CN113641986B - Method and system for realizing alliance chain user private key hosting based on SoftHSM - Google Patents
Method and system for realizing alliance chain user private key hosting based on SoftHSM Download PDFInfo
- Publication number
- CN113641986B CN113641986B CN202110994619.9A CN202110994619A CN113641986B CN 113641986 B CN113641986 B CN 113641986B CN 202110994619 A CN202110994619 A CN 202110994619A CN 113641986 B CN113641986 B CN 113641986B
- Authority
- CN
- China
- Prior art keywords
- private key
- softhsm
- module
- user
- token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 37
- 230000008676 import Effects 0.000 claims abstract description 11
- 238000012795 verification Methods 0.000 claims description 64
- 230000007246 mechanism Effects 0.000 claims description 19
- 238000004806 packaging method and process Methods 0.000 claims description 14
- 238000009795 derivation Methods 0.000 claims description 12
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 claims 14
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 claims 14
- 230000006870 function Effects 0.000 description 24
- 238000005516 engineering process Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000008602 contraction Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a method and a system for realizing alliance chain user private key hosting based on SoftHSM, which can realize user private key soft hosting, increase the security of private keys and increase the expandability of a system. The technical proposal is as follows: responding to a user node private key import request, and verifying user information and authority information; executing a command to create a token and slot; verifying the result of executing the creation, and if the creation is successful, acquiring the return values of the created token and the slot; starting a softHSM private key hosting module, and importing a user node private key into the softHSM private key hosting module for hosting; verifying the result of importing the private key of the user node into the softHSM private key hosting module; calling an interface updating k8s configuration; the re-enabling user node validates the updated k8s configuration.
Description
Technical Field
The invention relates to application of a blockchain technology, in particular to a method and a system for realizing private key escrow of alliance chain users based on SoftHSM.
Background
A federated chain is an organized form of blockchain, between public and private chains, that is a blockchain that multiple organizations or organizations participate in management, each organization or organization managing one or more nodes whose data only allows different organizations within the system to read, write, and send. The private key of the user in the alliance chain is data for uniquely proving the identity of the user, and the core asset of the user is controlled by the private key, namely, the confirmation of the transaction can be realized only through the signature of the private key, so that the protection of the private key of the blockchain is very important. On one hand, the private key is prevented from being leaked and stolen by a hacker Trojan, and on the other hand, the private key is prevented from being lost, so that the private key can be safely retrieved after the private key is lost. The private key of the user can be stored in the electronic equipment, but once the information is lost or stolen, the private key is lost, and the property safety of the user is greatly influenced.
The existing private key hosting method has the problem that a platform hosting mode is used for backing up the private key, when the user key is lost, the core node needs to be entrusted to retrieve the private key, so that the oversized right of the core node is given, and the client requirement cannot be met. Moreover, the method can enable the trusted party to fully control the account, and even can perform operations against the wish of the trusted party.
While Public Key Cryptography Standards (PKCS) include a set of cryptography standards that provide guidelines and Application Programming Interfaces (APIs) for using cryptographic methods. PKCS #11 is a cryptographic token interface standard that formulates a set of APIs called Cryptoki. Using this API, the application may address the encryption device as tokens and may perform the encryption functions implemented by these tokens. The hardware security module (Hardware Security Module, HSM) is usually required to be connected with software, so that more safe and efficient hardware encryption security is provided for software services, and therefore, the application development of SoftHSM is realized. The use of SoftHSM enables cryptographically secure storage without the need for a hardware security module, which is now developed as part of the OpenDNSSEC (Open Domain Name System Security Extensions) project. The SoftHSM implements the encrypted storage access interface defined by pkcs#1.
How to utilize SoftHSM to realize soft hosting of user private keys of a federation chain so as to strengthen security of user private keys in the federation chain is a problem to be solved in the industry at present.
Disclosure of Invention
The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later.
The invention aims to solve the problems, and provides a method and a system for realizing alliance chain user private key hosting based on SoftHSM, which realize soft hosting of user private keys, increase the safety of the user private keys and increase the expandability of the system.
The technical scheme of the invention is as follows: the invention discloses a method for realizing alliance chain user private key hosting based on SoftHSM, which comprises the following steps:
step 1: responding to a user node private key import request, verifying user information and authority information corresponding to the user node, returning error information to the client if verification fails, and continuing the next step if verification passes;
step 2: executing a command to create a token and slot;
step 3: verifying the result of executing the creation, returning error information to the client if the creation fails, acquiring the return values of the created token and slot if the creation succeeds, and entering the next step;
step 4: starting a softHSM private key hosting module, and importing a user node private key into the softHSM private key hosting module for hosting;
step 5: verifying the result of importing the private key of the user node into the softHSM private key hosting module, returning error information to the client if the importing fails, and entering the next step if the importing is successful;
step 6: calling an interface updating k8s configuration;
step 7: the re-enabling user node validates the updated k8s configuration.
According to an embodiment of the invention, based on the SoftHSM, a federation chain user private key hosting method is implemented, in step 1, verifying user information and authority information includes a two-step verification mechanism: password verification and verification code verification.
According to an embodiment of the present invention, the step 2 further includes:
checking whether a token and a slot already exist, and if so, entering the next step;
if the token and the slot do not exist, a preset label and pin value is obtained, a random number is added to the label and pin value, and an initToken function of a PKCS#11 library is called to create the token and the slot.
According to an embodiment of the present invention, before invoking the initToken function of the PKCS #11 library to create the token and slot, the method further comprises:
the interface of the initToken function of the PKCS #11 library is encapsulated.
According to an embodiment of the present invention, the step 4 further includes:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the softHSM private key hosting module through a key importing tool.
According to an embodiment of the invention, before starting the SoftHSM private key escrow module, the method for realizing the federation chain user private key escrow based on the SoftHSM further comprises: the SoftHSM is installed and deployed in a certificate issuing mechanism, a PKCS#11 interface is configured in a blockchain encryption service provider module of the certificate issuing mechanism, the client configuration is switched into PKCS#11, and the client and the certificate issuing mechanism are reconnected.
According to an embodiment of the invention, before the user node private key is imported into the SoftHSM private key hosting module by the key importing tool, the method further comprises:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
The invention also discloses a system for realizing alliance chain user private key hosting based on the SoftHSM, which comprises:
the user verification module is used for responding to the user node private key import request and verifying the user information and the authority information corresponding to the user node;
the initialization module is used for executing the command for creating the token and the slot, verifying the result of executing the creation, and acquiring the return values of the created token and slot if the creation is successful;
the softHSM private key hosting module is used for importing the private key of the user node into the softHSM private key hosting module for hosting;
the execution verification module is used for verifying the result of the user node private key importing softHSM private key hosting module;
the configuration updating module is used for calling an interface for updating the k8s configuration to update the k8s configuration;
and the node restarting module is used for restarting the user node to enable the updated k8s configuration to be effective.
According to an embodiment of the invention, based on the SoftHSM, the user authentication module verifies the user information and the authority information by a two-step authentication mechanism: password verification and verification code verification.
According to an embodiment of the invention in which the federation chain user private key escrow system is implemented based on SoftHSM, the initialization module is further configured to:
checking whether a token and a slot exist or not, if the token and the slot do not exist, acquiring preset label and pin values, adding a random number to the label and pin values, and calling an initToken function of a PKCS#11 library to create the token and the slot.
According to an embodiment of the invention in which the federation chain user private key escrow system is implemented based on SoftHSM, the initialization module is further configured to:
the method also comprises the following steps before the initToken function of the PKCS#11 library is called to create the token and the slot: the interface of the initToken function of the PKCS #11 library is encapsulated.
According to an embodiment of the invention, the SoftHSM-based federation chain user private key escrow system is further configured to:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the softHSM private key hosting module through a key importing tool.
According to an embodiment of the invention, the SoftHSM-based federation chain user private key escrow system is further configured to:
the method further comprises the following steps before starting the SoftHSM private key escrow module: the SoftHSM is installed and deployed in a certificate issuing mechanism, a PKCS#11 interface is configured in a blockchain encryption service provider module of the certificate issuing mechanism, the client configuration is switched into PKCS#11, and the client and the certificate issuing mechanism are reconnected.
According to an embodiment of the invention, the SoftHSM-based federation chain user private key escrow system is further configured to:
before the user node private key is imported into the SoftHSM private key escrow module by the key import tool, the method further comprises:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
Compared with the prior art, the invention has the following beneficial effects: firstly, a two-step verification mechanism is provided to verify the user information, so that the user is ensured to have the authority of private key escrow; the key is that a softHSM private key hosting module is introduced, a user private key is hosted in the softHSM, soft hosting of the user private key is realized, and the security of the user private key is improved. In addition, the invention also encapsulates the initToken interface, the wrapkey interface and the unwrapkey interface of the PKCS#11 library, thereby increasing the expandability of the system.
Drawings
The above features and advantages of the present invention will be better understood after reading the detailed description of embodiments of the present disclosure in conjunction with the following drawings. In the drawings, the components are not necessarily to scale and components having similar related features or characteristics may have the same or similar reference numerals.
Fig. 1 shows a flowchart of an embodiment of the SoftHSM-based federation chain user private key escrow method of the present invention.
Fig. 2 illustrates a schematic diagram of an embodiment of the SoftHSM-based federation chain user private key escrow system of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings and the specific embodiments. It is noted that the aspects described below in connection with the drawings and the specific embodiments are merely exemplary and should not be construed as limiting the scope of the invention in any way.
Fig. 1 shows a flow chart of an embodiment of the method for implementing federation chain user private key escrow based on SoftHSM according to the present invention, please refer to fig. 1, and implementation steps of the method of the embodiment are described in detail below.
Step 1: and the user verification module responds to the user node private key import request to verify the user information and the authority information corresponding to the user node. If the verification is passed, continuing to the next step, and if the verification is failed, returning error information to the client.
Verifying user information and rights information includes a two-step verification mechanism: the password verification and verification code verification specifically comprises the following steps:
password verification: sending a login request to a server according to a user account number and a password, and returning a corresponding token by the server; signing the returned token by using a password; comparing the signed information with signature information of the same account stored in a database, if the signature information is the same as the signature information of the same account, verifying the signature information successfully, and if the signature information is not the same, failing to verify the signature information; returning the verification result to the client;
verification code verification: acquiring a mobile phone number and a verification code of a user, if the verification code is correct, sending a login request to a server according to the mobile phone number and the verification code, and returning a corresponding token by the server; storing the latest verification code into a database, and signing the token by using the password and the verification code; comparing the signed information with signature information of the same mobile phone number stored in a database, if the signature information is the same as the signature information, verifying the signature information successfully, and if the signature information is not the same, failing to verify the signature information; and returning the verification result to the client.
Step 2: the initialization module executes a command for creating a token and a slot, and specifically comprises the following steps:
checking whether a token and a slot already exist, and if so, entering the next step;
if the token and the slot do not exist, a preset label and pin value is obtained, a random number is added to the label and the pin value, the random number can be different, and an initToken function of a PKCS#11 library is called to create the token and the slot.
The PKCS #11 standard is a set of specifications called Public key encryption standard (Public-Key Cryptography Standards) which identifies A Programming Interface (API), called Cryptoki, which is an abbreviation for cryptographic token interface (cryptographic token interface), for devices that hold cryptographic information and perform cryptographic functions.
Token, slot, label, PIN, inittoken are terms in the PKCS #11 standard,
token: a token, a cryptographic logical view defined by Cryptoki, is a device that can store objects and perform cryptographic functions. As a password token interface opening standard, the Cryptoki defines an application program interface for user equipment having password information (keys or certificates) and executing cryptographic functions, abstracts details of the equipment, and refers to a general model of the password equipment (such as a USBKey and an encryption card) as a password token so as to provide the password token to an application program;
slot: a slot, possibly a logical reader containing a token;
label: a label;
PIN: representing a personal identification code;
initToken function: the token function is initialized.
In addition, before the initToken function calling the pkcs#11 library realizes creation of a token and slot, the method further includes: the interface of the initToken function of the PKCS#11 library is encapsulated so that the functions of creating a token and a slot are realized.
Step 3: and the execution verification module verifies the result of executing the creation, returns error information to the client if the creation fails, acquires the return values of the created token and slot if the creation is successful, and enters the next step.
Step 4: the node restarting module starts the softHSM private key hosting module, and the private key of the user node is imported into the softHSM private key hosting module.
The step 4 specifically comprises the following steps:
the softHSM private key hosting module is used for acquiring a file path of the private key of the user node, calling a return value for creating a token and a slot, and importing the private key of the user node into the softHSM private key hosting module through the key importing tool to process and host the private key of the user.
In addition, before starting the SoftHSM private key escrow module, the method further comprises: and installing and deploying the softHSM in the CA, configuring a PKCS#11 interface in a BCCSP module of the CA, switching the client configuration into PKCS#11, and reconnecting the client and the CA.
CA (Certification Authority) is a certificate issuing authority and is an authority responsible for issuing certificates, authenticating certificates, and managing issued certificates.
BCCSP (Blockchain Cryptographic Service Provider) blockchain encryption service provider provides encryption standards and algorithm implementations for Fabric, including hashing, signing, BCCSP provides encryption algorithm related services to core functions and client SDKs through MSP (i.e., membership Service Provider membership service provider).
In addition, before the user node private key is imported into the SoftHSM private key escrow module by the key import tool, the method further comprises:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
Step 5: and the execution verification module verifies the result of the user node private key importing softHSM private key hosting module, returns error information to the client if the importing fails, and enters the next step if the importing is successful.
Step 6: the configuration update module invokes an interface update k8s configuration that updates the k8s configuration.
k8s is known as Kubernetes, is a container cluster management system, and can realize functions of automatic deployment, automatic expansion and contraction, maintenance and the like of a container cluster.
Step 7: the node restarting module restarts the user node to validate the updated k8s configuration.
Fig. 2 illustrates the principle of an embodiment of the present invention for implementing a federated chain user private key escrow system based on SoftHSM, please refer to fig. 2, the architecture and principle of the system of the present embodiment are detailed below.
The system of the present embodiment includes: the system comprises a user verification module, an initialization module, a softHSM private key hosting module, an execution verification module, a configuration updating module and a node restarting module.
The data transmission relation among the modules is as follows: the data of the user verification module is output to the initialization module, the data of the initialization module is output to the softHSM private key hosting module, the data of the softHSM private key hosting module is output to the execution verification module, the data of the execution verification module is output to the configuration updating module, and the data of the configuration updating module is output to the node restarting module.
The user verification module is used for responding to the user node private key import request and verifying the user information and the authority information corresponding to the user node.
The user verification module verifies that the user information and the authority information comprise a two-step verification mechanism: the specific configuration of the password verification and verification code verification is as follows:
password verification: sending a login request to a server according to a user account number and a password, and returning a corresponding token by the server; signing the returned token by using a password; comparing the signed information with signature information of the same account stored in a database, if the signature information is the same as the signature information of the same account, verifying the signature information successfully, and if the signature information is not the same, failing to verify the signature information; returning the verification result to the client;
verification code verification: acquiring a mobile phone number and a verification code of a user, if the verification code is correct, sending a login request to a server according to the mobile phone number and the verification code, and returning a corresponding token by the server; storing the latest verification code into a database, and signing the token by using the password and the verification code; comparing the signed information with signature information of the same mobile phone number stored in a database, if the signature information is the same as the signature information, verifying the signature information successfully, and if the signature information is not the same, failing to verify the signature information; and returning the verification result to the client.
The initialization module is used for executing the command for creating the token and the slot, verifying the result of executing the creation, and acquiring the return values of the created token and slot if the creation is successful.
The specific configuration of the initialization module is as follows:
checking whether a token and a slot already exist, and if so, entering the next step;
if the token and the slot do not exist, a preset label and pin value is obtained, a random number is added to the label 1 and the pin value, and an initToken function of a PKCS#11 library is called to create the token and the slot.
In addition, the method further comprises the following steps before the initToken function of the PKCS#11 library is called to create the token and the slot: the interface of the initToken function of the PKCS #11 library is encapsulated.
The SoftHSM private key hosting module is used for importing the private key of the user node into the SoftHSM private key hosting module for hosting.
The specific configuration of the SoftHSM private key escrow module is as follows:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the softHSM private key hosting module through a key importing tool.
In addition, before starting the SoftHSM private key escrow module, the method further comprises: and installing and deploying the softHSM in the CA, configuring a PKCS#11 interface in a BCCSP module of the CA, switching the client configuration into PKCS#11, and reconnecting the client and the CA.
In addition, before the user node private key is imported into the SoftHSM private key escrow module by the key import tool, the method further comprises:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
The execution verification module is used for verifying the result of the user node private key importing SoftHSM private key hosting module.
The configuration updating module is used for calling the interface updating k8s configuration for updating k8s configuration.
The node restarting module is used for restarting the user node to enable the updated k8s configuration to be effective.
While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of acts, it is to be understood and appreciated that the methodologies are not limited by the order of acts, as some acts may, in accordance with one or more embodiments, occur in different orders and/or concurrently with other acts from that shown and described herein or not shown and described herein, as would be understood and appreciated by those skilled in the art.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a web site, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk (disk) and disc (disk) as used herein include Compact Disc (CD), laser disc, optical disc, digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks (disk) usually reproduce data magnetically, while discs (disk) reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the spirit or scope of the disclosure. Thus, the disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (4)
1. A method for realizing alliance chain user private key hosting based on softHSM is characterized by comprising the following steps:
step 1: responding to a user node private key import request, verifying user information and authority information corresponding to the user node, returning error information to the client if verification fails, and continuing the next step if verification passes;
step 2: executing a command to create a token and slot;
step 3: verifying the result of executing the creation, returning error information to the client if the creation fails, acquiring the return values of the created token and slot if the creation succeeds, and entering the next step;
step 4: starting a softHSM private key hosting module, and importing a user node private key into the softHSM private key hosting module for hosting;
step 5: verifying the result of importing the private key of the user node into the softHSM private key hosting module, returning error information to the client if the importing fails, and entering the next step if the importing is successful;
step 6: calling an interface updating k8s configuration;
step 7: restarting the user node to enable the updated k8s configuration to be effective;
wherein step 4 further comprises:
acquiring a file path of a private key of a user node, calling a created token and a return value of a slot, and importing the private key of the user node into a softHSM private key hosting module through a key importing tool;
the method further comprises the following steps before starting the SoftHSM private key escrow module: installing and deploying a softHSM in a certificate issuing mechanism, configuring a PKCS#11 interface in a block chain encryption service provider module of the certificate issuing mechanism, switching client configuration into PKCS#11, and reconnecting the client and the certificate issuing mechanism;
wherein step 2 further comprises:
checking whether a token and a slot already exist, and if so, entering the next step;
if the token and the slot do not exist, a preset label and pin value is obtained, a random number is added to the label and pin value, and an initToken function of a PKCS#11 library is called to create the token and the slot;
wherein the method further comprises the following steps before the initToken function of the PKCS#11 library is called to create the token and the slot:
packaging an interface of an initToken function of the PKCS#11 library;
the method further comprises the steps of, before the private key of the user node is imported into the SoftHSM private key hosting module through the key importing tool:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
2. The SoftHSM-based federation chain user private key escrow method according to claim 1, wherein in step 1, verifying user information and rights information comprises a two-step verification mechanism: password verification and verification code verification.
3. A system for realizing alliance chain user private key escrow based on softHSM is characterized in that the system comprises:
the user verification module is used for responding to the user node private key import request and verifying the user information and the authority information corresponding to the user node;
the initialization module is used for executing the command for creating the token and the slot, verifying the result of executing the creation, and acquiring the return values of the created token and slot if the creation is successful;
the softHSM private key hosting module is used for importing the private key of the user node into the softHSM private key hosting module for hosting;
the execution verification module is used for verifying the result of the user node private key importing softHSM private key hosting module;
the configuration updating module is used for calling an interface for updating the k8s configuration to update the k8s configuration;
the node restarting module is used for restarting the user node to enable the updated k8s configuration to take effect;
wherein the SoftHSM private key escrow module is further configured to:
acquiring a file path of a private key of a user node, calling a created token and a return value of a slot, and importing the private key of the user node into a softHSM private key hosting module through a key importing tool;
the method further comprises the following steps before starting the SoftHSM private key escrow module: installing and deploying a softHSM in a certificate issuing mechanism, configuring a PKCS#11 interface in a block chain encryption service provider module of the certificate issuing mechanism, switching client configuration into PKCS#11, and reconnecting the client and the certificate issuing mechanism;
wherein the initialization module is further configured to:
checking whether a token and a slot exist or not, if the token and the slot do not exist, acquiring preset label and pin values, adding a random number to the label and pin values, and calling an initToken function of a PKCS#11 library to create the token and the slot;
wherein the initialization module is further configured to:
the method also comprises the following steps before the initToken function of the PKCS#11 library is called to create the token and the slot: packaging an interface of an initToken function of the PKCS#11 library;
wherein the SoftHSM private key escrow module is further configured to:
before the user node private key is imported into the SoftHSM private key escrow module by the key import tool, the method further comprises:
packaging a wrapkey interface of a PKCS#11 library to obtain a key importing tool, and realizing the key importing operation;
and packaging the unwrapkey interface of the PKCS#11 library to obtain a key derivation tool, so as to realize the key derivation operation.
4. The SoftHSM-based federation chain user private key escrow system of claim 3, wherein the user authentication module verifies the user information and the rights information comprising a two-step authentication mechanism: password verification and verification code verification.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110994619.9A CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110994619.9A CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113641986A CN113641986A (en) | 2021-11-12 |
| CN113641986B true CN113641986B (en) | 2024-04-02 |
Family
ID=78424138
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110994619.9A Active CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113641986B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO1998054864A2 (en) * | 1997-05-28 | 1998-12-03 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems |
| US10790976B1 (en) * | 2018-08-01 | 2020-09-29 | Bloomio Ag | System and method of blockchain wallet recovery |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10043029B2 (en) * | 2014-04-04 | 2018-08-07 | Zettaset, Inc. | Cloud storage encryption |
| US9973341B2 (en) * | 2015-01-23 | 2018-05-15 | Daniel Robert Ferrin | Method and apparatus for the limitation of the mining of blocks on a block chain |
| US10461940B2 (en) * | 2017-03-10 | 2019-10-29 | Fmr Llc | Secure firmware transaction signing platform apparatuses, methods and systems |
| US10778439B2 (en) * | 2015-07-14 | 2020-09-15 | Fmr Llc | Seed splitting and firmware extension for secure cryptocurrency key backup, restore, and transaction signing platform apparatuses, methods and systems |
| US10644885B2 (en) * | 2015-07-14 | 2020-05-05 | Fmr Llc | Firmware extension for secure cryptocurrency key backup, restore, and transaction signing platform apparatuses, methods and systems |
| US11301845B2 (en) * | 2019-08-19 | 2022-04-12 | Anchor Labs, Inc. | Cryptoasset custodial system with proof-of-stake blockchain support |
| WO2021062020A1 (en) * | 2019-09-24 | 2021-04-01 | Magic Labs, Inc. | Non-custodial tool for building decentralized computer applications |
-
2021
- 2021-08-27 CN CN202110994619.9A patent/CN113641986B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO1998054864A2 (en) * | 1997-05-28 | 1998-12-03 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems |
| US10790976B1 (en) * | 2018-08-01 | 2020-09-29 | Bloomio Ag | System and method of blockchain wallet recovery |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113641986A (en) | 2021-11-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11743054B2 (en) | Method and system for creating and checking the validity of device certificates | |
| JP7060362B2 (en) | Event certificate for electronic devices | |
| US11070542B2 (en) | Systems and methods for certificate chain validation of secure elements | |
| US9621356B2 (en) | Revocation of root certificates | |
| EP3312756A1 (en) | Establishing cryptographic identity for an electronic device | |
| US7568114B1 (en) | Secure transaction processor | |
| US9331990B2 (en) | Trusted and unsupervised digital certificate generation using a security token | |
| WO2020192406A1 (en) | Method and apparatus for data storage and verification | |
| US20100268942A1 (en) | Systems and Methods for Using Cryptographic Keys | |
| CN109639427B (en) | Data sending method and equipment | |
| TWI782255B (en) | Unlocking method, device for realizing unlocking, and computer-readable medium | |
| JP2013514587A (en) | Content management method using certificate revocation list | |
| JP2008532419A (en) | Secure software communication method and system | |
| CN109417545A (en) | For downloading the technology of network insertion profile | |
| WO2019051839A1 (en) | Data processing method and device | |
| US20190140834A1 (en) | Advanced Crypto Token Authentication | |
| US9882899B2 (en) | Remotely authenticating a device | |
| Riad et al. | A blockchain-based key-revocation access control for open banking | |
| CN116896463A (en) | Trusted environment authentication method and device based on blockchain | |
| CN113641986B (en) | Method and system for realizing alliance chain user private key hosting based on SoftHSM | |
| KR20240045162A (en) | Secure root of trust registration and identity management for embedded devices | |
| CN111046441B (en) | Management method, equipment and medium for encrypted hard disk key | |
| KR20230137422A (en) | Trusted Computing for Digital Devices | |
| JP2017079419A (en) | Server authentication system, terminal, server, server authentication method, program | |
| RU2720320C1 (en) | Method for trusted storage on a smart card of a list of revoked certificates (crl) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |