CN116633553A - Block chain based WPKI certificate management method for Internet of things - Google Patents


Publication number
CN116633553A
Authority
CN
China
Prior art keywords
certificate
server
blockchain
request
mobile terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310504500.8A
Other languages
Chinese (zh)
Inventor
李欣
李元正
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Guotai Netcom Technology Co ltd
Chengdu Guotai Wangxin Technology Co ltd
Original Assignee
Beijing Guotai Netcom Technology Co ltd
Chengdu Guotai Wangxin Technology Co ltd
Application filed by Beijing Guotai Netcom Technology Co ltd, Chengdu Guotai Wangxin Technology Co ltd
Priority to CN202310504500.8A
Publication of CN116633553A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a blockchain-based WPKI certificate management method for the Internet of Things. On the edge side of an Internet of Things communication network, close to the mobile terminals, edge computing servers are used as blockchain nodes to construct a blockchain network. All entities in the blockchain network are registered on the blockchain; the entities comprise a mobile terminal, a wireless application server, a wireless application gateway and a CA server. The mobile terminal, the wireless application server and the wireless application gateway apply to the CA server for certificates, and the certificates issued by the CA server and the certificate states are recorded on the chain based on a PBFT consensus mechanism. The mobile terminal, the wireless application server and the wireless application gateway store the certificate serial numbers and query certificates on the blockchain in order to carry out certificate verification, certificate use, certificate revocation and certificate status updating. The invention not only increases the security of certificate storage but also simplifies the management of WPKI certificates, and gives better performance for issuing, verifying and revoking certificates.

Description

Block chain based WPKI certificate management method for Internet of things
Technical Field
The invention relates to the technical field of certificate management of the Internet of things, in particular to a block chain-based WPKI certificate management method of the Internet of things.
Background
With the development of the Internet of Things and wireless network applications, the security of wireless transmission has attracted attention. How to provide confidentiality, integrity protection and identity authentication to both communicating parties over wireless links has become a focus of academia and industry. Conventional PKI provides security assurance for information transfer, but mobile devices have relatively weak CPU, computing power and bandwidth resources, so they struggle with the heavy computation of PKI encryption algorithms such as RSA and with the large storage space an X.509 certificate requires. The WAP Forum therefore proposed the WPKI specification in 2000, extending and supplementing the relevant content of PKI. WPKI, the "wireless public key infrastructure", is a standards-based key and certificate management platform that brings the PKI (Public Key Infrastructure) security mechanism of Internet e-commerce into the wireless network environment. It manages the public keys and digital certificates used in a mobile network environment, effectively establishing a secure and trusted wireless network environment. WPKI is not a completely new PKI standard; it is an optimized extension of traditional PKI technology applied to wireless environments. It employs optimized ECC elliptic curve encryption and compressed X.509 digital certificates. It also uses certificates to manage public keys and verifies the identity of the user through a trusted third-party authority, the certification authority (CA), thereby achieving secure transmission of information.
In recent years, wireless network applications, and the Internet of Things in particular, have been widely adopted. Wireless network applications are mainly applications related to mobile terminals, such as mobile phones and mobile handheld devices. On the wireless application side, data recently released by the Ministry of Industry and Information Technology show that, by the end of 2022, the total number of mobile communication base stations in China had reached 1083 ten thousand and the total number of mobile network terminals had reached 35.28 hundred million users, with mobile terminal applications spread across every aspect of social life. On the Internet of Things side, by the end of 2022 the number of mobile Internet of Things terminal users in China had reached 18.45 hundred million, an increase of 4.47 hundred million over the end of 2021, accounting for 70% of the world total. A pattern of coordinated development across narrowband Internet of Things, 4G and 5G networks has taken initial shape and is widely applied in public services, the Internet of Vehicles, smart retail, smart home and other fields, whose scales have reached 4.96 hundred million, 3.75 hundred million, 2.5 hundred million and 1.92 hundred million users respectively. However, the security problems of wireless networks and the Internet of Things are increasingly prominent. They are summarized in five general categories, including botnet attacks, national-level APT attacks, illegal data theft, attacks on intelligent connected vehicles, attacks on medical equipment security, and the like.
One main reason for these security problems is that, because development has been so fast, WPKI has not been fully deployed; the most important reason is that WPKI itself has problems. First, WPKI comprises two types of certificates: X.509v3 or X.509v4 certificates for the mobile terminal, and WTLS certificates for the WAP gateway and application server. The two types have their own issuance, use, verification and revocation mechanisms, so management is complex. Second, certificate management for both types is centralized: the CA not only has to issue a certificate for each terminal but also has to manage the certificates centrally, including certificate retrieval, status queries and so on. As the number of terminals grows, the centralized management mechanism produces performance bottlenecks that are difficult to overcome. Third, the CA of the WPKI is usually placed behind the WAP gateway, far from the wireless terminal, and every certificate application, certificate lookup or certificate status query has to pass through the WAP gateway, so access to the CA takes a long time. These problems greatly hinder the wide application of WPKI in wireless networks and have become an important cause of the security problems of wireless networks and the Internet of Things.
Blockchain technology is currently evolving quickly. In essence, a blockchain is a shared database: a distributed ledger technology built on a peer-to-peer network, characterized by distributed storage, decentralization, tamper resistance and traceability. These characteristics give blockchain technology a solid foundation of "trust". It is widely applied to data security, has become a better scheme for solving the traditional certificate revocation problem, and has produced many research results. Certcoin designed a completely decentralized PKI using the consistency provided by the Namecoin blockchain; Murat et al. proposed a new PKI architecture based on blockchain-based certificate transparency. In particular, Rabieh et al. use Bloom filters to reduce the size of CRLs, and Medury et al. use cuckoo filters to quickly verify revoked certificates and use the blockchain to publish the filters.
With the rapid development of wireless networks, mobile terminals, and the Internet of Things in particular, are widely used, and the advent of 5G networks has greatly accelerated this process. However, because 5G networks are more complex, the likelihood of network attacks increases substantially.
A typical 5G communication network is shown in fig. 1 and includes four layers. The bottommost layer is the access layer, in which a mobile terminal accesses the 5G network through a base station and in which an edge computing server is typically deployed. The intermediate layer is a carrier layer, which is not shown in fig. 1 to reduce complexity. The third layer is the 5G core network, where WAP gateways are typically deployed. The core network links to the external Internet, on which a wireless application service center and the trusted third-party CA of the WPKI are deployed. The mobile terminal accesses a wireless application server on the Internet and the CA server of the WPKI through the 5G network. In fig. 1, the dashed line represents the communication path from the mobile terminal through the WAP gateway to the wireless application; this path is long and the network technology along it is complex. To ensure the security of transmitted data, the identities of the entities on the transmission path must be authenticated, and the transmitted data must be protected from tampering and leakage. Currently, wireless application systems typically use trusted third-party WPKI certificates for entity authentication, with encryption and signing to ensure the confidentiality and integrity of data (see fig. 1). However, current WPKI certificate management has three problems.
Problem 1: WPKI has two types of certificates and is complex to manage. WPKI includes two classes of certificates: X.509v3 or X.509v4 certificates for mobile terminals, and WTLS certificates for the WAP gateway and application server. The two classes have their own mechanisms for issuing, using, verifying and revoking certificates, and are relatively complex to manage.
Problem 2: WPKI certificates are managed centrally, so the CA server is easy to attack and prone to performance bottlenecks. WPKI includes two classes of certificates: X.509v3 or X.509v4 certificates for mobile terminals, and WTLS certificates for the WAP gateway and application server. Issuance and revocation of both classes of certificates are handled centrally by the CA server. User queries for WPKI certificates and certificate status are also served centrally from the LDP database and the CRL list of the CA server. As the number of mobile terminals increases, such centralized management is not only vulnerable to network attacks but also prone to performance bottlenecks.
Problem 3: certificate access is costly in performance. As can be seen from fig. 1, the mobile terminal has to query the certificate and the certificate status at a CA server on the Internet, over a path that is long, technically complex and slow. In particular, as mobile applications become widespread, mobile terminals have more and more security requirements, and these performance problems seriously hamper the development of wireless applications.
Disclosure of Invention
To address the above defects in the prior art, the invention provides a blockchain-based WPKI certificate management method for the Internet of Things, in which the certificates issued and revoked by a CA server are stored on a blockchain located very close to the mobile terminal, and the mobile terminal, the WAP gateway, the wireless application server and so on retrieve WPKI certificates or certificate states from the blockchain. Because a blockchain is decentralized, transparent, traceable, resistant to tampering and forgery, secure for data and self-establishing of trust, this solves the problems that WPKI certificates are managed centrally and that the CA server is vulnerable to attack and to performance bottlenecks, and the mobile terminal's certificate access performance is very high.
In order to achieve the aim of the invention, the invention adopts the following technical scheme:
A blockchain-based WPKI certificate management method for the Internet of Things comprises the following steps:
S1, constructing a blockchain network by using edge computing servers as blockchain nodes on the edge side of an Internet of Things communication network, close to the mobile terminals;
S2, registering all entities in the blockchain network on the blockchain; the entities comprise a mobile terminal, a wireless application server, a wireless application gateway and a CA server;
S3, applying to the CA server for certificates by using the mobile terminal, the wireless application server and the wireless application gateway, and recording the certificates issued by the CA server and the certificate states on the chain based on a PBFT consensus mechanism;
S4, using the mobile terminal, the wireless application server and the wireless application gateway to store the certificate serial numbers and to query certificates on the blockchain, so as to carry out certificate verification, certificate use, certificate revocation and certificate status updating.
Optionally, registering all entities in the blockchain network on the blockchain in step S2 specifically includes:
generating, by the entity, a pair of public and private keys, and then signing and encrypting the public key by using the certificate of the blockchain;
sending, by the entity, the registration request together with the ciphertext of the public key and the signature to the blockchain;
decrypting, by the blockchain using its private key, the ciphertext of the public key and the signature, verifying the signature to obtain the public key of the entity, generating the address of the entity, and signing and encrypting the address of the entity by using the public key of the entity;
returning, by the blockchain, the ciphertext of the address and the signature to the entity;
decrypting, by the entity, the ciphertext of the address and the signature, and verifying the signature to obtain the address of the entity.
Optionally, applying to the CA server for a certificate by using the mobile terminal, the wireless application server and the wireless application gateway in step S3 specifically includes:
generating, by an entity that is the mobile terminal, the wireless application server or the wireless application gateway, a pair of public and private keys, and then signing and encrypting the public key by using the certificate of the CA server;
sending, by the entity, the certificate request together with the ciphertext of the public key and the signature to the CA server;
decrypting, by the CA server using its private key, the ciphertext of the public key and the signature, verifying the signature to obtain the public key of the entity, generating a certificate for the entity, and signing and encrypting the certificate of the entity by using the public key of the entity;
issuing, by the CA server, the certificate and the certificate state of the entity to the blockchain;
verifying, by the blockchain, the entity certificate, and signing and encrypting the certificate serial number by using the entity certificate;
returning, by the blockchain, the ciphertext of the certificate serial number and the signature to the entity;
decrypting, by the entity, the ciphertext of the certificate serial number and the signature, verifying the signature, obtaining the certificate serial number and storing it in the SIM.
Optionally, the certificates applied by the mobile terminal, the wireless application server and the wireless application gateway all adopt X.509 certificates, and the certificate structures comprise a version, a serial number, a signature algorithm identifier, a publisher name, a validity period, a subject name, a public key, a publisher ID, a subject ID, a signature algorithm and a signature.
Optionally, recording the certificate issued by the CA server and the certificate status on the chain based on the PBFT consensus mechanism in step S3 specifically includes:
sending, by the CA server, a REQUEST to the master node, and signing the REQUEST;
receiving, by the master node, the REQUEST of the CA server, and checking whether the signature of the request message <REQUEST, o, t, c> is correct; if the request is correct, the master node assigns a number n to order the requests of the CA server, and then broadcasts the message <<PRE-PREPARE, v, n, d>, cert> or <<PRE-PREPARE, v, n, d>, certs> to the other replica nodes; if the request is illegal, the request is discarded;
receiving, by a replica node, the PRE-PREPARE message of the master node, and checking: whether the signature of the PRE-PREPARE message is correct; whether the current replica node has already received a PRE-PREPARE with the same v and the same number n but a different signature; whether d is consistent with the digest of the message m; and whether n is within the interval [h, H]; if the request is correct, the replica node sends the message <PREPARE, v, n, d, i> to the other nodes; if the request is illegal, the request is discarded;
receiving, by the other nodes, the <PREPARE, v, n, d, i> message of the replica node, and checking: whether the signature of the <PREPARE, v, n, d, i> message is correct; whether the current replica node has received n under the same view v; whether n is within the interval [h, H]; and whether d is the same as the d in the PRE-PREPARE currently received; if the request is correct, judging whether the replica node has received 2f+1 PREPARE messages that passed verification and, if so, sending the message <COMMIT, v, n, d, i> to the other nodes, including the master node; if the request is illegal, the request is discarded;
receiving, by the other nodes, the COMMIT message, and verifying: whether the signature of the COMMIT message of the replica node is correct; whether the current replica node has received n under the same view v; whether d is consistent with the digest of m; and whether n is within the interval [h, H]; if the request is correct, judging whether replica node i has received 2f+1 COMMIT messages that passed verification and, if so, executing the requested operation o of the CA and returning <REPLY, v, t, c, i, r> to the CA; if the request is illegal, the request is discarded.
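The replica-side checks in the PBFT steps above can be expressed in code as follows. This is an added example, not code from the patent: the `Replica` class, the `sign` helper and the per-node keys are hypothetical, and an HMAC stands in for the node signatures the patent calls for.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed per-node keys for a 4-node network (f = 1, 3f + 1 = 4).
# Assumption: HMAC replaces the certificate-based signatures of the patent.
KEYS = {i: f"node-{i}-demo-key".encode() for i in range(4)}


def digest(m: bytes) -> str:
    """d in the messages: digest of the request body m."""
    return hashlib.sha256(m).hexdigest()


def sign(sender: int, *fields) -> str:
    body = "|".join(map(str, fields)).encode()
    return hmac.new(KEYS[sender], body, hashlib.sha256).hexdigest()


class Replica:
    def __init__(self, node_id: int, f: int, view: int = 0, h: int = 0, H: int = 100):
        self.id, self.f, self.view, self.h, self.H = node_id, f, view, h, H
        self.accepted = {}                # (v, n) -> d accepted from PRE-PREPARE
        self.requests = {}                # d -> request body m
        self.prepares = defaultdict(set)  # (v, n, d) -> sender ids
        self.commits = defaultdict(set)   # (v, n, d) -> sender ids
        self.sent_commit = set()
        self.executed = []                # (n, m) pairs that reached commit quorum

    def _common(self, kind, v, n, d, sender, sig) -> bool:
        # Checks shared by all phases: signature, view, and n within [h, H].
        ok_sig = hmac.compare_digest(sig, sign(sender, kind, v, n, d))
        return ok_sig and v == self.view and self.h <= n <= self.H

    def on_pre_prepare(self, v, n, d, m, primary, sig):
        if not self._common("PRE-PREPARE", v, n, d, primary, sig):
            return None
        if d != digest(m):                      # d must match the digest of m
            return None
        if self.accepted.get((v, n), d) != d:   # same (v, n) already bound elsewhere
            return None
        self.accepted[(v, n)] = d
        self.requests[d] = m
        self.prepares[(v, n, d)].add(self.id)
        return ("PREPARE", v, n, d, self.id, sign(self.id, "PREPARE", v, n, d))

    def on_prepare(self, v, n, d, i, sig):
        if not self._common("PREPARE", v, n, d, i, sig):
            return None
        if self.accepted.get((v, n)) != d:      # must match the PRE-PREPARE we hold
            return None
        self.prepares[(v, n, d)].add(i)         # a set, so replays do not add votes
        quorum = len(self.prepares[(v, n, d)]) >= 2 * self.f + 1
        if quorum and (v, n) not in self.sent_commit:
            self.sent_commit.add((v, n))
            self.commits[(v, n, d)].add(self.id)
            return ("COMMIT", v, n, d, self.id, sign(self.id, "COMMIT", v, n, d))
        return None

    def on_commit(self, v, n, d, i, sig) -> bool:
        if not self._common("COMMIT", v, n, d, i, sig):
            return False
        if self.accepted.get((v, n)) != d:
            return False
        self.commits[(v, n, d)].add(i)
        done = any(seq == n for seq, _ in self.executed)
        if len(self.commits[(v, n, d)]) >= 2 * self.f + 1 and not done:
            self.executed.append((n, self.requests[d]))  # run operation o exactly once
            return True
        return False
```

Votes are kept in sets keyed by sender, so a replayed PREPARE or COMMIT from one node cannot reach the 2f+1 threshold on its own.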
Optionally, performing certificate verification and use in step S4 specifically includes:
acquiring, by a first mobile terminal, the certificate serial number of a second mobile terminal, and calling a retrieval contract interface to obtain the certificate and certificate state corresponding to the certificate serial number;
signing and encrypting, by the blockchain, the certificate and the certificate state;
returning, by the blockchain, the ciphertext of the certificate, the certificate state and the signature to the first mobile terminal;
decrypting, by the first mobile terminal, the ciphertext of the certificate, the certificate state and the signature, and verifying the signature to obtain the certificate and the certificate state of the second mobile terminal.
Optionally, performing certificate revocation in step S4 specifically includes:
signing and encrypting, by the first mobile terminal using the certificate issued by the CA server, the serial number of the certificate to be revoked;
sending, by the first mobile terminal, the certificate revocation request together with the ciphertext of the serial number of the certificate to be revoked and the signature to the CA server;
decrypting, by the CA server using its private key, the ciphertext of the certificate serial number and the signature, and verifying the signature to obtain the serial number of the certificate that the first mobile terminal needs to revoke;
calling, by the CA server, a certificate revocation contract interface to generate the latest revocation state of the certificate on the blockchain, and issuing the latest revocation state to the blockchain;
signing and encrypting, by the blockchain, the latest certificate revocation status;
returning, by the blockchain, the ciphertext of the latest certificate revocation status and the signature to the first mobile terminal;
decrypting, by the first mobile terminal, the ciphertext of the latest certificate revocation status and the signature, and verifying the signature to obtain the latest certificate revocation status.
Optionally, updating the certificate status in step S4 specifically includes:
calling, by the CA server, a certificate revocation contract interface to generate on the blockchain the latest revocation status of the certificate to be updated, and issuing the latest revocation status to the blockchain;
signing and encrypting, by the blockchain, the latest revocation status of the certificate to be updated;
returning, by the blockchain, the ciphertext of the latest revocation status of the certificate to be updated and the signature to the CA server;
decrypting, by the CA server, the ciphertext of the latest revocation status of the certificate to be updated and the signature, and verifying the signature to obtain the latest revocation status of the certificate to be updated.
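The verification, revocation and status-update flows above all come down to reading or appending certificate state by serial number. The following added example (not from the patent) models that with a hash-linked log; `CertLedger`, `check_peer`, the status strings and the sample values are assumptions, and the signing and encryption of each response is left out.

```python
import hashlib
import json

GENESIS = "0" * 64


def block_hash(index: int, prev: str, payload: dict) -> str:
    data = json.dumps({"index": index, "prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


class CertLedger:
    """Append-only log of certificates and status changes, linked by hash."""

    def __init__(self):
        self.blocks = []

    def _append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "payload": payload,
                            "hash": block_hash(index, prev, payload)})

    def issue(self, serial, subject, public_key, not_before, not_after) -> None:
        # The CA publishes the certificate and its initial state together.
        if self.lookup(serial)[0] is not None:
            raise ValueError("serial already issued")
        self._append({"type": "cert", "serial": serial, "subject": subject,
                      "public_key": public_key,
                      "not_before": not_before, "not_after": not_after})
        self._append({"type": "status", "serial": serial, "status": "valid"})

    def revoke(self, serial) -> None:
        # Revocation never edits history; it appends the latest state.
        cert, status = self.lookup(serial)
        if cert is None:
            raise KeyError(serial)
        if status != "revoked":
            self._append({"type": "status", "serial": serial, "status": "revoked"})

    def lookup(self, serial):
        """Return (certificate, latest status) for a serial, or (None, None)."""
        cert, status = None, None
        for block in self.blocks:
            p = block["payload"]
            if p["serial"] != serial:
                continue
            if p["type"] == "cert":
                cert = p
            else:
                status = p["status"]
        return cert, status

    def chain_intact(self) -> bool:
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            expected = block_hash(i, prev, b["payload"])
            if b["index"] != i or b["prev"] != prev or b["hash"] != expected:
                return False
            prev = b["hash"]
        return True


def check_peer(ledger: CertLedger, serial: str, now: int) -> str:
    """Decision of a terminal that holds only the peer's certificate serial number."""
    if not ledger.chain_intact():
        return "ledger-tampered"          # fail closed on any broken link
    cert, status = ledger.lookup(serial)
    if cert is None:
        return "unknown-serial"
    if status == "revoked":
        return "revoked"
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "expired"
    return "ok"
```

Every outcome other than "ok" is a reason to refuse the peer, including a serial number the ledger has never seen.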
The invention has the following beneficial effects:
The invention provides a blockchain-based WPKI certificate management method that merges the two types of certificates into one type for unified management, stores the certificates on the blockchain so that the mobile terminal stores only the serial number of its certificate, and designs blockchain-based mechanisms for certificate application, use, verification and revocation. This improves the security of certificate storage, simplifies the management of WPKI certificates, and gives good performance for issuing, verifying and revoking certificates, which can promote the wide application of the Internet of Things and wireless network applications.
Drawings
FIG. 1 is a schematic deployment diagram of a 5G wireless network communication network and a WPKI;
FIG. 2 is a schematic flow chart of a block chain based WPKI certificate management method of the Internet of things of the present invention;
FIG. 3 is a schematic diagram of a blockchain-based WPKI certificate management architecture in accordance with the present invention;
FIG. 4 is a schematic diagram of a mobile terminal registration process according to the present invention;
FIG. 5 is a schematic diagram of a registration process of a wireless application server according to the present invention;
FIG. 6 is a schematic diagram of a certificate application flow chart of the present invention;
FIG. 7 is a schematic flow chart of the PBFT consensus algorithm of the present invention;
FIG. 8 is a schematic diagram of a certificate verification and usage flow scheme of the present invention;
FIG. 9 is a schematic diagram of a certificate revocation flow of the present invention;
FIG. 10 is a schematic diagram of a certificate status update procedure according to the present invention.
Detailed Description
The following description of specific embodiments is provided to help those skilled in the art understand the invention. It should be understood that the invention is not limited to the scope of these embodiments; to those of ordinary skill in the art, all variations within the spirit and scope of the invention as defined by the appended claims, and all inventions that make use of the inventive concept, are protected.
As shown in fig. 2, the embodiment of the invention provides a blockchain-based WPKI certificate management method for the Internet of Things, which comprises the following steps S1 to S4:
S1, constructing a blockchain network by using edge computing servers as blockchain nodes on the edge side of an Internet of Things communication network, close to the mobile terminals;
In an optional embodiment of the present invention, the embodiment is based on edge computing technology: on the edge side of the Internet of Things communication network, close to the mobile terminals, edge computing servers are used as blockchain nodes, which produces a faster network service response and meets requirements for real-time service, application intelligence, security, privacy protection and the like.
The nodes deployed in this embodiment are relatively fixed. The administrative domain of the CA server is a security domain comprising n base stations and m access networks. The blockchain nodes are deployed on edge servers of the access networks, so the deployed nodes are less than m. If the security domain managed by the CA server is large, the number of deployed nodes m is relatively large; if the security domain is small, m is small.
The chain deployed in this embodiment is a consortium chain. Authorized nodes are allowed to join the network, and information can be viewed according to permissions.
The blockchain deployed in this embodiment runs the mature PBFT consensus protocol. The specific requirement on the nodes is that, assuming the number of failed nodes is f, the total number of service nodes is |R| = 3f+1, where f is the maximum number of replicas that may fail.
In this embodiment, the edge servers must have high performance. The more base stations and terminals an access network serves, the higher the performance required of the edge server acting as a blockchain node, because the retrieval of the certificates and certificate states of all terminals under the access network is done by the edge server.
The blockchain network constructed in this embodiment is shown in fig. 3, in which edge servers connected by solid lines constitute the blockchain network of this embodiment. A total of four entities are included, specifically defined as follows:
Blockchain: the blockchain, abbreviated as BC, is used for storing the various WPKI certificates and certificate states.
Wireless Application Server: the wireless application server, abbreviated as WAS, provides wireless application services for the mobile terminal.
Mobile Terminal: the mobile terminal, abbreviated as MT. It is the same concept as the mobile user in this solution.
Wireless Application Point Gateway: the wireless application gateway, abbreviated as WAP, provides the connection between mobile terminals and wireless application services.
S2. Registering all entities in the blockchain network on the blockchain; the entities comprise the mobile terminal, the wireless application server, the wireless application gateway and the CA server;
In an optional embodiment of the present invention, registering all entities in the blockchain network on the blockchain in step S2 specifically includes:
the entity generates a public/private key pair, and then signs and encrypts the public key by using the certificate of the blockchain;
the entity sends the registration request, together with the ciphertext of the public key and the signature, to the blockchain;
the blockchain decrypts the ciphertext of the public key and the signature with its private key, verifies the signature to obtain the public key of the entity, generates the address of the entity, and signs and encrypts the address by using the public key of the entity;
the blockchain returns the ciphertext of the address and the signature to the entity;
the entity decrypts the ciphertext of the address and the signature, and verifies the signature to obtain its address.
This embodiment first formally defines the relevant sets and smart contract interfaces involved in the blockchain network, as shown in Table 1.
TABLE 1
Definition 2.1 X.509 certificate. In this scheme, the certificates applied for by the WAP gateway, the WAS and the mobile terminal are all X.509 certificates, and the certificate structure is as follows.
Definition 2.2 CertificateState: certificate status. In this scheme, the status of a certificate is one of valid, revoked and unknown, denoted by valid, cancel and unknow, respectively.
Definition 2.3 C_Save(Cert): certificate storage contract interface. In this scheme, the function of C_Save() is to store the certificate Cert applied for by the WAP gateway, the WAS or the mobile terminal onto the blockchain. It has a single parameter, of type certificate. It returns true if execution succeeds and false otherwise.
Definition 2.4 CS_Save(CertificateSerialNumber, CertS): certificate status storage contract interface. In this scheme, the function of CS_Save() is to store the certificate status of the WAP gateway, the WAS or the mobile terminal onto the blockchain. It has two parameters: the first is a certificate serial number and the second is a certificate status. It returns true if execution succeeds and false otherwise.
Definition 2.5 C_Cancel(CertificateSerialNumber): certificate revocation contract interface. In this scheme, the function of C_Cancel() is to revoke the certificate whose serial number is CertificateSerialNumber. It has a single parameter, of type certificate serial number. It returns true if execution succeeds and false otherwise.
Definition 2.6 C_Search(CertificateSerialNumber): certificate retrieval contract interface. In this scheme, the function of C_Search() is to search the blockchain for the certificate whose serial number is CertificateSerialNumber. It has a single parameter, of type certificate serial number. It returns the certificate if execution succeeds and null otherwise.
Definition 2.7 CS_Search(CertificateSerialNumber): certificate status retrieval contract interface. In this scheme, the function of CS_Search() is to search the blockchain for the status of the certificate whose serial number is CertificateSerialNumber. It has a single parameter, of type certificate serial number. It returns the certificate status if execution succeeds and null otherwise.
Next, the registration of entities on the blockchain in this embodiment is described. Implementing this embodiment first requires the relevant entities to register on the blockchain. Since all four types of entity (MT, WAP, WAS and CA) need to operate on the blockchain, they all have to register on it.
Fig. 4 shows the registration flow of the MT on the blockchain, i.e., the blockchain creating an MT user. The confidentiality and integrity of the information are guaranteed during registration, which comprises five steps:
(1) The MT generates a public/private key pair (K_pubMT, K_priMT) with Kgen(), then uses the certificate Cert_BC of Blockchain to encrypt and sign K_pubMT.
(2) The MT sends the registration request, together with the ciphertext of the public key and the signature, to Blockchain.
(3) Blockchain decrypts with its private key and verifies the signature to obtain the public key K_pubMT of the MT, then generates the account address Addr of the MT with age (). It then uses the MT's public key K_pubMT to sign and encrypt Addr.
(4) Blockchain returns the signed and encrypted Addr to the MT.
(5) The MT decrypts and verifies the signature to obtain Addr.
The registration procedure of the WAP gateway is the same as that of the MT and is not repeated here. The registration of the WAS and the CA server is identical to that of the MT, except that the messages are forwarded through the WAP gateway, as shown in fig. 5. The flow is not described again in detail.
S3. The mobile terminal, the wireless application server and the wireless application gateway apply to the CA server for certificates, and the certificates and certificate statuses issued by the CA server are put on the chain based on the PBFT consensus mechanism;
In an optional embodiment of the present invention, applying to the CA server for certificates by the mobile terminal, the wireless application server and the wireless application gateway in step S3 specifically includes:
the entity (the mobile terminal, the wireless application server or the wireless application gateway) generates a public/private key pair, and then signs and encrypts the public key by using the certificate of the CA server;
the entity sends the certificate request, together with the ciphertext of the public key and the signature, to the CA server;
the CA server decrypts the ciphertext of the public key and the signature with its private key, verifies the signature to obtain the public key of the entity, generates the certificate of the entity, and signs and encrypts the certificate by using the public key of the entity;
the CA server issues the certificate and the certificate status of the entity to the blockchain;
the blockchain verifies the entity certificate, and signs and encrypts the certificate serial number by using the entity certificate;
the blockchain returns the ciphertext of the certificate serial number and the signature to the entity;
the entity decrypts the ciphertext of the certificate serial number and the signature, verifies the signature, obtains the certificate serial number and stores it in the SIM.
The certificates applied for by the mobile terminal, the wireless application server and the wireless application gateway are all X.509 certificates, and the certificate structure comprises a version, a serial number, a signature algorithm identifier, an issuer name, a validity period, a subject name, a public key, an issuer ID, a subject ID, a signature algorithm and a signature.
In step S3, putting the certificates and certificate statuses issued by the CA server on the chain based on the PBFT consensus mechanism specifically includes:
the CA server sends a REQUEST to the master node and signs the REQUEST;
the master node receives the REQUEST of the CA server and checks whether the signature of the request message <REQUEST, o, t, c> is correct; if the request is correct, the master node allocates a number that orders the requests of the CA server, and then broadcasts a message <<PRE-PREPARE, v, n, d>, Cert> or <<PRE-PREPARE, v, n, d>, CertS> to the other replica nodes; if the request is illegal, it is discarded;
the replica node receives the PRE-PREPARE message of the master node and checks: whether the signature of the PRE-PREPARE message is correct; whether the current replica node has already received a PRE-PREPARE with the same v and the same number n but a different signature; whether d is consistent with the digest of the message m; and whether n is within the interval [h, H]; if the request is correct, the replica node sends a message <PREPARE, v, n, d, i> to the other nodes; if the request is illegal, it is discarded;
the other nodes receive the <PREPARE, v, n, d, i> message of the replica node and check: whether the signature of the <PREPARE, v, n, d, i> message is correct; whether the current replica node has received n under the same view v; whether n is within the interval [h, H]; and whether d is the same as d in the PRE-PREPARE currently received; if the request is correct, it is judged whether the replica node has received 2f+1 verified PREPARE messages, and if so, it sends a message <COMMIT, v, n, d, i> to the other nodes, including the master node; otherwise it does not; if the request is illegal, it is discarded;
the other nodes receive the COMMIT message and check: whether the signature of the replica node's COMMIT message is correct; whether the current replica node has received n under the same view v; whether d is consistent with the digest of m; and whether n is within the interval [h, H]; if the request is correct, it is judged whether replica node i has received 2f+1 verified COMMIT messages, and if so, it runs the request operation o of the CA and returns <REPLY, v, t, c, i, r> to the CA; otherwise it does not; if the request is illegal, it is discarded.
Specifically, in this embodiment, the MT, the WAP gateway and the WAS all need to apply to the CA for certificates, and their application flows are the same. Take the MT's certificate application as an example, and assume that a mobile terminal MT is to apply to the CA for a certificate.
The implementation flow is shown in fig. 6 and comprises the following steps:
(1) The MT generates a public/private key pair (K_pubMT, K_priMT) with Kgen(), then uses the certificate Cert_CA of the CA to sign and encrypt K_pubMT.
(2) The MT sends the certificate request, together with the ciphertext of the public key and the signature, to the CA server.
(3) The CA server decrypts with its private key and verifies the signature to obtain the public key K_pubMT of the MT, then generates the certificate Cert_MT of the MT with CertGen(). It then uses the MT's public key K_pubMT to sign and encrypt Cert_MT.
(4) The CA server publishes Cert_MT and CertS_MT to Blockchain.
(5) Blockchain verifies the certificate Cert_MT, and uses Cert_MT to sign and encrypt the CertificateSerialNumber.
(6) Blockchain returns the ciphertext of the CertificateSerialNumber and the signature to the MT.
(7) The MT decrypts the ciphertext and verifies the signature, then saves the certificate serial number CertificateSerialNumber to its own SIM.
The four entities involved in this embodiment (the WAP gateway, the WAS, the MT and the CA) all need to interact with the blockchain. However, the WAP gateway, the WAS and the MT only perform query operations on the blockchain; they do not change data on the chain and so do not raise the problem of putting data on the chain. Both the certificates issued by the CA and the certificate statuses do need to be put on the chain. This embodiment therefore next describes the consensus process that runs when the CA puts a certificate or a certificate status on the chain.
PBFT, whose interaction is shown in fig. 7, is a state machine replication algorithm: the service is modeled as a state machine that is replicated on different nodes of the distributed system. Each state machine replica saves the state of the service and also implements the operations of the service. The set of all replicas is denoted by a capital R, and each replica is identified by an integer from 0 to |R|-1. For convenience of description, it is generally assumed that the number of failed nodes is f and the total number of service nodes is |R| = 3f + 1, where f is the maximum number of replicas that may fail. Although there may be more than 3f+1 replicas, the additional replicas do not improve reliability and only degrade performance. All replicas operate in a rotation of configurations called views. In a given view, one replica serves as the master node (primary) and the other replicas serve as backup nodes (backup). Views are numbered with consecutive integers. The master node is calculated from the formula p = v mod |R|, where v is the view number, p is the replica number, and |R| is the number of replicas in the set. The view rotation process is started when the master node fails.
In this embodiment, the certificates issued by the CA and the statuses of the certificates need to be put on the chain. The flow for putting the CA's certificates and certificate statuses on the chain with the PBFT consensus algorithm is as follows:
(1) REQUEST. The CA sends a "certificate or certificate status on-chain request" <REQUEST, o, t, c> to the master node p, where o is the specific operation of the request, t is the timestamp appended by the client at the time of the request, and c is the CA identity. The request contains the message content Cert or CertS and the message digest d(Cert) or d(CertS). The CA signs the request.
(2) PRE-PREPARE. The master node receives the request of the CA and checks whether the signature of the CA's request message is correct. An illegal request is discarded. For a correct request, the master node allocates a number n, which is mainly used to order the CA's requests. It then broadcasts the pre-prepare message <<PRE-PREPARE, v, n, d>, Cert> or <<PRE-PREPARE, v, n, d>, CertS> to the other replica nodes. Here v is the view number and d is d(Cert) or d(CertS); the message content of <<PRE-PREPARE, v, n, d>, Cert> is the certificate Cert, and the message content of <<PRE-PREPARE, v, n, d>, CertS> is the certificate status CertS. The master node signs <PRE-PREPARE, v, n, d>; PRE-PREPARE denotes the master node's pre-preparation phase. n must lie within the interval [h, H], where h is equal to the number of the last stable checkpoint and H = h + L, where L is a specified value equal to an integer multiple of K, the number of requests processed per checkpoint period, and may be set to L = 2K.
(3) PREPARE. Replica node i receives the PRE-PREPARE message of the master node and checks whether the signature of the master node's PRE-PREPARE message is correct; then whether the current replica node has already received a PRE-PREPARE with the same v and the same number n but a different signature; and finally whether d is consistent with the digest of the message m and whether n is within the interval [h, H]. An illegal request is discarded. If the request is correct, replica node i sends a message <PREPARE, v, n, d, i> to the other nodes, including the master node, where v, n, d and m are the same as in the PRE-PREPARE message and i is the number of the current replica node. Replica node i signs <PREPARE, v, n, d, i>. The PRE-PREPARE and PREPARE messages are recorded in the log, for use in recovering unfinished request operations during a view rotation. If a view rotation occurs during the PREPARE phase, the request in the PREPARE phase is discarded.
(4) COMMIT. The master node and the replica nodes receive the "node ready message" PREPARE and perform the following checks: whether the signature of the replica node's PREPARE message is correct; whether the current replica node has received n under the same view v; whether n is within the interval [h, H]; and whether d is the same as d in the PRE-PREPARE currently received. An illegal request is discarded. If replica node i has received 2f+1 verified PREPARE messages, indicating that most nodes in the network have received the agreement information, it sends a <COMMIT, v, n, d, i> message to the other nodes, including the master node, where v, n, d and i are the same as in the PREPARE message. Replica node i signs <COMMIT, v, n, d, i>. The COMMIT message is recorded in the log, for use in recovering unfinished request operations during a view rotation, and the PREPARE messages sent by the other replica nodes are also recorded in the log. The COMMIT phase ensures that most nodes in the network have received enough information to reach agreement. If a view rotation occurs during the COMMIT phase, the original request of the COMMIT phase is preserved, so that it does not fail to reach consensus and its request number is not lost.
(5) REPLY. The master node and the replica nodes receive the COMMIT and check: whether the signature of the replica node's COMMIT message is correct; whether the current replica node has received n under the same view v; whether d is consistent with the digest of m; and whether n is within the interval [h, H]. An illegal request is discarded. If replica node i has received 2f+1 verified COMMIT messages, indicating that most nodes in the current network have reached consensus, it runs the request operation o of the CA and returns <REPLY, v, t, c, i, r> to the CA, r: and if the client receives f+1 identical REPLY messages, this indicates that the request initiated by the CA has reached network-wide consensus; otherwise, the CA needs to decide whether to resend the request to the master node. The COMMIT messages sent by the other replica nodes are recorded in the log.
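The checks in steps (1) to (5) can be exercised with a small simulation. The following Python is an added example, not code from the patent: the Replica class, the uplink() driver, the HMAC keys standing in for the nodes' signatures and the sample certificate content are constructed for illustration. It assumes that the accepted PRE-PREPARE counts as the master's vote toward the 2f+1 PREPARE quorum; view rotation and checkpoints are not modelled.

```python
import ast, hashlib, hmac
from dataclasses import dataclass, field

# Constructed MAC keys: a standard-library stand-in for the nodes' public-key signatures.
KEYS = {i: f"demo-key-{i}".encode() for i in (0, 1, 2, 3, "CA")}

def digest(m: bytes) -> str:
    return hashlib.sha256(m).hexdigest()

def sign(who, *fields) -> str:
    return hmac.new(KEYS[who], repr(fields).encode(), hashlib.sha256).hexdigest()

def verify(who, sig, *fields) -> bool:
    return who in KEYS and hmac.compare_digest(sig, sign(who, *fields))

@dataclass
class Replica:
    i: int                                      # replica number, 0 .. |R|-1
    size: int                                   # |R| = 3f + 1
    view: int = 0                               # current view v
    h: int = 0                                  # number of the last stable checkpoint
    L: int = 200                                # window length, so H = h + L
    slots: dict = field(default_factory=dict)   # (v, n) -> state of one request
    ledger: list = field(default_factory=list)  # operations executed after consensus

    @property
    def quorum(self) -> int:
        return 2 * ((self.size - 1) // 3) + 1   # 2f + 1

    def _in_view_and_window(self, v, n) -> bool:
        return v == self.view and self.h <= n <= self.h + self.L

    def on_pre_prepare(self, v, n, d, m, sig):
        p = v % self.size                       # master node: p = v mod |R|
        if not (self._in_view_and_window(v, n) and verify(p, sig, "PRE-PREPARE", v, n, d)):
            return None
        if digest(m) != d or (v, n) in self.slots:
            return None                         # bad digest, or (v, n) already bound to a request
        # Assumption: the accepted PRE-PREPARE counts as the master's vote in the PREPARE quorum.
        self.slots[(v, n)] = {"d": d, "m": m, "prepares": {p, self.i},
                              "commits": set(), "done": False}
        if self.i == p:
            return None                         # the master does not send PREPARE
        return ("PREPARE", v, n, d, self.i, sign(self.i, "PREPARE", v, n, d, self.i))

    def _slot(self, kind, v, n, d, j, sig):
        s = self.slots.get((v, n))
        ok = (s is not None and self._in_view_and_window(v, n) and s["d"] == d
              and verify(j, sig, kind, v, n, d, j))
        return s if ok else None

    def on_prepare(self, v, n, d, j, sig):
        s = self._slot("PREPARE", v, n, d, j, sig)
        if s is None:
            return None
        before = len(s["prepares"])
        s["prepares"].add(j)
        if before < self.quorum <= len(s["prepares"]):   # quorum reached by this message
            s["commits"].add(self.i)
            return ("COMMIT", v, n, d, self.i, sign(self.i, "COMMIT", v, n, d, self.i))
        return None

    def on_commit(self, v, n, d, j, sig):
        s = self._slot("COMMIT", v, n, d, j, sig)
        if s is None:
            return None
        s["commits"].add(j)
        if s["done"] or self.i not in s["commits"] or len(s["commits"]) < self.quorum:
            return None
        s["done"] = True
        o, t, c, content = ast.literal_eval(s["m"].decode())
        self.ledger.append((o, content))        # run the CA's request operation o
        return ("REPLY", v, t, c, self.i, True)

def uplink(replicas, o, content, t, n, silent=(), forged_digest=None, req_sig=None):
    """One REQUEST..REPLY round; True when the CA collects f+1 identical REPLY results."""
    size = len(replicas)
    v = replicas[0].view
    p = v % size
    m = repr((o, t, "CA", content)).encode()
    req_sig = req_sig or sign("CA", "REQUEST", o, t, "CA", digest(m))
    if not verify("CA", req_sig, "REQUEST", o, t, "CA", digest(m)):
        return False                            # master discards a request with a bad CA signature
    d = forged_digest or digest(m)
    live = [r for r in replicas if r.i not in silent]
    pp_sig = sign(p, "PRE-PREPARE", v, n, d)
    prepares = [x for r in live if (x := r.on_pre_prepare(v, n, d, m, pp_sig))]
    commits = [x for msg in prepares for r in live if (x := r.on_prepare(*msg[1:]))]
    replies = [x for msg in commits for r in live if (x := r.on_commit(*msg[1:]))]
    return sum(1 for rep in replies if rep[5] is True) >= (size - 1) // 3 + 1

def new_network(size=4):
    return [Replica(i, size) for i in range(size)]
```

With |R| = 4 (f = 1), one silent backup still lets the request commit, while two silent backups, a digest that does not match the content, or a number n outside [h, H] leave every ledger unchanged.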
S4. The mobile terminal, the wireless application server and the wireless application gateway store certificate serial numbers and query certificates on the blockchain, so as to carry out certificate verification, certificate use, certificate revocation and certificate status updating.
In an alternative embodiment of the present invention, performing certificate verification and use in step S4 specifically includes:
the first mobile terminal acquires the certificate serial number of a second mobile terminal and calls the retrieval contract interfaces to acquire the certificate and certificate status corresponding to that serial number;
the blockchain signs and encrypts the certificate and the certificate status;
the blockchain returns the ciphertext of the certificate, the certificate status and the signature to the first mobile terminal;
the first mobile terminal decrypts the ciphertext of the certificate, the certificate status and the signature, and verifies the signature to obtain the certificate and certificate status of the second mobile terminal.
The certificate revocation in step S4 specifically includes:
the first mobile terminal signs and encrypts the certificate serial number to be revoked by using the certificate issued by the CA server;
the first mobile terminal sends the certificate revocation request, together with the ciphertext of the certificate serial number to be revoked and the signature, to the CA server;
the CA server decrypts the ciphertext of the certificate serial number and the signature with its private key, and verifies the signature to obtain the certificate serial number that the first mobile terminal needs revoked;
the CA server calls the certificate revocation contract interface to generate the latest revocation status of the certificate on the blockchain and issues it to the blockchain;
the blockchain signs and encrypts the latest certificate revocation status;
the blockchain returns the ciphertext of the latest certificate revocation status and the signature to the first mobile terminal;
the first mobile terminal decrypts the ciphertext of the latest certificate revocation status and the signature, and verifies the signature to obtain the latest certificate revocation status.
The updating of the certificate status in step S4 specifically includes:
the CA server calls the certificate revocation contract interface to generate, on the blockchain, the latest revocation status of the certificate to be updated, and issues it to the blockchain;
the blockchain signs and encrypts the latest revocation status of the certificate to be updated;
the blockchain returns the ciphertext of the latest revocation status of the certificate to be updated and the signature to the CA server;
the CA server decrypts the ciphertext of the latest revocation status of the certificate to be updated and the signature, and verifies the signature to obtain the latest revocation status of the certificate to be updated.
Specifically, in this embodiment, it is assumed that a mobile terminal A is to verify and use the certificate of another mobile terminal B. B sends its own certificate serial number CertificateSerialNumber_B to A, and A verifies and uses the certificate. The specific flow is shown in fig. 8.
The flow illustrated in fig. 8 ensures the confidentiality and integrity of the information and includes the following steps:
(1) The MT calls the CS_Search() and C_Search() contract interfaces to obtain the certificate status and certificate corresponding to CertificateSerialNumber_B.
(2) Blockchain signs and encrypts the certificate status and the certificate.
(3) Blockchain returns the ciphertext to the MT.
(4) The MT decrypts and verifies the certificate status and certificate to obtain CertS_B and Cert_B.
In this embodiment, if sensing terminal A leaks its private key, the certificate Cert_A of sensing terminal A needs to be revoked. The implementation flow of this embodiment is shown in fig. 9. As can be seen from fig. 9, the revocation procedure of the lightweight certificate comprises the following steps:
(1) Mobile terminal A uses the certificate Cert_CA of the CA to sign and encrypt the certificate serial number CertificateSerialNumber_A to be revoked.
(2) Mobile terminal A sends the certificate revocation request, together with the encrypted certificate serial number CertificateSerialNumber_A to be revoked, to the CA server.
(3) The CA server decrypts and verifies with its private key to obtain the certificate serial number that mobile terminal A wants revoked.
(4) The CA server calls the C_Cancel(CertificateSerialNumber_A) contract interface to generate the latest revocation status of the certificate on the blockchain and issues it to the blockchain.
(5) Blockchain signs and encrypts the latest certificate revocation status CertS.
(6) Blockchain encrypts the latest certificate revocation status CertS together with the signature and returns them to mobile terminal A.
(7) Mobile terminal A decrypts E(CertS, K_priBC) and verifies Sign(CertS, K_priBC), obtaining the latest revocation status information of the certificate.
Since this embodiment stores the certificate status in the blockchain, updating the certificate status requires the CA to perform an update operation on the blockchain. When issuing a certificate, the CA saves the validity period of the certificate, and once the validity period has passed, the CA immediately calls the certificate revocation contract interface to update the status of the certificate. The specific flow is shown in fig. 10.
As can be seen from fig. 10, the revocation procedure of the lightweight certificate includes the following steps:
(1) The CA server calls the C_Cancel(CertificateSerialNumber_A) contract interface to generate the latest revocation status of the certificate on the blockchain and issues it to the blockchain.
(2) Blockchain signs and encrypts the latest certificate revocation status CertS.
(3) Blockchain encrypts the latest certificate revocation status CertS together with the signature and returns them to the CA.
(4) The CA decrypts E(CertS, K_priBC) and verifies Sign(CertS, K_priBC), obtaining the latest revocation status information of the certificate.
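The contract interfaces of Definitions 2.2 to 2.7 and the verification, revocation and status-update flows of figs. 8 to 10, as an added Python example that is not the patent's own code. The Chain class is an in-memory stand-in for the blockchain; the Cert fields, the integer timestamps, the helper names and the rule that a cancel state is final are assumptions, and the signing and encryption of each message is omitted.

```python
from dataclasses import dataclass

# CertificateState values as named in Definition 2.2.
VALID, CANCEL, UNKNOW = "valid", "cancel", "unknow"

@dataclass(frozen=True)
class Cert:
    serial: str        # CertificateSerialNumber
    subject: str
    public_key: str
    not_after: int     # end of the validity period (constructed integer timestamp)

class Chain:
    """In-memory stand-in for the contract interfaces of Definitions 2.3 to 2.7."""

    def __init__(self):
        self._certs = {}     # serial -> Cert
        self._status = {}    # serial -> append-only history of states

    def C_Save(self, cert) -> bool:
        if cert.serial in self._certs:
            return False                      # a serial number is bound to one certificate
        self._certs[cert.serial] = cert
        return True

    def CS_Save(self, serial, state) -> bool:
        if serial not in self._certs or state not in (VALID, CANCEL, UNKNOW):
            return False
        history = self._status.setdefault(serial, [])
        if history and history[-1] == CANCEL:
            return False                      # assumption: a revoked certificate stays revoked
        history.append(state)
        return True

    def C_Cancel(self, serial) -> bool:
        return self.CS_Save(serial, CANCEL)

    def C_Search(self, serial):
        return self._certs.get(serial)        # None plays the role of null

    def CS_Search(self, serial):
        history = self._status.get(serial)
        return history[-1] if history else None

def ca_issue(chain, cert) -> bool:
    """CA side of certificate application: publish the certificate and its status."""
    return chain.C_Save(cert) and chain.CS_Save(cert.serial, VALID)

def ca_expire_sweep(chain, issued, now):
    """CA-side status update: cancel every still-valid certificate whose validity has passed."""
    return [c.serial for c in issued
            if c.not_after < now
            and chain.CS_Search(c.serial) == VALID
            and chain.C_Cancel(c.serial)]

def relying_party_check(chain, serial, now):
    """Terminal A checking terminal B's serial number: fail closed on anything but valid."""
    status = chain.CS_Search(serial)
    cert = chain.C_Search(serial)
    if status != VALID or cert is None or cert.not_after < now:
        return None                           # revoked, unknown, missing or out of date
    return cert
```

The relying party treats a null or unknow status exactly like cancel, so a missing status record never results in a certificate being accepted.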
The blockchain-based WPKI certificate management method has the following three characteristics.
(1) Security. The security of the scheme is expressed in two aspects. First, the information transmitted among the mobile terminal, the WAP gateway, the WAS and the CA is protected for confidentiality and integrity. Second, in the scheme, the mobile terminal, the WAP gateway, the WAS and the CA perform identity authentication before communicating, and only once identity authentication has passed can the lightweight certificate be applied for, verified and revoked, which ensures identity security.
(2) Reliability. First, the certificate is issued by a third-party authentication center, the CA, which is a highly trusted center. Second, certificates and certificate states are stored and managed on a blockchain, which is essentially a distributed database in which all nodes jointly participate in data verification, storage and maintenance; the data is generated and stored in blocks and linked in time order into a chain data structure. The blockchain is a new collaboration paradigm, built with a consensus mechanism and network communication, that resists tampering and forgery, and has the characteristics of decentralization, immutability, full-process record keeping, traceability, collective maintenance, openness and transparency. The scheme is therefore trustworthy.
(3) High efficiency. In general, a third-party trusted authentication center CA provides certificate services for a wide range of users and is not limited to sensing terminals. As the number of service objects increases, the efficiency of the CA in certificate application, verification and revocation gradually decreases, so more third-party trusted authentication centers need to be built to meet demand, but cross-authentication between different CAs is time-consuming. This scheme adopts blockchain technology deployed on the edge side, so the communication distance of the mobile terminal is short and the operation flow is simple, and the regionally centralized service mode reduces the performance bottleneck caused by centralized service. Efficiency is higher than that of conventional WPKI.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided only to facilitate understanding of the method and core ideas of the present invention. Those skilled in the art may vary the specific embodiments and the scope of application in accordance with the ideas of the present invention, so the content of this description should not be construed as limiting the present invention.
Those of ordinary skill in the art will recognize that the embodiments described herein are intended to help the reader understand the principles of the present invention, and it should be understood that the scope of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific modifications and combinations from the teachings of the present disclosure without departing from its spirit, and such modifications and combinations remain within the scope of the present disclosure.

Claims (8)

1. A blockchain-based WPKI certificate management method for the Internet of Things, characterized by comprising the following steps:
S1. constructing a blockchain network by using edge computing servers as blockchain nodes on the edge side of the Internet of Things communication network, close to the mobile terminals;
S2. registering all entities in the blockchain network on the blockchain; the entities comprise the mobile terminal, the wireless application server, the wireless application gateway and the CA server;
S3. applying to the CA server for certificates by the mobile terminal, the wireless application server and the wireless application gateway, and putting the certificates and certificate statuses issued by the CA server on the chain based on the PBFT consensus mechanism;
S4. storing certificate serial numbers and querying certificates on the blockchain by the mobile terminal, the wireless application server and the wireless application gateway, so as to carry out certificate verification, certificate use, certificate revocation and certificate status updating.
2. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein registering all entities in the blockchain network on the blockchain in step S2 specifically comprises:
the entity generating a pair of public and private keys, and then signing and encrypting the public key using the certificate of the blockchain;
the entity sending the registration request, the public key and the signed ciphertext to the blockchain;
the blockchain decrypting the public key and the signed ciphertext with the private key, verifying the signature to obtain the public key of the entity, generating the address of the entity, and signing and encrypting the address of the entity using the public key of the entity;
the blockchain returning the address and the signed ciphertext to the entity;
and the entity decrypting the address and the signed ciphertext, and verifying the signature to obtain the address of the entity.
3. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein the mobile terminal, the wireless application server and the wireless application gateway applying to the CA server for certificates in step S3 specifically comprises:
the entity, being the mobile terminal, the wireless application server or the wireless application gateway, generating a pair of public and private keys, and then signing and encrypting the public key using the certificate of the CA server;
the entity sending the certificate request, the public key and the signed ciphertext to the CA server;
the CA server decrypting the public key and the signed ciphertext with the private key, verifying the signature to obtain the public key of the entity, generating a certificate for the entity, and signing and encrypting the certificate of the entity using the public key of the entity;
the CA server issuing the certificate and the certificate status of the entity to the blockchain;
the blockchain verifying the certificate of the entity, and signing and encrypting the certificate serial number using the certificate of the entity;
the blockchain returning the certificate serial number and the signed ciphertext to the entity;
and the entity decrypting the certificate serial number and the signed ciphertext, verifying the signature, obtaining the certificate serial number and storing it in the SIM.
4. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1 or 3, wherein the certificates applied for by the mobile terminal, the wireless application server and the wireless application gateway are all X.509 certificates, and the certificate structure comprises a version, a serial number, a signature algorithm identifier, an issuer name, a validity period, a subject name, a public key, an issuer ID, a subject ID, a signature algorithm and a signature.
5. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein recording the certificates issued by the CA server and the certificate status on the blockchain based on a PBFT consensus mechanism in step S3 specifically comprises:
the CA server sending a REQUEST to the master node and signing the REQUEST;
the master node receiving the REQUEST of the CA server and checking whether the signature of the request message <REQUEST, o, t, c> is correct; if the request is correct, the master node allocates a number to order the requests of the CA server, and then broadcasts a message <<PRE-PREPARE, v, n, d>, cert> or <<PRE-PREPARE, v, n, d>, certs> to the other replica nodes; if the request is illegal, discarding the request;
the replica node receiving the PRE-PREPARE message of the master node and checking: whether the signature of the PRE-PREPARE message is correct; whether the current replica node has already received a PRE-PREPARE message with the same v and the same number n but a different signature; whether d is consistent with the digest of the message m; and whether n is within the interval [h, H]; if the request is correct, the replica node sends a message <PREPARE, v, n, d, i> to the other nodes; if the request is illegal, discarding the request;
the other nodes receiving the <PREPARE, v, n, d, i> message of the replica node and checking: whether the signature of the <PREPARE, v, n, d, i> message is correct; whether the current replica node has received n under the same view v; whether n is within the interval [h, H]; and whether d is the same as d in the PRE-PREPARE message currently received; if the request is correct, judging whether the replica node has received 2f+1 PREPARE messages that pass verification, and if so, sending a message <COMMIT, v, n, d, i> to the other nodes including the master node; otherwise, the method comprises the steps of; if the request is illegal, discarding the request;
the other nodes receiving the COMMIT message and checking: whether the signature of the COMMIT message of the replica node is correct; whether the current replica node has received n under the same view v; whether d is consistent with the digest of m; and whether n is within the interval [h, H]; if the request is correct, judging whether replica node i has received 2f+1 COMMIT messages that pass verification, and if so, executing the request operation o of the CA and returning <REPLY, v, t, c, i, r> to the CA; otherwise, the method comprises the steps of; if the request is illegal, discarding the request.
6. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein the certificate verification and use in step S4 specifically comprises:
the first mobile terminal acquiring the certificate serial number of a second mobile terminal, and calling a retrieval contract interface to acquire the certificate and the certificate status corresponding to the certificate serial number;
the blockchain signing and encrypting the certificate and the certificate status;
the blockchain returning the certificate and the ciphertext of the certificate status and the signature to the first mobile terminal;
and the first mobile terminal decrypting the certificate, the certificate status and the signed ciphertext, and verifying the signature to obtain the certificate and the certificate status of the second mobile terminal.
7. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein the certificate revocation in step S4 specifically comprises:
the first mobile terminal signing and encrypting the certificate serial number to be revoked using the certificate issued by the CA server;
the first mobile terminal sending a certificate revocation request, the certificate serial number to be revoked and the signed ciphertext to the CA server;
the CA server decrypting the certificate serial number and the signed ciphertext with a private key, and verifying the signature to obtain the certificate serial number that the first mobile terminal needs to revoke;
the CA server calling a certificate revocation contract interface to generate the latest revocation status of the certificate on the blockchain and issuing the latest revocation status to the blockchain;
the blockchain signing and encrypting the latest certificate revocation status;
the blockchain returning the latest certificate revocation status and the signed ciphertext to the first mobile terminal;
and the first mobile terminal decrypting the latest certificate revocation status and the signed ciphertext, and verifying the signature to obtain the latest certificate revocation status.
8. The blockchain-based WPKI certificate management method for the Internet of Things as claimed in claim 1, wherein the updating of the certificate status in step S4 specifically comprises:
the CA server calling a certificate revocation contract interface to generate the latest revocation status of the certificate to be updated on the blockchain, and issuing the latest revocation status to the blockchain;
the blockchain signing and encrypting the latest revocation status of the certificate to be updated;
the blockchain returning the latest revocation status of the certificate to be updated and the signed ciphertext to the CA server;
and the CA server decrypting the latest revocation status of the certificate to be updated and the signed ciphertext, and verifying the signature to obtain the latest revocation status of the certificate to be updated.
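The replica-side checks recited in claim 5, sketched as an added Python example that is not part of the patent text. An HMAC stands in for each node's signature, the "same v and n" conflict is detected by comparing digests, and the `Replica` class, its method names, the keys and the certificate record are assumptions constructed for illustration.

```python
import hashlib
import hmac

def digest(m: bytes) -> str:
    return hashlib.sha256(m).hexdigest()

def sign(key: bytes, *fields) -> str:
    # Assumption: an HMAC stands in for the node's digital signature.
    return hmac.new(key, repr(fields).encode(), hashlib.sha256).hexdigest()

class Replica:
    def __init__(self, keys, f, h, H, view=0):
        self.keys, self.f, self.h, self.H, self.view = keys, f, h, H, view
        self.accepted = {}   # (v, n) -> digest d of the accepted PRE-PREPARE
        self.votes = {"PREPARE": {}, "COMMIT": {}}   # phase -> (v, n, d) -> senders

    def _valid(self, sender, sig, v, n, *fields):
        key = self.keys.get(sender)   # then: signature, current view, n within [h, H]
        return (key is not None and hmac.compare_digest(sig, sign(key, *fields))
                and v == self.view and self.h <= n <= self.H)

    def on_pre_prepare(self, primary, v, n, d, m, sig):
        if not self._valid(primary, sig, v, n, "PRE-PREPARE", v, n, d):
            return False
        if d != digest(m):                      # d must be the digest of m
            return False
        if self.accepted.get((v, n), d) != d:   # same v and n, different content
            return False
        self.accepted[(v, n)] = d
        return True

    def on_vote(self, phase, sender, v, n, d, sig):
        """PREPARE or COMMIT from sender; True once 2f+1 verified messages agree."""
        if phase not in self.votes or not self._valid(sender, sig, v, n, phase, v, n, d, sender):
            return False
        if self.accepted.get((v, n)) != d:      # must match the accepted PRE-PREPARE
            return False
        senders = self.votes[phase].setdefault((v, n, d), set())
        senders.add(sender)                     # a set ignores duplicate votes
        return len(senders) >= 2 * self.f + 1

def demo():
    keys = {i: bytes([i + 1]) * 16 for i in range(4)}   # constructed keys: 4 nodes, f = 1
    r = Replica(keys, f=1, h=0, H=100)
    m = b"serial=01;status=valid"                        # constructed certificate record
    d = digest(m)
    ok = r.on_pre_prepare(0, 0, 7, d, m, sign(keys[0], "PRE-PREPARE", 0, 7, d))
    votes = [r.on_vote("PREPARE", i, 0, 7, d, sign(keys[i], "PREPARE", 0, 7, d, i)) for i in (1, 2, 3)]
    return ok, votes
```

With four nodes and f = 1, the third verified PREPARE reaches the 2f+1 threshold from the claim; a repeated vote from the same sender does not advance the count.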
CN202310504500.8A 2023-05-06 2023-05-06 Block chain based WPKI certificate management method for Internet of things Pending CN116633553A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310504500.8A CN116633553A (en) 2023-05-06 2023-05-06 Block chain based WPKI certificate management method for Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310504500.8A CN116633553A (en) 2023-05-06 2023-05-06 Block chain based WPKI certificate management method for Internet of things

Publications (1)

Publication Number Publication Date
CN116633553A (en) 2023-08-22

Family

ID=87640914

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310504500.8A Pending CN116633553A (en) 2023-05-06 2023-05-06 Block chain based WPKI certificate management method for Internet of things

Country Status (1)

Country Link
CN (1) CN116633553A (en)

Similar Documents

Publication Publication Date Title
EP3742696B1 (en) Identity management method, equipment, communication network, and storage medium
US11139951B2 (en) Blockchain system and data processing method for blockchain system
CN109196816B (en) Public key infrastructure using blockchains
US10027670B2 (en) Distributed authentication
US11032252B2 (en) Distributed authentication between network nodes
US7600123B2 (en) Certificate registration after issuance for secure communication
CN109714168B (en) Trusted remote attestation method, device and system
JP6285454B2 (en) Entity network translation (ENT)
KR101985179B1 (en) Blockchain based id as a service
US20230316273A1 (en) Data processing method and apparatus, computer device, and storage medium
CN113256290A (en) Decentralized encrypted communication and transaction system
WO2014035748A1 (en) Method and device for dynamically updating and maintaining certificate path data across remote trust domains
WO2022193984A1 (en) Cross-chain data transmission method and apparatus, and computer device, storage medium and computer program product
CN113271311B (en) Digital identity management method and system in cross-link network
CN114978635B (en) Cross-domain authentication method and device, user registration method and device
CN114547583A (en) Identity authentication system, method, device, equipment and computer readable storage medium
US8613057B2 (en) Identity management facilitating minimum disclosure of user data
CN113747433B (en) Equipment authentication method based on block side chain structure in fog network
CN114091009A (en) Method for establishing secure link by using distributed identity
CN114051031A (en) Encryption communication method, system, equipment and storage medium based on distributed identity
CN113159766A (en) Data protection method, device, system, electronic device and storage medium
CN114978698B (en) Network access method, target terminal, credential management network element and verification network element
Gao et al. Bc-aka: Blockchain based asymmetric authentication and key agreement protocol for distributed 5g core network
WO2022206247A1 (en) Certificate lookup method, and apparatus
CN116633553A (en) Block chain based WPKI certificate management method for Internet of things

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination