A "digital signature" is a series of symbols and codes generated by a cryptographic operation that serves as an electronic signature, taking the place of a handwritten signature or seal. Such an electronic signature can be verified technically, and the accuracy of that verification is beyond comparison with manual verification of handwritten signatures and stamps. The digital signature is the most widely used, most technically mature and most practical electronic signature method in e-commerce and e-government. It uses standardized procedures and scientific methods to identify signers and to confirm their approval of the electronic data content. It can also verify whether the original text of a file has changed during transmission, ensuring the integrity, authenticity and non-repudiation of the transmitted electronic file.
(I) The principle of digital signature
In public key encryption, a key is a key pair consisting of a public key and a private key. A digital signature is encrypted with the private key and decrypted with the public key. Since the private key cannot be derived from the public key, publishing the public key does not damage the security of the private key: the public key can be distributed openly without confidentiality, while the private key must be kept confidential. Therefore, when information that someone encrypted with his private key can be decrypted correctly with his public key, it can be determined that the message was signed by that person, because the public keys of others cannot decrypt the encrypted information correctly, and others cannot generate that encrypted information with their own private keys.
A digital signature is not a digitized image of a handwritten signature, but an electronic signature applied to electronic documents through cryptographic technology. A person can deny having signed a document by hand, and handwriting identification is not 100% accurate, but a digital signature is difficult to deny. Because generating a digital signature requires the private key and verifying it requires the corresponding public key, existing schemes such as digital certificates bind the identity of the entity (legal subject) to the private/public key pair, which makes it difficult for the subject to deny the digital signature.
A digital signature is essentially a security measure. The receiver can prove the authenticity of the received message and of its sender to a third party, and its use ensures that information cannot be denied by its sender or forged. The main way of producing a digital signature is that the sender of a message generates a hash value (or message digest) from the message text. The sender encrypts this hash value with his own private key to form the sender's digital signature. The digital signature is then sent to the recipient as an attachment to the message. The receiver first calculates the hash value (or message digest) from the received original message, and then decrypts the digital signature attached to the message with the public key of the sender. If the two hash values are the same, the receiver can confirm that the digital signature belongs to the sender.
(II) The role of digital signature
As one of the important methods to maintain the security of data information, digital signature can solve the problems of forgery, denial, counterfeiting and tampering, and its main functions are as follows:
(1) Replay attack protection. A replay attack, commonly used by hackers, means sending the destination host a data packet that it has already received in order to deceive the system; it is mainly used to undermine the correctness of authentication during the authentication process. The attack maliciously or fraudulently repeats a valid data transmission: the attacker uses network monitoring or other means to steal authentication credentials and then resends them to the authentication server. If a digital signature scheme adopts techniques such as time-stamping the signed message or adding a serial number, replay attacks can be effectively prevented.
(2) Anti-counterfeiting. Others cannot forge the signature on a message, because the private key is known only to the signer, so others cannot construct the correct signature result.
(3) Tamper-proofing. The digital signature is sent to the receiver together with the original file or its digest. Once the information is tampered with, the receiver can determine that the file is invalid by calculating the digest and verifying the signature, which ensures the integrity of the file.
(4) Preventing denial. A digital signature can serve as the basis of identity authentication and as evidence that the signer performed the signing operation. To prevent the receiver from denying receipt, the digital signature system can require the receiver to return his own signed message to the sender or to a trusted third party. If the receiver does not return any message, the communication can be terminated or restarted; the signer suffers no loss, and neither party can deny the exchange.
(5) Confidentiality. If a file bearing a handwritten signature is lost, its contents are likely to be leaked, whereas a digital signature can encrypt the message to be signed. In network transmission, the message can be encrypted with the public key of the receiver to ensure the confidentiality of the information.
(6) Identity authentication. In digital signature, the customer's public key is a mark of his identity. When a message is signed with a private key and the receiver or verifier successfully verifies it with the signer's public key, it can be determined that the signer is the owner of the private key, because only the signer knows the private key.
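The hash-then-sign flow described earlier and the serial-number and time-stamp defence from item (1) above, as an added example that is not part of the original article. It substitutes a toy textbook RSA key built from publicly known Mersenne primes, with no padding, for a real signature scheme; the names `sign`, `verify`, `make_envelope` and `Receiver` and the 300-second freshness window are assumptions made for illustration.

```python
import hashlib
import json

# Toy RSA key for illustration only: the primes are publicly known Mersenne
# primes and no padding is used, so this key protects nothing real.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest_int(data: bytes) -> int:
    """Message digest (SHA-256) as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Receiver: recover the hash with the public key, compare with own hash."""
    return pow(sig, E, N) == digest_int(data)


def canonical(signed: dict) -> bytes:
    """Deterministic byte encoding, so both sides hash identical bytes."""
    return json.dumps(signed, sort_keys=True).encode()


def make_envelope(body: str, serial: int, ts: int) -> dict:
    """Serial number and time stamp are part of the signed data."""
    signed = {"body": body, "serial": serial, "ts": ts}
    return {"signed": signed, "sig": sign(canonical(signed))}


class Receiver:
    """Checks the signature first, then freshness, then the serial number."""

    def __init__(self, max_age: int = 300):   # assumed freshness window (s)
        self.max_age = max_age
        self.last_serial = 0

    def accept(self, env: dict, now: int) -> str:
        signed = env["signed"]
        if not verify(canonical(signed), env["sig"]):
            return "rejected: bad signature"
        if abs(now - signed["ts"]) > self.max_age:
            return "rejected: stale time stamp"
        if signed["serial"] <= self.last_serial:
            return "rejected: replayed serial"
        self.last_serial = signed["serial"]
        return "accepted"


def demo() -> list:
    """Constructed sample traffic: one genuine message and four bad ones."""
    t0 = 1_700_000_000                        # constructed clock value
    rx = Receiver()
    env = make_envelope("pay 100 to merchant 42", serial=1, ts=t0)
    bumped = {"signed": dict(env["signed"], serial=2), "sig": env["sig"]}
    altered = {"signed": dict(env["signed"], body="pay 900"), "sig": env["sig"]}
    late = make_envelope("pay 5 to merchant 42", serial=2, ts=t0)
    return [
        rx.accept(env, now=t0 + 10),        # genuine, fresh, new serial
        rx.accept(env, now=t0 + 20),        # captured and resent unchanged
        rx.accept(bumped, now=t0 + 20),     # serial edited, old signature
        rx.accept(altered, now=t0 + 20),    # body edited, old signature
        rx.accept(late, now=t0 + 3600),     # valid signature, delivered late
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the serial number and time stamp are covered by the signature, a resent message is caught by the serial check and any attempt to renumber it is caught by the signature check.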
(III) Digital certificate
In online electronic transactions, merchants need to confirm that the cardholder is the legal holder of a credit card or debit card, and at the same time, the cardholder must be able to identify whether the merchant is a legal merchant and is authorized to accept payment from a certain brand of credit card or debit card. In order to deal with these key issues, there must be a credible institution to issue digital security certificates. Digital certificates represent the identities of all parties involved in online trading activities, such as cardholders, merchants and payment gateways. Every time a transaction is made, the identities of all parties must be verified by digital certificates. Digital certificates are issued by an authoritative and impartial third party organization, namely the Certification Center (CA). After the certification center approves the certificate application, it will issue the certificate to the applicant through the registration service organization.
A digital certificate is a file digitally signed by a certificate authority, which contains the public key and information about the public key's owner. The simplest certificate contains a public key, a name and the digital signature of the certification authority. Generally speaking, the certificate also includes the validity period of the key, the name of the certificate authority, the serial number of the certificate and other information. The format of the certificate follows the international standard ITU-T X.509.
The standard X.509 digital security certificate contains the following contents:
1) The version information of the certificate;
2) The serial number of the certificate; each certificate has a unique serial number;
3) The signature algorithm used by the certificate;
4) The name of the certification authority; the naming rules generally follow the X.500 format;
5) The validity period of the certificate; certificates now generally use the UTC time format;
6) The name of the certificate owner; the naming rules generally follow the X.500 format;
7) The public key of the certificate owner;
8) The signature of the certificate issuer.
(IV) Time stamp
Time is very important information in e-commerce transaction documents. In a written contract, the date of signing the document is as important as the signature to prevent the document from being forged and tampered with. Digital Time Stamp Service (DTS) is one of the online e-commerce security services, which can provide security protection for the date and time information of electronic files. A timestamp is usually a sequence of characters that uniquely identifies the time at a certain moment. Digital time stamp technology is a variant of digital signature technology, which is usually used in digital signature systems.
A time stamp is an encrypted voucher document, which includes three parts:
(1) The digest of the file that needs the time stamp;
(2) The date and time when the DTS received the document;
(3) The digital signature of the DTS.
Generally speaking, a time stamp is generated as follows: the user first hashes the file that needs a time stamp to form a digest, and then sends the digest to the DTS. The DTS adds the date and time at which it received the file digest, encrypts (digitally signs) the result, and sends it back to the user. The digital time stamp is added by the authentication unit according to the time when the DTS receives the document.
However, the time stamp service providers on the market are not "electronic authentication service providers" as defined in the electronic signature law. They have not obtained the electronic authentication service license issued by the Ministry of Industry and Information Technology and cannot prove the identity of the document signer, so time stamps have limitations in technical and legal effect.
(V) Certificate Authorization Center
1. Certification Center, namely CA Center, is responsible for verifying the legitimacy of public keys in public key system. The CA Center issues a digital certificate to each customer who uses the public key. The function of digital certificate is to prove that the customer listed in the certificate legally owns the public key listed in the certificate. The digital signature of CA center makes it impossible for attackers to forge and tamper with certificates. CA center is responsible for the generation, distribution and management of digital certificates required by all individuals participating in online transactions, so it is the core link of secure electronic transactions.
2. The main tool of CA certification is the digital certificate issued by the online office CA center. CA architecture includes PKI (public key infrastructure) structure, high-strength anti-attack public encryption and decryption algorithm, digital signature technology, identity authentication technology, operation security management technology, reliable trust responsibility system and so on. From the perspective of the roles involved in the business process, it includes certification authority, digital certificate repository and blacklist repository, key escrow processing system, certificate directory service, certificate approval and invalidation processing system. From the hierarchical structure of CA, it can be divided into certification center (root CA), key management center (KM), certification subordinate center (sub-CA), certificate approval center (RA center), certificate approval acceptance point (RAT) and so on. CA Center should generally issue a statement on certification system, solemnly stating CA's policies, security measures, service scope, service quality, responsibilities undertaken, operational procedures and other terms to customers.
According to the structure of PKI, the authenticated entity needs to have a pair of keys, namely, private key and public key. The private key is secret and the public key is public. In principle, it is impossible to deduce the private key from the public key. For example, due to the limitations of current technology, operating tools and time, it is impossible to find the private key by exhaustive method. The keys of each entity always appear in pairs, that is, a public key must correspond to a private key. Information encrypted with public key must be decrypted with corresponding private key; Similarly, the signature generated by the private key can only be decrypted by the paired public key. Public keys are sometimes used to transmit symmetric keys, which is digital envelope technology. The key management strategy is to bind the public key to the entity, and the CA center will make the information of the entity (that is, the real-name authenticated customer) and the public key of the entity into a digital certificate, and the tail of the certificate must have the digital signature of the CA center. Because the digital signature of CA center is unforgeable, the entity's digital certificate is unforgeable. Only after the entity's physical identity qualification has passed, the CA Center will issue a digital certificate to the applicant, thus associating the entity's identity with the digital certificate. Because all entities trust the CA center that provides third-party services, they can trust other entities with digital certificates issued by the CA center and conduct operations and transactions online with confidence.
3. Main responsibilities. The CA Center is responsible for issuing and managing digital certificates. Its central task is to issue digital certificates and perform the duties of customer identity authentication. The CA Center needs very strict policies and processes, as well as sound security mechanisms covering decentralized security responsibility, operational security management, system security, physical security, database security, personnel security, key management and so on. In addition, there must be sound implementation measures such as security audit, operation monitoring, disaster recovery backup and rapid response to accidents, as well as strong tool support such as identity authentication, access control, anti-virus and anti-attack. The certificate approval business department of the CA Center is responsible for examining the qualifications of certificate applicants and deciding whether to issue certificates to them, and bears all the consequences of audit errors and of issuing certificates to unqualified applicants; it should therefore be an institution that can undertake these responsibilities. The certificate processor (CP for short) is responsible for making, issuing and managing certificates for authorized applicants, and bears all consequences caused by operational errors, including loss of confidentiality and issuing certificates to unauthorized personnel. This role can be performed by the audit business department itself, or it can be entrusted to a third party.
4. The CA is the certificate center of e-commerce services and the core of the PKI system. It issues and manages public key certificates for customers' public keys and provides a series of management services throughout the key life cycle. It associates the customer's public key with the customer's name and other attributes in order to authenticate electronic identities between customers. The certification center is an authoritative, reliable and impartial third-party organization, and it is the foundation for the existence and development of e-commerce.
The role of the certification center in key management is as follows:
1) Generate, store, back up/restore, archive and destroy your own keys. From the root CA to issuing certificates directly to customers, all levels of CA have their own key pairs. The key pair of CA center is generally generated directly in the machine by the hardware encryption server and stored in the encryption hardware, or stored in the key database in a certain encrypted form. Encrypted backups are stored in IC cards or other storage media and protected by advanced physical security measures. The destruction of keys should be based on the writing standard of safety keys, and the traces of original keys should be completely removed. It should be emphasized that the security of the root CA key is very important, and its disclosure means the collapse of the whole public key trust system, so the key protection of CA must be set and managed according to the highest security level.
2) Provide security key management services for the secure encrypted communication between the certification center and the local registration, auditing and issuing institutions. In the process of generating and issuing customer certificates, there are not only CA centers, but also registration agencies, auditing agencies and issuing agencies (for certificates with external media). The control of certificate approval within the scope of industry use can be completed by an industry audit institution independent of CA center. CA center can adopt various means when communicating with various institutions safely. For secure communication using certificate mechanism, the key generation, distribution, management and maintenance of all institutions (communication terminals) can be completed by CA center.
3) Determine the life cycle of customer keys, and implement key revocation and update management. Each customer's public key certificate has a validity period, and the life cycle of the key pair is determined by the CA center that issued the certificate. The validity period of certificates differs between CA systems and is generally about 2 to 3 years. Key update arises in only two situations: first, the key pair expires; second, a new key pair needs to be enabled after the key is leaked (certificate revocation). When a key pair is due to expire, the customer generally knows well in advance and can apply for renewal.
Revocation of a public key is carried out by revoking the public key certificate. Revocation of a public key certificate comes from two directions: revocation initiated by the superior, and revocation requested by the subordinate for its own certificate. When the superior CA can no longer trust a subordinate CA (for example, the superior discovers that the private key of the subordinate CA may have been leaked), it can take the initiative to stop the legal use of the subordinate CA's public key certificate. When a customer discovers that his private key has been leaked, he can also take the initiative to apply for revocation of the public key certificate, so that other subjects do not continue to use the public key to encrypt important information, which could allow unauthorized parties to steal secrets. Generally speaking, in the practical application of e-commerce, leakage of private keys is less common; revocation mostly happens because a customer has left the company due to organizational changes and the subject certificate representing the identity of the enterprise needs to be revoked early.
4) Provide key generation and distribution services. CA center can provide customers with key pair generation service, which is carried out in a centralized or distributed way. In centralized situation, CA center can use hardware encryption server to apply for batch generation of key pairs for multiple customers, and then distribute them to customers through secure channels. Customer key pairs can also be generated by multiple registration authorities (RA) and distributed to customers.
5) Provide key escrow and key recovery services. CA Center can provide key escrow service according to customers' requirements, and back up and manage customers' encryption key pairs. When the customer needs it, he can put forward the customer's encryption key pair from the keystore and restore his encryption key pair for the customer to unlock the previously encrypted information. In this case, the key manager of CA Center encrypts each customer's private key by symmetric encryption, and the encrypted key is destroyed, thus ensuring the security of private key storage. When the key is recovered, the corresponding key recovery module is used to decrypt it to ensure that the customer's private key can be recovered without any risks and unsafe factors. At the same time, the CA center should also have a backup library to avoid the accidental destruction of the key database and the inability to recover the customer's private key.
6) Other key generation and management and cryptographic operation functions. The special position and role of CA center in the management of its own key and customer key determines that it has the function of generating and managing various keys such as master key and multilevel key encryption key. For the CA center that provides customers with public key trust, manages and maintains the whole e-commerce password system, its key management is a very complicated work, which involves the security and password management strategies of CA center itself, registration and auditing institutions, various security areas and components of clients.
(VI) Significance of EID to digital signature
1. EID is a certificate derived from the resident ID card that allows identity to be verified remotely on the Internet, namely an "electronic identity". Technically, EID also adopts PKI (Public Key Infrastructure) key pair technology: the smart chip generates the private key, the public security department uniformly issues the certificate, and after on-site authentication the EID is distributed to citizens. Specifically, PKI technology is a set of Internet security solutions. The PKI architecture uses certificates to manage public keys, and binds users' public keys to other identity information through a trusted third-party organization, the CA, in order to verify users' identities on the Internet. The PKI architecture combines public key cryptography with symmetric cryptography, which enables automatic key management on the Internet and ensures the confidentiality and integrity of online data. When using the EID, the holder sets his own PIN code to activate the certificate, and presents it to the service organization remotely over the network through a universal card reader; the service organization authenticates the legitimacy of the EID through the EID identity information service back end, and obtains the information permitted by its level of authority.
2. EID prevents fraudulent use, interception, tampering and forgery.
As mentioned above, EID adopts PKI and hard certificate + PIN code technology, which can effectively prevent identity information from being intercepted, tampered with and forged on the network. In addition, because EID associates personal identity with the back-end database through cryptographic technology, the identity is uniquely identified and is, in theory, difficult to forge.
Even if the EID is accidentally lost, there is no need to worry about fraudulent use. Because the EID is uniformly issued by the network identity management center of the public security department, a holder who loses the EID can immediately report the loss to the network identity management center, and the EID will be frozen or invalidated immediately. Without EID, if an ID card is lost, then because the ID card has no cancellation function, two ID cards may still be in circulation in society even after the loss is reported and a replacement issued. EID is unique and requires network authentication: when a new one is applied for, the old one is cancelled automatically and can no longer be used. Therefore, the holder of an EID is considered credible. And because the EID has a PIN code, others cannot use it after finding or stealing it. EID itself adopts advanced cryptographic technology, so the important information in the key cannot be physically read and therefore cannot be cracked, which effectively prevents fraudulent use by others.
If a network account is stolen, as long as the user still has the EID, the password can be reset immediately, so there is no room for the account to be stolen. Key operations can also be required to use the EID, for example by requiring the EID to be inserted for transactions on the network, so that even if the password is stolen, it will not cause losses.
3. To sum up, EID is essentially a combination of digital signature technology and PIN code technology. It is certified by the public security department at the time of production, so no real-name authentication is needed when it is used, which makes up for the drawback that CA institutions must conduct a real-name audit when issuing CA certificates. At the same time, the PIN code technology makes the ID card owner the only subject who can use his EID, effectively preventing theft or fraudulent use. The author thinks that, based on the authority of the issuing authority and its technical reliability, with the wide use of EID it will completely replace the existing CA institutions in the digital signature system.