CN115514504A - Cross-alliance node authentication method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN115514504A
Authority
CN
China
Prior art keywords
certificate
node
alliance
public key
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110627257.XA
Other languages
Chinese (zh)
Inventor
孙海锋
黄凯
任亚坤
江海龙
何浪
邓燕辉
吴进喜
钟绍柏
张强
冯文韬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SF Technology Co Ltd
Original Assignee
SF Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SF Technology Co Ltd
Priority to CN202110627257.XA
Publication of CN115514504A
Legal status: Pending

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/08: for authentication of entities
                        • H04L63/0823: using certificates
                • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247: involving digital signatures
                        • H04L9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The application relates to a cross-alliance node authentication method, a cross-alliance node authentication device, computer equipment and a storage medium, wherein the method comprises the following steps: receiving a node authentication request sent by a first node in a first alliance network, wherein the node authentication request comprises a first public key certificate corresponding to the first node; acquiring a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network; performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result; and determining whether the first node passes the authentication or not according to the certificate authentication result, thereby realizing cross-alliance node authentication and cross-alliance trust transfer, enabling the nodes belonging to different alliances to carry out mutual authentication, and effectively improving the information transfer efficiency of the nodes in different alliances.

Description

Cross-alliance node authentication method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a cross-federation node authentication method and apparatus, a computer device, and a storage medium.
Background
With the development of computer technology and cryptography, blockchains have the characteristics of decentralization, a strong security consensus mechanism, openness, transparency, tamper resistance and the like, and are therefore increasingly widely applied. The alliance chain is one kind of blockchain; it has the characteristics of high performance, high security and privacy, ease of supervision and the like, and is gradually becoming the main force of blockchain industry development.
In the prior art, different federation chains are independent of each other: a node can join the corresponding federation chain after authentication and acquire information from inside the federation chain to which it belongs. However, this mutual independence turns each alliance into a data island and a trust island, and prevents information transfer between nodes in different alliances.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a cross-federation node authentication method, apparatus, computer device, and storage medium.
A cross-federation node authentication method applied to a second node in a second federated network, the method comprising:
receiving a node authentication request sent by a first node in a first alliance network, wherein the node authentication request comprises a first public key certificate corresponding to the first node;
acquiring a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result;
and determining whether the first node passes the authentication according to the certificate authentication result.
In one embodiment, the determining whether the first node is authenticated according to the certificate verification result includes:
when the certificate verification result is that the certificate passes verification, acquiring a first digital signature corresponding to the first node from the node authentication request;
performing node verification on the first node according to the first digital signature and the first public key certificate;
and when the node verification result is that the verification is passed, the first node is authenticated to be passed.
In one embodiment, the performing node verification on the first node according to the first digital signature and the first public key certificate includes:
acquiring a first public key corresponding to the first node from the first public key certificate, and decrypting the first digital signature by using the first public key to obtain a first random number corresponding to the first node;
acquiring a second random number, and signing the first random number and the second random number by adopting a private key corresponding to the second node to obtain a second digital signature;
sending the second digital signature to the first node, and receiving a third digital signature returned by the first node for the second digital signature; the first node is used for decrypting the received second digital signature to obtain a first decryption result, and encrypting the decryption result by adopting a private key corresponding to the first node to obtain a third digital signature;
and performing node verification on the first node according to the third digital signature and the first public key.
In one embodiment, the sending the second digital signature to the first node includes:
acquiring a second public key certificate corresponding to the second node, and sending the second digital signature and the second public key certificate to the first node;
the first node is configured to obtain a second root certificate corresponding to the second federation network from the certificate chain, perform certificate verification on the second public key certificate based on the second root certificate, and obtain a decryption result corresponding to the second digital signature according to the second public key certificate after the certificate verification is passed.
In one embodiment, the performing node verification on the first node according to the third digital signature and the first public key includes:
decrypting the third digital signature by adopting the first public key to obtain a first decryption result;
and when the first decryption result is matched with the second random number, determining that the node verification result of the first node is verified.
A federation join authentication method, the method comprising:
acquiring a root certificate corresponding to a candidate alliance network to be joined;
determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
sending a certificate authentication request to each of the plurality of federated networks; the certificate authentication request comprises root certificates of the candidate alliance networks, and each alliance network determines whether to pass the certificate authentication of the candidate alliance network or not based on the root certificates of the candidate alliance networks;
and when feedback information which passes certificate authentication and is returned by a target number of the plurality of alliance networks is received, performing uplink operation on the root certificate of the candidate alliance network in the certificate chain.
In one embodiment, the sending a certificate authentication request to each of the plurality of federated networks comprises:
acquiring block data corresponding to a preset block in a current certificate chain, and acquiring a first hash value corresponding to the block data;
signing the block data by adopting a private key corresponding to the candidate alliance network to obtain a fourth digital signature;
generating a certificate authentication request according to the fourth digital signature, the first hash value and the root certificate of the candidate alliance network;
sending the certificate authentication request to each of the plurality of federated networks based on a Byzantine fault tolerance algorithm;
each of the plurality of alliance networks is configured to, when receiving the certificate authentication request and agreeing to the candidate alliance network to join, extract a third public key corresponding to the candidate alliance network from a root certificate of the candidate alliance network, decrypt the fourth digital signature with the third public key to obtain a second decryption result, obtain a second hash value corresponding to the second decryption result, and determine that the certificate authentication of the candidate alliance network passes when the second hash value matches the first hash value.
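The join procedure above, as an added example that is not code from the patent or from SF Technology, written in Go with only the standard library. Assumptions of this example: a federation root certificate is reduced to the federation name plus its CA public key (PKIX DER), because the member's check only needs the key inside the certificate; the candidate signs the SHA-256 hash of the latest block's data with ECDSA P-256, and each member verifies that signature against the key in the candidate's root certificate instead of "decrypting" it as the text describes for a signature with message recovery; the Byzantine fault tolerant delivery is replaced by a plain loop over the member federations, and the target number is a parameter. The names `block`, `joinRequest`, `approveJoin`, `uplink` and `runJoin` are mine; "uplink" is the page's term for appending the candidate's root certificate to the chain.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// rootCert is this example's stand-in for a federation root certificate: federation name plus CA public key (PKIX DER).
type rootCert struct {
	Federation string `json:"federation"`
	PubKeyDER  []byte `json:"pubkey_der"`
}

// block is one block of the certificate chain (fig. 3): root certificates of one or more federations, linked by hash.
type block struct {
	Index    int        `json:"index"`
	PrevHash []byte     `json:"prev_hash"`
	Roots    []rootCert `json:"roots"`
}

func blockHash(b block) []byte { // hash value of the block data; encoding/json is deterministic for this struct
	data, _ := json.Marshal(b)
	sum := sha256.Sum256(data)
	return sum[:]
}

type joinRequest struct { // the certificate authentication request of the embodiment
	Candidate rootCert // root certificate of the candidate federation
	BlockHash []byte   // first hash value: hash of the block data the candidate signed
	Signature []byte   // fourth digital signature: the candidate CA's signature over that block data
}

func newFederationCA(name string) (rootCert, *ecdsa.PrivateKey, error) { // CA key plus root certificate stand-in
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return rootCert{}, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return rootCert{Federation: name, PubKeyDER: der}, key, err
}

// newJoinRequest: the candidate signs the data of the preset block (here the latest block) with its CA key.
func newJoinRequest(chain []block, candidate rootCert, caKey *ecdsa.PrivateKey) (joinRequest, error) {
	h := blockHash(chain[len(chain)-1])
	sig, err := ecdsa.SignASN1(rand.Reader, caKey, h)
	return joinRequest{Candidate: candidate, BlockHash: h, Signature: sig}, err
}

// approveJoin is what each member federation runs: recompute the hash from its own copy of the block, take the
// public key out of the candidate's root certificate, verify the signature, then apply its own admission policy.
func approveJoin(myChain []block, req joinRequest, policy func(rootCert) bool) bool {
	if !bytes.Equal(blockHash(myChain[len(myChain)-1]), req.BlockHash) {
		return false // the candidate signed a different chain state
	}
	pubAny, err := x509.ParsePKIXPublicKey(req.Candidate.PubKeyDER)
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, req.BlockHash, req.Signature) {
		return false // the signer does not hold the key named in the candidate's root certificate
	}
	return policy(req.Candidate)
}

// uplink appends the candidate's root certificate in a new block once at least target federations approved.
func uplink(chain []block, req joinRequest, approvals, target int) ([]block, error) {
	if approvals < target {
		return chain, fmt.Errorf("%d approvals, %d required", approvals, target)
	}
	prev := chain[len(chain)-1]
	next := block{Index: prev.Index + 1, PrevHash: blockHash(prev), Roots: []rootCert{req.Candidate}}
	return append(chain, next), nil
}

// runJoin delivers the request to every member (a loop stands in for the BFT broadcast), counts approvals, uplinks.
func runJoin(chain []block, req joinRequest, members []func(rootCert) bool, target int) ([]block, int, error) {
	approvals := 0
	for _, policy := range members {
		if approveJoin(chain, req, policy) {
			approvals++
		}
	}
	chain, err := uplink(chain, req, approvals, target)
	return chain, approvals, err
}

func main() { // stand-alone demo: members A, B and C admit anyone; candidate D needs 2 approvals
	genesis, admitAll := block{Index: 0}, func(rootCert) bool { return true }
	for _, name := range []string{"A", "B", "C"} {
		rc, _, _ := newFederationCA(name)
		genesis.Roots = append(genesis.Roots, rc)
	}
	dRoot, dKey, _ := newFederationCA("D")
	req, _ := newJoinRequest([]block{genesis}, dRoot, dKey)
	chain, n, err := runJoin([]block{genesis}, req, []func(rootCert) bool{admitAll, admitAll, admitAll}, 2)
	fmt.Println("approvals:", n, "blocks:", len(chain), "err:", err)
}
```

Two points in `approveJoin` matter for a defender: the member recomputes the block hash from its own copy of the chain rather than trusting the hash in the request, so a candidate that signed a stale or forked view is rejected; and the verification key comes from the root certificate carried in the request, so the signature proves only that the requester holds the private key matching that certificate. Whether that federation should be admitted at all is the policy callback; the signature cannot decide that.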
An apparatus for cross-federation node authentication applied to a second node in a second federated network, the apparatus comprising:
a node authentication request receiving module, configured to receive a node authentication request sent by a first node in a first alliance network, where the node authentication request includes a first public key certificate corresponding to the first node;
a first root certificate acquisition module, configured to acquire a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
the certificate verification module is used for performing certificate verification on the first public key certificate by adopting the first root certificate to obtain a certificate verification result;
and the node authentication module is used for determining whether the first node passes the authentication according to the certificate authentication result.
A federation join authentication apparatus, the apparatus comprising:
the candidate root certificate acquisition module is used for acquiring a root certificate corresponding to a candidate alliance network to be joined;
the network determining module is used for determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
a certificate authentication request sending module, configured to send a certificate authentication request to each of the plurality of federation networks; the certificate authentication request comprises root certificates of the candidate alliance networks, and each alliance network determines whether certificate authentication of the candidate alliance networks passes or not based on the root certificates of the candidate alliance networks;
and the uplink module is used for executing uplink operation on the root certificate of the candidate alliance network in the certificate chain when receiving feedback information which passes certificate authentication and is returned by a target number of alliance networks in the plurality of alliance networks.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method as claimed in any one of the preceding claims when the computer program is executed by the processor.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of the preceding claims.
When a node authentication request sent by a first node in a first alliance network is received, where the node authentication request comprises a first public key certificate corresponding to the first node, a second node in a second alliance network can obtain a first root certificate corresponding to the first alliance network from a preset certificate chain, use the first root certificate to perform certificate verification on the first public key certificate to obtain a certificate verification result, and determine according to the certificate verification result whether the first node is authenticated. Node authentication across alliances and trust transfer across alliances are thus achieved, nodes belonging to different alliances can authenticate each other, and the information transfer efficiency of nodes in different alliances is effectively improved.
Drawings
FIG. 1 is a diagram of an application environment for a cross-federation node authentication method, under an embodiment;
FIG. 2 is a flowchart illustrating a cross-federation node authentication method, according to an embodiment;
FIG. 3 is a diagram of a certificate chain in one embodiment;
FIG. 4 is a flowchart illustrating a federated join authentication method in one embodiment;
FIG. 5 is a block diagram of a cross-federation node authentication apparatus in one embodiment;
FIG. 6 is a block diagram of a federation join authentication apparatus in one embodiment;
FIG. 7 is a diagram of the internal structure of a computer device in one embodiment;
FIG. 8 is an internal structural view of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The cross-federation node authentication method provided by the application can be applied to an application environment as shown in fig. 1, wherein the application environment can include a plurality of federation networks, such as a first federation network and a second federation network; each alliance network can comprise a plurality of nodes, a plurality of nodes in the same alliance network can jointly maintain alliance chains in the alliance network, a plurality of nodes in the same alliance network can share data on the alliance chains, and a plurality of nodes can conduct transactions or communicate with each other. The nodes in the alliance network may be terminal devices or servers, and the servers may be implemented by independent servers or a server cluster formed by a plurality of servers.
In one embodiment, as shown in fig. 2, a cross-federation node authentication method is provided, which is described by taking as an example that the method is applied to a second node in the second federated network in fig. 1, and the second node may be any node in the second federated network. Specifically, the present embodiment may include the following steps:
step 201, a node authentication request sent by a first node in a first alliance network is received.
As an example, the first node may be any node in the first federation network, and the node authentication request may include a first public key certificate corresponding to the first node.
In practical application, a first node in a first alliance network and a second node in a second alliance network belong to different alliance networks, when the first node intends to perform cross-alliance transaction with the second node, the first node can obtain a first public key certificate corresponding to the first node, generate a node authentication request containing the first public key certificate, and send the node authentication request to the second node in the second alliance network, so that the second node receives the node authentication request.
Step 202, obtaining a first root certificate corresponding to the first alliance network from a preset certificate chain.
The certificate chain includes a plurality of blocks, each block may include root certificates corresponding to at least one different federation network, that is, the root certificates included in the blocks are different, and each block may include one or more root certificates.
In a specific implementation, each federation network may have a corresponding Certificate Authority (CA), an authority responsible for issuing and managing digital certificates that acts as a trusted third party in electronic transactions and takes responsibility for checking the validity of public keys in a public key infrastructure. Each certificate authority can issue a root certificate for its alliance network; the root certificate is associated with the identity information of the certificate authority, and root certificates can correspond one to one to alliance networks.
For the root certificates corresponding to multiple federation networks, in practical applications a certificate chain may be constructed in advance, as shown in fig. 3, where the certificate chain may include multiple blocks and each block may include at least one root certificate corresponding to one federation network. The certificate chain is itself a blockchain, with the characteristics of decentralization, tamper resistance, full-process trace retention, traceability, collective maintenance, public transparency and the like, so that each root certificate on the certificate chain is authentic and credible. The federation networks corresponding to the root certificates on the certificate chain may have a trusted relationship with each other.
After receiving a node authentication request from a first node in the first federated network, a block corresponding to the first federated network may be determined from the certificate chain, and a first root certificate corresponding to the first federated network may be obtained from the block.
Step 203, performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result.
After the first root certificate of the first alliance network is obtained, the first root certificate can be used to perform certificate verification on the first public key certificate of the first node and obtain a corresponding certificate verification result. Specifically, because the public key certificate of each node in the first alliance network is issued by the certificate authority corresponding to the first alliance network, and the first root certificate is associated with the identity of that certificate authority, the first root certificate can be used to verify the validity of the first public key certificate.
And step 204, determining whether the first node passes the authentication according to the certificate verification result.
After the certificate verification result is obtained, whether the first node passes the authentication can be determined according to it. Specifically, when the certificate verification result indicates that verification fails, the first node is not authenticated; when the certificate verification result is that verification passes, it can be determined that the public key certificate corresponding to the first node is valid, and whether the first node passes the authentication is then further determined based on the public key certificate of the first node.
In this embodiment, when a node authentication request sent by a first node in a first alliance network is received, where the node authentication request includes a first public key certificate corresponding to the first node, a second node in a second alliance network may obtain a first root certificate corresponding to the first alliance network from a preset certificate chain, perform certificate verification on the first public key certificate by using the first root certificate, obtain a certificate verification result, and determine whether to pass authentication on the first node according to the certificate verification result, thereby implementing node authentication across alliances and trust transfer across alliances, enabling nodes belonging to different alliances to perform mutual authentication, and effectively improving information transfer efficiency of nodes in different alliances.
In one embodiment, the determining whether the first node is authenticated according to the certificate verification result may include:
when the certificate verification result is that the certificate passes verification, acquiring a first digital signature corresponding to the first node from the node authentication request; performing node verification on the first node according to the first digital signature and the first public key certificate; and when the node verification result is verification passing, the first node is authenticated.
In a specific implementation, the first node may obtain a random number, sign the random number by using a private key corresponding to the first node to obtain a first digital signature, and then generate a node authentication request based on the first digital signature and the first public key certificate.
When the second node verifies the first public key certificate and the certificate verification result is that the certificate passes, the first public key certificate provided by the first node is determined to be legitimate; the first digital signature generated in advance by the first node can then be obtained from the node authentication request, node verification is performed on the first node according to the first digital signature and the first public key certificate, and when the node verification result is that verification passes, the first node is authenticated.
In this embodiment, when the certificate verification result is that the first node passes verification, the first digital signature corresponding to the first node may be obtained from the node authentication request, and the first node is verified according to the first digital signature and the first public key certificate.
In an embodiment, the performing node verification on the first node according to the first digital signature and the first public key certificate may include:
acquiring a first public key corresponding to the first node from the first public key certificate, and decrypting the first digital signature by using the first public key to obtain a first random number corresponding to the first node; acquiring a second random number, and signing the first random number and the second random number by adopting a private key corresponding to the second node to obtain a second digital signature; sending the second digital signature to the first node, and receiving a third digital signature returned by the first node for the second digital signature; and performing node verification on the first node according to the third digital signature and the first public key.
The first node is configured to decrypt the received second digital signature to obtain a first decryption result, and to encrypt the decryption result with the private key corresponding to the first node to obtain the third digital signature.
in practical application, the first digital signature is obtained by encrypting the random number by using the private key of the first node, the private key of the first node is paired with the public key, the second node can obtain the first public key corresponding to the first node from the first public key certificate, and decrypt the first digital signature by using the first public key, and if the decryption is successful, the first random number corresponding to the first node is obtained, so that the first digital signature can be determined to be generated by the first node.
After the first random number is obtained, the second node may further randomly generate a second random number, sign the first random number and the second random number by using a private key corresponding to the second node to obtain a second digital signature, and send the second digital signature to the first node.
After receiving the second digital signature, the first node may decrypt the second digital signature to obtain a corresponding first decryption result. After the first decryption result is obtained, the first node may encrypt the decryption result by using a private key corresponding to the first node to obtain a third digital signature, and return the third digital signature to the second node. After receiving the third digital signature, the second node may perform node verification on the first node according to the third digital signature and the first public key.
In this embodiment, a first public key corresponding to a first node may be obtained from a first public key certificate, the first public key is used to decrypt a first digital signature to obtain a first random number corresponding to the first node, a second random number is obtained, a private key corresponding to a second node is used to sign the first random number and the second random number to obtain a second digital signature, the second digital signature is sent to the first node, a third digital signature returned by the first node for the second digital signature is received, and node verification is performed on the first node according to the third digital signature and the first public key.
In one embodiment, the sending the second digital signature to the first node may include the steps of:
and acquiring a second public key certificate corresponding to the second node, and sending the second digital signature and the second public key certificate to the first node.
The first node is used for acquiring a second root certificate corresponding to the second alliance network from the certificate chain, performing certificate verification on the second public key certificate based on the second root certificate, and acquiring a decryption result corresponding to the second digital signature according to the second public key certificate after the verification is passed.
In a specific implementation, the second node may obtain the second public key certificate corresponding to the second node and send it to the first node together with the second digital signature. After receiving the second digital signature and the second public key certificate, the first node may determine the block corresponding to the second federation network from the certificate chain, obtain the second root certificate corresponding to the second federation network from that block, and perform certificate verification on the second public key certificate using the second root certificate; the verification process is similar to that of the first public key certificate and is not repeated here.
After the verification is passed, the first node may determine that the second node is a node in the plurality of federation networks corresponding to the certificate chain, and if the second public key certificate is legal, the second digital signature may be decrypted based on the second public key certificate, so as to obtain a decryption result corresponding to the second digital signature.
In this embodiment, the second node may obtain a second public key certificate corresponding to the second node, and send the second digital signature and the second public key certificate to the first node, the first node obtains a second root certificate corresponding to the second federation network from the certificate chain, performs certificate verification on the second public key certificate based on the second root certificate, and after the verification is passed, obtains a decryption result corresponding to the second digital signature according to the second public key certificate, thereby implementing mutual verification of public key certificates by nodes in different federation networks, and providing a basis for implementing information circulation and trust transfer of different federation network nodes.
In one embodiment, the node verifying the first node according to the third digital signature and the first public key may include:
decrypting the third digital signature by adopting the first public key to obtain a first decryption result; and when the first decryption result is matched with the second random number, determining that the node verification result of the first node is verified.
In practical applications, although the first digital signature is generated by the first node, a replay attack may cause a first digital signature that was indeed generated by the first node to be retransmitted by an attacker. A replay attack (Replay Attack, also called a playback attack) refers to an attacker sending a data packet that the destination host has already received in order to deceive it; in identity authentication, a replay attack destroys the correctness of the authentication. A replay attack may be performed by the initiator or by an adversary that intercepts and retransmits the data: the attacker captures the authentication credentials by network sniffing or other means and then retransmits them to the authentication server.
Based on this, the first node may generate a third digital signature after obtaining the decryption result of the second digital signature, and send the third digital signature to the second node. After receiving the third digital signature, the second node may decrypt the third digital signature using the first public key certificate of the first node to obtain a first decryption result therein, and determine whether the first decryption result matches the second random number, for example, whether the first decryption result is equal to the second random number.
When the first decryption result is matched with the second random number, it can be determined that the first digital signature and the third digital signature are indeed generated and sent by the first node, and then it can be determined that the node verification result of the first node is verified. When the first decryption result does not match the second random number, it may be determined that the node verification result is not verified, and the second node may send rejection information to the first node.
In this embodiment, the third digital signature is decrypted by using the first public key to obtain a first decryption result, and when the first decryption result matches the second random number, the node verification result of the first node is determined to be verification-passed, so that replay attacks can be effectively prevented and the reliability of node verification is improved.
In order to enable those skilled in the art to better understand the above steps, the following is an example to illustrate the embodiments of the present application, but it should be understood that the embodiments of the present application are not limited thereto.
In practical application, a certificate chain including a plurality of root certificates corresponding to the federation networks may be preset. The ith alliance network has a node A whose public key, private key and public key certificate are PK_A, SK_A and Cert_A respectively, where Cert_A is issued by the certificate authority of the ith alliance network; the jth alliance network has a node B whose public key, private key and public key certificate are PK_B, SK_B and Cert_B respectively, where Cert_B is issued by the certificate authority of the jth alliance network. When node A and node B are about to carry out a cross-alliance transaction, cross-alliance node authentication can be realized in the following way:
1. Node A selects a first random number R_A, calculates a first digital signature σ_A = sign(SK_A, R_A), and sends the first digital signature σ_A and the first public key certificate Cert_A to node B.
2. After node B receives σ_A and Cert_A, it obtains the first root certificate Cert_root(i) of the ith alliance network from the certificate chain and uses Cert_root(i) to verify the validity of the first public key certificate of node A. If the verification passes, node B extracts the public key of node A from the first public key certificate Cert_A, decrypts σ_A to obtain R_A, then selects a second random number R_B, calculates a second digital signature σ_B = sign(SK_B, R_A, R_B), and sends the second digital signature σ_B and the second public key certificate Cert_B to node A.
3. After node A receives the second digital signature σ_B and the second public key certificate Cert_B, it obtains the second root certificate Cert_root(j) of the jth alliance from the certificate chain and uses Cert_root(j) to verify the validity of the second public key certificate Cert_B of node B. If the verification passes, node A extracts the public key of node B from the second public key certificate Cert_B and decrypts σ_B to obtain R_A' and R_B. If R_A' and R_A are not equal, node A sends rejection information to node B and the node authentication of the two sides ends; if R_A' and R_A are equal, node A signs the random number R_B to obtain a third digital signature σ_A1 = sign(SK_A, R_B) and sends the third digital signature σ_A1 to node B.
4. After node B receives the third digital signature σ_A1, it decrypts it with the public key PK_A of node A to obtain R_B' and determines whether R_B' and R_B are equal. If not, it sends rejection information to node A and the node authentication of the two parties ends; if so, node A and node B have mutually authenticated each other and the next transaction can be carried out.
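The four-step exchange above, as an added Go example that is not part of the patent: the certificate chain is reduced to a map from alliance name to that alliance's CA public key, certificates are a simplified struct signed by the CA, and Ed25519 signatures are verified over the random numbers (which travel in the clear) instead of being "decrypted" to recover them, so R_A' and R_B' are the echoed values rather than recovered ones. All names, message layouts and the 32-byte random number size are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a simplified public key certificate (assumed layout), signed by the alliance's CA.
type Cert struct {
	Alliance, NodeID string
	PubKey           ed25519.PublicKey
	CASig            []byte // CA signature over tbs()
}

func (c Cert) tbs() []byte { return append([]byte(c.Alliance+"|"+c.NodeID+"|"), c.PubKey...) }

// CertChain stands in for the preset certificate chain: alliance name -> root (CA public key).
type CertChain map[string]ed25519.PublicKey

// Verify reports whether a certificate was issued by the root of its own alliance.
func (cc CertChain) Verify(c Cert) bool {
	root, ok := cc[c.Alliance]
	return ok && ed25519.Verify(root, c.tbs(), c.CASig)
}
type Node struct {
	Cert    Cert
	sk      ed25519.PrivateKey
	nonce   []byte            // R_A on node A, R_B on node B
	peerPub ed25519.PublicKey // PK_A, taken by B from the verified Cert_A
}

// MustKey generates an Ed25519 key pair (used for alliance CAs and nodes alike).
func MustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pk, sk
}

// NewNode creates a node whose certificate is signed by its alliance's CA key caSK.
func NewNode(alliance, id string, caSK ed25519.PrivateKey) *Node {
	pk, sk := MustKey()
	c := Cert{Alliance: alliance, NodeID: id, PubKey: pk}
	c.CASig = ed25519.Sign(caSK, c.tbs())
	return &Node{Cert: c, sk: sk}
}

func randomNumber() []byte { // 256-bit random number (assumed size)
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24+)
	return b
}

type Msg1 struct{ RA, SigA []byte; Cert Cert }     // A -> B
type Msg2 struct{ RA, RB, SigB []byte; Cert Cert } // B -> A; A answers with sigma_A1 ([]byte)
// Step1 (node A): pick R_A, sigma_A = sign(SK_A, R_A), send both with Cert_A.
func (a *Node) Step1() Msg1 {
	a.nonce = randomNumber()
	return Msg1{RA: a.nonce, SigA: ed25519.Sign(a.sk, a.nonce), Cert: a.Cert}
}

// Step2 (node B): verify Cert_A against root(i) and sigma_A over R_A, pick R_B,
// and reply with sigma_B = sign(SK_B, R_A || R_B) and Cert_B.
func (b *Node) Step2(cc CertChain, m Msg1) (Msg2, error) {
	if !cc.Verify(m.Cert) { return Msg2{}, errors.New("B: Cert_A not issued by a root in the chain") }
	if !ed25519.Verify(m.Cert.PubKey, m.RA, m.SigA) { return Msg2{}, errors.New("B: sigma_A invalid") }
	b.peerPub, b.nonce = m.Cert.PubKey, randomNumber()
	msg := append(append([]byte{}, m.RA...), b.nonce...)
	return Msg2{RA: m.RA, RB: b.nonce, SigB: ed25519.Sign(b.sk, msg), Cert: b.Cert}, nil
}

// Step3 (node A): verify Cert_B against root(j) and sigma_B; reject when the echoed
// R_A' differs from A's own R_A (a replayed or foreign second message).
func (a *Node) Step3(cc CertChain, m Msg2) ([]byte, error) {
	if !cc.Verify(m.Cert) { return nil, errors.New("A: Cert_B not issued by a root in the chain") }
	msg := append(append([]byte{}, m.RA...), m.RB...)
	if !ed25519.Verify(m.Cert.PubKey, msg, m.SigB) { return nil, errors.New("A: sigma_B invalid") }
	if !bytes.Equal(m.RA, a.nonce) { return nil, errors.New("A: R_A' != R_A, rejecting") }
	return ed25519.Sign(a.sk, m.RB), nil // sigma_A1 = sign(SK_A, R_B)
}

// Step4 (node B): check sigma_A1 with PK_A over B's own R_B; nil means mutual authentication passed.
func (b *Node) Step4(sigA1 []byte) error {
	if !ed25519.Verify(b.peerPub, b.nonce, sigA1) { return errors.New("B: R_B' != R_B, rejecting") }
	return nil
}

func main() { // one honest exchange between A (alliance i) and B (alliance j)
	caI, skI := MustKey()
	caJ, skJ := MustKey()
	cc := CertChain{"alliance-i": caI, "alliance-j": caJ}
	a, b := NewNode("alliance-i", "A", skI), NewNode("alliance-j", "B", skJ)
	m2, err := b.Step2(cc, a.Step1())
	if err != nil { panic(err) }
	sigA1, err := a.Step3(cc, m2)
	if err != nil { panic(err) }
	fmt.Println("mutual authentication:", b.Step4(sigA1)) // <nil> on success
}
```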
In one embodiment, as shown in fig. 4, a cross-federation node authentication method is provided, which is described by way of example as applied to the federation network in fig. 1. Specifically, the present embodiment may include the following steps:
step 401, obtaining a root certificate corresponding to a candidate alliance network to be joined.
In practical application, a trusted relationship may exist among a plurality of alliance networks, and for the plurality of alliance networks in which the trusted relationship exists, nodes in different alliance networks may perform node authentication and node transaction across alliances. When the candidate alliance network is to be added into the plurality of alliance networks and a credibility relationship is established between the candidate alliance network and the plurality of alliance networks, a root certificate corresponding to the candidate alliance network to be added can be obtained.
Step 402, determining a plurality of federation networks corresponding to the current certificate chain.
The certificate chain includes a plurality of blocks, and each block may include a root certificate corresponding to at least one different federation network. Specifically, each federated network may have a corresponding certificate authority, each certificate authority may sign a root certificate for the federated network, the root certificate is associated with identity information of the certificate authority, and the root certificates may correspond to the federated networks one to one. For root certificates corresponding to multiple federation networks, a corresponding certificate chain may be constructed, where the certificate chain may include multiple blocks, the root certificates in the blocks are different from one another, and each block may include one or more root certificates.
When the candidate federation networks are intended to establish a trusted relationship with the federation networks corresponding to the certificate chain, a plurality of federation networks corresponding to the current certificate chain may be determined.
Step 403, sending a certificate authentication request to each of the plurality of federation networks.
The certificate authentication request comprises root certificates of candidate alliance networks, and each alliance network determines whether certificate authentication of the candidate alliance networks passes or not based on the root certificates of the candidate alliance networks.
In practical applications, the candidate federation networks may generate a certificate authentication request including a root certificate corresponding to the candidate federation network, and send the certificate authentication request to each of the plurality of federation networks corresponding to the certificate chain. After receiving the certificate authentication request, if each alliance network allows the candidate alliance network to join, whether the candidate alliance network passes the certificate authentication of the candidate alliance network can be determined based on the root certificate in the certificate authentication request.
And step 404, when feedback information which is returned by a target number of the plurality of alliance networks and passes certificate authentication is received, performing uplink operation on the root certificate of the candidate alliance network in the certificate chain.
As an example, the feedback information may be feedback information passing certificate authentication or feedback information rejecting certificate authentication; the target number may be a number exceeding a preset threshold, and the preset threshold may be determined according to the number of the plurality of federation networks. In one example, the preset threshold may be 2f + 1, where f is a positive integer, f = (n-1)/3, and n is the total number of the plurality of federation networks.
After receiving the certificate authentication request, each alliance may generate corresponding feedback information for whether to allow the candidate alliance network to join and pass the certificate authentication of the candidate alliance network, and return the feedback information to the candidate alliance network.
After receiving the feedback information from the multiple federation networks, the candidate federation network determines the feedback information passing certificate authentication among it, and when the number of such feedback information reaches the target number, performs the uplink operation on its root certificate in the certificate chain, that is, adds the root certificate of the candidate federation network to the certificate chain.
In this embodiment, a root certificate corresponding to a candidate alliance network to be joined is obtained, and a plurality of alliance networks corresponding to the current certificate chain are determined, where the certificate chain includes a plurality of blocks and each block includes a root certificate corresponding to at least one different alliance network. A certificate authentication request including the root certificate of the candidate alliance network is then sent to each of the plurality of alliance networks, and each alliance network determines whether the candidate alliance network passes certificate authentication based on that root certificate. When feedback information passing certificate authentication is received from a target number of the plurality of alliance networks, the root certificate of the candidate alliance network is uplinked in the certificate chain. A trusted relationship between different alliance networks can thus be established through the certificate chain, providing a basis for cross-alliance node authentication and trust transfer and effectively improving the information transfer efficiency of nodes in different alliances.
In one embodiment, the sending of the certificate authentication request to each of the plurality of federation networks may include:
acquiring block data corresponding to a preset block in a current certificate chain, and acquiring a first hash value corresponding to the block data; signing the block data by adopting a private key corresponding to the candidate alliance network to obtain a fourth digital signature; generating a certificate authentication request according to the fourth digital signature, the first hash value and the root certificate of the candidate alliance network; sending the certificate authentication request to each of the plurality of federated networks based on a Byzantine fault tolerance algorithm.
When receiving a certificate authentication request and agreeing to the addition of the candidate alliance network, each alliance network in the plurality of alliance networks extracts a third public key corresponding to the candidate alliance network from a root certificate of the candidate alliance network, decrypts the fourth digital signature by adopting the third public key to obtain a second decryption result, obtains a second hash value corresponding to the second decryption result, and determines that the certificate authentication of the candidate alliance network passes when the second hash value is matched with the first hash value.
In a specific implementation, the candidate federation network may determine a predetermined block in the current certificate chain, which may be the last block of the current certificate chain. After the predetermined block is determined, block data corresponding to the predetermined block may be obtained, and a hash value corresponding to the block data is determined as the first hash value.
After the block data is obtained, the block data may be signed by using a private key corresponding to the candidate alliance network, so as to obtain a corresponding fourth digital signature. After the fourth digital signature is obtained, a certificate authentication request may be generated by using the fourth digital signature, the first hash value, and the root certificates of the candidate federation networks, and the certificate authentication request may be sent to the plurality of federation networks based on a byzantine fault-tolerant algorithm.
After receiving the certificate authentication request, each of the plurality of federation networks may decide whether to approve the candidate federation joining and adding its root certificate to the certificate chain. If the candidate alliance network is not approved to join, feedback information rejecting certificate authentication can be generated and returned to the candidate alliance network. If the candidate alliance network is allowed to join, the alliance network can obtain the root certificate of the candidate alliance network from the certificate authentication request and use the public key in that root certificate to decrypt the fourth digital signature, obtaining a second decryption result. A second hash value corresponding to the second decryption result is then computed and compared with the first hash value; if they match, the candidate alliance network passes certificate authentication, feedback information passing certificate authentication can be generated, and the feedback is carried out based on a Byzantine fault-tolerant algorithm.
In this embodiment, whether a candidate federation network is allowed to join may be determined jointly by the plurality of federation networks based on the voting mechanism of a Byzantine fault-tolerant algorithm, and only a valid root certificate is added to the certificate chain, so that the consistency and authenticity of the plurality of federation networks during decision making can be improved and the reliability of the certificate chain is enhanced.
In an embodiment, a cross-federation node authentication method in the present application may also be applied to an authentication platform that determines whether to perform uplink operation on a root certificate of a candidate federation network in a current certificate chain by sending certificate authentication requests for the candidate federation networks to a plurality of federation networks and acquiring corresponding feedback information.
In order to enable those skilled in the art to better understand the above steps, the following is an example to illustrate the embodiments of the present application, but it should be understood that the embodiments of the present application are not limited thereto.
The current certificate chain includes root certificates corresponding to n federation networks (as shown in fig. 3), and the root certificate, public key and private key corresponding to the (n+1)th federation network are Cert_root(n+1), PK_n+1 and SK_n+1 respectively. When the (n+1)th alliance network is to join and its root certificate is to be added to the certificate chain, the following steps can be executed:
1. The (n+1)th alliance network calculates the first hash value h of the nth block of the certificate chain and the fourth digital signature σ over the nth block in the following manner:
h = hash(block_n)
σ = sign(SK_n+1, block_n)
where hash can be the SHA-256 algorithm and block_n is the block data of the nth block.
After obtaining the first hash value and the fourth digital signature, a certificate authentication request whose content is Cert_root(n+1), h and σ can be generated and sent to the n federation networks of the certificate chain through a Byzantine fault-tolerant algorithm.
2. After the n alliance networks receive the certificate authentication request, a Byzantine fault-tolerant algorithm can be run to decide whether the (n+1)th alliance is allowed to join the certificate chain. If 2f+1 (f = (n-1)/3) alliance networks approve, the n alliance networks agree to admit the (n+1)th alliance and append its root certificate Cert_root(n+1) to the certificate chain; otherwise the (n+1)th alliance is rejected.
In practical application, after each alliance network receives the certificate authentication request, if it does not approve the (n+1)th alliance network joining, it can run the Byzantine fault-tolerant algorithm to vote against.
If it agrees to the (n+1)th alliance joining, it can verify whether the root certificate Cert_root(n+1) of the (n+1)th alliance network is valid. Specifically, the alliance network extracts the public key PK_n+1 from the root certificate Cert_root(n+1), decrypts the fourth digital signature σ with PK_n+1 to obtain block_n, and hashes block_n to obtain a second hash value. The second hash value is then compared with h in the certificate authentication request. If they are equal, the Byzantine fault-tolerant algorithm is run with a positive vote (corresponding to the feedback information passing certificate authentication in this application); otherwise with a negative vote (corresponding to the feedback information rejecting certificate authentication).
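The join procedure in the two steps above, as an added Go example that is not from the patent: the candidate signs block_n and sends Cert_root(n+1), h and σ; each existing alliance verifies σ with PK_n+1 over its own copy of block_n (Ed25519 has no message recovery, so verification replaces decrypting σ), recomputes the hash and compares it with h; and the root is appended in a new block only when at least 2f+1 of the n alliances vote yes, f = (n-1)/3. The Byzantine fault-tolerant broadcast is replaced by a local tally of votes, and the block layout, the chain as a Go slice and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Block is one block of the certificate chain (assumed layout): the hash of the
// previous block plus the root certificates it records, reduced here to CA public keys.
type Block struct {
	Prev  [32]byte
	Roots [][]byte
}

// Bytes is the serialised block data that is hashed and signed (block_n).
func (b Block) Bytes() []byte {
	out := append([]byte{}, b.Prev[:]...)
	for _, r := range b.Roots {
		out = append(out, r...)
	}
	return out
}

// Genesis builds a chain whose first block holds the roots of n alliances and
// returns those alliances' CA private keys (constructed fixture, not real CAs).
func Genesis(n int) ([]Block, []ed25519.PrivateKey) {
	var g Block
	var sks []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pk, sk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		g.Roots = append(g.Roots, []byte(pk))
		sks = append(sks, sk)
	}
	return []Block{g}, sks
}

// JoinRequest is the certificate authentication request of the (n+1)th alliance:
// its root Cert_root(n+1), h = hash(block_n) and sigma = sign(SK_n+1, block_n).
type JoinRequest struct {
	Root  ed25519.PublicKey
	H     [32]byte
	Sigma []byte
}

// NewJoinRequest is run by the candidate alliance over its copy of the chain.
func NewJoinRequest(chain []Block, sk ed25519.PrivateKey) JoinRequest {
	blockN := chain[len(chain)-1].Bytes()
	return JoinRequest{Root: sk.Public().(ed25519.PublicKey), H: sha256.Sum256(blockN), Sigma: ed25519.Sign(sk, blockN)}
}

// Vote is one existing alliance's decision. willing models "agrees to let the
// candidate join"; sigma is checked with PK_n+1 over the voter's own block_n and
// the recomputed hash must equal h, so a request built over a different chain
// head (or with a key that does not match the root) is refused.
func Vote(chain []Block, req JoinRequest, willing bool) bool {
	if !willing {
		return false
	}
	blockN := chain[len(chain)-1].Bytes()
	return ed25519.Verify(req.Root, blockN, req.Sigma) && sha256.Sum256(blockN) == req.H
}

// Tally stands in for the Byzantine fault-tolerant agreement: with n voters and
// f = (n-1)/3, the root is appended in a new block only if at least 2f+1 voted yes.
// The input chain is left unchanged; the grown chain is returned.
func Tally(chain []Block, req JoinRequest, votes []bool) ([]Block, error) {
	n, yes := len(votes), 0
	for _, v := range votes {
		if v {
			yes++
		}
	}
	if need := 2*((n-1)/3) + 1; yes < need {
		return chain, fmt.Errorf("%d of %d alliances approved, %d required", yes, n, need)
	}
	prev := sha256.Sum256(chain[len(chain)-1].Bytes())
	grown := append(append([]Block{}, chain...), Block{Prev: prev, Roots: [][]byte{[]byte(req.Root)}})
	return grown, nil
}

func main() {
	chain, _ := Genesis(4) // n = 4 existing alliances, f = 1, so 3 approvals are needed
	_, skNew, err := ed25519.GenerateKey(rand.Reader) // SK_n+1 of the candidate
	if err != nil {
		panic(err)
	}
	req := NewJoinRequest(chain, skNew)
	votes := []bool{Vote(chain, req, true), Vote(chain, req, true), Vote(chain, req, true), Vote(chain, req, false)}
	grown, err := Tally(chain, req, votes)
	fmt.Println("blocks after join:", len(grown), "error:", err) // 2 <nil>
}
```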
It should be understood that, although the steps in the flowcharts of fig. 2 and 4 are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not restricted to the order shown and described and may be performed in other orders. Moreover, at least a portion of the steps in fig. 2 and 4 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential; they may be performed alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 5, there is provided a cross-federation node authentication apparatus applicable to a second node in a second federated network, the apparatus comprising:
a node authentication request receiving module 501, configured to receive a node authentication request sent by a first node in a first alliance network, where the node authentication request includes a first public key certificate corresponding to the first node;
a first root certificate obtaining module 502, configured to obtain a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
the certificate verification module 503 is configured to perform certificate verification on the first public key certificate by using the first root certificate, so as to obtain a certificate verification result;
a node authentication module 504, configured to determine whether the first node is authenticated according to the certificate authentication result.
In one embodiment, the node authentication module 504 includes:
a first digital signature obtaining sub-module, configured to obtain, from the node authentication request, a first digital signature corresponding to the first node when the certificate verification result is that verification passes;
the node verification sub-module is used for performing node verification on the first node according to the first digital signature and the first public key certificate;
and the authentication passing sub-module is used for passing the authentication of the first node when the node verification result is verification passing.
In one embodiment, the node verification sub-module includes:
a first random number obtaining unit, configured to obtain a first public key corresponding to the first node from the first public key certificate, and decrypt the first digital signature by using the first public key to obtain a first random number corresponding to the first node;
the second digital signature acquisition unit is used for acquiring a second random number and signing the first random number and the second random number by adopting a private key corresponding to the second node to obtain a second digital signature;
a third digital signature acquisition unit, configured to send the second digital signature to the first node, and receive a third digital signature returned by the first node for the second digital signature; the first node is used for decrypting the received second digital signature to obtain a first decryption result, and encrypting the decryption result by adopting a private key corresponding to the first node to obtain a third digital signature;
and the third digital signature verification unit is used for performing node verification on the first node according to the third digital signature and the first public key.
In an embodiment, the third digital signature obtaining unit is specifically configured to obtain a second public key certificate corresponding to the second node, and send the second digital signature and the second public key certificate to the first node;
the first node is configured to obtain a second root certificate corresponding to the second federation network from the certificate chain, perform certificate verification on the second public key certificate based on the second root certificate, and obtain a decryption result corresponding to the second digital signature according to the second public key certificate after the certificate verification is passed.
In one embodiment, the third digital signature verification unit includes:
a first decryption result obtaining subunit, configured to decrypt, using the first public key, the third digital signature to obtain the first decryption result;
and the matching subunit is used for determining that the node verification result of the first node is verification-passed when the first decryption result is matched with the second random number.
For specific definition of a cross-federation node authentication device, refer to the above definition of a cross-federation node authentication method, which is not described herein again. The modules in the cross-federation node authentication device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, as shown in fig. 6, there is provided an apparatus for authenticating a node across federations, the apparatus comprising:
a candidate root certificate obtaining module 601, configured to obtain a root certificate corresponding to a candidate alliance network to be joined;
a federation network determining module 602, configured to determine a plurality of federation networks corresponding to a current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
a certificate authentication request sending module 603, configured to send a certificate authentication request to each of the plurality of federation networks; the certificate authentication request comprises root certificates of the candidate alliance networks, and each alliance network determines whether certificate authentication of the candidate alliance networks passes or not based on the root certificates of the candidate alliance networks;
an uplink module 604, configured to perform uplink operation on the root certificate of the candidate federation network in the certificate chain when receiving feedback information that is returned by a target number of federation networks of the plurality of federation networks and passes certificate authentication.
In one embodiment, the certificate authentication request sending module 603 includes:
the first hash value acquisition submodule is used for acquiring block data corresponding to a preset block in a current certificate chain and acquiring a first hash value corresponding to the block data;
the fourth digital signature acquisition sub-module is used for signing the block data by adopting a private key corresponding to the candidate alliance network to obtain a fourth digital signature;
a certificate authentication request generation submodule, configured to generate a certificate authentication request according to the fourth digital signature, the first hash value, and the root certificate of the candidate federation network;
a Byzantine fault-tolerant algorithm triggering sub-module, configured to send the certificate authentication request to each of the plurality of federation networks based on a Byzantine fault-tolerant algorithm;
each of the plurality of alliance networks is configured to, when receiving the certificate authentication request and agreeing to the candidate alliance network to join, extract a third public key corresponding to the candidate alliance network from a root certificate of the candidate alliance network, decrypt the fourth digital signature by using the third public key to obtain a second decryption result, obtain a second hash value corresponding to the second decryption result, and determine that the certificate authentication of the candidate alliance network passes when the second hash value matches the first hash value.
For specific limitations of an alliance joining authentication apparatus, reference may be made to the above limitations of an alliance joining authentication method, which are not described herein again. Each module in the above-described one allied joining authentication apparatus may be wholly or partially implemented by software, hardware, or a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 7. The computer device comprises a processor, a memory, a communication interface, a display screen and an input device which are connected through a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for communicating with an external terminal in a wired or wireless manner, and the wireless manner can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a cross-federation node authentication method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing root certificates of the candidate federated networks. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a federated join authentication method.
It will be appreciated by those skilled in the art that the configurations shown in fig. 7 and 8 are only block diagrams of partial configurations relevant to the present application, and do not constitute a limitation on the computer device to which the present application is applied, and a particular computer device may include more or less components than those shown in the figures, or may combine some components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
receiving a node authentication request sent by a first node in a first alliance network, wherein the node authentication request comprises a first public key certificate corresponding to the first node;
acquiring a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result;
and determining whether the first node passes authentication according to the certificate verification result.
In one embodiment, the steps in the other embodiments described above are also implemented when the computer program is executed by a processor.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
receiving a node authentication request sent by a first node in a first alliance network, wherein the node authentication request comprises a first public key certificate corresponding to the first node;
acquiring a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result;
and determining whether the first node passes authentication according to the certificate verification result.
In one embodiment, the computer program when executed by the processor also implements the steps of the other embodiments described above.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring a root certificate corresponding to a candidate alliance network to be joined;
determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
sending a certificate authentication request to each of the plurality of alliance networks; the certificate authentication request comprises the root certificate of the candidate alliance network, and each alliance network determines, based on that root certificate, whether certificate authentication of the candidate alliance network passes;
and when feedback information indicating that certificate authentication passed is received from a target number of the plurality of alliance networks, performing an uplink operation (writing on-chain) on the root certificate of the candidate alliance network in the certificate chain.
In one embodiment, the steps in the other embodiments described above are also implemented when the computer program is executed by a processor.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring a root certificate corresponding to a candidate alliance network to be joined;
determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
sending a certificate authentication request to each of the plurality of alliance networks; the certificate authentication request comprises the root certificate of the candidate alliance network, and each alliance network determines, based on that root certificate, whether certificate authentication of the candidate alliance network passes;
and when feedback information indicating that certificate authentication passed is received from a target number of the plurality of alliance networks, performing an uplink operation (writing on-chain) on the root certificate of the candidate alliance network in the certificate chain.
In one embodiment, the computer program when executed by the processor also performs the steps in the other embodiments described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
For brevity, not all possible combinations of the technical features of the above embodiments are described; any such combination should be considered within the scope of the present disclosure as long as it involves no contradiction.
The above embodiments express only several implementations of the present application and are described in relatively specific detail, which should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (11)

1. A cross-alliance node authentication method applied to a second node in a second alliance network, the method comprising:
receiving a node authentication request sent by a first node in a first alliance network, wherein the node authentication request comprises a first public key certificate corresponding to the first node;
acquiring a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
performing certificate verification on the first public key certificate by using the first root certificate to obtain a certificate verification result;
and determining whether the first node passes authentication according to the certificate verification result.
2. The method of claim 1, wherein the determining whether the first node is authenticated according to the certificate verification result comprises:
when the certificate verification result is that the certificate passes verification, acquiring a first digital signature corresponding to the first node from the node authentication request;
performing node verification on the first node according to the first digital signature and the first public key certificate;
and when the node verification result is that verification passed, the first node passes authentication.
3. The method of claim 2, wherein the performing node verification on the first node according to the first digital signature and the first public key certificate comprises:
acquiring a first public key corresponding to the first node from the first public key certificate, and decrypting the first digital signature by using the first public key to obtain a first random number corresponding to the first node;
acquiring a second random number, and signing the first random number and the second random number by adopting a private key corresponding to the second node to obtain a second digital signature;
sending the second digital signature to the first node, and receiving a third digital signature returned by the first node for the second digital signature; wherein the first node is configured to decrypt the received second digital signature to obtain a decryption result and to encrypt that decryption result with the private key corresponding to the first node to obtain the third digital signature;
and performing node verification on the first node according to the third digital signature and the first public key.
4. The method of claim 3, wherein sending the second digital signature to the first node comprises:
acquiring a second public key certificate corresponding to the second node, and sending the second digital signature and the second public key certificate to the first node;
wherein the first node is configured to obtain a second root certificate corresponding to the second alliance network from the certificate chain, perform certificate verification on the second public key certificate based on the second root certificate, and, after the certificate verification passes, obtain the decryption result corresponding to the second digital signature according to the second public key certificate.
5. The method of claim 4, wherein the performing node verification on the first node according to the third digital signature and the first public key comprises:
decrypting the third digital signature by adopting the first public key to obtain a first decryption result;
and when the first decryption result matches the second random number, determining that the node verification result for the first node is that verification passed.
6. An alliance joining authentication method, comprising:
acquiring a root certificate corresponding to a candidate alliance network to be joined;
determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
sending a certificate authentication request to each of the plurality of alliance networks; the certificate authentication request comprises the root certificate of the candidate alliance network, and each alliance network determines, based on that root certificate, whether certificate authentication of the candidate alliance network passes;
and when feedback information indicating that certificate authentication passed is received from a target number of the plurality of alliance networks, performing an uplink operation on the root certificate of the candidate alliance network in the certificate chain.
7. The method of claim 6, wherein sending a certificate authentication request to each of the plurality of alliance networks comprises:
acquiring block data corresponding to a preset block in a current certificate chain, and acquiring a first hash value corresponding to the block data;
signing the block data by adopting a private key corresponding to the candidate alliance network to obtain a fourth digital signature;
generating a certificate authentication request according to the fourth digital signature, the first hash value and the root certificate of the candidate alliance network;
sending the certificate authentication request to each of the plurality of alliance networks based on a Byzantine fault tolerance algorithm;
wherein each of the plurality of alliance networks is configured to, when receiving the certificate authentication request and agreeing to the candidate alliance network joining, extract a third public key corresponding to the candidate alliance network from the root certificate of the candidate alliance network, decrypt the fourth digital signature with the third public key to obtain a second decryption result, obtain a second hash value corresponding to the second decryption result, and determine that certificate authentication of the candidate alliance network passes when the second hash value matches the first hash value.
8. A cross-alliance node authentication apparatus, applied to a second node in a second alliance network, the apparatus comprising:
a node authentication request receiving module, configured to receive a node authentication request sent by a first node in a first alliance network, where the node authentication request includes a first public key certificate corresponding to the first node;
a first root certificate acquisition module, configured to acquire a first root certificate corresponding to the first alliance network from a preset certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
the certificate verification module is used for verifying the first public key certificate by adopting the first root certificate to obtain a certificate verification result;
and a node authentication module, configured to determine whether the first node passes authentication according to the certificate verification result.
9. An alliance joining authentication apparatus, the apparatus comprising:
the candidate root certificate acquisition module is used for acquiring a root certificate corresponding to a candidate alliance network to be joined;
the network determining module is used for determining a plurality of alliance networks corresponding to the current certificate chain; the certificate chain comprises a plurality of blocks, and each block comprises a root certificate corresponding to at least one different alliance network;
a certificate authentication request sending module, configured to send a certificate authentication request to each of the plurality of alliance networks; the certificate authentication request comprises the root certificate of the candidate alliance network, and each alliance network determines, based on that root certificate, whether certificate authentication of the candidate alliance network passes;
and an uplink module, configured to perform an uplink operation on the root certificate of the candidate alliance network in the certificate chain when feedback information indicating that certificate authentication passed is received from a target number of the plurality of alliance networks.
10. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
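The two procedures claimed above, cross-alliance node authentication (claims 1 to 5) and alliance joining authentication (claims 6 and 7), as one added, runnable Go example. This is not code from the patent or from the applicant: the certificate format, the use of ECDSA P-256 signatures, the serialisation of block data, the in-process simulation of both sides, and the names RootCert, NodeCert, CertChain, AuthenticateNode and JoinAlliance are all assumptions made here. Where the claims speak of decrypting a digital signature with a public key to recover a random number, the example sends the random number alongside an ECDSA signature and verifies the signature over it, which is the standard equivalent; the Byzantine-fault-tolerant broadcast of claim 7 is reduced to a loop over the member alliances with an approval threshold.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Assumed simplified certificate model (not the patent's own format): a root cert is an
// alliance name plus its root public key; a node cert binds a node public key to an
// alliance under the root's ECDSA P-256 signature.
type RootCert struct{ Alliance string; Pub *ecdsa.PublicKey }
type NodeCert struct{ Alliance string; Pub *ecdsa.PublicKey; Sig []byte }
type Alliance struct{ Root RootCert; Priv *ecdsa.PrivateKey; Agree bool } // Agree: admission policy
type Node struct{ Priv *ecdsa.PrivateKey; Cert NodeCert }
type CertChain struct{ Blocks [][]RootCert } // one block per admission round, holding root certs
func nonce() []byte                       { n := make([]byte, 16); rand.Read(n); return n }
func pubBytes(p *ecdsa.PublicKey) []byte { return append(p.X.Bytes(), p.Y.Bytes()...) }
func (c NodeCert) tbs() []byte           { return append([]byte(c.Alliance), pubBytes(c.Pub)...) }
func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig
}
func verify(p *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(p, h[:], sig)
}
// BlockData serialises block i: the "block data" a candidate signs when applying to join.
func (ch *CertChain) BlockData(i int) (d []byte) {
	for _, r := range ch.Blocks[i] {
		d = append(append(d, r.Alliance...), pubBytes(r.Pub)...)
	}
	return d
}
// RootFor looks up an alliance's root certificate on the chain (claim 1, second step).
func (ch *CertChain) RootFor(alliance string) (RootCert, bool) {
	for _, block := range ch.Blocks {
		for _, r := range block {
			if r.Alliance == alliance {
				return r, true
			}
		}
	}
	return RootCert{}, false
}
// VerifyNodeCert: the node cert must be signed by the root the chain holds for its alliance.
func VerifyNodeCert(ch *CertChain, c NodeCert) bool {
	root, ok := ch.RootFor(c.Alliance)
	return ok && verify(root.Pub, c.tbs(), c.Sig)
}
func NewAlliance(name string, agree bool) Alliance {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return Alliance{Root: RootCert{name, &k.PublicKey}, Priv: k, Agree: agree}
}
func NewNode(a Alliance) *Node { // node certificate issued by the alliance root
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := NodeCert{Alliance: a.Root.Alliance, Pub: &k.PublicKey}
	c.Sig = sign(a.Priv, c.tbs())
	return &Node{Priv: k, Cert: c}
}
// AuthenticateNode runs claims 1-5 with both sides in-process: second authenticates first.
// Random numbers travel alongside the ECDSA signatures instead of being "decrypted" out of them.
func AuthenticateNode(ch *CertChain, first, second *Node) bool {
	r1 := nonce()
	sig1 := sign(first.Priv, r1) // node authentication request: cert1, r1, sig1
	if !VerifyNodeCert(ch, first.Cert) || !verify(first.Cert.Pub, r1, sig1) {
		return false
	}
	r1r2 := append(append([]byte{}, r1...), nonce()...) // r1 || r2, r2 fresh from the second node
	sig2 := sign(second.Priv, r1r2)                      // challenge, sent together with cert2 (claim 4)
	if !VerifyNodeCert(ch, second.Cert) || !verify(second.Cert.Pub, r1r2, sig2) {
		return false // first node rejects the second node's certificate or challenge
	}
	sig3 := sign(first.Priv, r1r2)           // first node signs what it recovered
	return verify(first.Cert.Pub, r1r2, sig3) // claim 5: the fresh r2 must be covered
}
// JoinAlliance runs claims 6-7: the candidate signs the preset (genesis) block's data; each
// agreeing member re-derives that data from its own chain copy, checks hash and signature,
// and the root goes on-chain once `target` members approve (the threshold of claim 7).
func JoinAlliance(ch *CertChain, members []Alliance, cand Alliance, target int) bool {
	data := ch.BlockData(0)
	h1, sig4, approvals := sha256.Sum256(data), sign(cand.Priv, data), 0
	for _, m := range members {
		if local := ch.BlockData(0); m.Agree && sha256.Sum256(local) == h1 && verify(cand.Root.Pub, local, sig4) {
			approvals++
		}
	}
	if approvals < target {
		return false
	}
	ch.Blocks = append(ch.Blocks, []RootCert{cand.Root}) // uplink operation
	return true
}
func main() {
	a, b, c := NewAlliance("A", true), NewAlliance("B", true), NewAlliance("C", true)
	ch := &CertChain{Blocks: [][]RootCert{{a.Root, b.Root}}}
	fmt.Println("A node to B node:", AuthenticateNode(ch, NewNode(a), NewNode(b)), "| C joins:", JoinAlliance(ch, []Alliance{a, b}, c, 2), "| C node to B node:", AuthenticateNode(ch, NewNode(c), NewNode(b)))
}
```

Both sides of each exchange run in one process so the full message flow is visible; in a deployment the first and second nodes hold separate copies of the certificate chain, and the chain is the only trust anchor either side consults. Two points a reviewer of such a design would check are visible here: a node of an alliance whose root is not yet on the chain is rejected outright, and the candidate's signature over the preset block data ties its join request to chain state the members already share, so a request replayed against a different chain fails the hash comparison. Certificate validity periods and revocation are not modelled; a real deployment needs both, since a root written on-chain stays there.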
CN202110627257.XA 2021-06-04 2021-06-04 Cross-alliance node authentication method and device, computer equipment and storage medium Pending CN115514504A (en)


Publications (1)

Publication Number Publication Date
CN115514504A true CN115514504A (en) 2022-12-23

Family

ID=84499827



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination