Patent Summary 3164765

(12) Patent Application: (11) CA 3164765
(54) French Title: PROCEDE ET APPAREIL DE COMMUNICATION SECURISEE BASES SUR UNE AUTHENTIFICATION D'IDENTITE
(54) English Title: SECURE COMMUNICATION METHOD AND DEVICE BASED ON IDENTITY AUTHENTICATION
Status: Examination
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04L 09/32 (2006.01)
(72) Inventors:
  • MA, QINGLONG (China)
  • SUN, JIAN (China)
  • ZHANG, BINGKANG (China)
  • XIA, FAN (China)
  • DING, JIANWEN (China)
(73) Owners:
  • 10353744 CANADA LTD.
(71) Applicants:
  • 10353744 CANADA LTD. (Canada)
(74) Agent: HINTON, JAMES W.
(74) Associate agent:
(45) Issued:
(86) PCT Filing Date: 2020-08-28
(87) Open to Public Inspection: 2021-06-24
Examination requested: 2022-09-16
Licence available: N/A
Dedicated to the public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): Yes
(86) PCT Filing Number: PCT/CN2020/111938
(87) International Publication Number: CN2020111938
(85) National Entry: 2022-06-15

(30) Application Priority Data:
Application No. Country/Territory Date
201911292428.7 (China) 2019-12-16

Abstracts

French Abstract

The present invention relates to a secure communication method and apparatus based on identity authentication; by means of mandatory authentication of an electronic seal of both parties, the identity information of the two communicating parties can be verified flexibly and efficiently without requiring a digital certificate to be applied for from a CA (certificate authority), which guarantees the security of the communication data. The method comprises the following steps: a request node and a response node each produce a respective electronic seal; the request node and the response node mutually report fingerprint information contained in the electronic seal of the opposite party; the request node uses a random factor to encrypt plaintext data in order to generate ciphertext data, uses a public key of the electronic seal of the opposite party to encrypt the random factor in order to obtain a communication key, and then packages the ciphertext data, the communication key and the fingerprint information and sends the package to the response node; the response node compares the fingerprint information in the file package with the reported fingerprint information and, when the comparison succeeds, decrypts the encrypted private key of the electronic seal belonging to the response node, decrypts the communication key by means of the private key to restore the random factor, and then parses the ciphertext data to obtain the plaintext data.


English Abstract

Disclosed in the present invention are a method and an apparatus for secure communication based on identity authentication; by means of mandatory authentication of an electronic seal of both parties, the identity information of both communicating parties can be flexibly and efficiently verified without needing to apply for a digital certificate from a CA, ensuring the security of the communication data. The method comprises: a request node and a response node each make a respective electronic seal; the request node and the response node mutually report fingerprint information in the electronic seal of the opposite party; the request node uses a random factor to encrypt plaintext data to generate ciphertext data, uses a public key of the electronic seal of the opposite party to encrypt the random factor to obtain a communication key, and then packages the ciphertext data, the communication key, and the fingerprint information and sends same to the response node; the response node compares the fingerprint information in the file packet with the reported fingerprint information and, once the comparison is successful, decrypts the encrypted private key of the electronic seal belonging to the response node, decrypts the communication key by means of the private key to restore the random factor, and then parses the ciphertext data to obtain the plaintext data.

Claims

Note: Claims are shown in the official language in which they were submitted.


CLAIMS
What is claimed is:
1. A secure communication method based on identity authentication,
characterized in comprising:
respectively fabricating respective electronic seals by a request node and a
response node,
wherein the electronic seals each include a verification area consisting of a
signature algorithm,
signature information, an encryption algorithm, fingerprint information, a
digest algorithm, a
public key, and an encrypted private key;
mutually reporting the fingerprint information in the others' electronic seals
by the request node
and the response node, for mutually extracting the others' fingerprint
information for
comparison with the reported fingerprint information to verify identity after
the two parties
have exchanged their electronic seals;
using a random factor by the request node to encrypt plaintext data to
generate cyphertext data,
after the two nodes have passed identity verification, and using the public
key of the electronic
seal of the response node to encrypt the random factor to obtain a
communication secret key,
thereafter packaging to send the cyphertext data, the communication secret key
and the
fingerprint information in the electronic seal of the request node to the
response node; and
comparing, by the response node, the fingerprint information in a file package
with the reported
fingerprint information, decrypting the encrypted private key of the
electronic seal pertaining
to the response node after comparison has succeeded, decrypting the
communication secret
key in the file package via the private key to restore the random factor, and
hence using the
random factor to parse the cyphertext data to obtain the plaintext data.
2. The method according to Claim 1, characterized in that the step of
respectively fabricating
respective electronic seals by a request node and a response node includes:
designing partitions of each electronic seal, wherein the partitions include a
header area, a seal
information area and a tail area in addition to the verification area; and
correspondingly filling, by the request node and the response node on the
basis of partitioned
structures of the electronic seals, a start marker, an identification code and
a version number
in the respective header area, correspondingly filling a seal holder number, a
seal holder name,
an issuing authority number, an issuing authority name and a validation period
in the respective
seal information area, correspondingly filling description information and an
end marker in
the respective tail area, and correspondingly filling the signature algorithm,
the signature
information, the encryption algorithm, the fingerprint information, the digest
algorithm, the
public key and the encrypted private key in the verification area.
3. The method according to Claim 2, characterized in that generating the
public key and the
encrypted private key includes:
randomly generating a pair of public key and private key according to the
signature algorithm in
the electronic seal;
encrypting the pertinent private key on the basis of a seal password PIN
preset by the request
node to generate the encrypted private key of the electronic seal of the
request node; and
encrypting the pertinent private key on the basis of a seal password PIN
preset by the response
node to generate the encrypted private key of the electronic seal of the
response node.
4. The method according to Claim 3, characterized in that generating the
fingerprint information
includes:
joining character strings of the seal holder number and the seal holder name
in the electronic seal,
and using the corresponding seal password PIN to encrypt a character string
joining result to
form a cyphertext;
employing the digest algorithm to digest the cyphertext, and obtaining a
digest character string;
and
signing the digest character string through the private key to which the
signature algorithm
corresponds, and obtaining the fingerprint information of the electronic seal.
5. The method according to Claim 3, characterized in that generating the
signature information
includes:

defining a key field byte in the electronic seal, wherein the key field byte
is a feature byte of the
electronic seal;
digesting the key field byte through the digest algorithm, and obtaining a key
field character
string; and
signing the key field character string through the private key to which the
signature algorithm
corresponds, and forming the signature information of the electronic seal.
6. The method according to Claim 2, characterized in that the step of mutually
extracting the
others' fingerprint information for comparison with the reported fingerprint
information to verify
identity after the two parties have exchanged their electronic seals includes:
sending by the request node the pertinent electronic seal to the response
node, so as to enable the
response node to read the signature algorithm, the public key, the digest
algorithm and the
signature information of the electronic seal pertaining to the request node;
reading by the response node the key field byte in the electronic seal
pertaining to the request
node, digesting on the basis of the digest algorithm to obtain the digest
character string, and
using the public key of the signature algorithm to execute signature
verification on the key
field byte;
comparing, by the response node after signature verification has been passed,
the fingerprint
information of the electronic seal pertaining to the request node with the
fingerprint
information reported by the request node, and authorizing access of the
request node when a
comparison result exhibits consistency;
sending by the response node the pertinent electronic seal to the request
node, so as to enable the
request node to read the signature algorithm, the public key, the digest
algorithm and the
signature information of the electronic seal pertaining to the response node;
reading by the request node the key field byte in the electronic seal
pertaining to the response
node, digesting on the basis of the digest algorithm to obtain the digest
character string, and
using the public key of the signature algorithm to execute signature
verification on the key
field byte; and
comparing, by the request node after signature verification has been passed,
the fingerprint
information of the electronic seal pertaining to the response node with the
fingerprint
information reported by the response node, and authorizing access of the
response node when
a comparison result exhibits consistency.
7. The method according to Claim 6, characterized in that the step of using a
random factor by
the request node to encrypt plaintext data to generate cyphertext data, and
using the public key
of the electronic seal of the response node to encrypt the random factor to
obtain a communication
secret key, thereafter packaging to send the cyphertext data, the
communication secret key and
the fingerprint information in the electronic seal of the request node to the
response node includes:
generating the random factor by the request node, for encrypting the plaintext
data to obtain the
cyphertext data;
using, by the request node, the public key of the electronic seal pertaining
to the response node
to encrypt the random factor, and generating the communication secret key; and
packaging to send, by the request node, the communication secret key, the
cyphertext data and
the fingerprint information of the pertinent electronic seal to the response
node.
8. The method according to Claim 7, characterized in that the step of
comparing, by the response
node, the fingerprint information in a file package with the reported
fingerprint information,
decrypting the encrypted private key of the electronic seal pertaining to the
response node after
comparison has succeeded, decrypting the communication secret key in the file
package via the
private key to restore the random factor, and hence using the random factor to
parse the
cyphertext data to obtain the plaintext data includes:
reading by the response node the fingerprint information in the file package,
and comparing the
same with the fingerprint information reported by the request node;
reading, by the response node after the comparison has been passed, the
encryption algorithm,
the signature algorithm, the encrypted private key and the preset seal
password PIN of the
pertinent electronic seal, and decrypting the private key of the electronic
seal pertaining to the
response node; and
parsing the communication secret key via the private key to restore the random
factor, and finally
using the random factor to parse the cyphertext data to obtain the plaintext
data.
9. A secure communication device based on identity authentication,
characterized in comprising:
a seal fabricating unit, for respectively fabricating respective electronic
seals by a request node
and a response node, wherein the electronic seals each include a verification
area consisting
of a signature algorithm, signature information, an encryption algorithm,
fingerprint
information, a digest algorithm, a public key, and an encrypted private key;
a fingerprint registering unit, for mutually reporting the fingerprint
information in the others'
electronic seals by the request node and the response node, for mutually
extracting the others'
fingerprint information for comparison with the reported fingerprint
information to verify
identity after the two parties have exchanged their electronic seals;
a file encrypting unit, for storing the compressed logistics box code message
in a storage system,
and completing archiving of the original logistics box code message; and
a file decrypting unit, for comparing, by the response node, the fingerprint
information in a file
package with the reported fingerprint information, decrypting the encrypted
private key of the
electronic seal pertaining to the response node after comparison has
succeeded, decrypting the
communication secret key in the file package via the private key to restore
the random factor,
and hence using the random factor to parse the cyphertext data to obtain the
plaintext data.
10. A computer-readable storage medium, storing a computer program thereon,
characterized in
that the computer program executes steps of the method according to any of
Claims 1 to 8 when
it is run by a processor.

Description

Note: Descriptions are shown in the official language in which they were submitted.


CA 03164765 2022-06-15
SECURE COMMUNICATION METHOD AND DEVICE BASED ON IDENTITY
AUTHENTICATION
BACKGROUND OF THE INVENTION
Technical Field
[0001] The present invention relates to the field of communication security
technology, and more
particularly to a secure communication method and a secure communication
device based
on identity authentication.
Description of Related Art
[0002] To ensure communication security, the two nodes performing data communication in a business system must be given a security configuration so that each can recognize and verify the identity of the other. Traditional security schemes mostly employ the mechanism of digital certificate + TLS (Transport Layer Security) to satisfy the requirements on identity recognition and secure communication. With respect to identity recognition, the prior art employs a scheme in which identity information (such as an identity number) of the initiating party is added to the message, and the receiving party, on receiving the identity information, verifies the other party's identity legitimacy by querying a database; with respect to security, the prior art employs a scheme in which encryption/decryption algorithms, signature algorithms and secret keys agreed upon in advance are exchanged and stored, to support signature verification requirements such as encryption, decryption and signing during message transmission.
[0003] In addition, when the mechanism of digital certificate + TLS is employed, digital certificates must be applied for from the certificate authority (CA, the certificate issuing authority); this is a great inconvenience when secure data communication is needed for a quickly constructed application scenario, and the approach lacks flexibility of application. Moreover, the TLS communication protocol requires multistep negotiation before ciphertext transmission is organized, which is unduly complicated for general application scenarios and limits its applicability, while exchanging such important information as the encryption/decryption algorithms, signature algorithms and secret keys, and permanently storing it in the other party's system, causes certain administrative risks.
Date Recue/Date Received 2022-06-15
SUMMARY OF THE INVENTION
[0004] The present invention aims to provide a secure communication method and a secure communication device based on identity authentication. By mandatory authentication of the electronic seals of the two parties, the identity information of the two communicating parties can be verified flexibly and efficiently without applying for any digital certificate from the certificate authority, so that the security of communication data is ensured.
[0005] In order to achieve the above objective, according to one aspect of the
present invention,
there is provided a secure communication method based on identity
authentication, and
the method comprises:
[0006] respectively fabricating respective electronic seals by a request node
and a response node,
wherein the electronic seals each include a verification area consisting of a
signature
algorithm, signature information, an encryption algorithm, fingerprint
information, a
digest algorithm, a public key, and an encrypted private key;
[0007] mutually reporting the fingerprint information in the others'
electronic seals by the request
node and the response node, for mutually extracting the others' fingerprint
information
for comparison with the reported fingerprint information to verify identity
after the two
parties have exchanged their electronic seals;
[0008] using a random factor by the request node to encrypt plaintext data to
generate cyphertext
data, after the two nodes have passed identity verification, and using the
public key of the
electronic seal of the response node to encrypt the random factor to obtain a
communication secret key, thereafter packaging to send the cyphertext data,
the
communication secret key and the fingerprint information in the electronic
seal of the
request node to the response node; and
[0009] comparing, by the response node, the fingerprint information in a file
package with the
reported fingerprint information, decrypting the encrypted private key of the
electronic
seal pertaining to the response node after comparison has succeeded,
decrypting the
communication secret key in the file package via the private key to restore
the random
factor, and hence using the random factor to parse the cyphertext data to
obtain the
plaintext data.
[0010] Preferably, the step of respectively fabricating respective electronic
seals by a request
node and a response node includes:
[0011] designing partitions of each electronic seal, wherein the partitions
include a header area,
a seal information area and a tail area in addition to the verification area;
and
[0012] correspondingly filling, by the request node and the response node on
the basis of
partitioned structures of the electronic seals, a start marker, an
identification code and a
version number in the respective header area, correspondingly filling a seal
holder
number, a seal holder name, an issuing authority number, an issuing authority
name and
a validation period in the respective seal information area, correspondingly
filling
description information and an end marker in the respective tail area, and
correspondingly
filling the signature algorithm, the signature information, the encryption
algorithm, the
fingerprint information, the digest algorithm, the public key and the
encrypted private
key in the verification area.
[0013] Preferably, generating the public key and the encrypted private key
includes:
[0014] randomly generating a pair of public key and private key according to
the signature
algorithm in the electronic seal;
[0015] encrypting the pertinent private key on the basis of a seal password
PIN preset by the
request node to generate the encrypted private key of the electronic seal of
the request
node; and
[0016] encrypting the pertinent private key on the basis of a seal password
PIN preset by the
response node to generate the encrypted private key of the electronic seal of
the response
node.
[0017] Optionally, generating the fingerprint information includes:
[0018] joining character strings of the seal holder number and the seal holder
name in the
electronic seal, and using the corresponding seal password PIN to encrypt a
character
string joining result to form a cyphertext;
[0019] employing the digest algorithm to digest the cyphertext, and obtaining
a digest character
string; and
[0020] signing the digest character string through the private key to which
the signature
algorithm corresponds, and obtaining the fingerprint information of the
electronic seal.
[0021] Optionally, generating the signature information includes:
[0022] defining a key field byte in the electronic seal, wherein the key field
byte is a feature byte
of the electronic seal;
[0023] digesting the key field byte through the digest algorithm, and
obtaining a key field
character string; and
[0024] signing the key field character string through the private key to which
the signature
algorithm corresponds, and forming the signature information of the electronic
seal.
[0025] Preferably, the step of mutually extracting the others' fingerprint
information for
comparison with the reported fingerprint information to verify identity after
the two
parties have exchanged their electronic seals includes:
[0026] sending by the request node the pertinent electronic seal to the
response node, so as to
enable the response node to read the signature algorithm, the public key, the
digest
algorithm and the signature information of the electronic seal pertaining to
the request
node;
[0027] reading by the response node the key field byte in the electronic seal
pertaining to the
request node, digesting on the basis of the digest algorithm to obtain the
digest character
string, and using the public key of the signature algorithm to execute
signature
verification on the key field byte;
[0028] comparing, by the response node after signature verification has been
passed, the
fingerprint information of the electronic seal pertaining to the request node
with the
fingerprint information reported by the request node, and authorizing access
of the request
node when a comparison result exhibits consistency;
[0029] sending by the response node the pertinent electronic seal to the
request node, so as to
enable the request node to read the signature algorithm, the public key, the
digest
algorithm and the signature information of the electronic seal pertaining to
the response
node;
[0030] reading by the request node the key field byte in the electronic seal
pertaining to the
response node, digesting on the basis of the digest algorithm to obtain the
digest character
string, and using the public key of the signature algorithm to execute
signature
verification on the key field byte; and
[0031] comparing, by the request node after signature verification has been
passed, the
fingerprint information of the electronic seal pertaining to the response node
with the
fingerprint information reported by the response node, and authorizing access
of the
response node when a comparison result exhibits consistency.
[0032] Preferably, the step of using a random factor by the request node to
encrypt plaintext data
to generate cyphertext data, and using the public key of the electronic seal
of the response
node to encrypt the random factor to obtain a communication secret key,
thereafter
packaging to send the cyphertext data, the communication secret key and the
fingerprint
information in the electronic seal of the request node to the response node
includes:
[0033] generating the random factor by the request node, for encrypting the
plaintext data to
obtain the cyphertext data;
[0034] using, by the request node, the public key of the electronic seal
pertaining to the response
node to encrypt the random factor, and generating the communication secret
key; and
[0035] packaging to send, by the request node, the communication secret key,
the cyphertext data
and the fingerprint information of the pertinent electronic seal to the
response node.
[0036] Further, the step of comparing, by the response node, the fingerprint
information in a file
package with the reported fingerprint information, decrypting the encrypted
private key
of the electronic seal pertaining to the response node after comparison has
succeeded,
decrypting the communication secret key in the file package via the private
key to restore
the random factor, and hence using the random factor to parse the cyphertext
data to
obtain the plaintext data includes:
[0037] reading by the response node the fingerprint information in the file
package, and
comparing the same with the fingerprint information reported by the request
node;
[0038] reading, by the response node after the comparison has been passed, the
encryption
algorithm, the signature algorithm, the encrypted private key and the preset
seal password
PIN of the pertinent electronic seal, and decrypting the private key of the
electronic seal
pertaining to the response node; and
[0039] parsing the communication secret key via the private key to restore the
random factor,
and finally using the random factor to parse the cyphertext data to obtain the
plaintext
data.
[0040] In comparison with prior-art technology, the secure communication
method based on
identity authentication provided by the present invention achieves the
following
advantageous effects.
[0041] In the secure communication method based on identity authentication provided by the present invention, the request node and the response node each fabricate their own electronic seal in advance. Each electronic seal includes a verification area consisting of a signature algorithm, signature information, an encryption algorithm, fingerprint information, a digest algorithm, a public key, and an encrypted private key. After the electronic seals have been fabricated, the request node and the response node mutually report the fingerprint information in each other's electronic seals for identity verification during the process of exchanging the electronic seals, and secure data communication can proceed only when the two nodes have passed identity verification. The specific process is as follows: the request node uses a random factor to encrypt plaintext data to generate cyphertext data, then uses the public key of the electronic seal of the response node to encrypt the random factor to obtain a communication secret key, and then packages and sends to the response node the cyphertext data, the communication secret key and the fingerprint information for recognizing the identity of the request node. After receiving the file package, the response node reads the fingerprint information contained in it and compares it with the fingerprint information reported by the request node, and authorizes the request node to access the response node only after the comparison has passed. The response node then invokes its own encrypted private key, decrypts it, uses the resulting plaintext private key to decrypt the communication secret key and thereby restore the random factor, and finally uses the random factor to parse the cyphertext data to obtain the plaintext data, so as to complete cyphertext transmission from the request node to the response node.
[0042] In summary, as compared with prior-art schemes, in the present invention the electronic seals are fabricated by the two parties themselves through negotiation between them, so there is no longer any need to apply for a digital certificate from the certificate authority (CA), and flexibility of application is enhanced. Through the forced exchange and authentication policy of the electronic seals, it can be guaranteed that the communication cyphertext would not be stolen by any third party, whereby security of communication between the two parties is enhanced. In addition, the process of negotiating secret keys between the two parties before data transmission is dispensed with, thereby increasing convenience of application.
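
The request-to-response flow summarized in paragraphs [0041] and [0042], as an added example that is not part of the patent text or any implementation by the applicant. The page names no concrete algorithms, so RSA-2048 with OAEP and PKCS#1 v1.5 signatures, SHA-256, AES-256-GCM and scrypt are assumptions, as are all function and field names, the salt field, the binding of the fingerprint as associated data, and the constructed demo values.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Assumed algorithms (the page names none): RSA-2048, SHA-256, AES-256-GCM, scrypt.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const NO_AAD = Buffer.alloc(0);

// AES-256-GCM; output is nonce(12) || tag(16) || ciphertext. aad is authenticated only.
function gcmSeal(key, plaintext, aad = NO_AAD) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function gcmOpen(key, blob, aad = NO_AAD) {
  if (blob.length < 28) throw new Error('truncated ciphertext');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws if forged
}

// Seal fabrication: key pair, PIN-encrypted private key, fingerprint.
// Only the verification-area fields this flow needs are kept; salt is an addition.
function newSeal(holderNumber, holderName, pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const pinKey = crypto.scryptSync(pin, salt, 32); // PIN stretched into an AES key
  // Fingerprint = sign(digest(encrypt_PIN(holder number + holder name))).
  const sealed = gcmSeal(pinKey, Buffer.from(holderNumber + holderName));
  const digest = crypto.createHash('sha256').update(sealed).digest();
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    encryptedPrivateKey: gcmSeal(pinKey, privateKey.export({ type: 'pkcs8', format: 'der' })),
    salt,
    fingerprint: crypto.sign('sha256', digest, privateKey),
  };
}

// Request node: encrypt under a fresh random factor, wrap the factor with the
// response node's public key, and package both with the sender's fingerprint.
function send(plaintext, ownSeal, peerPublicKey) {
  const factor = crypto.randomBytes(32);
  return {
    // Addition: the fingerprint is bound to the ciphertext as associated data.
    ciphertext: gcmSeal(factor, Buffer.from(plaintext), ownSeal.fingerprint),
    commKey: crypto.publicEncrypt({ key: peerPublicKey, ...OAEP }, factor),
    fingerprint: ownSeal.fingerprint,
  };
}

// Response node: reported-fingerprint check first, then PIN unlock, unwrap, decrypt.
function receive(pkg, reportedFingerprint, ownSeal, pin) {
  if (pkg.fingerprint.length !== reportedFingerprint.length ||
      !crypto.timingSafeEqual(pkg.fingerprint, reportedFingerprint)) {
    throw new Error('fingerprint does not match the reported one');
  }
  let privateKey;
  try {
    const pinKey = crypto.scryptSync(pin, ownSeal.salt, 32);
    const der = gcmOpen(pinKey, ownSeal.encryptedPrivateKey);
    privateKey = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  } catch {
    throw new Error('wrong PIN or damaged seal');
  }
  const factor = crypto.privateDecrypt({ key: privateKey, ...OAEP }, pkg.commKey);
  return gcmOpen(factor, pkg.ciphertext, pkg.fingerprint).toString();
}

// Constructed demo values; returns the plaintext recovered by the response node.
function demo() {
  const request = newSeal('REQ-001', 'request node', '246810');
  const response = newSeal('RESP-001', 'response node', '135790');
  const reported = Buffer.from(request.fingerprint); // registered before any message
  const pkg = send('shipment 42 released', request, response.publicKey);
  return receive(pkg, reported, response, '135790');
}

console.log(demo());
```

A package from an unregistered sender is rejected before the PIN is ever used, and a modified ciphertext or fingerprint fails the GCM tag check instead of yielding altered plaintext.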
[0043] According to another aspect of the present invention, there is provided a secure communication device based on identity authentication. The device applies the secure communication method based on identity authentication mentioned in the foregoing technical solution, and comprises:
[0044] a seal fabricating unit, for respectively fabricating respective
electronic seals by a request
node and a response node, wherein the electronic seals each include a
verification area
consisting of a signature algorithm, signature information, an encryption
algorithm,
fingerprint information, a digest algorithm, a public key, and an encrypted
private key;
[0045] a fingerprint registering unit, for mutually reporting the fingerprint
information in the
others' electronic seals by the request node and the response node, for
mutually extracting
the others' fingerprint information for comparison with the reported
fingerprint
information to verify identity after the two parties have exchanged their
electronic seals;
[0046] a file encrypting unit, for storing the compressed logistics box code
message in a storage
system, and completing archiving of the original logistics box code message;
and
[0047] a file decrypting unit, for comparing, by the response node, the
fingerprint information in
a file package with the reported fingerprint information, decrypting the
encrypted private
key of the electronic seal pertaining to the response node after comparison
has succeeded,
decrypting the communication secret key in the file package via the private
key to restore
the random factor, and hence using the random factor to parse the cyphertext
data to
obtain the plaintext data.
[0048] In comparison with prior-art technology, the advantageous effects
achieved by the secure
communication device based on identity authentication provided by the present
invention
are identical with the advantageous effects achievable by the secure
communication
method based on identity authentication as provided by the foregoing technical
solution,
so no repetition is redundantly made in this context.
[0049] According to the third aspect of the present invention, there is provided a computer-readable storage medium storing thereon a computer program that executes steps of the aforementioned secure communication method based on identity authentication when it is run by a processor.
[0050] In comparison with prior-art technology, the advantageous effects
achieved by the
computer-readable storage medium provided by the present invention are
identical with
the advantageous effects achievable by the secure communication method based
on
identity authentication as provided by the foregoing technical solution, so no
repetition is
redundantly made in this context.
BRIEF DESCRIPTION OF THE DRAWINGS
[0051] The drawings described here are provided for further understanding of the present invention and constitute a part of the present invention. The schematic embodiments of the present invention and the descriptions thereof are meant to explain the present invention, rather than to unduly restrict it. In the drawings,
[0052] Fig. 1 is a flowchart schematically illustrating the secure
communication method based
on identity authentication in Embodiment 1;
[0053] Fig. 2 is a flowchart schematically illustrating interaction of the
secure communication
method based on identity authentication in Embodiment 1; and
[0054] Fig. 3 is a view exemplarily illustrating the structure of an
electronic seal in Embodiment
1.
DETAILED DESCRIPTION OF THE INVENTION
[0055] In order to make the aforementioned objectives, features and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and comprehensively below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the embodiments described are merely some, rather than all, of the embodiments of the present invention. All other embodiments obtainable by persons ordinarily skilled in the art on the basis of the embodiments in the present invention without creative effort shall fall within the protection scope of the present invention.
[0056] Embodiment 1
[0057] Please refer to Figs. 1 to 3, this embodiment provides a secure
communication method
based on identity authentication, and the method comprises:
[0058] respectively fabricating respective electronic seals by a request node
and a response node,
wherein the electronic seals each include a verification area consisting of a
signature
algorithm, signature information, an encryption algorithm, fingerprint
information, a
digest algorithm, a public key, and an encrypted private key; mutually
reporting the
fingerprint information in the others' electronic seals by the request node
and the response
node, for mutually extracting the others' fingerprint information for
comparison with the
reported fingerprint information to verify identity after the two parties have
exchanged
their electronic seals; using a random factor by the request node to encrypt
plaintext data
to generate cyphertext data, after the two nodes have passed identity
verification, and
using the public key of the electronic seal of the response node to encrypt
the random
factor to obtain a communication secret key, thereafter packaging to send the
cyphertext
data, the communication secret key and the fingerprint information in the
electronic seal
of the request node to the response node; and comparing, by the response node,
the
fingerprint information in a file package with the reported fingerprint
information,
decrypting the encrypted private key of the electronic seal pertaining to the
response node
after comparison has succeeded, decrypting the communication secret key in the
file
package via the private key to restore the random factor, and hence using the
random
factor to parse the cyphertext data to obtain the plaintext data.
[0059] In the secure communication method based on identity authentication provided by the present invention, the request node and the response node each fabricate their own electronic seal in advance. Each electronic seal includes a verification area consisting of a signature algorithm, signature information, an encryption algorithm, fingerprint information, a digest algorithm, a public key, and an encrypted private key. After the electronic seals have been fabricated, the request node and the response node mutually report the fingerprint information in each other's electronic seals for identity verification during the process of exchanging the electronic seals, and secure data communication can proceed only when the two nodes have passed identity verification. The specific process is as follows: the request node uses a random factor to encrypt plaintext data to generate cyphertext data, then uses the public key of the electronic seal of the response node to encrypt the random factor to obtain a communication secret key, and then packages and sends the cyphertext data, the communication secret key and the fingerprint information identifying the request node to the response node. After receiving the file package, the response node reads the fingerprint information contained therein and compares it with the fingerprint information reported by the request node, and authorizes the request node to access the response node only after the comparison has passed. The response node then invokes its encrypted private key, decrypts it to obtain the plaintext private key, uses the plaintext private key to decrypt the communication secret key and thereby restore the random factor, and finally uses the random factor to parse the cyphertext data to obtain the plaintext data, completing cyphertext transmission from the request node to the response node.
[0060] In summary, as compared with prior-art schemes, in the present invention the electronic seals are fabricated by the two parties themselves through negotiation, so there is no longer any need to apply for a digital certificate from a certificate authority (CA), and flexibility of application is enhanced. Through the forced exchange and authentication policy of the electronic seals, it can be guaranteed that the communication cyphertext would not be stolen by any third party, whereby security of communication between the two parties is enhanced. In addition, the process of negotiating secret keys between the two parties before data transmission is dispensed with, thereby increasing convenience of application.
[0061] Please refer to Fig. 3, the step of respectively fabricating respective
electronic seals by a
request node and a response node includes:
[0062] designing partitions of each electronic seal, wherein the partitions
include a header area,
a seal information area and a tail area in addition to the verification area;
and
correspondingly filling, by the request node and the response node on the
basis of
partitioned structures of the electronic seals, a start marker, an
identification code and a
version number in the respective header area, correspondingly filling a seal
holder
number, a seal holder name, an issuing authority number, an issuing authority
name and
a validation period in the respective seal information area, correspondingly
filling
description information and an end marker in the respective tail area, and
correspondingly
filling the signature algorithm, the signature information, the encryption
algorithm, the
fingerprint information, the digest algorithm, the public key and the
encrypted private
key in the verification area.
[0063] As shown in Fig. 3, in the header area, the start marker has two bytes,
the identification
code has three bytes, and the version number has one byte; in the verification
area, the
signature algorithm has eight bytes, the signature information has thirty-two
bytes, the
encryption algorithm has eight bytes, the fingerprint information has thirty-
two bytes, the
digest algorithm has eight bytes, the public key has thirty-two bytes, and the
encrypted
private key has thirty-two bytes; in the seal information area, the seal
holder number has
thirty-two bytes, the seal holder name has thirty-two bytes, the issuing
authority number
has thirty-two bytes, the issuing authority name has thirty-two bytes, and the
validation
period information has sixteen bytes; in the tail area, the description
information has
sixty-two bytes, and the end marker has two bytes. Understandably, the
signature
algorithm is an asymmetric algorithm for signing information or performing
signature
verification on information, such as RSA, SM1, the encryption algorithm is a
symmetric
algorithm for encrypting or decrypting information, such as AES, SM2, and the
digest
algorithm is an algorithm for digesting information, such as MD5, SM3.
[0064] In addition, in this embodiment the encrypted private key is placed in
the electronic seal
for storage, whereby it is made possible to properly store and administer the
private key,
and reduce the administrative risk brought about by the permanent disposal of
the private
key in the other's system for storage.
[0065] The step of generating the public key and the encrypted private key in
this embodiment
includes: randomly generating a pair of public key and private key according
to the
signature algorithm in the electronic seal; encrypting the pertinent private
key on the basis
of a seal password PIN preset by the request node to generate the encrypted
private key
of the electronic seal of the request node; and encrypting the pertinent
private key on the
basis of a seal password PIN preset by the response node to generate the
encrypted private
key of the electronic seal of the response node.
[0066] During specific implementation, suppose the electronic seal of the request node is A, with corresponding signature algorithm SA, and the electronic seal of the response node is B, with corresponding signature algorithm SB. The request node generates public key SA.PublicKey and private key SA.PrivateKey according to signature algorithm SA, and the response node generates public key SB.PublicKey and private key SB.PrivateKey according to signature algorithm SB. Public key SA.PublicKey is then filled in the public key area of electronic seal A, and public key SB.PublicKey in the public key area of electronic seal B. Private key SA.PrivateKey and private key SB.PrivateKey are then immediately encrypted: the seal password PIN preset by the request node is used to encrypt private key SA.PrivateKey to obtain the encrypted private key of electronic seal A, and the seal password PIN preset by the response node is used to encrypt private key SB.PrivateKey to obtain the encrypted private key of electronic seal B. The process can be expressed as: private key = EA.Encrypt (SA.PrivateKey, PIN). SA.PrivateKey is then filled in the private key area of electronic seal A, and SB.PrivateKey is correspondingly filled in the private key area of electronic seal B, thus completing the filling of the verification areas of electronic seal A and electronic seal B.
[0067] Further, the step of generating the fingerprint information in this
embodiment includes:
joining character strings of the seal holder number and the seal holder name
in the
electronic seal, and using the corresponding seal password PIN to encrypt a
character
string joining result to form a cyphertext; employing the digest algorithm to
digest the
cyphertext, and obtaining a digest character string; and signing the digest
character string
through the private key to which the signature algorithm corresponds, and
obtaining the
fingerprint information of the electronic seal.
[0068] During specific implementation, taking the generation of the fingerprint information in electronic seal A as an example, the process can be expressed as: fingerprint information = SA.Sign (DA (EA(ID+Name, PIN)), SA.PrivateKey), where ID represents the seal holder number, Name represents the seal holder name, EA represents the encryption algorithm, and DA represents the digest algorithm. The fingerprint information is the result obtained after the key field information in the electronic seal has been signed. The expression can be read as follows: the character strings of the seal holder number and the seal holder name in the electronic seal are joined; the seal password PIN is used as the secret key of the encryption algorithm (symmetric algorithm) to encrypt the joined string into a cyphertext; the cyphertext is digested through the digest algorithm to obtain a digest character string; and finally the digest character string is signed with the private key of the signature algorithm (asymmetric algorithm) to form the fingerprint information. The fingerprint information in electronic seal B is generated in the same way as in electronic seal A, so the description is not repeated here. Exemplarily, the seal holder number can be an ID card number, a unified identification number of social credit, or an organization number.
[0069] Further, the step of generating the signature information in this
embodiment includes:
defining a key field byte in the electronic seal, wherein the key field byte
is a feature byte
of the electronic seal; digesting the key field byte through the digest
algorithm, and
obtaining a key field character string; and signing the key field character
string through
the private key to which the signature algorithm corresponds, and forming the
signature
information of the electronic seal.
[0070] During specific implementation, taking the generation of the signature information in electronic seal A as an example, the process can be expressed as: signature information = SA.Sign (DA (content), SA.PrivateKey), where content represents the key field bytes, namely, as shown in Fig. 3, all the fields from the "encryption algorithm" area to the "end marker" area in the electronic seal (the content following the first forty-six bytes of the electronic seal). The key field bytes are digested through the digest algorithm to obtain a key field character string, which is then signed with the private key to which the signature algorithm corresponds to form the signature information of electronic seal A. The signature information in electronic seal B is generated in the same way as in electronic seal A, so the description is not repeated here.
[0071] Till now, the signature and seal constructing phase is complete,
electronic seal A and
electronic seal B are generated to be usable for identity recognition and
secure data
communication, and a signature and seal verifying phase subsequently ensues.
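The byte layout of [0063] and the signed range of [0070] can be checked mechanically. The following is an added example, not code from the patent or the applicant: it parses a seal, digests the key field bytes and applies the receiver-side signature and fingerprint checks the method describes. The back-to-back field order, the NUL-padded ASCII algorithm names, the SHA256 entry, all sample values and the HMAC stand-in for SA.Sign / SA.Verify are assumptions made here.

```python
import hashlib
import hmac

# (field, size in bytes) in the order paragraph [0063] lists them.
# Assumption: fields are packed back to back in this order, no padding.
LAYOUT = [
    ("start_marker", 2), ("identification_code", 3), ("version_number", 1),
    ("signature_algorithm", 8), ("signature_information", 32),
    ("encryption_algorithm", 8), ("fingerprint_information", 32),
    ("digest_algorithm", 8), ("public_key", 32), ("encrypted_private_key", 32),
    ("seal_holder_number", 32), ("seal_holder_name", 32),
    ("issuing_authority_number", 32), ("issuing_authority_name", 32),
    ("validation_period", 16),
    ("description_information", 62), ("end_marker", 2),
]
SEAL_SIZE = sum(size for _, size in LAYOUT)  # 366 bytes in total
KEY_FIELD_OFFSET = 46  # [0070]: "content" is everything after the first 46 bytes

# Assumption: the digest-algorithm field holds a NUL-padded ASCII name.
# MD5 is named on the page; SHA256 is added here for the sample seal.
DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}


def offset_of(field):
    """Byte offset of a named field inside the seal."""
    pos = 0
    for name, size in LAYOUT:
        if name == field:
            return pos
        pos += size
    raise KeyError(field)


def parse_seal(raw):
    """Split a raw seal into its named fields, rejecting wrong lengths."""
    if len(raw) != SEAL_SIZE:
        raise ValueError(f"seal must be {SEAL_SIZE} bytes, got {len(raw)}")
    fields, pos = {}, 0
    for name, size in LAYOUT:
        fields[name] = raw[pos:pos + size]
        pos += size
    return fields


def key_field_digest(raw):
    """DA(content): digest of 'encryption algorithm' through 'end marker'."""
    name = parse_seal(raw)["digest_algorithm"].rstrip(b"\x00").decode("ascii")
    if name not in DIGESTS:
        raise ValueError(f"unsupported digest algorithm {name!r}")
    return DIGESTS[name](raw[KEY_FIELD_OFFSET:]).digest()


def check_seal(raw, registered_fingerprint, verify):
    """Receiver-side checks: signature first, then registered fingerprint."""
    fields = parse_seal(raw)
    if not verify(key_field_digest(raw), fields["public_key"],
                  fields["signature_information"]):
        return "signature verification failed"
    if not hmac.compare_digest(fields["fingerprint_information"],
                               registered_fingerprint):
        return "fingerprint mismatch"
    return "ok"


# --- constructed sample data, not taken from the patent ---
DEMO_KEY = b"constructed-demo-key"
SAMPLE_FINGERPRINT = hashlib.sha256(b"constructed fingerprint").digest()


def demo_sign(digest):
    # Stand-in for SA.Sign: a keyed MAC that fits the 32-byte field.
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).digest()


def demo_verify(digest, public_key, signature):
    # Stand-in for SA.Verify; a real seal would verify with public_key.
    return hmac.compare_digest(demo_sign(digest), signature)


def build_sample_seal():
    """Assemble a constructed 366-byte seal and sign its key field bytes."""
    values = {
        "start_marker": b"\xa5\x5a",
        "identification_code": b"SEA",
        "version_number": b"\x01",
        "signature_algorithm": b"DEMO-MAC",
        "encryption_algorithm": b"AES",
        "fingerprint_information": SAMPLE_FINGERPRINT,
        "digest_algorithm": b"SHA256",
        "public_key": bytes(range(32)),
        "seal_holder_number": b"HOLDER-0001",
        "seal_holder_name": b"Example Holder",
        "end_marker": b"\x5a\xa5",
    }
    raw = b"".join(values.get(n, b"").ljust(s, b"\x00") for n, s in LAYOUT)
    at = offset_of("signature_information")
    return raw[:at] + demo_sign(key_field_digest(raw)) + raw[at + 32:]
```

Because the signed content starts at byte 46, the header fields and the signature-algorithm field are outside the digest, so a receiver that relies on them has to validate them separately.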
[0072] Specifically, the step of mutually extracting the others' fingerprint
information for
comparison with the reported fingerprint information to verify identity after
the two
parties have exchanged their electronic seals in this embodiment includes:
[0073] sending by the request node the pertinent electronic seal to the
response node, so as to
enable the response node to read the signature algorithm, the public key, the
digest
algorithm and the signature information of the electronic seal pertaining to
the request
node; reading by the response node the key field byte in the electronic seal
pertaining to
the request node, digesting on the basis of the digest algorithm to obtain the
digest
character string, and using the public key of the signature algorithm to
execute signature
verification on the key field byte; comparing, by the response node after
signature
verification has been passed, the fingerprint information of the electronic
seal pertaining
to the request node with the fingerprint information reported by the request
node, and
authorizing access of the request node when a comparison result exhibits
consistency;
sending by the response node the pertinent electronic seal to the request
node, so as to
enable the request node to read the signature algorithm, the public key, the
digest
algorithm and the signature information of the electronic seal pertaining to
the response
node; reading by the request node the key field byte in the electronic seal
pertaining to
the response node, digesting on the basis of the digest algorithm to obtain
the digest
character string, and using the public key of the signature algorithm to
execute signature
verification on the key field byte; and comparing, by the request node after
signature
verification has been passed, the fingerprint information of the electronic
seal pertaining
to the response node with the fingerprint information reported by the response
node, and
authorizing access of the response node when a comparison result exhibits
consistency.
[0074] Referring to Fig. 3, the foregoing embodiment can be understood as a process in which the two nodes exchange electronic seals and verify identities. The request node first sends electronic seal A to the response node. Upon reception of electronic seal A, the response node performs a signature verification operation on it, then reads the fingerprint information in electronic seal A and compares it with the fingerprint information of electronic seal A reported in the response node. Electronic seal A is considered legitimate in identity when the comparison result shows consistency, and at this time the request node is authorized to access the response node. After the response node has completed verification of the identity of the request node, the request node should continue to verify the identity of the response node: the response node sends electronic seal B to the request node; upon reception of electronic seal B, the request node performs a signature verification operation on it, then reads the fingerprint information in electronic seal B and compares it with the fingerprint information of electronic seal B reported in the request node. Electronic seal B is considered legitimate in identity when the comparison result shows consistency, and at this time the response node is authorized to access the request node.
[0075] Taking as an example the signature verification operation that the response node performs on electronic seal A, the process can be expressed as: signature verification = SA.Verify (DA (content), SA.PublicKey, SI), where SI represents the signature information in electronic seal A. The expression can be read as performing a signature verification operation with the public key of the signature algorithm (asymmetric algorithm) and the signature information (SI) of the signature and seal file structure of electronic seal A. If the signature verification succeeds, the signature and seal file has not been tampered with; if it does not succeed, the signature and seal file has been tampered with.
[0076] Taking as an example the verification by the response node of the identity legitimacy of electronic seal A, the process can be expressed as: identity = If (Equal (A.DS.fingerprint information, register electronic seal A.fingerprint information)). The expression can be read as extracting the fingerprint information from the signature and seal file of electronic seal A, comparing it with the fingerprint information reported in the response node, and authorizing access of the request node when the comparison result shows consistency.
[0077] In addition, the signature verification operation and the identity
legitimacy verification
operation of the request node on electronic seal B are identical with the
aforementioned
signature verification operation and identity legitimacy verification
operation of the
response node on electronic seal A, and this embodiment makes no redundant
description
thereto.
[0078] Till now, the signature and seal verifying phase of the two parties is
complete, and the
encrypted/decrypted communication phase of the two parties ensues
subsequently.
[0079] The step of using a random factor by the request node to encrypt
plaintext data to generate
cyphertext data, and using the public key of the electronic seal of the
response node to
encrypt the random factor to obtain a communication secret key, thereafter
packaging to
send the cyphertext data, the communication secret key and the fingerprint
information
in the electronic seal of the request node to the response node in this
embodiment includes:
[0080] generating the random factor by the request node, for encrypting the
plaintext data to
obtain the cyphertext data; using, by the request node, the public key of the
electronic
seal pertaining to the response node to encrypt the random factor, and
generating the
communication secret key; and packaging to send, by the request node, the
communication secret key, the cyphertext data and the fingerprint information
of the
pertinent electronic seal to the response node.
[0081] During specific implementation, the encryption of the plaintext data by the request node to obtain the cyphertext data can be expressed as: cyphertext data = B.EA (A.plainText, Key), where plainText is the plaintext data and Key is a randomly generated encryption factor; Key can be selected from a fixed character string, or can be a random number generated during each encryption. The expression can be read as using the encryption factor Key as the secret key of the encryption algorithm (symmetric algorithm), and using the encryption algorithm (symmetric algorithm) required by the signature and seal of the other party to encrypt the plaintext data (plainText) to generate the cyphertext data. The encryption of the random factor by the request node to generate the communication secret key can be expressed as: communication secret key = B.SA.Encrypt (Key, B.SA.PublicKey), which can be read as encrypting the encryption factor (Key) generated at the current party with the public key of the signature algorithm (asymmetric algorithm) required by the signature and seal of the other party to form the communication secret key.
[0082] Moreover, the step of comparing, by the response node, the fingerprint
information in a
file package with the reported fingerprint information, decrypting the
encrypted private
key of the electronic seal pertaining to the response node after comparison
has succeeded,
decrypting the communication secret key in the file package via the private
key to restore
the random factor, and hence using the random factor to parse the cyphertext
data to
obtain the plaintext data in this embodiment includes:
[0083] reading by the response node the fingerprint information in the file
package, and
comparing the same with the fingerprint information reported by the request
node;
reading, by the response node after the comparison has been passed, the
encryption
algorithm, the signature algorithm, the encrypted private key and the preset
seal password
PIN of the pertinent electronic seal, and decrypting the private key of the
electronic seal
pertaining to the response node; and parsing the communication secret key via
the private
key to restore the random factor, and finally using the random factor to parse
the
cyphertext data to obtain the plaintext data.
[0084] During specific implementation, after having received the file package,
the response node
firstly reads the fingerprint information in the file package, compares the
same with the
fingerprint information reported by the request node, thus achieving
verification each
time to ensure security of data transmission, after the comparison has been
passed, the
response node reads the encrypted private key (SB.PrivateKey) in electronic
seal B.
[0085] To use the plaintext private key, the encrypted private key must first be decrypted. The decryption expression is: B.SA.PrivateKey = B.EA.Decrypt (B.SecureKey, PIN); that is, the encryption algorithm in the signature and seal is read first, PIN is used as the secret key of the encryption algorithm (symmetric algorithm) to decrypt the encrypted private key, and the decrypted plaintext is the plaintext private key.
[0086] To obtain the random factor, the communication secret key must then be decrypted. The decryption expression is: A.Key = B.SA.Decrypt (communication secret key, B.SA.PrivateKey); that is, the signature algorithm in the signature and seal is read first, the already decrypted plaintext private key of the signature algorithm (asymmetric algorithm) is used to decrypt the communication secret key in the file package, and the random factor (Key) of the request node is obtained after the decryption.
[0087] To obtain the plaintext data, the cyphertext data must then be decrypted. The decryption expression is: A.plainText = B.EA.Decrypt (cyphertext, A.Key); that is, the encryption algorithm in the signature and seal is read first, the already decrypted random factor is used as the secret key of the encryption algorithm (symmetric algorithm) to decrypt the cyphertext data, and the plaintext data is obtained after the decryption.
[0088] At this point, the response node has completed encrypted data communication with the request node. By the same token, the encrypted data communication of the request node with the response node is the inverse of the process in the foregoing embodiment. Referring to Fig. 2, when the response node sends the cyphertext data to the request node, the corresponding node is responsible for generating the encryption factor, and uses electronic seal A of the request node to generate the communication secret key and the cyphertext data; after having received the cyphertext data, the communication secret key and the fingerprint information of electronic seal B, the request node uses its own electronic seal A to decrypt and obtain the plaintext data.
[0089] As should be noted, a verification area of the electronic seal is
designed in this
embodiment, and the seal holder is enabled to reduce security defects of known
algorithms as far as possible and to enhance overall algorithm strength by
stipulating
symmetric and asymmetric encryption algorithms. At the same time, what this
embodiment provides is a secure communication scheme in the level of business
data
(rather than protocol), to realize autonomous control of data security of the
communicating two parties.
[0090] Embodiment 2
[0091] This embodiment provides a secure communication device based on
identity
authentication, and the device comprises:
[0092] a seal fabricating unit, for respectively fabricating respective
electronic seals by a request
node and a response node, wherein the electronic seals each include a
verification area
consisting of a signature algorithm, signature information, an encryption
algorithm,
fingerprint information, a digest algorithm, a public key, and an encrypted
private key;
[0093] a fingerprint registering unit, for mutually reporting the fingerprint
information in the
others' electronic seals by the request node and the response node, for
mutually extracting
the others' fingerprint information for comparison with the reported
fingerprint
information to verify identity after the two parties have exchanged their
electronic seals;
[0094] a file encrypting unit, for storing the compressed logistics box code
message in a storage
system, and completing archiving of the original logistics box code message;
and
[0095] a file decrypting unit, for comparing, by the response node, the
fingerprint information in
a file package with the reported fingerprint information, decrypting the
encrypted private
key of the electronic seal pertaining to the response node after comparison
has succeeded,
decrypting the communication secret key in the file package via the private
key to restore
the random factor, and hence using the random factor to parse the cyphertext
data to
obtain the plaintext data.
[0096] In comparison with prior-art technology, the advantageous effects
achieved by the secure
communication device based on identity authentication provided by this
embodiment are
identical with the advantageous effects achievable by the secure communication
method
based on identity authentication as provided by the foregoing embodiment, so
no
repetition is redundantly made in this context.
[0097] Embodiment 3
[0098] This embodiment provides a computer-readable storage medium storing
thereon a
computer program that executes steps of the aforementioned secure
communication
method based on identity authentication when it is run by a processor.
[0099] In comparison with prior-art technology, the advantageous effects
achieved by the
computer-readable storage medium provided by this embodiment are identical
with the
advantageous effects achievable by the secure communication method based on
identity
authentication as provided by the foregoing technical solution, so no
repetition is
redundantly made in this context.
[0100] As understandable by persons ordinarily skilled in the art, the entire
or partial steps that
realize the method of the present invention can be completed via a program
that instructs
relevant hardware, the program can be stored in a computer-readable storage
medium,
and subsumes the various steps of the method in the aforementioned embodiment
when
it is executed, and the storage medium can be ROM/RAM, a magnetic disk, an
optical
disk, a memory card, etc.
[0101] The above description is merely directed to specific modes of execution
of the present
invention, but the protection scope of the present invention is not restricted
thereby. Any
change or replacement easily conceivable to persons skilled in the art within
the technical
range disclosed by the present invention shall be covered by the protection
scope of the
present invention. Accordingly, the protection scope of the present invention
shall be
based on the protection scope as claimed in the Claims.
23
Date Recue/Date Received 2022-06-15

Administrative Status

2024-08-01: As part of the transition to Next Generation Patents (NGP), the Canadian Patents Database (CPD) now contains a more detailed Event History, which replicates the Event Log of our new back-office solution.

Please note that events starting with "Inactive:" refer to events that are no longer used in our new back-office solution.

For a clearer understanding of the status of the application or patent shown on this page, the Caution section and the descriptions of Patent, Event History, Maintenance Fee and Payment History should be consulted.

Event History

Description | Date
Amendment received - response to examiner's requisition | 2024-05-15
Amendment received - voluntary amendment | 2024-05-15
Examiner's report | 2024-01-15
Inactive: Report - No QC | 2024-01-12
Amendment received - voluntary amendment | 2023-10-30
Amendment received - response to examiner's requisition | 2023-10-30
Examiner's report | 2023-06-28
Inactive: Report - QC failed - Minor | 2023-06-20
Amendment received - voluntary amendment | 2023-05-17
Amendment received - voluntary amendment | 2023-05-17
Inactive: Advanced examination (SO) fee processed | 2023-05-17
Inactive: Advanced examination (SO) | 2023-05-17
Letter sent | 2023-02-07
Inactive: Correspondence - Prosecution | 2022-12-23
Inactive: First IPC assigned | 2022-12-02
Request for examination requirements - determined compliant | 2022-09-16
All requirements for examination - determined compliant | 2022-09-16
Request for examination received | 2022-09-16
Letter sent | 2022-07-15
Inactive: IPC assigned | 2022-07-14
Priority claim requirements - determined compliant | 2022-07-14
Request for priority received | 2022-07-14
Application received - PCT | 2022-07-14
National entry requirements - determined compliant | 2022-06-15
Application published (open to public inspection) | 2021-06-24

Abandonment History

There is no abandonment history.

Maintenance Fees

The last payment was received on 2023-12-15.

Note: If the full payment has not been received on or before the date indicated, a further fee may be required, which may be one of the following:

  • reinstatement fee;
  • late payment fee; or
  • additional fee to reverse deemed expiry.

Patent fees are adjusted on the 1st of January every year. The amounts above are the current amounts if received by December 31 of the current year.
Please refer to the CIPO patent fees web page to see all current fee amounts.

Fee History

Fee Type | Anniversary | Due Date | Date Paid
Basic national fee - standard | | 2022-06-15 | 2022-06-15
MF (application, 2nd anniv.) - standard | 02 | 2022-08-29 | 2022-08-29
Request for examination - standard | | 2024-08-28 | 2022-09-16
Advanced examination | | 2023-05-17 | 2023-05-17
MF (application, 3rd anniv.) - standard | 03 | 2023-08-28 | 2023-06-15
MF (application, 4th anniv.) - standard | 04 | 2024-08-28 | 2023-12-15
Owners on Record

The current and past owners on record are shown in alphabetical order.

Current Owners on Record
10353744 CANADA LTD.
Past Owners on Record
BINGKANG ZHANG
FAN XIA
JIAN SUN
JIANWEN DING
QINGLONG MA
Past owners that do not appear in the "Owners on Record" listing will appear in other documents on file.
Documents

Document Description | Date (yyyy-mm-dd) | Number of pages | Size of image (KB)
Description | 2024-05-14 | 23 | 1 491
Drawings | 2024-05-14 | 3 | 267
Claims | 2023-05-16 | 74 | 4 963
Claims | 2023-10-29 | 70 | 4 634
Representative drawing | 2022-12-01 | 1 | 60
Description | 2022-06-14 | 23 | 1 096
Claims | 2022-06-14 | 5 | 241
Drawings | 2022-06-14 | 3 | 228
Abstract | 2022-06-14 | 1 | 23
Examiner's requisition | 2024-01-14 | 6 | 282
Amendment / response to report | 2024-05-14 | 57 | 2 798
Courtesy - Letter confirming PCT national phase entry | 2022-07-14 | 1 | 591
Courtesy - Acknowledgement of request for examination | 2023-02-06 | 1 | 423
Advanced examination (SO) / Amendment / response to report | 2023-05-16 | 80 | 3 709
Courtesy - Request to advance examination - Compliant (SO) | 2023-06-06 | 1 | 187
Examiner's requisition | 2023-06-27 | 9 | 436
Amendment / response to report | 2023-10-29 | 156 | 8 231
National entry request | 2022-06-14 | 12 | 1 105
Amendment - Abstract | 2022-06-14 | 2 | 126
International search report | 2022-06-14 | 3 | 94
Request for examination | 2022-09-15 | 9 | 320
Prosecution correspondence | 2022-12-22 | 4 | 151