CN115118434A - Key management method and device based on block chain - Google Patents

Publication number: CN115118434A
Authority: CN (China)
Prior art keywords: public key, user, signature, storage node, signing
Legal status: Pending
Application number: CN202210754111.6A
Other languages: Chinese (zh)
Inventor: 栗志果
Current Assignee: Ant Blockchain Technology Shanghai Co Ltd
Original Assignee: Ant Blockchain Technology Shanghai Co Ltd
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202210754111.6A
Publication of CN115118434A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

One or more embodiments of the present specification provide a blockchain-based key management method and apparatus, applied to a client. The method comprises: in response to a sign-and-seal operation initiated by a user for a target digital file, authenticating the identity of the user; and, if the identity authentication of the user passes, invoking authorization logic contained in a first smart contract to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and signing the authorization information based on a private key of the user, so that a signing server, in response to obtaining the signed authorization information, obtains a plurality of public key fragments from at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.

Description

Key management method and device based on block chain
Technical Field
One or more embodiments of the present disclosure relate to the field of blockchain technologies, and in particular, to a method and an apparatus for managing a key based on a blockchain.
Background
An organization, an enterprise, a public institution, or even an individual usually needs to use its seal to sign and seal documents related to it, for example by stamping a seal pattern on the document, so that the seal on the document indicates that the document is correct, authentic, and authorized by the organization. Common seal types include corporate official seals, invoice-specific seals, contract seals, corporate seals, financial seals, and the like. In practical applications, a specific type of seal is used to sign and seal a file of the corresponding type; for example, enterprise announcements may be sealed with the corporate official seal, enterprise contracts may be sealed with the contract seal, and so forth.
However, a physical seal is inconvenient to use in several ways; for example, a physical seal must be managed manually, it must be fetched by hand whenever it is used, and it can only be used to sign and seal paper documents. As paperless office work has become more and more widespread, the digital seal has emerged to improve the efficiency of seal use; a digital seal can be used to sign and seal digital files. Under these circumstances, how to ensure the security of digital seal use, and to prevent a digital seal from being stolen and abused, has become an urgent problem.
Disclosure of Invention
One or more embodiments of the present disclosure provide the following:
The present specification provides a blockchain-based key management method, applied to a client. A first smart contract for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments, which are stored in at least one storage node in a distributed manner. The method comprises:
in response to a sign-and-seal operation initiated by the user for a target digital file, authenticating the identity of the user;
if the identity authentication of the user passes, invoking authorization logic contained in the first smart contract to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and signing the authorization information based on the private key of the user, so that a signing server, in response to obtaining the signed authorization information, obtains the plurality of public key fragments from the at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.
The present specification further provides a blockchain-based key management method, applied to a blockchain service platform. A first smart contract for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments, which are stored in at least one storage node in a distributed manner. The method comprises:
receiving a signing request sent by a client, the request being sent when the client, in response to a sign-and-seal operation initiated by the user for a target digital file, has passed the identity authentication of the user;
in response to the signing request, invoking authorization logic contained in the first smart contract to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and signing the authorization information based on the private key of the user, so that a signing server, in response to obtaining the signed authorization information, obtains the plurality of public key fragments from the at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.
The present specification also provides a blockchain-based key management apparatus, applied to a client. A first smart contract for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments, which are stored in at least one storage node in a distributed manner. The apparatus comprises:
an authentication module, configured to authenticate the identity of the user in response to a sign-and-seal operation initiated by the user for a target digital file;
a calling module, configured to, if the identity authentication of the user passes, invoke authorization logic contained in the first smart contract to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and sign the authorization information based on the private key of the user, so that a signing server, in response to obtaining the signed authorization information, obtains the plurality of public key fragments from the at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.
The present specification also provides a blockchain-based key management apparatus, applied to a blockchain service platform. A first smart contract for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments, which are stored in at least one storage node in a distributed manner. The apparatus comprises:
a receiving module, configured to receive a signing request sent by a client, the request being sent when the client, in response to a sign-and-seal operation initiated by the user for a target digital file, has passed the identity authentication of the user;
a calling module, configured to, in response to the signing request, invoke authorization logic contained in the first smart contract to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and sign the authorization information based on the private key of the user, so that a signing server, in response to obtaining the signed authorization information, obtains the plurality of public key fragments from the at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.
The present specification also provides an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the steps of the method as described in any one of the above by executing the executable instructions.
The present specification also provides a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, carry out the steps of the method according to any one of the preceding claims.
In the above technical solution, the public key of a user may first be divided into a plurality of public key fragments, which are stored in at least one storage node in a distributed manner. Subsequently, in response to a sign-and-seal operation initiated by the user for a target digital file, when the identity authentication of the user passes, authorization logic contained in a first smart contract, which is deployed on the blockchain and used for managing the private key of the user, may be invoked to generate authorization information for signing and sealing the target digital file with the digital seal of the user, and the authorization information is signed based on the private key of the user. The signing server, in response to obtaining the signed authorization information, obtains the plurality of public key fragments from the at least one storage node and splices them; once the public key of the user has been recovered through the splicing, the signature of the authorization information can be verified based on the public key of the user, and the target digital file can be signed and sealed based on the digital seal of the user after the verification passes.
In this way, first, the digital seal of the user can be used to sign and seal the target digital file on the basis of authorization by the private key of the user, which ensures the security of digital seal use and prevents the digital seal from being stolen and abused. Second, the public key of the user can be divided into a plurality of public key fragments, the fragments are stored in at least one storage node in a distributed manner, and the public key of the user is restored by splicing the plurality of public key fragments obtained from the at least one storage node, so that even if some of the public key fragments are leaked, the public key of the user cannot be restored from those fragments alone, which further improves the security of digital seal use. Third, the user can entrust the public key to a storage system for custody, which is convenient for the user while ensuring the data security of the public key.
Drawings
Fig. 1 is a schematic diagram of a network environment associated with a blockchain according to an exemplary embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating a blockchain-based key management method according to an exemplary embodiment of the present specification.
Fig. 3 is a schematic diagram of a user interface shown in an exemplary embodiment of the present description.
Fig. 4 is a flowchart illustrating another method for block chain based key management according to an exemplary embodiment of the present disclosure.
Fig. 5 is a hardware configuration diagram of an electronic device in which a key management apparatus based on a block chain is located according to an exemplary embodiment of the present specification.
Fig. 6 is a block diagram of a key management apparatus based on a blockchain according to an exemplary embodiment of the present specification.
Fig. 7 is a block diagram of another blockchain-based key management apparatus according to an exemplary embodiment of the present specification.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Blockchains are generally divided into three types: public chain (Public Blockchain), private chain (Private Blockchain), and consortium chain (Consortium Blockchain). In addition, there may be various combinations of the above, such as a combination of a private chain and a consortium chain, a combination of a consortium chain and a public chain, and so on.
Of the three types of blockchains described above, the most decentralized is the public chain. A party joining the public chain (which may also be referred to as a node in the blockchain) may read the data records on the chain, participate in transactions, compete for accounting rights for new blocks, etc. Moreover, each node can freely join or leave the network and perform related operations.
The private chain is the opposite: the write rights of the network are controlled by an organization or institution, and the read rights of the data are specified by that organization. That is, the private chain can be viewed as a weakly centralized system with strict restrictions on nodes and a small number of nodes. This type of blockchain is more suitable for use within a particular institution.
The consortium chain lies between the public chain and the private chain, and can achieve partial decentralization. Each node in a consortium chain typically has a corresponding entity institution or organization; the nodes are authorized to join the network, form an alliance of shared interests, and jointly maintain the operation of the blockchain.
In a blockchain network, blockchain nodes are logical communication entities; different types of blockchain nodes can run on the same physical server or on different physical servers.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a network environment associated with a blockchain according to an exemplary embodiment of the present disclosure.
The network environment shown in fig. 1 may include a user-side computing device 101, a server side 102, and at least one blockchain system, such as blockchain system 103, blockchain system 104, and blockchain system 105.
In one embodiment shown, the user-side computing device 101, may include a variety of different types of user-side computing devices; for example, the user-side computing device may include devices such as PC computing devices, mobile computing devices, internet of things devices, and other forms of smart devices with certain computing capabilities, among others.
It should be noted that the user-side computing device 101 does not mean that all the user-side computing devices are in the same communication network, but is merely a general term for the user-side computing devices.
In one embodiment shown, some of the user-side computing devices 101 may be coupled to the server side 102 through various communication networks; for example, device 3 is coupled to server side 102.
Some of the user-side computing devices 101 may instead not be coupled to the server side 102, but be directly coupled to the blockchain system as blockchain nodes; for example, the device 4 may be directly coupled to the blockchain system 103 as a blockchain node.
In one embodiment shown, the user-side computing device 101 may also include one or more user-side servers; for example, device 5 and device 6. Some of the user-side computing devices 101 may be coupled to the user-side server; for example, device 1 is coupled to device 5 and device 2 is coupled to device 6. The user-side server may be further coupled to the blockchain system as a blockchain node, or may be further coupled to the server side 102 through various communication networks; for example, the device 5 may be further coupled directly to the blockchain system as a blockchain node, and the device 6 is further coupled to the server side 102.
In an embodiment shown, the user-side server may be implemented by a service entity that builds a user account system; the service entities may include an operator entity that provides service bearers for various online and/or offline services to users. Correspondingly, the operation entity may include an operator corresponding to the service bearer; for example, the operation entity may include an individual, an organization, and the like that operate and manage the service bearer.
In one embodiment shown, the server side 102 may also be coupled to one or more blockchain systems through various communication networks; for example, the server side 102 is respectively coupled to the blockchain system 103, the blockchain system 104, and the blockchain system 105, and so on.
In one illustrated embodiment, the communication network may include wired and/or wireless communication networks; for example, it may be a Local Area Network (LAN), Wide Area Network (WAN), internet or a combination thereof implemented based on a wired access Network or a wireless access Network provided by an operator, such as a mobile cellular Network.
In one embodiment, each blockchain system may maintain one or more blockchains (e.g., public blockchains, private blockchains, consortium blockchains, etc.) and include a plurality of blockchain nodes for carrying the one or more blockchains; for example, blockchain node 1, blockchain node 2, blockchain node 3, blockchain node 4, blockchain node i, etc., as shown in fig. 1, may collectively carry one or more blockchains. Cross-chain data access can be performed between the blockchains contained in each blockchain system and between the blockchain systems.
In one embodiment shown, the blockchain nodes may be physical devices, or may be virtual devices implemented in a server or a server cluster; for example, a blockchain node may be one physical host in a server cluster, or may be a virtual machine created by virtualizing hardware resources carried by a server or a server cluster based on a virtualization technology. The blockchain nodes may be coupled together by various types of communication methods (e.g., TCP/IP, etc.) to form a network to carry one or more blockchains.
In one illustrated embodiment, the server side 102 may include a BaaS platform (also referred to as a BaaS cloud) for providing Blockchain as a Service (BaaS).
The BaaS platform may provide blockchain services to user-side computing devices coupled to the BaaS platform by providing pre-written software for activities that occur on the blockchain (such as subscription and notification, user verification, database management, and remote updates).
For example, a BaaS platform may provide software such as MQ (Message Queue) services. A user-side computing device coupled to the BaaS platform can subscribe to the contract events that a smart contract, deployed on a blockchain in a blockchain system coupled to the BaaS platform, generates on the blockchain after its execution is triggered. The BaaS platform can monitor the events generated on the blockchain after the smart contract is triggered to execute and then, based on the MQ-related software, add each contract event to the message queue in the form of a notification message, so that the user-side computing devices subscribed to the message queue can obtain the notification related to the contract event.
Data generated outside the blockchain can be constructed into a standard transaction format supported by the blockchain and then published to the blockchain, where all nodes in the blockchain network reach consensus on the transaction. After consensus is reached, a node in the blockchain network acting as the accounting node can persist the transaction in the blockchain.
A programmable blockchain can support users in creating and invoking complex logic in the blockchain network by providing them with smart contract functionality. A smart contract is a program on a blockchain whose execution can be triggered by a transaction. A smart contract may be defined in the form of code.
After the smart contract is created, a contract account corresponding to the smart contract appears on the blockchain and has a specific address. The behavior of a smart contract is controlled by the contract code (code) in the contract account, while the account storage (storage) in the contract account preserves the state of the smart contract.
The transaction for invoking the smart contract may include the address of the account initiating the invocation, the address of the smart contract to be invoked, and the methods and parameters for invoking the smart contract. After the smart contract is invoked, the state of the smart contract may change; the state of the smart contract may be viewed by communicating with the blockchain nodes.
The smart contract can be executed independently by each node in the blockchain network in a specified manner, and all execution records and related data can be stored on the blockchain, so that after the transaction has been executed, a transaction record that cannot be tampered with and cannot be lost is stored on the blockchain.
Smart contracts deployed on the blockchain can generally only access data stored on the blockchain; in practical applications, for some complex business scenarios implemented with smart contract technology, the smart contract may need to access external data stored on an off-chain data entity.
In this scenario, the smart contract deployed on the blockchain may access data on the off-chain data entities through an oracle program, thereby implementing data interaction between the smart contract and data entities in the real world. The off-chain data entities may include, for example, centralized servers or data centers deployed off-chain.
In practical applications, when an oracle program is deployed for a smart contract on a blockchain, an oracle smart contract corresponding to the oracle program can be deployed on the blockchain. The oracle smart contract is used for maintaining the external data sent by the oracle program to the smart contract on the blockchain; for example, the external data sent by the oracle program to the smart contract on the blockchain may be stored in the account storage space (the storage field) of the oracle smart contract.
When a target smart contract on the blockchain is invoked, the external data required by the target smart contract can be read from the account storage space of the oracle smart contract to complete the invocation of the smart contract.
It should be noted that, when sending external data to the smart contract on the blockchain, the oracle program may use an active sending method or a passive sending method.
In one implementation, the off-chain data entity may sign the external data to be provided to the target smart contract with the private key of the oracle program and then send it to the oracle smart contract; for example, the signed external data may be sent to the oracle smart contract periodically.
The oracle smart contract can maintain a CA (certificate authority) certificate of the oracle program; after receiving the external data sent by the off-chain data entity, it can verify the signature of the external data using the public key of the oracle program maintained in the CA certificate, and, after the signature verification passes, store the external data sent by the off-chain data entity in the account storage space of the oracle smart contract.
In another implementation, when a target smart contract on a blockchain is invoked, if the external data required by the target smart contract cannot be read from the account storage space of the oracle smart contract, the oracle smart contract may interact with the oracle program by using the event mechanism of the smart contract, and the oracle program sends the external data required by the target smart contract to the account storage space of the oracle smart contract.
For example, when a target smart contract on a blockchain is invoked, if the external data required by the target smart contract cannot be read from the account storage space of the oracle smart contract, the oracle smart contract can generate an external data acquisition event, record the event in the transaction log of the transaction that invoked the smart contract, and store the transaction log in the storage space of a node device. The oracle program can monitor the transaction logs generated by the oracle smart contract and stored in the storage space of the node device, and, after detecting an external data acquisition event in a transaction log, respond to the event by sending the external data required by the target smart contract to the oracle smart contract.
The event mechanism of the smart contract is a way for the smart contract to interact with off-chain entities. Smart contracts deployed on a blockchain generally cannot interact directly with off-chain entities; for example, a smart contract generally cannot send its invocation result point-to-point to the initiator of the invocation after the invocation is completed.
The invocation results (including intermediate results and final results) generated by the smart contract during the invocation are usually recorded in the form of events (events) in the transaction logs (transaction logs) of the transaction that invoked the smart contract, and stored in the storage space of the blockchain nodes. An off-chain entity that needs to interact with the smart contract can obtain the invocation result of the smart contract by monitoring the transaction logs stored in the storage space of the blockchain nodes.
This specification provides a technical solution for blockchain-based key management. The public key of a user is first divided into a plurality of public key fragments, which are stored in a distributed manner in at least one storage node. Subsequently, in response to a signature processing operation initiated by the user for a target digital file, when the identity authentication of the user passes, authorization logic contained in a first smart contract that is deployed on the blockchain and used for managing the private key of the user is invoked to generate authorization information for signing the target digital file using the digital seal of the user, and the authorization information is signed based on the private key of the user. In response to the obtained signed authorization information, a signing service end obtains the plurality of public key fragments from the at least one storage node and splices them; when the public key of the user is recovered by splicing the plurality of public key fragments, the signature of the authorization information can be verified based on the public key of the user, and the target digital file is signed based on the digital seal of the user after the verification passes.
In particular implementations, in one aspect, a first smart contract for managing a private key of a user may be deployed on a blockchain; on the other hand, the public key of the user can be divided into a plurality of private key fragments and stored in at least one storage node in a distributed mode.
For a target digital file which needs to be signed, a user in charge of signing the target digital file can initiate a signing processing operation for the target digital file through the client.
The client may respond to the signature processing operation and perform identity authentication on the user when detecting the signature processing operation.
When the identity authentication of the user passes, the client may invoke the authorization logic included in the first smart contract, that is, execute the part of the code of the first smart contract that corresponds to the authorization logic, to generate authorization information for signing the target digital file using the digital seal of the user and to sign the authorization information based on the private key of the user. Subsequently, in response to the obtained signed authorization information, the signing service end may first obtain the plurality of public key fragments from the at least one storage node and splice the obtained public key fragments. Since the plurality of public key fragments are obtained by splitting the public key of the user, the public key of the user can be recovered by splicing them.
When the signing service end has completed the splicing of the plurality of public key fragments, that is, has recovered the public key of the user, it can verify the signature of the authorization information based on the public key of the user, and sign the target digital file based on the digital seal of the user after the verification passes. The private key of the user and the public key of the user are a pair of asymmetric keys held by the user; the digital seal of the user may be a desired digital seal selected from all digital seals available to the user.
In this way, in a first aspect, signing the target digital file with the digital seal of the user can be authorized based on the private key of the user, which ensures the security of use of the digital seal and prevents the digital seal from being stolen and abused; in a second aspect, the public key of the user can be divided into a plurality of public key fragments that are stored in a distributed manner in at least one storage node, and the public key of the user is restored by splicing the plurality of public key fragments obtained from the at least one storage node, so that even if some of the public key fragments are leaked, the public key of the user cannot be restored from those fragments alone, which can further improve the security of use of the digital seal; in a third aspect, a user may entrust his public key to a storage system for hosting and storage, which provides convenience to the user while ensuring the data security of the public key.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for managing keys based on a blockchain according to an exemplary embodiment of the present disclosure.
In this embodiment, the above key management method based on the block chain may be applied to the client. The user can initiate the signature processing operation aiming at the digital file needing signature processing through the client, and the client can complete the signature processing of the digital file by using the digital seal of the user through data interaction with the blockchain.
In conjunction with the network environment shown in FIG. 1, the client described above may run on device 4 in user-side computing device 101. The blockchain may be any type of blockchain that provides intelligent contract functionality.
An intelligent contract (hereinafter referred to as a first intelligent contract) for managing a private key of a user may be deployed on the block chain. Accordingly, the public key of the user can be divided into a plurality of public key fragments which are stored in at least one storage node in a distributed mode.
In practical applications, since the blockchain technology is a distributed ledger technology, a blockchain network usually includes a plurality of blockchain nodes, in which case, the storage node may be a blockchain node in the blockchain. Alternatively, the storage node may be a storage node in a distributed storage system in communication with the blockchain.
Further, each storage node may store at least one public key shard. For example, assuming that the public key of the user is divided into 3 public key fragments, which are respectively a public key fragment 1, a public key fragment 2, and a public key fragment 3, the public key fragment 1 and the public key fragment 2 may be stored by one storage node, and the public key fragment 3 may be stored by another storage node, or the public key fragment 1, the public key fragment 2, and the public key fragment 3 may be stored to three different storage nodes.
In an illustrated embodiment, the public key of the user may be divided into several public key fragments, which are stored in a distributed manner on at least one cloud storage node in a cloud storage system.
Cloud storage is a mode of online storage on the internet, and data can be stored in a plurality of virtual servers provided by a third party instead of a dedicated server in a hosted mode. The plurality of virtual servers form a cloud storage system, and each virtual server is a cloud storage node in the cloud storage system. Generally, the cloud storage system may be accessed in the form of accessing a web service, that is, accessing the cloud storage system through an API (Application Programming Interface) provided by the cloud storage system.
The above key management method based on block chains may include the following steps:
Step 202: In response to a signature processing operation initiated by the user for a target digital file, perform identity authentication on the user.
In this embodiment, for any digital file (hereinafter referred to as a target digital file) that needs to be signed, a user in charge of signing the target digital file may initiate a signing operation for the target digital file through the client.
Specifically, the client may output a user interface for signing the digital file as shown in fig. 3 to the user. The user may upload the target digital file in the user interface, select a desired digital seal (hereinafter referred to as a target digital seal) from all digital seals that the user can use, and then click an "ok" button after the upload of the target digital file and the selection of the target digital seal are completed, so as to trigger the signature processing of the target digital file based on the target digital seal. In this case, the client may determine the user's click operation on the "confirm" button as the user-initiated signature processing operation for the target digital file.
In practical applications, the user responsible for signing the target digital file may be a legal owner of the digital seal for signing the target digital file, or another user who has been authorized by the legal owner to use the digital seal. The user may refer to an individual, an organization, and the like, which is not limited in this specification.
The client may respond to the signature processing operation when detecting the signature processing operation, and perform identity authentication on the user to determine whether the user has the signature processing authority. The user having the signature processing authority may indicate that the user is a legal owner of the digital seal for performing signature processing on the target digital file, or that the user is authorized to use the digital seal.
Specifically, the client may obtain the identity information of the user, and perform identity authentication on the user based on the obtained identity information. For any user, the identity information may include a combination of one or more of the following: the identity of the user (for example, biometric information such as face information and fingerprint information, or an account used for logging in to the client); a blockchain account of the user; and other information that can be used to uniquely refer to the user.
In order to avoid the waste of storage resources of the client due to the excessive data maintenance of the client, the association relationship between the digital seal and the identity information of the user who can use the digital seal can be maintained by the database. Wherein, the database can be deployed on other devices different from the device on which the client is located.
For example, the above-mentioned association relationship may be as shown in table 1 below:
[Table 1: association between digital seals and the identity information of the users who can use them; table image not reproduced]
Digital seal 1 can be used only by the user having identity information 1; digital seal 2 can be used by the user having identity information 1, the user having identity information 2, and the user having identity information 3.
In this case, the client may access the database to obtain the association relationship stored in the database. When performing identity authentication on the user based on the acquired identity information, the client can look up the identity information in the association relationship stored in the database; if the identity information is found, the identity authentication of the user can be considered to have passed, and otherwise the identity authentication of the user is considered not to have passed. For example, if the user selects the target digital seal through the user interface, it may be determined whether the database stores an association between the target digital seal and the identity information; if so, the identity authentication of the user may be considered to have passed, and otherwise it is considered not to have passed.
Step 204: If the identity authentication of the user passes, invoke the authorization logic contained in the first smart contract to generate authorization information for signing the target digital file using the digital seal of the user, and sign the authorization information based on the private key of the user, so that a signing service end, in response to the obtained signed authorization information, obtains the plurality of public key fragments from the at least one storage node, splices the plurality of public key fragments, verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and signs the target digital file based on the digital seal of the user after the verification passes.
In this embodiment, the client may invoke the first smart contract when the identity authentication of the user passes.
In practical applications, the client may construct the invocation data for invoking the first smart contract into a standard transaction format supported by the blockchain, as a contract invocation transaction, and issue the contract invocation transaction to the blockchain, where all the blockchain nodes in the blockchain reach consensus on the contract invocation transaction. After consensus is reached, the contract invocation transaction may be packaged into a block by the blockchain node acting as the accounting node. For a contract invocation transaction packaged into a block, each blockchain node in the blockchain may invoke the first smart contract in response to the contract invocation transaction.
Specifically, the blockchain node may invoke the authorization logic included in the first smart contract, that is, execute the part of the code of the first smart contract that corresponds to the authorization logic, to generate authorization information for signing the target digital file with the digital seal of the user and to sign the authorization information based on the private key of the user. Subsequently, in response to the obtained signed authorization information, the signing service end may obtain the plurality of public key fragments from the at least one storage node and splice the obtained public key fragments. Since the plurality of public key fragments are obtained by splitting the public key of the user, the public key of the user can be recovered by splicing them.
When the signing service end has completed the splicing of the plurality of public key fragments, that is, has recovered the public key of the user, it can verify the signature of the authorization information based on the public key of the user, and sign the target digital file based on the digital seal of the user after the verification passes. The private key of the user and the public key of the user are a pair of asymmetric keys held by the user; the digital seal of the user may be a desired digital seal selected from all digital seals available to the user.
As described above, the user may select a desired digital seal from all digital seals available to the user through the user interface for signing digital files, so as to use that digital seal to sign the target digital file.
Alternatively, a digital seal matching the file type of the target digital file may be determined from all digital seals that the user can use; in this case, the digital seal is one that can be used for signing digital files of that file type. Subsequently, the digital seal can be used to sign the target digital file.
In practical application, the target digital file may be stored in the block chain in advance, so that the target digital file may be directly acquired from the block chain when the target digital file needs to be signed subsequently. Similarly, the digital seal of the user may also be stored in the blockchain in advance, so that the digital seal of the user may be directly obtained from the blockchain when the digital seal of the user needs to be used subsequently.
Therefore, the user can realize the signature processing of the target digital file only by initiating the signature processing operation through the client, and does not need to execute other operations, thereby simplifying the signature processing flow of the user for the digital file.
The embodiment shown in fig. 2 will be described in detail below in terms of splitting and storing the public key of the user, splicing the public key fragments, and authorizing the signature processing of the target digital file.
(1) Splitting and storing the public key of the user
In an embodiment shown, a user can host and store the public key to a storage system, so that the user can be prevented from keeping the private key by himself, and convenience is provided for the user while the data security of the private key is ensured.
In this case, the user may initiate a hosting operation for the user's public key through the client. The client side can respond to the hosting operation, obtain the public key of the user, call the public key segmentation logic contained in the first intelligent contract, and perform segmentation processing on the public key of the user to obtain a plurality of public key fragments.
In a case where the public key splitting process for the user is completed by calling the public key splitting logic included in the first intelligent contract, the storage logic included in the first intelligent contract may be further called, at least one storage node may be allocated from the distributed storage system, and the plurality of public key fragments obtained by the splitting process may be stored in the at least one storage node, respectively.
As described in the foregoing, when the plurality of public key fragments are stored in the at least one storage node, different public key fragments may be stored in different storage nodes, that is, one storage node stores one public key fragment; alternatively, part of the public key fragments may be stored in the same storage node, and other public key fragments may be stored in other storage nodes, for example, one storage node stores one or two public key fragments.
In an embodiment shown, at least one storage node may be randomly allocated from the distributed storage system; for example, assuming that the distributed storage system includes 5 storage nodes in total, and assuming that 3 storage nodes are required to store the public key fragments, 3 storage nodes may be randomly selected from the 5 storage nodes of the distributed storage system, and the public key fragments are respectively stored in the 3 randomly selected storage nodes.
In one embodiment, if the distributed storage system is an off-chain storage system with respect to the blockchain, the first smart contract may perform data interaction with the distributed storage system through an oracle program.
In this case, although the at least one storage node could obtain the plurality of public key fragments from the first smart contract through the event mechanism of the smart contract, in order to facilitate management of the at least one storage node, the first smart contract may instead send the plurality of public key fragments to the at least one storage node through the oracle program, so that the plurality of public key fragments are stored by the at least one storage node.
In an illustrated embodiment, in order to further improve data security, a TEE (Trusted Execution Environment) may be installed on the node device in the block chain, and the first smart contract may be deployed in the TEE.
Specifically, the code of the first smart contract may be encrypted based on a key maintained in the TEE in a symmetric encryption manner, and the encrypted first smart contract is deployed in the blockchain, and then the encrypted first smart contract stored in the blockchain may be loaded into the TEE, and the TEE decrypts the encrypted first smart contract based on the key, and executes the code of the first smart contract obtained through decryption, so as to implement invocation of the first smart contract.
In this case, when the plurality of public key fragments are stored in the at least one storage node, specifically, in the TEE, the plurality of public key fragments may be encrypted based on a key maintained in the TEE, and the encrypted plurality of public key fragments may be stored in the at least one storage node. Correspondingly, when the plurality of public key fragments are obtained from the at least one storage node and are subjected to splicing processing, the plurality of encrypted public key fragments may be obtained from the at least one storage node, and in the TEE, the plurality of encrypted public key fragments are decrypted based on the secret key to obtain the plurality of public key fragments and are subjected to splicing processing.
(2) Splicing the public key fragments
In one embodiment, if the distributed storage system is an off-chain storage system with respect to the blockchain, the first smart contract may perform data interaction with the distributed storage system through an oracle program.
In this case, the first smart contract may read the plurality of public key fragments stored in the at least one storage node through the oracle program, and splice the public key fragments it has read to recover the public key of the user.
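An added example, not code from the patent: one way to implement the split, random node allocation and splicing steps described in (1) and (2) above, including the cases where a fragment is missing or altered. The fragment index, the SHA-256 digest used to check the spliced key, the node names and the sample key bytes are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import secrets


class FragmentError(Exception):
    """Raised when the collected fragments cannot be spliced into the original key."""


# Constructed sample: 65 bytes shaped like an uncompressed EC point, not a real key.
SAMPLE_PUBLIC_KEY = b"\x04" + bytes(range(64))


def split_public_key(public_key: bytes, n_fragments: int) -> list[dict]:
    """Cut the key into contiguous fragments tagged with their position.

    The index/total/digest metadata is an assumption of this example; the
    page only says that the key is divided into several fragments.
    """
    if not 1 <= n_fragments <= len(public_key):
        raise ValueError("fragment count must be between 1 and the key length")
    digest = hashlib.sha256(public_key).hexdigest()
    base, extra = divmod(len(public_key), n_fragments)
    fragments, offset = [], 0
    for index in range(n_fragments):
        size = base + (1 if index < extra else 0)
        fragments.append({
            "index": index,
            "total": n_fragments,
            "key_sha256": digest,
            "data": public_key[offset:offset + size],
        })
        offset += size
    return fragments


def allocate_nodes(all_nodes: list[str], count: int) -> list[str]:
    """Randomly pick `count` distinct storage nodes, e.g. 3 out of 5."""
    if count > len(all_nodes):
        raise ValueError("not enough storage nodes")
    return secrets.SystemRandom().sample(all_nodes, count)


def store_fragments(fragments: list[dict], storage: dict[str, list],
                    chosen: list[str]) -> None:
    """Spread fragments over the chosen nodes; one node may hold several."""
    for position, fragment in enumerate(fragments):
        storage[chosen[position % len(chosen)]].append(fragment)


def splice_fragments(collected: list[dict]) -> bytes:
    """Reassemble the key, refusing incomplete, mixed or altered fragment sets."""
    if not collected:
        raise FragmentError("no fragments collected")
    total = collected[0]["total"]
    digest = collected[0]["key_sha256"]
    by_index: dict[int, bytes] = {}
    for fragment in collected:
        if fragment["total"] != total or fragment["key_sha256"] != digest:
            raise FragmentError("fragments belong to different keys")
        if fragment["index"] in by_index:
            raise FragmentError("duplicate fragment index")
        by_index[fragment["index"]] = fragment["data"]
    if set(by_index) != set(range(total)):
        raise FragmentError("fragment set is incomplete or has unexpected indexes")
    # Fragments may arrive in any order; the index restores the original order.
    key = b"".join(by_index[i] for i in range(total))
    if hashlib.sha256(key).hexdigest() != digest:
        raise FragmentError("spliced key does not match the recorded digest")
    return key


def demo() -> bytes:
    """Split into 3 fragments, store on 3 of 5 nodes, read back and splice."""
    storage = {f"node-{i}": [] for i in range(1, 6)}
    chosen = allocate_nodes(list(storage), 3)
    store_fragments(split_public_key(SAMPLE_PUBLIC_KEY, 3), storage, chosen)
    collected = [frag for held in storage.values() for frag in held]
    return splice_fragments(collected)


if __name__ == "__main__":
    print(demo() == SAMPLE_PUBLIC_KEY)
```
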
(3) Authorizing the signature processing of the target digital file
In an embodiment shown, when the user is authorized to use the digital seal of the user to sign the target digital file based on the private key of the user, specifically, an authorization logic included in the first intelligent contract may be further invoked, that is, a part of codes corresponding to the authorization logic in the codes of the first intelligent contract is executed, authorization information for signing the target digital file using the digital seal of the user is generated, the authorization information is signed based on the recovered private key of the user, a signature service end may subsequently respond to the obtained signed authorization information, verify the signature of the authorization information based on the public key of the user, and sign the target digital file based on the digital seal of the user after the verification is passed. The private key of the user and the public key of the user are a pair of asymmetric keys held by the user.
Therefore, the user can realize the signature processing of the target digital file only by initiating the signature processing operation through the client, and does not need to execute other operations, thereby simplifying the signature processing flow of the user for the digital file.
In an embodiment shown, the signing service end may be a centralized signing server, or may be an intelligent contract (hereinafter referred to as a second intelligent contract) deployed on the blockchain for signing the digital file.
If the signing service end is the signing server, then, in conjunction with the network environment shown in fig. 1, the signing server may be the device 5 in the user-side computing device 101. When the signing of the authorization information based on the private key of the user has been completed by calling the authorization logic included in the first smart contract, the signed authorization information is the call result of the first smart contract; in this case, an event including the signed authorization information may be generated, recorded in the transaction log of the contract invocation transaction, and stored in the blockchain.
The signing server may obtain the event by monitoring the transaction log stored in the blockchain, and thereby obtain the signed authorization information included in the event. Alternatively, the signing server may subscribe to an SDK (Software Development Kit) that is deployed on a blockchain node in the blockchain and serves as an event notification center, so that when the SDK detects that the event has been generated, it sends the event to the signing server, which can then obtain the signed authorization information included in the event.
Subsequently, the signature server may respond to the obtained signed authorization information, verify the signature of the authorization information based on the public key of the user, and perform signature processing on the target digital file based on the digital seal of the user after the verification is passed. Wherein the public key of the user may be maintained by the signing server.
If the signing service end is the second smart contract, then, when the signing of the authorization information based on the private key of the user has been completed by calling the authorization logic contained in the first smart contract, the first smart contract can submit the signed authorization information to the second smart contract as a call parameter of a cross-contract call, so as to call the second smart contract across contracts.
In practical applications, the first intelligent contract may create a message including the signed authorization information based on a mechanism for message invocation between different intelligent contracts, and send the message to the second intelligent contract, so that the second intelligent contract may respond to the message when receiving the message, obtain the signed authorization information in the message, and execute a corresponding code in codes of the second intelligent contract based on the signed authorization information.
Specifically, the signing logic included in the second intelligent contract may be called across contracts, that is, a part of codes corresponding to the signing logic in the codes of the second intelligent contract is executed, the signature of the authorization information is verified based on the public key of the user, and the target digital file is signed based on the digital seal of the user after the verification is passed. Wherein the public key of the user may be maintained by the second intelligent contract.
In the above technical solution, the public key of a user may first be divided into a plurality of public key fragments, which are stored in a distributed manner in at least one storage node. Then, in response to a signature processing operation initiated by the user for a target digital file, when the identity authentication of the user passes, the authorization logic included in a first smart contract that is deployed on the blockchain and used for managing the private key of the user may be invoked to generate authorization information for signing the target digital file using the digital seal of the user, and the authorization information is signed based on the private key of the user. In response to the obtained signed authorization information, a signing service end obtains the plurality of public key fragments from the at least one storage node and splices them; when the public key of the user is recovered by splicing the plurality of public key fragments, the signature of the authorization information can be verified based on the public key of the user, and the target digital file can be signed based on the digital seal of the user after the verification passes.
In this way, in a first aspect, signing the target digital file with the digital seal of the user can be authorized based on the private key of the user, which ensures the security of use of the digital seal and prevents the digital seal from being stolen and abused; in a second aspect, the public key of the user can be divided into a plurality of public key fragments that are stored in a distributed manner in at least one storage node, and the public key of the user is restored by splicing the plurality of public key fragments obtained from the at least one storage node, so that even if some of the public key fragments are leaked, the public key of the user cannot be restored from those fragments alone, which can further improve the security of use of the digital seal; in a third aspect, a user may entrust his public key to a storage system for hosting and storage, which provides convenience to the user while ensuring the data security of the public key.
Referring to fig. 4, fig. 4 illustrates another block chain-based key management method according to an exemplary embodiment of the present disclosure.
In this embodiment, the key management method based on the blockchain may be applied to a blockchain service platform. A user can initiate a signature processing operation aiming at a digital file needing signature processing through a client; the client can perform data interaction with the blockchain service platform, and the blockchain service platform can further perform data interaction with the blockchain, so that signature processing of the digital file by using the digital seal of the user is completed.
In conjunction with the network environment shown in FIG. 1, the client described above may run on device 3 in user-side computing device 101; the blockchain service platform may run on the server side 102. The blockchain may be any type of blockchain that provides intelligent contract functionality.
An intelligent contract (hereinafter referred to as a first intelligent contract) for managing a private key of a user may be deployed on the block chain. Accordingly, the public key of the user can be divided into a plurality of public key fragments which are stored in at least one storage node in a distributed mode.
In one embodiment, the public key of the user may be divided into several public key fragments, which are stored in a distributed manner on at least one cloud storage node in a cloud storage system.
The above key management method based on block chains may include the following steps:
Step 402: Receive a signature request that the client sends when, in response to a signature processing operation initiated by the user for a target digital file, the identity authentication of the user passes.
In this embodiment, for any digital file (hereinafter referred to as a target digital file) that needs to be signed, a user in charge of signing the target digital file may initiate a signing operation for the target digital file through the client.
The client may respond to the signature processing operation and perform identity authentication on the user when detecting the signature processing operation.
And the client can construct a signature request under the condition that the identity authentication of the user passes, and send the signature request to the blockchain service platform, so that the blockchain service platform can receive the signature request.
Step 404: In response to the signing request, invoke the authorization logic contained in the first intelligent contract, generate authorization information for signing the target digital file with the digital seal of the user, and sign the authorization information based on a private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices them, then verifies the signature of the authorization information based on the public key of the user obtained by splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user.
In this embodiment, when the blockchain service platform receives the signature request, it may respond by using the invocation data for invoking the first intelligent contract to construct a contract invocation transaction in a standard transaction format supported by the blockchain, and issue the contract invocation transaction to the blockchain, where all blockchain nodes in the blockchain reach consensus on the contract invocation transaction. After consensus is reached, the contract invocation transaction may be packaged into a block by the blockchain node that acts as the accounting node. For a contract invocation transaction packaged into a block, each blockchain node in the blockchain may invoke the first intelligent contract in response to the contract invocation transaction.
Specifically, the authorization logic included in the first intelligent contract may be called by the block chain node, that is, a part of codes corresponding to the authorization logic in the codes of the first intelligent contract is executed, authorization information for signing the target digital file using the digital seal of the user is generated, the authorization information is signed based on the private key of the user, and subsequently, the signing service end may respond to the obtained signed authorization information, first obtain the plurality of public key fragments from the at least one storage node, and splice the obtained plurality of public key fragments. Since the plurality of public key fragments are obtained by splitting the public key of the user, in this case, the public key of the user can be recovered by splicing the plurality of public key fragments.
For the specific implementation of the signature service side, reference may be made to the step 204, which is not described herein again.
In one embodiment, the signature server is a centralized signature server.
In one embodiment, the signature service end is a second intelligent contract which is deployed on the blockchain and used for signature processing of digital files;
in this case, signing the authorization information based on the private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices them, then verifies the signature of the authorization information based on the public key of the user obtained by splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user, may include:
signing the authorization information based on the private key of the user, submitting the signed authorization information to the second intelligent contract as a call parameter of a cross-contract call, invoking through the cross-contract call the public key splicing logic contained in the second intelligent contract, obtaining the plurality of public key fragments from the at least one storage node, and splicing the plurality of public key fragments; and
in response to completion of the splicing of the public key of the user, further invoking the signature logic contained in the second intelligent contract, verifying the signature of the authorization information based on the public key of the user obtained by splicing, and, after the verification passes, signing the target digital file based on the digital seal of the user.
In one illustrated embodiment, the blockchain service platform may further:
receive the public key of the user, which the client obtains and sends in response to an escrow operation initiated by the user for the private key of the user;
in response to receiving the public key of the user, invoke the public key segmentation logic contained in the first intelligent contract and segment the public key of the user to obtain the plurality of public key fragments; and
in response to completion of the segmentation of the public key of the user, further invoke the storage logic contained in the first intelligent contract, allocate at least one storage node from a distributed storage system, and store the plurality of public key fragments on the at least one storage node respectively.
In one illustrated embodiment, the first intelligent contract exchanges data with the distributed storage system through an oracle program;
the storing the plurality of public key fragments to the at least one storage node respectively may include:
sending the public key fragments to the at least one storage node for storage through the oracle program;
the obtaining the plurality of public key fragments from the at least one storage node may include:
reading the public key fragments stored by the at least one storage node through the oracle program.
In one embodiment, the allocating at least one storage node from the distributed storage system may include:
at least one storage node is randomly allocated from the distributed storage system.
In one illustrated embodiment, the first smart contract is deployed in a TEE hosted on a node device in the blockchain;
the storing the plurality of public key fragments to the at least one storage node respectively may include:
based on the secret key maintained in the TEE, encrypting the plurality of public key fragments, and respectively storing the encrypted plurality of public key fragments to the at least one storage node;
the obtaining the plurality of public key fragments from the at least one storage node and splicing the plurality of public key fragments may include:
and acquiring the encrypted public key fragments from the at least one storage node, decrypting the encrypted public key fragments based on the secret key maintained in the TEE, and splicing the decrypted public key fragments.
The specific implementation of each step in the embodiment shown in fig. 4 may refer to the embodiment shown in fig. 2, and this description is not repeated here.
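Added example, not part of the patent text: a Go sketch of the TEE embodiment above (encrypt fragments, fetch, decrypt, splice) followed by the signature check of Step 404. The patent names no algorithms, so Ed25519, AES-GCM, the binding of each fragment's index into the associated data, and every identifier below are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type Fragment struct { // one fragment as returned by an untrusted storage node
	Index  int    // position of the fragment in the original key
	Sealed []byte // nonce || AES-GCM ciphertext and tag
}

func aad(index, total int) []byte { // binds a ciphertext to its position (added assumption)
	return []byte(fmt.Sprintf("pubkey-fragment:%d/%d", index, total))
}

// SplitAndSeal encrypts n contiguous fragments under tee, the AEAD keyed inside the TEE.
func SplitAndSeal(pub ed25519.PublicKey, n int, tee cipher.AEAD) ([]Fragment, error) {
	if n < 1 || n > len(pub) {
		return nil, errors.New("fragment count out of range")
	}
	frags := make([]Fragment, n)
	for i := range frags {
		nonce := make([]byte, tee.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		part := pub[i*len(pub)/n : (i+1)*len(pub)/n]
		frags[i] = Fragment{Index: i, Sealed: tee.Seal(nonce, nonce, part, aad(i, n))}
	}
	return frags, nil
}

// OpenAndSplice rejects missing, duplicated, relabelled or modified fragments.
func OpenAndSplice(frags []Fragment, total int, tee cipher.AEAD) (ed25519.PublicKey, error) {
	if len(frags) != total {
		return nil, fmt.Errorf("expected %d fragments, got %d", total, len(frags))
	}
	parts, seen, ns := make([][]byte, total), make([]bool, total), tee.NonceSize()
	for _, f := range frags {
		if f.Index < 0 || f.Index >= total || seen[f.Index] || len(f.Sealed) < ns {
			return nil, fmt.Errorf("fragment %d is malformed or duplicated", f.Index)
		}
		part, err := tee.Open(nil, f.Sealed[:ns], f.Sealed[ns:], aad(f.Index, total))
		if err != nil {
			return nil, fmt.Errorf("fragment %d failed authentication: %w", f.Index, err)
		}
		parts[f.Index], seen[f.Index] = part, true
	}
	pub := bytes.Join(parts, nil)
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on other lengths
		return nil, errors.New("spliced key has the wrong length")
	}
	return pub, nil
}

// AuthorizeSealing gates use of the digital seal on key recovery and signature verification.
func AuthorizeSealing(frags []Fragment, total int, tee cipher.AEAD, authInfo, sig []byte) error {
	pub, err := OpenAndSplice(frags, total, tee)
	if err == nil && !ed25519.Verify(pub, authInfo, sig) {
		err = errors.New("authorization signature does not verify")
	}
	return err
}

// demoSetup builds constructed inputs: sealed fragments, the AEAD, a signed authorization.
func demoSetup() (frags []Fragment, tee cipher.AEAD, authInfo, sig []byte) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	key := make([]byte, 32) // constructed stand-in for the TEE-held key
	_, err := rand.Read(key)
	check(err)
	block, err := aes.NewCipher(key)
	check(err)
	tee, err = cipher.NewGCM(block)
	check(err)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	authInfo = []byte("seal-authorization user=alice file=contract.pdf") // constructed
	sig = ed25519.Sign(priv, authInfo)
	frags, err = SplitAndSeal(pub, 4, tee)
	check(err)
	return
}

func main() {
	frags, tee, authInfo, sig := demoSetup()
	fmt.Println("intact:", AuthorizeSealing(frags, 4, tee, authInfo, sig))
	frags[2].Sealed[20] ^= 1 // a storage node returns a modified fragment
	fmt.Println("modified:", AuthorizeSealing(frags, 4, tee, authInfo, sig))
}
```

Because each ciphertext is authenticated together with its index, a storage node that alters, drops or relabels a fragment is caught at the splice step, before any signature verification runs.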
In the above technical solution, the public key of a user may first be divided into a plurality of public key fragments, which are stored in a distributed manner on at least one storage node. Then, in response to a signature processing operation initiated by the user for a target digital file, and when the identity authentication of the user passes, the authorization logic contained in a first intelligent contract, which is deployed on the blockchain and used for managing a private key of the user, may be invoked to generate authorization information for signing the target digital file with the digital seal of the user, and the authorization information is signed based on the private key of the user. In response to the obtained signed authorization information, a signing service end obtains the plurality of public key fragments from the at least one storage node and recovers the public key of the user by splicing them; it can then verify the signature of the authorization information based on the public key of the user and, after the verification passes, sign the target digital file based on the digital seal of the user.
In this way, in a first aspect, the target digital file can be signed with the digital seal of the user on the basis of authorization by the private key of the user, which ensures that the digital seal is used securely and prevents it from being stolen or abused; in a second aspect, the public key of the user can be divided into a plurality of public key fragments that are stored in a distributed manner on at least one storage node, and the public key of the user is recovered by splicing the plurality of public key fragments obtained from the at least one storage node, so that even if some of the public key fragments are leaked, the public key of the user cannot be recovered from those fragments alone, which further improves the security of using the digital seal; in a third aspect, a user may host and store his public key in a storage system, which is convenient for the user while ensuring the data security of the public key.
In correspondence with the foregoing embodiments of the method for key management based on a blockchain, the present specification also provides embodiments of a device for key management based on a blockchain.
The embodiments of the blockchain-based key management apparatus in this specification can be applied to an electronic device. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a logical apparatus, is formed when the processor of the electronic device in which it is located reads the corresponding computer program instructions from the nonvolatile memory into memory and runs them. In terms of hardware, FIG. 5 is a hardware structure diagram of the electronic device in which the blockchain-based key management apparatus of this specification is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in FIG. 5, the electronic device in which the apparatus is located may also include other hardware according to the actual function of the blockchain-based key management, which is not described again.
Referring to fig. 6, fig. 6 is a block diagram of a key management device based on a blockchain according to an exemplary embodiment of the present disclosure.
The above-mentioned key management apparatus based on block chain can be applied to a client running on an electronic device as shown in fig. 5; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments which are stored in at least one storage node in a distributed mode.
The above key management device based on a block chain may include:
the authentication module 601 is used for responding to signature processing operation initiated by the user and aiming at the target digital file and performing identity authentication on the user;
a calling module 602, configured to, if the identity authentication of the user passes, call an authorization logic included in the first intelligent contract, generate authorization information for signing and sealing the target digital file using the digital seal of the user, perform signature processing on the authorization information based on a private key of the user, so that a signing and sealing service end, in response to the obtained authorization information after signature, first obtain the public key fragments from the at least one storage node, perform splicing processing on the public key fragments, then verify a signature of the authorization information based on the public key of the user obtained through the splicing processing, and perform signature processing on the target digital file based on the digital seal of the user after the verification passes.
Referring to fig. 7, fig. 7 is a block diagram of another key management device based on a blockchain according to an exemplary embodiment of the present disclosure.
The above key management apparatus based on block chain can be applied to a block chain service platform running on an electronic device as shown in fig. 5; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments which are stored in at least one storage node in a distributed mode.
The above block chain-based key management apparatus may include:
a receiving module 701, configured to receive a signature request sent by a client when an identity authentication of the user passes in response to a signature processing operation initiated by the user and directed to a target digital file;
the calling module 702 is configured to, in response to the signing request, call authorization logic included in the first intelligent contract, generate authorization information for signing the target digital file using the digital seal of the user, perform signature processing on the authorization information based on a private key of the user, so that the signing service end, in response to the obtained authorization information after signature, first obtain the plurality of public key fragments from the at least one storage node, perform splicing processing on the plurality of public key fragments, then verify the signature of the authorization information based on the public key of the user obtained through the splicing processing, and perform signature processing on the target digital file based on the digital seal of the user after the verification is passed.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments.
The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the technical solution of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.

Claims (20)

1. A key management method based on block chain is applied to a client; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments which are stored in at least one storage node in a distributed manner; the method comprises the following steps:
responding to a signature processing operation initiated by the user and aiming at a target digital file, and performing identity authentication on the user;
if the identity authentication of the user passes, invoking the authorization logic contained in the first intelligent contract, generating authorization information for signing the target digital file with the digital seal of the user, and signing the authorization information based on the private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices the plurality of public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user.
2. The method of claim 1, wherein the public key of the user is divided into a number of public key fragments, which are hosted and stored in a distributed manner on at least one cloud storage node in a cloud storage system.
3. The method of claim 1, the signature server being a centralized signature server.
4. The method of claim 1, wherein the signing service is a second intelligent contract deployed on the blockchain for signing a digital file;
the signing the authorization information based on the private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices the plurality of public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user, comprises:
signing the authorization information based on the private key of the user, submitting the signed authorization information to the second intelligent contract as a call parameter of a cross-contract call, invoking through the cross-contract call the public key splicing logic contained in the second intelligent contract, obtaining the plurality of public key fragments from the at least one storage node, and splicing the plurality of public key fragments; and
in response to completion of the splicing of the public key of the user, further invoking the signature logic contained in the second intelligent contract, verifying the signature of the authorization information based on the public key of the user obtained by the splicing, and, after the verification passes, signing the target digital file based on the digital seal of the user.
5. The method of claim 1, further comprising:
in response to a hosting operation initiated by the user for the public key of the user, obtaining the public key of the user, invoking the public key segmentation logic contained in the first intelligent contract, and segmenting the public key of the user to obtain the plurality of public key fragments; and
in response to completion of the segmentation of the public key of the user, further invoking the storage logic contained in the first intelligent contract, allocating at least one storage node from a distributed storage system, and storing the plurality of public key fragments on the at least one storage node respectively.
6. The method of claim 5, the first smart contract interacting with the distributed storage system through an oracle program;
the storing the plurality of public key fragments to the at least one storage node respectively includes:
sending the public key fragments to the at least one storage node for storage through the oracle program;
the obtaining the public key fragments from the at least one storage node comprises:
reading the plurality of public key fragments stored by the at least one storage node through the oracle program.
7. The method of claim 5, the allocating at least one storage node from a distributed storage system, comprising:
at least one storage node is randomly allocated from the distributed storage system.
8. The method of claim 5, the first intelligent contract deployed in a TEE hosted on a node device in the blockchain;
the storing the plurality of public key fragments to the at least one storage node respectively includes:
based on the secret key maintained in the TEE, encrypting the plurality of public key fragments, and respectively storing the encrypted plurality of public key fragments to the at least one storage node;
the acquiring the plurality of public key fragments from the at least one storage node and splicing the plurality of public key fragments comprises:
and acquiring the encrypted public key fragments from the at least one storage node, decrypting the encrypted public key fragments based on the secret key maintained in the TEE, and splicing the decrypted public key fragments.
9. A key management method based on block chain is applied to a block chain service platform; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments which are stored in at least one storage node in a distributed manner; the method comprises the following steps:
receiving a signature request sent by a client when the client responds to signature processing operation initiated by the user and aiming at a target digital file and passes the identity authentication of the user;
and in response to the signing request, invoking the authorization logic contained in the first intelligent contract, generating authorization information for signing the target digital file with the digital seal of the user, and signing the authorization information based on a private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices the plurality of public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained by the splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user.
10. The method of claim 9, wherein the public key of the user is divided into a number of public key fragments, which are hosted and stored in a distributed manner on at least one cloud storage node in a cloud storage system.
11. The method of claim 9, the signature server being a centralized signature server.
12. The method of claim 9, wherein the signing service is a second intelligent contract deployed on the blockchain for signing a digital file;
the signing the authorization information based on the private key of the user, so that a signing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices the plurality of public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user, comprises:
signing the authorization information based on the private key of the user, submitting the signed authorization information to the second intelligent contract as a call parameter of a cross-contract call, invoking through the cross-contract call the public key splicing logic contained in the second intelligent contract, obtaining the plurality of public key fragments from the at least one storage node, and splicing the plurality of public key fragments; and
in response to completion of the splicing of the public key of the user, further invoking the signature logic contained in the second intelligent contract, verifying the signature of the authorization information based on the public key of the user obtained by the splicing, and, after the verification passes, signing the target digital file based on the digital seal of the user.
13. The method of claim 9, further comprising:
receiving a public key of the user, which is acquired and sent by the client in response to an escrow operation initiated by the user and aiming at the private key of the user;
in response to receiving the public key of the user, invoking the public key segmentation logic contained in the first intelligent contract, and segmenting the public key of the user to obtain the plurality of public key fragments; and
in response to completion of the segmentation of the public key of the user, further invoking the storage logic contained in the first intelligent contract, allocating at least one storage node from a distributed storage system, and storing the plurality of public key fragments on the at least one storage node respectively.
14. The method of claim 13, the first smart contract interacting with the distributed storage system through an oracle program;
the storing the plurality of public key fragments to the at least one storage node respectively includes:
sending the public key fragments respectively to the at least one storage node for storage through the oracle program;
the obtaining the plurality of public key fragments from the at least one storage node includes:
reading the plurality of public key fragments stored by the at least one storage node through the oracle program.
15. The method of claim 13, the allocating at least one storage node from a distributed storage system, comprising:
at least one storage node is randomly allocated from the distributed storage system.
16. The method of claim 13, the first smart contract deployed in a TEE hosted on a node device in the blockchain;
the storing the plurality of public key fragments to the at least one storage node respectively includes:
based on the secret key maintained in the TEE, encrypting the plurality of public key fragments, and respectively storing the encrypted plurality of public key fragments to the at least one storage node;
the acquiring the plurality of public key fragments from the at least one storage node and splicing the plurality of public key fragments comprises:
and acquiring the encrypted public key fragments from the at least one storage node, decrypting the encrypted public key fragments based on the secret key maintained in the TEE, and splicing the decrypted public key fragments.
17. A key management device based on a block chain is applied to a client; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments which are stored in at least one storage node in a distributed manner; the device comprises:
the authentication module is used for responding to signature processing operation aiming at the target digital file initiated by the user and authenticating the identity of the user;
and the calling module, configured to, if the identity authentication of the user passes, invoke the authorization logic contained in the first intelligent contract, generate authorization information for signing and sealing the target digital file with the digital seal of the user, and sign the authorization information based on a private key of the user, so that a signing and sealing service end, in response to the obtained signed authorization information, first obtains the plurality of public key fragments from the at least one storage node and splices the plurality of public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained through the splicing, and, after the verification passes, signs and seals the target digital file based on the digital seal of the user.
18. A blockchain-based key management device, applied to a blockchain service platform; a first intelligent contract used for managing a private key of a user is deployed on the blockchain; the public key of the user is divided into a plurality of public key fragments, which are stored in a distributed manner in at least one storage node; the device comprises:
a receiving module, configured to receive a signing request that a client sends when, in response to a signature processing operation initiated by the user for a target digital file, the identity authentication of the user has passed;
and a calling module, configured to, in response to the signing request, call authorization logic contained in the first intelligent contract, generate authorization information for signing the target digital file with the digital seal of the user, and sign the authorization information based on the private key of the user, so that a signing service end, in response to obtaining the signed authorization information, first acquires the public key fragments from the at least one storage node, splices the public key fragments, then verifies the signature of the authorization information based on the public key of the user obtained by splicing, and, after the verification passes, signs the target digital file based on the digital seal of the user.
19. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any of claims 1-8 or 9-16 by executing the executable instructions.
20. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method of any one of claims 1-8 or 9-16.
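The fragment handling of claim 16 and the verification step of claims 17 and 18, as an added Go example (not code from the patent or its applicant): a public key is split, each fragment is encrypted under a key that stands in for the one maintained in the TEE, and the verifier decrypts, splices and checks the signature over the authorization information. Assumptions not stated in the claims: AES-256-GCM for fragment encryption, Ed25519 for the user's signature, the user identifier and fragment index bound as associated data, and the hypothetical names `randBytes`, `seal`, `verify` and `scenario`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte { // OS CSPRNG; abort rather than continue with weak randomness
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal splits pub into n fragments and encrypts each with AES-GCM (assumed), binding user and index as AAD.
func seal(gcm cipher.AEAD, user string, pub []byte, n int) (out [][]byte) {
	for i := 0; i < n; i++ {
		nonce, frag := randBytes(gcm.NonceSize()), pub[i*len(pub)/n : (i+1)*len(pub)/n]
		out = append(out, gcm.Seal(nonce, nonce, frag, []byte(fmt.Sprintf("%s#%d", user, i))))
	}
	return out
}

// verify decrypts the fragments in index order, splicing as it goes, then checks the Ed25519 signature (assumed scheme).
func verify(gcm cipher.AEAD, user string, frags [][]byte, msg, sig []byte) bool {
	pub, ns, err := []byte{}, gcm.NonceSize(), error(nil)
	for i, f := range frags {
		if len(f) < ns {
			return false // truncated fragment
		}
		if pub, err = gcm.Open(pub, f[:ns], f[ns:], []byte(fmt.Sprintf("%s#%d", user, i))); err != nil {
			return false // tampered, swapped or reordered fragment
		}
	}
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

func scenario() (valid, reordered bool) { // constructed data: fragments in order, then two swapped
	block, _ := aes.NewCipher(randBytes(32)) // stand-in for the secret key maintained in the TEE
	gcm, _ := cipher.NewGCM(block)           // neither call can fail for a 32-byte AES key
	priv := ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))
	msg := []byte("constructed authorization: seal file F for user U")
	sig, f := ed25519.Sign(priv, msg), seal(gcm, "U", priv.Public().(ed25519.PublicKey), 4)
	return verify(gcm, "U", f, msg, sig), verify(gcm, "U", [][]byte{f[1], f[0], f[2], f[3]}, msg, sig)
}
func main() { fmt.Println(scenario()) }
```

Without the associated data, swapped fragments would still decrypt individually and the error would surface only as a failed signature check on a mis-spliced key.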
CN202210754111.6A 2022-06-28 2022-06-28 Key management method and device based on block chain Pending CN115118434A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210754111.6A CN115118434A (en) 2022-06-28 2022-06-28 Key management method and device based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210754111.6A CN115118434A (en) 2022-06-28 2022-06-28 Key management method and device based on block chain

Publications (1)

Publication Number Publication Date
CN115118434A true CN115118434A (en) 2022-09-27

Family

ID=83330730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210754111.6A Pending CN115118434A (en) 2022-06-28 2022-06-28 Key management method and device based on block chain

Country Status (1)

Country Link
CN (1) CN115118434A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743377A (en) * 2023-08-09 2023-09-12 腾讯科技(深圳)有限公司 Data processing method, device, equipment and storage medium based on blockchain key
CN116743377B (en) * 2023-08-09 2023-11-03 腾讯科技(深圳)有限公司 Data processing method, device, equipment and storage medium based on blockchain key

Similar Documents

Publication Publication Date Title
EP3721603B1 (en) System and method for creating decentralized identifiers
CN111429254B (en) Business data processing method and device and readable storage medium
CN111541785B (en) Block chain data processing method and device based on cloud computing
EP3788522B1 (en) System and method for mapping decentralized identifiers to real-world entities
Alblooshi et al. Blockchain-based ownership management for medical IoT (MIoT) devices
CN111095327A (en) System and method for verifying verifiable claims
CN111383021B (en) Node management method, device, equipment and medium based on block chain network
CN112003858B (en) Block chain-based platform docking method, electronic device and storage medium
CN111475827A (en) Private data query method and device based on down-link authorization
CN111476572B (en) Block chain-based data processing method, device, storage medium and equipment
US10936552B2 (en) Performing bilateral negotiations on a blockchain
CN110580412A (en) Permission query configuration method and device based on chain codes
CN110601855B (en) Root certificate management method and device, electronic equipment and storage medium
EP3942734B1 (en) Systems and methods for virtual distributed ledger networks
CN115296794A (en) Key management method and device based on block chain
CN111767578A (en) Data inspection method, device and equipment
CN111475850A (en) Private data query method and device based on intelligent contract
CN111770198A (en) Information sharing method, device and equipment
CN110580411A (en) permission query configuration method and device based on intelligent contract
CN111522809A (en) Data processing method, system and equipment
CN114500119B (en) Method and device for calling block chain service
US20200082391A1 (en) Performing bilateral negotiations on a blockchain
CN113221165B (en) User element authentication method and device based on block chain
CN115118434A (en) Key management method and device based on block chain
CN109388923B (en) Program execution method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination