CN114462015A - Block chain based distributed bidirectional authentication method, device and storage medium - Google Patents


Info

Publication number: CN114462015A
Authority: CN (China)
Prior art keywords: authentication, authenticated, information, intelligent contract, identity
Legal status: Pending
Application number: CN202210114556.8A
Other languages: Chinese (zh)
Inventors: 林祥兴, 艾本仁, 杜聚龙
Current assignee: Shujie Shenzhen Technology Co ltd
Original assignee: Shujie Shenzhen Technology Co ltd
Application filed by Shujie Shenzhen Technology Co ltd; priority to CN202210114556.8A; published as CN114462015A.

Classifications

    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F 21/31 User authentication
            • G06F 21/44 Program or device authentication > G06F 21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
        • G06F 21/60 Protecting data
            • G06F 21/604 Tools and structures for managing or administering access control systems
            • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G Physics > G06 Computing; calculating or counting > G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for administrative, commercial, financial, managerial or supervisory purposes, not otherwise provided for > G06Q 20/00 Payment architectures, schemes or protocols > G06Q 20/38 Payment protocols; details thereof
        • G06Q 20/382 Payment protocols insuring higher security of transaction
            • G06Q 20/3825 Use of electronic signatures
            • G06Q 20/3829 Involving key management
        • G06Q 20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers, e.g. check credit lines or negative lists > G06Q 20/401 Transaction verification
            • G06Q 20/4014 Identity check for transactions

Abstract

The application provides a distributed bidirectional authentication method, device and storage medium based on a blockchain. The method comprises the following steps: the authenticated device requests access to the controlled resource; the authenticated device performs bidirectional authentication with the authentication device through a smart contract in the blockchain; after the bidirectional authentication is passed, the authenticated device accesses the controlled resource through the controller device, and bidirectional authentication is performed between the authenticated device and the controller device when the controlled resource is accessed, where the controller device is the device that controls the controlled resource. The method and device can achieve secure access control at low cost through blockchain technology.

Description

Block chain based distributed bidirectional authentication method, device and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a distributed bidirectional authentication method, device and storage medium based on a block chain.
Background
Wide-area multi-point access by small and micro enterprises, wide-area cross-network multi-point access by household devices, and even wide-area access by enterprise-level devices generally involve heterogeneous networks and a large amount of cross-domain access. A single enterprise or household cannot use an existing access authentication system to cover all of these access authentications, or the cost of deploying one is too high. This is especially true in the era of the Internet of Things: IoT sensors also involve privacy and safety and need bidirectional access authentication with strong security guarantees, but because IoT devices usually have limited performance, a lightweight yet highly secure bidirectional access authentication method is urgently needed. At present, bidirectional authentication in the related art is mostly based on the CA system of electronic certificates, which is not flexible enough and is too costly for users.
Disclosure of Invention
The application provides a distributed bidirectional authentication method, device and storage medium based on a blockchain, which can achieve secure access control at low cost through blockchain technology.
In one aspect, the present application provides a distributed bidirectional authentication method based on a block chain, including:
the authenticated device requests access to the controlled resource;
the authenticated device performs bidirectional authentication with the authentication device through a smart contract in the blockchain;
after the bidirectional authentication is passed, the authenticated device accesses the controlled resource through the controller device, and bidirectional authentication is performed between the authenticated device and the controller device when the controlled resource is accessed; wherein the controller device is a device for controlling the controlled resource.
On the other hand, the application also provides a distributed bidirectional authentication method based on a blockchain, which comprises the following steps: after the authentication device is triggered by the smart contract in the blockchain, it performs bidirectional authentication through the smart contract with the authenticated device that requests access to the controlled resource and with the controller device associated with the requested controlled resource, respectively;
after the authentication device passes mutual authentication with the authenticated device and with the controller device, the authentication device sends an authentication result to the authenticated device and the controller device through the smart contract, or sends the authentication result to them directly in the form of a blockchain transaction.
In another aspect, the present application further provides a distributed bidirectional authentication method based on a blockchain, including: after receiving a controlled resource access application message, the controller device initiates an authentication and authorization application to the smart contract according to that message; it receives the authentication result from the smart contract to determine whether to open the security resource, and forwards the authentication result to the authenticated device according to the authenticated device's requirements; or, the controller device receives the authentication result to determine whether to open the secure resource;
when an authenticated device requests access to a controlled resource, and both the bidirectional authentication between the authenticated device and the authentication device and the bidirectional authentication between the controller device and the authentication device have passed, the controller device provides the controlled resource for the authenticated device to access;
the controller device performs mutual authentication with the authenticated device when the authenticated device accesses the resource.
In another aspect, the present application further provides a distributed bidirectional authentication method based on a block chain, including: the intelligent contract receives a request for the authenticated device to access the controlled resource;
the smart contract triggers mutual authentication between the authenticated device and the authenticating device, and mutual authentication of the controller device and the authenticating device, such that the authenticated device accesses the controlled resource controlled by the controller device when all authentications are passed.
In another aspect, the present application further provides an electronic device, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing any of the above methods when executing the program.
In yet another aspect, the present application further provides a computer-readable storage medium storing computer-executable instructions for implementing any one of the methods described above.
Compared with the related technology, the method and device use a smart contract for bidirectional authentication, which ensures access security; by adopting blockchain technology they need no complex entities such as an authentication center, a certificate system or a transmission center; they have the characteristics of high security, low cost and simple deployment; and they are particularly suitable for security authentication in households or small enterprises, or for decentralized multi-point, multi-service access security authentication.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the present application. Other advantages of the application may be realized and attained by the instrumentalities and combinations particularly pointed out in the specification, claims, and drawings.
Drawings
The accompanying drawings are included to provide an understanding of the present disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the examples serve to explain the principles of the disclosure and not to limit the disclosure.
Fig. 1 is a schematic architecture diagram of an access system according to an embodiment of the present application;
fig. 2 is a flowchart of a distributed bidirectional authentication method based on a blockchain according to an embodiment of the present application;
FIG. 3 is a flow chart of authentication scheme A of an embodiment of the present application;
FIG. 4 is a flow chart of authentication scheme B of an embodiment of the present application;
fig. 5 is a flowchart of a distributed bidirectional authentication method based on a block chain according to an embodiment of the present application (operation on the authentication device side);
fig. 6 is a flowchart of a distributed bidirectional authentication method based on a blockchain according to an embodiment of the present application (operation applied to an authenticated device);
FIG. 7 is a diagram of an authentication scheme A of an example of application of the present application;
fig. 8 is a schematic diagram of an authentication scheme B of an application example of the present application.
Detailed Description
The present application describes embodiments, but the description is illustrative rather than limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or instead of any other feature or element in any other embodiment, unless expressly limited otherwise.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The embodiments, features and elements disclosed in this application may also be combined with any conventional features or elements to form a unique inventive concept as defined by the claims. Any feature or element of any embodiment may also be combined with features or elements from other inventive aspects to form yet another unique inventive aspect, as defined by the claims. Thus, it should be understood that any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not limited except as by the appended claims and their equivalents. Furthermore, various modifications and changes may be made within the scope of the appended claims.
Further, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other orders of steps are possible as will be understood by those of ordinary skill in the art. Therefore, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Furthermore, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
In the embodiment of the application, the block chain technology is applied to the access field to ensure the security of end-to-end access. Wherein:
The blockchain's account address and transaction signature mechanism ensure that signed transaction information cannot be repudiated as coming from the unique account address to which the signature belongs. This property is well suited to information exchange among multiple roles during authentication: each role can sign the information it sends to other roles, guaranteeing that the information originates from that role and that its content cannot be altered.
The blockchain's smart contract technique ensures reliable operation on the distributed nodes, and the logic of the smart contract can perform various identification and signature checks. A smart contract can be created using a blockchain account address, which establishes a corresponding relationship between the two; this relationship is tamper-proof and non-repudiable, and an authentication system can use it to create a flexible authentication flow and authentication objects through the smart contract.
The architecture of the access system according to the embodiment of the present application is shown in fig. 1, which includes an authentication device, an authenticated device, a secure resource control point (or referred to as a controller device), and an intelligent contract created by the authentication device through a block chain.
The authentication device is also called an authenticator, the authenticated device is also called an authenticatee or an authenticated object, and the secure resource control point is used for controlling secure resources (or called controlled resources). The authenticator, the secure resource control point and the authenticated device perform mutual authentication through the intelligent contract, so that the authenticated device can access a specified area and use the controlled resource provided by the specified area, wherein the specified area comprises a specified network or a controlled security domain. The controlled security domain refers to a security domain controlled by a secure resource control point.
Bidirectional in this application means that mutual authentication can be performed between the authenticatee and the authenticator, between the authenticatee and the controller device, and between the controller device and the authenticator. The authenticator authenticates the authenticatee, and the authenticatee also authenticates the authenticator; the controller device authenticates the authenticatee, which also authenticates the controller device; the authenticator authenticates the controller device, which also authenticates the authenticator. The method and system complete mutual authentication among these three parties by using the blockchain infrastructure, in particular by the processing and design of the account and transaction attributes and of the smart contract.
The embodiment of the application can be widely applied in any environment that has blockchain facilities and a scenario with an authenticator role, an authenticatee role, controlled resources, and control points that control access to the controlled resources. For example, the method applies to secure multi-point access, such as home device access/multi-home device secure access and enterprise device access/enterprise device remote access, and also to shared network access, such as WiFi shared access.
In the embodiment of the application, the accessed network can be an internet of things, a wireless network and the like.
As shown in fig. 2, a distributed bidirectional authentication method based on a block chain according to an embodiment of the present application includes:
in step 201, the authentication device creates an intelligent contract for the blockchain.
In an exemplary embodiment, the authentication device applies for an account of the blockchain as an account of the authentication device, and creates an intelligent contract of the blockchain through the account of the authentication device. The account number of the authentication device may be referred to as a primary account number.
The key information in the intelligent contract may include: authenticated device data, authentication functions, security resource control point data, and owner information and interactive interface information of the intelligent contract.
The authenticated device data may include authenticated object data including information identifying the authenticated device itself and corresponding rights, such as an account number of the authenticated device, an authentication protocol, a right range, and a device type.
The interactive interface information is a list of interactive methods supported by the object and corresponding interactive addresses, and the methods indicate which interactive semantics are supported by the object; the corresponding address is an interaction address for the method, and may be an address of a blockchain, an intelligent contract address, or a communication protocol and address information of an interaction outside the blockchain, such as an HTTPS protocol and a URL or other remote invocation protocol and address.
The authentication function implements the processing logic of authentication and authorization. It is used to judge or match the access authority of the authenticated device to a given security resource and to provide the correspondingly assigned security resource control point data. Its input parameters may contain (authenticated device information, security resource information, access request operation information, and optional security resource control point information); it outputs the authentication information indicating whether access is allowed or disallowed, each participating authentication role, and optionally the detailed data of the assigned security resource control point; the processing results include the detailed information of the security resources that may be accessed and used. "Optional" here means that the security resource control point information is not necessarily an input parameter and the detailed data of the assigned security resource control point is not necessarily in the output, since in some schemes (such as authentication scheme B below) the security resource control point information may not be provided directly; instead, the assigned security resource control point and the security resource available for access may be looked up by a function.
The security resource control point data comprises the account number, device type, security resource type, detailed security resource information, interactive interface information, and so on, of the security resource control point.
Owner information and interactive interface information: the creator of a smart contract is typically its owner, unless other accounts are set up as the owner in the smart contract. The owner can be a single account or several accounts, and a multi-account joint signature mode can even be set up for exercising the right to modify the smart contract. The owner's interactive interface information identifies the interactive interface to use when certain information needs to be validated by the owner/authentication device, and guides the interaction between the smart contract or another authentication entity and the owner; there may be several such interfaces so that the system can communicate over one or more of them according to business choice or reliability considerations.
Accordingly, the smart contract may optionally include the following interface logic:
Authenticated device data add and delete interface: an interface for adding and deleting authenticated device data. The interface has a security level restriction: only the owner, or an account designated by the owner, is authorized to operate it.
Authentication function interface: there may be several such interfaces; they are smart contract functions that allow calls.
Setting interface for owner information and interactive interface information: used to set the owner information and the interactive interface information. There may be several pieces of interactive interface information so that the system can communicate over one or more interfaces according to service selection or reliability considerations. The setting interface for owner information and interactive interface information is typically only callable by the owner.
Note that: a smart contract on a specific blockchain can not only have an owner but can also be subdivided so that different blockchain accounts are authorized to perform smart contract management roles at different levels. For example, a certain account in addition to the owner's account can be given the right to add or delete authenticatee information. The application does not limit how the smart contract is used, but for ease of description the management roles are logically unified as the owner. Generally the authentication device is the owner's device, so the application does not distinguish between the specific blockchain accounts of the owner and of the authentication device; in practice a suitable account mechanism can simply be chosen without affecting the method described in this application, which keeps the implementation simple and equivalent to the method described here.
Security resource control point data add and delete interface: an interface for adding and deleting security resource control point data. Only the owner or a designated account can invoke the interface.
In this embodiment, after step 201, the method may further include:
the authentication device sets owner information and interactive interface information of the intelligent contract.
The owner's account and the owner's interactive interface information are set through the smart contract's setting interface for owner information and interactive interface information.
The security resource control point device applies for a blockchain account as its account in the smart contract, and the authentication device account and the smart contract account are set in the security resource control point device.
The authentication device adds or modifies the security resource control point data in the smart contract.
This is done through the smart contract's security resource control point data add and delete interface, which is used to add or modify the resource control point and the detailed security resource information.
The authenticated device applies for a block chain account as an account of the authenticated device, the authenticated device account may be called a sub-account, and an authentication device account and a smart contract account are set in the authenticated device.
The authentication device adds authenticated device data, such as authenticated device account information, and the like, to an intelligent contract or an authentication device interaction interface information address, such as a URL address, specified by the intelligent contract, and sets a security resource access authority corresponding to each authenticated device, wherein one or one type of security resource corresponds to one authentication function.
If the authenticated device information is recorded in the smart contract, the authentication device uses its primary account to add the authenticated device data through the authenticated device data add and delete interface, designating the access authority for the specific security resource, the specific authentication function, and optionally the information of the security resource control point to be accessed.
If the authenticated device information is recorded at the authentication device interactive interface address specified by the smart contract, the device data is added at that interactive interface address for the subsequent interaction between the smart contract and the authentication device on this data.
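The following is an added example, not code from the patent or its applicant: a Python model of the smart contract set up in step 201, with the owner-only setting interface, the add and delete interfaces for authenticated device data and security resource control point data, and the authentication function that maps (authenticated device, security resource, operation, optional control point) to an allow/deny result plus the control point data to use. The `Chain` class, the `AuthContract` class, the account addresses, the resource names, the URL `https://auth.example/verify` and the HMAC-based "signature" are all constructed for this example; the HMAC stands in for a real chain's public-key transaction signature, whose only job here is to give the contract a verified sender, as a real chain does.

```python
import hashlib
import hmac
import json


class Chain:
    """Stand-in for the blockchain layer (constructed for this example). A real
    chain verifies each transaction's signature and hands the contract a verified
    sender address; here an HMAC over the call stands in for that signature."""

    def __init__(self):
        self._secrets = {}  # account address -> signing secret (demo only)

    def new_account(self, label):
        secret = hashlib.sha256(b"demo-secret:" + label.encode()).digest()
        addr = "0x" + hashlib.sha256(secret).hexdigest()[:16]
        self._secrets[addr] = secret
        return addr

    def sign(self, addr, method, args):
        payload = json.dumps([method, args], sort_keys=True).encode()
        return hmac.new(self._secrets[addr], payload, "sha256").hexdigest()

    def submit(self, contract, sender, sig, method, *args):
        """Transaction entry point: reject a signature that does not match the
        claimed sender, otherwise invoke the contract with the verified sender."""
        if sender not in self._secrets or not hmac.compare_digest(
                self.sign(sender, method, list(args)), sig):
            raise PermissionError("transaction signature does not match sender")
        return getattr(contract, method)(sender, *args)


class AuthContract:
    """Model of the contract the authentication device (owner) creates: device
    data, control point data, owner info with interfaces, authentication function."""

    def __init__(self, owner):
        self.owner = owner
        self.managers = {owner}      # owner plus accounts the owner designates
        self.owner_interfaces = []   # owner's interactive interfaces
        self.devices = {}            # authenticated device account -> record
        self.control_points = {}     # control point account -> record

    def _require_manager(self, sender):
        if sender not in self.managers:
            raise PermissionError("only the owner or a designated account may do this")

    def set_owner_info(self, sender, managers, interfaces):
        """Owner information / interactive interface setting interface (owner only)."""
        if sender != self.owner:
            raise PermissionError("only the owner may set owner information")
        self.managers = {self.owner, *managers}
        self.owner_interfaces = list(interfaces)

    def add_device(self, sender, account, protocol, rights, device_type, control_point=None):
        """Authenticated device data add interface; rights: resource -> allowed operations."""
        self._require_manager(sender)
        self.devices[account] = {"protocol": protocol, "rights": rights,
                                 "type": device_type, "control_point": control_point}

    def delete_device(self, sender, account):
        self._require_manager(sender)
        self.devices.pop(account, None)

    def add_control_point(self, sender, account, device_type, resources, interfaces):
        """Security resource control point data add interface; resources: name -> details."""
        self._require_manager(sender)
        self.control_points[account] = {"type": device_type, "resources": resources,
                                        "interfaces": interfaces}

    def authenticate(self, device, resource, operation, control_point=None):
        """Authentication function: allow/deny plus the control point data to use."""
        rec = self.devices.get(device)
        if rec is None:
            return {"allowed": False, "reason": "unknown authenticated device"}
        if operation not in rec["rights"].get(resource, []):
            return {"allowed": False, "reason": "operation outside the device's right range"}
        cp = control_point or rec["control_point"]
        if cp is None:  # no control point supplied: look it up by resource (scheme B style)
            cp = next((a for a, c in self.control_points.items() if resource in c["resources"]), None)
        cp_data = self.control_points.get(cp)
        if cp_data is None or resource not in cp_data["resources"]:
            return {"allowed": False, "reason": "no registered control point serves this resource"}
        return {"allowed": True, "device": device, "control_point": cp,
                "resource": cp_data["resources"][resource], "interfaces": cp_data["interfaces"]}


def setup_demo():
    """Constructed setup: the owner registers a WiFi AP as control point and a phone
    as authenticated device; tx() signs and submits a call as a given account."""
    chain = Chain()
    auth = chain.new_account("authentication device")  # primary account / owner
    ap = chain.new_account("wifi access point")        # security resource control point
    phone = chain.new_account("phone")                 # authenticated device / sub-account
    contract = AuthContract(owner=auth)

    def tx(sender, method, *args):
        return chain.submit(contract, sender, chain.sign(sender, method, list(args)), method, *args)

    tx(auth, "set_owner_info", [], [["https", "https://auth.example/verify"]])
    tx(auth, "add_control_point", ap, "wifi-ap", {"home-wifi": {"ssid": "HOME-DEMO"}}, [["blockchain", ap]])
    tx(auth, "add_device", phone, "scheme-A", {"home-wifi": ["connect"]}, "phone", ap)
    return chain, contract, tx, auth, ap, phone


if __name__ == "__main__":
    chain, contract, tx, auth, ap, phone = setup_demo()
    print(contract.authenticate(phone, "home-wifi", "connect"))
    print(contract.authenticate(phone, "home-wifi", "admin"))
```

The point to notice is that every mutating interface is gated on the sender the chain has already verified, so a device that is merely registered cannot widen its own rights, and a call carrying a signature that does not match its claimed account never reaches the contract logic at all.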
Step 202, the authenticated device requests to access the designated area, and the authentication device, the authenticated device and the controller device perform mutual authentication.
Specifically, the authentication device authenticates the authenticated device and the associated controller device through the smart contract; after authentication passes, the authentication device gives a verifiable authentication result, and the authenticated device and the controller device can each perform identity verification and information integrity verification on that result. In this way the authenticated device and the controller device authenticate the authentication device, which completes bidirectional authentication between the authentication device and the authenticated device and between the authentication device and the controller device. The authenticated device then accesses the controlled resource through the controller device, and bidirectional authentication is performed between them during access: the authenticated device verifies the controller device according to the controller device identity information (for example, its blockchain address) included in the authentication result, and the controller device likewise verifies the authenticated device according to the authenticated device information (for example, its blockchain address) in the authentication result.
Step 203, after the bidirectional authentication is passed, the authenticated device accesses the designated area and uses the security resource (i.e. controlled resource) of the designated area.
In step 202, the bidirectional authentication may be performed by using various schemes, and two bidirectional authentication schemes are described below by using two examples, in which a secure resource control point is used as a controller device, and a secure resource of a designated area is used as a controlled resource.
Authentication scheme A: the authenticated device authenticates with the security resource control point acting as the controller device, as shown in fig. 3, in the following steps:
Step 301: the authenticated device sends a controlled resource access application message (a transaction) to the security resource control point, that is, it sends the controlled resource access application to the smart contract indirectly.
The authenticated device may send the controlled resource access application message to the security resource control point as a blockchain transaction over the blockchain network, or over a non-blockchain network (an out-of-band message).
An example of an authenticated party sending the access application over a non-blockchain network is a mobile phone joining WiFi. The phone (the WiFi station) is the authenticated device and the wireless access point (the WiFi AP) is the controller device; the phone sends a network access application message to the AP, and the AP adds its own identity proof and, following the application flow, forwards the message. Because the phone does not send the message over the blockchain network, it is an out-of-band message.
Sending a message "in the form of a blockchain transaction" means that the message conforms to the transaction format of the target blockchain and that the original sender has signed it as a transaction, so that the target blockchain or its smart contract can identify and authenticate the original sender.
The controlled resource access application message carries the identity information and signature information of the authenticated device and the information of the controlled resource (for example an IP address, a URL or a blockchain address that identifies the controlled resource); it may also carry an application serial number. The application serial number is used to track every role involved in an application, the smart contract's processing of it and the messages the smart contract sends for it; all processing belonging to one application is called an application transaction. The serial number also prevents replay attacks and solves the problem, in a distributed environment, of associating information held by different roles with the same application, so that related information is neither left unassociated nor associated inaccurately. For example, when the same access application message is received again: without a serial number, recognising it as a duplicate requires keeping the original message (transaction) or its hash value; with a serial number, keeping the serial number is enough.
More flexible application messages and mechanisms for the same access application, such as modifying or invalidating an application, can also be designed around a repeated serial number. Each application is assigned a unique serial number by the applicant, for example from a strictly monotonically increasing integer sequence starting at 0 with a step of 1. Every role in the subsequent flow, including the smart contract, checks the legality of the serial number: whether its value obeys the serial number rule, and whether the message is a replay of an existing serial number or has been assembled from parts of messages carrying an existing serial number. Because this check is common to every flow, it is assumed to be part of each of the following steps and is not listed separately. The signature information is a signature over the whole access application; it serves both as the integrity protection signature of the controlled resource access application message and as the identity signature of the authenticated device, that is, the identity signature and the integrity protection signature may be combined into one. If the controlled resource access application is issued as a blockchain transaction (note that an out-of-band message may also use the information format of a blockchain transaction without being sent over the blockchain network), and the blockchain account is used as the identity of the authenticated device, then as an optimisation the identity signature and integrity signature may be replaced by the signature of the sender account of the blockchain transaction over that transaction.
From the identity signature and the integrity protection signature, the recipient can determine who produced the message and whether it was tampered with in transit.
Step 302: on receiving the controlled resource access application message, the security resource control point checks whether the application message is legal and, if it is, submits to the smart contract an authentication and authorization application built from the controlled resource access application message.
The authentication and authorization application contains the received controlled resource access application message, the identity information the security resource control point adds for itself, and the security resource control point's signature over the whole authentication and authorization application message; that is, it carries the authenticated device's access application (with its identity signature and information integrity signature) and the security resource control point's identity signature and integrity protection signature over the authentication and authorization application. If the authentication and authorization application is sent as a blockchain transaction and the blockchain account is used as the identity of the security resource control point, the identity signature and integrity signature can be replaced directly by the sender account's signature over the transaction.
Step 303: the smart contract processes the authentication and authorization application. Specifically, its authentication function checks that the sender of the authentication and authorization application message is an allowed control point identity and verifies its signature, extracts the controlled resource access application contained in the message, checks that the original sender of that application is an allowed authenticated party and verifies its signature, then opens the instruction and parameters carried in the controlled resource access application, performs the computation and logic of the authentication function matched in the smart contract, and returns the authentication result to the security resource control point. In blockchain smart contract terminology, a transaction sent to a smart contract for processing by a specified internal function is called a call to that smart contract function: the security resource control point calls the smart contract function, and the caller obtains the return result once the chain has reached consensus on the transaction.
When the smart contract performs identity authentication, control point assignment or resource assignment and the information needed for its computation and decisions is stored at a specified interface address outside the smart contract, the smart contract interacts with that address using the method and address recorded in the corresponding interaction interface information; this is not repeated below.
The smart contract processes the application according to its parameters and the identity of the applicant, following the smart contract's processing flow, and returns an authentication result to the security resource control point. Where required, the smart contract can also interact with the authentication device so that the authentication device verifies and confirms the smart contract's authentication result and protects it with an identity signature and an integrity signature; the authentication result returned by the smart contract then carries the identity information, identity signature and information integrity signature of the authentication device, proving that the authentication device approved it.
The authentication result states whether the access application passed. It may also contain the identity information and authentication result information of the security resource control point, the identity information and authentication result information of the authenticated device, the security resource usage information, the identity and identity signature of the authentication device, and the authentication device's integrity protection signature over the authentication result; as before, the identity signature and integrity protection signature of the authentication device may be combined into one.
Step 304: the security resource control point decides from the authentication result whether to open the security resource, and forwards the authentication result to the authenticated device as the authenticated device requires.
The security resource control point checks that the authentication device's identity is legitimate from the authentication device's identity signature in the authentication result, verifies the authenticity of the authentication result from the authentication device's information integrity signature over it, and verifies the legitimacy of the authenticated device's identity and of its application from the pass/fail indications for each in the authentication result. Only after confirming that the authentication device's identity is legitimate and that the authenticated device's identity and application are legitimate does it decide to open the security resource and forward the authentication result to the authenticated device.
Step 305: the authenticated device authenticates the security resource control point and the authentication device from the authentication result, and accepts the authentication result once that authentication passes.
The authenticated device judges the authenticity of the authentication device's identity, and whether the authentication result has been forged or tampered with, from the identity and signature of the authentication device in the authentication result and the integrity protection signature over the result. It can also judge the identity and legitimacy of the security resource control point from the security resource control point's identity information and authentication result information in the authentication result. During subsequent access to the security resource, the authenticated device and the security control point authenticate each other using their respective identities in the authentication result and the security resource usage information, each proving its identity to the other by sending information carrying its identity signature.
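The five steps of scheme A, played out in code as an added example (this is not code from the patent or from its applicant). It assumes secp256k1 ECDSA in place of whichever transaction signature the target chain uses, derives an address as the first 40 hex digits of SHA-256 over the public key (a real chain has its own rule), keeps a registry of public keys for the allowed identities inside the contract (a real chain recovers the key from the transaction signature), and uses a constructed resource identifier `wifi://office-ap`. The point arithmetic is textbook and not side-channel hardened. The run shows the nested signatures of steps 301 and 302, the contract's two-layer check and serial-number consumption in step 303, the authentication device's combined identity/integrity signature over the result, the checks of steps 304 and 305, and the three failures the design is meant to catch: a result altered in transit, an unregistered control point, and a replayed application.

```python
# Added example (not the patent's code): scheme A, steps 301-305, simulated end to end.
# Assumptions: secp256k1 ECDSA stands in for the chain's transaction signature;
# an "address" is the first 40 hex digits of SHA-256 over the public key.
import hashlib, json, secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition on secp256k1 (None is the point at infinity)
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def canon(obj):  # canonical bytes of a message, used for hashing and signing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _z(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class Account:  # a blockchain account: private key, public key and derived address
    def __init__(self):
        self.d = secrets.randbelow(N - 1) + 1
        self.pub = _mul(self.d, G)
        self.address = hashlib.sha256(canon(self.pub)).hexdigest()[:40]

    def sign(self, body):  # identity signature and integrity signature combined into one
        z = _z(canon(body))
        while True:
            k = secrets.randbelow(N - 1) + 1
            r = _mul(k, G)[0] % N
            s = pow(k, -1, N) * (z + r * self.d) % N
            if r and s: return {"body": body, "signer": self.address, "sig": [r, s]}

def verify(env, registry):
    """Body of env if its signer is a registered identity and the signature checks, else None."""
    pub, (r, s) = registry.get(env["signer"]), env["sig"]
    if pub is None or not (0 < r < N and 0 < s < N): return None
    w = pow(s, -1, N)
    pt = _add(_mul(_z(canon(env["body"])) * w % N, G), _mul(r * w % N, pub))
    return env["body"] if pt and pt[0] % N == r else None

class Contract:
    """Step 303: the smart contract, owned by the authentication device A."""
    def __init__(self, owner):
        self.owner, self.devices, self.points, self.last_serial = owner, {}, {}, {}

    def authenticate(self, aaa_env):
        res = {"passed": False, "control_point": aaa_env["signer"],
               "app_hash": hashlib.sha256(canon(aaa_env)).hexdigest()}  # application pointer
        aaa = verify(aaa_env, {a: pub for a, (pub, _) in self.points.items()})
        if aaa is None or aaa["control_point"] != aaa_env["signer"]:
            res["reason"] = "sender is not an allowed control point, or bad signature"
        else:
            app_env = aaa["application"]
            app = verify(app_env, {a: pub for a, (pub, _) in self.devices.items()})
            res["applicant"] = app_env["signer"]
            if app is None or app["applicant"] != app_env["signer"]:
                res["reason"] = "original sender is not an allowed authenticated device, or bad signature"
            elif app["serial"] != self.last_serial.get(app["applicant"], -1) + 1:
                res["reason"] = "serial number replayed or out of order"
            else:
                self.last_serial[app["applicant"]] = app["serial"]  # consume the serial number
                if app["resource"] == self.devices[app["applicant"]][1] and app["resource"] in self.points[aaa["control_point"]][1]:
                    res.update(passed=True, resource=app["resource"], serial=app["serial"])
                else:
                    res["reason"] = "resource not authorised for this applicant at this control point"
        return self.owner.sign(res)  # A confirms the result and signs it (identity + integrity)

def accept(result_env, authenticator_registry, expected):
    """Steps 304/305: accept only a 'passed' result signed by the known authentication device that names what this device expects."""
    res = verify(result_env, authenticator_registry)
    return bool(res and res["passed"] and all(res.get(k) == v for k, v in expected.items()))

def run_scheme_a():
    A, B, C = Account(), Account(), Account()  # authentication device, authenticated device, control point
    R = "wifi://office-ap"                     # constructed controlled-resource identifier
    contract = Contract(A)
    contract.devices[B.address] = (B.pub, R)   # owner registers the allowed authenticated device
    contract.points[C.address] = (C.pub, {R})  # and the control point with the resource it guards
    a_id = {A.address: A.pub}                  # how B and C know the authentication device
    app = B.sign({"applicant": B.address, "resource": R, "serial": 0})           # step 301
    aaa = C.sign({"application": app, "control_point": C.address})               # step 302
    result = contract.authenticate(aaa)                                           # step 303
    forged = dict(result, body=dict(result["body"], resource="wifi://admin-ap"))  # altered in transit
    rogue = Account().sign({"application": app, "control_point": C.address})     # unregistered control point
    return {
        "c_opens": accept(result, a_id, {"control_point": C.address}),                                      # step 304
        "b_accepts": accept(result, a_id, {"applicant": B.address, "control_point": C.address, "resource": R, "serial": 0}),  # step 305
        "tamper_rejected": not accept(forged, a_id, {"control_point": C.address}),
        "rogue_point_rejected": not contract.authenticate(rogue)["body"]["passed"],
        "replay_rejected": not contract.authenticate(aaa)["body"]["passed"],
    }
```

Calling `run_scheme_a()` returns all five flags as `True`. Two design points carry over to a real deployment: the contract binds the outer signer to the `control_point` field and the inner signer to the `applicant` field, so a registered party cannot wrap someone else's application under a different name; and B checks the serial number in the result against the one it sent, so a stale result for an earlier application is not accepted for the current one.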
Authentication scheme B: the authenticated device and the smart contract authenticate each other directly. This scheme applies when the communication address and/or blockchain address of the security resource control point need not be, or cannot be, known in advance. As shown in fig. 4, it includes the following steps:
Step 401: the authenticated device sends the controlled resource access application message (transaction) directly to the address of the smart contract as a blockchain transaction.
The controlled resource access application message may carry the identity information and signature information of the authenticated device and the information of the controlled resource, and may also carry an application serial number. The signature information is a signature over the whole access application, serving both as the integrity protection signature of the message and as the identity signature of the authenticated device; the two may be combined into one. Because the message is sent to the smart contract as a blockchain transaction, the two signatures can be replaced by the original sender's (the authenticated device account's) signature over the entire transaction, and the blockchain itself then verifies the sender's identity and the integrity of the transaction.
Step 402: the authentication function in the smart contract judges the legality of the controlled resource access application message; if it is legal, it performs authentication and authorization, notifies the authentication result to the security resource control point, and returns the authentication result to the authenticated device.
The smart contract matches the application against the security resources, authentication level processing flows and configuration data held in the contract, notifies the result to the security resource control point and returns it to the authenticated device. Where required, the smart contract can also interact with the authentication device so that it verifies and confirms the result and protects it with an identity signature and an integrity signature; the returned result then carries the identity information, identity signature and information integrity signature of the authentication device, proving that the authentication device approved it.
The authentication result includes the identity information and authentication result information of the assigned security resource control point, the identity information and authentication result information of the authenticated device, the usage information of the assigned security resource, the identity and identity signature of the authentication device, and the authentication device's integrity protection signature over the authentication result; the identity signature and integrity protection signature may be combined into one.
Step 403: the security resource control point decides from the authentication result whether to open the security resource.
The assigned security resource control point judges the identity and application legitimacy of the authenticated device from the authentication result and decides whether to open the security resource. It can further judge the authenticity of the authentication device's identity from the authentication device identity and signature in the result, and the authenticity of the result itself from the authentication device's information integrity signature over it. This guards against an unreliable smart contract result caused by malicious behaviour of some nodes on the blockchain: because the authentication device has verified the result and signed it for integrity, nobody else, the smart contract included, can alter it without detection.
Step 404: the authenticated device authenticates the authentication device and the security resource control point from the authentication result. Specifically, it judges the authenticity of the authentication device's identity, and whether the result has been forged or tampered with, from the authentication device's identity signature and integrity protection signature in the result; it can also judge the identity and legitimacy of the security resource control point from the control point's identity information and authentication result information in the result. Once this passes, it accepts the authentication result.
Step 405: the authenticated device and the security resource control point authenticate each other. Specifically, the authenticated device sends a controlled resource use application to the security resource control point according to the security resource usage information and the security resource control point information in the authentication result: using its own identity from the authentication result, it addresses the use application (message) for the assigned security resource to the security resource control point named in the result and signs the message. The security resource control point replies, using its identity information from the authentication result, with a signed message containing further usage instructions and similar information. Each side checks the other's signature against the identity recorded in the authentication result; the security resource control point also compares the use application against the controlled resource information in the authentication result, and allows the authenticated device to access or use the controlled resource only if both checks match.
As an optimisation of an authentication scheme (A, B or another), if the authenticated device, the authentication device and the security resource control point all run in a trusted smart contract execution environment, that is, all of them are confident that the called smart contract address and the results of calling its functions (return values, data generated inside the contract, notification messages and so on) are trustworthy and cannot be altered by a node cut off from chain consensus or by a malicious or faulty node executing the contract (altering a call result is the behaviour of a consensus-isolated node or a malicious node), then the authentication device can authorise the smart contract to issue the authentication result for identity authentication and the access application by itself, without the authentication device judging and signing the result of each application. The authenticated device and the security resource control point then each act on the authentication result given by the smart contract. The trade-off is that in the other schemes the authentication device's signature is what lets the receiving devices detect a result altered by a faulty or malicious contract node, so dropping it is only sound where that execution environment is genuinely trusted.
In an exemplary embodiment, the method further includes:
The authentication device deletes the account information of the authenticated device from the smart contract.
The account and related information of the authentication object can be deleted from the smart contract through the authenticated device data add/delete interface, after which the authenticated device can no longer join the network.
The embodiment applies blockchain addresses and digital signatures to the bidirectional authentication performed when an authenticated device accesses a controlled resource: the authentication device can decide whether the authenticated device, the controller device and the access application are allowed; the authenticated device can decide whether the authentication device and the controller device are legitimate; and the controller device can decide whether the authentication device, the authenticated device and the access to the resource are allowed. Using the characteristics of the blockchain and smart contracts gives blockchain applications a programmable operation flow and makes new features easy to develop. In particular, each blockchain address can serve as the access control core of a single network, at low cost and without building entities such as a certificate authority, a certificate system or a transfer centre. An authentication system built around account addresses is better suited to scattered, small or household end-to-end security authentication with high security requirements.
As shown in fig. 5, in the blockchain-based distributed bidirectional authentication method of the embodiment, the operations on the authentication device side include:
Step 501: the authentication device receives a smart contract notification asking it to verify and confirm an authentication result. The notification may be delivered by a blockchain event, a transaction notification, or a communication channel outside the blockchain (the interaction method and concrete communication mode supported can be stated in the authentication device interaction interface information in the smart contract). The authentication device then runs the bidirectional authentication procedure, through the smart contract, for the devices and the application involved in the controlled resource access: the authenticated device requesting access, the security resource control point designated by the authenticated device or matched by the smart contract, and the controlled resource access authority requested by the authenticated device;
Step 502: once the authentication device has authenticated the devices and the application, it may send the authentication result to the blockchain accounts of the other devices involved, either directly as a blockchain transaction or through the smart contract. The authentication result is signed with the authentication device's account for identity and information integrity protection, proving that the authentication device issued the result and that it was not altered in transit.
Step 501 may be preceded by: the authentication device creates the smart contract on the blockchain.
In an exemplary embodiment, the authentication device applies for a blockchain account and creates the smart contract through that account. The account of the authentication device may be called the primary account.
The smart contract may contain: authenticated device data, authentication functions, security resource control point data, and owner/authentication device information together with interaction interface information.
Accordingly, the smart contract may optionally provide the following interface logic:
an authenticated device data add/delete interface, an authentication function interface, an interface for setting owner/authentication device information and interaction interface information, and a security resource control point data add/delete interface.
In an exemplary embodiment, before step 501 the method further includes:
The authentication device sets the owner/authentication device information and the interaction interface information of the smart contract.
The owner account is set through the interface of the smart contract (smart contract technology usually provides an owner function for setting the owner of a contract), and the owner/authentication device interaction interface information is set in the same way.
The authentication device adds or modifies the security resource control point data in the smart contract, including the detailed information of the security resources.
The resource control point information may be added or modified through the interface of the smart contract.
The authentication device adds the account information of the authenticated devices and sets the security resource access authority and the authentication function corresponding to each authenticated device account or each class of accounts.
Using the primary account, the authentication device adds the account and related information of an authenticated device to the smart contract through the authenticated device data add/delete interface, specifies its security resource access authority and its authentication function, and optionally specifies access control point information.
In step 501, when the authenticated device requests access to the controlled resource, the smart contract triggers the authentication device to run bidirectional authentication for the related devices and the application: the authenticated device requesting access, the security resource control point designated by the authenticated device or matched by the smart contract, and the controlled resource access authority requested by the authenticated device are all authenticated through the smart contract. In step 502, once the authentication device has authenticated the devices and the application, it may send the corresponding authentication result directly, as a blockchain transaction, to the blockchain accounts of the other devices involved; or it may send an authentication result message to the smart contract, which triggers the contract flow that sends the result to those devices; or it may authorise the smart contract to send the result to them according to the contract function flow. The authentication result indicates the identity information and legitimacy of the devices taking part in the authentication and whether the authenticated device is allowed to enter the specified area and access the controlled resource; the controlled resource may be a security resource in the specified area, and the specified area may be a specified network or a controlled security domain.
Steps 501 and 502 show the interaction between the authentication device and the smart contract: the authenticated device and the security resource control point are mutually authenticated through the smart contract, and once bidirectional authentication passes, the security resource control point allows the authenticated device to access the controlled resource.
How a blockchain smart contract and an account interact depends on the blockchain technology in use, but in general: an account notifies or calls a contract by sending it a smart contract transaction; a contract notifies an account either by sending a transaction to it directly, by emitting events on state variable changes (blockchain smart contract platforms generally provide an event mechanism that a state variable change can trigger), or by setting a specific state variable that the counterpart account monitors to learn of the change. An example of monitoring variable changes in this application uses four variables in the smart contract: an authentication state variable, an authentication result information variable, an interface variable and an application pointer variable.
For a new access application that requires the authenticator's confirmation after the contract's own authentication passes, the contract sets the authentication state variable to "contract authentication passed, authenticator must confirm and sign the access application result information"; sets the authentication result information variable to the original authentication and authorization application as received together with the detailed security resource information assigned to it; sets the application pointer variable to the hash value of the original access application message (the hash of the blockchain transaction carrying the authentication and authorization application); and sets the interface variable to the designated authenticator interaction interface information together with a pointer to the corresponding authentication result information variable. The authenticator monitors the interface variable and the authentication state variable that concern it on the smart contract and decides whether it needs to act on a new access application. If so, it checks that the identities of the authenticated party B and the security resource control point C, and the address of contract a, are correct. Having confirmed the authentication result, authenticator A sends a transaction to contract a that changes the authentication state variable to "authentication passed", appends A's identity information and pass information to the authentication result information variable, signs the entire contents of the authentication result information variable, and replaces the previous contents with the signed information.
(This transaction triggers the smart contract to send the authentication result on to the other devices involved in the authentication.)
It should be understood that there are many ways of interacting with a smart contract, determined by the smart contract technology and interface design of the particular blockchain; the above shows only one possible implementation. The same applies to the interactions with the smart contract and the return of messages to other roles described below, which are not repeated.
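The contract-side flow of scheme B (steps 401 and 402), the owner-only add/delete interfaces, and the state-variable notification mechanism just described, as an added example that is not code from the patent or its applicant. It assumes, as the page notes for blockchain transactions, that the chain has already verified the transaction signature, so the contract trusts `sender` the way a Solidity contract trusts `msg.sender`; the state names, the event tuples, the shape of the `tx` dict, the `0x..` account strings and the opaque `signature` value the authenticator supplies after signing off-chain are all illustrative.

```python
# Added example (not the patent's code): contract-side flow of scheme B plus the
# owner-only add/delete interfaces and the four state variables described above.
# Assumption: the chain has already verified the transaction signature, so
# `sender` is trusted the way a Solidity contract trusts msg.sender.
import hashlib
import json

IDLE, NEEDS_CONFIRM, PASSED, REJECTED = "idle", "contract-passed-needs-authenticator", "passed", "rejected"


class AuthContract:
    def __init__(self, owner):
        self.owner = owner                  # primary account of the authentication device
        self.devices = {}                   # authenticated account -> {"resource", "point"}
        self.points = {}                    # control point account -> set of resources it guards
        self.last_serial = {}               # applicant account -> last accepted serial number
        self.interface = {"authenticator": owner, "channel": "event"}   # interaction interface info
        # state variables the authenticator monitors (one slot each, as in the page's example)
        self.auth_state, self.auth_result, self.app_pointer = IDLE, None, None
        self.events = []                    # (kind, target account, payload) seen by listeners

    def _owner_only(self, sender):
        if sender != self.owner:
            raise PermissionError("only the primary account may call this interface")

    # data add/delete interfaces, callable only by the owner (primary account)
    def add_point(self, sender, account, resources):
        self._owner_only(sender)
        self.points[account] = set(resources)

    def add_device(self, sender, account, resource, point):
        self._owner_only(sender)
        if resource not in self.points.get(point, ()):
            raise ValueError("that control point does not guard this resource")
        self.devices[account] = {"resource": resource, "point": point}

    def delete_device(self, sender, account):
        self._owner_only(sender)
        self.devices.pop(account, None)     # a deleted device can no longer obtain access

    def _reject(self, sender, reason):
        self.events.append(("rejected", sender, reason))
        return None

    # authentication function: steps 401/402, called directly by the authenticated device
    def apply(self, sender, tx):
        dev = self.devices.get(sender)
        if dev is None:
            return self._reject(sender, "sender is not an allowed authenticated device")
        if tx["serial"] != self.last_serial.get(sender, -1) + 1:
            return self._reject(sender, "serial number replayed or out of order")
        self.last_serial[sender] = tx["serial"]       # consume the serial number
        if tx["resource"] != dev["resource"]:
            return self._reject(sender, "resource not authorised for this applicant")
        # contract-level authentication passed: publish the state the authenticator must confirm
        self.app_pointer = hashlib.sha256(json.dumps({"from": sender, **tx}, sort_keys=True).encode()).hexdigest()
        self.auth_result = {"applicant": sender, "control_point": dev["point"], "resource": tx["resource"],
                            "serial": tx["serial"], "contract_passed": True}
        self.auth_state = NEEDS_CONFIRM
        self.events.append(("needs_confirm", self.owner, self.app_pointer))
        return self.app_pointer

    # step 502: the authenticator confirms; the contract appends its identity and signature and forwards
    def confirm(self, sender, app_pointer, passed, signature):
        self._owner_only(sender)
        if self.auth_state != NEEDS_CONFIRM or app_pointer != self.app_pointer:
            raise ValueError("no application awaiting confirmation under that pointer")
        self.auth_result.update(passed=passed, authenticator=sender, signature=signature)
        self.auth_state = PASSED if passed else REJECTED
        for target in (self.auth_result["applicant"], self.auth_result["control_point"]):
            self.events.append(("result", target, dict(self.auth_result)))
        return self.auth_state


def walkthrough():
    """Registers B and C, runs one application through confirmation, then removes B."""
    A, B, C, R = "0xA", "0xB", "0xC", "wifi://office-ap"     # constructed accounts and resource
    c = AuthContract(A)
    c.add_point(A, C, [R])
    c.add_device(A, B, R, C)
    ptr = c.apply(B, {"serial": 0, "resource": R})
    replay = c.apply(B, {"serial": 0, "resource": R})        # rejected: serial already consumed
    state = c.confirm(A, ptr, True, "A's off-chain signature over auth_result")
    c.delete_device(A, B)
    after_delete = c.apply(B, {"serial": 1, "resource": R})  # rejected: account removed
    return {"state": state, "replay": replay, "after_delete": after_delete,
            "notified": [e[1] for e in c.events if e[0] == "result"]}
```

A single slot for each state variable, as in the page's example, means a second application arriving before the authenticator confirms the first would overwrite it; a production contract keys the result and state by the application pointer instead. The serial number is consumed as soon as the sender and sequence checks pass, before the resource check, so a rejected application cannot be re-submitted under the same number.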
In an exemplary embodiment, the method further comprises:
and the authentication equipment deletes the information of the account number of the authenticated equipment in the intelligent contract.
The information such as the account number of the authentication object can be deleted in the intelligent contract through the data adding and deleting interface of the authenticated device, so that the authenticated device cannot access the specified area.
In an exemplary embodiment, a distributed bidirectional authentication method based on a blockchain includes:
after being triggered by the intelligent contract in the block chain, the authentication device performs bidirectional authentication through the intelligent contract with, respectively, the authenticated device requesting access to the controlled resource and the controller device associated with the controlled resource requested;
after the mutual authentication between the authentication equipment and the authenticated equipment passes, the authentication result is sent to the authenticated equipment, either directly or through the intelligent contract, in the form of a block chain transaction, according to the information on the authenticated equipment or its interactive interface information recorded in the intelligent contract; and after the bidirectional authentication with the controller equipment passes, the authentication result is sent to the controller equipment, either directly or through the intelligent contract, in the form of a block chain transaction, according to the information on the controller equipment or its interactive interface information recorded in the intelligent contract.
In an exemplary embodiment, said sending the authentication result directly or via the smart contract to the authenticated device and the controller device in the form of a blockchain transaction comprises:
the authentication device generates an authentication result indicating whether the application of the authenticated device passes, wherein the authentication result carries the identity information and identity authentication information of the authenticated device and the controller device, the access authorization pass of the authenticated device, the access information and authorization information of the controlled resource, and the identity information and signature information of the authentication device; the signature information is an integrity protection signature of the authentication device over the authentication result and/or identity signature information of the authentication device; the authentication result is sent to the authenticated device and the controller device directly or through the intelligent contract in the form of a blockchain transaction;
or, the authentication device authorizes the intelligent contract to generate the authentication result and send it to the authenticated device and the controller device, wherein the authentication result carries the identity information and identity authentication information of the authenticated device and the controller device, the access authorization pass of the authenticated device, and the access information and authorization information of the controlled resource.
As shown in fig. 6, in the distributed bidirectional authentication method based on a block chain according to the embodiment of the present application, the operation of an authenticated device includes:
601. the authenticated device requests access to the controlled resource;
602. the authenticated equipment carries out bidirectional authentication with the authentication equipment through an intelligent contract in the block chain;
603. after the bidirectional authentication is passed, the authenticated device accesses the controlled resource through the controller device, and bidirectional authentication is performed between the authenticated device and the controller device when the controlled resource is accessed; wherein the controller device is a device for controlling the controlled resource.
In step 601, the authenticated device may directly or indirectly send a controlled resource access application message to the smart contract; accordingly, in step 602, the mutual authentication may be performed by various schemes, such as:
authentication scheme A: the authenticated equipment interacts with the security resource control point for authentication, see fig. 3;
authentication scheme B: the authenticated device interacts with the smart contract for authentication, which applies where the address information of the controller device need not be, or cannot be, known, see fig. 4.
If the controlled resource is a security resource in a designated area and the controller device is a security resource control point, the authenticated device is allowed to use the security resource controlled by the security resource control point when the bidirectional authentication passes.
In one exemplary embodiment, the request for access to the controlled resource by the authenticated device may include:
the authenticated device carries the controlled resource access application message in a block chain transaction, in a direct mode (the mode of authentication scheme B) or an indirect mode (the mode of authentication scheme A), and sends it to the address of the intelligent contract, wherein the controlled resource access application message carries information on the controlled resource, identity information of the authenticated device and signature information of the authenticated device; the signature information is an integrity protection signature over the application message and can also serve as the identity signature of the authenticated device.
In an exemplary embodiment, the sending, by the authenticated device, the controlled resource access application message to the address of the smart contract in a direct manner in the form of a blockchain transaction may include:
the authenticated equipment carries the controlled resource access application message in a block chain transaction and sends it directly to the address of the intelligent contract.
In an exemplary embodiment, the sending, by the authenticated device, the controlled resource access application message to the address of the smart contract in an indirect manner in the form of a blockchain transaction may include:
the authenticated equipment carries the controlled resource access application message in a block chain transaction and sends it to the address of the intelligent contract through the controller equipment.
In an exemplary embodiment, the bidirectional authentication between the authenticated device and the authentication device through the intelligent contract in the blockchain may include:
the authenticated device obtains an authentication result through the intelligent contract; the authentication result indicates whether the authentication device has passed the authentication of the authenticated device and its access application, together with the detailed information, and carries the identity information and identity authentication information of the authenticated device and the controller device, the access authorization of the authenticated device, the access information and authorization information of the controlled resource, and the signature information of the authentication device; the signature information is an integrity protection signature of the authentication device over the authentication result and can also serve as identity signature information of the authentication device;
the authenticated equipment authenticates the identity of the authentication equipment according to the identity signature information of the authentication equipment.
In another exemplary embodiment, when the authenticated device and/or the controller device obtain the authentication result in a trusted intelligent contract operating environment and can confirm that the address of the invoked intelligent contract is trusted, the authentication result may be generated by the intelligent contract under the authorization of the authentication device, where the authentication result carries the identity information and identity authentication information of the authenticated device and the controller device, the access authorization pass of the authenticated device, and the access information and authorization information of the controlled resource. That is, the authentication device need not sign the authentication result.
In an exemplary embodiment, the authenticated device accessing the controlled resource through the controller device, with mutual authentication between the authenticated device and the controller device when the controlled resource is accessed, includes:
the authenticated equipment accesses the controlled resource through the controller equipment according to the access information of the controlled resource in the authentication result;
if the authenticated equipment used the direct mode when sending the controlled resource access application message, the authenticated equipment and the controller equipment perform bidirectional authentication with each other according to the identity information in the authentication result message when the controlled resource is accessed;
if the authenticated device used the indirect mode, sending out of band, when sending the controlled resource access application message, the authenticated device sends the controlled resource access application message to the controller device through a secure channel; that channel can be used for the controlled resource access authentication, so that once the authenticated device and the controller device have obtained the authentication result message, the bidirectional authentication between them is complete. If this requirement is not met, bidirectional authentication can be performed according to the identity information in the authentication result message when the controlled resource is subsequently accessed.
When the authenticated device uses the indirect mode to send the controlled resource access application message, and the authenticated device B and the controller device C initiate the authentication process through a secure channel, the authentication result carries the identity signatures and message integrity signatures of the messages sent by B and C, together with the identity authentication information issued by the authentication device A for B and C. Half of the bidirectional authentication between B and C can therefore be regarded as complete: the identity of C is attested as C in the authentication result. If, when forwarding the authentication result, C signs and integrity-protects the message with the identity that the authentication result assigns to C, B can authenticate C by comparing that signature with C's identity information in the authentication result, which completes the bidirectional authentication between B and C. In other words, in the indirect mode, bidirectional authentication can be achieved merely by obtaining the authentication result only where a reliable secure channel exists; in all other cases, because the message has been forwarded by a third party that cannot be identified, the device and the identity cannot be bound, and B and C must perform bidirectional authentication separately.
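The checks described in this passage, and the authenticated device's verification of A's identity signature described above, written out as an added example (not code from the patent or its assignee): A issues an Ed25519-signed authentication result; B and C each verify it against A's identity preset in them and against their own application pointer; then B and C authenticate each other with a nonce signed under the identity the result binds to each of them. The field layout, the byte encoding, the Ed25519 choice and the nonce exchange are assumptions, since the page fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthResult carries the fields the text lists; layout and byte encoding are assumed.
type AuthResult struct {
	Pass       bool              // authentication state and access authorization pass
	AppPointer [32]byte          // hash of B's original access application
	BIdentity  ed25519.PublicKey // identity information of the authenticated device
	CIdentity  ed25519.PublicKey // identity information of the controller device
	Resource   string            // access information of the controlled resource
	AIdentity  ed25519.PublicKey // identity information of the authentication device
	ASignature []byte            // A's integrity signature, also used as A's identity signature
}

// signedBytes length-prefixes each field so a forger cannot re-split the signed data.
func (r AuthResult) signedBytes() []byte {
	var b bytes.Buffer
	put := func(f []byte) { b.WriteByte(byte(len(f))); b.Write(f) }
	flag := byte(0)
	if r.Pass {
		flag = 1
	}
	for _, f := range [][]byte{{flag}, r.AppPointer[:], r.BIdentity, r.CIdentity, []byte(r.Resource), r.AIdentity} {
		put(f)
	}
	return b.Bytes()
}

// Issue is the authentication device A filling in its identity and signing the result.
func Issue(aPriv ed25519.PrivateKey, r AuthResult) AuthResult {
	r.AIdentity = aPriv.Public().(ed25519.PublicKey)
	r.ASignature = ed25519.Sign(aPriv, r.signedBytes())
	return r
}

// VerifyResult is B's (or C's, with its own identity) half of the mutual authentication with A:
// the result must come from the preset A, be unmodified, answer this device's application and name it.
func VerifyResult(presetA, self ed25519.PublicKey, myApp [32]byte, r AuthResult) error {
	switch {
	case !bytes.Equal(r.AIdentity, presetA):
		return errors.New("result not issued by the configured authentication device")
	case !ed25519.Verify(presetA, r.signedBytes(), r.ASignature):
		return errors.New("result signature invalid: forged or modified in transit")
	case r.AppPointer != myApp:
		return errors.New("result does not answer this device's own application")
	case !bytes.Equal(r.BIdentity, self) && !bytes.Equal(r.CIdentity, self):
		return errors.New("result names this device neither as B nor as C")
	case !r.Pass:
		return errors.New("authentication did not pass")
	}
	return nil
}

// Prove and Check are the later B<->C step: each side signs the peer's nonce with the key that
// the signed result binds to its identity, and the peer checks against that identity only.
func Prove(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte("resource-access:"), nonce...))
}
func Check(identityFromResult ed25519.PublicKey, nonce, proof []byte) bool {
	return ed25519.Verify(identityFromResult, append([]byte("resource-access:"), nonce...), proof)
}

// Scenario runs the full chain with constructed keys; forgeA substitutes an impostor for A.
func Scenario(forgeA bool) error {
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	signer := aPriv
	if forgeA {
		_, signer, _ = ed25519.GenerateKey(rand.Reader)
	}
	app := sha256.Sum256([]byte("B requests door-1")) // constructed pointer to B's original application
	res := Issue(signer, AuthResult{Pass: true, AppPointer: app, BIdentity: bPub, CIdentity: cPub, Resource: "door-1"})
	if err := VerifyResult(aPub, bPub, app, res); err != nil { // B authenticates A and the result
		return fmt.Errorf("B: %w", err)
	}
	if err := VerifyResult(aPub, cPub, app, res); err != nil { // C does the same
		return fmt.Errorf("C: %w", err)
	}
	nonceB, nonceC := []byte("nonce-chosen-by-B"), []byte("nonce-chosen-by-C")
	if !Check(res.CIdentity, nonceB, Prove(cPriv, nonceB)) { // B authenticates C at access time
		return errors.New("B could not authenticate C")
	}
	if !Check(res.BIdentity, nonceC, Prove(bPriv, nonceC)) { // C authenticates B
		return errors.New("C could not authenticate B")
	}
	return nil
}

func main() { fmt.Println("genuine:", Scenario(false), "forged A:", Scenario(true)) }
```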
The distributed bidirectional authentication method based on the block chain in the embodiment of the application is applied to controller equipment and comprises the following steps:
after receiving the controlled resource access application message, the controller device initiates an authentication and authorization application to the intelligent contract according to that message; it receives the authentication result from the intelligent contract to determine whether to open the security resource, and forwards the authentication result to the authenticated device if the authenticated device requires it (that is, forwarding the authentication result to the authenticated device is optional); or, the controller device receives the authentication result and determines whether to open the secure resource. Specifically, there are two modes, indirect and direct:
in the indirect mode, namely authentication scheme A, after receiving the controlled resource access application message, the security resource control point initiates an authentication and authorization application to the intelligent contract according to that message; when the authentication result from the intelligent contract is received, it determines whether to open the security resource and forwards the authentication result to the authenticated equipment if the authenticated equipment requires it;
in the direct mode, namely authentication scheme B, the security resource control point receives the authentication result and determines whether to open the security resource;
when an authenticated device requests access to a controlled resource, and both the bidirectional authentication between the authenticated device and the authentication device and that between the controller device and the authentication device pass, the controller device provides the controlled resource for the authenticated device to access;
the controller device performs mutual authentication with the authenticated device upon access by the authenticated device.
The distributed bidirectional authentication method based on the block chain in the embodiment of the application is applied to an intelligent contract and comprises the following steps:
the intelligent contract receives a request for the authenticated device to access the controlled resource;
the smart contract triggers mutual authentication between the authenticated device and the authenticating device, and mutual authentication of the controller device and the authenticating device, such that the authenticated device accesses the controlled resource controlled by the controller device when all authentications are passed.
The triggering may be a direct notification, such as sending a transaction or an event, or a change to a predetermined state variable: the authentication device monitors the state variable, and when it finds a change to the preset state, the triggered authentication device and the authenticated device perform mutual authentication. The specific triggering method depends on the blockchain technology used and is not limited by this application.
In one exemplary embodiment, the intelligent contract receiving a request for access to a controlled resource by an authenticated device includes:
the intelligent contract receives a controlled resource access application message sent to its address by the authenticated device, in a direct mode or an indirect mode, in the form of a block chain transaction, wherein the controlled resource access application message carries the identity information and signature information of the authenticated device and information on the controlled resource; the signature information is an integrity protection signature over the application message and/or an identity signature of the authenticated device.
In an exemplary embodiment, the receiving, by the intelligent contract, of a controlled resource access application message sent by the authenticated device to the address of the intelligent contract in a direct manner in the form of a blockchain transaction comprises:
the intelligent contract receives the controlled resource access application message which is directly sent to the address of the intelligent contract by the authenticated device in the form of blockchain transaction.
In an exemplary embodiment, the receiving, by the intelligent contract, a controlled resource access application message sent by the authenticated device to an address of the intelligent contract in an indirect manner in the form of a blockchain transaction includes:
the intelligent contract receives a controlled resource access application message which is sent to the address of the intelligent contract by the authenticated device through the controller device in the form of blockchain transaction.
In an exemplary embodiment, the triggering of mutual authentication between an authenticated device and an authentication device, and the triggering of mutual authentication between a controller device and the authentication device, includes:
sending an authentication application of the authenticated device and an authorization application of the controlled resource to the authentication device through a form of blockchain transaction or other blockchain interaction methods (e.g., changing state variables, sending blockchain events, etc.);
sending the identity authentication of the controller device related to the application to the authentication device through a blockchain transaction form or other blockchain interaction methods;
when the authentication result is received, sending it to the authenticated device directly or indirectly in the form of a blockchain transaction, or by other blockchain interaction methods, wherein the authentication result carries the access authorization pass of the authenticated device, the access information of the controlled resource, the identity information and identity authentication result of the controller device, the identity information of the authentication device and the signature over the authentication result information, the signature also serving as the identity signature information of the authentication device, so that the authenticated device determines the authentication result and authenticates the authentication device and the controller device; and
sending the authentication result to the controller device in the form of a block chain transaction or by other block chain interaction methods, wherein the authentication result carries the identity information and identity authentication result of the authenticated device and its access authorization pass, the access information of the controlled resource, the identity information and identity authentication result of the controller device, the identity information of the authentication device and the signature over the authentication result information, the signature also serving as the identity signature information of the authentication device, so that the controller device determines the access information and authenticates the authentication device and the authenticated device.
To sum up, the embodiment of the application has high security, low cost and simple deployment, and is particularly suitable for security authentication in homes or small enterprises, or for access security authentication of scattered multi-point, multi-service deployments, such as unified access authentication of multi-household internet of things devices, enterprise remote access authentication, security resource use authentication and shared WiFi access authentication. The method and device make use of the high availability of block chain intelligent contracts, so that reliable operation is achieved even if some nodes fail. The rich logic processing of block chain intelligent contracts supports the development of rich and diverse AAA (Authentication, Authorization, Accounting) processes.
The above embodiments are explained below by way of application examples.
I) Initialization process:
1) Generate a block chain account according to the requirements of the block chain. For convenience this account is referred to as the primary account.
The account is used to create an intelligent contract on the blockchain. The contract optionally contains the following interface logic:
a. Authenticated device data add/delete interface, also called the authenticated object data add/delete interface: an interface for adding and deleting the data of authenticated devices. The authenticated device data contains information identifying the device itself and its corresponding rights, such as the authenticated device account, the authentication protocol, the authority range, the device type, and the like. The interface has a security level restriction: the operation is authorized only for the primary account or an account designated by the primary account.
b. Authentication function: a function that judges or matches the access level of a given account or device to a given security resource. Its input parameters are (authenticated object information, security resource information, access request operation information, optional security resource control point information), and its outputs are the authentication state and the authentication result information. These are stateful items recorded on the blockchain (e.g., storage variables in the Solidity language commonly used for smart contracts). There may be several such interfaces. The authentication state records the progress of the current access application and may be divided into: applied, authentication device confirmation needed, pass, fail, and so on; when the authentication state is "pass", the authentication result information is called an authentication pass message. Besides the authentication state, the authentication result information includes the identity information of the security resource control point, the authentication result information of the security resource control point, the identity information and authentication result information of the authenticated device, the security resource usage information, the identity and identity signature of the authentication device, and the integrity protection signature of the authentication device over the authentication result information. Typically the identity signature and the integrity protection signature may be combined into one.
c. Authentication device information and interactive interface information: the primary account may set the detailed information of the authentication devices, where each authentication device, or each kind of authentication device, corresponds to one authentication or one kind of authentication. The information comprises the information identifying the device and its corresponding management authority, such as the authentication device account, the authentication protocol, the authentication range, the device type, the interactive interface information, and the like. The primary account is usually the smart contract owner and is the same as the authentication device account; of course, a more complex account system may be set up, within the range allowed by the specific block chain smart contract, to distinguish these roles. Since this only makes the authentication logic of the present application easier for practitioners to understand and does not change its implementation, it is not listed or explained in detail here. The account is set in the authenticated device and the security access control point as the basis of the authentication device's identity; another account or accounts can also be set as the authentication device account, but the corresponding authentication device account then needs to be set, in the authenticated device and the security resource control point device that use that authentication device for bidirectional authentication, as the basis for verifying the identity of the authentication device.
d. Data adding and deleting interface of the security resource control point: the add/delete interface for security resource objects, which comprises the account (equivalent to an ID) of the security resource control point, the device type, the security resource information (including ID, type, access information and the like), the interactive interface information, and so on. The data adding and deleting interface of the security resource control point can be called only by the owner or an account designated by the owner. The interactive interface information of the security resource control point is used, when required, for interaction between the intelligent contract, the authenticator or the authenticated party and the security resource control point.
2) Set the intelligent contract owner information interface. Block chain intelligent contract technology provides an interface for setting the owner of the intelligent contract; the owner has the highest authority to create, destroy and modify the intelligent contract. Once created, the intelligent contract specifies the designated owner or, by default, the creating account as the owner, and the interface can be called when the intelligent contract is created to set the operating authority of the owner account over each function of the intelligent contract. The owner of a smart contract is usually the account that created the contract; in this application the primary account usually plays the owner role, and of course the primary account may also grant one or more other accounts the owner role to perform subsequent modification and revocation of the smart contract.
3) Add or modify the security resource objects, including the resource control point information, using the data add/delete interface of the security resource control point.
II) Device addition process
1) The authenticated device applies for a blockchain account, referred to as a sub-account for convenience.
2) Through the authenticated device data adding and deleting interface, the primary account adds the account and other information of the authenticated equipment to the intelligent contract, designates specific security resource access authority, designates a specific authentication function and optionally designates access control point information. This information, combined with the security resource control point information, can be used by the authentication function for its logical control and decision making.
3) The intelligent contract address and, optionally, the authentication device account are set in the authenticated device and in the security resource control point device respectively (in a secure intelligent contract environment this information can be read from the intelligent contract).
4) From this point the authenticated device can be used; when it needs to access a security resource, it starts the bidirectional authentication process by initiating an application, using for example authentication scheme A or authentication scheme B.
Authentication scheme A, the scheme in which the authenticated equipment sends the controlled resource access application message to the intelligent contract in the indirect mode, comprises the following steps:
As shown in fig. 7, Peer (node) A is an authentication device, also referred to as the authenticator; Peer B is an authenticated device, also referred to as the authenticatee or authenticated object; Peer C is a security resource control point, also referred to as the controller device; and Contract a is an intelligent contract deployed by Peer A. Hereinafter these are referred to as A, B, C and contract a. When B wants to access the security resource, B initiates an access application to contract a through C, where C is either designated by B, which forwards the message to it directly, or allocated by contract a to process the original application; in either case the effective content of the application is finally communicated to A. A identifies B and C through contract a and signs for them, ensuring that neither B nor C is impersonated, and checks the access authority B applies for, ensuring the scope of the application is authorized. Secondly, B needs to obtain permission to access the security resource through A's authentication while making sure that neither A nor A's authentication result is spoofed; B therefore verifies A and the authentication result information using A's identity information preset in B and A's identity signature in the authentication result. In addition, B can confirm that C's identity is legitimate through C's identity information carried in the authentication result information, and verifies that the C device is not faked by performing bidirectional authentication, when the security resource is accessed and used, against the identity information in the authentication result used by C. In the same way, C verifies A and A's authentication result information through A's identity information preset in C and A's identity signature in the authentication result, and verifies the B device through B's identity signature when performing bidirectional authentication with B using B's identity information carried in the authentication result information.
First, A achieves this by deploying contract a and setting, through the initialization flow and device addition flow above, an authentication method (authentication function) for the different kinds of authenticated objects and for specific authenticated objects. The information of contract a and/or its address information are preset in B and C. When B wants to gain access to or use of a security resource, it needs to indicate its identity to C. B initiates a controlled resource access application to C in the form of a blockchain transaction, through the blockchain network or an out-of-band channel; the application carries the information on the security resource B applies for, B's identity, and B's integrity protection signature over the application information, which also serves as B's identity signature. Every following step likewise requires the sender to carry its identity and signature in the message, that is, the sender's identity information and the sender's integrity signature over the whole message, with the integrity signature also serving as the sender's identity signature. The recipient can determine from the signature who produced the message and whether it was tampered with in transit. After receiving the request, C initiates an authentication and authorization application to contract a according to the requirements of the applied security resource; this is generally done by calling a function of the intelligent contract. C sends a blockchain intelligent contract transaction to the intelligent contract according to B's application type, invoking the contract function; the transaction indicates the function called and its parameters and contains B's original application information.
Since it is a blockchain transaction, the transaction itself requires C to sign it, which provides both the integrity of the message and C's identity. Contract a "receives the message" (usually, to invoke a given processing function of an intelligent contract, a blockchain account sends a transaction invoking that function to the contract; the specific sending method and requirements follow the intelligent contract method and interface of the particular blockchain and are not detailed below) and executes the processing steps defined by the contract function, such as verifying the identity of C and the identity of B, matching the security authentication level processes and data within the contract, and interacting with account A as needed. How a blockchain intelligent contract interacts with an account depends on the blockchain technology used, but it can generally be realized as follows: account-to-contract notification or contract invocation is done by the account sending an intelligent contract transaction to the contract; contract-to-account notification is done by the contract sending a blockchain transaction or emitting state variable change events (a blockchain intelligent contract is usually designed with an event message mechanism, and a state variable change is a triggerable event), and the account can also actively obtain the information by monitoring changes of the state variables. A specific example in this application is as follows: the smart contract uses several variables, namely an authentication state variable, an authentication result information variable, an interface variable and an application pointer variable.
For a new access application, where the authenticator must confirm after the smart contract has passed the authentication, the contract sets the authentication state variable to "passed by the contract, the authenticator must confirm and sign the access application result information"; sets the authentication result information variable to "the original authentication and authorization application as received, and the detailed secure resource information allocated to the application"; sets the application pointer variable to the hash of the original access application message (the hash of the blockchain transaction corresponding to the authentication and authorization application); and sets the interface variable to "the interactive interface information of the designated authenticator and a pointer to the corresponding authentication result information variable". By monitoring the interface variable and authentication state variable that concern it on the smart contract, the authenticator can judge whether a new access application needs its action. If so, A checks the identities of B and C and that the address of contract a is correct. After confirming that the authentication result is correct, A sends a transaction to contract a that changes the authentication state variable to "authentication passed", adds A's identity information and the authentication-passed information to the authentication result information variable, signs the whole content of the authentication result information variable, and replaces the original content of that variable with the signed information. (This transaction triggers the smart contract to send the authentication result on to the other devices involved in the authentication.)
It should be understood that there are many ways to interact with a smart contract, depending on the smart contract technology and interface design of the specific blockchain; this method shows only one possible implementation. The interactions with the smart contract and the return of messages to the other roles described below are similar and are not repeated.
The authentication result, or authentication result information, consists of the content of the "authentication state variable" and the "authentication result information variable".
Contract a returns the authentication result to C (for example, C monitors the processing result of the transaction it sent and obtains the authentication result from the above authentication state variable and authentication result information variable of contract a; or contract a directly sends a blockchain transaction carrying the authentication result information to C). The authentication result carries the identity information of B and C, the identity authentication results for B and C, the detailed information of the secure resource allocated to the application, including access authorization information and authorization information such as B's access authorization pass (used to limit the authenticated device's access by number of times or by time period), and A's identity information and signature, i.e. A's integrity signature over the above information. When C receives the result returned by contract a, it checks A's identity and verifies that the integrity and identity signature over the authentication result information belong to A before trusting the result; from the result C can confirm whether B's application is legitimate. If B and C communicate over a non-blockchain network, C forwards the result to B; if the blockchain network is the communication means between B and C, C sends B a transaction carrying the obtained authentication result over the blockchain network. When B receives the result from contract a, it uses A's signature to judge whether A has been impersonated and whether the result has been tampered with, and B can also judge C's identity as needed.
If the authentication is passed, B can initiate subsequent access to the corresponding resource according to the secure resource information and the information about C in the authentication result; in that subsequent use, B and C use the identities in the authentication result to perform bidirectional authentication when accessing over the secure channel.
Note that in the indirect manner the authentication process is initiated between B and C over the secure channel: the message B sends to C carries B's identity information and identity signature, and the authentication result carries the identity signatures and message integrity signatures of B and C together with the authentication device's identity authentication of B and C. Half of the bidirectional authentication between B and C can therefore be regarded as complete, i.e. C can confirm B's identity, and the other half only requires C to prove to B that it is the C named in the authentication result. If C, when forwarding the authentication result, signs and integrity-protects the message with the identity of C given in the result, B can authenticate C by comparing the identity behind the signature with the identity of C in the authentication result, completing the bidirectional authentication between B and C. For example, when a WiFi STA accesses a WiFi AP, the STA performs the above authentication interaction with the AP over the access authentication secure channel; after the AP (C) obtains the authentication result, it signs the result information with its own identity as given in the authentication result and sends it to the STA (B), and B checks that the signature on the message matches the identity of C in the authentication result, whereupon the bidirectional authentication of B and C can be regarded as complete.
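The indirect flow of authentication scheme A, simulated end to end as an added example (this is not code from the application or from the applicant): Ed25519 key pairs stand in for the blockchain accounts of A, B and C, a Go struct stands in for contract a, and of the four state variables only the authentication state variable and the authentication result information variable are modelled. The message layouts, the role names A-owner, B-sta and C-ap, the resource name wifi-ap-1 and the state strings are assumptions made for the example. It shows B's signed application relayed by C, contract a checking both signatures and that C is the control point of the requested resource, A confirming and signing the result, C verifying A's signature before trusting the result, and B accepting the forwarded result only when A's signature verifies and the forwarder's signature belongs to the C named in that result, so that a rogue forwarder is rejected at the last step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

type Role struct { // one participant (A, B or C); Addr stands in for its blockchain account
	Addr string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newRole(addr string) *Role {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails if the OS RNG is broken
	return &Role{addr, pub, priv}
}

// Msg: sender identity, payload, and one signature serving as both integrity and identity signature.
type Msg struct {
	Sender string
	Body   []byte
	Sig    []byte
}

func (r *Role) sign(body []byte) Msg { return Msg{r.Addr, body, ed25519.Sign(r.priv, body)} }

// verifyFrom: the signature must verify under the key registered for the claimed sender.
func verifyFrom(reg map[string]ed25519.PublicKey, m Msg) bool {
	pk, ok := reg[m.Sender]
	return ok && ed25519.Verify(pk, m.Body, m.Sig)
}

type Contract struct { // contract a; State and Result are the two state variables the text names
	Reg      map[string]ed25519.PublicKey // account -> public key (identity registry)
	Owner    string                       // A's account
	Devices  map[string]string            // authenticated device -> resource it may access
	Controls map[string]string            // resource -> its control point C
	State    string                       // "authentication state variable"
	Result   Msg                          // "authentication result information variable"
}

// Apply is the contract function C calls, passing its own transaction and B's original application.
func (c *Contract) Apply(fromC, fromB Msg) error {
	resource := strings.TrimPrefix(string(fromB.Body), "access:")
	if !verifyFrom(c.Reg, fromC) || !verifyFrom(c.Reg, fromB) ||
		c.Devices[fromB.Sender] != resource || c.Controls[resource] != fromC.Sender {
		return fmt.Errorf("contract: rejected B=%s C=%s resource=%s", fromB.Sender, fromC.Sender, resource)
	}
	c.Result = Msg{Body: []byte(fmt.Sprintf("B=%s;C=%s;resource=%s", fromB.Sender, fromC.Sender, resource))}
	c.State = "contract-passed-awaiting-A"
	return nil
}

// Confirm is A's transaction: only the owner may confirm a contract-passed application; A signs the result.
func (c *Contract) Confirm(a *Role) error {
	if c.State != "contract-passed-awaiting-A" || a.Addr != c.Owner {
		return errors.New("A: nothing pending for this authenticator")
	}
	c.Result, c.State = a.sign(append(c.Result.Body, ";pass=1;authenticator="+a.Addr...)), "authentication-pass"
	return nil
}

// setup deploys contract a with A as owner, B registered for one resource and C as its control point.
func setup(resource string) (*Contract, *Role, *Role, *Role) {
	a, b, c := newRole("A-owner"), newRole("B-sta"), newRole("C-ap")
	return &Contract{
		Reg:     map[string]ed25519.PublicKey{a.Addr: a.Pub, b.Addr: b.Pub, c.Addr: c.Pub},
		Owner:   a.Addr,
		Devices: map[string]string{b.Addr: resource}, Controls: map[string]string{resource: c.Addr},
	}, a, b, c
}

// IndirectFlow runs scheme A end to end; forwarder returns the result to B out of band (c when honest).
func IndirectFlow(con *Contract, a, b, c, forwarder *Role, resource string) error {
	app := b.sign([]byte("access:" + resource)) // B -> C over the out-of-band channel
	if err := con.Apply(c.sign([]byte("apply:"+resource)), app); err != nil { // C -> contract a
		return err
	}
	if err := con.Confirm(a); err != nil { // A watches the state variables and confirms
		return err
	}
	res := con.Result // C reads the result back and checks that the owner A signed it
	if con.State != "authentication-pass" || res.Sender != con.Owner || !verifyFrom(con.Reg, res) {
		return errors.New("C: result is not signed by A")
	}
	fwd := forwarder.sign(append(append([]byte{}, res.Body...), res.Sig...)) // C -> B under C's identity
	// B has PKA preset, so A's signature proves the result genuine; the forwarder must then prove it is
	// the C named in that signed result, which completes the bidirectional authentication of B and C.
	cAddr := strings.TrimPrefix(strings.Split(string(res.Body), ";")[1], "C=")
	if pk, ok := con.Reg[cAddr]; !ed25519.Verify(a.Pub, res.Body, res.Sig) || !ok ||
		fwd.Sender != cAddr || !ed25519.Verify(pk, fwd.Body, fwd.Sig) {
		return errors.New("B: result not signed by A, or forwarder is not the C named in it")
	}
	return nil
}
```

The functions return errors rather than printing, so the flow is exercised with go test or from a small main that calls setup and IndirectFlow. The direct manner of scheme B differs only in who submits the application: B would call Apply itself and the contract would look C up in Controls rather than checking the caller against it.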
Authentication scheme B is the scheme in which the authenticated device sends the controlled resource access application message to the smart contract directly;
authentication scheme B applies where the address information of the secure resource control point C need not, or cannot, be known. As shown in Fig. 8.
In this scheme B does not need to know C's address. B sends a secure resource access application to contract a, and contract a matches the control point C of the secure resource according to the application. Contract a produces the authentication result from the matched function and from the identity information and requested resource information contained in the application; where interaction with A is needed according to the authentication type, it proceeds as described in authentication scheme A and is not repeated here. Contract a sends the authentication result to C and to B (i.e. it sets the "authentication state variable" and the "authentication result information variable", or directly sends a blockchain transaction carrying the authentication result). The information carried is identical to authentication scheme A. From the result information both B and C can determine the decision on the application, the authenticity of the identities of A, B, C and contract a, and that the information was not tampered with in transmission.
Many parties that transact on a blockchain do not run a blockchain node themselves; they only have a wallet that uses third-party nodes for blockchain interaction. When the A, B, C roles above use only a blockchain wallet, the smart contract result reported by a third-party node is not necessarily trustworthy. That is why the final confirmation step by A is required in the scheme above. If A, B and C are served by nodes they deploy themselves or by trusted third-party nodes, the confidentiality of the communication channel is improved, and other technical measures ensure that malicious nodes cannot influence the smart contract's execution result and that whole-chain consensus is preserved, the following optimizations can be adopted.
Optimization one: in a trusted smart contract environment, e.g. with trusted blockchain nodes and smart contract execution nodes, A, B and C perform the smart contract blockchain transactions and receive the results through these nodes. That is, when the execution and result of the smart contract are trustworthy, A may authorize the smart contract to decide the access application, without A having to confirm and sign the result of each access application, because the smart contract's execution result is now trustworthy. In that case the result of the application contains A's identity information and A's signature authorizing contract a, but not A's signature over the result information of the application; all other information is the same as in authentication scheme A, i.e. contract a can return the result directly. A, B and C can determine the identities of A, B, C and the status of the authentication result from the "authentication state variable" and the "authentication result information variable".
Optimization two: in the smart contract, the identity information of the authenticated device can be verified by means other than the blockchain account, provided those means can be used for identity proof and message signing: the other authentication entities record the public key of the authenticated device, the authenticated device keeps its private key, and the authenticated device sends identity information signed with its private key as identity proof, so that the other authentication entities can verify its identity from the identity information and the private key signature; the other authentication entities include one or more of the smart contract, the authentication device and the controller device.
For example, A and contract a record identification information that can identify B and C without recording the blockchain addresses of B and C as the identification information. Each B or C may have its own identity information, or one piece of identification information may serve a whole class of B or C. For instance, a public key (PK) is recorded for a class of B, and every device that can prove possession of that key may access the specified secure resource: if B1 and B2 both hold the private key (Sk) corresponding to PK, B1 and B2 use Sk for the identity signature and integrity protection signature in the process above, and other devices or roles verify from those signatures whether the information sent by B1 and B2 corresponds to PK. With this optimization, the blockchain address of each new device does not have to be added to the smart contract and to A after the device obtains one; the identity information can be added beforehand, which makes flexible deployment easier. The trade-off is that a class-level key identifies only the class, not the individual device, so identity records and the delete device flow below then operate per class rather than per device. Likewise, the identity information of A set in B and C may be, for example, A's public key PKA, in which case A's identity signature and information integrity protection signature in the process above are replaced with signatures made with the private key corresponding to PKA.
Third) delete device flow
Information such as the account of the authenticated device is deleted from the smart contract through the authenticated device data add/delete interface.
An embodiment of the present application further provides an electronic device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor; when executing the program, the processor implements the blockchain-based distributed bidirectional authentication method of any of the above embodiments.
The embodiments of the present application further provide a computer-readable storage medium storing computer-executable instructions for executing the blockchain-based distributed bidirectional authentication method of any of the above embodiments.
In this embodiment, the storage medium may include, but is not limited to: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
Those of ordinary skill in the art will understand that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media as known to those skilled in the art.

Claims (19)

1. A distributed bidirectional authentication method based on a blockchain, comprising the following steps:
the authenticated device requests access to a controlled resource;
the authenticated device performs bidirectional authentication with the authentication device through a smart contract in the blockchain;
after the bidirectional authentication is passed, the authenticated device accesses the controlled resource through the controller device, and bidirectional authentication is performed between the authenticated device and the controller device when the controlled resource is accessed; wherein the controller device is the device that controls the controlled resource.
2. The method of claim 1, wherein the authenticated device requesting access to a controlled resource comprises:
the authenticated device sends a controlled resource access application message, carried in a blockchain transaction, to the address of a smart contract in a direct manner or an indirect manner, wherein the controlled resource access application message carries information of the controlled resource, identity information of the authenticated device and signature information of the authenticated device; the signature information is an integrity protection signature over the application message and/or an identity signature of the authenticated device.
3. The method of claim 2, wherein the authenticated device sending the controlled resource access application message, carried in a blockchain transaction, to the address of the smart contract in a direct manner comprises:
the authenticated device sends the controlled resource access application message, carried in a blockchain transaction, directly to the address of the smart contract.
4. The method of claim 2, wherein the authenticated device sending the controlled resource access application message, carried in a blockchain transaction, to the address of the smart contract in an indirect manner comprises:
the authenticated device sends the controlled resource access application message, carried in a blockchain transaction, to the address of the smart contract through the controller device.
5. The method of claim 2, wherein the authenticated device performing bidirectional authentication with the authentication device through a smart contract in the blockchain comprises:
the authenticated device obtains an authentication result through the smart contract, the authentication result indicating whether the authentication device has passed the authenticated device and its access application, together with the detailed information; the authentication result carries the identity information and identity authentication information of the authenticated device and of the controller device, the access authorization pass of the authenticated device, the access information and authorization information of the controlled resource, and the signature information of the authentication device; the signature information is an integrity protection signature of the authentication device over the authentication result and/or identity signature information of the authentication device;
the authenticated device performs identity authentication of the authentication device according to the identity signature information of the authentication device.
6. The method of claim 2, wherein:
when the authenticated device and/or the controller device obtain the authentication result in a trusted smart contract running environment and can confirm that the address of the called smart contract is trusted, the authentication result is generated by the smart contract as authorized by the authentication device, wherein the authentication result carries the identity information and identity authentication information of the authenticated device and of the controller device, the access authorization pass of the authenticated device, and the access information and authorization information of the controlled resource.
7. The method of claim 5, wherein the authenticated device accessing the controlled resource through the controller device, with bidirectional authentication between the authenticated device and the controller device when the controlled resource is accessed, comprises:
the authenticated device accesses the controlled resource through the controller device according to the access information of the controlled resource in the authentication result;
if the authenticated device used the direct manner when sending the control resource access application message, the authenticated device and the controller device perform bidirectional authentication with each other according to the identity information in the authentication result message when the controlled resource is accessed;
if the authenticated device used the indirect, out-of-band manner when sending the controlled resource access application message, the authenticated device sends the controlled resource access application message to the controller device through a secure channel, which channel can be used for controlled resource access authentication, and the bidirectional authentication with the controller device is completed when the authenticated device and the controller device obtain the authentication result.
8. A distributed bidirectional authentication method based on a blockchain, comprising the following steps:
after being triggered by a smart contract in the blockchain, the authentication device performs bidirectional authentication through the smart contract with the authenticated device requesting access to a controlled resource and with the controller device associated with the requested controlled resource, respectively;
after the bidirectional authentication between the authentication device and the authenticated device and between the authentication device and the controller device is passed, the authentication result is sent to the authenticated device and the controller device through the smart contract, or directly in the form of a blockchain transaction.
9. The method of claim 8, wherein sending the authentication result to the authenticated device and the controller device through the smart contract or directly in the form of a blockchain transaction comprises:
the authentication device generates an authentication result indicating whether the application of the authenticated device is passed, wherein the authentication result carries the identity information and identity authentication information of the authenticated device and of the controller device, the access authorization pass of the authenticated device, the access information and authorization information of the controlled resource, and the identity information and signature information of the authentication device; the signature information is an integrity protection signature of the authentication device over the authentication result message and/or identity signature information of the authentication device; and the authentication result is sent to the authenticated device and the controller device through the smart contract or directly in the form of a blockchain transaction;
or, the authentication device authorizes the smart contract to generate the authentication result message and send it to the authenticated device and the controller device, wherein the authentication result message carries the identity information and identity authentication information of the authenticated device and of the controller device, the access authorization pass of the authenticated device, and the access information and authorization information of the controlled resource.
10. A distributed bidirectional authentication method based on a blockchain, comprising the following steps:
after receiving a controlled resource access application message, the controller device initiates an authentication and authorization application to the smart contract according to the controlled resource access application message, receives the authentication result from the smart contract to determine whether to open the secure resource, and forwards the authentication result to the authenticated device as the authenticated device requires; or, the controller device receives the authentication result to determine whether to open the secure resource;
when an authenticated device requests access to a controlled resource, and both the bidirectional authentication between the authenticated device and the authentication device and the bidirectional authentication between the controller device and the authentication device have passed, the controller device provides the controlled resource for the authenticated device to access;
the controller device performs bidirectional authentication with the authenticated device when the authenticated device accesses the controlled resource.
11. A distributed bidirectional authentication method based on a blockchain, comprising the following steps:
the smart contract receives a request by an authenticated device to access a controlled resource;
the smart contract triggers bidirectional authentication between the authenticated device and the authentication device, and bidirectional authentication between the controller device and the authentication device, such that the authenticated device accesses the controlled resource controlled by the controller device when all authentications are passed.
12. The method of claim 11, wherein the smart contract receiving a request by an authenticated device to access a controlled resource comprises:
the smart contract receives a controlled resource access application message sent by the authenticated device, carried in a blockchain transaction, to the address of the smart contract in a direct manner or an indirect manner, wherein the controlled resource access application message carries identity information and signature information of the authenticated device and information of the controlled resource; the signature information is an integrity protection signature over the application message and/or an identity signature of the authenticated device.
13. The method of claim 12, wherein the smart contract receiving the controlled resource access application message sent by the authenticated device, carried in a blockchain transaction, to the address of the smart contract in a direct manner comprises:
the smart contract receives the controlled resource access application message sent directly, in the form of a blockchain transaction, by the authenticated device to the address of the smart contract.
14. The method of claim 12, wherein the smart contract receiving the controlled resource access application message sent by the authenticated device, carried in a blockchain transaction, to the address of the smart contract in an indirect manner comprises:
the smart contract receives the controlled resource access application message sent by the authenticated device, in the form of a blockchain transaction, to the address of the smart contract through the controller device.
15. The method of claim 12, wherein triggering the bidirectional authentication between the authenticated device and the authentication device, and the bidirectional authentication between the controller device and the authentication device, comprises:
sending the authentication application of the authenticated device and the authorization application for the controlled resource to the authentication device in the form of a blockchain transaction;
sending the identity authentication of the controller device associated with the application to the authentication device in the form of a blockchain transaction;
when the authentication result is received, sending the authentication result, directly or indirectly, to the authenticated device in the form of a blockchain transaction, wherein the authentication result carries the access authorization pass of the authenticated device, the access information of the controlled resource, the identity information of the authentication device and its signature over the authentication result information, which signature is also the identity signature information of the authentication device, and the identity information and identity authentication result of the controller device, so that the authenticated device determines the authentication result and performs identity authentication of the authentication device and the controller device; and
sending the authentication result to the controller device in the form of a blockchain transaction, wherein the authentication result carries the identity information, identity authentication result and access authorization pass of the authenticated device, the access information of the controlled resource, and the identity information of the authentication device and its signature over the authentication result information, which signature is also the identity signature information of the authentication device, so that the controller device determines the access information and performs identity authentication of the authentication device and the authenticated device.
16. The method of claim 12, wherein:
the key information in the smart contract comprises: authenticated device data, an authentication function, secure resource control point data, and owner information and interactive interface information of the smart contract;
wherein the authenticated device data comprises authenticated object data comprising one or more of: the account, authentication protocol, scope of authority, device type, and other information identifying the authenticated device and its corresponding authority;
the authentication function is the processing logic that implements authentication and authorization; it judges or matches the access authority of the authenticated device for a given secure resource and provides the data of the correspondingly allocated secure resource control point;
the secure resource control point data comprises the account, device type, secure resource type, detailed secure resource information and interactive interface information of the secure resource control point;
wherein the owner is the creator of the smart contract or another account set as the owner of the smart contract in the smart contract; the owner is a single account or multiple accounts;
the owner's interactive interface information identifies the interactive interface to use when the owner/authentication device must confirm certain information and guides the interaction between the smart contract or another authentication entity and the owner; there are one or more interactive interfaces, and when there are several, the system selects one or more of them for communication according to the service or to reliability.
17. The method of claim 12, wherein:
in the smart contract, the identity information of the authenticated device is verified by means other than the blockchain account, which means can be used for identity proof and message signing; the other authentication entities record the public key of the authenticated device, the authenticated device keeps its private key, and the authenticated device sends identity information signed with its private key as identity proof so that the other authentication entities can verify its identity from the identity information and the private key signature; wherein the other authentication entities include one or more of: the smart contract, the authentication device and the controller device.
18. An electronic device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the method of any one of claims 1-7, or the method of any one of claims 8-9, or the method of claim 10, or the method of any one of claims 11-17.
19. A computer-readable storage medium storing computer-executable instructions for implementing the method of any one of claims 1-7, or the method of any one of claims 8-9, or the method of claim 10, or the method of any one of claims 11-17.
CN202210114556.8A, priority date 2022-01-30, filing date 2022-01-30: Block chain based distributed bidirectional authentication method, device and storage medium. Pending. Published as CN114462015A (en).

Priority Applications (1)

Application Number: CN202210114556.8A (CN114462015A, en); Priority Date: 2022-01-30; Filing Date: 2022-01-30; Title: Block chain based distributed bidirectional authentication method, device and storage medium

Applications Claiming Priority (1)

Application Number: CN202210114556.8A (CN114462015A, en); Priority Date: 2022-01-30; Filing Date: 2022-01-30; Title: Block chain based distributed bidirectional authentication method, device and storage medium

Publications (1)

Publication Number: CN114462015A (en); Publication Date: 2022-05-10

Family

ID=81411164

Family Applications (1)

Application Number: CN202210114556.8A (CN114462015A, en); Title: Block chain based distributed bidirectional authentication method, device and storage medium; Priority Date: 2022-01-30; Filing Date: 2022-01-30; Status: Pending

Country Status (1)

Country: CN; Link: CN114462015A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination