CN115883102B - Cross-domain identity authentication method and system based on identity credibility and electronic equipment - Google Patents


Info

Publication number
CN115883102B
Authority
CN
China
Prior art keywords
identity
credibility
user
security domain
domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211498448.1A
Other languages
Chinese (zh)
Other versions
CN115883102A (en)
Inventor
陈晶
何琨
杨智
吴聪
加梦
杜瑞颖
吴云坤
陈华平
纪胜龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU filed Critical Wuhan University WHU
Priority to CN202211498448.1A priority Critical patent/CN115883102B/en
Publication of CN115883102A publication Critical patent/CN115883102A/en
Application granted granted Critical
Publication of CN115883102B publication Critical patent/CN115883102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Abstract

The invention discloses a cross-domain identity authentication method, system and electronic equipment based on identity credibility. The system comprises a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and an alliance-chain-based identity credibility management and sharing module. The unique identity identification authorization module converts the digital identity of the user into a publicly verifiable unique identity, thereby binding the digital identity to the identity credibility; the privacy protection module based on homomorphic encryption and zero-knowledge range proof encrypts and verifies the identity credibility records publicly stored in the alliance chain ledger, guaranteeing the security and correctness of the public records; the alliance-chain-based identity credibility management and sharing module implements dynamic maintenance of identity credibility and cross-domain identity authentication. The invention provides a cross-domain unified management mode for identity credibility and realizes secure comparison of identity credibility between security domains while protecting user privacy.

Description

Cross-domain identity authentication method and system based on identity credibility and electronic equipment
Technical Field
The invention belongs to the technical field of cross-domain identity authentication with privacy protection characteristics in application cryptography, relates to an identity authentication method, an identity authentication system and electronic equipment, and in particular relates to a cross-domain identity authentication method, an identity authentication system and electronic equipment based on identity credibility.
Background
Identity authentication based on a user name and a password is a common authentication mode for Web applications. The authentication service of each Web application forms an independent security domain and can only recognize digital identities within that domain. Cross-domain authentication allows a user who holds an identity in only one security domain to be recognized by other security domains. However, lacking a trusted data sharing channel, each security domain can only passively accept identity credentials from outside the domain and has difficulty evaluating the identity risk they carry.
Currently, the growing Web application market causes the number of cross-domain requests to grow rapidly, and both users and service providers have higher requirements on the functions and security of the cross-domain authentication service. On one hand, a scene of multiparty credit combined credit granting exists in a credit system; similarly, in identity authentication, the identity of the same user in multiple domains can also be used as a credential source for cross-domain identity authentication; on the other hand, in order to reduce the system risk, the security protection of Web services is well done, and each enterprise and department can establish different identity credibility models according to the system security policy and privacy requirements to evaluate the credit status of the user identity in the local domain. The identity credibility model obtains the historical behavior record of the user in the local domain by analyzing the log file stored in the identity authentication server, so that the current credit level of the target identity is obtained according to a specific calculation rule; and the system may analyze user behavior preferences to dynamically monitor for abnormal authentication behavior. However, in a cross-domain scenario, it is difficult for the existing authentication framework to reliably fulfill the above requirements: first, both centralized authentication services and third party authentication services belong to a centralized service node, and there is a risk of single point failure. Secondly, due to data confidentiality requirements and user privacy considerations, each identity authentication service provider lacks a channel for public maintenance and sharing of identity state and identity risk related data, and therefore can only passively accept identity credentials from third parties. 
Finally, log storage methods based on traditional databases also cannot provide reliable backtracking and auditing methods for the full life cycle of data. Therefore, how to reliably store, share and compare identity credibility to realize cross-domain identity authentication on the premise of protecting user privacy is a problem to be solved.
An authentication mode based on a centralized strategy depends too heavily on a single trust center. Even if an authentication service cluster formed by multiple service nodes is introduced, the cluster only solves single points of failure caused by physical factors; it cannot logically disperse trust and therefore does not achieve decentralized identity authentication. Existing distributed identity authentication schemes are generally based on public blockchain technology and maintain identity authentication data publicly. This offers an approach to cross-domain identity authentication, but the low throughput of public blockchains and the lack of an access control mechanism for on-chain data leave challenging problems in storage efficiency and privacy protection.
Hyperledger Fabric, an open-source, enterprise-grade permissioned distributed ledger technology of the alliance chain type, is designed specifically for the above needs of enterprise users. First, in terms of identity management, Fabric divides a blockchain network into federations that are jointly maintained by multiple organizations, and defines the various types of participants, such as Peer nodes, ordering service nodes, the client applications of each organization and the alliance chain administrators of each organization. This identity information is strictly associated with the digital identities in the digital certificates issued by the root CA and the intermediate CAs; the digital identity defined in a digital certificate thus corresponds to responsibilities in the Fabric network and to access rights to particular resources. Second, for transaction confirmation and consensus, Fabric uses a uniform, transparent processing mode and a strict admission mechanism, and separates transaction execution from ordering by introducing ordering nodes and an endorsement mechanism; by supporting pluggable consensus protocols, a deterministic consensus algorithm can be adopted under a trusted-authority management mode, which guarantees that blocks verified by the Peer nodes are final and correct and avoids the forks that occur in public blockchains. Finally, Fabric also supports smart contract technology. A smart contract is executable logic that converts a business model, composed of the data, rules, concept definitions and business processes of interactions between businesses, into fact records that are added to the distributed ledger. To better manage the smart contracts physically stored on the Peer nodes, Fabric packages the smart contracts for a particular business process into a technology-specific container for contract installation and instantiation; this package is referred to as chain code.
Although the Fabric blockchain provides a channel architecture and private data to enable secure transactions between individual organizations, the organizations that participate in such transactions still need to disclose data to one another. Therefore, to keep numerical information on the alliance chain ledger confidential, a homomorphic encryption cryptosystem can be adopted so that ciphertexts remain computable, and a range proof, a kind of zero-knowledge proof, can guarantee that the value inside a ciphertext lies within a legal interval.
The Paillier homomorphic encryption scheme is an additively homomorphic encryption scheme based on discrete logarithms and the decisional composite residuosity assumption (DCRA); its security reduces to the computational hardness of the composite residuosity class problem. To reduce the time complexity of decryption, the Paillier scheme can be converted into an improved scheme based on the partial discrete logarithm problem, in which the size of the ciphertext space is limited by choosing a generator g of a subgroup of smaller order. The improved Paillier algorithm comprises key generation, encryption and decryption steps.
The goal of the range proof based on Pedersen vector commitments is, for a given number v, to prove that $v \in [0, 2^n)$; that is, if v meets the interval requirement, the length of its binary representation must be n and the corresponding string consists only of 0s and 1s. In the random oracle model, the Fiat-Shamir transformation turns an interactive protocol requiring log(n) steps into a secure, fully zero-knowledge non-interactive proof system. Further, by concatenating the binary representations of m numbers in the same range, an aggregate range proof covering $n \cdot m$ bits at once can be generated while adding only $2 \cdot \log_2(m)$ proof elements.
Disclosure of Invention
In view of the over-reliance of centralized authentication on a single trust center, and of the efficiency and privacy-protection shortcomings of public blockchains when storing identity-authentication data, the invention provides an identity credibility management model based on a permissioned alliance chain ledger, realizes unified management of identity credibility while protecting user privacy, and provides a cross-domain identity authentication method, system and electronic equipment based on secure comparison of identity credibility.
The technical scheme adopted by the method is as follows: a cross-domain identity authentication method based on identity credibility comprises the following steps:
step 1: converting the digital identity of the user into a publicly verifiable unique identity, and realizing the binding of the digital identity and the identity credibility;
The authority identity source mechanism verifies the identity information provided by the user, submits legal identity information abstracts to the alliance chain account book, and distributes keys and identity dynamic identification credential generation application to the user; the user registers the digital identity by using the identity dynamic identification credential to provide a verifiable dynamic identity credential;
step 2: encrypting and verifying identity trust records publicly stored in a federation chain ledger;
After the user registers the digital identities by using the unique identity, the identity authentication service distributes homomorphic encryption keys for each digital identity; when an identity credibility record corresponding to the digital identity is generated, the identity authentication service generates a corresponding homomorphic encryption ciphertext and zero knowledge range evidence to serve as verification information of data validity;
Step 3: identity credibility configuration information management, dynamic maintenance on an identity credibility chain and verifiable comparison of identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, guaranteeing that identity-credibility information in the public ledger cannot be tampered with and that the functions defined by the chain code are executed honestly.
The technical scheme adopted by the system of the invention is as follows: a cross-domain identity authentication system based on identity credibility comprises a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and an alliance-chain-based identity credibility management and sharing module;
The unique identity identification authorization module is used for converting the digital identity of the user into a publicly verifiable unique identity identification, and binding the digital identity and the identity credibility is realized;
The authority identity source mechanism verifies the identity information provided by the user, submits legal identity information abstracts to the alliance chain account book, and distributes keys and identity dynamic identification credential generation application to the user; the user registers the digital identity by using the identity dynamic identification credential to provide a verifiable dynamic identity credential;
the privacy protection module based on homomorphic encryption and zero knowledge range proof is used for encrypting and verifying identity credibility records stored in the alliance chain account book in a public manner;
After the user registers the digital identities by using the unique identity, the identity authentication service distributes homomorphic encryption keys for each digital identity; when an identity credibility record corresponding to the digital identity is generated, the identity authentication service generates a corresponding homomorphic encryption ciphertext and zero knowledge range evidence to serve as verification information of data validity;
The identity credibility management and sharing module based on the alliance chain is used for identity credibility configuration information management, dynamic maintenance on the identity credibility chain and verifiable comparison of the identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, guaranteeing that identity-credibility information in the public ledger cannot be tampered with and that the functions defined by the chain code are executed honestly.
The technical scheme adopted by the electronic equipment is as follows: an electronic device, comprising:
one or more processors;
and the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the cross-domain identity authentication method based on the identity credibility.
Compared with the prior art, the invention has the advantages and positive effects mainly represented in the following aspects:
(1) The invention provides an identity credibility standard storage mode based on homomorphic encryption and non-interactive zero knowledge range proof, and under the premise of ensuring the data calculability, an identity credibility safety sharing channel is constructed, so that the unified management of multi-element heterogeneous identity credibility is realized;
(2) The invention designs an efficient compact storage mode: a compact storage structure combining a Merkle hash tree with an aggregate range proof stores multiple identity credibility state records efficiently;
(3) The invention provides a cross-domain identity authentication method based on identity credibility. When a security domain receives an identity credential from outside the domain, it runs, under the supervision of the ciphertext identification chain code acting as a trusted third party, an identity credibility secure comparison protocol using the ciphertext evidence, the identity credibility state ciphertext record and the previously published identity credibility evaluation standard. The protocol yields the result of comparing the user's identity credibility with the local domain's minimum threshold requirement, which determines whether the cross-domain identity authentication request is accepted. Throughout this process, the protocol provided by the scheme can effectively protect the privacy of both the security domain and the user.
Drawings
FIG. 1 is a diagram of an overall system framework according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an authorization module based on unique identity in an embodiment of the present invention;
FIG. 3 is a schematic diagram of a privacy preserving module based on homomorphic encryption and zero knowledge range proof in an embodiment of the invention;
FIG. 4 is a schematic diagram of a security domain configuration information standard structure of a federated chain-based management and sharing module according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a comparative principle of identity trust of a federated chain-based management and sharing module in accordance with an embodiment of the present invention.
Detailed Description
For the purpose of facilitating understanding and practicing the invention by those of ordinary skill in the art, reference will now be made in detail to the present invention, examples of which are illustrated in the accompanying drawings and examples, it being understood that the examples described herein are for the purpose of illustration and explanation only and are not intended to be limiting.
The cross-domain identity authentication method based on identity credibility provided by the embodiment comprises the following steps:
step 1: converting the digital identity of the user into a publicly verifiable unique identity, and realizing the binding of the digital identity and the identity credibility;
The authority identity source mechanism verifies the identity information provided by the user, submits legal identity information abstracts to the alliance chain account book, and distributes keys and identity dynamic identification credential generation application to the user; the user registers the digital identity by using the identity dynamic identification credential to provide a verifiable dynamic identity credential;
step 2: encrypting and verifying identity trust records publicly stored in a federation chain ledger;
After the user registers the digital identities by using the unique identity, the identity authentication service distributes homomorphic encryption keys for each digital identity; when an identity credibility record corresponding to the digital identity is generated, the identity authentication service generates a corresponding homomorphic encryption ciphertext and zero knowledge range evidence to serve as verification information of data validity;
Step 3: identity credibility configuration information management, dynamic maintenance on an identity credibility chain and verifiable comparison of identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, guaranteeing that identity-credibility information in the public ledger cannot be tampered with and that the functions defined by the chain code are executed honestly.
The invention provides a cross-domain identity authentication system based on identity credibility, which consists of a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and an alliance-chain-based identity credibility management and sharing module; the complete system architecture is shown in FIG. 1.
The unique identity identification authorization module of this embodiment converts the digital identity of the user into a publicly verifiable unique identity, thereby binding the digital identity to the identity credibility;
The authority identity source mechanism verifies the identity information provided by the user, submits legal identity information abstracts to the alliance chain account book, and distributes keys and identity dynamic identification credential generation application to the user; the user registers the digital identity by using the identity dynamic identification credential to provide a verifiable dynamic identity credential;
The privacy protection module based on homomorphic encryption and zero knowledge range proof is used for encrypting and verifying identity credibility records stored in the alliance chain account book in a public manner;
After the user registers the digital identities by using the unique identity, the identity authentication service distributes homomorphic encryption keys for each digital identity; when an identity credibility record corresponding to the digital identity is generated, the identity authentication service generates a corresponding homomorphic encryption ciphertext and zero knowledge range evidence to serve as verification information of data validity;
The identity credibility management and sharing module based on the alliance chain is used for identity credibility configuration information management, dynamic maintenance on the identity credibility chain and verifiable comparison of the identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, guaranteeing that identity-credibility information in the public ledger cannot be tampered with and that the functions defined by the chain code are executed honestly.
Referring to fig. 2, the specific working process of the embodiment based on the unique identity identification authorization module includes the following steps:
step A1: the generation process of the unique identity of the user involves three entities: a user, an authoritative identity source mechanism and a federation chain ledger;
The authoritative identity source mechanism provides the user with an authentication application that contains a unique identification code appid. Using the authentication application, the user generates a user key pair (PrivKey_User, PubKey_User), computes and signs the hash value of the personal information, and applies to the authoritative identity source mechanism for a unique identity uuid_User;
Step A1.1: the authoritative identity source mechanism distributes an authentication application with a unique identification code appid to the user, and a private key PrivKey_User and a public key PubKey_User are generated with an asymmetric encryption algorithm; the user then collates the personal information UserInfo into a standard storage format, computes the personal information digest H = Hash(UserInfo), and uses the private key PrivKey_User to sign the personal information digest, the application identification code appid and the identity generation timestamp: Sig_User(H | appid | Timestamp). After the computation is completed, the application sends the public key PubKey_User, the personal information UserInfo, the personal information digest H, the application identification code appid and the signature Sig_User to the authoritative identity source mechanism through a secure channel;
Here, the asymmetric encryption algorithm is preferably an elliptic curve encryption algorithm based on the NIST P-256 curve, and the digital signature algorithm is preferably the ECDSA (FIPS 186-3) signature algorithm.
Step A1.2: after receiving the request from the user's application, the authoritative identity source mechanism computes the personal information digest H = Hash(UserInfo) according to the same rules and verifies the user signature Sig_User using the public key PubKey_User. After verifying the authenticity and integrity of the request, the authoritative identity source mechanism submits the personal information digest H, the application identification code appid, the identity generation Timestamp and its own signature over the on-chain information, Sig_Authority(H | appid | Timestamp), to the alliance chain ledger, obtaining the identity address addr_User, and then returns addr_User to the authentication application as the user's unique identity uuid_User.
Step A2: the authentication process of the unique identity of the user involves three entities: the user, the local security domain authentication server and the alliance chain ledger;
Using the authentication application, the user generates an identity dynamic identification credential Cert consisting of the unique identity uuid_User obtained in A1, the personal information digest value H, the credential generation Timestamp, the security domain to which access is requested and a validity period, and sends it to the target authentication server.
Step A2.1: the authentication application generates an identity dynamic identification credential Cert = (appid, H, Timestamp, TargetDomain, LifeTime), consisting of the application identification code appid, the personal information digest value H, the credential generation Timestamp, the security domain to which access is requested (TargetDomain) and the validity period (LifeTime), and signs it with the private key PrivKey_User; the identity dynamic identification credential Cert, the signature Sig_User, the public key PubKey_User, the personal information digest value H and the unique identity uuid_User are then combined into an identity authentication message, which is sent to the target authentication server;
in a one-time cross-domain identity authentication process, a local security domain authentication server needs to verify the identity of a user initiating an authentication request; the target authentication server needs to verify the cross-domain identity authentication message provided by the local security domain server.
Firstly, the local security domain can verify the identity credentials of the user, and the adversary needs to have the private key of the user to pass the identity authentication of the local security domain. Then, the local security domain needs to construct a legal cross-domain authentication message using a private key, so that it is difficult for an adversary to forge a cross-domain authentication request. Finally, the target authentication server can verify the authenticity of the authentication message through the public key of the local security domain authentication server and the authority record of the identity identification information abstract.
Step A2.2: after obtaining the identity authentication message, the target authentication server uses the generation timestamp and the validity period to judge the timeliness of the message. It then verifies the identity dynamic identification credential Cert using the user public key PubKey_User and the content of the identity authentication message. After the credential passes verification, the server obtains the authoritative record of the identity information digest according to the unique identity uuid_User and verifies the personal information digest value H. If all the information provided by the user side is consistent, the target authentication server may determine that the user identity is legal. Finally, the target authentication server records the hash value of the identity dynamic identification credential and marks it as used.
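The issuance and verification flow of steps A2.1 and A2.2 can be exercised end to end as follows. This is an added example, not code from the patent: the signing encoding, the in-memory map standing in for the alliance chain ledger, the target-domain check, and all names and sample values (app-42, addr-0001, domain-b.example) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert mirrors Cert = (appid, H, Timestamp, TargetDomain, LifeTime) from step A2.1.
type Cert struct {
	AppID, TargetDomain string
	H                   [32]byte // personal information digest
	Timestamp, LifeTime int64    // Unix seconds; validity period in seconds
}

// AuthMessage is the identity authentication message sent to the target server.
type AuthMessage struct {
	Cert   Cert
	Sig    []byte
	PubKey *ecdsa.PublicKey
	UUID   string
}

var (
	ErrExpired = errors.New("credential outside its validity window")
	ErrDomain  = errors.New("credential issued for another security domain")
	ErrSig     = errors.New("signature does not match credential")
	ErrDigest  = errors.New("digest H does not match the ledger record")
	ErrReplay  = errors.New("credential already used")
)

// digest hashes an unambiguous encoding of the credential. The encoding is an
// assumption of this example; the page does not define a wire format.
func (c Cert) digest() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d:%s,%x,%d:%s,%d,%d", len(c.AppID), c.AppID,
		c.H[:], len(c.TargetDomain), c.TargetDomain, c.Timestamp, c.LifeTime)))
}

// Issue plays the authentication application: sign the credential (step A2.1).
func Issue(priv *ecdsa.PrivateKey, uuid string, c Cert) (AuthMessage, error) {
	d := c.digest()
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return AuthMessage{c, sig, &priv.PublicKey, uuid}, err
}

// Verifier plays the target authentication server (step A2.2).
type Verifier struct {
	Domain string
	Ledger map[string][32]byte // uuid -> authoritative H, stand-in for the ledger
	used   map[[32]byte]bool   // hashes of credentials already accepted
}

func (v *Verifier) Verify(m AuthMessage, now int64) error {
	c, d := m.Cert, m.Cert.digest()
	switch rec, known := v.Ledger[m.UUID]; {
	case now < c.Timestamp || now > c.Timestamp+c.LifeTime:
		return ErrExpired
	case c.TargetDomain != v.Domain: // assumed check: the page only lists the field
		return ErrDomain
	case m.PubKey == nil || !ecdsa.VerifyASN1(m.PubKey, d[:], m.Sig):
		return ErrSig
	case !known || rec != c.H:
		return ErrDigest
	case v.used[d]:
		return ErrReplay
	}
	v.used[d] = true // record the credential hash and mark it as used
	return nil
}

// DemoCredential runs one accepted and four rejected requests on constructed data.
func DemoCredential() (ok, replay, stale, forged, unknown error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256([]byte(`{"name":"Alice Example"}`)) // constructed UserInfo
	v := &Verifier{"domain-b.example", map[string][32]byte{"addr-0001": h}, map[[32]byte]bool{}}
	const t0 = 1700000000
	msg, err := Issue(priv, "addr-0001", Cert{"app-42", v.Domain, h, t0, 300})
	if err != nil {
		panic(err)
	}
	ok = v.Verify(msg, t0+10)
	replay = v.Verify(msg, t0+20)
	stale = v.Verify(msg, t0+301)
	altered := msg
	altered.Cert.LifeTime = 86400 // signed field changed after signing
	forged = v.Verify(altered, t0+301)
	altered = msg
	altered.UUID = "addr-9999" // identity with no ledger record
	unknown = v.Verify(altered, t0+10)
	return
}

func main() { fmt.Println(DemoCredential()) }
```

The replay set must outlive each credential's validity period; once Timestamp + LifeTime has passed, the expiry check alone rejects the credential and its hash can be dropped.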
Referring to FIG. 3, the working process of the privacy protection module based on homomorphic encryption and zero-knowledge range proof in this embodiment includes the following steps:
step B1: homomorphic encryption key distribution;
Using the unique identity uuid_User obtained in A1, the user passes the authentication of the local security domain Web application through step A2. The local security domain Web application then generates a homomorphic encryption public-private key pair for the user's digital identity: the public key is PK_User = (n, g) and the private key is SK_User = (p, q, α). It stores the private key locally and uses it to verify identity credibility comparison results, and it publishes the public key to all participants in the system for encrypting identity credibility. Here p and q are random large primes, n is the product of p and q, g is a random number, and α is a factor of the least common multiple of p-1 and q-1;
Here, the homomorphic encryption algorithm in this embodiment is preferably the improved Paillier algorithm based on the Partial Discrete Logarithm Problem.
Step B2: generation of the identity credibility ciphertext. After the local security domain Web application has evaluated the identity credibility corresponding to the user's digital identity, it generates the identity credibility ciphertext using the corresponding homomorphic encryption public key PK_User = (n, g) and a random number r.
Step B3: generation of the identity credibility range proof. The local security domain Web application selects the public parameters ParamsRP and generates the range proof corresponding to the identity credibility ciphertext record.
Here, the zero-knowledge range proof algorithm in this embodiment is preferably the Bulletproof algorithm;
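The following added example (not code from the patent) implements key generation, encryption and decryption for the subgroup Paillier variant that the Background and steps B1 and B2 refer to, and shows the additive property that keeps encrypted credibility values computable. The construction of g, the formula c = g^(m + n·r) mod n², the choice of a prime α and the demo key sizes follow Paillier's published subgroup scheme and are assumptions here, since the page gives no formulas; the range proof of step B3 is not included.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// PublicKey is PK = (n, g); N2 caches n^2.
type PublicKey struct{ N, G, N2 *big.Int }

// PrivateKey is SK = (p, q, alpha); alpha is a prime factor of lcm(p-1, q-1).
type PrivateKey struct {
	PublicKey
	P, Q, Alpha *big.Int
}

// must aborts on a randomness failure, which is unrecoverable for key material.
func must(v *big.Int, err error) *big.Int {
	if err != nil {
		panic(err)
	}
	return v
}

// primeWithFactor searches for a prime p = 2*alpha*k + 1, so that alpha | p-1.
func primeWithFactor(alpha *big.Int, bits int) *big.Int {
	twoA := new(big.Int).Lsh(alpha, 1)
	kMax := new(big.Int).Lsh(one, uint(bits-twoA.BitLen()))
	for {
		k := must(rand.Int(rand.Reader, kMax))
		p := k.Add(k.Mul(k, twoA), one)
		if p.BitLen() >= bits-1 && p.ProbablyPrime(20) {
			return p
		}
	}
}

// GenerateKey builds g = (1+n)*y mod n^2 with y of order alpha, so g has order alpha*n.
func GenerateKey(bits, alphaBits int) *PrivateKey {
	alpha := must(rand.Prime(rand.Reader, alphaBits))
	p, q := primeWithFactor(alpha, bits/2), must(rand.Prime(rand.Reader, bits/2))
	n := new(big.Int).Mul(p, q)
	n2 := new(big.Int).Mul(n, n)
	pm, qm := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
	lambda := new(big.Int).Mul(pm, qm)
	lambda.Div(lambda, new(big.Int).GCD(nil, nil, pm, qm)) // lcm(p-1, q-1)
	e := new(big.Int).Mul(n, new(big.Int).Div(lambda, alpha)) // x^e has order 1 or alpha
	for {
		x := must(rand.Int(rand.Reader, n2))
		y := new(big.Int).Exp(x, e, n2)
		if new(big.Int).GCD(nil, nil, x, n).Cmp(one) != 0 || y.Cmp(one) == 0 {
			continue // y == 1 would make ciphertexts deterministic
		}
		g := y.Mul(y, new(big.Int).Add(n, one))
		return &PrivateKey{PublicKey{n, g.Mod(g, n2), n2}, p, q, alpha}
	}
}

// Encrypt returns c = g^(m + n*r) mod n^2 for a fresh random r in [0, n); m >= 0.
func (pk *PublicKey) Encrypt(m int64) *big.Int {
	r := must(rand.Int(rand.Reader, pk.N))
	e := r.Add(r.Mul(r, pk.N), big.NewInt(m))
	return new(big.Int).Exp(pk.G, e, pk.N2)
}

// l computes L(u^alpha mod n^2), where L(x) = (x-1)/n.
func (sk *PrivateKey) l(u *big.Int) *big.Int {
	u = new(big.Int).Exp(u, sk.Alpha, sk.N2)
	return u.Div(u.Sub(u, one), sk.N)
}

// Decrypt returns m = L(c^alpha) * L(g^alpha)^-1 mod n; the exponent is alpha,
// not the full lambda, which is where the decryption speed-up comes from.
func (sk *PrivateKey) Decrypt(c *big.Int) int64 {
	m := new(big.Int).ModInverse(sk.l(sk.G), sk.N)
	return m.Mod(m.Mul(m, sk.l(c)), sk.N).Int64()
}

// Add multiplies two ciphertexts, which adds the plaintexts underneath.
func (pk *PublicKey) Add(c1, c2 *big.Int) *big.Int {
	s := new(big.Int).Mul(c1, c2)
	return s.Mod(s, pk.N2)
}

// DemoPaillier encrypts a constructed credibility value 72 twice and adds 15 to it.
func DemoPaillier() (credit, sum int64, randomized bool) {
	sk := GenerateKey(1024, 160) // demo sizes only, chosen so the example runs quickly
	c1, c2, delta := sk.Encrypt(72), sk.Encrypt(72), sk.Encrypt(15)
	return sk.Decrypt(c1), sk.Decrypt(sk.Add(c2, delta)), c1.Cmp(c2) != 0
}

func main() { fmt.Println(DemoPaillier()) }
```

Because anyone holding PK_User can combine ciphertexts this way, a stored ciphertext says nothing by itself about whether its plaintext lies between the domain's published minimum and maximum; that is the gap the range proof of step B3 closes.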
Referring to FIG. 4 and FIG. 5, the specific working process of the alliance-chain-based identity credibility management and sharing module in this embodiment includes the following steps:
Step C1: management of identity credibility configuration information. Each security domain stores its identity credibility configuration information in the alliance chain ledger in advance, in the form of a JSON standard storage structure comprising the security domain Domain, the homomorphic encryption public key PHEKey, the identity credibility maximum CreditMax, the identity credibility minimum CreditMin, the identity credibility evaluation standard TrustworthinessStandard, the Timestamp, the message hash value MessageHash and the digital signature ConfigSig;
Here, the digital signature algorithm in this embodiment is preferably the ECDSA (FIPS 186-3) signature algorithm;
Step C2: on-chain dynamic maintenance of identity credibility. After a user registers a digital identity in a security domain, the security domain generates identity credibility state information for the digital identity according to the identity credibility evaluation standard TrustworthinessStandard from C1, and stores one or more identity credibility state records in the alliance chain ledger using either the standard storage mode or the compact storage mode;
for clarity of description herein, it is assumed that the security domain performs dynamic maintenance of identity trustworthiness in a standard storage mode;
Step C2.1: the security Domain adopts a standard storage mode to generate a record containing an encrypted storage structure with the information of the security Domain, a Timestamp, a former identity credibility state record PreviousCreditAddress, an identity credibility ciphertext Credit, an identity credibility range proof CreditRangeProof, a configuration information address ConfigAddress, a message hash value MESSAGEHASH, a digital signature MESSAGESIG and the like;
Step C2.2: the alliance chain code verifies the digital signature and the range proof, firstly checks the validity of the signature of the security domain Web application, and then calculates VerifyRP (paramsRP, proofRP), wherein proofRP is the identity credibility range proof; if the verification is passed, the ciphertext verification chain code stores the identity credibility state into a alliance chain account book to obtain a corresponding recorded transaction address addr; otherwise, the identity credibility state is abandoned, and the alliance chain account book does not need to be updated;
Step C3: verifiable comparison of identity credibility. The user can use an existing digital identity to perform cross-domain identity authentication. The security domain receiving the cross-domain identity credential can select a suitable minimum identity credibility threshold t according to the identity credibility evaluation standard TrustworthinessStandard published in advance by the security domain providing the identity; under the supervision of the alliance chain code acting as a trusted third party, it determines whether the identity credibility of the cross-domain identity credential meets the minimum requirement of its own domain, and thereby decides whether the cross-domain identity authentication request passes.
Step C3.1: the external security domain Ex selects a comparison parameter θ (θ > CreditMax_L) according to the identity credibility configuration information of the local security domain L, and computes the ciphertext Encrypt_Ex(θ, r_θ) of the comparison parameter θ; where CreditMax_L is the maximum value allowed for identity credibility and r_θ is the random number used when encrypting θ;
Step C3.2: the external security domain Ex computes v_1 = θ - t and applies to the ciphertext authentication chain code for the proof C(Ex, v_1), whose content includes Sig(Hash(Certificate_Ex)), PK_Ex, PK_CC; where C(Ex, v_1) is the authentication proof of ciphertext v_1 requested by the external security domain Ex, Certificate_Ex is the certificate of the external security domain Ex, PK_Ex is the public key of the external security domain Ex, and PK_CC is the public key of the ciphertext authentication chain code CC;
Step C3.3: the external security domain sends Encrypt_Ex(θ, r_θ) and C(Ex, v_1) together to the local security domain;
Step C3.4: assuming that the identity credibility of User_L is v_2, the local security domain L randomly selects the linear transformation parameters k_1, k_2 and applies to the ciphertext authentication chain code for the proof C(L, k_1·v_2), whose content includes Sig(Hash(Certificate_L)), Encrypt_L(k_1, r_k), PK_L, PK_CC; where Certificate_L is the certificate of the local security domain L, r_k is the random number used when encrypting k, […] is the storage address of ciphertext v_2 in the alliance chain ledger, and PK_L is the public key of the local security domain L;
Step C3.5: after obtaining the ciphertext proof, the local security domain L computes the intermediate results m_1, m_2 used for comparison,
The local security domain L also computes the intermediate results m_3, m_4, m_5 used for verification,
Step C3.6: after obtaining all intermediate results, the local security domain L sends m_1, m_2, m_3, m_4, m_5, C(L, k_1·v_2) to the external security domain Ex;
Step C3.7: the external security domain Ex first verifies whether […] in the proof C(L, k_1·v_2) is consistent with the identity credibility state record corresponding to […]; if it is not, Ex terminates the protocol immediately. Ex then verifies the digital signature in the proof C(L, k_1·v_2) and terminates the protocol immediately if signature verification fails. Having established the authenticity of the ciphertext, the external security domain Ex decrypts d_1 = Decrypt_Ex(m_1) and d_2 = Decrypt_Ex(m_2) and compares them, thereby obtaining the result of comparing the identity credibility corresponding to the digital identity of User_L in the local security domain with the minimum identity credibility threshold of the external security domain. Finally, the external security domain Ex decrypts d_3 = Decrypt_Ex(m_3) and d_4 = Decrypt_Ex(m_4) to obtain the verification information, and then computes and verifies the following equation
If all the equations hold, this proves that the local security domain L executed the protocol honestly, and the external security domain Ex accepts the identity credibility comparison result; otherwise, it proves that the local security domain L behaved fraudulently during protocol execution.
Step C3.8: the external security domain Ex decides, according to the comparison result, whether the user's cross-domain identity authentication request passes.
Step C3.9: finally, the external security domain Ex records the execution log of the identity credibility secure comparison protocol in the alliance chain ledger.
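The comparison in steps C3.1 to C3.7, as an added example that is not code from the patent: it uses textbook Paillier (g = n + 1) rather than the improved variant of step B1, and because the formulas for m_1 and m_2 are not reproduced on this page, the affine blinding m_1 = Enc(k_1·v_1 + k_2), m_2 = Enc(k_1·(θ - v_2) + k_2) is an assumed construction. The chain code proofs, the range proof and the m_3 to m_5 honesty check are left out; all function names and the demo primes are constructed for illustration.

```python
# Added example: blinded threshold comparison over Paillier ciphertexts.
# Textbook Paillier with g = n + 1; the blinding formulas are an assumption.
import secrets
from math import gcd

# Constructed demo primes (Mersenne primes 2^89-1 and 2^107-1). They are far
# too small and too structured for real use; they only keep the demo fast.
DEMO_P = 2**89 - 1
DEMO_Q = 2**107 - 1
BLIND_BITS = 64  # size of the blinding parameters k1, k2 chosen by domain L


def keygen(p, q):
    """Return (public modulus n, private key) for one security domain."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                          # valid because g = n + 1
    return n, (n, lam, mu)


def encrypt(n, m, r=None):
    """Enc(m, r) = (1 + m*n) * r^n mod n^2; negative m is reduced mod n."""
    n2 = n * n
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def ex_prepare(n_ex, theta, t, credit_max_l):
    """Ex side (C3.1-C3.3): encrypt theta and v1 = theta - t under Ex's key."""
    if theta <= credit_max_l:
        # Otherwise theta - v2 could be negative and wrap around modulo n,
        # which would turn a passing score into a failing comparison.
        raise ValueError("theta must be greater than CreditMax_L")
    if not 0 <= t <= credit_max_l:
        raise ValueError("threshold t must lie within L's credibility range")
    if theta << (BLIND_BITS + 1) >= n_ex:
        raise ValueError("theta too large: blinded values would exceed n")
    return encrypt(n_ex, theta), encrypt(n_ex, theta - t)


def l_respond(n_ex, enc_theta, enc_v1, v2):
    """L side (C3.4-C3.6): blind both values using only Ex's public key."""
    n2 = n_ex * n_ex
    k1 = secrets.randbelow(2**BLIND_BITS - 1) + 1  # k1 >= 1 keeps the order
    k2 = secrets.randbelow(2**BLIND_BITS)
    # m1 = Enc(k1 * (theta - t) + k2)
    m1 = pow(enc_v1, k1, n2) * encrypt(n_ex, k2) % n2
    # Enc(theta) * Enc(-v2) = Enc(theta - v2); then apply the same blinding.
    enc_diff = enc_theta * encrypt(n_ex, -v2) % n2
    m2 = pow(enc_diff, k1, n2) * encrypt(n_ex, k2) % n2
    return m1, m2


def ex_decide(sk_ex, m1, m2):
    """Ex side (C3.7): d2 <= d1 holds exactly when v2 >= t."""
    d1 = decrypt(sk_ex, m1)
    d2 = decrypt(sk_ex, m2)
    return d2 <= d1


def run_comparison(v2, t, credit_max_l=100, theta=1000):
    """Run one comparison end to end with constructed sample values."""
    n_ex, sk_ex = keygen(DEMO_P, DEMO_Q)
    enc_theta, enc_v1 = ex_prepare(n_ex, theta, t, credit_max_l)
    m1, m2 = l_respond(n_ex, enc_theta, enc_v1, v2)
    return ex_decide(sk_ex, m1, m2)


if __name__ == "__main__":
    for score in (59, 60, 95):  # constructed credibility values
        print(score, run_comparison(score, t=60))
```

In this construction Ex learns d_1 - d_2 = k_1·(v_2 - t), so k_1 and k_2 have to be large and freshly drawn for every run.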
The present invention can provide:
1. Binding of digital identity and identity credibility: the scheme converts the user's digital identity into a verifiable unique identity, thereby binding the digital identity to the identity credibility. The authoritative identity source organization verifies the identity information provided by the user, submits a digest of the legitimate identity information to the alliance chain ledger, and distributes a key and an identity dynamic identification credential generation application to the user. The user can then register a digital identity using the identity dynamic identification credential, which provides a verifiable dynamic identity credential;
2. Unified management of multi-element heterogeneous identity credibility: the scheme provides a standard storage structure for identity credibility configuration information and, on that basis, designs a standard storage mode and an efficient compact storage mode for identity credibility based on homomorphic encryption and non-interactive zero-knowledge range proofs. With a permissioned Fabric alliance chain ledger as the storage medium, it achieves unified maintenance of identity credibility records while protecting user privacy.
3. Cross-domain identity authentication framework based on identity credibility: when a security domain receives an identity credential from outside the domain, it executes the identity credibility secure comparison protocol under the supervision of the alliance chain code acting as a trusted third party, using ciphertext proofs and the publicly stored identity credibility state ciphertext records, to obtain the result of comparing the user's identity credibility with its own domain's minimum identity credibility threshold, and thereby decides whether to accept the cross-domain identity authentication request. By combining the existing identity credibility management mode with cross-domain identity authentication, the scheme achieves a secure and reliable identity authentication mechanism for cross-domain scenarios.
It should be understood that the foregoing description of the preferred embodiments is not intended to limit the scope of protection of the invention, which is defined by the appended claims, and that those skilled in the art can make substitutions or modifications without departing from the scope of the invention as set forth in the appended claims.

Claims (8)

1. A cross-domain identity authentication method based on identity credibility, characterized by comprising the following steps:
Step 1: converting the digital identity of the user into a publicly verifiable unique identity, thereby binding the digital identity to the identity credibility;
The authoritative identity source organization verifies the identity information provided by the user, submits a digest of the legitimate identity information to the alliance chain ledger, and distributes a key and an identity dynamic identification credential generation application to the user; the user registers the digital identity using the identity dynamic identification credential, providing a verifiable dynamic identity credential;
Step 2: encrypting and verifying the identity credibility records publicly stored in the alliance chain ledger;
After the user registers digital identities using the unique identity, the identity authentication service distributes a homomorphic encryption key for each digital identity; when an identity credibility record corresponding to a digital identity is generated, the identity authentication service generates the corresponding homomorphic encryption ciphertext and zero-knowledge range proof as verification information for the validity of the data;
Step 3: identity credibility configuration information management, on-chain dynamic maintenance of identity credibility, and verifiable comparison of identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, ensuring that the identity credibility information in the public ledger is not tampered with and that the functions defined by the chain code are executed honestly;
In the verifiable comparison of identity credibility, the security domain receiving the cross-domain identity credential selects a suitable minimum identity credibility threshold according to the identity credibility evaluation standard published in advance by the security domain providing the identity; under the supervision of the alliance chain code acting as a trusted third party, it determines whether the identity credibility of the cross-domain identity credential meets the minimum requirement of its own domain, thereby deciding whether to pass the cross-domain identity authentication request;
The specific implementation comprises the following substeps:
Step C3.1: the user requests to use a digital identity in the existing local security domain to pass the identity authentication of the external security domain;
Step C3.2: the external security domain selects a suitable minimum identity credibility threshold according to the identity credibility evaluation standard published in advance in the alliance chain ledger by the local security domain, and applies to the alliance chain code for a ciphertext proof of the comparison parameters;
Step C3.3: the local security domain applies to the alliance chain code for a ciphertext proof of the user's identity credibility, according to the alliance chain ledger record of the user's identity credibility;
Step C3.4: the external security domain provides the comparison parameters and the corresponding ciphertext proof to the local security domain;
Step C3.5: the local security domain uses the comparison parameters provided by the external security domain and its own parameters to compute the intermediate results and the verification information;
Step C3.6: the external security domain obtains the result of comparing the identity credibility with the threshold from the intermediate results, uses the verification information to judge the authenticity of the comparison result, and submits the comparison log to the alliance chain ledger.
2. The identity-credibility-based cross-domain identity authentication method according to claim 1, wherein: in step 1, the generation of the user's unique identity involves three entities: the user, the authoritative identity source organization and the alliance chain ledger;
The generation of the user's unique identity specifically comprises the following substeps:
Step A1.1: the user generates a public-private key pair with an asymmetric encryption algorithm, using the authentication application provided by the authoritative identity source organization, which contains a unique identification code; the user then arranges the personal information into the standard storage format, calculates the digest value of the personal information, and uses the user's private key to sign the personal information digest together with the application identification code and the identity generation timestamp; through the application, the user transmits the public key, the personal information digest, the application identification code and the signature to the authoritative identity source organization over a secure channel, and applies to it for a unique identity;
Step A1.2: after receiving the request from the user's application, the authoritative identity source organization calculates the user's personal information digest according to the same rule and verifies the user's signature; after verifying the authenticity and integrity of the request, the authoritative identity source organization submits the personal information digest, the application identification code, the identity generation timestamp and the organization's signature over the on-chain information to the alliance chain ledger and obtains a transaction address; the transaction address is then returned to the authentication application as the user's unique identity.
3. The identity-credibility-based cross-domain identity authentication method according to claim 1, wherein: in step 1, the authentication of the user's unique identity involves three entities: the user, the local security domain authentication server and the alliance chain ledger;
The authentication of the user's unique identity specifically comprises the following substeps:
Step A2.1: when the user performs identity authentication, the authentication application generates an identity dynamic identification credential consisting of the application identification code, the personal information digest value, the generation timestamp of the identity dynamic identification credential, the security domain to which access is requested and the validity period, and signs the identity dynamic identification credential with the private key; the identity dynamic identification credential, the signature, the public key, the personal information digest value and the unique identity are then combined into an identity authentication message, which is sent to the target authentication server;
Step A2.2: after obtaining the identity authentication message, the target authentication server uses the generation timestamp and the validity period to judge the timeliness of the identity authentication message; it then uses the user's public key and the content of the identity authentication message to verify the identity dynamic identification credential; after the identity dynamic identification credential passes verification, it obtains the authoritative record of the identity information digest according to the unique identity and verifies the personal information digest value; if all the information provided by the user side is consistent, the target authentication server judges the user's identity to be legitimate; finally, the target authentication server records the hash value of the identity dynamic identification credential and marks it as used.
4. The identity-credibility-based cross-domain identity authentication method according to claim 1, wherein the specific implementation of step 2 comprises the following substeps:
Step B1: homomorphic encryption key distribution;
The user provides personal identity information, together with the user name and password corresponding to the digital identity in the local security domain, to the local security domain authentication server to create the digital identity, and uses the unique identity to pass the authentication of the local security domain authentication server; the local security domain authentication server then generates a homomorphic encryption public-private key pair for the user's digital identity, securely stores the private key locally for verifying identity credibility comparison results, and publishes the public key to all participants in the system for encrypting identity credibility;
Step B2: identity credibility ciphertext generation;
After the local security domain authentication server evaluates the identity credibility corresponding to the user's digital identity, it generates the identity credibility ciphertext using the corresponding homomorphic encryption public key;
Step B3: identity credibility range proof generation;
The local security domain authentication server selects the public parameters and generates a range proof corresponding to the identity credibility ciphertext record.
5. The identity-credibility-based cross-domain identity authentication method according to claim 1, wherein: in the identity credibility configuration information management of step 3, each security domain stores its identity credibility configuration information in the alliance chain ledger in advance, in a standard JSON storage structure, and signs the configuration information;
The specific implementation comprises the following substeps:
Step C1.1: the security domain selects an identity credibility evaluation standard, consisting of user security behaviors and the maximum identity credibility obtainable from each corresponding behavior, together with the identity credibility maximum and minimum values and a homomorphic encryption key pair;
Step C1.2: the security domain arranges the security domain name, the homomorphic encryption public key, the identity credibility maximum and minimum values, the identity credibility evaluation standard, the configuration generation timestamp, the configuration message hash value and the digital signature into a standard storage structure in JSON format;
Step C1.3: the security domain submits the identity credibility configuration information to the alliance chain ledger and obtains its storage location.
6. The identity-credibility-based cross-domain identity authentication method according to claim 1, wherein: in the on-chain dynamic maintenance of identity credibility of step 3, after a user registers a digital identity in a security domain, the security domain generates the identity credibility state information of the digital identity according to the previously published identity credibility evaluation standard, and stores one or more identity credibility state records in the alliance chain ledger using the standard storage mode or the compact storage mode;
The specific implementation comprises the following substeps:
Step C2.1: the security domain generates the ciphertext of the user's identity credibility and the corresponding zero-knowledge range proof record, forms the encrypted storage structure of the standard storage mode or the compact storage structure of the compact storage mode, and submits it to the alliance chain ledger;
Step C2.2: in the standard storage mode, the alliance chain ledger verifies the digital signature and the range proof in the encrypted storage structure; in the compact storage mode, the alliance chain ledger verifies the Merkle hash tree root and the aggregated range proof in the compact storage structure.
7. A cross-domain identity authentication system based on identity credibility, characterized in that: the system comprises a unique identity identification authorization module, a privacy protection module based on homomorphic encryption and zero-knowledge range proof, and an alliance-chain-based identity credibility management and sharing module;
The unique identity identification authorization module is used for converting the digital identity of the user into a publicly verifiable unique identity, thereby binding the digital identity to the identity credibility;
The authoritative identity source organization verifies the identity information provided by the user, submits a digest of the legitimate identity information to the alliance chain ledger, and distributes a key and an identity dynamic identification credential generation application to the user; the user registers the digital identity using the identity dynamic identification credential, providing a verifiable dynamic identity credential;
The privacy protection module based on homomorphic encryption and zero-knowledge range proof is used for encrypting and verifying the identity credibility records publicly stored in the alliance chain ledger;
After the user registers digital identities using the unique identity, the identity authentication service distributes a homomorphic encryption key for each digital identity; when an identity credibility record corresponding to a digital identity is generated, the identity authentication service generates the corresponding homomorphic encryption ciphertext and zero-knowledge range proof as verification information for the validity of the data;
The alliance-chain-based identity credibility management and sharing module is used for identity credibility configuration information management, on-chain dynamic maintenance of identity credibility, and verifiable comparison of identity credibility;
The alliance chain serves as a publicly verifiable storage medium and a trusted chain code execution environment, ensuring that the identity credibility information in the public ledger is not tampered with and that the functions defined by the chain code are executed honestly;
In the verifiable comparison of identity credibility, the security domain receiving the cross-domain identity credential selects a suitable minimum identity credibility threshold according to the identity credibility evaluation standard published in advance by the security domain providing the identity; under the supervision of the alliance chain code acting as a trusted third party, it determines whether the identity credibility of the cross-domain identity credential meets the minimum requirement of its own domain, thereby deciding whether to pass the cross-domain identity authentication request;
The system specifically comprises the following submodules:
Module C3.1: the user requests to use a digital identity in the existing local security domain to pass the identity authentication of the external security domain;
Module C3.2: the external security domain selects a suitable minimum identity credibility threshold according to the identity credibility evaluation standard published in advance in the alliance chain ledger by the local security domain, and applies to the alliance chain code for a ciphertext proof of the comparison parameters;
Module C3.3: the local security domain applies to the alliance chain code for a ciphertext proof of the user's identity credibility, according to the alliance chain ledger record of the user's identity credibility;
Module C3.4: the external security domain provides the comparison parameters and the corresponding ciphertext proof to the local security domain;
Module C3.5: the local security domain uses the comparison parameters provided by the external security domain and its own parameters to compute the intermediate results and the verification information;
Module C3.6: the external security domain obtains the result of comparing the identity credibility with the threshold from the intermediate results, uses the verification information to judge the authenticity of the comparison result, and submits the comparison log to the alliance chain ledger.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the identity-credibility-based cross-domain identity authentication method of any one of claims 1 to 6.
CN202211498448.1A 2022-11-28 2022-11-28 Cross-domain identity authentication method and system based on identity credibility and electronic equipment Active CN115883102B (en)
Publications (2)

Publication Number Publication Date
CN115883102A (en) 2023-03-31
CN115883102B (en) 2024-04-19