CN106372941B - Based on the ca authentication management method of block chain, apparatus and system - Google Patents
Based on the ca authentication management method of block chain, apparatus and system Download PDFInfo
- Publication number
- CN106372941B CN106372941B CN201610782864.2A CN201610782864A CN106372941B CN 106372941 B CN106372941 B CN 106372941B CN 201610782864 A CN201610782864 A CN 201610782864A CN 106372941 B CN106372941 B CN 106372941B
- Authority
- CN
- China
- Prior art keywords
- certificate
- transaction
- block chain
- block
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
Abstract
The safety for being at least able to solve root ca certificate caused by existing CA verification mode the invention discloses a kind of ca authentication management method based on block chain, apparatus and system is difficult to ensure, and then the technical issues of cause the accuracy of entire verification process to reduce.Wherein, block chain further comprises wound generation block and conventional block, and creates generation block for storing root ca certificate, which comprises receives the application certificate transaction comprising certificate of unsigning that node to be certified is sent in block chain network;The certificate of unsigning for including in the application certificate transaction is obtained, according to the certificates constructing signing certificate of unsigning;The certificate transaction comprising the signing certificate is sent to the node to be certified in block chain network;Wherein, the certificate transaction further comprises: being directed toward the first output par, c of the node block chain account to be certified address, and is directed toward the second output par, c of preset controllable block chain account address.
Description
Technical field
The present invention relates to network communication technology fields, and in particular to a kind of ca authentication management method based on block chain, dress
It sets and system.
Background technique
Digital certificate be it is a kind of issued by authoritative institution, on network prove user identity documentary evidence, issue
The process of hair digital certificate is referred to as Certificate Authority (Certification Authority, abbreviation CA) process.Tradition
Certificate authority system include root CA and root CA subordinate multistage CA, wherein root CA is most trust in certificate authority system
Certification authority, can independently certificate, root CA generates certificate by oneself signature, not need by other CA mechanisms
For its certificate.Other CA mechanisms at different levels can be its certificate by its higher level CA mechanism, or its junior CA machine
Structure and its client's certificate, wherein the client of CA mechanism can be various network entities, for example, it may be website
(website)。
It is large number of due to CA mechanism, and level is different, therefore, during traditional ca authentication, in order to identify one
The true and false of a certificate not only will carry out signature verification to the certificate, moreover, also the mechanism for signing and issuing the certificate is verified,
Also, there are higher level CA mechanisms if signing and issuing the mechanism of the certificate, it is also necessary to further verify to higher level CA mechanism, directly
To root CA.For this reason, it may be necessary to user's certificate corresponding to built-in root CA in a browser in advance, in order to verify the true and false of root CA.
But root ca certificate built in user in a browser is easy to meet with the attack of hacker, thus lead to the peace of root ca certificate
Full property is lower, once and root ca certificate be maliciously tampered, then will affect the result of entire verification process.
It can be seen that existing verification mode is due to needing user to pre-save root ca certificate, thus not only increase use
The operating quantity at family occupies the local storage space of user, and the safety for also resulting in root ca certificate is difficult to ensure, and then is caused
The accuracy of entire verification process reduces.
Summary of the invention
In view of the above problems, the present invention is proposed to overcome the above problem in order to provide one kind or at least be partially solved
The above problem based on the ca authentication management method of block chain, apparatus and system.
According to one aspect of the present invention, a kind of ca authentication management method based on block chain, the block chain are provided
It further comprise wound generation block and conventional block, and the wound generation block is for storing root CA certificate, which comprises
Receive the application certificate transaction comprising certificate of unsigning that node to be certified is sent in block chain network;Obtain the application
The certificate of unsigning for including in certificate transaction, according to the certificates constructing signing certificate of unsigning;In block chain network to
The node to be certified sends the certificate transaction comprising the signing certificate;Wherein, the certificate is traded into one
Step includes: to be directed toward the first output par, c of the node block chain account to be certified address, and be directed toward preset controllable block
Second output par, c of chain account address.
Optionally, further comprise: the application certificate being traded and corresponding first transaction record and described issues card
Book corresponding second transaction record of trading is respectively written into the conventional block of the block chain, and to packet in block chain network
Block containing first transaction record and second transaction record is broadcasted.
Optionally, the signing certificate is stored in the second output par, c of the certificate transaction.
It optionally, include verification information in the certificate of unsigning, then the certificates constructing of unsigning according to has been signed
The step of name certificate, specifically includes: the certificate of unsigning verified according to the verification information, after being verified,
The certificate of unsigning is digitally signed.
Optionally, the verification information includes at least one of the following: node public key to be certified, node to be certified letter
Breath, node address to be certified, certification nodal information, certification node address, validity period of certificate and certificate authority time.
Optionally, described that the application certificate corresponding first transaction record of transaction and the certificate are traded
Corresponding second transaction record is respectively written into after the step in the conventional block of the block chain, further comprises: from described
Second transaction record is searched in conventional block, and the signing certificate is obtained according to second transaction record;In block
The cancellation of doucment transaction comprising the signing certificate is sent in chain network, wherein cancellation of doucment transaction includes being directed toward institute
The importation of the second output par, c of certificate transaction is stated, and is directed toward the defeated of the node block chain account to be certified
Part out.
Optionally, further comprise: receiving the certificate query request that user terminal is sent, obtain the certificate query and ask
The certificate information for including in asking;Corresponding transaction record is searched from the conventional block according to the certificate information, and according to
The transaction record found obtains corresponding signing certificate;The signing certificate is sent to the user terminal.
Optionally, after described the step of sending the signing certificate to the user terminal, further comprise: looking into
The transaction record corresponding with the signing certificate stored in the conventional block is ask, when judging in the transaction record
The state of the second output par, c be when not spending state, Xiang Suoshu user terminal sends certificate efficient message;When judging
The state for stating the second output par, c in transaction record is when having spent state, and Xiang Suoshu user terminal sends certificate and disappears in vain
Breath.
Optionally, the root ca certificate includes: that root CA public key, root CA information, the address root CA, validity period of certificate, certificate are issued
Send out time and digital signature.
Another aspect according to the present invention provides a kind of ca authentication managing device based on block chain, the block chain
It further comprise wound generation block and conventional block, and the wound generation block is for storing root CA certificate, which comprises
Receiving module, the application certificate transaction comprising certificate of unsigning sent in block chain network suitable for receiving node to be certified;
Module is obtained, suitable for obtaining the certificate of unsigning for including in the application certificate transaction, has unsigned certificates constructing according to described
Signing certificate;Sending module, suitable for being sent to the node to be certified comprising the signing certificate in block chain network
Certificate transaction;Wherein, the certificate transaction further comprises: with being directed toward the node block chain account to be certified
First output par, c of location, and it is directed toward the second output par, c of preset controllable block chain account address.
Optionally, further comprise: logging modle is suitable for corresponding first transaction record that the application certificate is traded
And the certificate corresponding second transaction record of trading is respectively written into the conventional block of the block chain, and in area
The block comprising first transaction record and second transaction record is broadcasted in block chain network.
Optionally, the signing certificate is stored in the second output par, c of the certificate transaction.
It optionally, include verification information in the certificate of unsigning, then the acquisition module is specifically used for: according to described
Verification information verifies the certificate of unsigning, and after being verified, is digitally signed to the certificate of unsigning.
Optionally, the verification information includes at least one of the following: node public key to be certified, node to be certified letter
Breath, node address to be certified, certification nodal information, certification node address, validity period of certificate and certificate authority time.
Optionally, further comprise: revocation module, suitable for searching second transaction record from the conventional block,
The signing certificate is obtained according to second transaction record;It is sent in block chain network comprising the signing certificate
Cancellation of doucment transaction, wherein cancellation of doucment transaction includes being directed toward the second output par, c of certificate transaction
Importation, and it is directed toward the output par, c of the node block chain account to be certified.
Optionally, further comprise: enquiry module, the certificate query request sent suitable for receiving user terminal obtain institute
State the certificate information for including in certificate query request;Corresponding friendship is searched from the conventional block according to the certificate information
Easily record, and corresponding signing certificate is obtained according to the transaction record found;Described signed is sent to the user terminal
Name certificate.
Optionally, the enquiry module is further used for: storing with the card of having signed in the inquiry conventional block
The corresponding transaction record of book, when the state for judging the second output par, c in the transaction record is not spend state, to
The user terminal sends certificate efficient message;When the state for judging the second output par, c in the transaction record is
When cost state, Xiang Suoshu user terminal sends certificate invalid message.
Optionally, the root ca certificate includes: that root CA public key, root CA information, the address root CA, validity period of certificate, certificate are issued
Send out time and digital signature.
According to the present invention in another aspect, a kind of ca authentication management system based on block chain is provided, including above-mentioned
Ca authentication managing device and node to be certified.
In the ca authentication management method provided by the invention based on block chain, apparatus and system, block chain network is utilized
The certificate and customer's certificate of CA mechanisms at different levels are managed, also, root ca certificate is stored into the wound generation block to block chain network
In, since wound generation block is first block, safety is high, is difficult to be tampered.Correspondingly, the present invention will issue card
The process of book is converted into the process of exchange in block chain network, and in the way of block chained record transaction record that institute is related
It is all recorded in block chain in the operating process of certificate, to make the user do not need locally prestoring root ca certificate, only needs basis
Block chain network is inquired, and is thus not only simplified user's operation, has been saved user's space, and greatly improves root
The safety of CA certificate and the accuracy of subsequent authentication process.
The above description is only an overview of the technical scheme of the present invention, in order to better understand the technical means of the present invention,
And it can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can
It is clearer and more comprehensible, the followings are specific embodiments of the present invention.
Detailed description of the invention
By reading the following detailed description of the preferred embodiment, various other advantages and benefits are general for this field
Logical technical staff will become clear.The drawings are only for the purpose of illustrating a preferred embodiment, and is not considered as to this hair
Bright limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows the node distribution map in the block chain network of the embodiment of the present invention;
Fig. 2 shows the flow charts of the ca authentication management method provided by one embodiment of the present invention based on block chain;
Fig. 3 shows the certification hierarchy of root CA;
Fig. 4 shows the flow chart of the certificates constructing process of other CA mechanisms;
Fig. 5 shows the schematic diagram of a transaction;
Fig. 6 shows the schematic diagram of certificate transaction;
Fig. 7 shows the flow chart of the certificates constructing process of the client of CA mechanism;
Fig. 8 shows the certification hierarchy figure of signing certificate;
Fig. 9 a show in the embodiment of the present invention three issue and Website server that cancellation of doucment link relates generally to,
The flow diagram of CA and block chain;
Fig. 9 b shows the Website server related generally in the embodiment of the present invention three in inquiry certificate link, user's end
The schematic diagram of end and block chain;
Figure 10 shows the network architecture diagram based on block chain;
Figure 11 show another embodiment of the present invention provides a kind of ca authentication managing device based on block chain structure
Figure;
Figure 12 show another embodiment of the present invention provides a kind of ca authentication management system based on block chain structure
Schematic diagram.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing this public affairs in attached drawing
The exemplary embodiment opened, it being understood, however, that may be realized in various forms the disclosure without the implementation that should be illustrated here
Example is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the disclosure
Range is fully disclosed to those skilled in the art.
The embodiment of the invention provides a kind of based on the ca authentication management method of block chain, apparatus and system, at least can
The safety for solving root ca certificate caused by existing CA verification mode is difficult to ensure, and then leads to entire verification process
The technical issues of accuracy reduces.
In embodiments of the present invention, more particularly to following a few class network entities in block chain network: (1) root CA, be most by
The certificate agency of trust;(2) other CA (non-root CA) at different levels need to identify it by higher level CA mechanism is its certificate
Identity;(3) client server can to the corresponding server of user of CA mechanism requests certificate, such as Website server
It is interpreted as the client of CA mechanism;(4) ordinary user, the user for needing to verify other side's certificate during network communication are corresponding
User terminal.Wherein, in embodiments of the present invention, preceding three classes network entity is linked into area as the node in block chain network
In block chain network, thus all information in block chain can be inquired, the 4th class network entity is not used as in block chain network
Node is linked into block chain network, thus any node that need to be first coupled in block chain network is inquired.Certainly, exist
In others embodiment of the invention, the light node in block chain network can also be also used as to be linked into the 4th class network entity
In block chain network, in order to inquire.In addition, CA mechanism belongs to complete in block chain network in above-mentioned a few class network entities
Full node has the power of packing, transaction record can either be written into block chain, can also read the transaction record in block chain;
Client server can be complete node or non-fully node, but not have the power of packing, can not be written into block chain
Transaction record is merely able to read the transaction record in block chain.Fig. 1 is shown in the block chain network of the embodiment of the present invention
Node distribution map.As shown in Figure 1, first layer is root CA, and since the certificate of root CA is self-signed certificate, it first passes through in advance hard
In coding mode write-in wound generation block, to realize the purpose that can not be changed, and then safety is improved.CAn is other CA mechanisms,
The certificate of such CA mechanism need to be issued by higher level CA mechanism.For example, CA1, CA2 and CA3 are the junior CA of root CA in Fig. 1,
It need to be its certificate by root CA, to prove oneself identity.CA11 and CA12 is the junior CA of CA1, need to be by CA1
Its certificate is to prove identity.Client server is the client needed to CA mechanism requests certificate, wherein client angle
Color includes but are not limited to Website server, understands for convenience, is said by taking Website server as an example in the present embodiment
It is bright.For example, in Fig. 1, client server 1 and client server 2 are the client of CA11.
Fig. 2 shows the flow charts of the ca authentication management method provided by one embodiment of the present invention based on block chain.Figure
The executing subject of method shown in 2 is either root CA, is also possible to other CA at different levels.As shown in Fig. 2, this method comprises:
Step S210: the application certificate comprising certificate of unsigning that node to be certified is sent in block chain network is received
Transaction.
Wherein, node to be certified refers to the network entity that all kinds of needs are its certificate by CA mechanism, for example, can be with
It is CA mechanism, junior, is also possible to client server.It wherein, include certificate of unsigning in the transaction of this application certificate.
Step S220: the certificate of unsigning for including in above-mentioned application certificate transaction is obtained, according to the certificates constructing of unsigning
Signing certificate.
Wherein, signing certificate is generated by way of signing to certificate of unsigning.It specifically, can be by each
Class Digital Signature Algorithm is signed, the present invention to specific signature algorithm without limitation.
Optionally, before being signed, further (i.e. above-mentioned is to be certified by the initiator of verifying application certificate transaction
Node) it whether is to audit the network node passed through in advance, and only sign when verification result is correct, if verification result is wrong
Mistake is then refused to sign.It can prevent unauthorized malicious behaviors of nodes from sending application certificate transaction by verifying link, improve application certificate
The reliability of transaction.
Step S230: the certificate transaction comprising signing certificate is sent to node to be certified in block chain network;
Wherein, certificate transaction further comprises: it is directed toward the first output par, c of node block chain account to be certified address, and
It is directed toward the second output par, c of preset controllable block chain account address.
Wherein, according to signing certificate generate and send certificate transaction, with notify node certificate application to be certified at
Function.
Optionally, the embodiment of the present invention can further include following step S240: application certificate transaction is corresponded to
The first transaction record and certificate corresponding second transaction record of trading be respectively written into the conventional block of block chain,
And the block comprising first transaction record and second transaction record is broadcasted in block chain network.
Specifically, in the present invention, block chain further comprises wound generation block and conventional block, and creates generation block and use
In storage root ca certificate, conventional block is used to store the corresponding transaction record of all kinds of certificate authority operations, looks into so as to subsequent
It askes.So-called wound generation block, refers to first block in block chain, and it is earliest to generate the time, safety highest, it is subsequent other
Block haves no right to be modified wound generation block, therefore, root ca certificate storage can be obviously improved root CA into wound generation block
The safety of certificate.Other blocks in block chain in addition to creating generation block are referred to as conventional block, for storing each transaction
Record, for inquiry.
Wherein, the executing subject of step S240 is either node to be certified mentioned above, is also possible to block link network
Other network nodes in network, for example, it can be the network nodes that signature operation is executed to certificate of unsigning.The present invention couple
Without limitation, therefore, step S240 is an optional step to the executing subject of step S240.
It can be seen that utilizing block chain network pipe in the ca authentication management method provided by the invention based on block chain
The certificate and customer's certificate of CA mechanisms at different levels are managed, also, by root ca certificate storage into the wound generation block of block chain network,
Since wound generation block is first block, safety is high, is difficult to be tampered.Correspondingly, the present invention is by certificate
Process be converted into the process of exchange in block chain network, and will be all about in the way of block chained record transaction record
The operating process of certificate is all recorded in block chain, thus make the user do not need locally prestoring root ca certificate, it only need to be according to area
Block chain network is inquired, and is thus not only simplified user's operation, has been saved user's space, and greatly improves root CA
The safety of certificate and the accuracy of subsequent authentication process.
Below with reference to specific example the present invention is described in detail provide the ca authentication management method based on block chain it is specific
Realize details.Wherein, three kinds of management types, respectively certificate, cancellation of doucment and inquiry certificate are related generally to, below
Introduce the detailed process of each type of management operation respectively by three embodiments:
Embodiment one,
The present embodiment is mainly used for realizing certificate class management operation.Specifically, certificate is related to root ca certificate
Generating process, the process of junior CA superior CA application certificate and process from client to CA mechanism application certificate, separately below
It is introduced:
(1) the certificates constructing process of root CA mechanism:
Since root CA is most trusted certificate agency, and the certificate of root CA is self-signed certificate, and no higher level CA recognizes
Card, therefore, the certificate of root CA can trust for a long time, hardly need change.So in embodiments of the present invention will
Wound generation block is written by hard coded mode in root ca certificate, after being all built upon wound generation block due to remaining block, so area
The operation of each node can not be modified wound generation block on block chain, even if thus having ensured the node quilt malice in block chain
Attack can not also change the certificate of root CA.Fig. 3 shows the certification hierarchy of root CA, since the certificate of root CA is self-signed certificate,
It signs without higher level CA mechanism for it, so need to only record the information of root CA itself in certificate.As shown in figure 3, root ca certificate
In include: certificate agency public key, certificate agency information, the block chain account address of certificate agency, validity period of certificate, certificate
Issue the other informations such as time and digital signature.Wherein, block chain account address includes but is not limited to bit coin address.
(2) the certificates constructing process of other CA mechanisms:
Fig. 4 shows the flow chart of the certificates constructing process of other CA mechanisms.As shown in figure 4, the certificate of other CA mechanisms
Generating process includes the following steps:
Step S410: superior CA mechanism in block chain network, CA mechanism, junior sends application certificate transaction.
Here, junior CA mechanism is it can be appreciated that node to be certified, higher level CA mechanism is it can be appreciated that certification section
Point.The embodiment of the present invention can realize based on the transaction format of publicly-owned block chain, and therefore, every transaction may include input and defeated
Two parts out.Fig. 5 shows the schematic diagram of the transaction, may include the certificate of unsigning of CA mechanism, junior in output par, c, i.e.,
Incomplete certificate.Wherein, any certificate of other nodes on block chain in order to prevent, is written in certificate of unsigning
The relevant information of higher level CA mechanism.
Step S420: higher level CA mechanism obtains the certificate of unsigning for including in the transaction of above-mentioned application certificate, according to unsigning
Certificates constructing signing certificate.
In order to improve safety, optionally, in this step, higher level CA mechanism is got in above-mentioned application certificate transaction
After the certificate of unsigning for including, further the certificate of unsigning is verified, and subsequent behaviour is only executed after being verified
Make.For the ease of verifying, verification information can be further included in above-mentioned certificate of unsigning, which, which removes, includes
Except the relevant information of higher level CA mechanism mentioned above, can also include node public key to be certified, nodal information to be certified,
Node block chain account to be certified address, certification nodal information, certification node block chain account address, validity period of certificate and
At least one of information such as certificate authority time.When specific verifying, higher level CA mechanism is according to above-mentioned verification information to junior
The identity of CA mechanism is verified, and is verified to the legitimacy for certificate of unsigning.Moreover, higher level CA mechanism will also be into one
Step card unsign include in certificate certificate agency block chain account address whether the block chain account with the higher level CA mechanism
Address matches, if matching, illustrates that specified certificate mechanism, CA mechanism, junior is the higher level CA mechanism, thus continues
Execute subsequent step;If mismatching, illustrate that specified certificate mechanism, CA mechanism, junior is not the higher level CA mechanism, because
And error message is returned to CA mechanism, junior, to prompt CA mechanism, junior to retransmit correct Transaction Information.Wherein, this hair
The bright execution opportunity to verification step without limitation, for example, it is also possible to be verified after signature.In addition, institute in verification step
The execution sequence for each verifying link for including also is arbitrary, and those skilled in the art can be arranged each according to actual needs
Verify the verifying sequence of link.
After above-mentioned verification process passes through, higher level CA mechanism signs to certificate of unsigning, i.e., supplement is not signed completely
Name certificate, obtains signing certificate.Generally comprised in signing certificate: the public key of user, the information of user, user block
Chain account address, certificate agency information, the block chain account address of certificate agency, validity period of certificate, certificate authority time etc. its
His information and digital signature.Wherein, user refers to CA mechanism, junior, and certificate agency refers to that higher level CA mechanism, digital signature are
Refer to that higher level CA mechanism carries out the result of private key encryption to the Hash of the other information in certificate in addition to digital signature.
In addition, higher level CA mechanism also generates the controllable address that can be controlled, wherein the controllable address both can be in step
Generate, can also pre-generate in S420, the present invention to generation opportunity of controllable address without limitation.Generate the controllable address
Purpose essentially consist in identity certificate status information, in order to inquire certificate status.
Step S430: higher level CA mechanism sends issuing comprising signing certificate to CA mechanism, junior in block chain network
It issues licence transaction;Wherein, certificate transaction further comprises: being directed toward the first output par, c of node to be certified, and refers to
To the second output par, c of preset controllable address.Here, controllable address is controllable block chain account address mentioned above
Abbreviation.Also, node to be certified is usually to pass through its account address in block chain network to be identified, therefore, the
One output par, c is actually to be directed toward node block chain account to be certified address.In addition, working as other nets of direction referred to herein
When network node (such as CA mechanism, junior), actually and it is directed toward the block chain account address of the network node.
Higher level CA mechanism initiates a certificate transaction to CA mechanism, junior, and the transaction is written in signing certificate
Output par, c.Fig. 6 shows the schematic diagram of certificate transaction, as shown in fig. 6, certificate transaction is by root CA machine
Structure is initiated, and " input " in Fig. 6 is partially the importation of transaction, which can be sky, and the address of root CA can also be added
Information.As shown in fig. 6, there are two output par, cs altogether for the transaction, wherein output 0 is direction junior CA mechanism (i.e. junior CA
Mechanism block chain account address) the first output par, c, for being sent to CA mechanism, junior, to notify CA mechanism, the junior card
Book has been issued.Output 1 is the second output par, c for being directed toward above-mentioned controllable address, wherein " signing certificate " table in the part
Show the overall format certificate by signature.Wherein, the sequence of above-mentioned output 0 and output 1 can be arbitrary.In addition, at this
In step, higher level CA mechanism is further collected money from the audience into controllable address to generate the second above-mentioned output par, c, therefore, the part
Output may also be referred to as not spending transaction output (unspent transaction outputs, abbreviation UTXO).Therefore, second
The original state of output par, c is not spend state effectively for identity certificate, it may be assumed that as long as higher level CA mechanism is to controllably
The money (such as bit coin) squeezed into location is not spent, then the state of the second output par, c, which always remains as, does not spend state, from
And certification is effective, once the money that higher level CA mechanism is squeezed into controllable address is spent, then the shape of the second output par, c
State, which is changed into, has spent state, so that certification is invalid.
Step S440: above-mentioned application certificate is traded for higher level CA mechanism and certificate is traded corresponding transaction record
It is written in the conventional block of block chain, and hands in block chain network comprising first transaction record and described second
The block easily recorded is broadcasted.
Wherein, step S440 is an optional step.In addition, the executing subject of step S440 is in addition to that can be higher level
Outside CA mechanism, can also be other network nodes in block chain network, the present invention do not limit by above-mentioned application certificate trade with
And certificate is traded the network node of corresponding transaction record write-in block chain.Moreover, above-mentioned application certificate is traded and is issued
The corresponding transaction record of trading of issuing licence can be both written by the same network node, can also be respectively by different network sections
Point write-in.
(3) the certificates constructing process of client:
Fig. 7 shows the flow chart of the certificates constructing process of the client of CA mechanism, in this example, takes by website of client
It is illustrated for business device, in fact, can also be other kinds of client server in addition to Website server.Such as Fig. 7 institute
Show, the certificates constructing process of client includes the following steps:
Step S710: Website server sends application certificate transaction to CA mechanism in block chain network.
Here, Website server is it can be appreciated that node to be certified, CA mechanism is it can be appreciated that certification node.It should
It include the certificate of unsigning of Website server, i.e., incomplete certificate in the output par, c of transaction.Wherein, area in order to prevent
Any certificate of other nodes on block chain, is also written with the relevant information of CA mechanism in certificate of unsigning.Then, net
Site server will apply certificate trade corresponding transaction record write-in block chain conventional block in.
Step S720:CA mechanism obtains the certificate of unsigning for including in above-mentioned application certificate transaction, according to certificate of unsigning
Signing certificate is generated, and generates the controllable address that the CA mechanism can control.
In order to improve safety, optionally, in this step, CA mechanism, which is got in above-mentioned application certificate transaction, includes
Certificate of unsigning after, further the certificate of unsigning is verified, and subsequent operation is only executed after being verified.
For the ease of verifying, verification information can be further included in above-mentioned certificate of unsigning, the verification information is except mentioned above
CA mechanism relevant information except, can also be node public key to be certified, nodal information to be certified, node address to be certified,
Authenticate the information such as nodal information, certification node address, validity period of certificate and certificate authority time.When specific verifying, CA machine
Structure is verified according to identity of the above-mentioned verification information to Website server, and is tested the legitimacy for certificate of unsigning
Card.Moreover, CA mechanism also further to verify include in certificate of unsigning certificate agency address whether the ground with this CA mechanism
Location matches, if matching, illustrates that the specified certificate mechanism of Website server is this CA mechanism, thus after continuing to execute
Continuous step;If mismatching, illustrate that the specified certificate mechanism of Website server is not this CA mechanism, thus is taken to website
Business device returns to error message, to prompt its to retransmit correct Transaction Information.
After above-mentioned verification process passes through, CA mechanism signs to certificate of unsigning, i.e. the complete card of unsigning of supplement
Book obtains signing certificate.Wherein, the certification hierarchy of signing certificate is as shown in Figure 8, comprising: the public key of user, user
Other letters such as information, the address of user, certificate agency information, the address of certificate agency, validity period of certificate, certificate authority time
Breath and digital signature.
In addition, CA mechanism will also generate the controllable address that can be controlled, which can generate in this step,
It can also pre-generate, the purpose for generating the controllable address essentially consists in Store Credentials status information, in order to inquire certificate shape
State.
Step S730:CA mechanism sends to Website server in block chain network and issues card comprising signing certificate
Book transaction;Wherein, certificate transaction further comprises: being directed toward the first output par, c of Website server, and being directed toward can
The second output par, c of address is controlled, and is stored in the second output par, c and does not spend status information effectively for identity certificate.
CA mechanism initiates a certificate transaction to Website server, and the defeated of the transaction is written in signing certificate
Part out.Wherein, there are two output par, cs altogether for the transaction, wherein is directed toward the first output par, c of junior CA mechanism for sending out
CA mechanism, junior is given, to notify CA mechanism, junior that the certificate has been issued.Second output par, c is directed toward above-mentioned controllable address,
Wherein, the sig (cert) in the part indicates the overall format certificate by signature.In addition, in this step, CA mechanism into
One step is collected money from the audience into controllable address to generate the second above-mentioned output par, c, and therefore, part output may also be referred to as not spending
Transaction output (unspent transaction outputs, abbreviation UTXO).Alternatively, it is also possible to be interpreted as part output
In include not spend status information effectively for identity certificate, it may be assumed that as long as the money that CA mechanism is squeezed into controllable address
(being bit coin) is not spent yet, then illustrates that certificate is effective.
Above-mentioned application certificate is traded for step S740:CA mechanism and the corresponding transaction record of certificate transaction is written
In the conventional block of block chain, and the block comprising above-mentioned transaction record is broadcasted in block chain network.
Wherein, step S740 is an optional step.In addition, the executing subject of step S740 is in addition to that can be CA machine
Outside structure, it can also be other network nodes in block chain network, the present invention, which does not limit, to trade above-mentioned application certificate and issue
It issues licence the network node of corresponding transaction record write-in block chain of trading.Moreover, card is traded and issued to above-mentioned application certificate
The corresponding transaction record of book transaction can be both written by the same network node, can also be write respectively by different network nodes
Enter.
Embodiment two,
The present embodiment is mainly used for realizing cancellation of doucment class management operation.Specifically, cancellation of doucment is related to higher level CA mechanism
It cancels operation that it is the certificate that CA mechanism, junior issues and CA mechanism cancels the operation that it is the certificate that client issues, by
It is similar in the process of two class destruction operations, therefore, first kind destruction operation is mainly introduced below:
Because the corresponding address of certificate is controlled by certification authority, card is issued in certification authority inquiry
The transaction of book, and inquire to the output par, c (i.e. UTXO) where certificate agency controllable address generated, by the output par, c
In include the amount of money use up, that is, show that certificate is revoked.
Specifically, the corresponding transaction record of above-mentioned certificate is searched from conventional block by CA mechanism, is obtained according to the transaction record
Take signing certificate;Send comprising this signing certificate cancellation of doucment transaction, the cancellation of doucment transaction include be directed toward issues card
The importation of second output par, c of book transaction, and it is directed toward the output par, c of node block chain account to be certified.It is specific real
Now, the output par, c of preset controllable address is directed toward in cancellation of doucment transaction in importation reference certificate transaction,
The block chain account address of CA mechanism can be set in output par, c.By cancellation of doucment transaction can will be directed toward it is preset can
The state for controlling the second output par, c of block chain account address does not spend Status Change from initial to have spent state, thus
Indicate that certificate is invalid.
Above-mentioned revocation mode both can be applied to cancel the certificate of CA mechanism, also can be applied to client's
Certificate is cancelled.After certificate revocation, the state information updating that do not spend in the output of the corresponding transaction of the certificate is to have spent
Status information, to show that certificate is invalid.
Embodiment three,
The present embodiment is mainly used for realizing inquiry (verifying) certificate class management operation.Wherein, the verifying of certificate be usually by
There are the users of information exchange to go to verify with certificate owner's (such as Website server), and verification process will not only verify certificate
Whether the certificate that owner itself is possessed is effective, also successively to verify the certificate of certification authority upwards.Specifically, it tests
The key step of card process is as follows:
Step 1: user terminal access server, server sends the certificate that server is possessed to user terminal.
Specifically, whether correct user need to verify the contents such as the validity period of certificate, if correctly, continuing to execute subsequent step
Suddenly, otherwise confirm certificate error.
Step 2: any network node of the user terminal into block chain network sends certificate query request, the network section
Point receives and processes certificate query request.
Wherein, the network node of certificate query request is received and processed either CA mechanism, is also possible to website clothes
Business device saves complete area due to the distributed storage feature of block chain network decentralization on each network node
Block chain information.The network node issues machine according to certificate query request certificate information wherein included, and according to certificate
Transaction Information is taken out in the corresponding transaction of the block chain account address search certificate of structure and certificate owner.
Step 3: the network node obtains corresponding signing certificate according to Transaction Information, by this, signing certificate has been sent
To user terminal.
Specifically, the network node is first according to the address for the certification authority recorded in certificate and certificate owner
The address of (such as Website server) searches the transaction that the certification authority is initiated to certificate owner to block chain, inquiry
A newest transaction out, and take out signing certificate therein.Then, the network node this signing certificate is sent to
User terminal.Whether the certificate received in the signing certificate and step 1 that user relatively receives is consistent, continues if consistent
Subsequent step is executed, otherwise confirms certificate error.
Step 4: the transaction record corresponding with signing certificate that stores in inquiry block chain, when judging transaction record
In the second output par, c include when not spending status information, confirmation certificate is effective;When judging that second in transaction record is defeated
Part is comprising when having spent status information, confirmation certificate is invalid out.
Wherein, step 4 can both be completed by user terminal, can also be completed by user terminal requests CA mechanism.Also,
Step 4 can answer the request of user terminal and trigger, can also after step 3 is finished automatic trigger.Specifically, if
This output is used up, then illustrates that certificate has been revoked;If this output is not used up, illustrate that certificate is effective, wherein
The amount of money having in the output is passed through trade give-ups to other addresses by meaning that for using up.
Step 5: the certificate of the upward examination of credentials issuing organization of recurrence, until root certificate.
Wherein, step 5 can both trigger under the request of user terminal, can also be automatic after step 4 has executed
Triggering.In order to ensure the validity of certificate, need further to examine the legitimacy of the issuing organization of the certificate, that is, further examine
Whether the certificate for looking into the issuing organization of the certificate is effective.The checking process of the part and the examination class to Website server certificate
Seemingly, it is mainly examined in terms of the correctness of certificate and validity two.Wherein, in addition to root certificate, the mistake of other inquiry certificates at different levels
Journey is essentially identical: firstly, according to content verifications certificates such as validity periods on certificate, secondly, going on block chain to search the card of preservation
Whether whether correct secretary's record compares examination of credentials, finally, being revoked by inquiry UTXO state come examination of credentials.As for
The examination of root certificate need to only go in wound generation block to be examined, not need to verify whether to be revoked.Since root certificate is certainly
Signing certificate does not have higher level's issuing organization, would not be revoked after generation block is created in write-in.So the mistake of verifying root certificate
Whether whether correctly journey only needs to verify certificate, do not need to examine validity period and be revoked.
If each of the above step card does not pass through, i.e., there are problems for explanation, can directly return to verification result, be not necessarily to
Continue to verify.
By above-mentioned process, it is achieved that the checking process of certificate.In addition, in order to be more fully understood the present invention, Fig. 9 a
The flow chart for the links being related in the above embodiment of the present invention is respectively illustrated with Fig. 9 b.As illustrated in fig. 9, of the invention
It is being issued and cancellation of doucment link relates generally to Website server, CA and block chain in above-described embodiment.In step 91,
Website server initiates transaction, sends certificate of unsigning.In step 92, CA authority signature certificate generates certificate account address
(controllable address i.e. mentioned above).In step 93, CA mechanism initiates certificate transaction, certificate is written and to certificate
Account is collected money from the audience.In step 94, the UTXO to collect money from the audience in the inquiry certificate transaction of CA mechanism generates a cancellation of doucment transaction,
This output is used up.As shown in figure 9b, website service is related generally in inquiry certificate link in the above embodiment of the present invention
Device, user terminal and block chain.In step 95, user terminal access Website server.In step 96, website service
Device returns to certificate to user terminal.In step 97, user believes according to transaction corresponding with the certificate in certificate lookup block chain
Breath.In step 98, user terminal makes comparisons the certificate on the certificate of Website server and block chain.In step 99,
Corresponding UTXO state in user terminal verifying transaction.In step 100, the certificate of CA mechanism is examined.In a step 101, it examines
The certificate of Cha Gen CA mechanism.Examination result is returned in a step 102.
Figure 10 shows the network architecture diagram based on block chain.As shown in Figure 10, which includes: root CA, root CA
Junior CA1 and the bit coin address (controllable address i.e. mentioned above) that is controlled by root CA, further includes: client's net of CA1
Site server and the bit coin address (controllable address i.e. mentioned above) controlled by CA1, in addition, further including user user
Terminal and block chain create generation block.It can be seen from fig. 10 that Website server can send application certificate transaction to CA1,
CA1 can also send application certificate transaction to root CA.Correspondingly, root CA can send certificate transaction, CA1 to CA1
Certificate transaction can be sent to Website server, wherein while sending certificate transaction, it is also necessary to issuing
The mechanism of certificate collects money from the audience in controllable bit coin address.In addition, user can access the effective of any network node verifying certificate
Property.
It can be seen from the above that the present invention makes use of block chains the management operation such as to issue, cancel and inquire carry out CA certificate, fills
Divide and the characteristics of being not easy to distort and come into the open of block chain is utilized, the deficiency in traditional ca authentication is compensated for, so that CA's issues
It is propagated faster with revocation information, improves the confidence level of certification authority, especially root CA, user can be by looking into real time
The record ask on block chain carrys out examination of credentials, relatively reliable.In addition, the distributed nature of block chain is depended on, so that even if CA
Node will not influence the safety of entire CA network by malicious attack, and block chain network is possible to
Problem is perceived in a short time.
In addition, those skilled in the art can carry out various changes and deformation to above-described embodiment, for example, this field skill
Art personnel can also be modified from following several respects:
(1) in the above-described embodiments, the node on block chain includes CA mechanism and mechanism (such as website clothes for applying for certificate
Business device), and verified when ordinary user's verifying certificate by any node on access block chain.It is alternatively possible to allow general
General family is also used as the access of a node on block chain to come in, to improve the flexibility of verification process.
(2) since the certificate of root CA is that wound generation block is written by hard coded, there are multiple in block chain network
CA, once some root CA is broken, to change root CA, it will destroy entire block chain network.It optionally, is all roots
CA establishes a superior root, write-in wound generation block.By superior root come for root CA certificate.
(3) present invention generates the controllable address of a certification authority in certificate, and transaction generates the account
The corresponding UTXO in family judges whether certificate cancels by the way that whether the UTXO is used up.Optionally, due to the validity of certificate
It is to rely on UTXO, not particular account, therefore, the same account can be multiplexed, i.e., a certification authority only needs
Such account is generated, all certificates which issues UTXO generated all corresponds to this account
Family.
It (4) is the ground of certification authority and application organization comprising an option in the certificate of the embodiment of the present invention
Location, i.e. its corresponding account address in block chain network.Optionally, in order to keep the unification with traditional certificate format, this portion
Dividing can not also be put into certificate, and write direct inside the output par, c content of every transaction, as follows:
Figure 11 show another embodiment of the present invention provides a kind of ca authentication managing device based on block chain structure
Figure.Wherein, block chain further comprises wound generation block and conventional block, and creates generation block and be used to store root ca certificate, described
Device includes:
Receiving module 101, the Shen comprising certificate of unsigning sent in block chain network suitable for receiving node to be certified
It please certificate transaction;
Module 102 is obtained, suitable for obtaining the certificate of unsigning for including in the application certificate transaction, is not signed according to described
Name certificates constructing signing certificate;
Sending module 103 is suitable in block chain network sending to the node to be certified comprising the signing certificate
Certificate transaction;Wherein, the certificate transaction further comprises: being directed toward the node block chain account to be certified
First output par, c of address, and it is directed toward the second output par, c of preset controllable block chain account address.
Optionally, which further comprises: logging modle 104, is suitable for application certificate transaction corresponding first
Transaction record and the certificate corresponding second transaction record of trading are respectively written into the conventional block of the block chain
In, and the block comprising first transaction record and second transaction record is broadcasted in block chain network.
Optionally, the signing certificate is stored in the second output par, c of the certificate transaction.
It optionally, include verification information in the certificate of unsigning, then the acquisition module is specifically used for: according to described
Verification information verifies the certificate of unsigning, and after being verified, is digitally signed to the certificate of unsigning.
Optionally, the verification information includes at least one of the following: node public key to be certified, node to be certified letter
Breath, node address to be certified, certification nodal information, certification node address, validity period of certificate and certificate authority time.
Optionally, which further comprises: revocation module, hands over suitable for searching described second from the conventional block
Easily record obtains the signing certificate according to second transaction record;It sends in block chain network and has been signed comprising described
The cancellation of doucment transaction of name certificate, wherein cancellation of doucment transaction includes being directed toward the second output of the certificate transaction
Partial importation, and it is directed toward the output par, c of the node block chain account to be certified.
Optionally, which further comprises: enquiry module, the certificate query request sent suitable for receiving user terminal,
Obtain the certificate information for including in the certificate query request;According to certificate information lookup pair from the conventional block
The transaction record answered, and corresponding signing certificate is obtained according to the transaction record found;Institute is sent to the user terminal
State signing certificate.Specifically, the enquiry module is further used for: stored in the inquiry conventional block with it is described
The corresponding transaction record of signing certificate, when judging the second output par, c in the transaction record is not spend state, to
The user terminal sends certificate efficient message;When judge the second output par, c in the transaction record be spent shape
When state, Xiang Suoshu user terminal sends certificate invalid message.
Wherein, the root ca certificate includes: root CA public key, root CA information, the address root CA, validity period of certificate, certificate authority
Time and digital signature.
The specific works details of above-mentioned modules can refer to the description of corresponding portion in embodiment of the method, herein no longer
It repeats.
In addition, the above-mentioned ca authentication managing device based on block chain is usually CA mechanism at different levels mentioned above.
Figure 12 show another embodiment of the present invention provides a kind of ca authentication management system based on block chain structure
Schematic diagram, as shown in figure 12, the system include: above-mentioned ca authentication managing device 100 and node to be certified 110.Wherein, CA
Authentication management device 100 is also possible to other CA at different levels either root CA;Node 110 to be certified is either CA machine at different levels
Structure is also possible to client server.
In conclusion in the inventive solutions, main includes following several key problem in technology points:
Firstly, the trust of block chain is joined jointly by all nodes using certificate as on a part write-in block chain of transaction
With completion.Therefore it ensure that the correctness of certificate.
Secondly, root certificate is written in wound generation block so that even if some node on block chain by malicious attack,
Root certificate can not arbitrarily be changed.
Again, using the transactional nature of bit coin, whether consumed by the UTXO that transaction generates, to judge certificate
Whether it is revoked.The process verified every time examines newest record on current block chain in real time, and solving user can not obtain in time
The problem of whether certificate is revoked known.
Finally, in conjunction with the distributed feature of block chain, all nodes all save the record of transaction, therefore user can be with
Arbitrary node is connected to go to be examined.So that checking process is independent of single source, it is therefore prevented that record and be maliciously tampered
Risk.
Algorithm and display are not inherently related to any particular computer, virtual system, or other device provided herein.
Various general-purpose systems can also be used together with teachings based herein.As described above, it constructs required by this kind of system
Structure be obvious.In addition, the present invention is also not directed to any particular programming language.It should be understood that can use various
Programming language realizes summary of the invention described herein, and the description done above to language-specific is to disclose this
The preferred forms of invention.
In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that implementation of the invention
Example can be practiced without these specific details.In some instances, well known method, knot is not been shown in detail
Structure and technology, so as not to obscure the understanding of this specification.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of the various inventive aspects,
In the above description of the exemplary embodiment of the present invention, each feature of the invention is grouped together into single reality sometimes
It applies in example, figure or descriptions thereof.However, the disclosed method should not be interpreted as reflecting the following intention: being wanted
Ask protection the present invention claims features more more than feature expressly recited in each claim.More precisely, such as
As following claims reflect, inventive aspect is all features less than single embodiment disclosed above.
Therefore, it then follows thus claims of specific embodiment are expressly incorporated in the specific embodiment, wherein each right
It is required that itself is all as a separate embodiment of the present invention.
Those skilled in the art will understand that adaptivity can be carried out to the module in the equipment in embodiment
Ground changes and they is arranged in one or more devices different from this embodiment.It can be the module in embodiment
Or unit or assembly is combined into a module or unit or component, and furthermore they can be divided into multiple submodule or sons
Unit or sub-component.It, can be with other than such feature and/or at least some of process or unit exclude each other
Using any combination to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and such as
All process or units of any method or apparatus of the displosure are combined.Unless expressly stated otherwise, this specification
Each feature disclosed in (including the accompanying claims, abstract and drawings) can be by providing identical, equivalent, or similar mesh
Alternative features replace.
In addition, it will be appreciated by those of skill in the art that although some embodiments in this include institute in other embodiments
Including certain features rather than other feature, but the combination of the feature of different embodiment means to be in model of the invention
Within enclosing and form different embodiments.For example, in the following claims, embodiment claimed is appointed
Meaning one of can in any combination mode come using.
Various component embodiments of the invention can be implemented in hardware, or to transport on one or more processors
Capable software module is realized, or is implemented in a combination thereof.It will be understood by those of skill in the art that can make in practice
It is realized with microprocessor or digital signal processor (DSP) some or all in device according to an embodiment of the present invention
The some or all functions of component.The present invention be also implemented as a part for executing method as described herein or
Whole device or device programs (for example, computer program and computer program product).It is such to realize journey of the invention
Sequence can store on a computer-readable medium, or may be in the form of one or more signals.Such signal can
To download from internet website, perhaps it is provided on the carrier signal or is provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and this
Field technical staff can be designed alternative embodiment without departing from the scope of the appended claims.In claim
In, any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" is not excluded for depositing
In element or step not listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple
Such element.The present invention can be by means of including the hardware of several different elements and by means of properly programmed calculating
Machine is realized.In the unit claims listing several devices, several in these devices can be by same
Hardware branch embodies.The use of word first, second, and third does not indicate any sequence.It can be by these words
It is construed to title.
Claims (19)
1. a kind of ca authentication management method based on block chain, which is characterized in that the block chain further comprises wound generation block
And conventional block, and the wound generation block is for storing root ca certificate, which comprises
Receive the application certificate transaction comprising certificate of unsigning that node to be certified is sent in block chain network;
The certificate of unsigning for including in the application certificate transaction is obtained, according to the certificates constructing signing certificate of unsigning;
The certificate transaction comprising the signing certificate is sent to the node to be certified in block chain network;Wherein,
The certificate transaction further comprises: it is directed toward the first output par, c of the node block chain account to be certified address, with
And it is directed toward the second output par, c of preset controllable block chain account address.
2. according to the method described in claim 1, wherein, further comprising: application certificate transaction corresponding first is handed over
Easily record and the certificate corresponding second transaction record of trading is respectively written into the conventional block of the block chain, and
The block comprising first transaction record and second transaction record is broadcasted in block chain network.
3. according to the method described in claim 1, wherein, the signing certificate is stored in the second of the certificate transaction
Output par, c.
4. it include verification information in the certificate of unsigning according to the method described in claim 1, wherein, then it is described according to institute
State unsign certificates constructing signing certificate the step of specifically include:
The certificate of unsigning is verified according to the verification information, after being verified, to it is described unsign certificate into
Row digital signature.
5. according to the method described in claim 4, wherein, the verification information includes at least one of the following: section to be certified
Point public key, nodal information to be certified, node address to be certified, certification nodal information, certification node address, validity period of certificate, with
And the certificate authority time.
6. according to the method described in claim 2, wherein, it is described by the application certificate trade corresponding first transaction record with
And the certificate is traded after the step that corresponding second transaction record is respectively written into the conventional block of the block chain,
Further comprise:
Second transaction record is searched from the conventional block, the card of having signed is obtained according to second transaction record
Book;
The cancellation of doucment transaction comprising the signing certificate is sent in block chain network, wherein cancellation of doucment transaction packet
The importation for being directed toward the second output par, c of the certificate transaction is included, and is directed toward the node block chain account to be certified
The output par, c at family.
7. according to the method described in claim 2, wherein, further comprising:
The certificate query request that user terminal is sent is received, the certificate information for including in the certificate query request is obtained;
Corresponding transaction record is searched from the conventional block according to the certificate information, and according to the transaction record found
Obtain corresponding signing certificate;
The signing certificate is sent to the user terminal.
8. according to the method described in claim 7, wherein, described the step of sending the signing certificate to the user terminal
Later, further comprise:
The transaction record corresponding with the signing certificate stored in the conventional block is inquired, when judging that the transaction remembers
The state of the second output par, c in record is when not spending state, and Xiang Suoshu user terminal sends certificate efficient message;Work as judgement
The state of the second output par, c in the transaction record is when having spent state out, and it is invalid that Xiang Suoshu user terminal sends certificate
Message.
9. according to the method described in claim 1, wherein, the root ca certificate includes: root CA public key, root CA information, root CA
Location, validity period of certificate, certificate authority time and digital signature.
10. a kind of ca authentication managing device based on block chain, which is characterized in that the block chain further comprises wound generation block
And conventional block, and the wound generation block, for storing root ca certificate, described device includes:
Receiving module is handed over suitable for receiving the application certificate comprising certificate of unsigning that node to be certified is sent in block chain network
Easily;
Module is obtained, it is raw according to the certificate of unsigning suitable for obtaining the certificate of unsigning for including in the application certificate transaction
At signing certificate;
Sending module issues card comprising the signing certificate suitable for sending in block chain network to the node to be certified
Book transaction;Wherein, the certificate transaction further comprises: being directed toward the first of the node block chain account to be certified address
Output par, c, and it is directed toward the second output par, c of preset controllable block chain account address.
11. device according to claim 10, wherein further comprise: logging modle is suitable for handing in the application certificate
Easy corresponding first transaction record and corresponding second transaction record of certificate transaction are respectively written into the block chain
Conventional block in, and to the block comprising first transaction record and second transaction record in block chain network
It is broadcasted.
12. device according to claim 10, wherein the signing certificate is stored in the of certificate transaction
Two output par, cs.
13. device according to claim 10, wherein include verification information, the then acquisition in the certificate of unsigning
Module is specifically used for:
The certificate of unsigning is verified according to the verification information, after being verified, to it is described unsign certificate into
Row digital signature.
14. device according to claim 13, wherein the verification information includes at least one of the following: to be certified
Node public key, nodal information to be certified, node address to be certified, certification nodal information, certification node address, validity period of certificate,
And the certificate authority time.
15. device according to claim 11, wherein further comprise:
Module is cancelled, suitable for searching second transaction record from the conventional block, is obtained according to second transaction record
Take the signing certificate;The cancellation of doucment transaction comprising the signing certificate is sent in block chain network, wherein described
Cancellation of doucment transaction includes the importation for being directed toward the second output par, c of the certificate transaction, and is directed toward described wait recognize
Demonstrate,prove the output par, c of node block chain account.
16. device according to claim 11, wherein further comprise:
Enquiry module, the certificate query request sent suitable for receiving user terminal obtain in certificate query request and include
Certificate information;Corresponding transaction record is searched from the conventional block according to the certificate information, and according to the friendship found
Easily record obtains corresponding signing certificate;The signing certificate is sent to the user terminal.
17. device according to claim 16, wherein the enquiry module is further used for:
The transaction record corresponding with the signing certificate stored in the conventional block is inquired, when judging that the transaction remembers
The state of the second output par, c in record is when not spending state, and Xiang Suoshu user terminal sends certificate efficient message;Work as judgement
The state of the second output par, c in the transaction record is when having spent state out, and it is invalid that Xiang Suoshu user terminal sends certificate
Message.
18. device according to claim 10, wherein the root ca certificate includes: root CA public key, root CA information, root CA
Address, validity period of certificate, certificate authority time and digital signature.
19. a kind of ca authentication management system based on block chain, which is characterized in that including any in the claims 10-18
The ca authentication managing device and node to be certified.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610782864.2A CN106372941B (en) | 2016-08-31 | 2016-08-31 | Based on the ca authentication management method of block chain, apparatus and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610782864.2A CN106372941B (en) | 2016-08-31 | 2016-08-31 | Based on the ca authentication management method of block chain, apparatus and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106372941A CN106372941A (en) | 2017-02-01 |
| CN106372941B true CN106372941B (en) | 2019-07-16 |
Family
ID=57898771
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610782864.2A Active CN106372941B (en) | 2016-08-31 | 2016-08-31 | Based on the ca authentication management method of block chain, apparatus and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106372941B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2589147A (en) * | 2019-11-25 | 2021-05-26 | Nchain Holdings Ltd | Methods and devices for automated digital certificate verification |
Families Citing this family (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106972931B (en) * | 2017-02-22 | 2020-05-15 | 中国科学院数据与通信保护研究教育中心 | Method for transparentizing certificate in PKI |
| CN106789090B (en) * | 2017-02-24 | 2019-12-24 | 陈晶 | Public key infrastructure system based on block chain and semi-random combined certificate signature method |
| US10484373B2 (en) * | 2017-04-11 | 2019-11-19 | Mastercard International Incorporated | Systems and methods for biometric authentication of certificate signing request processing |
| CN107426157B (en) * | 2017-04-21 | 2020-04-17 | 杭州趣链科技有限公司 | Alliance chain authority control method based on digital certificate and CA authentication system |
| CN107451874A (en) * | 2017-07-27 | 2017-12-08 | 武汉天喻信息产业股份有限公司 | Electronic invoice integrated conduct method and system based on block chain |
| CN109428892B (en) * | 2017-09-01 | 2021-12-28 | 埃森哲环球解决方案有限公司 | Multi-stage rewritable block chain |
| CN107734502B (en) * | 2017-09-07 | 2020-02-21 | 京信通信系统(中国)有限公司 | Micro base station communication management method, system and equipment based on block chain |
| WO2019132767A1 (en) * | 2017-12-28 | 2019-07-04 | 华为国际有限公司 | Transaction processing method and related equipment |
| CN108282539A (en) * | 2018-02-06 | 2018-07-13 | 北京奇虎科技有限公司 | Decentralization storage system based on double-layer network |
| CN108347483B (en) * | 2018-02-06 | 2021-04-09 | 北京奇虎科技有限公司 | Decentralized computing system based on double-layer network |
| CN110163004B (en) | 2018-02-14 | 2023-02-03 | 华为技术有限公司 | Block chain generation method, related equipment and system |
| US20210042744A1 (en) * | 2018-03-14 | 2021-02-11 | Jieqian Zheng | Block chain data processing method, management terminal, user terminal, conversion device, and medium |
| CN108683630B (en) * | 2018-04-03 | 2020-05-29 | 阿里巴巴集团控股有限公司 | Cross-block-chain authentication method and device and electronic equipment |
| US11615060B2 (en) * | 2018-04-12 | 2023-03-28 | ISARA Corporation | Constructing a multiple entity root of trust |
| SG11202008987RA (en) * | 2018-04-27 | 2020-11-27 | Nchain Holdings Ltd | Maintaining blocks of a blockchain in a partitioned blockchain network |
| CN108933667B (en) * | 2018-05-03 | 2021-08-10 | 深圳市京兰健康医疗大数据有限公司 | Management method and management system of public key certificate based on block chain |
| CN108921694B (en) * | 2018-06-21 | 2022-03-04 | 北京京东尚科信息技术有限公司 | Block chain management method, block chain node and computer readable storage medium |
| CN108960825A (en) * | 2018-06-26 | 2018-12-07 | 阿里巴巴集团控股有限公司 | Electric endorsement method and device, electronic equipment based on block chain |
| CN108881471B (en) * | 2018-07-09 | 2020-09-11 | 北京信息科技大学 | Union-based whole-network unified trust anchor system and construction method |
| CN108964924B (en) * | 2018-07-24 | 2020-06-05 | 腾讯科技(深圳)有限公司 | Digital certificate verification method and device, computer equipment and storage medium |
| CN109034826A (en) * | 2018-08-06 | 2018-12-18 | 佛山市甜慕链客科技有限公司 | It is a kind of for based on block chain verifying digital certificate method and system |
| CN108965469B (en) * | 2018-08-16 | 2021-07-30 | 北京京东尚科信息技术有限公司 | Dynamic management method, device, equipment and storage medium for members of block chain network |
| CN109242686A (en) * | 2018-08-31 | 2019-01-18 | 深圳付贝科技有限公司 | Transaction Recall voluntarily method digs mine machine and block catenary system |
| CN109325359B (en) * | 2018-09-03 | 2023-06-02 | 平安科技(深圳)有限公司 | Account system setting method, system, computer device and storage medium |
| CN109359479B (en) * | 2018-09-21 | 2019-12-31 | 北京非对称区块链科技有限公司 | Certificate generation and verification method, device, storage medium and electronic equipment |
| CN109547200A (en) * | 2018-11-21 | 2019-03-29 | 上海点融信息科技有限责任公司 | Certificate distribution method and corresponding calculating equipment and medium in block chain network |
| CN111027970B (en) * | 2018-12-07 | 2024-02-23 | 深圳市智税链科技有限公司 | Authentication management method, device, medium and electronic equipment of block chain system |
| CN111641504A (en) * | 2019-03-01 | 2020-09-08 | 湖南天河国云科技有限公司 | Block chain digital certificate application method and system based on bit currency system |
| GB2583767A (en) * | 2019-05-10 | 2020-11-11 | Nchain Holdings Ltd | Methods and devices for public key management using a blockchain |
| WO2020232417A1 (en) * | 2019-05-16 | 2020-11-19 | Gmo Globalsign, Inc. | Systems and methods for blockchain transactions with offer and acceptance |
| EP3701391B1 (en) * | 2019-06-28 | 2021-11-10 | Advanced New Technologies Co., Ltd. | System and method for updating data in blockchain |
| EP3688710B1 (en) | 2019-06-28 | 2022-05-25 | Advanced New Technologies Co., Ltd. | System and method for blockchain address mapping |
| CN110489234A (en) * | 2019-08-16 | 2019-11-22 | 中国银行股份有限公司 | Message processing method, device, equipment and the readable storage medium storing program for executing of block link layer |
| CN110544095A (en) * | 2019-09-03 | 2019-12-06 | 腾讯科技(深圳)有限公司 | Transaction processing method of block chain network and block chain network |
| CN110598375B (en) * | 2019-09-20 | 2021-03-16 | 腾讯科技(深圳)有限公司 | Data processing method, device and storage medium |
| CN110855679B (en) * | 2019-11-15 | 2021-11-30 | 微位(深圳)网络科技有限公司 | uPKI combined public key authentication method and system |
| CN112015460B (en) * | 2020-09-09 | 2023-11-03 | 南京工程学院 | Code responsibility-following method and system based on block chain technology |
| CN112512048B (en) * | 2020-11-27 | 2022-07-12 | 达闼机器人股份有限公司 | Mobile network access system, method, storage medium and electronic device |
| CN116055069B (en) * | 2023-04-03 | 2023-06-27 | 北京微芯感知科技有限公司 | Distributed CA (conditional access) implementation method based on block chain |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105592098A (en) * | 2016-01-16 | 2016-05-18 | 杭州复杂美科技有限公司 | Management method of vote and CA certificate of block chain |
| CN105591753A (en) * | 2016-01-13 | 2016-05-18 | 杭州复杂美科技有限公司 | Application method of CA certificate on block chain |
| CN105701372A (en) * | 2015-12-18 | 2016-06-22 | 布比(北京)网络技术有限公司 | Block chain identity construction and verification method |
| EP3364351A1 (en) * | 2015-10-16 | 2018-08-22 | Coinplug, Inc | Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same |
-
2016
- 2016-08-31 CN CN201610782864.2A patent/CN106372941B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3364351A1 (en) * | 2015-10-16 | 2018-08-22 | Coinplug, Inc | Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same |
| CN105701372A (en) * | 2015-12-18 | 2016-06-22 | 布比(北京)网络技术有限公司 | Block chain identity construction and verification method |
| CN105591753A (en) * | 2016-01-13 | 2016-05-18 | 杭州复杂美科技有限公司 | Application method of CA certificate on block chain |
| CN105592098A (en) * | 2016-01-16 | 2016-05-18 | 杭州复杂美科技有限公司 | Management method of vote and CA certificate of block chain |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2589147A (en) * | 2019-11-25 | 2021-05-26 | Nchain Holdings Ltd | Methods and devices for automated digital certificate verification |
| WO2021105816A1 (en) * | 2019-11-25 | 2021-06-03 | nChain Holdings Limited | Methods and devices for automated digital certificate verification |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106372941A (en) | 2017-02-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106372941B (en) | Based on the ca authentication management method of block chain, apparatus and system | |
| CN106301792B (en) | Based on the ca authentication management method of block chain, apparatus and system | |
| CN106384236B (en) | Based on the ca authentication management method of block chain, apparatus and system | |
| JP7076682B2 (en) | Data processing methods, devices, electronic devices and computer programs based on blockchain networks | |
| RU2718959C1 (en) | Domain name control scheme for cross-chain interactions in blockchain systems | |
| RU2707938C1 (en) | Domain name scheme for cross-chain interactions in blockchain systems | |
| CN106339875B (en) | Operation note checking method and device based on publicly-owned block chain | |
| US10965472B2 (en) | Secure bootstrap for a blockchain network | |
| KR101954268B1 (en) | Method for managing electronic document based on blockchain, and electronic document management server using the same | |
| CN110349056A (en) | Transaction processing system and method based on block chain | |
| CN108960825A (en) | Electric endorsement method and device, electronic equipment based on block chain | |
| CN110493007A (en) | A kind of Information Authentication method, apparatus, equipment and storage medium based on block chain | |
| CN109598147B (en) | Data processing method and device based on block chain and electronic equipment | |
| CN110516474A (en) | User information processing method, device, electronic equipment and storage medium in block chain network | |
| CN110311781A (en) | Micro services information is provided | |
| CN108429765B (en) | Method, server and storage medium for realizing domain name resolution based on block chain | |
| CN108111314A (en) | The generation of digital certificate and method of calibration and equipment | |
| CN109472599A (en) | A kind of user's assets information circulation method and device based on block chain | |
| CN115769241A (en) | Privacy preserving architecture for licensed blockchains | |
| CN109413076A (en) | Domain name analytic method and device | |
| CN110535807A (en) | A kind of service authentication method, device and medium | |
| US11025643B2 (en) | Mobile multi-party digitally signed documents and techniques for using these allowing detection of tamper | |
| CN114944937A (en) | Distributed digital identity verification method, system, electronic device and storage medium | |
| WO2020077055A1 (en) | Systems and methods for a federated directory service | |
| CN113779637B (en) | Attribute data processing method, attribute data processing device, attribute data processing equipment and attribute data processing medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: Room 3F301, C2 Building, Suzhou 2.5 Industrial Park, 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province Applicant after: JIANGSU PAYEGIS TECHNOLOGY CO., LTD. Address before: A street in Suzhou City, Jiangsu Province Industrial Park No. 388 innovation park off No. 6 Building 5 floor Applicant before: JIANGSU PAYEGIS TECHNOLOGY CO., LTD. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |