Digital certificate revocation method and equipment

A digital certificate revocation method and device, applied in the field of network security, addresses the problems of slow digital certificate revocation and the network security risks this causes, making the revocation process more direct and faster while ensuring the security of user information.

Inactive Publication Date: 2012-05-09
HUAWEI TECH CO LTD
Cites: 2 | Cited by: 10

AI-Extracted Technical Summary

Problems solved by technology

The existing revocation process is that the user calls or sends an e-mail to the administrator of the certificate authority (CA), and the administrator manually revokes the user's digital certificate; when the administrator of the c...

Method used

The digital certificate revocation request message is digitally encrypted to prevent it from being tampered with or spied on while it is being sent; at the same time...

Abstract

The invention discloses a digital certificate revocation method. The method comprises the following steps: a client obtains a digital certificate revocation command; constructs a digital certificate revocation request message according to the digital certificate revocation command; digitally encrypts the digital certificate revocation request message and sets an identity identifier on the encrypted message; and sends the encrypted digital certificate revocation request message with the identity identifier to a certificate server, so as to request the certificate server to revoke the digital certificate. In this method, once the digital certificate revocation command input by a user is received, the digital certificate revocation request message is constructed and sent to the certificate server to carry out the revocation, so that the revocation process is more direct and faster, which ensures that digital certificate revocation is timely and improves the security of user information.

Application Domain

Technology Topic

Revocation, Client-side, +4

Image

  • Digital certificate revocation method and equipment

Examples

  • Experimental program(6)

Example Embodiment

[0044] Example 1
[0045] The processing flow of the digital certificate revocation method provided by the embodiment of the present invention is shown in Figure 1. Applied to a terminal entity in a PKI system, the method includes:
[0046] Step S101: Obtain a digital certificate revocation instruction.
[0047] In this embodiment, the digital certificate revocation instruction may be one sent by the user when the user needs to revoke his digital certificate because of a change in user identity, user information or user public key, leakage of the user private key, or suspension of the user's service; it may also be a digital certificate revocation instruction generated automatically after a network device acting as the terminal entity detects that it is under attack.
[0048] Step S102: Construct a digital certificate revocation request message according to the digital certificate revocation instruction.
[0049] On receiving the digital certificate revocation instruction input by the user, the terminal entity constructs a digital certificate revocation request message according to the instruction; the specific construction process provided by the embodiment of the present invention is shown in Figure 2 and includes:
[0050] Step S201: Parse the data information of the digital certificate to be revoked contained in the digital certificate revocation instruction;
[0051] Step S202: Construct a digital certificate revocation request message according to the data information.
[0052] The constructed digital certificate revocation request message includes the following information: an interaction ID, the digital certificate revocation reason, the name of the issuer of the digital certificate to be revoked, the certificate serial number of the digital certificate to be revoked, and the physical address of the digital certificate to be revoked in the certificate server. The interaction ID identifies the revocation interaction process of the digital certificate.
[0053] Step S103: digitally encrypt the digital certificate revocation request message and set an identity identifier for the digitally encrypted digital certificate revocation request message;
[0054] The digital certificate revocation request message is digitally encrypted to prevent it from being tampered with or spied on while it is being sent; at the same time, the identity identifier set on the message prevents the certificate revocation request from being spoofed or forged and allows the requester's identity to be effectively audited.
[0055] Step S104: Send the digital certificate revocation request message that has been digitally encrypted and set with an identity identifier to the certificate server, so as to request the certificate server to revoke the digital certificate.
[0056] The digital certificate revocation method provided by the embodiment of the present invention can be applied to a variety of digital certificate revocation protocols; the following describes, as an example, its application to the SCEP protocol.
[0057] The SCEP protocol, namely the Simple Certificate Enrollment Protocol, is a simple certificate management protocol for certificate enrollment, certificate acquisition, certificate enrollment status query and CRL acquisition. This protocol does not support certificate revocation. The SCEP protocol defines two SCEP objects: the SCEP client and the SCEP server. The SCEP server role is usually taken by the certificate authority CA; the SCEP client role is taken by the terminal entity.
[0058] Based on the SCEP protocol, the digital certificate revocation method provided by the embodiment of the present invention is used to revoke a digital certificate that needs to be revoked. When a user needs to revoke a digital certificate, a digital certificate revocation instruction is sent to the SCEP client, so that the SCEP client constructs a digital certificate revocation request message according to that instruction.
[0059] In the embodiment of the present invention, a new SCEP message type is added on the basis of the SCEP protocol: CertRevokeReq (message code value 28), the digital certificate revocation request message, which complies with the SCEP Secure Message Objects format description.
[0060] In order to prevent the constructed digital certificate revocation request message from being spied on by an attacker, the SCEP client encrypts the message and encapsulates it in the form of a digital envelope.
[0061] The function of a digital envelope is similar to that of an ordinary envelope: the digital envelope uses cryptographic techniques to ensure that only the designated recipient can read the contents of the message.
[0062] The digital envelope uses both a symmetric encryption algorithm and an asymmetric encryption algorithm. The sender first encrypts the information with a randomly generated or pre-configured symmetric key, and then encrypts that symmetric key with the receiver's public key. The symmetric key encrypted with the public key is called the digital envelope:
[0063] Encrypted Data = EncryptedWithSymmetricalKey(Data).
[0064] Digital Envelope = EncryptedWithRecipientPublicKey(Symmetrical_Key).
[0065] When the receiver wants to decrypt the information, it must first decrypt the digital envelope with its own private key to obtain the symmetric key, and then use the symmetric key to decrypt the received information; this ensures the authenticity of the data transmission and that it cannot be snooped on.
[0066] In the embodiment of the present invention, on the basis of the SCEP protocol, the digital certificate revocation request message is encrypted and encapsulated in the form of a digital envelope, specifically:
[0067] The SCEP client encrypts the digital certificate revocation request message with a randomly generated symmetric key, and then encrypts the randomly generated symmetric key with the public key of the digital certificate in the SCEP server to generate a digital envelope. The digital envelope is attached to the digital certificate revocation request message.
[0068] In order to prevent the digital certificate revocation request message from being forged or tampered with by an attacker, the SCEP client performs a digital signature operation on the digital certificate revocation request message that has undergone the digital envelope operation.
[0069] A digital fingerprint is a fixed-length digital sequence obtained by running the data through a hash algorithm: Finger Print = HASH(Data).
[0070] A digital signature is the data obtained when the user encrypts the digital fingerprint of the original data with his own private key. That is, the user first computes the digital fingerprint of the original data with the hash algorithm, and then encrypts that fingerprint with the private key to produce the digital signature: Digital Signature = Encrypted(HASH(Data)).
[0071] The SCEP client first computes the digital fingerprint of the digital certificate revocation request message, and then encrypts that digital fingerprint with its own private key to produce a digital signature. The digital signature is appended to the digital certificate revocation request message.
[0072] The digital certificate revocation request message that has been digitally enveloped and digitally signed is sent to the SCEP server to revoke the digital certificate that needs to be revoked.
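As an added example (not code from the patent or from Huawei), the envelope-then-sign construction of paragraphs [0060] to [0072] in Go, end to end: the client encrypts the request under a fresh symmetric key, wraps that key with the server's public key, signs the enveloped message, and the server checks the signature before unwrapping anything. The page names the operations but no concrete algorithms, field encoding or sizes, so AES-GCM, RSA-OAEP, RSA-PSS with SHA-256, 2048-bit keys, the JSON field names and the sample request values are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// RevokeRequest carries the fields the embodiment lists for a revocation
// request message; the JSON encoding is an assumption of this example.
type RevokeRequest struct {
	InteractionID string `json:"interaction_id"`
	Reason        string `json:"reason"`
	IssuerName    string `json:"issuer"`
	SerialNumber  string `json:"serial"`
	Address       string `json:"address"` // location of the certificate in the server
}

// SealedRequest is what goes on the wire: the request under a fresh AES-GCM key, that
// key wrapped with the server's RSA public key (the digital envelope), and the signature.
type SealedRequest struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// signedBytes is the data the fingerprint covers (fixed-length parts, so concatenation is unambiguous).
func (s *SealedRequest) signedBytes() []byte {
	b := append([]byte{}, s.Nonce...)
	b = append(b, s.WrappedKey...)
	return append(b, s.Ciphertext...)
}

func newKeyPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for a certificate's key pair (assumed 2048-bit)
	return k
}

// Seal is the SCEP client side: envelope the message first, then sign it.
func Seal(req RevokeRequest, serverPub *rsa.PublicKey, clientPriv *rsa.PrivateKey) (*SealedRequest, error) {
	plain, _ := json.Marshal(req) // cannot fail for a struct of strings
	buf := make([]byte, 44)       // 32-byte random symmetric key + 12-byte GCM nonce
	_, err := rand.Read(buf)
	if err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // only fails on a bad key length, fixed above
	gcm, _ := cipher.NewGCM(block) // only fails for a non-128-bit block cipher
	s := &SealedRequest{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	// Digital Envelope = EncryptedWithRecipientPublicKey(Symmetrical_Key)
	if s.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil); err != nil {
		return nil, err
	}
	// Digital Signature = Encrypted(HASH(Data)), taken over the enveloped message
	digest := sha256.Sum256(s.signedBytes())
	if s.Signature, err = rsa.SignPSS(rand.Reader, clientPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, err
	}
	return s, nil
}

// Open is the SCEP server side: check the signature before touching the envelope, then unwrap and decrypt.
func Open(s *SealedRequest, serverPriv *rsa.PrivateKey, clientPub *rsa.PublicKey) (*RevokeRequest, error) {
	digest := sha256.Sum256(s.signedBytes())
	if rsa.VerifyPSS(clientPub, crypto.SHA256, digest[:], s.Signature, nil) != nil {
		return nil, fmt.Errorf("signature invalid: request forged or tampered with")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	var req RevokeRequest
	err = json.Unmarshal(plain, &req)
	return &req, err
}

func main() {
	clientKey, serverKey := newKeyPair(), newKeyPair() // terminal entity and SCEP server
	req := RevokeRequest{InteractionID: "tx-0001", Reason: "keyCompromise", // constructed placeholders
		IssuerName: "CN=Example CA", SerialNumber: "1A2B3C", Address: "/certs/1A2B3C"}
	s, _ := Seal(req, &serverKey.PublicKey, clientKey)
	got, err := Open(s, serverKey, &clientKey.PublicKey)
	fmt.Println(got, err)
	s.Ciphertext[0] ^= 0xff // one byte altered in transit
	_, err = Open(s, serverKey, &clientKey.PublicKey)
	fmt.Println("after tampering:", err)
}
```

The signature is checked first and covers the nonce, the wrapped key and the ciphertext together, so a forged or modified message is rejected before the server spends a private-key operation on it; this is the ordering the embodiment implies when it signs the message "that has undergone the digital envelope operation".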

Example Embodiment

[0073] Embodiment 2
[0074] On the basis of the method shown in Figure 1, after the digital certificate revocation request message is sent to the certificate server, the process optionally further includes waiting for the certificate server to respond to the message, as shown in Figure 3, which includes steps S101-S107, wherein:
[0075] Steps S101 to S104 are the same as in the first embodiment and are not repeated here.
[0076] Step S105: wait to receive the digital certificate revocation response message returned by the server in the certificate authority, and start timing from the moment the digital certificate revocation request message is sent to the certificate server;
[0077] After the digital certificate revocation request message is sent to the certificate server, timing starts from the moment of sending and records the time elapsed between sending the request message and receiving the digital certificate revocation response message returned by the certificate server.
[0078] Step S106: determine whether the preset time has been exceeded; when the preset time has been exceeded and the digital certificate revocation response message from the certificate server has not been received, perform step S107;
[0079] Step S107: resend the digital certificate revocation request message to the certificate server, then return to step S105, until the digital certificate revocation response message from the certificate server is received;
[0080] A fixed period of time is preset; timing starts when the digital certificate revocation request message is sent to the certificate server, and when the elapsed time exceeds the fixed period without the digital certificate revocation response message from the certificate server having been received, the digital certificate revocation request message is resent to the certificate server, so as to ensure that the digital certificate is revoked in time.
[0081] On the basis of the method shown in Figure 3, the present invention optionally also counts the number of times the digital certificate revocation request message is resent to the certificate server, as shown in Figure 4, including:
[0082] Step S108: record the number of times the digital certificate revocation request message is resent to the certificate server;
[0083] Step S109: when the number of resends exceeds the preset number of sends, stop sending the digital certificate revocation request message and prompt that the digital certificate revocation has failed;
[0084] When the digital certificate revocation request message is sent to the certificate server to revoke the digital certificate, it may be intercepted on the way to the certificate server, it may fail to reach the certificate server because of a network interruption, or it may reach the certificate server normally but not be processed correctly because of a failure of the certificate server. By sending the message multiple times, the digital certificate can still be revoked in time once the network is restored and the certificate server resumes work.
[0085] When a serious network failure occurs, an unrecoverable failure occurs on the certificate server, or the constructed digital certificate revocation request message itself has defects that prevent the certificate server from recognizing it, the digital certificate cannot be revoked in time by sending the digital certificate revocation request message multiple times. Therefore, in this embodiment of the present invention, the number of resends of the digital certificate revocation request message to the certificate server is preset; when it is exceeded, the digital certificate revocation is reported as failed, so that the cause of the failure can be checked in time and the revocation of the digital certificate that needs to be revoked can be completed in a short time.
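As an added example (not code from the patent or from Huawei), the timer-and-counter loop of steps S105 to S109 in Go: a timer is created when the request is sent and stopped when the wait ends, the request is resent on expiry, and the loop gives up and reports failure once the resend count exceeds a preset limit. The `Transport` interface, the `fakeServer` that answers only from a given attempt onwards, the message bytes and the timeouts are all constructed for this example; the page fixes neither the transport nor the preset values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Transport abstracts the path between the terminal entity and the certificate server.
type Transport interface {
	Send(msg []byte) error      // deliver a revocation request message
	Responses() <-chan struct{} // one value per revocation response message received
}

// RevokeResult reports how the revocation exchange ended.
type RevokeResult struct {
	Acknowledged bool // a revocation response message was received (step S105)
	Resends      int  // final value of the counter from step S108
}

// awaitResponse is the timer of steps S105/S106: created when the request is
// sent, stopped as soon as the wait ends, expired if the preset time passes.
func awaitResponse(tr Transport, timeout time.Duration) bool {
	timer := time.NewTimer(timeout)
	defer timer.Stop()
	select {
	case <-tr.Responses():
		return true
	case <-timer.C:
		return false
	}
}

// RevokeWithRetry implements steps S105 to S109: send, wait for the preset
// time, resend on expiry, and give up once the resend count exceeds maxResends.
func RevokeWithRetry(tr Transport, msg []byte, timeout time.Duration, maxResends int) RevokeResult {
	resends := 0
	for {
		// A send error (network interruption) is treated like a lost message:
		// the timer still runs and the message is resent when it expires.
		_ = tr.Send(msg)
		if awaitResponse(tr, timeout) {
			return RevokeResult{Acknowledged: true, Resends: resends}
		}
		if resends >= maxResends {
			return RevokeResult{Acknowledged: false, Resends: resends} // report failure (S109)
		}
		resends++
	}
}

// fakeServer is a constructed stand-in for the certificate server: it answers
// only from the given attempt onwards (0 = never answers).
type fakeServer struct {
	respondOnAttempt int
	Attempts         int
	resp             chan struct{}
}

func newFakeServer(respondOnAttempt int) *fakeServer {
	return &fakeServer{respondOnAttempt: respondOnAttempt, resp: make(chan struct{}, 1)}
}

func (s *fakeServer) Send(msg []byte) error {
	s.Attempts++
	if s.respondOnAttempt == 0 || s.Attempts < s.respondOnAttempt {
		return errors.New("no route to certificate server") // constructed failure
	}
	s.resp <- struct{}{}
	return nil
}

func (s *fakeServer) Responses() <-chan struct{} { return s.resp }

func main() {
	msg := []byte("constructed revocation request")
	flaky := newFakeServer(3) // answers on the third attempt
	r := RevokeWithRetry(flaky, msg, 50*time.Millisecond, 5)
	fmt.Printf("%+v after %d attempts\n", r, flaky.Attempts)
	dead := newFakeServer(0) // never answers
	r = RevokeWithRetry(dead, msg, 50*time.Millisecond, 3)
	fmt.Printf("%+v after %d attempts\n", r, dead.Attempts)
}
```

With a resend limit of N the loop sends at most N+1 times; the first case above succeeds after two resends, the second exhausts three resends and returns with `Acknowledged` false, which is the point at which the embodiment prompts the revocation failure so the cause can be investigated.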

Example Embodiment

[0086] Embodiment 3
[0087] The embodiment of the present invention provides a digital certificate revocation device corresponding to the digital certificate revocation method shown in the first embodiment; its structural diagram is shown in Figure 5 and includes:
[0088] an acquisition unit 301, a processor 302, an encoder 303 and a transmitter 304;
[0089] wherein:
[0090] The acquisition unit 301 is configured to obtain a digital certificate revocation instruction;
[0091] The processor 302 is configured to construct a digital certificate revocation request message according to the digital certificate revocation instruction;
[0092] The encoder 303 is configured to digitally encrypt the digital certificate revocation request message and set an identity identifier for the digitally encrypted digital certificate revocation request message;
[0093] The transmitter 304 is configured to send the digitally encrypted digital certificate revocation request message set with the identity identifier to the certificate server, so as to request the certificate server to revoke the digital certificate.
[0094] On the basis of the digital certificate revocation device shown in Figure 5, another schematic structural diagram of the device provided by the embodiment of the present invention is shown in Figure 6, in which the processor 302 includes:
[0095] a parsing unit 305 and a construction unit 306;
[0096] The parsing unit 305 is configured to parse the data information of the digital certificate to be revoked contained in the digital certificate revocation instruction;
[0097] The construction unit 306 is configured to construct a digital certificate revocation request message according to the data information; the digital certificate revocation request message includes the physical address of the digital certificate to be revoked in the certificate server.
[0098] Optionally, the digital certificate revocation device provided in this embodiment of the present invention further includes, as shown in Figure 7:
[0099] a response receiver 307 and a timer 308;
[0100] The response receiver 307 is configured to wait to receive the digital certificate revocation response message returned by the server in the certificate authority;
[0101] The timer 308 is configured to start timing when the digital certificate revocation request message is sent to the certificate server and, when a preset time has been exceeded without the response receiver 307 having received the digital certificate revocation response message from the certificate server, to send a control instruction to the transmitter 304 that causes it to resend the digital certificate revocation request message to the certificate server.
[0102] Optionally, the device also includes a counter 309;
[0103] The counter 309 is configured to record the number of times the transmitter 304 resends the digital certificate revocation request message to the certificate server and, when the recorded number of resends exceeds the preset number, to control the transmitter to stop sending the digital certificate revocation request message and to indicate that the digital certificate revocation has failed.
[0104] The digital certificate revocation device shown in the third embodiment of the present invention can be applied to the SCEP protocol, so that a digital certificate can be revoked on the basis of the SCEP protocol. In this embodiment of the present invention, the timer 308 is preferably a timing device: in a specific implementation, the timer 308 can be created and started immediately when the digital certificate revocation request message is sent to the certificate server, and destroyed when the server responds with a digital certificate revocation response message.



