business service providing method and device, storage medium and electronic device
CN111404892B (en) Data supervision method and device and server
CN115296794A (en) Key management method and device based on block chain
CN113868713B (en) Data verification method and device, electronic equipment and storage medium
CN109818965B (en) Personal identity verification device and method
CN110602051B (en) Information processing method based on consensus protocol and related device
CN117294484A (en) Method, apparatus, device, medium and product for data interaction
CN112052432A (en) Terminal device authorization method and device
CN116881936A (en) Trusted computing method and related equipment
CN111949996A (en) Generation method, encryption method, system, device and medium of security private key
CN114584347A (en) Verification short message receiving and sending method, server, terminal and storage medium
CN114036546A (en) Identity verification method and device based on mobile phone number, computer equipment and medium
CN112865981A (en) Token obtaining and verifying method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant