CN112311530B - Block chain-based alliance trust distributed identity certificate management authentication method - Google Patents


Info

Publication number
CN112311530B
Authority
CN
China
Prior art keywords
alliance
certificate
identity
distributed
digital identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011183457.2A
Other languages
Chinese (zh)
Other versions
CN112311530A (en)
Inventor
王瑜
吕朋辉
陈亚
田琛
王雅哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L 9/00 cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L 9/06 encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4, hash functions, pseudorandom sequence generators)
    • H04L 63/0876: Network architectures or network communication protocols for network security, authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/00, H04L 63/08)
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L 63/00)
    • H04L 9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates (under H04L 9/08 key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L 9/0816 key establishment; H04L 9/0819 key transport or distribution)
    • H04L 9/0866: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics (under H04L 9/08, H04L 9/0861)
    • H04L 9/0872: Generation of secret information including derivation or calculation of cryptographic keys or passwords, using geo-location information, e.g. location data, time, relative position or proximity to other entities (under H04L 9/08, H04L 9/0861)
    • H04L 9/3247: Means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving digital signatures (under H04L 9/32)
    • H04L 9/3297: Means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps (under H04L 9/32)

Abstract

The invention relates to a blockchain-based federation (alliance) trust distributed identity credential management and authentication method comprising the following steps: (1) a network entity in the federation that can issue digital identity credentials acts as the credential issuer, a network entity that verifies the authenticity of digital identity credentials acts as the credential verifier, and a network entity that holds a digital identity credential acts as the credential holder. A federation digital identity credential is a set of identity attributes of a distributed network entity bound to a federation distributed identity identifier, so that the entity can perform distributed cross-domain identity authentication across different application scenarios within the federation; the credential is generated by assigning attribute values according to the federation digital identity credential definition. (2) The federation digital identity credential is managed over its full life cycle (issuance, verification, update and revocation), providing the federation's distributed heterogeneous network entities with uniform and secure cross-domain identity authentication across different application scenarios.

Description

Block chain-based alliance trust distributed identity certificate management authentication method
Technical Field
The invention belongs to the field of identity authentication security within information security, and particularly relates to a blockchain-based federation trust distributed identity credential management and authentication method.
Background
In recent years, with the rapid development of technologies such as the Internet of Things, "Internet+", 5G and big data, information exchange between the distributed heterogeneous network entities (personnel, devices and so on) of a federation organization has intensified, and the need for multi-party collaboration and data fusion between distributed service application systems has grown. Identity authentication, the first gateway protecting the security of a distributed application system, is becoming ever more important: mutual trust between network entities rests on reliably identifying the identity information of each distributed network entity. Because identity information is not shared between them, however, the distributed service application systems of a federation organization force a cross-system network entity to register its identity repeatedly in each system, suffer from low multi-party collaboration efficiency, growing data silos and identities that cannot be mutually recognized, and are hard-pressed to meet the cross-domain authentication requirements of multi-party collaboration and identity-data fusion across service systems. A uniform, secure cross-domain identity authentication scheme, suited to distributed heterogeneous network entities and to the development of new services, is urgently needed.
Measured against these cross-domain authentication requirements, the traditional "centralized" and "user-centric" authentication schemes have the following shortcomings: (1) in a centralized identity authentication scheme, the user's identity data is managed centrally and is not under the user's control, the user's private data is scattered across the Internet and hard to protect, and a successful attack on the central authentication server brings down the whole identity authentication system; (2) in a user-centric identity authentication scheme, the user fully controls the identity data, but because the two parties to an authentication lack a basis for trust, the user cannot effectively detect a fraudulent identity provider, and phishing attacks are hard to prevent. A decentralized identity authentication scheme based on a blockchain, drawing on the blockchain's decentralized and tamper-resistant properties, is therefore proposed.
Existing blockchain-based identity authentication schemes do not provide self-controlled, easily extensible, cross-domain, unified federation-trust distributed identity authentication for the distributed heterogeneous network entities (personnel, devices, enterprises and organizations) of a federation organization. The patent "identity authentication system based on blockchain technology and implementation method thereof" (CN202010372661.2) proposes a blockchain-based identity authentication system architecture and the processes of real-name registration, identity authentication and cascaded authentication, but identity authentication in different application scenarios uses the same digital identity, which does not meet the needs of different scenarios and makes identity information easy to collect and therefore to leak; that patent only implements registration and authentication of the digital identity, lacks full-life-cycle management of the digital identities of the federation's distributed heterogeneous network entities, and does not let those entities flexibly and autonomously control their identity information so as to prevent disclosure of identity privacy. The patent "an identity authentication method oriented to alliance chain" (CN202010046737.2) gives a scheme in which users jointly take part in key generation and authenticate each other without mutual trust, but users cannot autonomously complete identity generation, registration, update and revocation; the same private key represents the identity in every application scenario, so identity information is easy to collect, the user's entire identity can be leaked, and the scheme carries latent security risks.
Disclosure of Invention
To solve the above technical problem, the invention provides a blockchain-based federation trust distributed identity credential management and authentication method, which specifically includes:
full-life-cycle management (issuance, verification, update and revocation) of the federation digital identity credential, where a network entity in the federation that can issue digital identity credentials acts as the credential issuer, a network entity that verifies the authenticity of digital identity credentials acts as the credential verifier, and a network entity that holds a digital identity credential acts as the credential holder.
A federation digital identity credential is a set of identity attributes of a distributed network entity bound to a federation distributed identity identifier, so that the entity can perform distributed cross-domain identity authentication across different application scenarios within the federation. The credential is generated by assigning attribute values according to the federation digital identity credential definition. The data structure of the definition has three parts, the metadata CredentialMetadata, the attribute set Claims and the issuer signature information Proofs:
{ CredentialMetadata: { credentialName, issuanceDate, expireDate, Issuer }, Claims: { claim1, ..., claimN }, Proofs: { signatureValue, signatureAlgorithm, createdTime } }
The metadata includes the credential name credentialName, the issuance date issuanceDate, the expiration date expireDate, the credential issuer Issuer and the like; the issuer signature information includes the signature value signatureValue, the signature algorithm signatureAlgorithm, the signature creation time createdTime and the like. Before the distributed identity clients of the credential issuer, holder and verifier interact, each completes the generation and registration of its own federation distributed identity identifier according to (1), the identifier generation process.
(a) Issuing a federation digital identity credential: through its distributed identity client, the distributed network entity sends the federation distributed identity service node a request to query the credential issuer's identity information on the ledger, in order to obtain the issuer's federation distributed identity identifier and the federation digital identity credential definition that the issuer has stored on the federation distributed identity ledger. If the service node finds the issuer's identifier and credential definition on the ledger, it returns them to the distributed identity client that sent the query. On receiving them, the entity's client sends a credential issuance request to the credential issuer's distributed identity client; the issuer verifies the federation distributed identity identifier of the requesting entity and, if verification passes, creates a federation digital identity credential for that entity from the credential definition it holds and sends it to the entity's distributed identity client.
The requesting entity's distributed identity client receives the federation digital identity credential, verifies its authenticity against the credential definition obtained from the ledger and, if verification passes, stores the credential in the client's identity wallet.
(b) Verifying a federation digital identity credential: the credential holder first sends, through its distributed identity client, a request to the federation distributed identity service node to query the verification result and the revocation mark of the credential verifier's distributed identity identifier on the federation distributed identity ledger. The service node receives the query, looks up the ledger and, if it finds the verifier's verification result and revocation mark, sends the result to the holder's distributed identity client. If the result shows that the verifier's identifier passed verification and is not revoked, the holder's client takes the corresponding digital identity credential from its built-in identity wallet, creates a credential proof from it, and sends a verification request carrying that proof to the verifier's distributed identity client.
The verifier's distributed identity client receives the verification request, first verifies the holder's federation distributed identity identifier and, if that passes, extracts the federation digital identity credential proof from the request while querying the corresponding credential definition on the federation distributed identity ledger; it then verifies the authenticity of the credential proof against the definition found. If verification passes, the holder that sent the request is a legitimate user and is granted the corresponding access rights; otherwise the holder is an illegitimate user and service access is refused.
(c) Updating a federation digital identity credential: the credential issuer first generates a new federation digital identity credential definition through its distributed identity client, stores it in the issuer's identity wallet and takes out the old definition; it then hashes the new definition to produce its information digest and attaches a timestamp; it signs the digest and the attached timestamp with the private key of its federation distributed identity identifier generated in (1), producing the signature associated with the new definition; and it sends the federation distributed identity service node an update request carrying that signature, the digest, the new definition and the old definition. The service node receives the update request, obtains the public key that the issuer stored with its federation distributed identity identifier on the ledger, checks the signature in the request and, if it passes, stores the new credential definition on the ledger through the consensus mechanism, completing the definition update, and sends a credential update notice to the distributed identity clients of the credential holders to be updated.
A holder's distributed identity client receives the update notice, queries the updated credential definition on the ledger through the federation distributed identity service node, and sends a credential update request to the issuer's distributed identity client. The issuer's client receives the request, first verifies the holder's distributed identity identifier and, if that passes, creates a new federation digital identity credential from the updated definition and sends it to the holder's client; the holder's client receives the new credential, verifies its authenticity against the updated definition it queried and, if verification passes, stores the new credential in the user's identity wallet; if verification fails, the credential update fails.
(d) Revoking a federation digital identity credential: revocation covers two aspects, revocation of the credential itself and revocation of the credential definition. Revocation of the credential relies on the validity-period attribute set in the credential: once the validity period is exceeded the credential is revoked automatically, and the credential holder's distributed identity client automatically deletes it from the built-in identity wallet. Revocation of a credential definition is done as follows: the credential issuer sends the federation distributed identity service node, through its distributed identity client, a revocation request carrying the credential definition to be revoked. The service node receives the request, verifies the issuer's distributed identity identifier and, if that passes, marks the definition as revoked on the federation distributed identity ledger through the consensus mechanism and returns the revocation result to the issuer's distributed identity client, which then deletes the credential definition locally.
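The credential data structure and the issue, verify and revoke steps above, as an added Go example; it is not part of the patent and not code from its assignee. It uses the standard library's Ed25519 and SHA-256, and everything beyond the page's three-part layout is an assumption of this example: the JSON field spellings, the ledger as a map from credential name to definition, the Ed25519 choice, and the sample values (the issuer identifier `did:consortium:issuer-1`, the `EmployeeCredential` definition and its claims). The verifier's checks run in the order a practitioner would want them: ledger lookup and revocation mark first, then issuer binding and validity period (the automatic-revocation attribute of step (d)), required attributes, and only then the issuer's signature over a canonical encoding that excludes the proof block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// The three-part credential from the description; field spellings are assumed.
type CredentialMetadata struct {
	CredentialName string `json:"credentialName"`
	IssuanceDate   int64  `json:"issuanceDate"` // Unix seconds
	ExpireDate     int64  `json:"expireDate"`   // validity period; drives automatic revocation
	Issuer         string `json:"issuer"`       // issuer's federation distributed identity identifier
}
type Proofs struct {
	SignatureValue     string `json:"signatureValue"` // hex-encoded signature
	SignatureAlgorithm string `json:"signatureAlgorithm"`
	CreatedTime        int64  `json:"createdTime"`
}
type Credential struct {
	Metadata CredentialMetadata `json:"credentialMetadata"`
	Claims   map[string]string  `json:"claims"`
	Proofs   Proofs             `json:"proofs"`
}

// Definition is the issuer's entry on the federation ledger (assumed shape): required claims, issuer identifier and key, revocation mark of step (d).
type Definition struct {
	Name       string
	ClaimNames []string
	IssuerDID  string
	IssuerPub  ed25519.PublicKey
	Revoked    bool
}
// signingInput hashes the canonical JSON of the credential with the proof block blanked out (encoding/json sorts map keys, so the encoding is stable).
func signingInput(c Credential) []byte {
	c.Proofs = Proofs{}
	b, _ := json.Marshal(c)
	sum := sha256.Sum256(b)
	return sum[:]
}

// Issue is the issuer's side of step (a): fill the definition's attributes, set the validity period, sign.
func Issue(def Definition, priv ed25519.PrivateKey, claims map[string]string, now time.Time, ttl time.Duration) Credential {
	c := Credential{Metadata: CredentialMetadata{def.Name, now.Unix(), now.Add(ttl).Unix(), def.IssuerDID}, Claims: claims}
	sig := ed25519.Sign(priv, signingInput(c))
	c.Proofs = Proofs{hex.EncodeToString(sig), "Ed25519", now.Unix()}
	return c
}

// Verify is the verifier's check of step (b) (the holder runs it after issuance too): ledger lookup, revocation mark, issuer binding, validity period, required claims, signature.
func Verify(ledger map[string]Definition, c Credential, now time.Time) error {
	def, ok := ledger[c.Metadata.CredentialName]
	switch {
	case !ok:
		return errors.New("no credential definition on ledger")
	case def.Revoked:
		return errors.New("credential definition is revoked")
	case def.IssuerDID != c.Metadata.Issuer:
		return errors.New("issuer does not match ledger definition")
	case now.Unix() > c.Metadata.ExpireDate:
		return errors.New("credential validity period exceeded")
	}
	for _, n := range def.ClaimNames {
		if _, ok := c.Claims[n]; !ok {
			return fmt.Errorf("required claim %q missing", n)
		}
	}
	sig, err := hex.DecodeString(c.Proofs.SignatureValue)
	if err != nil || !ed25519.Verify(def.IssuerPub, signingInput(c), sig) {
		return errors.New("issuer signature does not verify")
	}
	return nil
}

// CredentialScenario runs the lifecycle on constructed data; each outcome is nil or the rejection.
func CredentialScenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	def := Definition{Name: "EmployeeCredential", ClaimNames: []string{"name", "orgUnit"}, IssuerDID: "did:consortium:issuer-1", IssuerPub: pub}
	ledger := map[string]Definition{def.Name: def}
	t0 := time.Unix(1_700_000_000, 0)
	cred := Issue(def, priv, map[string]string{"name": "Zhang San", "orgUnit": "R&D"}, t0, 24*time.Hour)
	out := map[string]error{}
	out["valid"] = Verify(ledger, cred, t0.Add(time.Hour))
	tampered := cred // same proof, altered attribute value
	tampered.Claims = map[string]string{"name": "Zhang San", "orgUnit": "Finance"}
	out["tampered"] = Verify(ledger, tampered, t0.Add(time.Hour))
	out["expired"] = Verify(ledger, cred, t0.Add(48*time.Hour))
	def.Revoked = true // step (d): the definition is marked revoked on the ledger
	ledger[def.Name] = def
	out["revoked"] = Verify(ledger, cred, t0.Add(time.Hour))
	return out
}
func main() { fmt.Println(CredentialScenario()) }
```

Running it prints four outcomes: the untouched credential verifies, a credential with one attribute value changed fails on the signature, the same credential checked after its expiry date fails on the validity period, and any credential of a definition the issuer has marked revoked is rejected before any signature work is done.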
In another aspect, the invention further provides a method by which a distributed heterogeneous network entity in a federation performs cross-domain identity authentication across different application scenarios within the federation, characterized by the following steps:
(a) Distributed digital identity generation: the distributed network entity first generates its own federation distributed identity identifier through its distributed identity client. The identifier consists mainly of a fixed header ConsortiumID, a random string RandomString, and an associated public/private key pair (pk, sk), where pk is the public key and sk the private key. The entity hashes the identifier to produce its information digest and attaches a timestamp, signs the digest and the attached timestamp with its own private key to produce the signature associated with the identifier, and sends the signature and the identifier to the federation distributed identity service node.
(b) Federation digital identity credential generation: acting as a credential issuer, the distributed network entity hashes the federation digital identity credential definition through its distributed identity client to produce the definition's information digest and attaches a timestamp; it signs the digest and the attached timestamp with the private key from the distributed digital identity identifier generation process to produce the signature associated with the definition, and sends the signature and the definition to the federation distributed identity service node. The credential issuer then issues federation digital identity credentials to distributed network entities on the basis of that definition.
(c) Federation digital identity block generation: on receiving each distributed network entity's identifier signature and credential definition signature, the federation distributed identity service node verifies them; if they pass, it builds a new block from the received identifiers and credential definitions, broadcasts it to the whole network, and stores the identifiers and definitions on the federation distributed identity ledger through the consensus mechanism.
(d) Federation digital identity authentication: a distributed network entity, as holder of a federation digital identity credential, applies for access to an application system. The system's credential verifier first verifies the applicant's distributed identity identifier, then queries the applicant's credential definition on the federation distributed identity ledger and verifies the federation digital identity credential information the applicant presents against it, completing the identity check and granting access to the application system.
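The identifier generation of step (a) and the service node's checks of step (c), together with the revocation mark that the holder's query in the credential method looks for, as an added Go example; it is not part of the patent and not code from its assignee. Assumptions of this example: the fixed header value `did:consortium`, a 16-byte random string, Ed25519 as the key pair, the request encoding (operation, identifier, public key, attached timestamp, and a signature over the SHA-256 digest with the timestamp appended), a five-minute freshness window, and a single in-memory node standing in for the ledger and its consensus step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed values: the federation's fixed identifier header and the node's freshness window.
const ConsortiumID, maxSkew = "did:consortium", 5 * time.Minute
// DID is the federation distributed identity identifier (fixed header + random string) with its key pair.
type DID struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // sk never leaves the client's identity wallet
}

func NewDID() DID {
	randomString := make([]byte, 16)
	if _, err := rand.Read(randomString); err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if rand.Reader does, checked above
	return DID{ID: ConsortiumID + ":" + hex.EncodeToString(randomString), Pub: pub, priv: priv}
}

// digestWithTimestamp is the "hash, then attach a timestamp" step; signing both keeps a captured request from being replayed later.
func digestWithTimestamp(msg string, ts int64) []byte {
	h := sha256.Sum256([]byte(msg))
	return append(h[:], []byte(fmt.Sprint(ts))...)
}

// Request is the client-to-node message (assumed encoding).
type Request struct {
	Op, ID    string // Op is "register" or "revoke"
	Pub       ed25519.PublicKey
	Timestamp int64
	Signature []byte // over digestWithTimestamp(Op|ID, Timestamp)
}

func (d DID) Sign(op string, now time.Time) Request {
	ts := now.Unix()
	return Request{op, d.ID, d.Pub, ts, ed25519.Sign(d.priv, digestWithTimestamp(op+"|"+d.ID, ts))}
}

// ServiceNode stands in for the federation distributed identity service node and its ledger (key and revocation mark per identifier); consensus is out of scope.
type ServiceNode struct{ keys map[string]ed25519.PublicKey; revoked map[string]bool }

// Handle runs the node's checks before anything is written: consortium header, fresh timestamp, signature under the
// identifier's own key (for a known identifier the key already on the ledger, so a revocation cannot be forged with a new key pair), one registration per identifier.
func (n *ServiceNode) Handle(r Request, now time.Time) error {
	if !strings.HasPrefix(r.ID, ConsortiumID+":") {
		return errors.New("identifier header is not this consortium's")
	}
	if d := now.Unix() - r.Timestamp; d > int64(maxSkew/time.Second) || -d > int64(maxSkew/time.Second) {
		return errors.New("timestamp outside freshness window")
	}
	key, known := n.keys[r.ID]
	if !known {
		key = r.Pub
	}
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, digestWithTimestamp(r.Op+"|"+r.ID, r.Timestamp), r.Signature) {
		return errors.New("signature does not verify under the identifier's key")
	}
	switch {
	case r.Op == "register" && known:
		return errors.New("identifier already registered")
	case r.Op == "register":
		n.keys[r.ID] = r.Pub
	case r.Op == "revoke" && known:
		n.revoked[r.ID] = true
	default:
		return fmt.Errorf("cannot apply %q to %s", r.Op, r.ID)
	}
	return nil
}

// IdentifierScenario runs the flow on constructed data; each outcome is nil or the rejection, and the node and identifier expose the final ledger state.
func IdentifierScenario() (map[string]error, *ServiceNode, string) {
	node := &ServiceNode{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
	t0 := time.Unix(1_700_000_000, 0)
	issuer := NewDID()
	reg := issuer.Sign("register", t0)
	out := map[string]error{}
	out["register"] = node.Handle(reg, t0)
	out["replay"] = node.Handle(reg, t0.Add(time.Hour)) // captured request resent an hour later
	impostor := NewDID()
	impostor.ID = issuer.ID // claims the issuer's identifier with a different key pair
	out["forged-revoke"] = node.Handle(impostor.Sign("revoke", t0), t0)
	out["revoke"] = node.Handle(issuer.Sign("revoke", t0), t0)
	return out, node, issuer.ID
}
func main() { fmt.Println(IdentifierScenario()) }
```

The check worth pausing on is which key the node verifies against: for an identifier already on the ledger it uses the stored key, not the key carried in the request, so a revocation or re-registration can only be signed by whoever holds the private key that was registered with that identifier. The attached timestamp is what lets the node reject a captured registration that is replayed later; in the scenario the same registration request is accepted at t0 and refused an hour afterwards.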
Compared with the prior art, the invention has the following advantages:
(1) Traditional identity authentication mostly uses a centralized scheme, and a centralized scheme deployed on a distributed infrastructure carries security risk: it is vulnerable to DDoS (distributed denial of service) attacks, single-point failures and the like. Here, several federation organizations each contribute one or more independent peer-to-peer nodes, forming a trusted distributed identity authentication federation network; the nodes are dispersed and decentralized, so DDoS attacks can be resisted effectively, and an attack that disables a single node does not affect the distributed authentication service of the whole federation.
(2) In a traditional centralized identity authentication scheme, user identity information is scattered across heterogeneous distributed systems and the user cannot control the related private data, so personal identity privacy leaks; in a user-centric scheme, the user fully and autonomously controls the identity information, but the two parties to an authentication lack a basis for trust, the user cannot effectively detect a fraudulent identity provider, and phishing attacks are hard to prevent. Through the blockchain consensus mechanism and an identity privacy protection mechanism, the invention keeps identity data secure, trustworthy and shareable within the federation network; the user controls its own identity information autonomously and exposes identity data only to a specific organization or individual in the federation, preventing disclosure of identity privacy.
(3) Traditional identity schemes offer somewhat better portability than centralized identity. The portability of identity information in the invention is different: the user ports the corresponding federation distributed digital identity as needed. That is, based on decentralized identity porting, a distributed network entity can obtain multiple federation distributed identity identifiers and associated federation digital identity credentials for different identity authentication scenarios, which completes the porting of the entity's user identity.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the present invention;
FIG. 2 is a schematic diagram of the federation distributed identity identifier management model of the present invention;
FIG. 3 is a schematic diagram of the federation digital identity credential management model of the present invention;
FIG. 4 is a schematic diagram of the federation distributed identity authentication operating mechanism model of the present invention.
Detailed Description
To make the objects, advantages and technical solution of the invention clearer, the invention is further described in detail below with reference to Figures 1 to 4.
According to an embodiment of the invention, a block chain-based federation trust distributed identity credential management authentication system is provided. As shown in Figure 1, it mainly comprises a federation distributed identity ledger, federation distributed identity service nodes and distributed identity clients. The federation distributed identity ledger stores the federation digital identity information of the distributed network entities in the federation (personnel, devices, enterprises and organisations); a consensus mechanism and a privacy protection mechanism ensure that this information is stored and shared securely, and the ledger supplies federation digital identity information to the service nodes above it. A federation distributed identity service node is the bridge between the ledger and the distributed identity clients: it receives identity management or authentication requests from the clients of distributed network entities and, using the ledger, writes, queries and marks federation distributed digital identities. A distributed identity client provides local management of the federation distributed digital identity for a distributed heterogeneous network entity and stores that identity in the identity wallet built into the client. The system implements full life-cycle management of federation digital identity credentials (issuance, verification, update and revocation) and on that basis provides cross-domain, federation-trusted distributed identity authentication for the heterogeneous network entities in the federation.
Through the system, a distributed heterogeneous network entity controls its own federation distributed digital identity within the federation, actively prevents identity privacy leaks, and obtains uniform, secure cross-domain identity authentication across the different application scenarios in the federation.
According to an embodiment of the invention, as shown in Figure 2, a federation distributed identity identifier is designed for the distributed heterogeneous network entities in the federation (people, devices, enterprises and organisations); within the federation it is globally unique, easily extensible and highly reliable. A distributed heterogeneous network entity generates its federation distributed identity identifier through its distributed identity client and requests registration, verification, update and revocation of the identifier from the federation distributed identity service nodes, so that it controls the complete life cycle of its identifier itself and actively prevents disclosure of identity privacy.
(1.1) Generation of the federation distributed identity identifier. Through its distributed identity client, the distributed network entity selects the federation identity type according to the client type; it then generates, for the selected type, the fixed header ConsortiumID, a random string RandomString, and a public/private key pair (pk, sk) associated with them, where pk is the public key and sk the private key, and combines them into the federation distributed identity identifier { <ConsortiumID:Type:RandomString>, pk }. Finally the generated identifier is stored in the client's built-in identity wallet.
(1.2) Registration of the federation distributed identity identifier.
(1.2.1) Through its distributed identity client, the distributed network entity takes the federation distributed identity identifier out of the client's identity wallet, hashes it to produce the identifier's information digest, and attaches a timestamp; it then signs the digest and the timestamp with its own private key sk, producing the signature associated with the identifier; the signature and the identifier taken from the wallet are sent to a federation distributed identity service node as the parameters of the registration request.
(1.2.2) On receiving the registration request, the service node verifies the signature in the request with the public key pk extracted from the identifier carried in the request. If the signature verifies, the node stores the identifier in the federation distributed identity ledger through the consensus mechanism; otherwise registration fails. Because the ledger holds nothing for a new identifier, this check can only use the key carried in the request: it establishes that the requester possesses the private key matching pk, and nothing further about the requester.
(1.3) Verification of the federation distributed identity identifier.
(1.3.1) Through its distributed identity client, the distributed network entity hashes its federation distributed identity identifier to produce the information digest H and attaches a timestamp; it signs H and the timestamp with its own private key, producing the signature associated with the identifier; it then sends a verification request carrying that signature and the identifier to a federation distributed identity service node.
(1.3.2) On receiving the verification request, the service node first looks up the requesting entity's federation distributed identity identifier on the federation distributed identity ledger and extracts the public key pk recorded there; it verifies the signature in the request with that pk, stores the verification result on the ledger through the consensus mechanism so that other distributed network entities can query it, and returns the result to the requesting entity. Unlike registration, the key used here comes from the ledger record, not from the request.
(1.4) Update of the federation distributed identity identifier.
(1.4.1) Through its distributed identity client, the distributed network entity first generates a new federation distributed identity identifier, hashes it to produce the new identifier's information digest, and attaches a timestamp; it then signs the digest and the timestamp with the private key corresponding to the old identifier, producing the signature S; it sends an update request carrying the old identifier, the new identifier and S to a federation distributed identity service node.
(1.4.2) On receiving the update request, the service node looks up the old identifier on the federation distributed identity ledger and extracts the corresponding public key pk; it verifies S with that pk. If S verifies, the node stores the new identifier on the ledger through the consensus mechanism, marks the old identifier unavailable, and notifies the requesting entity to store the new identifier in the identity wallet of its distributed identity client and delete the old one; otherwise the update fails. Since S is produced with the old private key, only the current controller of the old identifier can rotate it to a new one.
(1.5) Revocation of the federation distributed identity identifier.
(1.5.1) Through its distributed identity client, the distributed network entity takes the federation distributed identity identifier to be revoked out of the identity wallet, hashes it to produce its information digest, and attaches a timestamp; it then signs the digest and the timestamp with its own private key, producing the signature associated with the identifier to be revoked; it sends a revocation request carrying that signature and the identifier to be revoked to a federation distributed identity service node.
(1.5.2) On receiving the revocation request, the service node looks up the identifier to be revoked on the federation distributed identity ledger and extracts its public key; it verifies the signature in the request with that key and, if it verifies, marks the identifier on the ledger as revoked. It also notifies the requesting entity to delete the revoked identifier from the identity wallet of its distributed identity client.
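The identifier life cycle of (1.1) to (1.5), as an added example that is not part of the patent: a Go sketch of the client side (identifier generation, digest, signature) and the service-node side (register, verify, update, revoke) against an in-memory stand-in for the federation ledger. The patent fixes neither the hash, the signature scheme, the digest encoding nor the consensus mechanism; SHA-256 over `identifier|pk|timestamp`, Ed25519 and a plain map are assumptions here, as is the five-minute freshness window `maxSkew` (the patent attaches a timestamp to every request but does not say how a node checks it), and `consortiumA`/`device` are constructed sample values. The point the code makes is which key each step verifies with: registration can only use the key inside the request, so it proves possession of that key and nothing more, while verification, update and revocation must take the key from the ledger record, and an update is signed with the old key over the new identifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// DID is the federation identifier of step (1.1): fixed header, identity type, random string, public key.
type DID struct {
	ConsortiumID, Type, Random string
	Pub                        ed25519.PublicKey
}

// ID renders the <ConsortiumID:Type:RandomString> part that names the entity.
func (d DID) ID() string { return "<" + d.ConsortiumID + ":" + d.Type + ":" + d.Random + ">" }

// NewDID generates an identifier and its key pair; the private key stays in the wallet.
func NewDID(consortium, typ string) (DID, ed25519.PrivateKey) {
	var r [16]byte
	rand.Read(r[:])
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return DID{consortium, typ, fmt.Sprintf("%x", r[:]), pub}, priv
}

// Digest is the "information digest plus timestamp" that every request signs (assumed encoding).
func Digest(d DID, ts int64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%d", d.ID(), d.Pub, ts)))
	return sum[:]
}

// Entry is a ledger record; Status is active, superseded or revoked.
type Entry struct {
	DID    DID
	Status string
}

// Ledger stands in for the federation ledger; consensus is out of scope here.
type Ledger struct{ Entries map[string]*Entry }

// maxSkew is an assumed freshness window; the patent never says how a node checks the timestamp.
const maxSkew = 5 * time.Minute

// verify checks freshness, then the signature under the key the caller resolved.
func verify(pub ed25519.PublicKey, digest, sig []byte, ts int64) bool {
	skew := time.Since(time.Unix(ts, 0))
	return skew > -maxSkew && skew < maxSkew && ed25519.Verify(pub, digest, sig)
}

// Register (1.2.2) can only use the key carried in the request, since the
// ledger holds nothing yet: it proves possession of that key and nothing more.
func (l *Ledger) Register(d DID, ts int64, sig []byte) error {
	if _, dup := l.Entries[d.ID()]; dup {
		return errors.New("identifier already registered")
	}
	if !verify(d.Pub, Digest(d, ts), sig, ts) {
		return errors.New("stale timestamp or bad signature")
	}
	l.Entries[d.ID()] = &Entry{DID: d, Status: "active"}
	return nil
}

// Verify (1.3.2): the public key comes from the ledger, never from the request.
func (l *Ledger) Verify(id string, ts int64, sig []byte) (bool, error) {
	e, ok := l.Entries[id]
	if !ok || e.Status != "active" {
		return false, errors.New("unknown or inactive identifier")
	}
	return verify(e.DID.Pub, Digest(e.DID, ts), sig, ts), nil
}

// Retire is Update (1.4.2) when a replacement is given and Revoke (1.5.2) when not. The request
// is signed with the OLD ledger key, for an update over the NEW identifier; the old record is marked, never deleted.
func (l *Ledger) Retire(id string, ts int64, sig []byte, replacement *DID) error {
	e, ok := l.Entries[id]
	if !ok || e.Status != "active" {
		return errors.New("unknown or inactive identifier")
	}
	signed, status := e.DID, "revoked"
	if replacement != nil {
		signed, status = *replacement, "superseded"
	}
	if !verify(e.DID.Pub, Digest(signed, ts), sig, ts) {
		return errors.New("stale timestamp or bad signature")
	}
	if replacement != nil {
		l.Entries[replacement.ID()] = &Entry{DID: *replacement, Status: "active"}
	}
	e.Status = status
	return nil
}

func main() {
	l, ts := &Ledger{Entries: map[string]*Entry{}}, time.Now().Unix()
	d, sk := NewDID("consortiumA", "device")
	fmt.Println(l.Register(d, ts, ed25519.Sign(sk, Digest(d, ts))), l.Entries[d.ID()].Status)
}
```

The status values active, superseded and revoked stand for the ledger marks ("unavailable", "revoked") the patent describes: a record is never removed from the ledger, only marked, which is what lets other entities query an identifier's history, and the duplicate check in Register is what stops a second registration from overwriting an existing record's key.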
According to an embodiment of the invention, the block chain-based alliance trust distributed identity certificate management authentication method provided by the invention performs full life-cycle management of federation digital identity credentials (issuance, verification, update and revocation) with three roles: a network entity in the federation that can issue digital identity credentials is a credential issuer, one that verifies the authenticity of digital identity credentials is a credential verifier, and one that holds digital identity credentials is a credential holder. A federation digital identity credential is a set of identity attributes of a distributed network entity bound to its federation distributed identity identifier, which lets the entity take part in distributed cross-domain identity authentication across the different application scenarios in the federation. A credential is generated by assigning attribute values according to a federation digital identity credential definition. The data structure of that definition has three parts: credential metadata CredentialMetadata, attribute set Claims, and issuer signature information Proofs:
{ CredentialMetadata: { credentialName, issuanceDate, expireDate, issuer }, Claims: { claim1, ..., claimN }, Proofs: { signatureValue, signatureAlgorithm, createdTime } }
The metadata comprises the credential name credentialName, the issuance date issuanceDate, the expiration date expireDate, the credential issuer issuer, and so on; the issuer signature information comprises the signature value signatureValue, the signature algorithm signatureAlgorithm, the signature creation time createdTime, and so on.
Before the distributed identity clients of the credential issuer, holder and verifier interact, each completes generation and registration of its own federation distributed identity identifier according to (1). The method then comprises the following steps:
(2.1) Issuance of the federation digital identity credential
(2.1.1) Through its distributed identity client, the distributed network entity sends a request to a federation distributed identity service node to query the credential issuer's ledger identity information, in order to obtain the federation distributed identity identifier and the federation digital identity credential definition that the issuer has stored on the federation distributed identity ledger.
(2.1.2) The service node receives the query, searches the ledger and, if the issuer's federation distributed identity identifier and credential definition are found there, returns them to the distributed identity client that sent the query.
(2.1.3) Having received the issuer's identifier and credential definition from the ledger, the entity's distributed identity client sends a credential issuance request to the issuer's distributed identity client. The issuer receives the request and verifies the federation distributed identity identifier of the requesting entity; if it verifies, the issuer creates a federation digital identity credential for the entity based on the credential definition the issuer holds and sends it to the entity's distributed identity client.
(2.1.4) The requesting entity's distributed identity client receives the federation digital identity credential, verifies its authenticity against the credential definition obtained from the ledger, and stores it in the client's identity wallet if verification passes.
(2.2) Verification of the federation digital identity credential:
(2.2.1) Through its distributed identity client, the credential holder first asks a federation distributed identity service node for the ledger's verification result for the credential verifier's federation distributed identity identifier and for whether that identifier carries a revocation mark. The service node receives the query, searches the federation distributed identity ledger and, if the verification result and revocation status of the verifier's identifier are found, returns them to the holder's distributed identity client.
(2.2.2) If the query result shows that the verifier's identifier has verified successfully and is not revoked, the holder takes the corresponding federation digital identity credential out of its built-in identity wallet, creates a credential proof from it, and sends a verification request carrying the proof to the verifier's distributed identity client.
(2.2.3) The verifier's distributed identity client receives the verification request and first verifies the holder's federation distributed identity identifier. If that verifies, it extracts the credential proof from the request and queries the federation distributed identity ledger for the corresponding credential definition; it then verifies the authenticity of the credential proof against that definition. If the proof verifies, the verifier confirms that the holder that sent the request is legitimate and grants it the corresponding access rights; otherwise the holder is illegitimate and access service is refused.
(2.3) Update of the federation digital identity credential
(2.3.1) Through its distributed identity client, the credential issuer first generates a new federation digital identity credential definition, stores it in its identity wallet and takes out the old definition; it hashes the new definition to produce the new definition's information digest and attaches a timestamp; it then signs the digest and the timestamp with the private key generated together with its federation distributed identity identifier in step (1.1), producing the signature associated with the new definition; it sends an update request carrying that signature, the new definition's information digest, the new definition and the old definition to a federation distributed identity service node.
(2.3.2) The service node receives the update request, obtains the public key from the issuer's federation distributed identity identifier stored on the federation distributed identity ledger, and verifies the signature in the request with it. If the signature verifies, the node stores the new credential definition on the ledger through the consensus mechanism, completing the definition update, and sends a credential update notification to the distributed identity client of each credential holder that needs updating.
(2.3.3) The holder's distributed identity client receives the update notification, queries the updated credential definition on the ledger through a federation distributed identity service node, and sends a credential update request to the issuer's distributed identity client.
(2.3.4) The issuer's distributed identity client receives the credential update request and first verifies the holder's federation distributed identity identifier. If it verifies, the issuer creates a new federation digital identity credential based on the updated credential definition and sends it to the holder's distributed identity client. The holder's client receives the new credential, verifies its authenticity against the updated definition it queried, and stores the new credential in its identity wallet if verification passes; if verification fails, the credential update fails.
(2.4) Revocation of the federation digital identity credential
(2.4.1) Revocation by expiry: the federation digital identity credential carries a validity-period attribute; once the validity period is exceeded the credential is automatically revoked, and the holder's distributed identity client automatically deletes it from the built-in identity wallet.
(2.4.2) Revocation by the issuer: through its distributed identity client, the credential issuer sends a revocation request carrying the federation digital identity credential definition to be revoked to a federation distributed identity service node. The service node receives the request and verifies the issuer's federation distributed identity identifier; if it verifies, the node marks the definition on the federation distributed identity ledger as revoked through the consensus mechanism and returns the revocation result to the issuer's distributed identity client, and the issuer deletes the credential definition from its client itself.
According to another embodiment of the invention, a method is further provided by which a distributed heterogeneous network entity in the federation obtains cross-domain identity authentication across different application scenarios in the federation. It specifically comprises the following steps:
(3.1) Distributed digital identity generation: through its distributed identity client, the distributed network entity first generates its own federation distributed identity identifier, which mainly comprises the fixed header ConsortiumID, a random string RandomString, and an associated public/private key pair (pk, sk), pk being the public key and sk the private key. It hashes the identifier to produce the identifier's information digest and attaches a timestamp; it signs the digest and the timestamp with its own private key, producing the signature associated with the identifier; and it sends that signature and the identifier to a federation distributed identity service node.
(3.2) Federation digital identity credential generation: a distributed network entity acting as credential issuer hashes its federation digital identity credential definition through its distributed identity client to produce the definition's information digest and attaches a timestamp; it signs the digest and the timestamp with the private key from its distributed digital identity generation, producing the signature associated with the definition; and it sends that signature and the definition to a federation distributed identity service node. The issuer will issue federation digital identity credentials to distributed network entities based on this definition.
(3.3) Federation digital identity block generation: having received each distributed network entity's identifier signature and credential-definition signature, the federation distributed identity service node verifies the received signatures; if they verify, it generates a new block from the received federation distributed identity identifiers and credential definitions, broadcasts it to the whole network, and stores the identifiers and definitions on the federation distributed identity ledger through the consensus mechanism.
(3.4) Federation digital identity authentication: a distributed network entity, acting as holder of a federation digital identity credential, applies for access to an application system. The system's credential verifier first verifies the federation distributed identity identifier of the requesting entity, then queries the federation distributed identity ledger for the definition of the credential that entity presents, and verifies the presented credential against that definition. Once the identity is verified, the entity obtains access to the application system.
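The credential structure and life cycle of (2.1) to (2.4) and the credential check of (3.4), as an added example that is not part of the patent: Go code for issuing a credential from a ledger definition and for the verifier's check, which is the same check the holder runs at (2.1.4), the verifier at (2.2.3) and the application system at (3.4). The signing input (the metadata and claims as JSON), the rule that the claim set must equal the definition's attribute set, Ed25519, the base64 proof encoding and the in-memory ledger (issuer identifier to public key, credential name to definition) are assumptions; the patent names the fields but fixes none of the encodings. Revocation by the issuer (2.4.2) is modelled as the definition's `Revoked` mark on the ledger, and expiry-based revocation (2.4.1) as the validity-period check. The `EmployeeBadge` definition, the issuer identifier and the claim values are constructed sample data. The credential proof of (2.2.2) and the verification of the holder's own identifier are not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Metadata, Claims and Proofs are the three parts of the patent's credential structure.
type Metadata struct {
	CredentialName string `json:"credentialName"`
	IssuanceDate   int64  `json:"issuanceDate"`
	ExpireDate     int64  `json:"expireDate"`
	Issuer         string `json:"issuer"` // the issuer's federation identifier
}
type Proofs struct {
	SignatureValue     string `json:"signatureValue"`
	SignatureAlgorithm string `json:"signatureAlgorithm"`
	CreatedTime        int64  `json:"createdTime"`
}
type Credential struct {
	Metadata Metadata          `json:"credentialMetadata"`
	Claims   map[string]string `json:"claims"`
	Proofs   Proofs            `json:"proofs"`
}

// Definition is the issuer's ledger entry for a credential name; Revoked is the (2.4.2) mark set by the issuer.
type Definition struct {
	Name, Issuer string
	Attrs        []string
	Revoked      bool
}

// Ledger holds issuer identifiers (id -> public key) and definitions; consensus is out of scope.
type Ledger struct {
	Keys map[string]ed25519.PublicKey
	Defs map[string]Definition
}

// signedBytes is the assumed signing input: metadata and claims as JSON, whose sorted map keys make it deterministic.
func signedBytes(c Credential) []byte {
	b, _ := json.Marshal(struct {
		M Metadata          `json:"credentialMetadata"`
		C map[string]string `json:"claims"`
	}{c.Metadata, c.Claims})
	return b
}

// attrsMatch requires the claim set to be exactly the definition's attribute set.
func attrsMatch(def Definition, claims map[string]string) bool {
	for _, a := range def.Attrs {
		if _, ok := claims[a]; !ok {
			return false
		}
	}
	return len(claims) == len(def.Attrs)
}

// Issue (2.1.3): the issuer assigns the definition's attributes, sets the validity period and signs.
func Issue(def Definition, key ed25519.PrivateKey, claims map[string]string, now time.Time, ttl time.Duration) (Credential, error) {
	if !attrsMatch(def, claims) {
		return Credential{}, errors.New("claims do not match the credential definition")
	}
	c := Credential{Metadata: Metadata{def.Name, now.Unix(), now.Add(ttl).Unix(), def.Issuer}, Claims: claims}
	c.Proofs = Proofs{base64.StdEncoding.EncodeToString(ed25519.Sign(key, signedBytes(c))), "Ed25519", now.Unix()}
	return c, nil
}

// Verify (2.1.4, 2.2.3, 3.4): definition and issuer key are resolved from the ledger, never taken
// from the credential; then revocation status, validity period, attribute set and signature are checked.
func (l Ledger) Verify(c Credential, now time.Time) error {
	def, ok := l.Defs[c.Metadata.CredentialName]
	switch {
	case !ok || def.Revoked:
		return errors.New("credential definition unknown or revoked")
	case def.Issuer != c.Metadata.Issuer:
		return errors.New("issuer does not match the definition")
	case now.Unix() < c.Metadata.IssuanceDate || now.Unix() >= c.Metadata.ExpireDate:
		return errors.New("outside validity period")
	case !attrsMatch(def, c.Claims):
		return errors.New("attribute set differs from the definition")
	}
	pk, ok := l.Keys[def.Issuer]
	sig, err := base64.StdEncoding.DecodeString(c.Proofs.SignatureValue)
	if !ok || err != nil || c.Proofs.SignatureAlgorithm != "Ed25519" || !ed25519.Verify(pk, signedBytes(c), sig) {
		return errors.New("issuer signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	def := Definition{Name: "EmployeeBadge", Issuer: "<consortiumA:org:hr>", Attrs: []string{"name", "department"}}
	l := Ledger{Keys: map[string]ed25519.PublicKey{def.Issuer: pub}, Defs: map[string]Definition{def.Name: def}}
	c, _ := Issue(def, priv, map[string]string{"name": "alice", "department": "secops"}, time.Now(), time.Hour)
	fmt.Println("verify:", l.Verify(c, time.Now()))
}
```

The order of the checks is deliberate: the definition lookup and its revocation mark come first, so that a credential under an unknown or revoked definition fails before any key material is consulted, and the issuer key is always the one the ledger records for the issuer named in the definition, never a key carried inside the credential. Revoking a definition therefore invalidates every credential issued under it without touching the holders' wallets, which is the ledger-side half of (2.4.2).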
Although illustrative embodiments of the invention have been described above to help those skilled in the art understand it, the invention is not limited to the scope of those embodiments. Various changes will be apparent to those skilled in the art, and every inventive concept that uses the ideas set forth here is intended to be protected, provided it does not depart from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A block chain-based alliance trust distributed identity certificate management authentication method, characterised in that the method comprises the following steps:
(1) taking a network entity in the federation that can issue digital identity credentials as a credential issuer, a network entity in the federation that verifies the authenticity of digital identity credentials as a credential verifier, and a network entity in the federation that holds digital identity credentials as a credential holder; the federation digital identity credential being a set of identity attributes of a distributed network entity bound to its federation distributed identity identifier, which lets the distributed network entity take part in distributed cross-domain identity authentication across different application scenarios in the federation; and generating the federation digital identity credential by assigning attribute values according to the federation digital identity credential definition;
(2) managing the full life cycle of the federation digital identity credential, specifically comprising:
(2.1) issuing the federation digital identity credential;
(2.2) verifying the federation digital identity credential;
(2.3) updating the federation digital identity credential;
(2.4) revoking the federation digital identity credential;
wherein step (2.1), issuing the federation digital identity credential, specifically comprises:
(2.1.1) the distributed network entity sending, through a distributed identity client, a request to a federation distributed identity service node to query the credential issuer's ledger identity information, in order to obtain the federation distributed identity identifier and the federation digital identity credential definition that the credential issuer has stored on the federation distributed identity ledger;
(2.1.2) the federation distributed identity service node receiving the query, searching the federation distributed identity ledger and, if the credential issuer's federation distributed identity identifier and federation digital identity credential definition are found there, returning them to the distributed identity client that sent the query;
(2.1.3) the distributed network entity's distributed identity client, having received the credential issuer's federation distributed identity identifier and federation digital identity credential definition from the ledger, sending a credential issuance request to the credential issuer's distributed identity client; the credential issuer receiving the request and verifying the federation distributed identity identifier of the requesting distributed network entity and, if it verifies, creating a federation digital identity credential for the distributed network entity based on the federation digital identity credential definition the issuer holds and sending it to the distributed network entity's distributed identity client;
(2.1.4) the distributed identity client of the distributed network entity that requested issuance receiving the federation digital identity credential, verifying its authenticity against the federation digital identity credential definition obtained from the ledger, and storing it in the client's identity wallet if verification passes.
2. The block chain-based alliance trust distributed identity certificate management authentication method of claim 1, further comprising:
the data structure of the alliance digital identity certificate definition comprises three parts, credential metadata (CredentialMetadata), a set of attribute claims (Claims), and certificate issuer signature information (Proofs): { CredentialMetadata: { credentialName, issuanceDate, expireDate, Issuer }, Claims: { claim1, ..., claimN }, Proofs: { signatureValue, signatureAlgorithm, createdTime } },
where the metadata comprises the certificate name (credentialName), the issuance date (issuanceDate), the expiration date (expireDate), the certificate issuer (Issuer) and the like; the certificate issuer signature information comprises the signature value (signatureValue), the signature algorithm (signatureAlgorithm), the signature creation time (createdTime) and the like; before the distributed identity clients of the certificate issuer, holder and verifier interact, each completes the generation and registration of its alliance distributed identity identifier in accordance with the identity certificate definition.
3. The block chain-based alliance trust distributed identity certificate management authentication method of claim 1, further comprising: the step (2.2) of verifying the alliance digital identity certificate specifically comprises the following steps:
(2.2.1) the certificate holder first sends, through its distributed identity client, a request to the alliance distributed identity service node for the verification result of the certificate verifier's distributed identity identifier on the alliance distributed identity ledger and for its revocation mark; the alliance distributed identity service node receives the query request and queries the alliance distributed identity ledger, and if the verification result and the revocation mark of the certificate verifier's distributed identity identifier are found on the ledger, it sends the query result to the distributed identity client of the certificate holder;
(2.2.2) if the received query result shows that the verification of the certificate verifier's distributed identity identifier passed and that it has not been revoked, the certificate holder retrieves the corresponding alliance digital identity certificate from its built-in identity wallet, prepares the certificate to be presented from it, and sends a verification request carrying that certificate to the distributed identity client of the certificate verifier;
(2.2.3) the distributed identity client of the certificate verifier receives the verification request and first verifies the alliance distributed identity identifier of the certificate holder; if that verification passes, it extracts the alliance digital identity certificate from the verification request and at the same time queries the alliance digital identity certificate definition on the alliance distributed identity ledger; it then verifies the authenticity of the certification of the alliance digital identity certificate against the queried definition, and if the verification passes, the certificate verifier confirms that the certificate holder that sent the verification request is legitimate and grants it the corresponding access authority; otherwise the holder is treated as illegitimate and access service is refused.
4. The block chain-based alliance trust distributed identity certificate management authentication method of claim 1, further comprising: the step (2.3) of updating the alliance digital identity certificate specifically comprises the following steps:
(2.3.1) the certificate issuer first generates a new alliance digital identity certificate definition through its distributed identity client, stores it in the issuer's identity wallet, and at the same time retrieves the old alliance digital identity certificate definition; it then hashes the new alliance digital identity certificate definition to produce a new-definition information digest and appends a timestamp; it then signs the new-definition information digest and the appended timestamp with the private key of the alliance distributed identity identifier generated in step (1.1), producing a signature related to the new alliance digital identity certificate definition; and it sends an update request carrying the new-definition signature, the new-definition information digest, the new alliance digital identity certificate definition and the old alliance digital identity certificate definition to the alliance distributed identity service node;
(2.3.2) the alliance distributed identity service node receives the update request, obtains the public key stored in the certificate issuer's alliance distributed identity identifier on the alliance distributed identity ledger, and checks the signature information in the update request; if the signature check passes, the alliance distributed identity service node saves the new alliance digital identity certificate definition to the alliance distributed identity ledger through the consensus mechanism, completing the update of the alliance digital identity certificate definition, and sends a certificate update notice to the distributed identity client of each certificate holder to be updated;
(2.3.3) the distributed identity client of the certificate holder to be updated receives the update notice, queries the updated digital identity certificate definition on the alliance distributed identity ledger through the alliance distributed identity service node, and sends a certificate update request to the distributed identity client of the certificate issuer;
(2.3.4) the distributed identity client of the certificate issuer receives the certificate update request and first verifies the distributed identity identifier of the certificate holder to be updated; if the verification passes, the certificate issuer creates a new alliance digital identity certificate based on the updated alliance digital identity certificate definition, and its distributed identity client sends the new alliance digital identity certificate to the distributed identity client of the certificate holder to be updated; that client receives the new alliance digital identity certificate, verifies its authenticity against the queried new alliance digital identity certificate definition and, if the verification passes, stores the received certificate in the holder's identity wallet; if the verification fails, the certificate update fails.
5. The block chain-based alliance trust distributed identity certificate management authentication method of claim 1, further comprising: the revocation of the alliance digital identity certificate in step (2.4) specifically comprises the following steps:
(2.4.1) a validity-period attribute is set in the alliance digital identity certificate; once the validity period is exceeded, the certificate is revoked automatically, and the distributed identity client of the certificate holder automatically deletes the alliance digital identity certificate from its built-in identity wallet;
(2.4.2) the certificate issuer sends, through its distributed identity client, a revocation request carrying the alliance digital identity certificate definition to be revoked to the alliance distributed identity service node; the alliance distributed identity service node receives the revocation request and verifies the distributed identity identifier of the certificate issuer; if the verification passes, it marks the digital identity certificate definition to be revoked on the alliance distributed identity ledger as revoked through the consensus mechanism and at the same time sends the revocation result to the distributed identity client of the certificate issuer, and the certificate issuer itself deletes the alliance digital identity certificate definition at its distributed identity client.
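The certificate structure of claim 2 together with the verification checks of claim 3 and the revocation rules of claim 5, worked through as an added Go example written for this page; it is not the patent's implementation. It assumes Ed25519 over a SHA-256 digest of the canonical JSON encoding as the signature scheme, an in-memory `Ledger` standing in for the alliance distributed identity ledger, and a `DefinitionRecord` shape for what the ledger stores per definition; the patent fixes none of these. The DIDs, dates and claims in `main` are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// The three parts of the claim-2 data structure: CredentialMetadata, Claims and Proofs.
type CredentialMetadata struct {
	CredentialName string `json:"credentialName"`
	IssuanceDate   int64  `json:"issuanceDate"` // Unix seconds
	ExpireDate     int64  `json:"expireDate"`
	Issuer         string `json:"issuer"` // the issuer's alliance DID
}
type Proofs struct {
	SignatureValue     []byte `json:"signatureValue"`
	SignatureAlgorithm string `json:"signatureAlgorithm"`
	CreatedTime        int64  `json:"createdTime"`
}
type Credential struct {
	Metadata CredentialMetadata `json:"credentialMetadata"`
	Claims   map[string]string  `json:"claims"`
	Proofs   *Proofs            `json:"proofs,omitempty"`
}

// DefinitionRecord is an assumed ledger entry per definition: issuer DID, its key, revoked mark (2.4.2).
type DefinitionRecord struct {
	Issuer    string
	PublicKey ed25519.PublicKey
	Revoked   bool
}

// Ledger is an in-memory stand-in for the alliance distributed identity ledger.
type Ledger struct {
	Definitions map[string]*DefinitionRecord // keyed by credentialName
	VerifiedDID map[string]bool              // DID -> verification passed and not revoked
}

// signedBytes is what the issuer signs: metadata and claims with Proofs removed.
// encoding/json keeps struct field order and sorts map keys, so the encoding is canonical.
func signedBytes(c Credential) ([]byte, error) {
	c.Proofs = nil
	return json.Marshal(c)
}

// Issue builds a certificate from its definition and signs SHA-256(metadata||claims).
func Issue(priv ed25519.PrivateKey, meta CredentialMetadata, claims map[string]string, now int64) (Credential, error) {
	c := Credential{Metadata: meta, Claims: claims}
	b, err := signedBytes(c)
	if err != nil {
		return Credential{}, err
	}
	h := sha256.Sum256(b)
	c.Proofs = &Proofs{SignatureValue: ed25519.Sign(priv, h[:]), SignatureAlgorithm: "Ed25519-SHA256", CreatedTime: now}
	return c, nil
}

// Verify is step (2.2.3) plus the validity-period rule of (2.4.1): check the holder's DID on the ledger,
// fetch the definition, refuse revoked definitions and expired certificates, then check the issuer signature.
func Verify(l *Ledger, holderDID string, c Credential, now int64) error {
	def, ok := l.Definitions[c.Metadata.CredentialName]
	switch {
	case !l.VerifiedDID[holderDID]:
		return errors.New("holder DID not verified on ledger")
	case !ok:
		return errors.New("no certificate definition on ledger")
	case def.Revoked:
		return errors.New("certificate definition revoked")
	case def.Issuer != c.Metadata.Issuer:
		return errors.New("issuer does not match ledger definition")
	case now > c.Metadata.ExpireDate:
		return errors.New("certificate past its validity period")
	case c.Proofs == nil:
		return errors.New("missing proofs")
	}
	b, err := signedBytes(c)
	if err != nil {
		return err
	}
	h := sha256.Sum256(b)
	if !ed25519.Verify(def.PublicKey, h[:], c.Proofs.SignatureValue) {
		return errors.New("issuer signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{Definitions: map[string]*DefinitionRecord{"MemberCredential": {Issuer: "ALLIANCE-A:issuer", PublicKey: pub}},
		VerifiedDID: map[string]bool{"ALLIANCE-A:holder": true}} // constructed ledger state
	c, _ := Issue(priv, CredentialMetadata{"MemberCredential", 1000, 5000, "ALLIANCE-A:issuer"}, map[string]string{"role": "operator"}, 1000)
	fmt.Println("fresh:", Verify(l, "ALLIANCE-A:holder", c, 2000))
	fmt.Println("expired:", Verify(l, "ALLIANCE-A:holder", c, 6000))
	l.Definitions["MemberCredential"].Revoked = true // step (2.4.2): the ledger marks the definition revoked
	fmt.Println("revoked:", Verify(l, "ALLIANCE-A:holder", c, 2000))
}
```

The verifier resolves the issuer key through the definition record on the ledger rather than trusting any key carried with the certificate, and the definition's revoked mark and the certificate's own validity period are checked before the signature, so a revoked or expired certificate is refused even when its signature is intact. Step (2.2.1), the holder's pre-check of the verifier's identifier, is the same `VerifiedDID` lookup applied to the verifier's DID.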
6. A cross-domain identity authentication method for distributed heterogeneous network entities in an alliance, across different application scenarios within the alliance, characterized by comprising the following steps:
(1) distributed digital identity generation: the distributed network entity first generates its own alliance distributed identity identifier through a distributed identity client, the alliance distributed identity identifier mainly comprising a fixed header ConsortiumID, a random string RandomString, and an associated public-private key pair (pk, sk), where pk denotes the public key and sk the private key; it hashes the alliance distributed identity identifier to produce an information digest of the identifier and appends a timestamp; it then signs the information digest and the appended timestamp with the private key of the alliance distributed identity identifier, producing a signature related to the alliance distributed identity identifier, and sends the generated signature together with the alliance distributed identity identifier to an alliance distributed identity service node;
(2) alliance digital identity certificate generation: the distributed network entity acting as certificate issuer hashes the alliance digital identity certificate definition through its distributed identity client, producing an information digest of the definition, and appends a timestamp; it then signs the definition information digest and the appended timestamp with the private key from the distributed digital identity identifier generation process, producing a signature related to the alliance digital identity certificate definition; it then sends the generated signature together with the alliance digital identity certificate definition to the alliance distributed identity service node; the certificate issuer issues alliance digital identity certificates to distributed network entities based on that digital identity certificate definition;
(3) alliance digital identity block generation: after receiving the alliance distributed identity identifier signature and the alliance digital identity certificate definition signature of each distributed network entity, the alliance distributed identity service node verifies the received signatures; if the verification passes, it generates a new block from the received alliance distributed identity identifiers and alliance digital identity certificate definitions, broadcasts it to the whole network, and stores the received identifiers and definitions in the alliance distributed identity ledger through a consensus mechanism;
(4) alliance digital identity authentication: a distributed network entity, as holder of an alliance digital identity certificate, applies to access an application system; the system's alliance digital identity certificate authenticator first verifies the alliance digital identity identifier of the distributed network entity applying for access, then queries and obtains that entity's digital identity certificate definition on the alliance distributed identity ledger and verifies the information of the alliance digital identity certificate it presents, thereby completing authentication of the user identity and granting access to the application system.
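Steps (1) to (3) of claim 6, and the definition update of (2.3.1) and (2.3.2), as an added Go example that is not the patent's code: a client builds a ConsortiumID:RandomString identifier with an Ed25519 key pair, hashes the payload, appends a timestamp and signs digest||timestamp; the service node recomputes the digest from the payload, bounds the timestamp, and verifies the signature before writing. The `Registration` message layout, the `ServiceNode` ledger view, the 300-second timestamp window, the "ALLIANCE-A" header and the definition documents are assumptions, and consensus among nodes is reduced to a direct write.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ConsortiumDID is the claimed identifier: header ConsortiumID, RandomString, key pair (pk, sk).
type ConsortiumDID struct {
	ConsortiumID string
	RandomString string
	PublicKey    ed25519.PublicKey
	privateKey   ed25519.PrivateKey // stays in the client's wallet
}

func (d *ConsortiumDID) ID() string { return d.ConsortiumID + ":" + d.RandomString }

func NewConsortiumDID(consortiumID string) (*ConsortiumDID, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	rnd := make([]byte, 16)
	if _, rerr := rand.Read(rnd); err != nil || rerr != nil {
		return nil, errors.New("entropy source unavailable")
	}
	return &ConsortiumDID{consortiumID, fmt.Sprintf("%x", rnd), pub, priv}, nil
}

// Registration is the request sent to the service node for a DID (step (1)) or a
// certificate definition (step (2); updates per (2.3.1)). The layout is assumed.
type Registration struct {
	Kind      string // "did" or "definition"
	Name      string // definition name; empty for a DID
	Payload   string // the DID string, or the definition document
	Timestamp int64
	Signature []byte // over SHA-256(Payload) || Timestamp
	SignerDID string
	SignerKey ed25519.PublicKey
}

// signedInput is the byte string that is signed: the payload digest with the timestamp appended.
func signedInput(payload string, ts int64) []byte {
	digest := sha256.Sum256([]byte(payload))
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(digest[:], buf...)
}

// Sign hashes the payload, appends the timestamp and signs with the DID's private key.
func (d *ConsortiumDID) Sign(kind, name, payload string, ts int64) Registration {
	sig := ed25519.Sign(d.privateKey, signedInput(payload, ts))
	return Registration{kind, name, payload, ts, sig, d.ID(), d.PublicKey}
}

// ServiceNode models one alliance distributed identity service node and its ledger view.
type ServiceNode struct {
	DIDs        map[string]ed25519.PublicKey // registered DID -> public key
	Definitions map[string][]string          // definition name -> versions, newest last
	MaxSkew     int64                        // accepted timestamp window in seconds
}

// Accept is the node-side check of step (3), and of (2.3.2) for definition updates.
func (n *ServiceNode) Accept(r Registration, now int64) error {
	if r.Timestamp > now+n.MaxSkew || r.Timestamp < now-n.MaxSkew {
		return errors.New("timestamp outside accepted window")
	}
	var key ed25519.PublicKey
	switch r.Kind {
	case "did": // self-certifying; a registered DID is never overwritten, so its key cannot be swapped
		if r.Payload != r.SignerDID || n.DIDs[r.SignerDID] != nil {
			return errors.New("DID payload does not match signer, or DID already registered")
		}
		key = r.SignerKey
	case "definition": // checked with the key the ledger already holds for the issuer, never a carried key
		if key = n.DIDs[r.SignerDID]; key == nil {
			return errors.New("issuer DID not on ledger")
		}
	default:
		return errors.New("unknown registration kind")
	}
	if !ed25519.Verify(key, signedInput(r.Payload, r.Timestamp), r.Signature) {
		return errors.New("signature verification failed")
	}
	if r.Kind == "did" { // consensus among nodes would run here; a single node writes directly
		n.DIDs[r.SignerDID] = r.SignerKey
	} else {
		n.Definitions[r.Name] = append(n.Definitions[r.Name], r.Payload)
	}
	return nil
}

func main() {
	node := &ServiceNode{DIDs: map[string]ed25519.PublicKey{}, Definitions: map[string][]string{}, MaxSkew: 300}
	issuer, _ := NewConsortiumDID("ALLIANCE-A")
	now := int64(1700000000) // constructed clock
	fmt.Println("register DID:", node.Accept(issuer.Sign("did", "", issuer.ID(), now), now))
	fmt.Println("register definition:", node.Accept(issuer.Sign("definition", "MemberCredential", `{"version":1}`, now), now))
	fmt.Println("update definition:", node.Accept(issuer.Sign("definition", "MemberCredential", `{"version":2}`, now+10), now+10))
}
```

Two points the claim text implies but does not spell out are made explicit here: a DID registration is self-certifying and is accepted only once, so a later message cannot replace the key bound to an existing identifier; and a definition registration or update is verified with the key already on the ledger for the issuer's DID, as (2.3.2) states, never with a key carried in the request. Old definition versions stay on the ledger so that certificates issued under them can still be checked against the definition they were issued from.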
CN202011183457.2A 2020-10-29 2020-10-29 Block chain-based alliance trust distributed identity certificate management authentication method Active CN112311530B (en)

Publications (2)

Publication Number Publication Date
CN112311530A CN112311530A (en) 2021-02-02
CN112311530B true CN112311530B (en) 2022-05-10

Family

ID=74332048

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant