CN108696356B - Block chain-based digital certificate deleting method, device and system - Google Patents


Info

Publication number
CN108696356B
Authority
CN
China
Prior art keywords
digital certificate
block
backup
identification information
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710218253.XA
Other languages
Chinese (zh)
Other versions
CN108696356A (en)
Inventor
阎军智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN201710218253.XA
Priority to PCT/CN2018/078888 (WO2018184447A1)
Publication of CN108696356A
Application granted
Publication of CN108696356B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, a device and a system for deleting a digital certificate based on a block chain, which are applied to any backup node in the block chain, wherein the method comprises the following steps: according to the information of each backup digital certificate stored for each block, if each backup digital certificate stored for the block is invalid, sending a deletion message containing the identification information of the block to each verification node, and deleting the block body of the block when each verification node determines that each digital certificate in the block of the identification information is invalid. In the embodiment of the invention, if the backup node judges that each backup digital certificate stored aiming at a certain block is invalid, the deletion message containing the identification information of the block is sent to each verification node, so that each verification node deletes the block body of the block when determining that each digital certificate in the block of the identification information is invalid, the storage and calculation resources of the verification node are saved, and the operation efficiency of the verification node is improved.

Description

Block chain-based digital certificate deleting method, device and system
Technical Field
The invention relates to the technical field of network security, in particular to a block chain-based digital certificate deleting method, device and system.
Background
A digital certificate is a document issued by an authority to prove the identity of a user over a network, and the body that issues digital certificates is referred to as a Certification Authority (CA). In existing Public Key Infrastructure (PKI) technology the CA is the trusted starting point: if the CA can be controlled, digital certificates can be issued at will in its name, which makes the CA at the core a prime target for attacks. Once a CA is compromised, all digital certificates issued by that CA are no longer secure and cannot be used further. In addition, the CA root digital certificate installed or preset in advance at the relying party may also be attacked; if the root digital certificate is maliciously tampered with, the whole digital certificate verification process is affected, and a forged user digital certificate may even be accepted as a legitimate one.
In recent years, block chain technology has been developed, in which blocks storing digital certificates are linked in a chain in time order, and a trusted tree (Merkle) value corresponding to each block is generated from the digital certificates stored in that block; the Merkle value is used to verify the digital certificates stored in the block, which prevents them from being falsified. Every verification node in the block chain stores all the digital certificates in the chain and takes part in verifying requests to generate and invoke digital certificates, so there is no central CA node, and the correctness of the digital certificates is ensured even if a particular verification node fails or is attacked.
However, the block chain has a serious drawback: it holds all historical digital certificates, so as time goes on the number of digital certificates stored in the chain keeps growing, the data volume of the whole chain grows with it, and the storage and computing resources required by each verification node grow accordingly, which places a heavy burden on the verification node and degrades both its operation and the user experience.
Disclosure of Invention
The invention provides a block chain-based digital certificate deleting method, device and system to solve the problem in the prior art that, as the volume of stored digital certificates grows, the storage and computing resources required by a verification node keep increasing, which affects the operation of the verification node and the user experience.
The invention discloses a digital certificate deleting method of a blockchain, wherein the blockchain comprises a plurality of verification nodes and at least one backup node, the deleting method is applied to any backup node in the blockchain, and the method comprises the following steps:
determining whether each backup digital certificate saved for each block is invalid or not according to the information of each backup digital certificate saved for each block;
if the fact that each backup digital certificate saved aiming at the block is invalid is determined, a deleting message containing the identification information of the block is sent to each verification node in the block chain, each verification node is enabled to judge whether each digital certificate in the block of the identification information is invalid or not, and when the fact that each digital certificate in the block of the identification information is invalid is determined, the block body of the block of the identification information is deleted.
Further, the determining, according to the information of each backup digital certificate stored for each block, whether each backup digital certificate stored for the block is invalid includes:
determining, according to the information of each backup digital certificate stored for each block, whether the validity period of each backup digital certificate stored for the block is expired and/or whether the state of each backup digital certificate is revoked;
and if the validity period of each backup digital certificate saved for the block is expired and/or the state of the backup digital certificate is revoked, determining that each backup digital certificate saved for the block is invalid.
Further, if each digital certificate stored in each block of each verification node in the block chain is transformed by using a preset algorithm, after sending the deletion message including the identification information of the block to each verification node in the block chain, the method further includes:
and sending each backup digital certificate stored for the block of the identification information to each verification node.
The invention discloses a block chain-based digital certificate deletion method, wherein a block chain comprises a plurality of verification nodes and at least one backup node, the deletion method is applied to any verification node in the block chain, and the method comprises the following steps:
receiving a deletion message containing identification information of a block, which is sent by a backup node in a block chain, wherein the deletion message is sent after the backup node in the block chain determines that each backup digital certificate stored for the block is invalid according to the information of each backup digital certificate stored for each block by the backup node;
judging whether each digital certificate in the block of the identification information stored by itself is invalid or not;
and if each digital certificate in the block of the identification information is determined to be invalid, deleting the block body of the block.
Further, if each digital certificate stored in each block is transformed by using a preset algorithm, after receiving a deletion message containing identification information of the block sent by a backup node in a block chain, the method further includes:
receiving each backup digital certificate which is sent by the backup node and is saved by the backup node aiming at the block of the identification information;
before the determining whether each digital certificate in the block of the identification information stored in the self is invalid, the method further includes:
transforming each backup digital certificate by adopting the preset algorithm;
judging whether each digital certificate stored in the block of the identification information is correspondingly matched with the digital certificate after the conversion of the backup digital certificate or not according to each digital certificate stored in the block of the identification information;
if yes, the subsequent steps are carried out.
Further, the determining whether each digital certificate in the block of the identification information stored by itself is invalid includes:
acquiring the validity period and state information of each digital certificate in the block of the identification information stored by itself;
judging whether the validity period of each digital certificate in the block of the identification information is expired and/or whether the state of the digital certificate is revoked;
and if the validity period of each digital certificate in the block of the identification information is expired and/or the state of the digital certificate is revoked, determining that each digital certificate in the block of the identification information is invalid.
The invention discloses a digital certificate deleting device based on a block chain, wherein the block chain comprises a plurality of verification nodes and at least one backup node, the deleting device is applied to any backup node in the block chain, and the device comprises:
the determining module is used for determining whether each backup digital certificate stored aiming at each block is invalid or not according to the information of each backup digital certificate stored aiming at each block;
a sending module, configured to send, if it is determined that each backup digital certificate stored for the block is invalid, a deletion message including identification information of the block to each verification node in the block chain, so that each verification node determines whether each digital certificate in the block of the identification information is invalid, and deletes the block body of the block of the identification information when it is determined that each digital certificate in that block is invalid.
Further, the determining module is specifically configured to determine, according to information of each backup digital certificate stored for each block, whether a validity period of each backup digital certificate stored for the block expires and/or whether a state of the backup digital certificate is revoked; and if the validity period of each backup digital certificate saved for the block is expired and/or the state of the backup digital certificate is revoked, determining that each backup digital certificate saved for the block is invalid.
Further, the sending module is further configured to send each backup digital certificate stored for the block of the identification information to each verification node if each digital certificate stored in each block of each verification node in the block chain is transformed by using a preset algorithm.
The invention discloses a digital certificate deleting device based on a block chain, wherein the block chain comprises a plurality of verification nodes and at least one backup node, the deleting device is applied to any verification node in the block chain, and the device comprises:
a receiving module, configured to receive a deletion message containing identification information of a block, sent by a backup node in the block chain, wherein the deletion message is sent after the backup node determines, according to the information of each backup digital certificate stored by it for each block, that each backup digital certificate stored for the block is invalid;
a judging module, configured to judge whether each digital certificate in the block of the identification information stored by the device itself is invalid or not;
and the deleting module is used for deleting the block body of the block if each digital certificate in the block of the identification information is determined to be invalid.
Further, the receiving module is further configured to receive each backup digital certificate, which is sent by the backup node and is stored by the backup node for the block of the identification information, if each digital certificate stored by each block is transformed by using a preset algorithm;
the device further comprises:
the matching module is used for transforming each backup digital certificate by adopting the preset algorithm; judging whether each digital certificate stored in the block of the identification information is correspondingly matched with the digital certificate after the conversion of the backup digital certificate or not according to each digital certificate stored in the block of the identification information; if the matching result is yes, the judgment module is triggered.
Further, the judging module is specifically configured to obtain the validity period and state information of each digital certificate in the block of the identification information stored by the device itself; judge whether the validity period of each digital certificate in the block of the identification information is expired and/or whether the state of the digital certificate is revoked; and if the validity period of each digital certificate in the block of the identification information is expired and/or the state of the digital certificate is revoked, determine that each digital certificate in the block of the identification information is invalid.
The invention discloses a block chain-based digital certificate deleting system, which comprises at least one block chain-based digital certificate deleting device applied to a backup node and a plurality of block chain-based digital certificate deleting devices applied to a verification node.
The invention discloses a block chain-based digital certificate deleting method, a device and a system, wherein the block chain comprises a plurality of verification nodes and at least one backup node, the deleting method is applied to any backup node in the block chain, and the method comprises the following steps: determining whether each backup digital certificate saved for each block is invalid or not according to the information of each backup digital certificate saved for each block; if the fact that each backup digital certificate saved aiming at the block is invalid is determined, a deleting message containing the identification information of the block is sent to each verification node in the block chain, each verification node is enabled to judge whether each digital certificate in the block of the identification information is invalid or not, and when the fact that each digital certificate in the block of the identification information is invalid is determined, the block body of the block of the identification information is deleted. In the embodiment of the invention, if the backup node judges that each backup digital certificate stored aiming at a certain block is invalid, a deletion message containing the identification information of the block is sent to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block of the identification information is invalid, and when each digital certificate in the block of the identification information is determined to be invalid, the block body of the block of the identification information is deleted, thereby reducing the storage space occupied in the data certificate storage process, saving the storage and calculation resources of the verification node, and improving the operation efficiency of the verification node and the user experience.
Drawings
Fig. 1 is a block chain architecture diagram of the present invention;
Fig. 2 is a schematic diagram of a block chain-based digital certificate deletion process according to embodiment 1 of the present invention;
Fig. 3 is a schematic diagram of the storage structure of a verification node storing digital certificates according to embodiments 1 and 4 of the present invention;
Fig. 4 is a schematic diagram of a block chain-based digital certificate deletion process according to embodiment 4 of the present invention;
Fig. 5 is a schematic structural diagram of a block chain-based digital certificate deleting apparatus according to embodiment 7 of the present invention;
Fig. 6 is a schematic structural diagram of a block chain-based digital certificate deleting apparatus according to embodiment 8 of the present invention;
Fig. 7 is a schematic structural diagram of a block chain-based digital certificate deletion system according to embodiment 9 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a block chain architecture diagram provided in the present invention, where the block chain includes a plurality of verification nodes and at least one backup node, and each verification node is used to verify a user's generation request for a digital certificate and a user's update request for a digital certificate status. And each verification node sequentially generates new blocks according to a preset time sequence, stores the digital certificate into the corresponding block according to the digital certificate generation time, and is also used for updating the state of the stored digital certificate according to an update request of a user for the state of the digital certificate. The backup node is used for backing up each digital certificate stored in each block of the verification node, and updating the state of the digital certificate backed up for each block according to the updating request of the user for the state of the digital certificate.
Example 1:
fig. 2 is a schematic diagram of a block chain-based digital certificate deletion process provided in an embodiment of the present invention, where the process includes:
S201: determining whether each backup digital certificate saved for each block is invalid or not according to the information of each backup digital certificate saved for each block.
The block chain-based digital certificate deleting method provided by the embodiment of the invention is applied to any backup node in the block chain, and the backup node can be a PC (personal computer), a server and other equipment with the functions of operation and storage.
In the embodiment of the present invention, if no malicious change is detected in the block chain, the digital certificates stored in the corresponding block of every verification node are the same. The backup node backs up the digital certificates stored in each block of the verification nodes in the block chain; that is, for each block, the backup node stores a backup digital certificate corresponding to each digital certificate in that block.
Specifically, the backup node determines whether each backup digital certificate stored for each block is invalid according to information of each backup digital certificate stored for each block by the backup node, where the information of the backup digital certificate may be a validity period of the digital certificate.
For example: the backup node stores backup digital certificate 1 and backup digital certificate 2 for block A, and backup digital certificate 3 and backup digital certificate 4 for block B. At the current time, March 29, 2017, for block A the backup node determines from the validity period of backup digital certificate 1 (July 1, 2015 to July 1, 2016) that it has expired, and from the validity period of backup digital certificate 2 (February 1, 2016 to February 1, 2017) that it has expired as well, so it determines that each backup digital certificate stored for block A is invalid; for block B the backup node determines from the validity period of backup digital certificate 3 (July 5, 2015 to July 5, 2016) that it has expired, but from the validity period of backup digital certificate 4 (May 1, 2016 to May 1, 2017) that it has not expired, so backup digital certificate 4 stored for block B is still valid.
S202: if the fact that each backup digital certificate saved aiming at the block is invalid is determined, a deleting message containing the identification information of the block is sent to each verification node in the block chain, each verification node is enabled to judge whether each digital certificate in the block of the identification information is invalid or not, and when the fact that each digital certificate in the block of the identification information is invalid is determined, the block body of the block of the identification information is deleted.
Each block in the block chain consists of a block header and a block body. The block header stores the time the block was generated and the parent block hash, that is, the hash value of the block generated immediately before it; the block body stores the Merkle value determined from the digital certificates stored in the block, together with each digital certificate recorded in the block. Fig. 3 is a schematic diagram of the storage structure of a verification node storing digital certificates according to an embodiment of the present invention: the verification node stores the creating block, block 2 … block n in time order, each block consists of a block header and a block body, and each block body stores the digital certificates stored in that block.
Specifically, if the backup node determines that each backup digital certificate stored for a block is invalid, this indicates that the backup digital certificates stored for that block can be deleted, and the backup node sends a deletion message containing the identification information of the block to each verification node in the block chain. If the digital certificates stored in each block of the verification node are the same as the backup digital certificates stored by the backup node, the verification node could directly delete the block body of the identified block. However, a valid digital certificate deleted by mistake can no longer pass verification when the user needs it, which would harm the user's rights and interests. To ensure that deletion is accurate and to avoid deleting a valid digital certificate by mistake, in the embodiment of the present invention the verification node, after receiving the deletion message containing the identification information of the block, determines whether each digital certificate in its own copy of the identified block is invalid, and deletes the block body of that block only when each digital certificate in it is determined to be invalid.
For example: if each backup digital certificate stored by the backup node for the block A is invalid, the backup digital certificate stored for the block A can be deleted, a deletion message containing block A identification information 00001 is sent to each verification node in the block chain, after the verification node receives the deletion message containing the identification information 00001, the block A of the identification information stored by the verification node is identified through the identification information 00001, whether each digital certificate in the block A of the verification node is invalid or not is verified, and if each digital certificate in the block A of the verification node is invalid, the block body of the block A is deleted.
In the embodiment of the invention, if the backup node judges that each backup digital certificate stored aiming at a certain block is invalid, a deletion message containing the identification information of the block is sent to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block of the identification information is invalid, and when each digital certificate in the block of the identification information is determined to be invalid, the block body of the block of the identification information is deleted, thereby reducing the storage space occupied in the data certificate storage process, saving the storage and calculation resources of the verification node, and improving the operation efficiency of the verification node and the user experience.
Example 2:
In order to determine more accurately whether each backup digital certificate stored for each block is invalid, on the basis of the above embodiments, in an embodiment of the present invention, determining, according to the information of each backup digital certificate stored by the backup node itself for each block, whether each backup digital certificate stored for the block is invalid includes:
determining, according to the information of each backup digital certificate stored for each block, whether the validity period of each backup digital certificate stored for the block has expired and/or whether the state of the backup digital certificate is revoked;
and if, for each backup digital certificate stored for the block, the validity period has expired and/or the state is revoked, determining that each backup digital certificate stored for the block is invalid.
In the embodiment of the present invention, the information of a backup digital certificate includes the validity period of the backup digital certificate and the state information of the backup digital certificate, where the state information of the backup digital certificate includes issued, revoked, suspended, restored, and the like. The backup node can determine whether the state of a backup digital certificate is revoked by identifying the state information of the backup digital certificate; the way the state information of a backup digital certificate is identified is the same as in the prior art and is not described in detail here. The backup node may determine whether each backup digital certificate stored for each block is invalid according to whether the validity period of each backup digital certificate it stores for the block has expired; of course, it may also determine whether each backup digital certificate stored for each block is invalid according to whether the state of each backup digital certificate stored for the block is revoked.
Preferably, whether each backup digital certificate stored for each block is invalid can be determined according to both whether the validity period of each backup digital certificate stored for the block has expired and whether the state of the backup digital certificate is revoked. If each backup digital certificate stored for the block satisfies the condition that its validity period has expired and/or its state is revoked, it is determined that each backup digital certificate stored for the block is invalid. In the embodiment of the present invention, for each backup digital certificate, if the validity period of the backup digital certificate has expired or the state of the backup digital certificate is revoked, the backup digital certificate is determined to be invalid.
For example: the backup node stores a backup digital certificate 5 and a backup digital certificate 6 for block C. The validity period of backup digital certificate 5 is July 5, 2015 to July 5, 2016 and its state is not revoked; the validity period of backup digital certificate 6 is July 5, 2016 to July 5, 2017 and its state is revoked. The current time is March 29, 2017, so the validity period of backup digital certificate 5 has expired and the state of backup digital certificate 6 is revoked, and it is determined that each backup digital certificate stored for block C is invalid.
Example 3:
In order to prevent a verification node from erroneously deleting the digital certificates it stores because the certificates held by the backup node have been maliciously tampered with, in an embodiment of the present invention based on the foregoing embodiments, if each digital certificate stored in each block of each verification node in the block chain has been transformed using a preset algorithm, then after sending the deletion message containing the identification information of the block to each verification node in the block chain, the method further includes:
sending each backup digital certificate stored for the block identified by the identification information to each verification node.
In order to ensure the security of the digital certificate data stored by each verification node in the block chain, each verification node in the block chain may, according to a preset setting, transform each digital certificate stored in each block using a preset algorithm. For example: the verification node performs a hash operation on each digital certificate stored in each block using a hash algorithm, and each block stores the digital certificates after the hash operation. In the embodiment of the present invention, if the verification node transforms each digital certificate stored in each block using the preset algorithm, then for each block in the block chain the backup node backs up each digital certificate stored in the block as it was before transformation by the preset algorithm.
Specifically, if each digital certificate stored in each block of each verification node in the block chain has been transformed using a preset algorithm, then when the backup node determines, according to the information of each backup digital certificate it stores for each block, that each backup digital certificate stored for a block is invalid, it sends a deletion message containing the identification information of the block to each verification node in the block chain and also sends each backup digital certificate it stores for the block identified by the identification information to each verification node. After a verification node receives the deletion message containing the identification information of the block and each backup digital certificate stored by the backup node for that block, it locates its own block according to the identification information, transforms each received backup digital certificate using the preset algorithm, and determines whether each backup digital certificate stored by the backup node for the block is correct by judging whether each digital certificate stored in its own block correspondingly matches a transformed backup digital certificate.
For example: each digital certificate stored in each block of each verification node in the block chain has been transformed using a hash algorithm. The backup node determines that each backup digital certificate stored for block E, whose identification information is 00005, is invalid, and after sending a deletion message containing the identification information 00005 to each verification node in the block chain, the backup node sends each backup digital certificate stored for block E with identification information 00005 to each verification node in the block chain.
After a verification node receives the deletion message containing the identification information 00005 and each backup digital certificate stored for the block with identification information 00005, it locates block E, whose identification information is 00005, according to the identification information 00005, performs a hash operation with the preset hash algorithm on each backup digital certificate stored by the backup node for the block with identification information 00005, and judges whether each digital certificate stored in its own block E correspondingly matches a hashed backup digital certificate; if so, it is determined that each backup digital certificate stored by the backup node for block E is correct.
Example 4:
Fig. 4 is a schematic diagram of a block chain-based digital certificate deletion process provided in an embodiment of the present invention, where the process includes:
S401: receiving a deletion message containing the identification information of a block, sent by the backup node in the block chain, where the deletion message is sent after the backup node in the block chain determines, according to the information of each backup digital certificate it stores for each block, that each backup digital certificate stored for the block is invalid.
The block chain-based digital certificate deleting method is applied to any verification node in the block chain; the verification node may be a PC (personal computer), a server, or other equipment with computing and storage functions.
In the embodiment of the present invention, if no malicious change has occurred in the block chain, the digital certificates stored in the corresponding block of each verification node are the same, and the backup node backs up the digital certificates stored in each block of each verification node in the block chain; that is, for each block, the backup node stores a backup digital certificate corresponding to each digital certificate in the block. The backup node determines, according to the information of each backup digital certificate it stores for each block, whether each backup digital certificate stored for the block is invalid, and if each backup digital certificate stored for a block is invalid, the backup node sends a deletion message containing the identification information of the block to each verification node in the block chain.
For example: the backup node stores a backup digital certificate 1 and a backup digital certificate 2 for block A, and the current time is March 29, 2017. According to the validity period of backup digital certificate 1, January 1, 2015 to January 1, 2016, the backup node determines that the validity period of backup digital certificate 1 has expired and backup digital certificate 1 is invalid; according to the validity period of backup digital certificate 2, February 1, 2016 to February 1, 2017, it determines that the validity period of backup digital certificate 2 has expired and backup digital certificate 2 is invalid. It therefore determines that each backup digital certificate stored for block A is invalid and sends a deletion message containing the identification information 00001 of block A to each verification node in the block chain.
Specifically, the verification node receives the deletion message containing the identification information of the block, which the backup node in the block chain sends after determining, according to the information of each backup digital certificate it stores for each block, that each backup digital certificate stored for the block is invalid.
S402: judging whether each digital certificate in the verification node's own block identified by the identification information is invalid.
Specifically, after receiving the deletion message containing the identification information of the block sent by the backup node, the verification node determines whether each digital certificate in its own block identified by the identification information is invalid, where the verification node may determine whether a digital certificate is valid according to the validity period of the digital certificate.
For example: the verification node receives a deletion message sent by the backup node containing the block identification information 00001 and locates block A, whose identification information is 00001. Block A stores a digital certificate 1 and a digital certificate 2, and the current time is March 29, 2017. According to the validity period of digital certificate 1, January 1, 2015 to January 1, 2016, the verification node determines that the validity period of digital certificate 1 has expired and digital certificate 1 is invalid; according to the validity period of digital certificate 2, February 1, 2016 to February 1, 2017, it determines that the validity period of digital certificate 2 has expired and digital certificate 2 is invalid. It therefore determines that digital certificate 1 and digital certificate 2 stored in block A are invalid, that is, each digital certificate in block A with identification information 00001 is invalid.
S403: if each digital certificate in the block identified by the identification information is determined to be invalid, deleting the block body of the block.
Each block in the block chain is composed of a block header and a block body. The block header stores the generation time of the block and the parent block hash value, namely the hash value of the block preceding it; the block body stores each digital certificate recorded in the block, organized according to the Merkle value determined from the digital certificates stored in the block. Fig. 3 is a schematic diagram of the storage structure in which a verification node stores digital certificates according to an embodiment of the present invention: the verification node stores a genesis block, block 2, … block n in chronological order, each block is composed of a block header and a block body, and each block body stores the digital certificates stored in that block.
Specifically, if the verification node determines that each digital certificate in the block identified by the identification information is invalid, this indicates that each digital certificate in the block can be deleted, and the block body of the block, which stores the digital certificates, is deleted. If the verification node determines that at least one valid digital certificate exists in the block identified by the identification information, this indicates that the block contains a digital certificate that must not be deleted; the verification node discards the deletion message sent by the backup node and performs no processing on the block.
For example: the verification node determines that each digital certificate in block A, whose identification information is 00001, is invalid, and deletes the block body of block A that stores the digital certificates.
In the embodiment of the invention, the verification node receives the deletion message that the backup node sends after determining, according to the information of each backup digital certificate it stores for each block, that each backup digital certificate stored for a certain block is invalid, judges whether each digital certificate in the block identified by the identification information is invalid, and deletes the block body of that block after determining that each digital certificate in it is invalid. This reduces the storage space occupied in the course of storing digital certificates, saves storage and computing resources, and improves operating efficiency and the user experience.
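As an added illustration, not code from the patent, the following Python model shows the block layout of S403: a header carrying the generation time and the parent block hash, a body carrying the digital certificates, and the Merkle value computed over those certificates. It assumes SHA-256 for all hashes, that the Merkle value is kept in the header so the body can be checked against it, and that the parent block hash is computed over the preceding header only; the sample certificates are constructed. Under those assumptions, deleting the block body of a fully expired block leaves the parent-hash links of the chain intact, while a body that no longer fits its header is detected.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PARENT = "0" * 64  # parent hash recorded in the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(certs: List[bytes]) -> str:
    """Merkle value over the certificates; an odd level duplicates its last node."""
    if not certs:
        return sha256_hex(b"")
    level = [sha256_hex(c) for c in certs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    block_id: str                 # identification information, e.g. "00001"
    timestamp: int                # time the block was generated
    parent_hash: str              # hash of the preceding block (header only, assumed)
    merkle: str                   # Merkle value of the certificates in the body (assumed in header)
    body: Optional[List[bytes]]   # the digital certificates; None once deleted

    def header_hash(self) -> str:
        header = {"id": self.block_id, "time": self.timestamp,
                  "parent": self.parent_hash, "merkle": self.merkle}
        return sha256_hex(json.dumps(header, sort_keys=True).encode())

    def delete_body(self) -> None:
        """S403: drop the certificates but leave the header in the chain."""
        self.body = None


def append_block(chain: List[Block], block_id: str, timestamp: int,
                 certs: List[bytes]) -> Block:
    parent = chain[-1].header_hash() if chain else GENESIS_PARENT
    block = Block(block_id, timestamp, parent, merkle_root(certs), list(certs))
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> bool:
    """Check the parent links and, where a body is still present, its Merkle value."""
    expected_parent = GENESIS_PARENT
    for block in chain:
        if block.parent_hash != expected_parent:
            return False
        if block.body is not None and merkle_root(block.body) != block.merkle:
            return False
        expected_parent = block.header_hash()
    return True


def demo() -> dict:
    # Constructed sample certificates; real ones would be DER-encoded X.509.
    chain: List[Block] = []
    append_block(chain, "00000", 1420070400, [b"genesis-cert"])
    block_a = append_block(chain, "00001", 1422748800, [b"cert-1", b"cert-2"])
    append_block(chain, "00002", 1454371200, [b"cert-3"])
    before = verify_chain(chain)
    block_a.delete_body()  # block A: both certificates have expired
    after = verify_chain(chain)
    chain[2].body = [b"cert-3-altered"]  # a body that no longer fits its header
    return {"links_before": before, "links_after_delete": after,
            "body_deleted": block_a.body is None,
            "altered_body_detected": not verify_chain(chain)}
```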
Example 5:
In order to prevent the digital certificates stored by a verification node from being deleted because the certificates held by the backup node have been maliciously tampered with, on the basis of the foregoing embodiments, in an embodiment of the present invention, if each digital certificate stored in each block has been transformed using a preset algorithm, then after receiving the deletion message containing the identification information of the block sent by the backup node in the block chain, the method further includes:
receiving each backup digital certificate, sent by the backup node, that the backup node stores for the block identified by the identification information;
and before judging whether each digital certificate in its own block identified by the identification information is invalid, the method further includes:
transforming each backup digital certificate using the preset algorithm;
judging, for each digital certificate stored in the block identified by the identification information, whether it correspondingly matches a transformed backup digital certificate;
and if so, carrying out the subsequent steps.
In order to ensure the security of the digital certificate data stored by each verification node in the block chain, the verification node may, according to a preset setting, transform each digital certificate stored in each block using a preset algorithm. For example: the verification node performs a hash operation on each digital certificate stored in each block using a hash algorithm, and stores the hashed digital certificates for each block. In the embodiment of the present invention, if the verification node transforms each digital certificate stored in each block using the preset algorithm, then for each block in the block chain the backup node backs up each digital certificate stored in the block as it was before transformation by the preset algorithm, and stores the information of each digital certificate.
Specifically, if the verification node transforms each digital certificate stored in each block using a preset algorithm, then after receiving the deletion message containing the identification information of the block sent by the backup node in the block chain, the verification node receives each backup digital certificate, sent by the backup node, that the backup node stores for the block identified by the identification information.
In addition, in order to prevent the backup digital certificates stored by the backup node for the block identified by the identification information from having been maliciously tampered with, the verification node needs to judge whether each backup digital certificate sent by the backup node is correct before judging whether each digital certificate it stores in the identified block is invalid. Specifically, the verification node transforms each backup digital certificate using the preset algorithm and judges whether each digital certificate it stores for the block identified by the identification information, that is, each digital certificate already transformed by the preset algorithm, correspondingly matches a transformed backup digital certificate. If they match, it determines that each backup digital certificate stored by the backup node for the block identified by the identification information has not been tampered with and is correct. At this point, because the backup node has already judged that each backup digital certificate stored for the block identified by the identification information is invalid, the verification node could delete the block; however, because the reliability of the backup certificates stored by the backup node is not very high, in order to further ensure the security of the digital certificates the verification node itself verifies whether each digital certificate in the block identified by the identification information is invalid.
If, after transforming each backup digital certificate using the preset algorithm, the verification node judges that the digital certificates it stores in the block identified by the identification information, that is, the digital certificates already transformed by the preset algorithm, cannot be correspondingly matched with the transformed backup digital certificates, this indicates that at least one of the backup digital certificates stored by the backup node for the block identified by the identification information has been tampered with. In order to guarantee the correctness of the digital certificates stored by the verification node and to avoid mistakenly deleting a valid digital certificate that must not be deleted, the verification node discards the deletion message sent by the backup node and performs no processing on the block identified by the identification information.
Example 6:
In order to determine accurately whether each digital certificate in its own block is invalid, on the basis of the foregoing embodiments, in an embodiment of the present invention, judging whether each digital certificate in its own block identified by the identification information is invalid includes:
acquiring the validity period and the state information of each digital certificate in its own block identified by the identification information;
judging whether the validity period of each digital certificate in the block identified by the identification information has expired and/or whether the state of the digital certificate is revoked;
and if, for each digital certificate in the block identified by the identification information, the validity period has expired and/or the state is revoked, determining that each digital certificate in the block identified by the identification information is invalid.
In an embodiment of the present invention, the information of a digital certificate includes the validity period of the digital certificate and the state information of the digital certificate, where the state information of the digital certificate includes issued, revoked, suspended, restored, and the like. The verification node can determine whether the state of a digital certificate is revoked by identifying the state information of the digital certificate; the way the state information of a digital certificate is identified is the same as in the prior art and is not repeated here. If the verification node is not configured to transform each digital certificate stored in each block using a preset algorithm, the verification node reads the validity period of each untransformed digital certificate stored in the block identified by the identification information from the information of each digital certificate stored in that block, and may determine whether each digital certificate in the block identified by the identification information is invalid according to whether the validity period of each digital certificate in its own block identified by the identification information has expired; of course, it may also determine whether each digital certificate in the block identified by the identification information is invalid according to whether the state of each digital certificate in its own block identified by the identification information is revoked.
Preferably, whether each digital certificate in the block identified by the identification information is invalid can be determined according to both whether the validity period of each digital certificate in its own block identified by the identification information has expired and whether the state of the digital certificate is revoked. If, for each digital certificate in the block identified by the identification information, the validity period has expired and/or the state is revoked, it is determined that each digital certificate in the block identified by the identification information is invalid. In the embodiment of the invention, for each digital certificate, if the validity period of the digital certificate has expired or the state of the digital certificate is revoked, the digital certificate is determined to be invalid.
For example: the identification information of the block contained in the deletion message sent by the backup node is 00003, and the verification node's block C, whose identification information is 00003, stores a digital certificate 5 and a digital certificate 6. The validity period of digital certificate 5 is July 5, 2015 to July 5, 2016 and its state is not revoked; the validity period of digital certificate 6 is July 5, 2016 to July 5, 2017 and its state is revoked. The current time is March 29, 2017, so the validity period of digital certificate 5 has expired and the certificate state of digital certificate 6 is revoked, and it is determined that each digital certificate in block C with identification information 00003 is invalid.
In addition, if, in order to ensure the security of the digital certificate data stored by each verification node in the block chain, the verification node is configured to transform each digital certificate stored in each block using a preset algorithm, then, because the validity period of a digital certificate is recorded inside the digital certificate, the verification node cannot identify the validity period of the transformed digital certificates stored in the block identified by the identification information. In order that the verification node can still judge whether each digital certificate stored in its own block identified by the identification information is invalid, in the embodiment of the invention, if the verification node judges that each digital certificate it stores in the block identified by the identification information correspondingly matches a transformed backup digital certificate for each backup digital certificate sent by the backup node, the verification node judges whether each digital certificate in its own block identified by the identification information is invalid according to the validity period of each received backup digital certificate stored by the backup node for that block and the state information of each digital certificate stored by the verification node itself.
Specifically, the verification node determines whether each digital certificate in the block identified by the identification information is invalid according to whether the state of each digital certificate in the block identified by the identification information is revoked and/or whether the validity period of the corresponding received backup digital certificate has expired. If each digital certificate in the block identified by the identification information satisfies the condition that the state of the digital certificate is revoked and/or the validity period of the corresponding received backup digital certificate has expired, it is determined that each digital certificate in the block identified by the identification information is invalid. In the embodiment of the present invention, for each digital certificate, if the state information of the digital certificate is revoked, or the validity period of the backup digital certificate corresponding to the digital certificate has expired, the digital certificate is determined to be invalid.
For example: each digital certificate stored in each block of each verification node in the block chain has been transformed using a hash algorithm. The backup node determines that each backup digital certificate stored for block E, whose identification information is 00005, is invalid, and after sending a deletion message containing the identification information 00005 to each verification node in the block chain, the backup node sends each backup digital certificate stored for block E with identification information 00005 to each verification node in the block chain.
After a verification node receives the deletion message containing the identification information 00005 and each backup digital certificate stored for the block with identification information 00005, it locates block E, whose identification information is 00005, according to the identification information 00005, performs a hash operation with the preset hash algorithm on each backup digital certificate stored by the backup node for the block with identification information 00005, and judges whether each digital certificate stored in its own block E correspondingly matches a hashed backup digital certificate. If each digital certificate stored in its block E correspondingly matches a hashed backup digital certificate, it determines that the backup digital certificates stored by the backup node for block E have not been tampered with and that each backup digital certificate is correct. The state information of digital certificate 8 stored in its block E is revoked and the state information of digital certificate 9 is not revoked; the validity period of the backup digital certificate 8 that matches digital certificate 8 is July 5, 2016 to July 5, 2017, and the validity period of the backup digital certificate 9 that matches digital certificate 9 is August 5, 2015 to August 5, 2016. The current time is March 29, 2017, so the state information of digital certificate 8 is determined to be revoked and the validity period of the backup digital certificate 9 corresponding to digital certificate 9 has expired, and it is determined that each digital certificate stored in its block E is invalid.
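The exchange of Examples 3, 5 and 6 (the backup node deciding that a block's certificates are all expired and/or revoked and sending the deletion message with its untransformed backup certificates; the verification node transforming them, matching them against its stored digests, then re-checking validity from the backup certificates' validity periods and its own state records) as an added Python example, not code from the patent. It assumes SHA-256 as the preset algorithm, a constructed JSON encoding for the certificates, a plain dictionary as the message layout, and uses the block E certificates and current time from the example above.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVOKED = "revoked"  # one of the state values named in the text


@dataclass(frozen=True)
class Certificate:
    serial: str
    not_before: date
    not_after: date

    def encode(self) -> bytes:
        # Constructed encoding; a deployment would hash the DER bytes.
        return json.dumps({"serial": self.serial,
                           "not_before": self.not_before.isoformat(),
                           "not_after": self.not_after.isoformat()},
                          sort_keys=True).encode()

    @staticmethod
    def decode(raw: bytes) -> "Certificate":
        d = json.loads(raw)
        return Certificate(d["serial"], date.fromisoformat(d["not_before"]),
                           date.fromisoformat(d["not_after"]))


def transform(raw: bytes) -> str:
    """The 'preset algorithm' of the text, taken here to be SHA-256."""
    return hashlib.sha256(raw).hexdigest()


def is_expired(cert: Certificate, now: date) -> bool:
    return now > cert.not_after


class BackupNode:
    """Keeps each block's certificates untransformed, plus their state."""

    def __init__(self, backups: Dict[str, List[Certificate]], status: Dict[str, str]):
        self.backups = backups  # block id -> backup certificates
        self.status = status    # serial -> state information

    def block_invalid(self, block_id: str, now: date) -> bool:
        # Example 2: every backup certificate expired and/or revoked.
        return all(is_expired(c, now) or self.status.get(c.serial) == REVOKED
                   for c in self.backups[block_id])

    def deletion_message(self, block_id: str, now: date) -> Optional[dict]:
        # Example 3: the block id is sent together with the backup certificates.
        if not self.block_invalid(block_id, now):
            return None
        return {"delete": block_id,
                "backup_certs": [c.encode() for c in self.backups[block_id]]}


class VerificationNode:
    """Stores only the transformed certificates of each block, plus their state."""

    def __init__(self, blocks: Dict[str, Optional[List[str]]], status: Dict[str, str]):
        self.blocks = blocks  # block id -> body (list of digests), None once deleted
        self.status = status  # digest -> state information

    def handle_deletion(self, msg: dict, now: date) -> str:
        body = self.blocks.get(msg["delete"])
        if body is None:
            return "ignored: no block body"
        raws = msg["backup_certs"]
        # Example 5: every stored digest must be matched by a transformed backup
        # certificate (order-independent, duplicates counted); otherwise discard.
        if sorted(transform(r) for r in raws) != sorted(body):
            return "discarded: backup certificate mismatch"
        # Example 6: a digest hides the validity period, so it is read from the
        # matched backup certificate; the state comes from the node's own records.
        if all(is_expired(Certificate.decode(r), now)
               or self.status.get(transform(r)) == REVOKED for r in raws):
            self.blocks[msg["delete"]] = None  # S403: delete the block body
            return "deleted block body"
        return "discarded: valid certificate present"


def demo() -> Dict[str, str]:
    # Block E ("00005") from the text at the current time 2017-03-29:
    # certificate 8 revoked but unexpired, certificate 9 expired but not revoked.
    now = date(2017, 3, 29)
    c8 = Certificate("8", date(2016, 7, 5), date(2017, 7, 5))
    c9 = Certificate("9", date(2015, 8, 5), date(2016, 8, 5))
    backup = BackupNode({"00005": [c8, c9]}, {"8": REVOKED})
    node = VerificationNode({"00005": [transform(c8.encode()), transform(c9.encode())]},
                            {transform(c8.encode()): REVOKED})
    # A forged copy of certificate 9 with a longer validity fails the match.
    forged = Certificate("9", date(2015, 8, 5), date(2019, 8, 5)).encode()
    results = {"tampered": node.handle_deletion(
        {"delete": "00005", "backup_certs": [c8.encode(), forged]}, now)}
    results["genuine"] = node.handle_deletion(backup.deletion_message("00005", now), now)
    results["repeat"] = node.handle_deletion(backup.deletion_message("00005", now), now)
    return results
```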
Example 7:
Fig. 5 is a schematic structural diagram of a block chain-based digital certificate deleting apparatus according to an embodiment of the present invention, where the apparatus includes:
a determining module 51, configured to determine, according to the information of each backup digital certificate stored by the apparatus itself for each block, whether each backup digital certificate stored for the block is invalid;
a sending module 52, configured to send, if it is determined that each backup digital certificate stored for the block is invalid, a deletion message containing the identification information of the block to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block identified by the identification information is invalid and, when it determines that each digital certificate in that block is invalid, deletes the block body of the block identified by the identification information.
The determining module 51 is specifically configured to determine, according to the information of each backup digital certificate stored for each block, whether the validity period of each backup digital certificate stored for the block has expired and/or whether the state of the backup digital certificate is revoked; and if, for each backup digital certificate stored for the block, the validity period has expired and/or the state is revoked, to determine that each backup digital certificate stored for the block is invalid.
The sending module 52 is further configured to send, if each digital certificate stored in each block of each verification node in the block chain has been transformed using a preset algorithm, each backup digital certificate stored for the block identified by the identification information to each verification node.
In the embodiment of the present invention, the block chain-based digital certificate deleting apparatus shown in Fig. 5 is applied to any backup node in a block chain, where the block chain includes a plurality of verification nodes and at least one backup node.
Example 8:
fig. 6 is a schematic structural diagram of a device for deleting a digital certificate based on a block chain according to an embodiment of the present invention, where the device includes:
a receiving module 61, configured to receive a deletion message that includes identification information of a block and is sent by a backup node in a block chain, where the deletion message is sent after the backup node in the block chain determines that each backup digital certificate stored for each block is invalid according to information of each backup digital certificate stored for each block by the backup node in the block chain;
a judging module 62, configured to judge whether each digital certificate in the block of the identification information stored by itself is invalid;
a deleting module 63, configured to delete the block body of the block if it is determined that each digital certificate in the block of the identification information is invalid.
The receiving module 61 is further configured to receive each backup digital certificate, which is sent by the backup node and is stored by the backup node for the block of the identification information, if each digital certificate stored by each block is transformed by using a preset algorithm;
the device further comprises:
a matching module 64, configured to transform each backup digital certificate by using the preset algorithm; judging whether each digital certificate stored in the block of the identification information is correspondingly matched with the digital certificate after the conversion of the backup digital certificate or not according to each digital certificate stored in the block of the identification information; if the matching result is yes, the judgment module is triggered.
The judging module 62 is specifically configured to obtain the validity period and state information of each digital certificate in the block of the identification information stored by the authentication node itself; judge whether the validity period of each digital certificate in the block of the identification information is expired and/or whether the state of the digital certificate is revoked; and if the validity period of each digital certificate in the block of the identification information is expired and/or the state of the digital certificate is revoked, determine that each digital certificate in the block of the identification information is invalid.
In the embodiment of the present invention, the apparatus for deleting a digital certificate based on a blockchain as shown in fig. 6 is applied to any authentication node in a blockchain, where the blockchain includes a plurality of authentication nodes and at least one backup node.
Example 9:
fig. 7 is a schematic structural diagram of a system for deleting a digital certificate based on a block chain according to an embodiment of the present invention, where the system for deleting a digital certificate based on a block chain includes at least one device for deleting a digital certificate based on a block chain, which is applied to a backup node 71, and a plurality of devices for deleting a digital certificate based on a block chain, which are applied to an authentication node 72.
The invention discloses a block chain-based digital certificate deleting method, device and system. The block chain comprises a plurality of verification nodes and at least one backup node, and the deleting method is applied to any backup node in the block chain and comprises the following steps: determining, according to the information of each backup digital certificate saved for each block, whether each backup digital certificate saved for the block is invalid; and if it is determined that each backup digital certificate saved for the block is invalid, sending a deletion message containing the identification information of the block to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block of the identification information is invalid and, when it is determined that each digital certificate in the block of the identification information is invalid, deletes the block body of the block of the identification information. In the embodiment of the invention, if the backup node judges that each backup digital certificate stored for a certain block is invalid, it sends a deletion message containing the identification information of the block to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block of the identification information is invalid and, when each digital certificate in the block of the identification information is determined to be invalid, deletes the block body of the block of the identification information. This reduces the storage space occupied by digital certificate storage, saves the storage and computing resources of the verification nodes, and improves the operating efficiency of the verification nodes and the user experience.
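The two-level check described above (backup node screens a block, verification nodes independently re-judge it and, when the block holds only transformed certificates, first match the forwarded backups against what they store) as an added Python sketch; it is not code from the patent or its applicant. The Cert and Block records, the use of SHA-256 over a canonical JSON encoding as the "preset algorithm", the sample chain, and the use of the matched backup certificates' validity fields when a block holds only digests are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate plus its status
    serial: str
    not_after: datetime
    revoked: bool = False
    def invalid(self, now: datetime) -> bool:
        # Invalid if the validity period has expired and/or the state is revoked.
        return now > self.not_after or self.revoked
    def transform(self) -> str:
        # Assumed "preset algorithm": SHA-256 over a canonical encoding of the
        # certificate content (revocation state is not part of the input).
        canon = json.dumps({"serial": self.serial, "not_after": self.not_after.isoformat()})
        return hashlib.sha256(canon.encode()).hexdigest()

@dataclass
class Block:
    block_id: str
    header: dict                 # kept even after the body is deleted
    body: Optional[List[str]]    # cert serials, or digests if transformed
    transformed: bool = False

class BackupNode:
    def __init__(self, backups: Dict[str, List[Cert]]):
        self.backups = backups   # block_id -> backup certs saved for that block
    def deletable_blocks(self, now: datetime) -> List[str]:
        # A block qualifies only when every backup cert saved for it is invalid.
        return [bid for bid, certs in self.backups.items()
                if certs and all(c.invalid(now) for c in certs)]
    def deletion_message(self, block_id: str, transformed: bool) -> dict:
        msg = {"type": "delete", "block_id": block_id}
        if transformed:          # verification nodes hold only digests
            msg["backup_certs"] = list(self.backups[block_id])
        return msg

class VerificationNode:
    def __init__(self, blocks: List[Block], certs: Dict[str, Cert]):
        self.blocks = {b.block_id: b for b in blocks}
        self.certs = certs       # serial -> Cert for blocks stored in the clear
    def handle_deletion(self, msg: dict, now: datetime) -> str:
        block = self.blocks.get(msg["block_id"])
        if block is None or block.body is None:
            return "unknown-block"
        if block.transformed:
            # Re-transform the received backups; they must reproduce the stored digests exactly.
            backups = msg.get("backup_certs", [])
            if sorted(c.transform() for c in backups) != sorted(block.body):
                return "mismatch"
            certs = backups
        else:
            certs = [self.certs[s] for s in block.body]
        if not all(c.invalid(now) for c in certs):   # independent second check
            return "kept"
        block.body = None        # delete the block body, keep the header
        return "deleted"

def run_scenario() -> Dict[str, object]:
    now, june = datetime(2024, 1, 1), lambda y: datetime(y, 6, 1)
    a, b, c = Cert("A", june(2023)), Cert("B", june(2025), True), Cert("C", june(2025))
    e, f = Cert("E", june(2022)), Cert("F", june(2023))
    backup = BackupNode({"blk-1": [a, b], "blk-2": [c, a], "blk-3": [e, f]})
    verifier = VerificationNode(
        [Block("blk-1", {"h": 1}, ["A", "B"]), Block("blk-2", {"h": 2}, ["C", "A"]),
         Block("blk-3", {"h": 3}, [e.transform(), f.transform()], True)],
        {"A": a, "B": b, "C": c})
    out: Dict[str, object] = {"deletable": backup.deletable_blocks(now)}
    # A message whose backup set does not reproduce the stored digests is refused.
    out["forged"] = verifier.handle_deletion(
        {"type": "delete", "block_id": "blk-3", "backup_certs": [e]}, now)
    for bid in out["deletable"]:
        msg = backup.deletion_message(bid, verifier.blocks[bid].transformed)
        out[bid] = verifier.handle_deletion(msg, now)
    out["blk-2"] = verifier.handle_deletion(backup.deletion_message("blk-2", False), now)  # C still valid
    return out
```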
For the system/apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (13)

1. A block chain-based digital certificate deletion method, wherein the block chain comprises a plurality of verification nodes and at least one backup node, the deletion method is applied to any backup node in the block chain, and the backup node backs up a digital certificate stored in each block of each verification node in the block chain, and the method comprises the following steps:
determining whether each backup digital certificate saved for each block is invalid or not according to the information of each backup digital certificate saved for each block;
if it is determined that each backup digital certificate saved for the block is invalid, sending a deletion message containing the identification information of the block to each verification node in the block chain, so that each verification node judges whether each digital certificate in the block of the identification information is invalid and, when it is determined that each digital certificate in the block of the identification information is invalid, deletes the block body of the block of the identification information.
2. The method of claim 1, wherein determining whether each backup digital certificate saved for each block is invalid based on information of each backup digital certificate saved for the block by itself comprises:
determining, according to the information of each backup digital certificate stored for each block, whether the validity period of each backup digital certificate stored for the block is expired and/or whether the state of each backup digital certificate is revoked;
and if the validity period of each backup digital certificate saved for the block is expired and/or the state of the backup digital certificate is revoked, determining that each backup digital certificate saved for the block is invalid.
3. The method according to claim 1, wherein if each digital certificate stored in each block of each authentication node in the block chain is transformed using a preset algorithm, after sending a deletion message containing identification information of the block to each authentication node in the block chain, the method further comprises:
and sending each backup digital certificate stored for the block of the identification information to each verification node.
4. A block chain-based digital certificate deletion method, wherein the block chain comprises a plurality of verification nodes and at least one backup node, the deletion method is applied to any verification node in the block chain, and the backup node backs up a digital certificate stored in each block of each verification node in the block chain, and the method comprises the following steps:
receiving a deletion message containing identification information of a block, which is sent by a backup node in a block chain, wherein the deletion message is sent after the backup node in the block chain determines that each backup digital certificate stored for the block is invalid according to the information of each backup digital certificate stored for each block by the backup node;
judging whether each digital certificate in the block of the identification information stored by itself is invalid or not;
and if each digital certificate in the block of the identification information is determined to be invalid, deleting the block body of the block.
5. The method of claim 4, wherein if each digital certificate stored in each block is transformed by using a preset algorithm, after receiving a deletion message containing identification information of the block sent by a backup node in the block chain, the method further comprises:
receiving each backup digital certificate which is sent by the backup node and is saved by the backup node aiming at the block of the identification information;
before the determining whether each digital certificate in the block of the identification information stored by itself is invalid, the method further includes:
transforming each backup digital certificate by adopting the preset algorithm;
judging whether each digital certificate stored in the block of the identification information is correspondingly matched with the digital certificate after the conversion of the backup digital certificate or not according to each digital certificate stored in the block of the identification information;
if yes, the subsequent steps are carried out.
6. The method according to claim 4 or 5, wherein said determining whether each digital certificate in the block of the identification information stored by itself is invalid comprises:
acquiring the validity period and state information of each digital certificate in the block of the identification information stored by itself;
judging whether the validity period of each digital certificate in the block of the identification information is expired and/or whether the state of the digital certificate is revoked;
and if the validity period of each digital certificate in the block of the identification information is expired and/or the state of the digital certificate is revoked, determining that each digital certificate in the block of the identification information is invalid.
7. A device for deleting a digital certificate based on a blockchain, wherein the device for deleting a digital certificate is applied to any backup node in a blockchain, where the blockchain includes a plurality of authentication nodes and at least one backup node, and the backup node backs up a digital certificate stored in each block of each authentication node in the blockchain, and the device comprises:
the determining module is used for determining whether each backup digital certificate stored aiming at each block is invalid or not according to the information of each backup digital certificate stored aiming at each block;
a sending module, configured to send, if it is determined that each backup digital certificate stored for the block is invalid, a deletion message including identification information of the block to each authentication node in the block chain, so that each authentication node determines whether each digital certificate in the block of the identification information is invalid, and when it is determined that each digital certificate in the block of the identification information is invalid, delete the block body of the block of the identification information.
8. The apparatus according to claim 7, wherein the determining module is specifically configured to determine, according to information of each backup digital certificate stored for each block by itself, whether a validity period of each backup digital certificate stored for the block expires and/or a status of the backup digital certificate is revoked; and if the validity period of each backup digital certificate saved for the block is expired and/or the state of the backup digital certificate is revoked, determining that each backup digital certificate saved for the block is invalid.
9. The apparatus of claim 7, wherein the sending module is further configured to send each backup digital certificate stored for the block of the identification information to each authentication node if each digital certificate stored in each block of each authentication node in the block chain is transformed using a preset algorithm.
10. A device for deleting a digital certificate based on a blockchain, wherein the device for deleting a digital certificate is applied to any authentication node in a blockchain, where the blockchain includes a plurality of authentication nodes and at least one backup node, and the backup node backs up a digital certificate stored in each block of each authentication node in the blockchain, and the device includes:
the system comprises a receiving module and a sending module, wherein the receiving module is used for receiving a deletion message which is sent by a backup node in a block chain and contains identification information of blocks, and the deletion message is sent by the backup node in the block chain after determining that each backup digital certificate stored aiming at each block is invalid according to the information of each backup digital certificate stored aiming at each block by the backup node;
the judging module is used for judging whether each digital certificate in the block of the identification information stored by the judging module is invalid or not;
and the deleting module is used for deleting the block body of the block if each digital certificate in the block of the identification information is determined to be invalid.
11. The apparatus of claim 10, wherein the receiving module is further configured to receive each backup digital certificate, which is sent by the backup node and is stored by the backup node for the block of the identification information, if each digital certificate stored in each block is transformed using a preset algorithm;
the device further comprises:
the matching module is used for transforming each backup digital certificate by adopting the preset algorithm; judging whether each digital certificate stored in the block of the identification information is correspondingly matched with the digital certificate after the conversion of the backup digital certificate or not according to each digital certificate stored in the block of the identification information; if the matching result is yes, the judgment module is triggered.
12. The apparatus according to claim 10, wherein the determining module is specifically configured to obtain the validity period and status information of each digital certificate in the block of the identification information stored by itself; judge whether the validity period of each digital certificate in the block of the identification information is expired and/or whether the state of the digital certificate is revoked; and if the validity period of each digital certificate in the block of the identification information is expired and/or the state of the digital certificate is revoked, determine that each digital certificate in the block of the identification information is invalid.
13. A blockchain-based digital certificate deletion system, wherein the deletion system comprises at least one blockchain-based digital certificate deletion apparatus applied to a backup node according to any one of claims 7 to 9, and a plurality of blockchain-based digital certificate deletion apparatuses applied to an authentication node according to any one of claims 10 to 12.
CN201710218253.XA 2017-04-05 2017-04-05 Block chain-based digital certificate deleting method, device and system Active CN108696356B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710218253.XA CN108696356B (en) 2017-04-05 2017-04-05 Block chain-based digital certificate deleting method, device and system
PCT/CN2018/078888 WO2018184447A1 (en) 2017-04-05 2018-03-13 Blockchain-based digital certificate deletion method, device and system, and storage medium

Publications (2)

Publication Number Publication Date
CN108696356A CN108696356A (en) 2018-10-23
CN108696356B CN108696356B (en) 2020-08-18

Family

ID=63711997

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant