CN111526023A - Block chain uplink data security authentication method and system based on IPK - Google Patents

Info

Publication number: CN111526023A
Authority: CN (China)
Prior art keywords: data, IPK, block chain, acquisition terminal, signature
Legal status: Granted
Application number: CN202010347985.0A
Other languages: Chinese (zh)
Other versions: CN111526023B (en)
Inventors: 牛毅, 卢学强, 李维刚, 韩雁文
Current Assignee: Nanjing Xunshi Data Technology Co ltd
Original Assignee: Nanjing Xunshi Data Technology Co ltd
Application filed by Nanjing Xunshi Data Technology Co ltd
Priority to CN202010347985.0A
Publication of CN111526023A
Application granted
Publication of CN111526023B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof

Abstract

The invention discloses an IPK-based method and system for security authentication of block chain uplink data, belonging to the technical field of block chain uplink data information security. Existing schemes build a decentralized block chain on top of centralized authentication, which weakens the decentralization advantage of the block chain and affects the security of the uplink data. The disclosed method performs security authentication on uplink data according to the specific scenario of the block chain application, and comprises authentication of the acquisition terminal, signature verification of the uplink data, and encryption and decryption. The invention completes security authentication by using the Internet of Things identifier as the public key. Encryption and authentication of uplink data do not depend on a third party, so security authentication of uplink data is completed directly and locally without relying on a center, and security is high. The invention combines perfectly with the decentralized nature of the block chain, making the block chain system architecture simpler and its performance higher.

Description

Block chain uplink data security authentication method and system based on IPK
Technical Field
The invention relates to a block chain uplink data security authentication method and system based on IPK, belonging to the technical field of block chain uplink data information security.
Background
The block chain is a distributed shared ledger and database, characterized by decentralization, tamper resistance, full-process record keeping, traceability, collective maintenance, openness and transparency. These characteristics ensure the honesty and transparency of the block chain and lay the foundation for the trust it creates. Applying the block chain can solve the problem of information asymmetry in applications and achieve cooperative trust and consistent action among multiple parties.
In the block chain architecture, each node has an independent application system. The application systems store the data they produce securely on the chain at the block chain node, and the nodes keep their data synchronized and consistent through a consensus algorithm.
Block chain security mainly concerns consortium chains and private chains. With the frequent occurrence of security incidents, security risk is currently regarded as the weak point restricting the healthy development of the industry; embracing the block chain requires accelerating the exploration of a security assurance system suited to the block chain's technical mechanisms.
Chinese patent publication No. CN110457942A discloses a signature verification method, service node and medium for uplink data blocks. The method comprises: receiving the block header of an uplink data block sent by an accounting node, the block header containing a digest and a signature generated for the transaction information in the data block, the signature being generated by the accounting node encrypting the digest with a private key specific to the accounting node; acquiring the public key certificate of the accounting node, which is generated in response to the accounting node's request for a public key certificate and contains the public key specific to the accounting node; extracting the public key specific to the accounting node from that certificate; and decrypting the signature with that public key and comparing the decryption result with the digest in the block header to verify the signature. The embodiments of that disclosure improve the security of block chain accounting when a service node does not actually participate in the uplink of a data block.
That scheme authenticates uplink data with a centralized certificate system. The aim of the block chain, however, is decentralization, and building a decentralized block chain on centralized authentication weakens the decentralization advantage of the block chain and affects the security of the uplink data.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention aims to provide an IPK-based block chain uplink data security authentication method and system that use the Internet of Things identifier as the public key, so that security authentication of uplink data is completed directly and locally without depending on a center.
To achieve this purpose, the technical scheme of the invention is as follows:
An IPK-based block chain uplink data security authentication method,
in which security authentication is performed on the uplink data according to the specific scenario of the block chain application;
the method comprises authentication of the acquisition terminal, signature verification of the uplink data, and encryption and decryption.
The specific process is as follows:
First, the data acquisition terminal B processes the uplink data as follows:
S1, the data acquisition terminal computes a digital digest of the uplink data, h = Hash(data);
S2, the data acquisition terminal signs the digital digest h with its own identification private key isk_B, obtaining the terminal's digital signature over the data, sig = Sig_{isk_B}(h);
S3, the digital signature sig is packed according to the ASN.1 encoding specification to form an IPK-based digital signature protocol data packet;
S4, the data acquisition terminal generates a random number r and computes a session key skey with an elliptic curve algorithm;
S5, the data acquisition terminal encrypts the data to be uplinked with the session key skey to obtain a data ciphertext C;
S6, the data acquisition terminal computes the identification public key IPK_A of block chain node A with the IPK key generation algorithm, from the identifier ID_A of block chain node A and the public key matrix M of the IPK system. Block chain node A applies in advance to the IPK key center for its own identification private key isk_A, which satisfies IPK_A = isk_A·G,
where G is the base point of the elliptic curve;
S7, the data acquisition terminal computes a digital envelope D from the identification public key IPK_A of block chain node A and the random number r used to generate the session key skey, where D = r·IPK_A;
S8, the data acquisition terminal packs the data ciphertext C, the digital envelope D and auxiliary information such as the matrix identifier, receiver identifier, encryption algorithm identifier and elliptic curve identifier into an IPK encrypted data packet according to the ASN.1 encoding standard;
S9, the data acquisition terminal sends the encrypted data packet cipherPackage and the signature data packet signaturePackage to block chain node A.
Second, block chain node A processes the uplink data as follows:
Step 1: block chain node A receives the encrypted data packet cipherPackage and the signature data packet signaturePackage sent by the data acquisition terminal;
Step 2: block chain node A computes the session key skey from its own identification private key isk_A and the digital envelope D in the encrypted data packet;
Step 3: block chain node A decrypts the ciphertext C with the session key skey to obtain the plaintext data, data = D_skey(C), where D is the symmetric decryption algorithm (e.g., SM4) corresponding to E;
Step 4: the block chain node obtains the signer identifier, namely the data acquisition terminal identifier ID_B, from the signature data packet signaturePackage, computes the identification public key IPK_B of the data acquisition terminal from the public key matrix stored in the block chain node, and then verifies the authenticity of the signature with that identification public key;
Step 5: if verification passes, the data source is authentic and reliable and the data was not tampered with in transit, so data uplink is allowed; otherwise the data may be forged or tampered with, and uplink of the data is rejected.
The invention completes security authentication by using the Internet of Things identifier as the public key. Encryption and authentication of uplink data do not depend on a third party, so security authentication of uplink data is completed directly and locally without relying on a center, and security is high.
The invention combines perfectly with the decentralized nature of the block chain, making the block chain system architecture simpler and its performance higher.
The invention obtains the public key by computation from the identifier, and this computation is itself the proof of the public key's authenticity, thereby realizing a secure self-certifying system.
As a preferable technical measure:
In S3:
the IPK-based digital signature protocol data packet is denoted signaturePackage, and its structure is defined as:
Signature information ::= SEQUENCE {
    version    ASN1_INTEGER,        // version number
    matrixId   ASN1_UTF8STRING,     // matrix identification
    signerId   ASN1_UTF8STRING,     // signer identification
    signTime   ASN1_UTCTIME,        // signature timestamp
    mdOid      ASN1_OBJECT,         // digital digest algorithm object identification
    sigrS      ASN1_OCTET_STRING,   // signature value (r, s)
    R          ASN1_OCTET_STRING    // custom public key
}
As a preferable technical measure:
In S4:
the elliptic curve algorithm is as follows: take the x coordinate of the elliptic curve point R modulo the elliptic curve parameter n to obtain skey = R.x mod n. Note: G is the base point of the elliptic curve and its order is prime; n is the order of the base point G;
In S5:
C = E_skey(data), where E is a symmetric encryption algorithm (e.g., SM4).
As a preferable technical measure:
In S8:
the IPK encrypted data packet is denoted cipherPackage,
and its data structure is defined as:
Ciphertext information ::= SEQUENCE {
    version         ASN1_INTEGER,        // version number
    matrixId        ASN1_UTF8STRING,     // matrix identification
    addresseeId     ASN1_UTF8STRING,     // recipient identification
    ecOid           ASN1_OBJECT,         // elliptic curve object identification
    env             ASN1_OCTET_STRING,   // digital envelope
    ciphertextData  ASN1_OCTET_STRING    // ciphertext data
}
As a preferable technical measure:
In Step 2:
the session key skey is computed as:
isk_A^{-1}·D = isk_A^{-1}·(r·IPK_A) = isk_A^{-1}·(r·isk_A·G) = r·G = (x, y), skey = x mod n.
As a preferable technical measure:
In Step 4:
the authenticity of the signature is verified as follows:
first, the digital digest algorithm is obtained from the signature data packet and the digital digest h = Hash(data) is computed over the decrypted data; then the digital signature is verified with the identification public key: Verify_{IPK_B}(h, sig).
As a preferable technical measure: the identification public key IPK_B is computed from the identification ID of the terminal or node by the IPK algorithm.
As a preferable technical measure:
the private key is the identification private key isk and is stored in a key storage device in the node or the application system;
the key storage device is a software shield, a U shield (USB key), a PCI-E cryptographic card or a security chip.
An IPK-based block chain uplink data security authentication system,
which applies the IPK-based block chain uplink data security authentication method described above and comprises a signature verification module.
The signature verification module is provided to applications as an SDK:
the data acquisition terminal calls the module to compute the hash of the uplink data and to sign the hash value, i.e. the digest data, with the terminal's private key isk;
the corresponding block chain node receives the data sent by the acquisition terminal, including the data plaintext, the digest signature and the relevant identification information, performs the IPK computation with the identification ID of the acquisition terminal and the public key matrix stored in the node to obtain the acquisition terminal's public key IPK, and uses that public key to verify the acquisition terminal's signature over the digest data.
The invention completes security authentication by using the Internet of Things identifier as the public key. Encryption and authentication of uplink data do not depend on a third party, so security authentication of uplink data is completed directly and locally without relying on a center, and security is high.
The invention combines perfectly with the decentralized nature of the block chain, making the block chain system architecture simpler and its performance higher.
The invention provides access to the signature verification module as an SDK, integrating security defense into the block chain nodes and application systems, achieving active defense for block chain uplink data applications, and ensuring that uplink data is authentic, reliable and cannot be tampered with.
The invention obtains the public key by computation from the identifier, and this computation is itself the proof of the public key's authenticity, thereby realizing a secure self-certifying system.
As a preferable technical measure:
the system also comprises an encryption and decryption module and a key storage module.
The encryption and decryption module is also provided to applications as an SDK:
the acquisition terminal calls the module to generate a random number r and from it the session key skey, and computes the public key IPK of the receiving block chain node from the block chain node's identification ID and the public key matrix stored in the terminal, in order to build the digital envelope;
the block chain node receives the digital envelope, the data plaintext and the related data information sent by the data acquisition terminal,
opens the digital envelope with the node private key isk, obtains the session key, and decrypts the data ciphertext.
The key storage module mainly implements storage of the private key.
The module has four forms: security chip, software shield, PCI-E cryptographic card and U shield (USB key);
a chip operating system (COS) is embedded in the security chip to store and use the private key;
the software shield is a key storage software system that fully simulates the functions of the chip;
the security chip embedded in the application's circuit, or the software shield, is used in embedded systems;
depending on the required security level, either a security chip and chip-based cryptographic devices or a software shield can be selected for key storage; cryptographic devices based on a security chip are recommended when the security level is high;
the U shield is an independent security device based on a security chip that connects to the application through a USB port to perform key storage operations.
The invention provides access to each functional module as an SDK, integrating security defense into the block chain nodes and application systems, achieving active defense for block chain uplink data applications, and ensuring that uplink data is authentic, reliable and cannot be tampered with.
In block chain applications the modules are used selectively according to the specific situation: uplink data generally only needs signature verification, and the encryption and decryption module can be used selectively for data with special encryption requirements.
Compared with the prior art, the invention has the following beneficial effects:
The invention completes security authentication by using the Internet of Things identifier as the public key. Encryption and authentication of uplink data do not depend on a third party, so security authentication of uplink data is completed directly and locally without relying on a center, and security is high.
The invention combines perfectly with the decentralized nature of the block chain, making the block chain system architecture simpler and its performance higher.
The invention obtains the public key by computation from the identifier, and this computation is itself the proof of the public key's authenticity, thereby realizing a secure self-certifying system.
Drawings
Fig. 1 is the flow of uplink data processing by data acquisition terminal B according to the invention;
Fig. 2 is the flow of uplink data processing by block chain node A according to the invention;
Fig. 3 is the flow by which the data acquisition terminal and the block chain node apply for keys according to the invention;
Fig. 4 is the flow of security authentication between the data acquisition terminal and the block chain node according to the invention;
Fig. 5 is the flow by which the data acquisition terminal signs and encrypts uplink data according to the invention;
Fig. 6 is the flow by which the block chain node decrypts and verifies uplink data according to the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
On the contrary, the invention is intended to cover alternatives, modifications and equivalents which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, certain specific details are set forth in order to provide a better understanding of the present invention. It will be apparent to one skilled in the art that the present invention may be practiced without these specific details.
As shown in Figs. 1-2, an IPK-based block chain uplink data security authentication method,
in which security authentication is performed on the uplink data according to the specific scenario of the block chain application;
the method comprises authentication of the acquisition terminal, signature verification of the uplink data, and encryption and decryption.
The specific process is as follows:
First, the data acquisition terminal B processes the uplink data as follows (see Fig. 1):
S1, the data acquisition terminal computes a digital digest of the uplink data, h = Hash(data);
S2, the data acquisition terminal signs the digital digest h with its own identification private key isk_B, obtaining the terminal's digital signature over the data, sig = Sig_{isk_B}(h);
S3, the digital signature sig is packed according to the ASN.1 encoding specification to form an IPK-based digital signature protocol data packet;
S4, the data acquisition terminal generates a random number r and computes a session key skey with an elliptic curve algorithm;
S5, the data acquisition terminal encrypts the data to be uplinked with the session key skey to obtain a data ciphertext C;
S6, the data acquisition terminal computes the identification public key IPK_A of block chain node A with the IPK key generation algorithm, from the identifier ID_A of block chain node A and the public key matrix M of the IPK system. Block chain node A applies in advance to the IPK key center for its own identification private key isk_A, which satisfies IPK_A = isk_A·G;
S7, the data acquisition terminal computes a digital envelope D from the identification public key IPK_A of block chain node A and the random number r used to generate the session key skey, where D = r·IPK_A;
S8, the data acquisition terminal packs the data ciphertext C, the digital envelope D and auxiliary information such as the matrix identifier, receiver identifier, encryption algorithm identifier and elliptic curve identifier into an IPK encrypted data packet according to the ASN.1 encoding standard;
S9, the data acquisition terminal sends the encrypted data packet cipherPackage and the signature data packet signaturePackage to block chain node A.
Second, block chain node A processes the uplink data as follows (see Fig. 2):
Step 1: block chain node A receives the encrypted data packet cipherPackage and the signature data packet signaturePackage sent by the data acquisition terminal;
Step 2: block chain node A computes the session key skey from its own identification private key isk_A and the digital envelope D in the encrypted data packet;
Step 3: block chain node A decrypts the ciphertext C with the session key skey to obtain the plaintext data, data = D_skey(C), where D is the symmetric decryption algorithm corresponding to E;
Step 4: the block chain node obtains the signer identifier, namely the data acquisition terminal identifier ID_B, from the signature data packet signaturePackage, computes the identification public key IPK_B of the data acquisition terminal from the public key matrix stored in the block chain node, and then verifies the authenticity of the signature with that identification public key;
Step 5: if verification passes, the data source is authentic and reliable and the data was not tampered with in transit, so data uplink is allowed; otherwise the data may be forged or tampered with, and uplink of the data is rejected.
The invention completes security authentication by using the Internet of Things identifier as the public key. Encryption and authentication of uplink data do not depend on a third party, so security authentication of uplink data is completed directly and locally without relying on a center, and security is high.
The invention combines perfectly with the decentralized nature of the block chain, making the block chain system architecture simpler and its performance higher.
The invention obtains the public key by computation from the identifier, and this computation is itself the proof of the public key's authenticity, thereby realizing a secure self-certifying system.
A specific embodiment of the digital signature protocol data packet of the invention:
the IPK-based digital signature protocol data packet is denoted signaturePackage, and its structure is defined as:
Signature information ::= SEQUENCE {
    version    ASN1_INTEGER,        // version number
    matrixId   ASN1_UTF8STRING,     // matrix identification
    signerId   ASN1_UTF8STRING,     // signer identification
    signTime   ASN1_UTCTIME,        // signature timestamp
    mdOid      ASN1_OBJECT,         // digital digest algorithm object identification
    sigrS      ASN1_OCTET_STRING,   // signature value (r, s)
    R          ASN1_OCTET_STRING    // custom public key
}
A specific embodiment of the elliptic curve algorithm of the invention:
the elliptic curve algorithm is as follows: take the x coordinate of the elliptic curve point R modulo the elliptic curve parameter n to obtain skey = R.x mod n. Note: G is the base point of the elliptic curve and its order is prime; n is the order of the base point G.
A specific embodiment of the invention for computing the data ciphertext C:
C = E_skey(data), where E is a symmetric encryption algorithm.
A specific embodiment of the encrypted data packet of the invention:
the IPK encrypted data packet is denoted cipherPackage,
and its data structure is defined as:
Ciphertext information ::= SEQUENCE {
    version         ASN1_INTEGER,        // version number
    matrixId        ASN1_UTF8STRING,     // matrix identification
    addresseeId     ASN1_UTF8STRING,     // recipient identification
    ecOid           ASN1_OBJECT,         // elliptic curve object identification
    env             ASN1_OCTET_STRING,   // digital envelope
    ciphertextData  ASN1_OCTET_STRING    // ciphertext data
}
A specific embodiment of the invention for computing the session key:
the session key skey is computed as:
isk_A^{-1}·D = isk_A^{-1}·(r·IPK_A) = isk_A^{-1}·(r·isk_A·G) = r·G = (x, y), skey = x mod n.
A specific embodiment of the invention for verifying signatures:
the authenticity of the signature is verified as follows:
first, the digital digest algorithm is obtained from the signature data packet and the digital digest h = Hash(data) is computed over the decrypted data; then the digital signature is verified with the identification public key: Verify_{IPK_B}(h, sig).
A specific embodiment of the identification public key of the invention:
the identification public key IPK_B is computed from the identification ID of the terminal or node by the IPK algorithm.
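Added example, not part of the patent text: a Python sketch of steps S4, S6, S7 and Step 2, showing the identifier-derived key pair, the digital envelope D = r·IPK_A and its opening with isk_A^{-1}, with D validated as a curve point before it is used. Assumptions: secp256k1 stands in for the curve, which the page does not name; the rule that maps an identifier to matrix entries (hash picks one row per column, entries are summed) is hypothetical, since the page does not spell out the IPK key generation algorithm; the identifiers and seed are constructed. The SM4 and signature steps are left out.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the curve, which the page does not name.
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROWS, COLS = 4, 8  # constructed toy matrix size (hypothetical)

def on_curve(pt):
    """True only for a finite point satisfying y^2 = x^3 + A*x + B (mod P)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x**3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add k*pt (not constant-time; for illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def make_matrices(seed):
    """Key center: secret scalar matrix and the public key matrix M = s*G."""
    secret = [[int.from_bytes(hashlib.sha256(seed + bytes([i, j])).digest(), "big") % (N - 1) + 1
               for j in range(COLS)] for i in range(ROWS)]
    return secret, [[mul(s, G) for s in row] for row in secret]

def select(identifier):
    """Hypothetical mapping: the identifier's hash picks one row per column."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return [digest[j] % ROWS for j in range(COLS)]

def derive_private(identifier, secret):
    """isk = sum of the selected secret entries mod n (done by the key center)."""
    return sum(secret[i][j] for j, i in enumerate(select(identifier))) % N

def derive_public(identifier, public):
    """S6: IPK = sum of the selected public entries, computed locally by any party."""
    acc = None
    for j, i in enumerate(select(identifier)):
        acc = add(acc, public[i][j])
    return acc

def seal(ipk_a):
    """S4 + S7: pick r, skey = (r*G).x mod n, envelope D = r*IPK_A."""
    if not on_curve(ipk_a):
        raise ValueError("recipient public key is not a valid curve point")
    while True:
        r = secrets.randbelow(N - 1) + 1
        skey = mul(r, G)[0] % N
        if skey:
            return skey, mul(r, ipk_a)

def open_envelope(isk_a, envelope):
    """Step 2: isk_A^-1 * D = r*G, skey = x mod n. D is validated before use."""
    if not on_curve(envelope):
        raise ValueError("envelope D is not a valid curve point")
    if isk_a % N == 0:
        raise ValueError("private key is not invertible mod n")
    return mul(pow(isk_a, -1, N), envelope)[0] % N

if __name__ == "__main__":
    secret, public = make_matrices(b"constructed demo seed")
    isk_a = derive_private("node-A", secret)          # issued to node A in advance
    skey, D = seal(derive_public("node-A", public))   # terminal B, local computation
    print("node A recovers skey:", open_envelope(isk_a, D) == skey)
```

Because the receiver multiplies D by the inverse of its long-term private key, rejecting any D that is not a point on the expected curve is the check that keeps malformed envelopes away from that key.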
A specific embodiment of the storage of the private key of the invention:
the private key is the identification private key isk and is stored in a key storage device in the node or the application system;
the key storage device is a software shield, a U shield (USB key), a PCI-E cryptographic card or a security chip.
An IPK-based block chain uplink data security authentication system:
the system, which applies the IPK-based block chain uplink data security authentication method, comprises a signature verification module;
the signature verification module: the module is provided to applications as an SDK;
the data acquisition terminal calls the module to perform the Hash operation on the uplink data, and signs the resulting hash value, i.e. the digest, with the data acquisition terminal's private key isk;
the corresponding block chain node receives the data sent by the acquisition terminal, including the data plaintext, the digest signature and the related identification information, performs the IPK operation with the acquisition terminal's identification ID and the public key matrix stored in the node to obtain the acquisition terminal public key IPK, and uses that public key to verify the digest signature from the acquisition terminal.
The invention completes security authentication by using the Internet of Things identifier as the public key; encryption and authentication of uplink data are independent of any third party, so uplink data security authentication is completed directly and locally without depending on a center, and security is high.
The invention can be perfectly combined with the decentralized characteristic of the block chain, so that the block chain system architecture is simpler and its performance is higher.
The invention provides access to the signature verification module as an SDK and integrates the security defense into the block chain nodes and the application system, realizing active defense for block chain uplink data applications and ensuring that uplink data is authentic, reliable and cannot be falsified.
The invention obtains the public key by computing it from the identifier, and this computation is at the same time the proof of the public key's authenticity, so the system is self-certifying.
A specific embodiment that adds an encryption and decryption module and a key storage module:
the system also comprises an encryption and decryption module and a key storage module;
the encryption and decryption module: this module is also provided to applications as an SDK;
the acquisition terminal calls the module to generate a random number r and from it the session key skey, and computes the public key IPK of the block chain node it uploads to from that node's identification ID and the public key matrix stored in the terminal, in order to make the digital envelope;
the block chain node receives the digital envelope, the data plaintext and the related data information sent by the data acquisition terminal,
opens the digital envelope with the node private key isk, obtains the session key through verification, and completes decryption of the data ciphertext;
the key storage module: mainly implements storage of the private key;
the module has four forms: security chip, software shield, PCI-E cryptographic card and U shield;
a chip operating system (COS) is embedded in the security chip to store and use the private key;
the software shield is a key storage software system that fully simulates the chip's functions;
in embedded systems, the security chip embedded in the application's circuit, or the software shield, is used;
depending on the required security level, either a security chip and chip-based cryptographic device or a software shield can be selected for key storage; a cryptographic device based on the security chip is recommended when the security level is high;
the U shield is an independent security device that is based on a security chip and connects to the application through a USB port to perform key storage operations.
The invention provides access to each functional module as an SDK and integrates the security defense into the block chain nodes and the application system, realizing active defense for block chain uplink data applications and ensuring that uplink data is authentic, reliable and cannot be falsified.
In block chain applications, use is selective according to the specific situation: uplink data generally only needs signing and signature verification, and the encryption and decryption module can be used selectively for data with special encryption requirements.
As shown in Figs. 3-6, to apply the embodiments of the present invention,
the IPK SDK needs to be embedded in each node system and data acquisition terminal of the block chain.
The method mainly comprises the following steps:
First, a data acquisition terminal or a block chain node applies for a key from the block chain key center KMC.
The flow of the key application is as follows (see Fig. 3):
1) the data acquisition terminal or block chain node generates a random number r and encrypts it with the key center KMC's public key IPK to generate a digital envelope D;
2) the data acquisition terminal or block chain node sends the digital envelope D and its own identification ID to the key center KMC;
3) the key center KMC opens the digital envelope D with its own private key isk to obtain the random number r;
4) the key center KMC calculates the identification private key isk corresponding to the identification ID of the data acquisition terminal or block chain node, and encrypts isk with the random number r to obtain the private key ciphertext E;
5) the key center KMC sends the private key ciphertext E to the data acquisition terminal or block chain node;
6) the data acquisition terminal or block chain node decrypts the private key ciphertext E with the random number r to obtain the private key isk, and stores isk encrypted in the key storage module.
Secondly, after the key application is completed and block chain applications are carried out, security authentication between the data acquisition terminal and the block chain node needs to be performed.
The flow of security authentication is as follows (see Fig. 4):
(1) the data acquisition terminal applies for access to the block chain node;
(2) the data acquisition terminal generates a random number A and encrypts it using the block chain node identifier to form the random number A ciphertext;
(3) the data acquisition terminal sends the random number A ciphertext to the block chain node;
(4) the block chain node decrypts the random number A ciphertext with the node private key to obtain A, and signs A to obtain S1;
(5) the block chain node generates a random number B and encrypts it using the data acquisition terminal identifier to form the random number B ciphertext;
(6) the block chain node sends S1 and the random number B ciphertext to the data acquisition terminal;
(7) the data acquisition terminal obtains the random number A from its cache and checks whether the block chain node identifier exists in the data acquisition terminal's white list; if so, it verifies S1 using the block chain node identifier, extracts the signature time from the signature data, and compares it with the current time to check whether the signature is still timely (the difference is less than the set time); passing the timeliness check completes the data acquisition terminal's authentication of the block chain node;
(8) the data acquisition terminal decrypts the random number B ciphertext with the acquisition terminal private key to obtain B, and signs B to obtain S2;
(9) the data acquisition terminal sends S2 to the block chain node;
(10) the block chain node obtains the random number B from its cache and checks whether the data acquisition terminal identifier exists in the node's white list; if so, it verifies S2 using the data acquisition terminal identifier, extracts the signature time from the signature data, and compares it with the current time to check whether the signature is still timely (the difference is less than the set time); passing the timeliness check completes the block chain node's authentication of the data acquisition terminal. Bidirectional authentication between the block chain node and the data acquisition terminal is thereby completed.
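The receiving-side checks of steps (7) and (10), as an added Python example that is not code from the patent: a strict DER parser for the signature packet, followed by the white list, signature and timeliness checks in the order the steps give. Assumptions: field names follow the signature packet structure given in the claims, the signature covers signTime as well as the cached random number, and stand_in_sign / stand_in_verify are hash-based placeholders for the IPK SDK's signing and verification calls; all sample values are constructed.

```python
import hashlib
from datetime import datetime, timezone

# DER tags of the ASN.1 types named in the signature packet structure.
INTEGER, OCTET_STRING, OID, UTF8, UTCTIME, SEQUENCE = 0x02, 0x04, 0x06, 0x0C, 0x17, 0x30
# Field order as listed in the packet structure.
FIELDS = [("version", INTEGER), ("matrixId", UTF8), ("signerId", UTF8),
          ("signTime", UTCTIME), ("mdOid", OID), ("sigrS", OCTET_STRING),
          ("R", OCTET_STRING)]


def tlv(tag, value):
    """Encode one DER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def read_tlv(buf, pos):
    """Decode one TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n >= 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n


def parse_signature_pack(der):
    """Strict parse: exactly one SEQUENCE, expected tags in order, no trailing bytes."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    for name, want in FIELDS:
        tag, value, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"{name}: unexpected tag {tag:#04x}")
        fields[name] = value
    if pos != len(body):
        raise ValueError("trailing data in SEQUENCE")
    return fields


def check_response(der, cached_nonce, whitelist, verify, now, max_skew=30):
    """Steps (7)/(10): white list, signature over the cached random number, timeliness."""
    try:
        pack = parse_signature_pack(der)
        signer = pack["signerId"].decode("utf-8")
        signed_at = datetime.strptime(pack["signTime"].decode("ascii"),
                                      "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        return f"reject: malformed packet ({exc})"
    if signer not in whitelist:
        return "reject: signer not in white list"
    if not verify(signer, cached_nonce, pack):
        return "reject: signature invalid"
    if abs(now - signed_at.timestamp()) >= max_skew:  # max_skew is the "set time", seconds
        return "reject: signature not timely"
    return "accept"


def stand_in_sign(signer, sign_time, nonce):
    """Placeholder for the IPK signature; binds signer, signTime and the random number."""
    return hashlib.sha256(signer.encode() + sign_time.encode() + nonce).digest()


def stand_in_verify(signer, nonce, pack):
    """Placeholder for the IPK verification call so the example runs offline."""
    expected = stand_in_sign(signer, pack["signTime"].decode("ascii"), nonce)
    return pack["sigrS"] == expected


def build_pack(signer, sign_time, sig):
    """Constructed sample packet; every value here is made up for the example."""
    body = (tlv(INTEGER, b"\x01") + tlv(UTF8, b"matrix-01") + tlv(UTF8, signer.encode())
            + tlv(UTCTIME, sign_time.encode())
            + tlv(OID, bytes.fromhex("608648016503040201"))  # SHA-256 OID as a sample
            + tlv(OCTET_STRING, sig) + tlv(OCTET_STRING, b"\x00" * 33))
    return tlv(SEQUENCE, body)


if __name__ == "__main__":
    nonce = b"A" * 16  # the cached random number A (constructed)
    now = datetime(2024, 5, 1, 12, 0, 10, tzinfo=timezone.utc).timestamp()
    der = build_pack("node-A", "240501120000Z",
                     stand_in_sign("node-A", "240501120000Z", nonce))
    print(check_response(der, nonce, {"node-A"}, stand_in_verify, now))
    print(check_response(der, nonce, {"node-A"}, stand_in_verify, now + 60))
```

If signTime were not covered by the signature, the timeliness check would be comparing a value that can be rewritten in transit, so the binding in stand_in_sign is the property to look for in the real signing call.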
The procedure by which the data acquisition terminal signs and encrypts the uplink data is as follows (see Fig. 5):
1) the data acquisition terminal performs the Hash operation on the uplink data to form the data digest h;
2) it signs the data digest h with the private key isk to obtain the digital signature sig, and packs sig into the IPK-based digital signature protocol data packet signaturePack;
3) it generates a random number r and generates the session key skey through the elliptic curve algorithm;
4) it encrypts the data to be put on the chain with skey to obtain the data ciphertext C;
5) it uses the block chain node public key IPK to make the digital envelope D;
6) C, D and other identification information are packed into the IPK encrypted data packet cipherPackage, which is sent to the block chain node together with signaturePack.
Thirdly, the data acquisition terminal signs and encrypts the uplink data and sends it to the block chain node, and the block chain node system completes decryption and verification. The procedure by which the node decrypts and verifies the uplink data is as follows (see Fig. 6):
1) the block chain node receives the data sent by the data acquisition terminal;
2) the block chain node obtains skey using its private key isk and the digital envelope D in the encrypted data packet;
3) it decrypts the ciphertext data C with skey to obtain the uplink data plaintext;
4) the block chain node obtains the data acquisition terminal public key IPK from the data acquisition terminal identification ID and uses it to verify the authenticity of the signature sig;
5) if signature verification passes, the block chain node completes the data uplink; if verification fails, the data is not allowed onto the chain;
the block chain node thus completes decryption and verification of the data acquisition terminal's uplink data and stores the verified data on the chain.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. An IPK-based block chain uplink data security authentication method,
in which, according to the specific scenario of the block chain application, the uplink data is subjected to security authentication,
the method comprising authentication of the acquisition terminal, signing and signature verification of uplink data, and encryption and decryption;
the specific process is as follows:
first, the data acquisition terminal B processes the uplink data as follows:
S1, the data acquisition terminal computes the digest of the uplink data to generate the data digest h, where $h = Hash(data)$;
S2, the data acquisition terminal signs the digest h with its own identification private key $isk_B$ to obtain the data acquisition terminal's digital signature over the data, $sig = Sig_{isk}(h)$;
S3, the digital signature sig is packed according to the ASN.1 coding specification to form the IPK-based digital signature protocol data packet;
S4, the data acquisition terminal generates a random number r, and the session key skey is generated through the elliptic curve algorithm;
S5, the data acquisition terminal encrypts the data to be put on the chain with the session key skey to obtain the data ciphertext C;
S6, from the identification $ID_A$ of block chain node A and the public key matrix M of the IPK system, the data acquisition terminal computes, through the IPK key generation algorithm, the identification public key $IPK_A$ corresponding to block chain node A; block chain node A has applied in advance to the IPK key center for its own identification private key $isk_A$, which satisfies $IPK_A = isk_A \cdot G$;
where G is the base point of the elliptic curve;
S7, the data acquisition terminal computes the digital envelope D from the identification public key $IPK_A$ of block chain node A and the random number r used to generate the session key skey, where $D = r \cdot IPK_A$;
S8, the data acquisition terminal packs the data ciphertext C, the digital envelope D and auxiliary information (matrix identifier, receiver identifier, encryption algorithm identifier, elliptic curve identifier and the like) into the IPK encrypted data packet according to the ASN.1 coding standard;
S9, the data acquisition terminal sends the encrypted data packet cipherPackage and the signature data packet signaturePack to block chain node A;
second, block chain node A processes the uplink data as follows:
step 1: block chain node A receives the encrypted data packet cipherPackage and the signature data packet signaturePack sent by the data acquisition terminal;
step 2: block chain node A uses its own identification private key $isk_A$ and the digital envelope D in the encrypted data packet to compute the session key skey;
step 3: block chain node A decrypts the ciphertext data C with the session key skey to obtain the plaintext data, $data = D_{skey}(C)$, where D is a symmetric decryption algorithm;
step 4: the block chain node obtains the signer identifier, namely the data acquisition terminal identifier $ID_B$, from the signature data packet signaturePack, computes the data acquisition terminal's identification public key $IPK_B$ with the public key matrix stored in the block chain node, and verifies the authenticity of the signature using that identification public key;
step 5: if verification passes, the data source is authentic and reliable and the data was not tampered with in transit, and data uplink is allowed; otherwise the data may be fake or tampered with, and the uplink of the data is rejected.
2. The IPK-based block chain uplink data security authentication method of claim 1, characterized in that,
in S3:
the IPK-based digital signature protocol data packet is denoted signaturePack and its structure is defined as:
Signature information ::= SEQUENCE {
    version ASN1_INTEGER, // version number
    matrixId ASN1_UTF8STRING, // matrix identification
    signerId ASN1_UTF8STRING, // signer identification
    signTime ASN1_UTCTIME, // signature timestamp
    mdOid ASN1_OBJECT, // digital digest algorithm object identification
    sigrS ASN1_OCTET_STRING, // signature value (r, s)
    R ASN1_OCTET_STRING // custom public key
}.
3. The IPK-based block chain uplink data security authentication method of claim 2, characterized in that,
in S4:
the elliptic curve algorithm comprises the following steps: take the x coordinate of the elliptic curve point R and reduce it modulo the elliptic curve parameter n to obtain $skey = R.x \bmod n$. Note: G is a base point of the elliptic curve, and the order of the base point is prime; n is the order of the base point G;
in S5:
$C = E_{skey}(data)$, where E is a symmetric encryption algorithm.
4. The IPK-based block chain uplink data security authentication method of claim 3, characterized in that,
in S8:
the IPK encrypted data packet, denoted cipherPackage,
has its data structure defined as:
Ciphertext information ::= SEQUENCE {
    version ASN1_INTEGER, // version number
    matrixId ASN1_UTF8STRING, // matrix identification
    addresseid ASN1_UTF8STRING, // recipient identification
    eco id ASN1_OBJECT, // elliptic curve object identification
    env ASN1_OCTET_STRING, // digital envelope
    ciphertext data ASN1_OCTET_STRING // ciphertext data
}.
5. The method according to claim 4, wherein, in step 2:
the session key skey is calculated as:
$isk_A^{-1} \cdot D = isk_A^{-1} \cdot (r \cdot IPK_A) = isk_A^{-1} \cdot (r \cdot isk_A \cdot G) = r \cdot G = (x, y)$, $skey = x \bmod n$.
6. The IPK-based block chain uplink data security authentication method of claim 1, characterized in that,
in step 4:
verifying the authenticity of the signature:
first, obtain the digest algorithm from the signature data packet and compute the digest $h = Hash(data)$ over the decrypted data; then verify the digital signature with the identification public key: $Verify_{IPK_B}(h, sig)$.
7. The method according to any of claims 1-6, wherein the identification public key $IPK_B$ is computed from the identification ID of the terminal or node through the IPK algorithm.
8. The IPK-based block chain uplink data security authentication method of claim 7, characterized in that,
the private key is the identification private key isk and is stored in a key storage device in the node or the application system;
the key storage device is a software shield, a U shield, a PCI-E cryptographic card or a security chip.
9. An IPK-based block chain uplink data security authentication system, characterized in that
the system applies the IPK-based block chain uplink data security authentication method according to any one of claims 1 to 8 and comprises a signature verification module;
the signature verification module: the module is provided to applications as an SDK;
the data acquisition terminal calls the module to perform the Hash operation on the uplink data, and signs the resulting hash value, i.e. the digest, with the data acquisition terminal's private key isk;
the corresponding block chain node receives the data sent by the acquisition terminal, including the data plaintext, the digest signature and the related identification information, performs the IPK operation with the acquisition terminal's identification ID and the public key matrix stored in the node to obtain the acquisition terminal public key IPK, and uses that public key to verify the digest signature from the acquisition terminal.
10. The IPK-based block chain uplink data security authentication system of claim 9, wherein
the system also comprises an encryption and decryption module and a key storage module;
the encryption and decryption module: this module is also provided to applications as an SDK;
the acquisition terminal calls the module to generate a random number r and from it the session key skey, and computes the public key IPK of the block chain node it uploads to from that node's identification ID and the public key matrix stored in the terminal, in order to make the digital envelope;
the block chain node receives the digital envelope, the data plaintext and the related data information sent by the data acquisition terminal,
opens the digital envelope with the node private key isk, obtains the session key through verification, and completes decryption of the data ciphertext;
the key storage module: mainly implements storage of the private key;
the module has four forms: security chip, software shield, PCI-E cryptographic card and U shield;
a chip operating system (COS) is embedded in the security chip to store and use the private key;
the software shield is a key storage software system that fully simulates the chip's functions;
in embedded systems, the security chip embedded in the application's circuit, or the software shield, is used;
depending on the required security level, either a security chip and chip-based cryptographic device or a software shield can be selected for key storage; a cryptographic device based on the security chip is recommended when the security level is high;
the U shield is an independent security device that is based on a security chip and connects to the application through a USB port to perform key storage operations.
CN202010347985.0A 2020-04-27 2020-04-27 Block chain uplink data security authentication method and system based on IPK Active CN111526023B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010347985.0A CN111526023B (en) 2020-04-27 2020-04-27 Block chain uplink data security authentication method and system based on IPK

Publications (2)

Publication Number Publication Date
CN111526023A true CN111526023A (en) 2020-08-11
CN111526023B CN111526023B (en) 2022-06-14

Family

ID=71903560

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant