CN116668167A

CN116668167A - Intelligent contract method for data communication based on block chain

Info

Publication number: CN116668167A
Application number: CN202310769384.2A
Authority: CN
Inventors: 余益民; 王会源; 张玉; 杨潜
Original assignee: Yunnan Nongyou Technology Co ltd; Yunnan University of Finance and Economics
Current assignee: Yunnan Nongyou Technology Co ltd; Yunnan University of Finance and Economics
Priority date: 2023-06-26
Filing date: 2023-06-26
Publication date: 2023-08-29

Abstract

The invention provides an intelligent contract method based on data communication of a blockchain, which is characterized in that an intelligent contract is introduced into the blockchain, DID of A is acquired, friend information is checked from local storage of the blockchain, DID documents corresponding to the DID are inquired and acquired from the blockchain according to the DID, a public key of A is obtained, identity verification is carried out, a verification partner is an owner of a private key of A, a random number r is generated, ciphertext c is obtained by encrypting the public key of A and is sent to A, the A decrypts by using the private key after receiving, the decrypted random number is encrypted and sent to B, and verification is carried out by B. The invention encrypts the information into a short hash value, the encrypted and decrypted data quantity is small, the execution efficiency of the cryptographic algorithm is high, and the reliable exchange of communication data is ensured by the automatic execution of the intelligent contract; and constructing an information transmission mode based on a blockchain, and constructing a corresponding intelligent contract to realize the secure communication and identity authenticity verifiable of information transmission between the data sender A and the data receiver B.

Description

Intelligent contract method for data communication based on block chain

Technical Field

The invention belongs to the technical field of big data encryption communication, and particularly relates to an intelligent contract method for data communication based on a block chain.

Background

Blockchain-based communication systems have become an effective way to solve the problem of privacy security, but currently, the communication systems combine blockchain technology to store private data into blockchains mostly, which brings about higher security for blockchain applications, but also retains the disadvantages of blockchains, and because blockchains have limited storage space and long data block-out time, the throughput of the system is low, and are not suitable for all data storage and functions to be realized in a link environment, so that the problem of data transmission efficiency should be considered in the communication among blockchain users. Moreover, the public chain needs a large number of nodes to participate in order to ensure the stable and safe operation of the system, which is not suitable for single-organization dominant application, and the alliance chain is more suitable; it is difficult to meet the actual communication requirements simply by constructing a communication system using a blockchain. In addition, in the conventional trusted communication scheme in the client/server mode, the digital identity of the user is completely mastered by the service provider, and once server data is revealed, a huge privacy revealing risk is brought to all users.

In view of the privacy requirements of the communication system, a secure trusted communication system should fulfil the following conditions: (1) autonomous grasping of identity information: each node accessing the communication blockchain is provided with one or more identity marks which do not disclose the real privacy, so that the privacy disclosure problem caused by the central identity platform is prevented. And the users corresponding to the two identifications can be ensured to mutually verify the validity of the identity of the other party. (2) privacy protection: the user uses the pseudonym to communicate with other users, the communication data does not exist in the third party, the pseudonym information is not associated with the true identity of the user, and the privacy security of the user is protected.

Disclosure of Invention

The present invention solves the above-mentioned technical problems of the background art. A smart contract method for blockchain-based data communications is provided.

The invention adopts the following technical scheme:

the intelligent contract method based on the data communication of the block chain introduces intelligent contracts into the block chain, and ensures the reliable exchange of communication data through the automatic execution of the intelligent contracts; constructing an information transmission mode based on a blockchain, and constructing a corresponding intelligent contract to realize the secure communication and the verifiable identity authenticity of the information transmission between a data sender A and a data receiver B, wherein the method specifically comprises the following steps of: the identity authenticity verification process comprises the following steps: when the data receiver B receives the message from the data sender A, the DID of the A is acquired firstly, friend information is checked from the local storage of the data receiver B, and if friends exist, data exchange is performed; if no friend exists, inquiring the block chain according to the DID to acquire the corresponding DID document to obtain the public key of A, performing identity verification, verifying that the opposite party is the owner of the private key of A, generating a random number r, encrypting by using the public key of A to obtain a ciphertext c, sending the ciphertext c to A, decrypting by using the private key after receiving by A, encrypting by using the decrypted random number to B, and verifying by B.

Preferably, the authentication process is: inquiring whether the partner has a verifiable statement issued by a alliance agency, if so, verifying the authenticity of the digital signature of the agency, and determining the legitimacy of the identity A.

Preferably, the data verification mainly verifies the correctness of the digital signature by: when the data receiver B receives the message from the data sender A, the original message in the message is separated from the digital signature to obtain a digital signature S and a message ciphertext c; b uses the public key pk of A _A Decrypting the digital signature to obtain a data digest value; and B, recalculating the digest value of the original message by using the same hash algorithm, comparing the decrypted digest value with the recalculated digest value, and indicating that the message is credible if the decrypted digest value is consistent with the recalculated digest value.

Preferably, the intelligent contracts include an identity inquiry and verification intelligent contract, a data transmission intelligent contract, a data receiving intelligent contract, a message reminding intelligent contract and a message transfer intelligent contract, wherein the intelligent contract performs data interaction with an external API.

Preferably, the IPFS distributed storage protocol is employed in the blockchain.

In step one, when a long message or an attachment needs to be sent between users, a sender can encrypt the long message or the attachment by using a key, upload the encrypted long message or the attachment to an IPFS network to obtain a unique hash index value, encrypt the unique hash index value as a message, send the encrypted long message or the symmetric key of the attachment to a receiver together, obtain a hash address and the symmetric key through decryption, then inquire the address of a node where the long message or the attachment resource is located through the IPFS network, establish point-to-point transmission with a target node, obtain data from the address, finally synthesize the original message into a plaintext message, and decrypt the plaintext message by using the symmetric key.

In the above steps, the digital signature process is:

(1) The message sender carries out hash algorithm on the plaintext message m to obtain a message digest value h ₁ ＝H(m)；

(2) The sender of the message encrypts h using a private key to obtain a digital signature s= Emc (sk, h ₁ )；

(3) The message sender encrypts the message plaintext m together with the digital signature S using the symmetric key k, resulting in encrypted information c=enc ((m, S), k);

(4) The message sender encrypts the symmetric key k by using the public key of the receiver in an asymmetric encryption mode;

(5) The message sender sends the encrypted symmetric key and the digital signature information to the message receiver;

after receiving the message, the receiver decrypts the message by using the private key to obtain the signature file and the symmetric key k, and compares the locally calculated message hash value with h, and if the message hash value is consistent with h, the message is not tampered.

In the above steps, the comparison process is as follows:

(1) After receiving the information, the message receiver decrypts the message using its own private key to obtain a symmetric key k=dec (c, sk).

(2) The message receiver decrypts the message using the symmetric key k to obtain (m, S) =dec (c, k),

(3) The message receiver decrypts the digital signature ciphertext using the sender' S public key to obtain h=dec (S, pk)

(4) Encrypting the original text m by adopting the same hash digest algorithm to obtain a digest value h ₂ ＝H(m)；

(5) Judging h ₁ ＝h ₂ Whether the message is established or not, if so, the message is not tampered.

Preferably, the method comprises the steps of,

the encryption improvement algorithm is as follows:

(1) And (3) key generation: as with the RSA key generation algorithm described above, the public key pk= (e, n) and the private key sk= (d, n) are generated.

(2) Encryption process: a splitting the message plaintext m into several pieces of length L (L<log ₂ n) data segment (m ₁ ,m ₂ …m _n ) The method comprises the steps of carrying out a first treatment on the surface of the At the same time, a random number r (r>0) And the r length is consistent with the message fragment; and then, respectively carrying out encryption operation on each data segment. The specific algorithm is as follows: fragment data m _i And r to obtain ciphertext fragment (c) ₁ ,c ₂ …c _j ) Encrypting by using a public key e to obtain a decryption key mu;

μ＝Enc(r,e)＝r ^e modn

c _i ＝(m _i r)modn,i＝1,2,…,j

mu, c ₁ ,c ₂ …c _j Combined as ciphertext c;

(3) Decryption: before decryption, the receiver needs to split the ciphertext to restore μ, c ₁ ,c ₂ …c _j The method comprises the steps of carrying out a first treatment on the surface of the Decrypting with the private key d to obtain a random number r=dec (μ, d); then decrypting once by using random number r to obtain message segment m _i ；

r＝Dec(μ,d)＝μ ^d modn＝r ^e*d modn

m _i ＝Dec(c _i ,r)＝(c _i r ^-1 )modn＝m _i rr ^-1 modn,i＝1,2,…,j

Message fragments (m ₁ ,m ₂ …m _j ) Splicing to obtain a plaintext m;

note that there is an inverse r to r in the decryption process ^-1 Is that r should be chosen to be n-prime.

The beneficial effects of the invention are as follows:

(1) The DID bound with the public key information is used as a user ID, and the user does not need to register with a central server, so that anonymity is achieved; the information is stored and received in an encrypted mode, so that the safety of the information is realized; other parts of the communication system may be based on prior art (third party storage, etc.). In order to avoid that the same secret key is used for encrypting the communication message for multiple times, malicious nodes are associated to cause the identity or data of a user to be revealed, a random number r is added according to a probability encryption idea during encryption, the random number is encrypted and sent to the opposite side together with a ciphertext fragment during encryption, even the same plaintext message is encrypted, ciphertext encrypted by using different secret keys is inconsistent, and therefore attack of selecting plaintext is resisted.

(2) Because the message is encrypted into a short hash value, the encrypted and decrypted data volume is small, and the execution efficiency of the cryptographic algorithm is high. The intelligent contract has larger error in the result in the experimental process due to the experimental environment, so that the average time shows the execution efficiency of the intelligent contract, and the requirement of the communication process on time delay is basically met.

(3) When new nodes in the blockchain are added, unified registration standards are needed, and the new nodes are input into a user routing table under the control of intelligent contracts through the identification of alliance members. The DID of the sender is provided in the data packet during communication to invoke the intelligent contract by the receiver to verify identity legitimacy to the blockchain.

(4) When the user communicates, the two parties pass through interaction authentication identity with the blockchain and negotiate a symmetric key for encrypting communication data through a handshake protocol, and call an intelligent contract to provide end-to-end encryption communication for the opposite party address. After receiving the information, the receiver can independently verify the validity of the identity of the opposite party and the credibility of the data.

(5) The communication data size is divided into short messages within 1KB and long messages above 1KB, the long messages are stored in an IPFS in an encrypted mode, and hash addresses corresponding to the long messages are sent. After receiving the information, the receiver acquires the information from the IPFS and verifies the information, and the communication time delay of the long message is improved by using the transmission mode of the IPFS network in many-to-one mode.

Drawings

FIG. 1 is a general block diagram of a system of the present invention;

FIG. 2 is a diagram of a system model architecture of the present invention;

FIG. 3 is a block diagram of a data store of the present invention;

FIG. 4 is a diagram showing the relationship between conventional identity authentication and decentralization authentication according to the present invention;

FIG. 5 is a flow chart of authentication of node identity according to the present invention;

FIG. 6 is a flow chart of the present model provided herein;

FIG. 7 is a diagram of the intelligent contract invocation relationship provided by the present invention;

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Examples

The trusted communication scheme based on the blockchain provided in the embodiment is based on the existing on-chain communication model, ensures the safety of user identity and data by introducing an IPFS system and a DID identifier, is oriented to groups or scenes with higher requirements on communication privacy, such as enterprises, different institutions or countries,

therefore, the reliable operation of the system can be ensured to the maximum by adopting the form of the alliance chain, and different groups are used as an alliance member to participate in the block chain consensus so as to ensure the normal operation of the communication environment. Under the alliance chain mechanism, the distributed digital identity and the third-party distributed storage network are tightly combined, and a corresponding communication protocol is designed based on the intelligent contract, so that the intelligent contract does not need to depend on a third-party service mechanism, and secure communication, identity and message verification in the blockchain application is realized.

The system is divided into three layers, namely a storage layer, a contract layer and an application layer, and the system architecture is shown in figure 1.

The storage layer is responsible for storing identity information documents and communication data in a safe and reliable manner, wherein the blockchain mainly stores user DID document data, and the communication data is mainly stored in the IPFS network in a blocking mode. The intelligent contract layer is responsible for calling the intelligent contracts with corresponding functions to execute specific business logic of the intelligent contracts through the set corresponding rules to complete different functions in the communication process.

The application layer is a variety of functions implemented by the system, including data uploading, data receiving, authentication, etc.

Firstly, deploying blockchains into different nodes by relying on an Ethernet, independently generating public and private keys and DID identifications by each alliance node and all light nodes, issuing verifiable credentials to the nodes according to internal requirements of different alliance members to prove the authenticity of a certain attribute, and deploying IPFS nodes of all users.

In this embodiment, the blockchain related technology is referred to and used as a part of the communication system, and the main inventive idea is as follows:

the DID bound with the public key information is used as a user ID, and the user does not need to register with a central server, so that anonymity is achieved; the information is stored and received in an encrypted mode, so that the safety of the information is realized; other parts of the communication system may be based on prior art (third party storage, etc.).

Based on research of a alliance chain and an on-chain communication mechanism, the problem of communication privacy protection in a scene of a block chain communication system is further researched, the uplink of unnecessary information is reduced, and the defects of high communication time delay and high cost in a block chain environment are optimized by adopting a mode of verifying safety transmission under a data chain on an identity chain.

The main parameters and symbols involved are shown in table 1.

The symbols and their meanings as referred to in Table 1

A trusted communication model is designed by means of the idea of a blockchain, the distributed storage system IPFS and the distributed digital identity DID, and the trusted communication model mainly comprises the blockchain design, the node identity management, the hybrid encryption algorithm and the trusted communication method. As shown in fig. 2, the trusted data communication model based on the blockchain proposed in this embodiment includes 5 parts, respectively: data sender a, data receiver B, distributed storage IPFS, blockchain networks, and smart contracts.

(1) Message sender: first, the party initiating the communication generates the original plaintext data m and sends a data message through the device. The message sender already has a digital identity DID _A Together with the binding, a public-private key pair (pk _A ,sk _A ) And verifiable claims issued by federation authorities, and nodes accessing the IPFS network.

(2) The data receiver: and actively searching information from the blockchain by the party passively receiving the message, downloading data from the IPFS after decryption, and then carrying out hash operation to verify the authenticity of the message, thereby completing data communication. Consistent with the sender, there are DID and IPFS nodes.

(3) Intelligent contract: and the system is responsible for communicating users with blockchain and IPFS networks and communicating link security, and provides an automatic management method based on policy definition.

(4) IPFS: and the third party storage network is responsible for uploading and downloading data, returning the hash value of the message abstract after receiving the message, and realizing the efficient transmission of mass data.

(5) Block chain network: and the user registration identity DID, the DID document and other privacy data information are stored, packaged and commonly recognized, and then added into a chain structure to be unchanged, and maintained by alliance members.

Data storage structure

Considering the importance of the communication content in different scenes, the data in the model of this embodiment may be selectively stored on the chain, and for the important or private data, it may be recorded in the blockchain network to prevent the counterpart from denying and losing the data.

And non-important data is stored through the IPFS system so as to improve communication efficiency. When privacy data with traceable requirements are uplink, short messages smaller than 1KB can be directly stored in a block after being encrypted, long messages larger than 1KB are firstly stored in an IPFS system, and then file addresses are uplink stored.

When digest data of a private message needs to be uploaded, in order to ensure the credibility and non-tamper ability of the data content, in this embodiment, a hash digest calculation is performed on each group of communication data, and the digest value is recorded and stored by the structure as shown in fig. 3.

The communication data of each group are packed into a data block (DataBlock), and the data block comprises a data head and a data body, wherein the data head consists of a time stamp t and a total hash value of the data block of the merck tree structure; the data body contains a plurality of data entries, each data entry containing a timestamp associated with the piece of data, a sender DID, a receiver DID, a message data signature, and an address of the message in the IPFS system. The size of each piece of data is controlled within 1KB, so that the verification of the node is facilitated.

In the case of a normal message or attachment, the metadata hash value stored in the data entry is the IPFS file hash address value. In the block, each data entry is stored in a merck tree structure, facilitating verification of the data.

Hybrid encryption mechanism

In the decentralizing network, privacy security mainly depends on the reliability of a cryptography algorithm, a symmetric encryption mode has higher efficiency than a public key encryption mode, and private transmission of a secret key is performed in the public key encryption mode, namely, a hybrid encryption mode is adopted, so that the advantages of two cryptomechanisms are considered.

The P2P communication network adopted by the blockchain mainly guarantees the communication safety from two aspects of access and exit of the nodes and network communication safety guarantee, and for the alliance chain, the joining and exiting of the nodes depend on a strict access and exit mechanism of the nodes, and illegal nodes are not allowed to join the network.

However, in practical applications, some nodes may have a lucky mind on malicious behaviors due to anonymous trust of identity information, so that the legality of the nodes must be ensured according to a safe and reliable cryptography algorithm. Before communication, authentication needs to be carried out between nodes and a symmetric key is generated, and then the nodes encrypt and decrypt the message by using the symmetric key. The identity verification is used for verifying the validity and the authenticity of the identity of the node, and preventing the node without the legal identity from joining the network and sending malicious information; the purpose of the symmetrical encryption of the messages is to prevent the messages from being tampered maliciously in the sending process, and meanwhile, the privacy isolation of different messages of the same node is ensured.

In the block chain communication system, cryptography ensures the security of data transmission, in the embodiment, a hybrid encryption scheme is designed by referring to a WeChat encryption transmission flow, so as to achieve the secure exchange of keys, digital signature and verification are provided, RAS is adopted as a public key encryption scheme, and AES is adopted as a symmetric encryption scheme.

The symmetric encryption has the advantages of high encryption efficiency, high speed, short key length and the like, and is widely applied to encryption and decryption of larger data. The public key encryption mechanism has high security but poor performance, and particularly has more obvious encryption and decryption on larger data. Thus, combining two cryptographic mechanisms, employing hybrid encryption has become a solution to the performance and security problems.

The RSA encryption algorithm is a widely used first generation algorithm of asymmetric encryption, the principle is based on the mathematical difficulty of large prime number decomposition, and although a plurality of encryption algorithms with better performance and key length than the RSA algorithm, such as elliptic curve encryption algorithm ECC, and the like, are present, the random number generator is deeply researched according to elliptic curve generation provided by national security technology and standard in the United states, and the random number generator possibly has loopholes, and Microsoft and NSA release the loophole patches and notices successively. The RSA algorithm still has very high security after increasing the key length. The HTTPS protocol, which is widely used, employs the RSA algorithm.

AES is also a typical symmetric encryption algorithm, and has the advantages of high efficiency and high security, and can solve the problem of slow encryption and decryption speed of the RSA algorithm. The characteristics of the two cryptographic algorithms used in this embodiment are shown in table 2.

Table 2 characteristics of two encryption algorithms

The parameter generation process of the RSA public key encryption scheme comprises the following steps:

(1) Two large primes p, q are generated at the local system.

(2) N=pq is calculated, and the euler function Φ (n) = (p-1) (q-1) is calculated.

(3) An odd number e is selected that is mutually exclusive with Φ (n), i.e., e (e < Φ (n)) satisfying gcd (e, Φ (n))=1, the public encryption key pk= (e, n).

(4) D (1<d < Φ (n)) satisfying e×d mod Φ (n) =1 is calculated as a private key, and the private key requiring confidentiality is sk= (d, n).

The encryption process of RSA is: firstly, the plaintext messages are grouped in sequence and are digitized, the length of each group of plaintext after grouping cannot be larger than log (n), and then, each plaintext is subjected to independent encryption and decryption operation.

And (3) the data encryption process, namely performing the following operation on the public key e and the plaintext m to be encrypted to obtain the ciphertext c.

c＝m ^e mod n

Decryption process of RSA: the plaintext m is obtained by the following operation using the private key d and the ciphertext c.

m＝c ^d mod n

The digital signature process is as follows:

(1) The message sender carries out hash algorithm on the plaintext message m to obtain a message digest value h ₁ ＝H(m)。

(2) The sender of the message encrypts h using a private key to obtain a digital signature s=enc (sk, h) ₁ )。

(3) The message sender encrypts the message plaintext m together with the digital signature S using the symmetric key k, resulting in the encrypted information c=enc ((m, S), k).

(4) The sender of the message encrypts the symmetric key k using the public key of the receiver in an asymmetric encryption manner.

(5) The message sender sends the encrypted symmetric key and the digital signature information to the message recipient.

The main process is as follows:

(4) Encrypting the original text m by adopting the same hash digest algorithm to obtain a digest value h ₂ ＝H(m)。

When a message is encrypted using a symmetric key, since the communication contents may be identical a plurality of times, the use of the same key for a long time may cause the leakage of ciphertext data. In order to minimize the probability of information leakage and prevent a malicious node from performing multiple result analysis on encryption of a key, so as to obtain partial information of the node, in this embodiment, an RSA-based probability encryption improvement algorithm is adopted, and the algorithm is described as follows:

(1) Key generation

As with the RSA key generation algorithm described above, the public key pk= (e, n) and the private key sk= (d, n) are generated.

(2) Encryption process

A splitting the message plaintext m into several pieces of length L (L<log ₂ n) data segment (m ₁ ,m ₂ …m _n ) The method comprises the steps of carrying out a first treatment on the surface of the At the same time, a random number r (r>0) And the r length is consistent with the message fragment; then for each data segmentAnd (5) performing encryption operation. The specific algorithm is as follows: fragment data m _i And r to obtain ciphertext fragment (c) ₁ ,c ₂ …c _j ) The decryption key mu is obtained by encrypting with the public key e.

μ＝Enc(r,e)＝r ^e modn

c _i ＝(m _i r)modn,i＝1,2,…,j

Mu, c ₁ ,c ₂ …c _j Combined as ciphertext c.

(3) Decryption process

Before decryption, the receiver needs to split the ciphertext to restore μ, c ₁ ,c ₂ …c _j The method comprises the steps of carrying out a first treatment on the surface of the Decrypting with the private key d to obtain a random number r=dec (μ, d); then decrypting once by using random number r to obtain message segment m _i ；

r＝Dec(μ,d)＝μ ^d modn＝r ^e*d modn

m _i ＝Dec(c _i ,r)＝(c _i r ^-1 )modn＝m _i rr ^-1 modn,i＝1,2,…,j

Finally the message segment (m ₁ ,m ₂ …m _j ) And splicing to obtain a plaintext m. Note that in order to satisfy the inverse r to r exists in the decryption process ^-1 Is that r should be chosen to be n-prime.

Distributed storage

The generation of the blockchain is to realize the decentralization, so that the trade can reach consensus in the environment without a central mechanism. As a mechanism of the bottom layer, the blockchain enables data to flow safely, so that the trust problem is solved, but the blockchain is low in storage efficiency and high in cost, and in order to ensure the safety of the data, one blockdata needs to be stored by a plurality of nodes, so that the storage resources of the whole network are greatly wasted. The IPFS is used as a distributed storage protocol, is combined with an excitation layer of the blockchain Filecoin, attracts more nodes to participate in storage, has an automatic deduplication function while in distributed storage, has the characteristic of guaranteeing that content is not tamperable, stores a unique permanently-usable file address onto a non-tamperable blockchain, reduces storage pressure of the blockchain to a great extent, reduces data storage redundancy, and expands the application range of the blockchain. The combination of the two technologies can solve the current safety and reliability problems and adapt to high-concurrency network application. Today there are many cases where IPFS is used to build a distributed communication protocol, such as Berty protocol, etc.

Therefore, in this embodiment, the IPFS technique is used as a way to make up for the shortage of the amount of storage in the blockchain, when a long message or an attachment needs to be sent between users, the sender may encrypt the long message or the attachment with the key k, upload the encrypted long message or the attachment to the IPFS network, obtain the unique hash index value hash, encrypt the hash as a message, and send the symmetric key for encrypting the long message or the attachment to the receiver together. The file encryption storage algorithm may be described as:

the receiver obtains the hash address and the symmetric key through decryption, then inquires the address of the node where the long message or the accessory resource is located through the IPFS network, establishes point-to-point transmission with the target node, obtains data from the point-to-point transmission, finally synthesizes the original message into a plaintext message, and decrypts the plaintext message by using the symmetric key. When a message is stored in a plurality of nodes, other nodes can transmit simultaneously, and the communication efficiency can be greatly improved. In the blockchain environment, the data is not subjected to any third-party organization, and the data is guaranteed to be tamper-proof through encryption technology and signature. The file acquisition and decryption algorithm process can be described as:

block chain based trusted communication model

Node identity management

Three security threats brought by hackers can be faced in the process of data transmission in the network, including data theft, data tampering and data fraud. In order to make the message more secure and reliable, the identity of the communicating user needs to be managed first.

In the area-centric identity management, a user can have multiple pieces of independent and controllable identity information for different applications, and the decentralized identity DID has the following characteristics compared with the conventional Public Key Infrastructure (PKI) -based identity system.

Decentralizing: is a blockchain-based system to avoid the threat of a central authority in hosting identity information.

The identity is autonomously controllable: DID is not limited to third party authorization, but rather is based on Distributed Public Key Infrastructure (DPKI), with each user's identity information being determined by his own, rather than by a trusted third party.

Trusted data exchange: the data related to identity is maintained on a blockchain basis and thus the identity provider may not be involved in the identity verification process.

(1) Node identity registration

User identity and data privacy are 2 important issues in trusted communications, and in this embodiment, a blockchain node identity management scheme based on distributed digital identities is adopted. Before joining the network, the communication node needs to locally generate a public and private key pair according to a system public key algorithm mechanism, and generate a DID Document < DID Document >. And finally, uploading the DID document to a blockchain network, and after network sharing, the whole network node can find and verify whether the DID belongs to a legal node of the blockchain network.

(2) Node identity verification

The authentication specifically comprises two parts, namely, an authentication opposite party can authenticate the statement VC and the authentication opposite party, wherein the purpose of the authentication VC is to prove that the authentication opposite party has legal identity in the alliance communication network, and the validity of the digital signature of the authentication opposite party can prove that the opposite party is really the owner of the private key. Firstly, carrying out identity authentication on a VC, obtaining the DID of an Issuer from an Issuer field in a VC DID file, then obtaining a public key of the Issuer from the DID file, and carrying out authentication on the identity of the Issuer by using the public key, thereby determining the identity of the Issuer.

And secondly, verifying the identity of the other party. The authentication process is mainly applied to the challenge-response mechanism: a firstly obtains the public key pk of the DID provided by B by searching the corresponding DID Document from the DID resolution _B Generating a random number k, encrypting the k by using a public key and transmitting the encrypted k to B; b after receiving it uses its own private key sk _B Encrypting k to obtain ciphertext c, merging DID of the user with c, packaging and sending to A; a receives the decryption c and compares it with the locally generated k, and if it is consistent, B can be proved to be in identity. This process is shown in fig. 5.

Trusted communication protocol

The blockchain trusted communications protocol is an end-to-end, connection-oriented protocol for reliable, orderly and authenticated communications between different nodes on the chain. Blockchain networks have low throughput and poor flexibility, so they must be optimized with specific contractual agreements to promote communication capabilities and can only provide a trusted communication model for applications built thereon.

In the communication process, firstly, a user exchanges a DID and a public key pk through a blockchain and a handshake protocol, inquires and verifies the legitimacy of the identity of the opposite party from the blockchain through the DID, then negotiates a symmetric key, and the encryption process is similar to an encryption mechanism of a PGP protocol. For short message information, a user can also directly transmit encryption information through a communication link in an asymmetric encryption mode, for larger file data and the like, a communication sender can encrypt and then upload the file to an IPFS network to obtain a returned data address value, and a corresponding intelligent contract is called in a blockchain to remind a receiver. The recipient obtains the file from the IPFS and decrypts it and the communication process is shown in fig. 6.

The sender and the receiver can locally register the DID and public-private key pairs according to the unified standard and record the DID and public-private key pairs on the chain. In the initial communication stage, a sender starts a transaction, packages a message ciphertext C or a symmetric key k into a block transaction, and communicates the block transaction with a node for verification.

Triggering the smart contract event to send a message to the recipient reminding the smart contract.

The recipient may decrypt the message to obtain the data address and key, download the data from the IPFS, decrypt and verify the data integrity using the key.

Intelligent contracts for data collaboration on and off links

Once the data in the blockchain is agreed and stored, the transaction is permanently written into the block and cannot be changed, and the mechanism ensures the credibility of the data on the chain. The correct flow of data in communication is not separated from an intelligent contract mechanism, and an intelligent contract is essentially a code running in a blockchain environment, can describe actual business logic by using a machine language, is deployed in a blockchain network, is started after reaching preset conditions, and is executed according to logic functions. In this embodiment, the communication mode is combined with the blockchain technology, and an intelligent contract is introduced into the blockchain, so that reliable exchange of communication data is ensured by automatic execution of the intelligent contract. On the basis, an information transmission mode based on a block chain is constructed, and a corresponding intelligent contract is constructed to realize the whole information transmission flow, so that the stability and the safety of information transmission are ensured. The communication system is no longer dependent on a third party service authority, thereby meeting the requirements of secure communication and message verifiability in blockchain applications.

According to specific requirements, the smart contracts are roughly divided into several contents: identity inquiry and verification intelligent contracts, data transmission intelligent contracts, data receiving intelligent contracts, message reminding intelligent contracts, message transfer intelligent contracts and the like. The main calling relationship of the intelligent contract in the model of the embodiment is shown in fig. 7.

Message authentication

The message verification algorithm refers to that the communication parties verify the credibility of the identity information and the data of the communication parties. The identity authenticity verification process comprises the following steps:

(1) When the data receiver B receives the message from the data sender A, the DID of the A is firstly obtained, friend information is checked from the local storage of the data receiver B, if no friend exists, the corresponding DID document is inquired and obtained from the blockchain according to the DID, and the public key pk of the A is obtained _A And carrying out identity verification, wherein the main process is as follows:

(2) Inquiring whether the partner has a verifiable statement issued by a alliance agency, if so, verifying the authenticity of the digital signature of the agency, and determining the legitimacy of the identity A.

(3) The other party is verified as the owner of the private a key. Generating a random number r, encrypting by using the public key of A to obtain a ciphertext c, sending the ciphertext c to A, decrypting by using the private key after receiving the ciphertext c, encrypting and sending the decrypted random number to B, and verifying by B.

The data verification mainly verifies the correctness of the digital signature, and the main process is as follows:

(1) When the data receiver B receives the message from the data sender A, the original message in the message is separated from the digital signature to obtain a digital signature S and a message ciphertext c.

(2) B uses the public key pk of A _A And decrypting the digital signature to obtain a data digest value.

(3) B recalculates the digest value of the original message using the same hash algorithm.

(4) Comparing the decrypted digest value with the recalculated digest value, and if the decrypted digest value is consistent with the recalculated digest value, indicating that the message is credible.

Security analysis

Encryption algorithm security analysis

The security of the RSA algorithm relies on the difficulty of large factorization.

Assuming that the malicious node obtains the public key (e, n) of a and overhears the encrypted message c, since d in the private key required for decryption cannot be obtained, n can only be obtained by calculation according to ciphertext data, and then n is decomposed into p and q which meet the condition, so that the push key d is calculated. However, there is no solution to solve the problem of factorization of a large number in a polynomial time calculation, so that the security of the RSA cryptographic algorithm depends on the length of n. The key length of the RSA algorithm is 1024 bits or more today, which is safe for a long time in the future.

In order to avoid that the same secret key is used for encrypting the communication message for multiple times, malicious nodes are associated to cause the identity or data of a user to be revealed, a random number r is added according to a probability encryption idea during encryption, the random number is encrypted and sent to the opposite side together with a ciphertext fragment during encryption, even the same plaintext message is encrypted, ciphertext encrypted by using different secret keys is inconsistent, and therefore attack of selecting plaintext is resisted.

Performance analysis

In order to test the efficiency of the scheme, the encryption algorithm, the probability encryption algorithm and the communication related operation adopted in the scheme are simulated, the time cost of the password related operation on the device is tested first, the data adopts the text with the size of 1KB, the RSA key length bit is 1024 bits, and the AES key length bit is 128 bits. The results are shown in Table 4:

TABLE 4 encryption and decryption time

Because long message or large file data are stored and IPFS, both parties communicate and transmit data bit hash values, so that the time for encrypting the communication data by using RSA and AES is less, and the requirement of encrypting the data in communication can be met.

The execution efficiency of the intelligent contract affects the efficiency of implementing the system function, so in the environment described in this embodiment, the execution time of the intelligent contract function is simply tested, and since the execution of the intelligent contract is subject to the complexity and the busyness of the network, the average result value is measured three times, and the execution results of several intelligent contracts mainly related in this embodiment are shown in table 5:

TABLE 5 Intelligent contract execution efficiency

As can be seen from the results of tables 4 and 5, since the message is encrypted to a short hash value, the amount of data encrypted and decrypted is small, and the execution efficiency of the cryptographic algorithm is high. The intelligent contract has larger error in the result in the experimental process due to the experimental environment, so that the average time shows the execution efficiency of the intelligent contract, and the requirement of the communication process on time delay is basically met.

The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the invention.

Claims

1. The intelligent contract method based on the data communication of the block chain introduces intelligent contracts into the block chain, and ensures the reliable exchange of communication data through the automatic execution of the intelligent contracts; the method is characterized by comprising the following steps of: the identity authenticity verification process comprises the following steps: when the data receiver B receives the message from the data sender A, the DID of the A is acquired firstly, friend information is checked from the local storage of the data receiver B, and if friends exist, data exchange is performed;

if no friend exists, inquiring the block chain according to the DID to acquire the corresponding DID document to obtain the public key of A, performing identity verification, verifying that the opposite party is the owner of the private key of A, generating a random number r, encrypting by using the public key of A to obtain a ciphertext c, sending the ciphertext c to A, decrypting by using the private key after receiving by A, encrypting by using the decrypted random number to B, and verifying by B.

2. The intelligent contract method for blockchain-based data communications of claim 1, wherein: the identity verification process comprises the following steps: inquiring whether the partner has a verifiable statement issued by a alliance agency, if so, verifying the authenticity of the digital signature of the agency, and determining the legitimacy of the identity A.

3. The intelligent contract method for blockchain-based data communications of claim 1, wherein: the data verification mainly verifies the process of the correctness of the digital signature as follows: when the data receiver B receives the message from the data sender A, the original message is eliminated firstSeparating the message from the digital signature to obtain a digital signature S and a message ciphertext c; b uses the public key pk of A _A Decrypting the digital signature to obtain a data digest value; and B, recalculating the digest value of the original message by using the same hash algorithm, comparing the decrypted digest value with the recalculated digest value, and indicating that the message is credible if the decrypted digest value is consistent with the recalculated digest value.

4. The intelligent contract method for blockchain-based data communications of claim 1, wherein: the intelligent contracts comprise an identity inquiry and verification intelligent contract, a data transmission intelligent contract, a data receiving intelligent contract, a message reminding intelligent contract and a message transfer intelligent contract, and the intelligent contracts conduct data interaction with an external API.

5. The intelligent contract method for blockchain-based data communications of claim 1, wherein: IPFS distributed storage protocol is employed in the blockchain.

6. The intelligent contract method for blockchain-based data communications of claim 5, wherein: in step one, when long messages or attachments need to be sent between users, a sender encrypts the long messages or attachments by using a key, uploads the encrypted long messages or attachments to an IPFS network to obtain a unique hash index value, encrypts the unique hash index value as a message, sends the encrypted long messages or attachments to a receiver together with a symmetric key, the receiver obtains a hash address and the symmetric key through decryption, queries the address of a node where the long message or the attachment resource is located through the IPFS network, establishes point-to-point transmission with a target node, obtains data from the point-to-point transmission, finally synthesizes the original message into a plaintext message, and decrypts the plaintext message by using the symmetric key.

7. The intelligent contract method for blockchain-based data communications of claim 1, wherein: the digital signature process is as follows:

(2) The sender of the message encrypts h using a private key to obtain a digital signature s=enc (sk, h) ₁ )；

8. The intelligent contract method for blockchain-based data communications of claim 7, wherein: the process is as follows:

(1) After receiving the information, the message receiver decrypts the information by using the private key of the message receiver to obtain a symmetric key k=dec (c, sk);

9. The intelligent contract method for blockchain-based data communications of claim 1, wherein:

the encryption improvement algorithm is as follows:

(1) And (3) key generation: as with the RSA key generation algorithm described above, the public key pk= (e, n) and the private key sk= (d, n) are generated;

(2) Encryption process: a, splitting the message plaintext m into a plurality of pieces with the length L (L < L)og ₂ n) data segment (m ₁ ，m ₂ …m _n ) The method comprises the steps of carrying out a first treatment on the surface of the Generating a random number r (r > 0) at the same time, wherein the length of r is consistent with the message fragment; then, each data segment is respectively subjected to encryption operation, and the specific algorithm is as follows: fragment data m _i And r to obtain ciphertext fragment (c) ₁ ，c ₂ …c _j ) Encrypting by using a public key e to obtain a decryption key mu;

μ＝Enc(r，e)＝r ^e modn

c _i ＝(m _i r)modn，i＝1,2，...，j

mu, c ₁ ，c ₂ …c _j Combined as ciphertext c;

(3) Decryption: before decryption, the receiver needs to split the ciphertext to restore μ, c ₁ ，c ₂ …c _j The method comprises the steps of carrying out a first treatment on the surface of the Decrypting with the private key d to obtain a random number r=dec (μ, d); then decrypting once by using random number r to obtain message segment m _i ；

r＝Dec(μ，d)＝μ ^d modn＝r ^e*d modn

m _i ＝Dec(c _i ，r)＝(c _i r ^-1 )modn＝m _i rr ^-1 modn，i＝1,2，...，j

Message fragments (m ₁ ，m ₂ …m _j ) Splicing to obtain plaintext m, wherein r is inverse to r in decryption process ^-1 Is that r should be chosen to be n-prime.