Data certification method and apparatus

摘要

An apparatus and method for signing electronic data with a digital signature in which a central server comprises a signature server 110 and a authentication server 120. The signature server 110 securely stores the private cryptographic keys of a number of users 102. The user 102 contacts the central server using a workstation 101 through a secure tunnel which is set up for the purpose. The user 102 supplies a password or other token 190, based on information previously supplied to the user by the authentication server 120 through a separate authentication channel. The authentication server provides the signature server with a derived version of the same information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user 102. If they match, data received from the user 102 is signed with the user's private key. 101 workstation 101 102 user 110 signature server 110 111 HSM hardware signature module 112 signature server 110 database SSDB 120 authentication server 121 authentication server hardware signature module ASHSM 122 authentication server database ASDB 130 authentication device 140 workstation 101 (connection between workstation 101 and signature server 110) 150 connection between authentication server and signature server 110 151 connection between authentication server and authentication device 152 connection between authentication device and workstation 101 160 first signature server 110 client 161 second signature server 110 client 162 third signature server 110 client 170 first authentication server client 171 second authentication server client 172 third authentication server client 180 signature server 110 firewall 181 authentication server firewall 182 signature server 110 physical security 183 authentication server physical security 190 token