CN-122027173-A - Hybrid digital certificate generation method and system based on double-algorithm parallel signature
Abstract
The invention discloses a hybrid digital certificate generation method and system based on double-algorithm parallel signature. Within the existing X.509 digital certificate system, the same to-be-signed certificate body data is signed in parallel with a first-type digital signature algorithm and a second-type digital signature algorithm, and the resulting first signature value and second signature value are packaged into the same certificate structure to form a hybrid digital certificate. The first-type digital signature algorithm is a classical digital signature algorithm, and the second-type digital signature algorithm is a post-quantum digital signature algorithm. In the certificate verification stage, the verifier verifies the two signature values in the hybrid signature field according to the signature algorithm identifier contained in the certificate, and outputs a certificate verification result according to a preset joint decision rule. While keeping compatibility with the existing digital certificate structure and verification flow, the invention introduces post-quantum security and improves the long-term security and backward compatibility of digital certificates in a quantum computing environment.
Inventors
- YANG SHIZHAO
- DU ZHAORUI
- WANG ZHAN
- JIA HAIYANG
- SONG YI
Assignees
- 武汉珈港科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260331
Claims (10)
- 1. A hybrid digital certificate generation method based on double-algorithm parallel signature, characterized by comprising the following steps: Step 1, a certificate issuing authority generates a first key pair and a second key pair, wherein the first key pair is generated based on a first-type digital signature algorithm and the second key pair is generated based on a second-type digital signature algorithm; Step 2, encoding the first public key and the second public key each as BIT STRING data, and packaging the BIT STRING data into a single ASN.1 SEQUENCE structure in the same certificate structure according to a preset encoding rule, to serve as hybrid public key information; Step 3, generating the certificate body fields, including version number, serial number, signature algorithm identifier, issuer information, validity period, user information and hybrid public key information, according to the X.509 digital certificate specification, and combining them to form the TBSCertificate, which serves as the body data of the digital certificate to be generated; Step 4, taking the complete DER-encoded TBSCertificate data as input, and signing the TBSCertificate data or its message digest value with the first private key and the second private key respectively, to generate a first signature value and a second signature value; Step 5, packaging the first signature value and the second signature value into a hybrid signature structure, and writing the hybrid signature structure and the second signature value into a certificate as a signature value field of the digital certificate to generate a hybrid digital certificate.
- 2. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in claim 1, wherein in step 1, the first-type digital signature algorithm is a digital signature algorithm based on the integer factorization problem or the elliptic-curve discrete logarithm problem.
- 3. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in claim 1, wherein in step 1, the second-type digital signature algorithm is a post-quantum digital signature algorithm based on a lattice problem, a coding problem or a multivariate polynomial problem.
- 4. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in claim 1, wherein in step 2, the hybrid public key information structure is defined in ASN.1 as follows: HybridSubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, classicKey BIT STRING, pqKey BIT STRING } wherein the algorithm field is a single AlgorithmIdentifier used to identify the combination type of the first-type digital signature algorithm and the second-type digital signature algorithm, classicKey is the public key encoding corresponding to the first-type digital signature algorithm, and pqKey is the public key encoding corresponding to the second-type digital signature algorithm; the AlgorithmIdentifier field comprises only a single algorithm identifier OID, does not comprise a plurality of sub-AlgorithmIdentifier structures, and does not take the nested list form SEQUENCE OF AlgorithmIdentifier.
- 5. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in claim 1, wherein in step 5, the hybrid signature structure is defined in ASN.1 as follows: HybridSignatureValue ::= SEQUENCE { signatureClassic BIT STRING, signaturePQ BIT STRING } wherein signatureClassic is the signature value generated by the first-type digital signature algorithm, signaturePQ is the signature value generated by the second-type digital signature algorithm, and both signatures are generated over the same complete DER-encoded TBSCertificate data.
- 6. The method of claim 1, wherein in step 5, the hybrid digital certificate includes a hybrid signature algorithm identifier field signatureAlgorithm for identifying the signature algorithm used to sign the TBSCertificate; the signatureAlgorithm field is a single AlgorithmIdentifier representing the combination type of the first-type digital signature algorithm and the second-type digital signature algorithm, and the AlgorithmIdentifier includes only a single OID and does not nest a plurality of sub-AlgorithmIdentifier structures.
- 7. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in any one of claims 1 to 6, further comprising: Step 6, a certificate verifier verifies the hybrid digital certificate: Step 6.1, parsing the hybrid digital certificate and extracting the certificate body data TBSCertificate, the hybrid signature algorithm combination identifier field, the hybrid signature structure and the hybrid public key information structure; Step 6.2, performing a cryptographic hash operation on the complete DER-encoded TBSCertificate data to generate a message digest value for signature verification; Step 6.3, performing a first digital signature verification on the first signature value using the first public key obtained by parsing; Step 6.4, performing a second digital signature verification on the second signature value using the second public key obtained by parsing; Step 6.5, when both the first digital signature verification and the second digital signature verification pass, determining that verification of the hybrid digital certificate succeeds, and otherwise determining that verification fails.
- 8. The hybrid digital certificate generation method based on dual-algorithm parallel signature as recited in claim 7, wherein in step 6.1, the hybrid signature algorithm identifier is represented by an object identifier (OID) indicating the types of digital signature algorithm contained in the hybrid digital certificate and their combination relationship.
- 9. A hybrid digital certificate generation system based on dual-algorithm parallel signature, comprising: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the hybrid digital certificate generation method based on dual-algorithm parallel signature as claimed in any one of claims 1 to 8.
- 10. A hybrid digital certificate generation product based on dual algorithm parallel signature comprising computer program instructions which, when run on a computer, cause the computer to perform the hybrid digital certificate generation method based on dual algorithm parallel signature as in any one of claims 1 to 8.
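Added example (not part of the patent text): a strict DER encoder and decoder for the HybridSignatureValue of claim 5, plus the both-must-pass rule of claim 7 step 6.5, in Python. The function names and the `verify_classic` / `verify_pq` callables are assumptions; verifiers for the chosen classical and post-quantum algorithms would be supplied by the caller.

```python
# Added example; names and verifier callables are assumptions, not the patent's.

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_hybrid_signature(sig_classic, sig_pq):
    # SEQUENCE { signatureClassic BIT STRING, signaturePQ BIT STRING }, 0 unused bits
    return tlv(0x30, tlv(0x03, b"\x00" + sig_classic) + tlv(0x03, b"\x00" + sig_pq))

def read_tlv(buf, pos, tag):
    """Read one TLV with the expected tag; reject lengths that are not valid DER."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("missing element or unexpected tag")
    n, pos = buf[pos + 1], pos + 2
    if n >= 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if k == 0 or pos > len(buf) or n < 0x80 or buf[pos - k] == 0:
            raise ValueError("non-DER or truncated length")
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + n], pos + n

def decode_hybrid_signature(der):
    seq, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    sigs, pos = [], 0
    for _ in range(2):
        body, pos = read_tlv(seq, pos, 0x03)
        if len(body) < 2 or body[0] != 0:
            raise ValueError("empty signature or unused bits set")
        sigs.append(body[1:])
    if pos != len(seq):
        raise ValueError("more than two components")
    return tuple(sigs)

def verify_hybrid(tbs_der, sig_der, verify_classic, verify_pq):
    """Fail closed: a malformed structure or either signature failing rejects."""
    try:
        sig_classic, sig_pq = decode_hybrid_signature(sig_der)
    except ValueError:
        return False
    return bool(verify_classic(tbs_der, sig_classic)) & bool(verify_pq(tbs_der, sig_pq))
```

Rejecting a structure with a missing, empty or extra component before any signature check keeps a stripped post-quantum signature from being accepted as a classical-only certificate.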
Description
Hybrid digital certificate generation method and system based on double-algorithm parallel signature
Technical Field
The invention belongs to the technical field of information security and relates to a method and a system for generating and verifying a hybrid digital certificate based on double-algorithm parallel signature, in particular to a method and a system that generate and verify a hybrid digital certificate by introducing both a classical public key cryptographic algorithm and a post-quantum digital signature algorithm under the existing X.509 digital certificate system.
Background
Digital certificates are a core component of Public Key Infrastructure (PKI) and are widely used in identity authentication, key distribution, secure communications and similar fields. The existing digital certificate system is mainly built on classical public key cryptographic algorithms such as RSA, the Elliptic Curve Digital Signature Algorithm (ECDSA) or the Edwards-curve Digital Signature Algorithm (EdDSA), whose security depends on mathematical problems such as large-integer factorization and the discrete logarithm. With the development of quantum computing technology, these mathematical problems are at potential risk of being solved efficiently under a quantum computing model, so a digital certificate system that relies only on classical public key cryptographic algorithms faces challenges to its long-term security. To deal with the threat posed by quantum computing, post-quantum cryptographic algorithms are attracting attention, including digital signature algorithms based on lattices, hashes and other mathematical structures.
In the prior art, post-quantum cryptographic algorithms are generally applied to digital certificates either by completely replacing the original algorithm or by adding the post-quantum public key and signature information through a certificate extension field. Such schemes often suffer from insufficient compatibility with the existing X.509 certificate parsing and verification mechanism, high deployment complexity, ambiguous verification policy and similar problems. Therefore, a hybrid digital certificate generation and verification method is needed that is compatible with both a classical public key cryptographic algorithm and a post-quantum digital signature algorithm while keeping the basic structure and verification flow of the existing X.509 digital certificate unchanged, so as to provide dual security assurance for digital certificates in classical and quantum computing environments.
Disclosure of Invention
The invention aims to overcome the security risks of the existing digital certificate system under the threat of quantum computing and the shortcomings of existing post-quantum certificate schemes in compatibility, deployment complexity and verification policy, and provides a hybrid digital certificate generation and verification method and system based on double-algorithm parallel signature, which realize the cooperative use of a classical public key cryptographic algorithm and a post-quantum digital signature algorithm while keeping the structure and parsing mechanism of the existing X.509 digital certificate basically unchanged.
The technical scheme adopted by the method of the invention is a hybrid digital certificate generation method based on double-algorithm parallel signature, comprising the following steps: Step 1, a certificate issuing authority generates a first key pair and a second key pair, wherein the first key pair is generated based on a first-type digital signature algorithm and the second key pair is generated based on a second-type digital signature algorithm; Step 2, encoding the first public key and the second public key each as BIT STRING data, and packaging the BIT STRING data into a single ASN.1 SEQUENCE structure in the same certificate structure according to a preset encoding rule, to serve as hybrid public key information; Step 3, generating the certificate body fields, including version number, serial number, signature algorithm identifier, issuer information, validity period, user information and hybrid public key information, according to the X.509 digital certificate specification, and combining them to form the TBSCertificate, which serves as the body data of the digital certificate to be generated; Step 4, taking the complete DER-encoded TBSCertificate data as input, and signing the TBSCertificate data or its message digest value with the first private key and the second private key respectively, to generate a first signature value and a second signature value; Step 5, packaging the first signature value and the second signature value into a hybrid signature structure, and writing the hybrid signature structure and the seco