CN110222496A - The method for realizing seal lifecycle management based on electronic identity voucher - Google Patents
Tue Sep 10 2019
Technical field
The invention relates to the field of information security, and in particular to the intersection of seal anti-counterfeiting and information security; specifically, it is a method for realizing full life cycle management of seals based on electronic identity credentials.
Background technique
As the legal instrument that confirms the identity and intent of a legal person, the seal has always played an indispensable role in China's social and economic life. Ensuring that seals are genuine and valid is a necessary condition for legal persons to carry on their normal activities and realize their social purposes and value. In recent years, the making and selling of counterfeit seals and their use in all kinds of illegal and criminal activity have appeared frequently, with the sums involved often reaching hundreds of millions or even billions, causing huge economic losses and serious social harm; how to achieve effective seal anti-counterfeiting has become an important problem that urgently needs solving. Traditional seal anti-counterfeiting techniques fall into two main classes, anti-counterfeiting of the impression and anti-counterfeiting of the ink pad or ink, while newer techniques mainly embed a chip in the seal or fit a control device, combined with seal information registration. However, simple anti-counterfeiting measures such as seal information registration and embedded chips still cannot completely prevent seal forgery, and in particular there remains the risk of multiple counterfeit seals carrying identical information.
Contents of the invention
The purpose of the invention is to overcome the above shortcomings of the prior art and provide a method for realizing full life cycle management of seals based on electronic identity credentials that is efficient, secure and easy to operate.
To achieve the above purpose, the method of the invention for realizing full life cycle management of seals based on electronic identity credentials is as follows:
The main feature of the method is that it includes a step of producing and issuing the seal electronic identity credential, which specifically comprises the following steps:
(1-1) The seal-making client sends a seal-making request to the seal key service system; the seal key service system generates a seal electronic identity credential according to the seal electronic identity credential format and returns the seal electronic identity credential and related information to the seal-making client;
(1-2) The seal-making client writes the seal electronic identity credential into the seal security chip, and the seal key service system acknowledges and records a log entry.
Preferably, step (1-1) specifically comprises the following steps:
(1-1.1) The seal-making client sends a seal-making request to the seal key service system;
(1-1.2) The seal key service system takes its own system time as the seal-making time and generates the seal electronic identity credential according to the seal electronic identity credential format;
(1-1.3) The seal key service system returns the seal electronic identity credential and related information to the seal-making client.
Preferably, step (1-2) specifically comprises the following steps:
(1-2.1) The seal-making client writes the seal electronic identity credential into the seal security chip;
(1-2.2) The seal key service system receives the seal-making client's acknowledgement that seal production is complete and records a log entry.
Preferably, the method further includes a step of revoking the seal electronic identity credential, which specifically comprises the following steps:
(2-1) The seal-making client sends a revocation request to the seal key service system;
(2-2) The seal key service system adds the seal electronic identity credential to the system blacklist and simultaneously publishes the blacklist to the seal verification service system;
(2-3) The seal verification service system publishes the blacklist of seal key service system digital certificates.
Preferably, the blacklist includes the serial number, subject item and revocation time of the seal key service system digital certificate.
Preferably, the method further includes a step of online seal verification, which specifically comprises the following steps:
(3-1) The seal verification client reads the seal electronic identity credential and uses the public key of the seal key service system digital certificate to check whether the signature on the seal electronic identity credential is valid; if so, it sends an online verification request to the seal verification service system; otherwise, it returns a verification failure message and exits the step;
(3-2) The seal verification service system performs blacklist verification.
Preferably, step (3-2) specifically comprises the following steps:
(3-2.1) The seal verification service system performs blacklist verification of the seal key service system certificate according to the seal key service system certificate subject item and the unique code of the seal security chip, and judges whether verification succeeded; if so, it continues to step (3-2.2); otherwise, it returns a verification failure message and exits the step;
(3-2.2) It checks whether the seal electronic identity credential is already in the blacklist; if so, it returns a verification failure message and exits the step; otherwise, it returns a verification success message and the related information.
Preferably, the online verification request includes the seal key service system certificate subject item from the seal electronic identity credential, the unique code of the seal security chip and the seal ciphertext.
Preferably, the method further includes a step of the offline seal verification mechanism, which specifically comprises the following steps:
(4-1) The seal verification client uses the public key of the seal key service system digital certificate to check whether the signature on the seal electronic identity credential is valid; if so, it continues to step (4-2); otherwise, it returns a verification failure message and exits the step;
(4-2) The seal verification client checks whether the seal key service system digital certificate is already in the blacklist of seal key service system digital certificates; if so, it returns a verification failure message and exits the step; otherwise, it returns a verification success message and the related information.
Preferably, the seal electronic identity credential format includes seal information, seal security chip information, read/write device information, time information, the seal key service system digital certificate and a signature value.
Preferably, the seal information includes the seal code, the seal type code and the code of the unit using the seal.
By adopting the method of the invention for realizing full life cycle management of seals based on electronic identity credentials, in combination with seal anti-counterfeiting business requirements and according to a unified seal electronic identity credential format, the seal key service system reviews the seal information, seal security chip information, read/write device information and time information when a seal is produced and issued, issues an electronic identity credential for each seal that passes review and writes it into the seal security chip, and on this basis establishes mechanisms for issuing, verifying and revoking seal electronic identity credentials. The credential-based seal verification mechanism comprises an online verification mechanism and an offline verification mechanism, and implements blacklist verification of the seal key service system certificate, blacklist verification of the seal electronic identity credential and verification of the validity of the signature value in the seal electronic identity credential, thereby establishing a full life cycle management mechanism for seals based on electronic identity credentials that effectively improves the efficiency of online seal verification and reduces the security risks of offline seal verification and seal forgery.
Description of drawings
Fig. 1 is a schematic flow chart of the issuance and revocation of the seal electronic identity credential in the method of the invention for realizing full life cycle management of seals based on electronic identity credentials.
Fig. 2 is a schematic flow chart of online seal verification in the method of the invention for realizing full life cycle management of seals based on electronic identity credentials.
Fig. 3 is a schematic flow chart of the offline seal verification mechanism in the method of the invention for realizing full life cycle management of seals based on electronic identity credentials.
Detailed description
In order to describe the technical content of the invention more clearly, a further description is given below with reference to specific embodiments.
The method of the invention for realizing full life cycle management of seals based on electronic identity credentials comprises the following steps:
(1-1) The seal-making client sends a seal-making request to the seal key service system; the seal key service system generates a seal electronic identity credential according to the seal electronic identity credential format and returns the seal electronic identity credential and related information to the seal-making client;
(1-1.1) The seal-making client sends a seal-making request to the seal key service system;
(1-1.2) The seal key service system takes its own system time as the seal-making time and generates the seal electronic identity credential according to the seal electronic identity credential format;
(1-1.3) The seal key service system returns the seal electronic identity credential and related information to the seal-making client;
(1-2) The seal-making client writes the seal electronic identity credential into the seal security chip, and the seal key service system acknowledges and records a log entry;
(1-2.1) The seal-making client writes the seal electronic identity credential into the seal security chip;
(1-2.2) The seal key service system receives the seal-making client's acknowledgement that seal production is complete and records a log entry;
Preferably, the method further includes a step of revoking the seal electronic identity credential, which specifically comprises the following steps:
(2-1) The seal-making client sends a revocation request to the seal key service system;
(2-2) The seal key service system adds the seal electronic identity credential to the system blacklist and simultaneously publishes the blacklist to the seal verification service system;
(2-3) The seal verification service system publishes the blacklist of seal key service system digital certificates;
(3-1) The seal verification client reads the seal electronic identity credential and uses the public key of the seal key service system digital certificate to check whether the signature on the seal electronic identity credential is valid; if so, it sends an online verification request to the seal verification service system; otherwise, it returns a verification failure message and exits the step;
(3-2) The seal verification service system performs blacklist verification;
(3-2.1) The seal verification service system performs blacklist verification of the seal key service system certificate according to the seal key service system certificate subject item and the unique code of the seal security chip, and judges whether verification succeeded; if so, it continues to step (3-2.2); otherwise, it returns a verification failure message and exits the step;
(3-2.2) It checks whether the seal electronic identity credential is already in the blacklist; if so, it returns a verification failure message and exits the step; otherwise, it returns a verification success message and the related information;
(4-1) The seal verification client uses the public key of the seal key service system digital certificate to check whether the signature on the seal electronic identity credential is valid; if so, it continues to step (4-2); otherwise, it returns a verification failure message and exits the step;
(4-2) The seal verification client checks whether the seal key service system digital certificate is already in the blacklist of seal key service system digital certificates; if so, it returns a verification failure message and exits the step; otherwise, it returns a verification success message and the related information.
As a preferred embodiment of the invention, the blacklist includes the serial number, subject item and revocation time of the seal key service system digital certificate.
As a preferred embodiment of the invention, the online verification request includes the seal key service system certificate subject item from the seal electronic identity credential, the unique code of the seal security chip and the seal ciphertext.
As a preferred embodiment of the invention, the seal electronic identity credential format includes seal information, seal security chip information, read/write device information, time information, the seal key service system digital certificate and a signature value.
As a preferred embodiment of the invention, the seal information includes the seal code, the seal type code and the code of the unit using the seal.
In the specific embodiment of the invention, building on existing seal anti-counterfeiting technology, a unified seal electronic identity credential format is established; when a seal is produced and issued, the seal key service system reviews the seal information, the seal security chip, the read/write device and the seal-making time, issues an electronic identity credential for each seal that passes review and writes it into the seal security chip, and on this basis establishes mechanisms for issuing, verifying and revoking seal electronic identity credentials. The credential-based seal verification mechanism comprises an online verification mechanism and an offline verification mechanism, and implements blacklist verification of the seal key service system certificate, blacklist verification of the seal electronic identity credential and verification of the validity of the signature value in the seal electronic identity credential, thereby establishing a full life cycle management mechanism for seals based on electronic identity credentials that greatly strengthens seal anti-counterfeiting.
The method of the invention for managing the full life cycle of seals based on electronic identity credentials is constituted as follows:
The main feature of the method is that it comprises a seal electronic identity credential format, a mechanism for issuing and revoking seal electronic identity credentials, a credential-based online seal verification mechanism and a credential-based offline seal verification mechanism, wherein:
The seal electronic identity credential format is composed of seal information, seal security chip information, read/write device information, time information, the seal key service system digital certificate and so on, together with a signature value.
The seal information in the seal electronic identity credential format includes the seal code, the seal type code, the code of the unit using the seal, etc.;
The seal security chip information in the seal electronic identity credential format includes the unique code of the seal security chip, etc.;
The read/write device information in the seal electronic identity credential format includes the unique code of the read/write device's security module, etc.;
The time information in the seal electronic identity credential format includes the seal-making time, etc.
The signature value in the seal electronic identity credential format is the result of signing the seal information, seal security chip information, read/write device information, time information and the subject item of the seal key service system digital certificate with the private key of the seal key service system digital certificate.
The mechanism for issuing and revoking seal electronic identity credentials is as follows:
Issuance of the seal electronic identity credential: the seal-making client sends a seal-making request to the seal key service system; the seal key service system receives the seal-making client's request, takes its own system time as the seal-making time, generates the seal electronic identity credential according to the seal electronic identity credential format, and returns the credential and related information to the seal-making client; the seal-making client receives the information returned by the seal key service system and writes the seal electronic identity credential into the seal security chip, where the seal information, read/write device information and time information of the credential are stored encrypted as the seal ciphertext; the seal key service system receives the seal-making client's acknowledgement that seal production is complete and records a log entry.
Revocation of the seal electronic identity credential: the seal-making client sends a revocation request to the seal key service system; the seal key service system adds the seal electronic identity credential to the system blacklist and simultaneously publishes it to the seal verification service system.
When a seal key service system digital certificate is revoked, the seal verification service system publishes the blacklist of seal key service system digital certificates.
The blacklist of seal key service system digital certificates includes the serial number, subject item and revocation time of each seal key service system digital certificate.
The credential-based online seal verification mechanism is as follows:
The seal verification client reads the seal electronic identity credential and verifies the validity of the credential's signature.
The seal verification client verifies the validity of the credential's signature using the public key of the seal key service system digital certificate; if verification fails, it returns verification failure; otherwise, the seal verification client sends an online verification request to the seal verification service system.
The online verification request includes the seal electronic identity credential, and at least the seal key service system certificate subject item from the credential, the unique code of the seal security chip and the seal ciphertext.
After receiving the online verification request, the seal verification service system performs blacklist verification of the seal key service system certificate according to the seal key service system certificate subject item and the unique code of the seal security chip; if this verification fails, it returns verification failure and exits; otherwise, it checks whether the seal electronic identity credential is in the blacklist.
If the seal electronic identity credential is already in the blacklist, it returns verification failure and exits; otherwise, it returns verification success and the corresponding information.
The credential-based offline seal verification mechanism is as follows:
The seal verification client reads the seal electronic identity credential and checks the validity of the credential's signature and the blacklist of seal key service system digital certificates.
The seal verification client verifies the validity of the credential's signature using the public key of the seal key service system digital certificate; if verification fails, it returns verification failure and exits; otherwise, it checks the blacklist of seal key service system digital certificates; if the certificate is already in the blacklist, it returns verification failure; otherwise, it returns verification success and the corresponding information.
The seal verification client periodically downloads and updates the blacklist of seal key service system digital certificates.
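The issuance, revocation and verification flows above, as an added example that is not part of the patent: a Python model in which every code, key and participant name is constructed. It assumes an HMAC-SHA256 stand-in for the asymmetric signature the seal key service system would make with its certificate's private key, and it omits the encryption of the seal ciphertext; the signed fields, the blacklist entries (serial number, subject item, revocation time) and the online and offline checks follow the text. The scenario also makes visible a consequence of the design that a deployer should weigh: the offline path consults only the issuer-certificate blacklist, so a credential revoked under step (2-2) still verifies offline until the issuing certificate itself is revoked.

```python
"""Added example, not part of CN110222496A: a runnable model of the seal
electronic identity credential lifecycle the patent describes (issuance by
the seal key service system, revocation through blacklists, online and
offline verification). All names, codes and keys are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the issuer signature is modelled with HMAC-SHA256 so that the
# example needs only the standard library. In the patent it is an asymmetric
# signature made with the private key of the key service system's digital
# certificate and checked with its public key; the signed fields and the
# verification steps are the same.
ISSUER_SECRET = b"constructed-key-service-system-secret"
ISSUER_CERT = {"serial": "KSS-0001", "subject": "CN=Seal Key Service System (constructed)"}
SIGNED_FIELDS = ("seal", "chip", "reader", "time", "issuer_subject")


def _sign(fields):
    """Signature value over a canonical (sorted-key JSON) encoding of the fields."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_SECRET, data, hashlib.sha256).hexdigest()


def verify_signature(cred):
    """Steps (3-1)/(4-1): check the signature over seal info, chip info,
    read/write device info, time info and the issuer certificate subject."""
    return hmac.compare_digest(_sign({k: cred[k] for k in SIGNED_FIELDS}), cred["signature"])


class SealKeyServiceSystem:
    """Issues credentials and keeps the credential blacklist plus a log."""

    def __init__(self, clock):
        self.clock = clock                   # injected so the run is deterministic
        self.credential_blacklist = set()    # (issuer subject, chip unique code)
        self.log = []

    def issue(self, seal, chip, reader):
        """Steps (1-1.2)/(1-1.3): the system time becomes the seal-making time."""
        fields = {"seal": seal, "chip": chip, "reader": reader,
                  "time": {"made_at": self.clock().isoformat()},
                  "issuer_subject": ISSUER_CERT["subject"]}
        cred = dict(fields, issuer_cert=ISSUER_CERT, signature=_sign(fields))
        self.log.append(("issued", chip["uid"]))
        return cred

    def revoke(self, cred):
        """Step (2-2): add the credential to the system blacklist."""
        self.credential_blacklist.add((cred["issuer_subject"], cred["chip"]["uid"]))
        self.log.append(("revoked", cred["chip"]["uid"]))


class SealVerificationService:
    """Online verifier; it shares the credential blacklist with the key service
    system and publishes the issuer-certificate blacklist for offline clients."""

    def __init__(self, kss):
        self.kss = kss
        # Entries carry serial number, subject and revocation time (the patent's
        # blacklist fields), keyed by subject for the lookup in step (3-2.1).
        self.issuer_cert_blacklist = {}

    def revoke_issuer_cert(self, cert, revoked_at):
        self.issuer_cert_blacklist[cert["subject"]] = {
            "serial": cert["serial"], "revoked_at": revoked_at.isoformat()}

    def verify_online(self, req):
        """Steps (3-2.1) and (3-2.2)."""
        if req["issuer_subject"] in self.issuer_cert_blacklist:
            return False, "issuer certificate revoked"
        if (req["issuer_subject"], req["chip_uid"]) in self.kss.credential_blacklist:
            return False, "credential revoked"
        return True, "ok"


def client_verify(cred, service=None, downloaded_issuer_blacklist=None):
    """Online path when a service is reachable, offline path otherwise."""
    if not verify_signature(cred):
        return False, "signature invalid"
    if service is not None:   # step (3-1): send the online request
        return service.verify_online({"issuer_subject": cred["issuer_subject"],
                                      "chip_uid": cred["chip"]["uid"]})
    # Step (4-2): offline, only the downloaded issuer-certificate blacklist is consulted.
    if cred["issuer_subject"] in (downloaded_issuer_blacklist or {}):
        return False, "issuer certificate revoked"
    return True, "ok"


def run_scenario():
    """Walk the lifecycle with constructed data and return each verification outcome."""
    clock = lambda: datetime(2019, 9, 10, 9, 0, tzinfo=timezone.utc)
    kss = SealKeyServiceSystem(clock)
    svc = SealVerificationService(kss)
    cred = kss.issue(seal={"code": "SEAL-0001", "type": "01", "unit": "UNIT-42"},
                     chip={"uid": "CHIP-ABC"}, reader={"module_uid": "RW-7"})
    out = {"online_fresh": client_verify(cred, svc), "offline_fresh": client_verify(cred)}
    tampered = dict(cred, seal=dict(cred["seal"], code="SEAL-9999"))  # edited seal code
    out["tampered"] = client_verify(tampered, svc)
    kss.revoke(cred)                                   # steps (2-1)/(2-2)
    out["online_after_revoke"] = client_verify(cred, svc)
    # The offline client has only the issuer-certificate blacklist, so this still passes.
    out["offline_after_revoke"] = client_verify(cred, downloaded_issuer_blacklist=svc.issuer_cert_blacklist)
    svc.revoke_issuer_cert(ISSUER_CERT, clock())       # step (2-3)
    out["offline_after_issuer_revoke"] = client_verify(cred, downloaded_issuer_blacklist=svc.issuer_cert_blacklist)
    return out
```

`run_scenario()` returns the six outcomes in order: a freshly issued credential passes both paths, an edited seal code fails the signature check before any blacklist is consulted, a revoked credential fails online but still passes offline, and only revoking the issuer certificate (and the client refreshing its downloaded blacklist, as the last paragraph above requires) makes the offline path reject it.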
By adopting the method of the invention for realizing full life cycle management of seals based on electronic identity credentials, in combination with seal anti-counterfeiting business requirements and according to a unified seal electronic identity credential format, the seal key service system reviews the seal information, seal security chip information, read/write device information and time information when a seal is produced and issued, issues an electronic identity credential for each seal that passes review and writes it into the seal security chip, and on this basis establishes mechanisms for issuing, verifying and revoking seal electronic identity credentials. The credential-based seal verification mechanism comprises an online verification mechanism and an offline verification mechanism, and implements blacklist verification of the seal key service system certificate, blacklist verification of the seal electronic identity credential and verification of the validity of the signature value in the seal electronic identity credential, thereby establishing a full life cycle management mechanism for seals based on electronic identity credentials that effectively improves the efficiency of online seal verification and reduces the security risks of offline seal verification and seal forgery.
In this specification, the invention has been described with reference to specific embodiments. It is nevertheless evident that various modifications and changes can be made without departing from the spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded as illustrative rather than restrictive.