CN112583858B - Unified identity authentication method based on block chain PBFT algorithm - Google Patents


Info

Publication number
CN112583858B
Authority
CN
China
Prior art keywords
user
node
authentication
authority
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110000958.0A
Other languages
Chinese (zh)
Other versions
CN112583858A (en)
Inventor
陈古文
翁庄明
彭本
李秋平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Sinobest Software Technology Co ltd
Original Assignee
Guangzhou Sinobest Software Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Sinobest Software Technology Co ltd
Priority to CN202110000958.0A
Publication of CN112583858A
Application granted
Publication of CN112583858B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a unified identity authentication method based on the blockchain PBFT algorithm, which comprises the following steps: the unified authentication node applies for on-chain registration and an alliance (consortium) chain is established; user information and user authority are managed on the chain; when an application system submits an identity authentication request, the alliance chain performs verification and, once the verification passes, returns the authentication result and the authorization result. The PBFT algorithm is used throughout the authentication process, so that identity authentication is realized in a decentralized manner, tampering and hacking attacks are effectively prevented, and the information security of identity authentication is ensured.

Description

Unified identity authentication method based on block chain PBFT algorithm
Technical Field
The invention relates to the technical field of identity authentication of application systems, in particular to a block chain PBFT algorithm-based unified identity authentication method.
Background
Generally, most organizations build a unified authentication platform as follows: a central node of the authentication platform is established, a standard for a unified authentication and authorization system is formulated, and all application systems are integrated according to that standard, so that a unified identity authentication and authority authentication system is built. However, the following problems have always existed:
the centralized authentication node depends on the stability of a single system; once the centralized authentication node goes down or is attacked, an information security incident is easily caused.
The centralized authentication node is prone to user information being tampered with or forged.
In summary, the centralized authentication node is still lacking in information security, so decentralized authentication management needs to be implemented: blockchain technology is adopted to solve the trust problem between nodes, and an identity authentication mode based on decentralized nodes is adopted.
In blockchain technology, a consensus algorithm recognized by all nodes needs to be provided for the case where the nodes do not trust each other. Unified identity authentication resembles an alliance chain, being a semi-public, semi-open setting; in the original unified identity authentication it is a private chain, but new nodes can be added at the same time.
Common consensus algorithms for public chains, such as the POW (proof of work) mode adopted by Bitcoin, consume a large amount of resources on useless competition and are therefore not suitable for the unified identity authentication scenario. The Paxos-like consensus algorithms commonly used in private chains (which need agreement from a majority) can achieve optimal performance in a private chain, but are not suitable for the alliance-chain-like scenario of unified identity authentication.
In summary, the invention adopts the PBFT (Practical Byzantine Fault Tolerance) algorithm from among the blockchain consensus algorithms, and guarantees the feasibility and performance of the data synchronization algorithm between nodes by applying its state-machine replication characteristic. Meanwhile, during identity authentication, the information exchanged between nodes is protected from forgery by public-key/private-key encryption.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art that is already known to a person skilled in the art.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a unified identity authentication method based on the blockchain PBFT algorithm. It adopts a unified identity authentication mode, adds the authentication node to a unified authorization mechanism, manages identity registration information and user authority information on the chain, realizes the verification process of unified authentication in an alliance chain, and uses the PBFT algorithm throughout the authentication process, thereby preserving the characteristics of unified identity authentication and realizing identity authentication in a decentralized manner. This effectively prevents tampering and hacker attacks and ensures the information security of identity authentication.
In order to achieve the above purposes, the technical scheme adopted by the invention is as follows:
a unified identity authentication method based on the blockchain PBFT algorithm, characterized by comprising the following steps:
the authentication node applies for on-chain registration and establishes an alliance chain;
when a user registers or is adjusted, the corresponding user information and user authority are put on the chain, wherein the user information comprises: the hash value of the user name, the MD5 code of the user password, the authority information of the user, and the like;
the application system submits an identity authentication request, the alliance chain performs verification, and, once the verification passes, the authentication result and the authorization result are returned.
On the basis of the technical scheme, when the authentication node applies for on-chain registration to establish an alliance chain, a new node needs to be registered: an authentication blockchain project is deployed, and after it is started, the corresponding node information is transmitted to the certification authority for recording.
Wherein the node information includes: the MAC address of the machine, the IP address of the machine, and the identity of the alliance chain it needs to join.
Further, the interface of the certification authority receives the registration application and the authority administrator checks the qualification; if the check passes, the on-chain process continues. The certification authority stores the received registration information in a database associated with the alliance chain, and the members of the alliance chain verify whether the node is reachable, so as to ensure that the node can successfully join the chain.
After the node joins the chain, the result is recorded and returned to the certification authority for storage, and the registration result is returned to the registering node. The registered node verifies whether the connection has been established. After the registered node has been added to the alliance chain, messages are exchanged with each node through the IP addresses provided by the alliance chain.
On the basis of the technical scheme, when a new user is registered or user information is modified, the corresponding user information and user authority information are put on the chain: first, the application system registers the latest user information and user authority with the certification authority, and the certification authority sorts and records them, packs them, and sends them to the alliance chain.
Wherein the uploaded information comprises: the hash value of the user name, the MD5 code of the user password, the authority information of the user, and the like.
On the basis of the technical scheme, the alliance chain finds the node with the highest weight as calculated by the PBFT algorithm; this node is the leader elected for this record. The leader constructs a new block, broadcasts the submitted user information and user authority to the whole network, and waits for more than half of the nodes to confirm.
Wherein PBFT is an abbreviation of Practical Byzantine Fault Tolerance, meaning the practical Byzantine fault-tolerant algorithm, with message complexity O(N^2). PBFT is a state machine replication algorithm, i.e. the service is modeled as a state machine that is replicated at different nodes of the distributed system. Each replica of the state machine preserves the state of the service and also performs the operations of the service.
Wherein the replicas have two roles, primary node (primary) and backup node (backup), and all replicas move through a succession of configurations called views. The primary and backup nodes are defined relative to views, which are consecutively numbered integers. In a given view, one replica is selected as the primary node by the rule p = v mod |R|, where v is the view number, |R| is the number of replicas and p is the replica number; all nodes other than the primary are backup nodes. A view change needs to be initiated when the primary node fails. The primary node (replica 0) receives the request sent by the client C, assigns a sequence number n to the request, and then sends a PRE-PREPARE message to all backup nodes in the form <<PRE-PREPARE, v, n, d>, m>, where v is the view number, m is the request sent by the client, and d is the digest of the request message m. After receiving the message broadcast by the primary node, a backup node checks whether to accept the message, and once it accepts the message, it broadcasts a PREPARE message to the other replicas.
During broadcasting, anti-forgery between nodes uses a public key and a private key: the node packs the broadcast message by providing the public key, and the correctness of the returned message is verified by the private key. Meanwhile, a digital signature is added to the message to ensure that the node receiving the message knows who the leader is, and to prevent other nodes from forging the message.
On the basis of the technical scheme, after receiving the block to be confirmed, the other nodes check it according to the agreed consensus algorithm, and after the message is confirmed to be correct, the confirmation is returned to the leader.
Wherein the content verified according to the consensus algorithm comprises: the format, the hash value, the authority in the user information, the modification record linking to the previous hash value of the user name, and the like.
On the basis of the technical scheme, after the leader receives confirmation from more than half of the nodes, consensus has been reached with the other nodes. The user information is put into the commit state, and the statement generated from the user information is then broadcast to the whole network.
After receiving the statement, the other nodes update their local user information and user authority ledger, so that all nodes hold the same user information and user authority.
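To make the consensus step above concrete, here is an added example of the PRE-PREPARE/PREPARE exchange the text describes; it is not code from the patent or its assignee. It assumes a constructed set of four replicas, uses SHA-256 for the request digest d, and stands in HMAC-SHA256 tags (one secret key per replica) for the public-key digital signatures the text mentions, since the point is that a backup only prepares a request whose digest and primary signature check out. The `prepared` predicate uses the standard PBFT quorum of 2f matching PREPAREs beside the PRE-PREPARE, and the lead comment notes where that differs from the page's "more than half of nodes" threshold.

```python
import hashlib
import hmac
import json

# Constructed replica set: n = 4 replicas tolerates f = 1 faulty replica (n = 3f + 1).
REPLICAS = [0, 1, 2, 3]
F = (len(REPLICAS) - 1) // 3
# Per-replica secret keys stand in for the private keys the page mentions, and HMAC-SHA256
# tags stand in for digital signatures (a constructed simplification: real deployments sign
# with a private key and verify with the matching public key).
KEYS = {r: f"replica-{r}-secret".encode() for r in REPLICAS}


def canonical(obj):
    """Deterministic serialisation so every replica hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(request):
    """d: digest of the client request m."""
    return hashlib.sha256(canonical(request)).hexdigest()


def sign(replica, body):
    return hmac.new(KEYS[replica], canonical(body), hashlib.sha256).hexdigest()


def verify(replica, body, tag):
    return hmac.compare_digest(sign(replica, body), tag)


def primary_for_view(v):
    """The page's primary selection rule p = v mod |R|."""
    return v % len(REPLICAS)


def make_pre_prepare(v, n, request):
    """<<PRE-PREPARE, v, n, d>, m>; only the inner tuple is signed by the primary of view v."""
    p = primary_for_view(v)
    body = {"type": "PRE-PREPARE", "v": v, "n": n, "d": digest(request)}
    return {"body": body, "m": request, "from": p, "sig": sign(p, body)}


def accept_pre_prepare(msg, current_view, log):
    """Backup-side checks: current view, signed by that view's primary, digest d matches the
    attached m, and no different digest already logged for the same (v, n)."""
    body = msg["body"]
    if body["type"] != "PRE-PREPARE" or body["v"] != current_view:
        return False
    if msg["from"] != primary_for_view(current_view):
        return False
    if not verify(msg["from"], body, msg["sig"]):
        return False
    if body["d"] != digest(msg["m"]):
        return False
    slot = (body["v"], body["n"])
    if slot in log and log[slot] != body["d"]:
        return False
    log[slot] = body["d"]
    return True


def make_prepare(replica, body):
    """<PREPARE, v, n, d, i>, multicast by backup i once it accepts the PRE-PREPARE."""
    p = {"type": "PREPARE", "v": body["v"], "n": body["n"], "d": body["d"], "i": replica}
    return {"body": p, "sig": sign(replica, p)}


def prepared(pp_body, prepares, f=F):
    """PBFT 'prepared' predicate: the PRE-PREPARE plus 2f matching, validly signed PREPAREs from
    distinct backups. The page waits for 'more than half of nodes'; a bare majority is weaker
    than 2f + 1 of 3f + 1 once n grows (n = 7: majority 4, PBFT needs 5)."""
    voters = set()
    for p in prepares:
        b = p["body"]
        if b["type"] != "PREPARE" or b["i"] == primary_for_view(b["v"]):
            continue
        if (b["v"], b["n"], b["d"]) != (pp_body["v"], pp_body["n"], pp_body["d"]):
            continue
        if verify(b["i"], b, p["sig"]):
            voters.add(b["i"])
    return len(voters) >= 2 * f


def run_round(request, view=0, seq=1, tamper=False):
    """One PRE-PREPARE/PREPARE exchange across the replica set; returns what a monitor would log."""
    pp = make_pre_prepare(view, seq, request)
    if tamper:
        # Constructed in-transit modification: m is altered after the primary signed its digest.
        pp = {**pp, "m": {**request, "authority": "admin"}}
    logs = {r: {} for r in REPLICAS}
    prepares = [make_prepare(r, pp["body"]) for r in REPLICAS
                if r != primary_for_view(view) and accept_pre_prepare(pp, view, logs[r])]
    return {"primary": primary_for_view(view), "prepares": len(prepares),
            "prepared": prepared(pp["body"], prepares)}


if __name__ == "__main__":
    # Constructed user-information update of the kind the page puts on the chain.
    req = {"user_hash": hashlib.sha256(b"alice").hexdigest(), "authority": "reader"}
    print(run_round(req))               # honest primary: 3 PREPAREs, prepared
    print(run_round(req, tamper=True))  # digest mismatch: 0 PREPAREs, not prepared
```

The digest check is what makes the "wait for confirmation" step meaningful: a backup that skipped `d == digest(m)` would prepare whatever payload arrived, and a single altered copy of the user record would be confirmed by nodes that never saw the primary's original.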
On the basis of the technical scheme, when identity authentication is performed via alliance chain verification, the application system first sends the user name and password to the certification authority through the CAS client.
The certification authority looks up the related user information according to the received identity information, encapsulates the user information (account number and password) and sends it to the alliance chain for verification. The alliance chain finds the node with the highest weight as calculated by the PBFT algorithm; this node is the leader elected for this verification. The leader verifies the account number and password, and the verification result is broadcast to the whole network.
Wherein PBFT is an abbreviation of Practical Byzantine Fault Tolerance, meaning the practical Byzantine fault-tolerant algorithm, with message complexity O(N^2). PBFT is a state machine replication algorithm, i.e. the service is modeled as a state machine that is replicated at different nodes of the distributed system. Each replica of the state machine preserves the state of the service and also performs the operations of the service.
Wherein the replicas have two roles, primary node (primary) and backup node (backup), and all replicas move through a succession of configurations called views. The primary and backup nodes are defined relative to views, which are consecutively numbered integers. In a given view, one replica is selected as the primary node by the rule p = v mod |R|, where v is the view number, |R| is the number of replicas and p is the replica number; all nodes other than the primary are backup nodes. A view change needs to be initiated when the primary node fails. The primary node (replica 0) receives the request sent by the client C, assigns a sequence number n to the request, and then sends a PRE-PREPARE message to all backup nodes in the form <<PRE-PREPARE, v, n, d>, m>, where v is the view number, m is the request message sent by the client, and d is the digest of the request message m. After receiving the message broadcast by the primary node, a backup node checks whether to accept the message, and once it accepts the message, it broadcasts a PREPARE message to the other replicas.
During broadcasting, anti-forgery between nodes uses a public key and a private key: the node packs the broadcast message by providing the public key, and the correctness of the returned message is verified by the private key. Meanwhile, a digital signature is added to the message to ensure that the node receiving the message knows who the leader is, and to prevent other nodes from forging the message.
On the basis of the technical scheme, after the other nodes receive the block to be confirmed, they verify the leader node's verification result and returned content according to the verification rules, and return confirmation information once confirmed.
When more than half of the nodes agree, the leader returns the result of the user authentication together with information such as the user's related authority.
The certification authority returns the authentication result and the authority to the application system; this comprises the corresponding sessionId, token, authority and other authentication information, ensuring the integrity of the unified authentication process.
The application system uses the authentication result returned by the certification authority to carry out authentication verification; if the verification passes, the user can successfully log in to the system and simultaneously acquire the authority that the user holds.
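The following is an added example, not code from the patent or its assignee, of the authority-side work the two passages above describe: the on-chain user record (hash of the user name, MD5 code of the password, authority) with the block checks the text lists (format, hash value, authority, modification record linking to the previous hash), and the credential check that yields the sessionId/token/authority bundle. The record layout with a `prev_hash` link, SHA-256 for the user-name hash (the page only says "hash value"), the allowed-authority set and the random token values are assumptions; the MD5 password code is what the page specifies, and the salted PBKDF2 pair at the end is an alternative of mine shown beside it because unsalted MD5 offers no resistance to offline guessing if the ledger is read.

```python
import hashlib
import hmac
import json
import secrets

# Fields every on-chain user record carries (constructed layout following the page's list:
# hash of the user name, MD5 code of the password, authority, plus a link to the user's
# previous record so modifications can be checked).
USER_FIELDS = {"user_hash", "pw_md5", "authority", "prev_hash", "record_hash"}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def user_hash(username):
    """The page only says 'hash value of the user name'; SHA-256 is assumed here."""
    return hashlib.sha256(username.encode()).hexdigest()


def pw_md5(password):
    """The page stores the MD5 code of the password. Unsalted MD5 is cheap to brute-force,
    which is why hardened_pw/hardened_verify below show a slow, salted alternative."""
    return hashlib.md5(password.encode()).hexdigest()


def record_hash(rec):
    body = {k: rec[k] for k in ("user_hash", "pw_md5", "authority", "prev_hash")}
    return hashlib.sha256(canonical(body)).hexdigest()


def make_record(username, password, authority, prev_hash):
    rec = {"user_hash": user_hash(username), "pw_md5": pw_md5(password),
           "authority": authority, "prev_hash": prev_hash}
    rec["record_hash"] = record_hash(rec)
    return rec


def validate_record(rec, ledger, allowed_authorities):
    """The checks the page lists for a submitted block: format, hash value, authority, and the
    modification record linking to the user's previous hash. Returns 'ok' or the failing check."""
    if set(rec) != USER_FIELDS:
        return "format"
    if not hmac.compare_digest(rec["record_hash"], record_hash(rec)):
        return "hash"
    if rec["authority"] not in allowed_authorities:
        return "authority"
    last = ledger.get(rec["user_hash"])
    expected_prev = last["record_hash"] if last else None
    if rec["prev_hash"] != expected_prev:
        return "modification-record"
    return "ok"


def commit(rec, ledger, allowed_authorities):
    """Apply the record to the local ledger only after every check passes."""
    status = validate_record(rec, ledger, allowed_authorities)
    if status == "ok":
        ledger[rec["user_hash"]] = rec
    return status


def authenticate(username, password, ledger):
    """Authority-side credential check; returns the sessionId/token/authority bundle the page
    describes, or None. Token values are random and constructed here."""
    rec = ledger.get(user_hash(username))
    if rec is None or not hmac.compare_digest(rec["pw_md5"], pw_md5(password)):
        return None
    return {"sessionId": secrets.token_hex(16), "token": secrets.token_urlsafe(32),
            "authority": rec["authority"]}


def hardened_pw(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 as a replacement for the bare MD5 code (not the page's scheme)."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def hardened_verify(password, stored):
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed ledger and authority set.
    ledger, allowed = {}, {"reader", "admin"}
    first = make_record("alice", "correct horse", "reader", None)
    print(commit(first, ledger, allowed))                  # ok
    print(authenticate("alice", "correct horse", ledger))  # sessionId/token/authority
    print(authenticate("alice", "wrong", ledger))          # None
    stale = make_record("alice", "new", "admin", None)     # ignores her latest record
    print(commit(stale, ledger, allowed))                  # modification-record
```

The `prev_hash` check is the one that matters for the "modification record" item: a record that does not reference the user's latest committed hash is refused even if it is well-formed and self-consistent, so a replayed or out-of-order update cannot silently replace the current authority value.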
Drawings
The invention has the following drawings:
the drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram of the unified identity authentication method based on the blockchain PBFT algorithm.
FIG. 2 is a flow chart of a new node registering on the chain.
FIG. 3 is a flow chart of putting user information and user authority on the chain.
Fig. 4 is a flow diagram of unified authentication alliance chain verification.
Detailed Description
The implementation case described here is a unified identity authentication project of a certain company, and the present invention is used as a part of application functions therein. The present invention will be described in further detail with reference to the accompanying drawings. The detailed description, while indicating exemplary embodiments of the invention, is given by way of illustration only, in which various details of embodiments of the invention are included to assist understanding. Accordingly, it will be appreciated by those skilled in the art that various changes and modifications may be made to the embodiments described herein without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in fig. 1-4, the unified identity authentication method based on the blockchain PBFT algorithm according to the present invention includes the following steps:
the authentication node applies for on-chain registration and establishes an alliance chain;
when a user registers or is adjusted, the corresponding user information and user authority are put on the chain, wherein the user information comprises: the hash value of the user name, the MD5 code of the user password, the authority information of the user, and the like;
the application system submits an identity authentication request, the alliance chain performs verification, and, once the verification passes, the authentication result and the authorization result are returned.
On the basis of the technical scheme, when the authentication node applies for on-chain registration to establish an alliance chain, a new node needs to be registered: an authentication blockchain project is deployed, and after it is started, the corresponding node information is transmitted to the certification authority for recording.
Wherein the node information includes: the MAC address of the machine, the IP address of the machine, and the identity of the alliance chain it needs to join.
Further, the interface of the certification authority receives the registration application and the authority administrator checks the qualification; if the check passes, the on-chain process continues. The certification authority stores the received registration information in a database associated with the alliance chain, and the members of the alliance chain verify whether the node is reachable, so as to ensure that the node can successfully join the chain.
After the node joins the chain, the result is recorded and returned to the certification authority for storage, and the registration result is returned to the registering node. The registered node verifies whether the connection has been established. After the registered node has been added to the alliance chain, messages are exchanged with each node through the IP addresses provided by the alliance chain.
On the basis of the technical scheme, when a new user is registered or user information is modified, the corresponding user information and user authority information are put on the chain: first, the application system registers the latest user information and user authority with the certification authority, and the certification authority sorts and records them, packs them, and sends them to the alliance chain.
Wherein the uploaded information comprises: the hash value of the user name, the MD5 code of the user password, the authority information of the user, and the like.
On the basis of the technical scheme, the alliance chain finds the node with the highest weight as calculated by the PBFT algorithm; this node is the leader elected for this record. The leader constructs a new block, broadcasts the submitted user information and user authority to the whole network, and waits for more than half of the nodes to confirm.
Wherein PBFT is an abbreviation of Practical Byzantine Fault Tolerance, meaning the practical Byzantine fault-tolerant algorithm, with message complexity O(N^2). PBFT is a state machine replication algorithm, i.e. the service is modeled as a state machine that is replicated at different nodes of the distributed system. Each replica of the state machine preserves the state of the service and also performs the operations of the service.
Wherein the replicas have two roles, primary node (primary) and backup node (backup), and all replicas move through a succession of configurations called views. The primary and backup nodes are defined relative to views, which are consecutively numbered integers. In a given view, one replica is selected as the primary node by the rule p = v mod |R|, where v is the view number, |R| is the number of replicas and p is the replica number; all nodes other than the primary are backup nodes. A view change needs to be initiated when the primary node fails. The primary node (replica 0) receives the request sent by the client C, assigns a sequence number n to the request, and then sends a PRE-PREPARE message to all backup nodes in the form <<PRE-PREPARE, v, n, d>, m>, where v is the view number, m is the request sent by the client, and d is the digest of the request message m. After receiving the message broadcast by the primary node, a backup node checks whether to accept the message, and once it accepts the message, it broadcasts a PREPARE message to the other replicas.
During broadcasting, anti-forgery between nodes uses a public key and a private key: the node packs the broadcast message by providing the public key, and the correctness of the returned message is verified by the private key. Meanwhile, a digital signature is added to the message to ensure that the node receiving the message knows who the leader is, and to prevent other nodes from forging the message.
On the basis of the technical scheme, after receiving the block to be confirmed, the other nodes check it according to the agreed consensus algorithm, and after the message is confirmed to be correct, the confirmation is returned to the leader.
Wherein the content verified according to the consensus algorithm comprises: the format, the hash value, the authority in the user information, the modification record linking to the previous hash value of the user name, and the like.
On the basis of the technical scheme, after the leader receives confirmation from more than half of the nodes, consensus has been reached with the other nodes. The user information is put into the commit state, and the statement generated from the user information is then broadcast to the whole network.
After receiving the statement, the other nodes update their local user information and user authority ledger, so that all nodes hold the same user information and user authority.
On the basis of the technical scheme, when the identity authentication is carried out for the alliance chain verification, the application system firstly sends the user name and the password to the authentication mechanism through the cas client.
And the certification authority inquires the related user information of the certification authority according to the received identity information, encapsulates the user information (account number and password) and sends the user information (account number and password) to the alliance chain for verification. And finding a node with the highest weight calculated by the PBFT algorithm by the alliance chain, wherein the node is a leader elected by the verification, the leader verifies the account number and the password, and the verification result is broadcasted in the whole network.
Wherein PBFT is an abbreviation of Practical Byzantine failure Tolerance, meaning Practical Byzantine Fault-tolerant algorithm with high complexity O (N ^ 2). PBFT is a state machine replication algorithm, i.e. the service is modeled as a state machine that performs replication at different nodes of the distributed system. The copies of each state machine preserve the state of the service and also enable the operation of the service.
Wherein the copies have two roles, primary node (primary) and backup node (backup), and all copies operate in a rotation process called View (View). The primary and backup nodes are for views, which are consecutively numbered integers. In a certain view, one copy is selected from the copies as a master node, the selection algorithm is p = v mod | R |, wherein v is a view number, | R | is the number of copies, p is a copy number, and all nodes except the master node are backup nodes. The view replacement process needs to be initiated when the master node fails. The main node 0 receives the request sent by the client C, assigns a sequence number n to the request, and then sends a PREPARE message to all backup nodes in a group format of < < PRE-PREPARE, v, n, d >, m >, where v is a view number, m is the request message sent by the client, and d is a summary of the request message m. After receiving the message broadcast by the master node, the backup node judges whether the check receives the message, and after receiving the message, the backup node broadcasts the message to other copies by prefix.
During broadcasting, the anti-counterfeiting among the nodes adopts a public key and a private key, the nodes are packaged into a broadcast message by providing the public key, and the correctness of the returned message is verified by the private key. Meanwhile, a digital signature is added in the message to ensure that the node receiving the message knows who the leader is, and prevent other nodes from forging the message.
On the basis of the technical scheme, after other nodes receive the block needing to be confirmed, the verification result and the return content of the leader node are verified according to the verification rule, and confirmation information is returned after confirmation.
When more than half of the nodes agree, the leader returns the result of the user authentication and also returns information such as the related authority of the user.
The authentication authority returns the authentication result and the authorities to the application system; this includes the corresponding sessionId, token, authorities and other authentication information, which guarantees the integrity of the unified authentication process.
The application system uses the authentication result returned by the authentication authority to perform its own authentication check; if that check passes, the user is logged into the system and the user's authorities are obtained at the same time.
The invention takes a consortium chain based on the PBFT algorithm as its underlying layer and designs a decentralized unified authentication method. User information is stored in a distributed way and cannot be tampered with, which greatly improves the security of the data; managing the authentication nodes on chain reduces the risk of the service becoming unusable because a single machine crashes, and improves the stability of the system.
One embodiment is as follows.
Step 1: survey and analyse the current state of the user information relevant to identity authentication, and decide on a scheme.
The project involves several organisations, each with several systems, and the builder wants to authenticate and manage the users of these organisations collectively. No single trusted central authentication node can be agreed among the organisations, so in this project the unified identity authentication platform integrates blockchain technology: a consortium chain is established, the user information is integrated into it, and unified authentication is implemented on the blockchain.
Step 2: because each of the several organisations has its own systems, a combination of a private chain and consortium chains is used to keep the systems independent. The identity authentication of the systems within one consortium is integrated, and other systems can form their own consortium. The whole blockchain is therefore a private chain divided into several consortium chains, which are distinguished by a specific groupId.
Step 3: as shown in figure 2, authentication nodes apply for registration and a consortium chain is established; the project uses 8 consortium chain machines to ensure the integrity and response speed of the system.
Step 4: collate and integrate the user information and authority data of the organisations involved and put them on chain following figure 3. The integrated user information and authorities are registered and submitted to the authentication authority for recording; the authority submits the user information to the consortium chain, where the leader elected by the PBFT algorithm generates a new block and broadcasts it to the whole network. After the other nodes receive the block to be confirmed they confirm the message and return the confirmation result to the leader; once more than half of the nodes have confirmed, the user information enters the commit state, the statement generated from it is broadcast to the whole network, and the other nodes update their local ledgers.
Step 5: when a user enters an account and password to log in, the consortium chain authentication process of figure 4 is run. After the user enters the account and password and clicks submit, the CAS client submits them to the authentication authority, which encapsulates the user information and sends the account and password to the consortium chain. The leader elected by the PBFT algorithm verifies the account and password; if verification passes, the verification result is broadcast to the whole network, and after receiving the block to be confirmed the other nodes confirm the leader's result and return their confirmation to the leader. When more than half agree, the leader returns the authentication result together with the user's associated authorities.
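The login check of step 5 and the sessionId/token/authority hand-off described in the "authentication result" paragraphs above, as an added example that is not the patent's code. Assumptions not taken from the page: SHA-256 as the hash of the user name, an HMAC-SHA256 key shared between the authentication authority and the application system for the token, a 30-minute session lifetime, and the two constructed user records. The password field is an unsalted MD5 value because claim 1 specifies it; that is not an acceptable password hash in practice (it is fast and unsalted, so a leaked ledger is cheaply brute-forced), and the `hardened_password_hash` function shows the salted PBKDF2 form a deployment should store instead.

```python
"""Leader verification against the ledger and the authority's token hand-off
(added example, not code from the patent)."""
import hashlib
import hmac
import json
import secrets
import time

AUTHORITY_KEY = b"assumed-secret-shared-by-authority-and-app"   # assumption
SESSION_TTL = 1800                                                # assumption


def user_key(username: str) -> str:
    return hashlib.sha256(username.encode()).hexdigest()


def password_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()   # as claim 1 states; weak, see lead-in


def hardened_password_hash(password: str, salt: bytes = None) -> str:
    """What a deployment should store instead: salted PBKDF2-HMAC-SHA256."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256$200000${salt.hex()}${dk.hex()}"


def hardened_check(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed ledger: the user records every node holds after step 4.
LEDGER = {
    user_key("alice"): {"pw_md5": password_md5("correct horse"), "authority": ["hr:read", "hr:write"]},
    user_key("bob"):   {"pw_md5": password_md5("hunter2"),       "authority": ["finance:read"]},
}


def leader_verify(username: str, password: str):
    """The elected leader's check of the account and password against the ledger."""
    rec = LEDGER.get(user_key(username))
    if rec is None or not hmac.compare_digest(rec["pw_md5"], password_md5(password)):
        return False, []
    return True, list(rec["authority"])


def issue_result(username: str, authority: list, now=None) -> dict:
    """Authentication authority: package sessionId, token and authority for the app."""
    now = int(now if now is not None else time.time())
    session_id = secrets.token_hex(16)
    claims = {"sid": session_id, "sub": user_key(username), "auth": authority, "exp": now + SESSION_TTL}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest()
    return {"sessionId": session_id, "token": f"{body.hex()}.{tag}", "authority": authority}


def app_verify(token: str, now=None):
    """Application system: check the token's tag and expiry before logging the user in."""
    now = int(now if now is not None else time.time())
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest(), tag):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims


def login(username: str, password: str, now=None):
    """Whole flow: leader check, authority result, application verification."""
    ok, authority = leader_verify(username, password)
    if not ok:
        return None
    result = issue_result(username, authority, now)
    claims = app_verify(result["token"], now)
    if claims is None:
        return None
    return {"sessionId": result["sessionId"], "authority": claims["auth"]}


if __name__ == "__main__":
    print(login("alice", "correct horse"))
    print(login("alice", "wrong password"))
```

The application system accepts authorities only from a token whose tag verifies, so a client cannot add an authority to the result on its way back from the authentication authority; the expiry check bounds how long a captured token stays usable.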
Step 6: after a series of tests the project went live and met its requirement for unified identity authentication. At the same time, the blockchain proved an effective aid to the practice of unified identity authentication.
Through the design and implementation of the invention, unified identity authentication in a blockchain setting is achieved, a solution for unified identity authentication on a consortium chain based on the PBFT algorithm is provided, and the data security of unified identity authentication is improved.
Matters not described in detail in this specification are well within the skill of those in the art.
The above is only a preferred embodiment of the present invention; its scope is not limited to this embodiment, and equivalent modifications or changes made by those skilled in the art according to the present disclosure fall within the scope of the invention as set out in the appended claims.

Claims (5)

1. A unified identity authentication method based on a blockchain PBFT algorithm, characterised by comprising the following steps: an authentication node applies for on-chain registration and a consortium chain is established;
when a user is registered or modified, the corresponding user information and user authorities are put on chain, where the user information comprises: the hash value of the user name, the MD5 value of the user password and the user's authority information;
the application system submits an identity authentication request, consortium chain verification is performed, and on passing verification an authentication result and the authorities are returned;
in the consortium chain verification for identity authentication, the application system first sends the user name and password to the authentication authority through a CAS client;
the authentication authority looks up the user information it holds according to the identity information received, packages the user information and sends it to the consortium chain for verification;
the consortium chain finds the node with the highest weight as calculated by the PBFT algorithm; this node is the leader elected for the verification, it verifies the account and password and broadcasts the verification result to the whole network;
during the broadcast, message authenticity between nodes relies on public and private keys: a node packages its public key into the broadcast message and the correctness of the returned message is checked with the private key; a digital signature is also added to the message, so that the nodes receiving it know who the leader is and other nodes cannot forge the message;
after receiving the block to be confirmed, the other nodes verify the leader node's verification result and returned content according to the verification rules and, if confirmed, return confirmation information;
when more than half of the nodes agree, the leader returns the user authentication result together with the user's associated authority information;
the authentication authority returns the authentication result and the authorities to the application system, including the corresponding sessionId, token and authority authentication information, which guarantees the integrity of the unified authentication process;
and the application system uses the authentication result returned by the authentication authority to perform authentication verification; if this passes, the user is logged into the system and the authorities the user owns are obtained at the same time.
2. The method according to claim 1, wherein when an authentication node applies for on-chain registration to establish the consortium chain, a new node is registered, the blockchain project for authentication is deployed, and after the project starts the corresponding node information is sent to the authentication authority for recording; the authentication authority's interface receives the registration application, the authority's administrator checks the node's qualification and, if it passes, the on-chain process continues; the authentication authority stores the received registration information in the database associated with the consortium chain, and the members of the consortium chain verify whether the node is reachable, so that the node can be put on chain successfully.
3. The method according to claim 2, wherein after the node is put on chain the result is returned to the authentication authority for storage and the registration result is returned to the registering node; the registered node verifies that it can communicate; after the registered node has joined the consortium chain, messages are exchanged with each node through the IP addresses provided by the consortium chain.
4. The method according to claim 1, wherein when a new user is registered or user information is modified, the corresponding user information and the user's authority information are put on chain: the application system registers the latest user information and authorities with the authentication authority, and the authentication authority collates and records them and packages them for submission to the consortium chain.
5. The unified identity authentication method based on a blockchain PBFT algorithm according to claim 4, wherein the consortium chain finds the node with the highest election weight through the PBFT algorithm; this node is the leader elected for the record, it constructs a new block, broadcasts the submitted user information and user authorities to the whole network and waits for more than half of the nodes to confirm;
during the broadcast, message authenticity between nodes relies on public and private keys: a node packages its public key into the broadcast message and the correctness of the returned message is checked with the private key; a digital signature is also added to the message, so that the nodes receiving it know who the leader is and other nodes cannot forge the message;
after receiving the block to be confirmed, the other nodes check the block according to the agreed consensus algorithm, the checked contents comprising: the format, the hash value, the previous modification record of the user's authorities and the hash value of the user name; after confirming that the message is correct they return confirmation information to the leader;
after the leader has received confirmation from more than half of the nodes, it signals agreement to the other nodes, the user information enters the commit state, and the statement generated from the user information is broadcast to the whole network; on receiving the statement the other nodes update their local ledgers of user information and user authorities, so that all nodes hold the same user information and user authorities.
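The block check and ledger commit of claim 5, as an added example that is not the patent's code. Assumptions not taken from the page: the block and record layout below, SHA-256 for every hash, and that "previous modification record" means each record names the hash of the user's current ledger entry (null for a new user), so that a stale or out-of-order update of a user's authorities is rejected while every node that applies the same blocks ends with the same ledger. User names are carried as SHA-256 hashes and passwords as the MD5 value claim 1 specifies, treated here as an opaque string.

```python
"""Block validation (format, hash, previous record, user-name hash) and commit
(added example, not code from the patent)."""
import hashlib
import json
from typing import Optional

HEX64 = set("0123456789abcdef")
GENESIS = "0" * 64
BLOCK_FIELDS = {"index", "prev_hash", "records", "hash"}
RECORD_FIELDS = {"user_hash", "pw_md5", "authority", "prev"}


def h(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def user_key(username: str) -> str:
    return hashlib.sha256(username.encode()).hexdigest()


def record_hash(rec: dict) -> str:
    return h({k: rec[k] for k in RECORD_FIELDS})


def make_block(index: int, prev_hash: str, records: list) -> dict:
    body = {"index": index, "prev_hash": prev_hash, "records": records}
    return {**body, "hash": h(body)}


def check_block(block: dict, ledger: dict, chain_head: str, expected_index: int) -> Optional[str]:
    """Return None if the block passes every check, else the name of the failing check."""
    # format: exact field sets and types
    if set(block) != BLOCK_FIELDS or not isinstance(block["records"], list):
        return "format"
    for rec in block["records"]:
        if set(rec) != RECORD_FIELDS or not isinstance(rec["authority"], list):
            return "format"
    # hash value: links to this node's chain head and recomputes
    if block["index"] != expected_index or block["prev_hash"] != chain_head:
        return "hash"
    if h({k: block[k] for k in ("index", "prev_hash", "records")}) != block["hash"]:
        return "hash"
    seen = set()
    for rec in block["records"]:
        # hash value of the user name: well-formed SHA-256, one update per user per block
        uh = rec["user_hash"]
        if len(uh) != 64 or set(uh) - HEX64 or uh in seen:
            return "user_hash"
        seen.add(uh)
        # previous modification record: must name the user's current entry (None if new)
        current = ledger.get(uh)
        if rec["prev"] != (record_hash(current) if current else None):
            return "prev_record"
    return None


def commit_block(block: dict, ledger: dict, chain_head: str, expected_index: int) -> str:
    """Apply a block that passes check_block to the local ledger; returns the new head."""
    failure = check_block(block, ledger, chain_head, expected_index)
    if failure is not None:
        raise ValueError(f"block rejected: {failure}")
    for rec in block["records"]:
        ledger[rec["user_hash"]] = dict(rec)
    return block["hash"]


def demo() -> dict:
    """Two nodes apply the same blocks; a stale authority update is rejected by both."""
    nodes = [{"ledger": {}, "head": GENESIS, "next": 1} for _ in range(2)]
    alice = user_key("alice")
    pw = hashlib.md5(b"correct horse").hexdigest()    # constructed sample value
    b1 = make_block(1, GENESIS, [{"user_hash": alice, "pw_md5": pw, "authority": ["hr:read"], "prev": None}])
    for n in nodes:
        n["head"] = commit_block(b1, n["ledger"], n["head"], n["next"])
        n["next"] += 1
    prev = record_hash(nodes[0]["ledger"][alice])
    b2 = make_block(2, b1["hash"], [{"user_hash": alice, "pw_md5": pw,
                                     "authority": ["hr:read", "hr:write"], "prev": prev}])
    # a replayed "new user" record for alice: no longer names her current entry
    stale = make_block(2, b1["hash"], [{"user_hash": alice, "pw_md5": pw,
                                        "authority": ["hr:read"], "prev": None}])
    results = {"stale": [check_block(stale, n["ledger"], n["head"], n["next"]) for n in nodes]}
    for n in nodes:
        n["head"] = commit_block(b2, n["ledger"], n["head"], n["next"])
        n["next"] += 1
    results["same_ledger"] = h(nodes[0]["ledger"]) == h(nodes[1]["ledger"])
    results["authority"] = nodes[0]["ledger"][alice]["authority"]
    return results


if __name__ == "__main__":
    print(demo())
```

Because each update names the hash of the entry it replaces, two updates for the same user cannot both pass against the same ledger state, and a node whose ledger has drifted rejects the block at the "prev_record" check rather than silently diverging from the others.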
CN202110000958.0A 2021-01-05 2021-01-05 Unified identity authentication method based on block chain PBFT algorithm Active CN112583858B (en)

Publications (2)

Publication Number Publication Date
CN112583858A CN112583858A (en) 2021-03-30
CN112583858B true CN112583858B (en) 2023-04-18

Family

ID=75144605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110000958.0A Active CN112583858B (en) 2021-01-05 2021-01-05 Unified identity authentication method based on block chain PBFT algorithm

Country Status (1)

Country Link
CN (1) CN112583858B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112994882B (en) * 2021-04-21 2021-07-20 腾讯科技(深圳)有限公司 Authentication method, device, medium and equipment based on block chain
CN113626781B (en) * 2021-07-19 2024-01-23 中国科学院信息工程研究所 Block chain efficient authentication method based on trusted group
CN113766007B (en) * 2021-07-29 2024-02-20 中国电力科学研究院有限公司 Authentication pre-system and authentication method based on multi-source heterogeneous data analysis protocol
CN114302396B (en) * 2021-12-14 2023-11-07 中国联合网络通信集团有限公司 Data management method, device, equipment, storage medium and system
CN115334038B (en) * 2022-08-20 2024-03-26 信通院(江西)科技创新研究院有限公司 APPID application management method and system based on blockchain
CN116566740B (en) * 2023-06-30 2023-09-01 济南职业学院 Industrial distributed authentication system and implementation method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020177508A1 (en) * 2019-03-05 2020-09-10 深圳前海微众银行股份有限公司 Block chain construction and group division method and apparatus

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019232789A1 (en) * 2018-06-08 2019-12-12 北京大学深圳研究生院 Voting-based consensus method
CN107341660B (en) * 2017-05-27 2021-06-29 唐盛(北京)物联技术有限公司 Block chain bottom layer consensus mechanism and block chain system based on same
CN109327459B (en) * 2018-11-12 2020-12-01 崔晓晖 Consensus method for union block chain network
CN110958111B (en) * 2019-12-09 2023-09-08 广东电网有限责任公司 Block chain-based identity authentication mechanism of electric power mobile terminal
CN111598565B (en) * 2020-04-24 2022-08-19 广西电网有限责任公司电力科学研究院 Storage construction method and system based on PBFT block chain technology

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020177508A1 (en) * 2019-03-05 2020-09-10 深圳前海微众银行股份有限公司 Block chain construction and group division method and apparatus

Also Published As

Publication number Publication date
CN112583858A (en) 2021-03-30

Similar Documents

Publication Publication Date Title
CN112583858B (en) Unified identity authentication method based on block chain PBFT algorithm
CN110990408B (en) Business information collaboration method based on block chain, business system and alliance chain
CN112035889B (en) Block chain privacy verification method and device for computing outsourcing and computer equipment
US20210097538A1 (en) Systems and methods for managing data generation, storage, and verification in a distributed system having a committee of validator nodes
CN112055025B (en) Privacy data protection method based on block chain
CN112311735B (en) Credible authentication method, network equipment, system and storage medium
CN111191283B (en) Beidou positioning information security encryption method and device based on alliance block chain
US7308502B2 (en) Method and architecture to provide client session failover
US11849052B2 (en) Certificate in blockchain network, storage medium, and computer device
US11240027B2 (en) Synchronizing radius server databases using distributed ledger network
CN109493052B (en) Cross-chain contract system based on main chain and parallel multiple sub-chains
CN113824563B (en) Cross-domain identity authentication method based on block chain certificate
CN111818056B (en) Industrial Internet identity authentication method based on block chain
CN114338242B (en) Cross-domain single sign-on access method and system based on block chain technology
CN113676452B (en) Replay attack resisting method and system based on one-time key
CN112436940A (en) Internet of things equipment trusted boot management method based on zero-knowledge proof
US11646897B2 (en) Method and apparatus for utilizing off-platform-resolved data as an input to code execution on a decentralized platform
CN115378604A (en) Identity authentication method of edge computing terminal equipment based on credit value mechanism
CN111582843A (en) Block chain privacy transaction method based on aggregated signature
CN113746858A (en) Cross-chain communication method based on verifiable random function
CN112600672B (en) Inter-domain credibility consensus method and device based on real identity
CN112039837A (en) Electronic evidence preservation method based on block chain and secret sharing
WO2023082883A1 (en) Cross-blockchain transaction processing method and apparatus, and computer device, computer storage medium and computer program product
CN114938278B (en) Zero-trust access control method and device
CN116186786A (en) Block chain-based service processing method and device, electronic equipment and readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant