The electronic seal authentication module authenticates electronic seals whenever any client electronic signature software performs a signature, for example when providing the authentication service behind MS Office, WPS, RED Office, PDF and web page signing. In other words, whatever electronic signature software the client uses, one unified authentication service system serves them all, which greatly improves the integrity and scalability of the system and saves investment.
The module mainly performs the following checks:
A) Verify the legality of the digital certificate: check that the certificate was issued by a designated, legitimate issuing institution. A client-side control on its own cannot reliably make this check at stamping time.
B) Whether the digital certificate has expired: that is, verify that the certificate is within its validity period. The reference time must be the server's time; judging validity against the client's clock is meaningless.
C) Whether the digital certificate has been revoked: the electronic signature server periodically obtains the certificate revocation list (CRL) from the digital certificate center, so that by checking whether a certificate has been revoked it can ensure that the electronic signature card corresponding to a certificate revoked for any reason can no longer sign. Without an authentication server this check is impossible.
D) Verify whether the electronic signature card or identity authentication card has been lost or destroyed: even if the above checks can be performed through the services provided by the public security CA center, only the electronic signature management subsystem can generate and publish the status list of electronic signature cards. Even when the digital certificate passes all of the above checks, the seal card may have been temporarily lost, the seal may no longer be usable because the seal image has changed, or the seal management center may have forcibly stopped use of the seal; these situations are hard to detect unless they are checked at signing time, and leaving them unchecked leads to illegal signing and confusion over electronic seals.

The main functions of the web page signature server-side component are included in the unified electronic signature authentication server and mainly consist of the following two functions:
A) Verifying the legality of the electronic signature card and the digital certificate in it;
B) Web page information tamper-proof verification: the digital signature over the signed object identifies whether the submitted web page information is the same information that was signed. Write the data into the database only after verification passes; otherwise alert the client that "the webpage information was tampered with when it was submitted to the server".

The encryption and decryption of files require the server-side and client-side components working together. The server-side component mainly decrypts the encrypted ciphertext submitted by the client and encrypts the files delivered to the client.
The encryption and decryption part is implemented with digital envelope technology, which combines the advantages of symmetric key and asymmetric key technology to achieve efficient and secure encryption and decryption.
The component first encrypts the file with a random symmetric key, then encrypts that symmetric key with the recipient's public key, and sends the encrypted key together with the ciphertext to the recipient. The recipient first decrypts the symmetric key with its own private key, then decrypts the ciphertext with that key to obtain the plaintext file.
In practice, because of this use, the symmetric key is sometimes called the exchange key.
The main functions of the file encryption and decryption server component include:
A) Decrypt files sent by the client: when the client encryption and decryption component secures file transmission from client to server, it encrypts the exchange key with the public key of the server certificate, so when the server decrypts it uses the private key of the server certificate to recover the exchange key in plaintext and then decrypts the ciphertext with it.
B) Encrypt files sent to the client: when a client visitor needs to browse a file, the server component encrypts the file with a randomly generated exchange key, encrypts the exchange key with the receiver's public key, and sends the ciphertext and the encrypted exchange key to the client. The client decrypts the exchange key with its own private key, then decrypts the ciphertext with the exchange key to obtain the original text.