CN117768170A - Access authentication method, device, edge device and storage medium - Google Patents

Publication number
CN117768170A
Authority
CN
China
Prior art keywords
authentication
authentication result
signature
identity
consensus
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311746567.9A
Other languages
Chinese (zh)
Inventor
李彬
苏新明
温冬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xi'an Huaxun Technology Co ltd
Original Assignee
Xi'an Huaxun Technology Co ltd
Application filed by Xi'an Huaxun Technology Co ltd
Priority to CN202311746567.9A
Publication of CN117768170A


Abstract

The application provides an access authentication method, an access authentication device, an edge device and a storage medium. The access authentication method includes: performing identity authentication according to a target consensus identity to obtain an identity authentication result; if the identity authentication result is authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively; broadcasting the user consensus authentication request to other verifier nodes, so that the other verifier nodes perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively; obtaining an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result; and sending the access authentication result to the access device. Because multiple verifier nodes perform the authentication together, the security level of user authentication and authorization is improved and the authentication process becomes traceable authentication based on the blockchain ledger; the edge devices host the verifier nodes that take part in the authentication process, which improves the overall security level of the edge network.

Description

Access authentication method, device, edge device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an access authentication method, an access authentication device, an edge device, and a storage medium.
Background
Identity authentication is the process of confirming the identity of an operator in a computer or computer network system, so as to determine whether the user has permission to access and use a given resource. It prevents an attacker from impersonating a legitimate user to obtain access to the resource, and thereby protects the security of the system and its data.
At present, conventional edge systems and devices generally perform authentication and trust based on a user password and local authentication. An edge device is a device deployed in the edge network of the Internet of Things and used for Internet of Things purposes such as network communication, protocol processing, data acquisition and real-time computation.
However, this authentication and trust method provides only simple, basic authentication functions and has a low security level.
Disclosure of Invention
In view of this, the embodiments of the present application provide an access authentication method, apparatus, edge device and storage medium, in which the verifier nodes in a blockchain private chain network and distributed edge system based on edge devices perform identity authentication together, thereby improving the security level of user authentication and trust.
In a first aspect, an embodiment of the present application provides an access authentication method applied to any verifier node in a blockchain private chain network and distributed edge system based on edge devices, the method including:
receiving a user consensus authentication request sent by an access device, wherein the user consensus authentication request includes: a target consensus identity, a hash value to be authenticated of the last block in a user consensus authentication ledger, and a signature to be verified, the signature to be verified being calculated based on the target consensus identity and the hash value of the last block in the user consensus authentication ledger;
performing identity authentication according to the target consensus identity to obtain an identity authentication result;
if the identity authentication result is authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a first block authentication result and a first signature authentication result;
broadcasting the user consensus authentication request to the other verifier nodes in the blockchain private chain network and distributed edge system, so that the other verifier nodes perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a second block authentication result and a second signature authentication result;
obtaining an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result;
and sending the access authentication result to the access device.
In an optional embodiment, the method further includes:
if the access authentication result is authentication passed, adding a new last block to the user consensus authentication ledger maintained by the verifier node, and recording the access authentication result in that newly added last block;
broadcasting the access authentication result to the other verifier nodes, so that each of the other verifier nodes adds a new last block to the user consensus authentication ledger it maintains and records the access authentication result in that newly added last block;
and sending, to the access device, the hash value of the newly added last block in the user consensus authentication ledger maintained by the verifier node.
In an optional embodiment, the step of performing identity authentication according to the target consensus identity to obtain an identity authentication result includes:
performing validity authentication on the target consensus identity to obtain an identity authentication result;
performing validity authentication on the user information corresponding to the target consensus identity to obtain a user information authentication result;
and obtaining the identity authentication result according to the identity authentication result and the user information authentication result.
In an optional embodiment, the user consensus authentication request further includes first timestamp information, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication ledger and the first timestamp information; the method further includes:
obtaining, according to the target consensus identity, second timestamp information of the previous user consensus authentication request, wherein the previous user consensus authentication request includes the target consensus identity;
determining a session request interval duration according to the first timestamp information and the second timestamp information;
performing validity authentication on the session request interval duration to obtain a session authentication result;
wherein the step of, if the identity authentication result is authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified to obtain a first block authentication result and a first signature authentication result includes:
if the identity authentication result and the session authentication result are both authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes verification code information, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication ledger, the first timestamp information and the verification code information; the method further includes:
performing consistency authentication on the verification code information, and performing validity authentication on the verification code information according to the first timestamp information, to obtain a verification code authentication result;
wherein the step of, if the identity authentication result and the session authentication result are both authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a first block authentication result and a first signature authentication result includes:
if the identity authentication result, the session authentication result and the verification code authentication result are all authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes address information of the access device, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication ledger and the address information of the access device; the method further includes:
performing validity authentication on the address information of the access device to obtain an address authentication result;
wherein the step of, if the identity authentication result is authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified to obtain a first block authentication result and a first signature authentication result includes:
if the identity authentication result and the address authentication result are both authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In an optional embodiment, the step of performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified to obtain a first block authentication result and a first signature authentication result includes:
obtaining the actual hash value of the last block in the user consensus authentication ledger maintained by the verifier node;
performing consistency authentication on the hash value to be authenticated of the last block against the actual hash value to obtain the first block authentication result;
calculating a target signature according to the target consensus identity and the hash value of the user consensus authentication ledger block;
and performing consistency authentication on the signature to be verified against the target signature to obtain the first signature authentication result.
In a second aspect, an embodiment of the present application further provides an access authentication apparatus, including:
a receiving module, configured to receive a user consensus authentication request sent by an access device, wherein the user consensus authentication request includes: a target consensus identity, a hash value to be authenticated of the last block in a user consensus authentication ledger, and a signature to be verified, the signature to be verified being calculated based on the target consensus identity and the hash value of the user consensus authentication ledger block;
an authentication module, configured to perform identity authentication according to the target consensus identity to obtain an identity authentication result;
the authentication module being further configured to, if the identity authentication result is authentication passed, perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a first block authentication result and a first signature authentication result;
a broadcasting module, configured to broadcast the user consensus authentication request to the other verifier nodes in the blockchain private chain network and distributed edge system, so that the other verifier nodes perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a second block authentication result and a second signature authentication result;
an acquisition module, configured to obtain an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result;
and a sending module, configured to send the access authentication result to the access device.
In an optional embodiment, the apparatus further includes:
an adding module, configured to, if the access authentication result is authentication passed, add a new last block to the user consensus authentication ledger maintained by the verifier node and record the access authentication result in that newly added last block;
the broadcasting module being further configured to broadcast the access authentication result to the other verifier nodes, so that each of the other verifier nodes adds a new last block to the user consensus authentication ledger it maintains and records the access authentication result in that newly added last block;
the sending module being further configured to send, to the access device, the hash value of the newly added last block in the user consensus authentication ledger maintained by the verifier node.
In an optional embodiment, the authentication module is specifically configured to:
perform validity authentication on the target consensus identity to obtain an identity authentication result;
perform validity authentication on the user information corresponding to the target consensus identity to obtain a user information authentication result;
and obtain the identity authentication result according to the identity authentication result and the user information authentication result.
In an optional embodiment, the user consensus authentication request further includes first timestamp information; the acquisition module is further configured to:
obtain, according to the target consensus identity, second timestamp information of the previous user consensus authentication request, wherein the previous user consensus authentication request includes the target consensus identity;
the acquisition module is further configured to determine a session request interval duration according to the first timestamp information and the second timestamp information;
the authentication module is further configured to perform validity authentication on the session request interval duration to obtain a session authentication result;
the authentication module is specifically configured to:
if the identity authentication result and the session authentication result are both authentication passed, perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain a first block authentication result and a first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes verification code information; the authentication module is further configured to:
perform consistency authentication on the verification code information, and perform validity authentication on the verification code information according to the first timestamp information, to obtain a verification code authentication result;
the authentication module is specifically configured to:
if the identity authentication result, the session authentication result and the verification code authentication result are all authentication passed, perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes address information of the access device; the authentication module is further configured to:
perform validity authentication on the address information of the access device to obtain an address authentication result;
the authentication module is specifically configured to:
if the identity authentication result and the address authentication result are both authentication passed, perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In an optional embodiment, the authentication module is specifically configured to:
obtain the actual hash value of the last block in the user consensus authentication ledger maintained by the verifier node;
perform consistency authentication on the hash value to be authenticated of the last block against the actual hash value to obtain the first block authentication result;
calculate a target signature according to the target consensus identity and the hash value of the user consensus authentication ledger block;
and perform consistency authentication on the signature to be verified against the target signature to obtain the first signature authentication result.
In a third aspect, an embodiment of the present application further provides an edge device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor in communication with the memory over the bus when the edge device is running, the processor executing the machine-readable instructions to perform the method of any of the first aspects.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, wherein, when the computer program is executed by a processor, the processor performs the method according to any of the first aspects.
The application provides an access authentication method, an access authentication device, an edge device and a storage medium. The access authentication method includes: performing identity authentication according to a target consensus identity to obtain an identity authentication result; if the identity authentication result is authentication passed, performing consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively; broadcasting the user consensus authentication request to other verifier nodes, so that the other verifier nodes perform consistency authentication on the hash value to be authenticated of the last block and on the signature to be verified, respectively; obtaining an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result; and sending the access authentication result to the access device. Because multiple verifier nodes perform the authentication together, the security level of user authentication and authorization is improved and the authentication process becomes traceable authentication based on the blockchain ledger; at the same time, the edge devices host the verifier nodes that take part in the authentication process, which can improve the overall security level of the edge network.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be regarded as limiting its scope; a person skilled in the art may obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 2 is a second schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 3 is a third schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 4 is a fourth schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 5 is a fifth schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 6 is a sixth schematic flow chart of an access authentication method provided in an embodiment of the present application;
Fig. 7 is a schematic diagram of a blockchain private chain network system provided in an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an access authentication device provided in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an edge device provided in an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
To address the low security level of authentication and trust based on a user password and local authentication, the present application uses edge devices in a local area network to build a distributed system based on a blockchain private chain network, uses the decentralized Proof of Authority (POA) consensus mechanism of the blockchain private chain network system, and performs multi-verifier user consensus trust based on the edge devices. Multiple verifier nodes thus jointly provide the authentication and trust capability, which improves the security level of user authentication and trust and turns the authentication process into traceable authentication based on the blockchain ledger. At the same time, the edge devices host the verifier nodes that take part in the authentication process, which can improve the overall security level of the edge network. POA is a consensus mechanism in blockchain technology in which identity authority is the basis for acting as a verifier and participating in blockchain transactions.
Fig. 1 is a schematic flow chart of an access authentication method provided in an embodiment of the present application. The execution body of this embodiment may be any verifier node in the blockchain private chain network and distributed edge system based on edge devices.
An edge device is a device deployed in the edge network of the Internet of Things and used for Internet of Things purposes such as network communication, protocol processing, data acquisition and real-time computation. The blockchain private chain network runs on the edge network, an edge system is installed on each edge device, and a plurality of edge devices act as verifier nodes that together build the blockchain private chain network and the distributed edge system.
As shown in fig. 1, the method may include:
S101, receiving a user consensus authentication request sent by an access device.
The access device sends a user consensus authentication request to the blockchain private chain network and distributed edge system based on edge devices, and a randomly selected verifier node receives it. The user consensus authentication request includes: a target consensus identity, a hash value to be authenticated of the last block in the user consensus authentication ledger, and a signature to be verified, the signature to be verified being calculated based on the target consensus identity and the hash value of the user consensus authentication ledger block.
The target consensus identity is the user's consensus identity and may be a POA identity string code, that is, a character string of a certain complexity composed of letters, digits and special characters. Depending on the security requirement, the string code may be used in plaintext or encrypted with a private key, and its length and strength are defined by the application system.
The hash value to be authenticated of the last block in the user consensus authentication ledger is the hash value of the last block in the user consensus authentication ledger as carried in the user consensus authentication request. The verifier node may have returned this hash value to the access device after the previous user consensus authentication request passed authentication: when the access authentication of the previous request passes, the verifier node adds a new block, namely the last block, to the user consensus authentication ledger it maintains, records the access authentication result in that block, and returns the hash value of that block to the access device.
S102, performing identity authentication according to the target consensus identity to obtain an identity authentication result.
The identity authentication result is either authentication passed or authentication failed. The target consensus identity is authenticated against a plurality of preset consensus identities: if the target consensus identity is one of the preset consensus identities, the identity authentication result is authentication passed; if it is not, the identity authentication result is authentication failed. The preset consensus identities are valid identities registered in advance; they are stored locally on the edge device or may be stored in a third-party database, which is not specifically limited in this embodiment.
Each edge device can register preset consensus identities in advance as the user identities used for user authentication.
It is worth noting that the verifier node may use a user consensus smart contract to authenticate the target consensus identity. The user consensus smart contract complies with the POA blockchain specification, and the specific contract content is implemented according to business rules.
And S103, if the identity authentication result is authentication passing, carrying out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block respectively to obtain a first block authentication result and a first signature authentication result.
And if the identity authentication result is authentication passing, carrying out consistency authentication on the hash value to be authenticated of the last block to obtain a first block authentication result, and carrying out authentication on the signature to be authenticated to obtain a first signature authentication result.
The verifier node can acquire an actual hash value of a last block in a user consensus authentication account book maintained by the verifier node, perform consistency authentication on a hash value to be authenticated of the last block according to the actual hash value to obtain a first block authentication result, if the actual hash value is consistent with the hash value to be authenticated of the last block, the first block authentication result is authentication passing, and if the actual hash value is inconsistent with the hash value to be authenticated of the last block, the first block authentication result is authentication failing.
The verifier node can also adopt a preset consensus authentication signature algorithm, calculate a target signature according to the target consensus identity and the hash value of the last block in the user consensus authentication account book, and perform consistency authentication on the signature to be authenticated according to the target signature, if the target signature is consistent with the signature to be authenticated, the authentication result of the first signature is authentication passing, and if the target signature is inconsistent with the signature to be authenticated, the authentication result of the first signature is authentication failing. The preset consensus authentication signature algorithm may be, for example, SHA256 or a private key signature algorithm.
S104: broadcast the user consensus authentication request to the other verifier nodes in the blockchain private chain network and the distributed edge system, so that the other verifier nodes each perform consistency authentication on the to-be-authenticated hash value of the last block and on the to-be-authenticated signature, to obtain a second block authentication result and a second signature authentication result.
The user consensus authentication request is broadcast to the other verifier nodes in the blockchain private chain network and the distributed edge system. Each of the other verifier nodes can perform consistency authentication on the to-be-authenticated hash value of the last block to obtain a second block authentication result, and on the to-be-authenticated signature to obtain a second signature authentication result.
Each of the other verifier nodes can obtain the actual hash value of the last block in the user consensus authentication ledger that it maintains, and use that actual hash value to perform consistency authentication on the to-be-authenticated hash value of the last block, which gives the second block authentication result. If the actual hash value is consistent with the to-be-authenticated hash value of the last block, the second block authentication result is a pass; if the two are inconsistent, the second block authentication result is a failure.
The other verifier nodes can also use the preset consensus authentication signature algorithm to calculate a target signature from the target consensus identity and the hash value of the last block in the user consensus authentication ledger, and then perform consistency authentication on the to-be-authenticated signature against the target signature. If the target signature is consistent with the to-be-authenticated signature, the second signature authentication result is a pass; if the two are inconsistent, the second signature authentication result is a failure.
S105: obtain an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result.
A block authentication result is obtained from the first block authentication result and the second block authentication result, and a signature authentication result is obtained from the first signature authentication result and the second signature authentication result. If a preset number of the first and second block authentication results are passes, the block authentication result is a pass; if a preset number of the first and second signature authentication results are passes, the signature authentication result is a pass.
The preset number may be, for example, more than half.
The access authentication result is then obtained from the block authentication result and the signature authentication result: if both are passes, the access authentication result is a pass; if at least one of them is a failure, the access authentication result is a failure.
S106: send the access authentication result to the access device.
The access authentication result is sent to the access device. If the target identity authentication result is that identity authentication passed, the access device can access the edge system; if the target identity authentication result is that identity authentication did not pass, the access device cannot access any edge device in the blockchain private chain network system.
In this embodiment, multiple verifier nodes perform authentication together, which raises the security level of user authentication and authorization. The authentication process becomes traceable authentication based on the blockchain ledger, and because the edge devices themselves host the verifier nodes that take part in authentication, the overall security level of the edge network can be improved.
Fig. 2 is a second flowchart of the access authentication method provided in the embodiment of the present application. As shown in Fig. 2, in an alternative implementation the method may further include:
S201: if the access authentication result is a pass, add a new last block to the user consensus authentication ledger maintained by the verifier node, and record the access authentication result in that newly added last block.
If the access authentication result is a pass, a new last block is added to the user consensus authentication ledger maintained by the verifier node, and the access authentication result is recorded in that newly added last block. The user consensus authentication ledger can be understood as a ledger of user consensus authentication transactions and as a consensus authentication credential.
Of course, the block authentication result and the signature authentication result may also be recorded in the newly added last block of the maintained user consensus authentication ledger, forming a chained record.
S202: broadcast the access authentication result to the other verifier nodes, so that each of the other verifier nodes adds a new last block to the user consensus authentication ledger that it maintains and records the access authentication result in that newly added last block.
Each verifier node independently maintains a user consensus authentication ledger. When authentication passes, the access authentication result is broadcast to the other verifier nodes, and each of the other verifier nodes adds a new last block to the user consensus authentication ledger that it maintains and records the access authentication result in that newly added last block.
It should be noted that the number of blocks in the user consensus authentication ledger maintained by each verifier node is identical, and the hash value of each block is identical. That is, the hash value of the last block in the user consensus authentication ledger maintained by the verifier node is identical to the hash value of the last block in the ledgers maintained by the other verifier nodes.
Of course, the other verifier nodes can also record the block authentication result and the signature authentication result in the newly added last block of the user consensus authentication ledger that they maintain, forming a chained record.
S203: send the hash value of the newly added last block in the user consensus authentication ledger maintained by the verifier node to the access device.
The hash value of the newly added last block in the user consensus authentication ledger maintained by the verifier node is sent to the access device, so that the access device carries it as the to-be-authenticated hash value the next time it initiates a user consensus authentication request.
In this embodiment, the authentication process becomes traceable authentication based on the blockchain ledger.
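The following Python sketch is an added example, not code from the patent. It walks steps S103 to S105 and S201 to S203 with three in-memory verifier nodes, using SHA256 (the page's example algorithm) for the signature and "more than half" as the preset number. The block layout, the JSON encoding and all class and function names are assumptions, and identity authentication (S102) is assumed to have already passed.

```python
import hashlib
import hmac
import json


def block_hash(block: dict) -> str:
    """SHA-256 over a canonical JSON encoding of a block (block layout is an assumption)."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def consensus_signature(identity: str, last_hash: str) -> str:
    """Target signature over identity + last block hash (SHA256 is the page's example)."""
    return hashlib.sha256(json.dumps([identity, last_hash]).encode()).hexdigest()


def same(a: str, b: str) -> bool:
    """Constant-time consistency check on two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class Verifier:
    """One verifier node with its own copy of the user consensus authentication ledger."""

    def __init__(self, name: str):
        self.name = name
        self.ledger = [{"index": 0, "prev_hash": "0" * 64, "record": {}}]  # genesis block

    def last_hash(self) -> str:
        return block_hash(self.ledger[-1])

    def check(self, req: dict) -> tuple:
        """S103/S104: return (block authentication result, signature authentication result)."""
        actual = self.last_hash()
        block_ok = same(actual, req["last_hash"])
        sig_ok = same(consensus_signature(req["identity"], actual), req["signature"])
        return block_ok, sig_ok

    def append(self, record: dict) -> None:
        """S201/S202: add a new last block that chains to the previous one."""
        self.ledger.append({"index": len(self.ledger),
                            "prev_hash": self.last_hash(),
                            "record": dict(record)})


def reaches_quorum(results: list) -> bool:
    """Preset number = more than half of all verifier results."""
    return 2 * sum(results) > len(results)


def authenticate(receiver: Verifier, others: list, req: dict) -> tuple:
    """S103-S105, then S201-S203 on a pass. Returns (passed, new last-block hash or None)."""
    results = [receiver.check(req)] + [v.check(req) for v in others]
    block_ok = reaches_quorum([r[0] for r in results])
    sig_ok = reaches_quorum([r[1] for r in results])
    passed = block_ok and sig_ok
    if not passed:
        return False, None
    record = {"identity": req["identity"], "result": "pass",
              "block_ok": block_ok, "sig_ok": sig_ok}
    for node in [receiver] + others:
        node.append(record)
    return True, receiver.last_hash()  # S203: hash the client carries next time


def make_request(identity: str, last_hash: str) -> dict:
    """What the access device sends (field names are assumptions)."""
    return {"identity": identity, "last_hash": last_hash,
            "signature": consensus_signature(identity, last_hash)}


def demo() -> dict:
    nodes = [Verifier(f"verifier{i}") for i in (1, 2, 3)]
    req1 = make_request("user-001", nodes[0].last_hash())   # constructed sample request
    first, h1 = authenticate(nodes[0], nodes[1:], req1)
    replay, _ = authenticate(nodes[0], nodes[1:], req1)      # stale hash: ledger head moved
    nxt, h2 = authenticate(nodes[0], nodes[1:], make_request("user-001", h1))
    nodes[2].ledger[-1]["record"]["result"] = "tampered"     # one ledger copy diverges
    outvoted, _ = authenticate(nodes[0], nodes[1:], make_request("user-001", h2))
    return {"first": first, "replay": replay, "next": nxt, "outvoted": outvoted,
            "heights": [len(n.ledger) for n in nodes],
            "in_sync": nodes[0].last_hash() == nodes[1].last_hash(),
            "diverged": nodes[2].last_hash() != nodes[0].last_hash()}


if __name__ == "__main__":
    print(demo())
```

The replayed request fails on every node because the ledger head moved after the first pass, which is why S203 returns the new last-block hash to the access device. The node whose ledger copy was altered fails both of its checks but is outvoted by the other two.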
In some embodiments, if the access authentication result is a failure, the verifier node may record a "user trust not passed" state according to the user consensus smart contract. If the number of times that user trust is not passed reaches a preset threshold, the user's credit line is insufficient and the user is notified as being a non-trusted user; a non-trusted user can no longer access the edge devices and the edge system in the edge network.
It should be noted that the credit line complies with the POA blockchain specification. To access the system a user must keep a non-negative credit line; a user with a negative credit line loses the right to access the system, and recovery of the credit line depends on the system management flow.
Fig. 3 is a third flowchart of the access authentication method provided in the present application. As shown in Fig. 3, in an optional implementation, step S102 (performing identity authentication according to the target consensus identity to obtain an identity authentication result) may include:
S301: perform validity authentication on the target consensus identity to obtain an identity authentication result.
The target consensus identity is authenticated against the preset valid consensus identities by comparing whether a preset valid consensus identity is consistent with the target consensus identity. If the target consensus identity belongs to the preset valid consensus identities, the identity authentication result is a pass; if it does not, the identity authentication result is a failure.
It should be noted that, if the target consensus identity is an identity encrypted with a private key, it may be decrypted with the public key and then compared with the preset valid consensus identities.
S302: perform validity authentication on the user information corresponding to the target consensus identity to obtain a user information authentication result.
The identity and the user information have a corresponding relationship. The user information corresponding to the target identity is queried and compared to obtain the user information authentication result: if the user information corresponding to the target identity belongs to the preset valid user information, the user information authentication result is a pass; if the target identity does not belong to the preset valid user information, the user information authentication result is a failure.
S303: obtain an identity authentication result according to the identity authentication result and the user information authentication result.
If the identity authentication result and the user information authentication result are both passes, the first identity authentication result is that identity authentication passed; if at least one of them is a failure, the first identity authentication result is that identity authentication failed.
In this embodiment, validity authentication is performed on both the target consensus identity and the user information, which makes the consensus authentication more comprehensive and raises the security level of user authentication and authorization.
In an optional embodiment, the user consensus authentication request further includes first timestamp information, which is the timestamp of the user consensus authentication request. Fig. 4 is a flowchart of the access authentication method provided in an embodiment of the present application. As shown in Fig. 4, the method may further include:
S401: obtain second timestamp information of the previous user consensus authentication request according to the target consensus identity.
The previous user consensus authentication request includes the target consensus identity, and is the most recently received user consensus authentication request.
The timestamp information of every user consensus authentication request initiated with the target consensus identity is stored in advance. The second timestamp information, that is, the timestamp of the user consensus authentication request most recently received by the verifier node for that identity, is looked up by the target consensus identity.
S402: determine the first session request interval duration according to the first timestamp information and the second timestamp information.
S403: perform validity authentication on the first session request interval duration to obtain a session authentication result.
The time interval between the first timestamp information and the second timestamp information is taken as the session request interval duration; this is the session request interval duration determined by the verifier node.
If the session request interval duration exceeds the preset interval duration, the session authentication result is a pass; if it does not exceed the preset interval duration, the session authentication result is a failure. The preset interval duration may be, for example, 30 minutes.
It should be noted that the verifier node may use a user consensus smart contract to perform validity authentication on the session request interval duration.
In this case the signature to be verified is calculated from the target consensus identity, the hash value of the last block in the user consensus authentication ledger and the first timestamp information. The verifier node can then calculate a target signature from the same three values and perform consistency verification on the signature to be verified against the target signature to obtain the first signature authentication result. The second signature authentication result is obtained in a similar manner.
Step S103 (if the identity authentication result is a pass, performing consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, to obtain a first block authentication result and a first signature authentication result) then includes:
S404: if the identity authentication result and the session authentication result are both passes, perform consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In this embodiment, an identity that repeatedly initiates user identity authentication requests within the effective duration may have been stolen, so repeated login is not allowed. Session authentication can therefore prevent illegal users from stealing information, and raises the security level of user authentication and authorization.
In an optional embodiment, the user consensus authentication request further includes verification code information. Fig. 5 is a fifth flowchart of the access authentication method according to an embodiment of the present application. As shown in Fig. 5, the method may further include:
S501: perform consistency authentication on the verification code information, and perform validity authentication on the verification code information according to the first timestamp information, to obtain a verification code authentication result.
The verifier node may send target verification code information, which may be a dynamic verification code, to the access device. The verifier node then receives the user consensus authentication request sent by the access device, which includes the verification code information, and performs consistency authentication on that verification code information against the target verification code information. If the target verification code information is consistent with the verification code information, the check passes; if they are inconsistent, the check fails.
Validity authentication of the verification code information uses the timestamp of the target verification code information and the first timestamp information. The time interval between the two is calculated: if it exceeds a preset valid time interval, the verification code information was not sent within its validity period and authentication fails; if it does not exceed the preset valid time interval, the verification code information was sent within its validity period and authentication passes.
If both the consistency check and the validity check of the verification code pass, the verification code authentication result is a pass; if at least one of them fails, the verification code authentication result is a failure.
The first timestamp information and the verification code information can together form one-time password (One Time Password, OTP) information. The first timestamp information is used when the user consensus authentication request is verified, and the verification code information is automatically generated and maintained by the system.
In this case the signature to be verified is calculated from the target consensus identity, the hash value of the last block in the user consensus authentication ledger, the first timestamp information and the verification code information. The verifier node can then calculate a target signature from the same four values and perform consistency verification on the signature to be verified against the target signature to obtain the first signature authentication result. The second signature authentication result is obtained in a similar manner.
Step S404 (if the identity authentication result and the session authentication result are both passes, performing consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, to obtain a first block authentication result and a first signature authentication result) may include:
S502: if the identity authentication result, the session authentication result and the verification code authentication result are all passes, perform consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In this embodiment, consistency authentication and validity authentication are performed on the verification code information, which makes the consensus authentication more comprehensive, ensures access security, and raises the security level of user authentication and authorization.
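The session check (S401 to S403) and the verification code check (S501) that gate S502 can be sketched as follows. This is an added Python example, not code from the patent: the 30-minute interval is the page's example value, while the 120-second code lifetime, the six-digit code format, the treatment of a first-ever request, the rejection of timestamps earlier than code issuance, consuming a code on first use, and all names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SESSION_MIN_INTERVAL = 30 * 60  # preset interval duration: 30 minutes (page's example)
CODE_VALID_INTERVAL = 120       # preset valid time interval in seconds (assumed value)


@dataclass
class VerifierState:
    """Per-verifier state, keyed by target consensus identity (structure is an assumption)."""
    last_request_ts: dict = field(default_factory=dict)  # identity -> second timestamp
    issued_codes: dict = field(default_factory=dict)     # identity -> (target code, issued ts)

    def issue_code(self, identity: str, now: int) -> str:
        """Generate the target verification code that is sent to the access device."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued_codes[identity] = (code, now)
        return code


def session_check(state: VerifierState, identity: str, first_ts: int) -> bool:
    """S401-S403: pass only if the interval since the previous request exceeds the preset."""
    second_ts = state.last_request_ts.get(identity)
    if second_ts is None:
        return True  # assumption: nothing to compare against on the first request
    return (first_ts - second_ts) > SESSION_MIN_INTERVAL


def code_check(state: VerifierState, identity: str, code: str, first_ts: int) -> bool:
    """S501: consistency with the target code, plus validity against its timestamp."""
    entry = state.issued_codes.pop(identity, None)  # assumption: a code is consumed on use
    if entry is None:
        return False
    target, issued_ts = entry
    consistent = hmac.compare_digest(target.encode(), code.encode())
    interval = first_ts - issued_ts
    # Page: fail if the interval exceeds the preset valid interval.
    # Assumption: a request timestamp earlier than issuance is also rejected.
    valid = 0 <= interval <= CODE_VALID_INTERVAL
    return consistent and valid


def pre_checks(state: VerifierState, identity: str, code: str, first_ts: int,
               identity_ok: bool = True) -> dict:
    """S502 gate: block and signature checks run only if every result here is a pass."""
    result = {
        "identity": identity_ok,  # outcome of S102, supplied by the caller
        "session": session_check(state, identity, first_ts),
        "code": code_check(state, identity, code, first_ts),
    }
    # The page stores the timestamp of every request initiated with the identity.
    state.last_request_ts[identity] = first_ts
    result["proceed"] = all(result.values())
    return result


if __name__ == "__main__":
    state = VerifierState()
    user = "user-001"  # constructed sample identity
    code = state.issue_code(user, now=1000)
    print(pre_checks(state, user, code, first_ts=1060))   # first request: proceeds
    code = state.issue_code(user, now=1600)
    print(pre_checks(state, user, code, first_ts=1660))   # 10 minutes later: session fails
```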
In an optional embodiment, the user consensus authentication request further includes address information of the access device. Fig. 6 is a sixth flowchart of the access authentication method according to an embodiment of the present application. As shown in Fig. 6, the method may further include:
S601: perform validity authentication on the address information of the access device to obtain a first address authentication result.
The address information of the access device may be a media access control address (Media Access Control Address, MAC) or an internet protocol address (Internet Protocol Address, IP).
Validity authentication is performed on the address information of the access device against preset legal address information to obtain the first address authentication result. If the address information of the access device is consistent with the preset legal address information, the first address authentication result is that address authentication passed; if it is inconsistent, the first address authentication result is that address authentication failed.
The verifier node can register the preset legal address information to form a whitelist of authentication consensus nodes, and can verify the validity of the access device's address information by comparing it against the whitelist.
Step S103 (if the identity authentication result is a pass, performing consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, to obtain a first block authentication result and a first signature authentication result) may include:
S602: if the identity authentication result and the address authentication result are both passes, perform consistency authentication on the to-be-authenticated hash value of the last block and on the signature to be verified, respectively, to obtain the first block authentication result and the first signature authentication result.
In this case the signature to be verified is calculated from the target consensus identity, the hash value of the last block in the user consensus authentication ledger and the address information of the access device. The verifier node can calculate a target signature from the same three values and perform consistency verification on the signature to be verified against the target signature to obtain the first signature authentication result. The second signature authentication result is obtained in a similar manner.
In some embodiments, the signature to be verified is calculated from the target consensus identity, the hash value of the last block in the user consensus authentication ledger, the first timestamp information, the verification code information and the address information of the access device. The verifier node may then calculate the target signature from the same five values and perform consistency verification on the signature to be verified against the target signature to obtain the first signature authentication result.
In this embodiment, the legitimacy of the access device is authenticated, which makes the consensus authentication more comprehensive, ensures access security, prevents access by illegal users, and raises the security level of user authentication and authorization.
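The whitelist comparison of S601 and the five-field signature described above can be sketched as follows. This is an added Python example, not code from the patent: the page does not say how the fields are combined before hashing, so the length-prefixed encoding (chosen so that field boundaries are unambiguous), the address normalisation, the sample whitelist entries and all function and field names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_address(addr: str):
    """Return a canonical IP or MAC string, or None if the value is neither."""
    addr = addr.strip()
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        pass
    mac = addr.lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


# Preset legal address information registered on the verifier (constructed sample values).
WHITELIST = {normalise_address(a) for a in ("192.0.2.10", "02:00:00:AA:BB:01")}


def address_check(addr: str) -> bool:
    """S601: compare the access device's address against the whitelist."""
    canon = normalise_address(addr)
    return canon is not None and canon in WHITELIST


def encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so ('ab', 'c') and ('a', 'bc') encode differently."""
    out = b""
    for value in fields:
        raw = value.encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def full_signature(identity: str, last_hash: str, first_ts: int,
                   code: str, address: str) -> str:
    """Signature over all five fields, with SHA256 (the page's example algorithm)."""
    data = encode_fields(identity, last_hash, str(first_ts), code, address)
    return hashlib.sha256(data).hexdigest()


def build_request(identity: str, last_hash: str, first_ts: int,
                  code: str, address: str) -> dict:
    """What the access device sends (field names are assumptions)."""
    return {"identity": identity, "last_hash": last_hash, "first_ts": first_ts,
            "code": code, "address": address,
            "signature": full_signature(identity, last_hash, first_ts, code, address)}


def verify_request(req: dict, ledger_last_hash: str) -> dict:
    """S602: the signature is checked only after the address check has passed."""
    if not address_check(req["address"]):
        return {"address": False, "signature": None, "proceed": False}
    target = full_signature(req["identity"], ledger_last_hash, req["first_ts"],
                            req["code"], req["address"])
    sig_ok = hmac.compare_digest(target.encode(), req["signature"].encode())
    return {"address": True, "signature": sig_ok, "proceed": sig_ok}


if __name__ == "__main__":
    head = "ab" * 32  # constructed stand-in for the verifier's last block hash
    req = build_request("user-001", head, 1700000000, "123456", "02-00-00-AA-BB-01")
    print(verify_request(req, head))
    # Same request with the address swapped for another whitelisted one after signing.
    print(verify_request(dict(req, address="192.0.2.10"), head))
```

Because the address is one of the signed fields, replacing it with a different whitelisted address after signing passes the whitelist comparison but fails the signature consistency check.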
Based on the above embodiments, Fig. 7 is a schematic diagram of the blockchain private chain network system provided in the embodiment of the present application. As shown in Fig. 7, at least 3 edge devices form an edge network structure. The edge devices, acting respectively as verifier 1, verifier 2 … verifier X, participate in building the blockchain private chain network and the distributed edge system, using the POA algorithm as the consensus algorithm. The edge device is provided with an edge system.
Verifier 1 receives a user consensus authentication request sent by client 1. The request includes: the target consensus identity, the first timestamp information of the user consensus authentication request, the verification code information, the address information of the access device, the to-be-authenticated hash value of the last block in the user consensus authentication ledger, and the to-be-authenticated signature over the information carried in the user consensus authentication request.
Verifier 1 performs consensus authentication according to the user consensus authentication request and broadcasts the request to verifier 2 … verifier X, so that verifier 2 … verifier X each perform consensus authentication on the request. If all the verifiers pass the authentication, every verifier updates the user consensus authentication ledger that it maintains with the newly added last block, and client 1 can access the edge system normally; that is, client 1 is a legal user.
Similarly, verifier 1 receives the user consensus authentication request sent by client 2, performs consensus authentication, and broadcasts the user consensus authentication request to the verifier 1 and the verifier … …. If the authentication is not passed, the client's access to the edge system is illegitimate; that is, client 2 is an illegal user.
In this embodiment, the user consensus authentication and authorization method lets the edge device implement a convenient and simple user authentication function, and adding the security mechanism of blockchain POA yields a user authentication function with higher security. Protection of user and system authentication and authorization information against tampering and attack changes from a single local protection mode to multi-node blockchain protection, which can greatly improve the security level of the system. At the same time, the POA identity serial code replaces a local user password, which reduces the amount of information and input required at system login and makes login more convenient.
Based on the same inventive concept, the embodiment of the present application further provides a consensus authentication device corresponding to the consensus authentication method. Because the principle by which the device solves the problem is similar to that of the foregoing consensus authentication method, the implementation of the device may refer to the implementation of the method, and repeated description is omitted.
Fig. 8 is a schematic structural diagram of an access authentication apparatus provided in an embodiment of the present application, where the apparatus may be integrated in an edge device. As shown in fig. 8, the apparatus may include:
the receiving module 701 is configured to receive a user consensus authentication request sent by an access device, where the user consensus authentication request includes: a target consensus identity, the to-be-authenticated hash value of the last block in the user consensus authentication ledger, and a signature to be verified, where the signature to be verified is calculated based on the target consensus identity and the hash value of the block in the user consensus authentication ledger;
The authentication module 702 is configured to perform identity authentication according to the target consensus identity, and obtain an identity authentication result;
the authentication module 702 is further configured to, if the identity authentication result is authentication pass, perform consistency authentication on the hash value to be authenticated and the signature to be verified of the last block, to obtain a first block authentication result and a first signature authentication result;
a broadcasting module 703, configured to broadcast a user consensus authentication request to other verifier nodes in the blockchain private chain network and the distributed edge system, so that the other verifier nodes perform consistent authentication on the hash value to be authenticated and the signature to be authenticated of the last block, respectively, to obtain a second block authentication result and a second signature authentication result;
an obtaining module 704, configured to obtain an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result, and the second signature authentication result;
a sending module 705, configured to send an access authentication result to the access device.
In an alternative embodiment, the apparatus further comprises:
a new adding module 706, configured to add a last block to the user consensus authentication ledger maintained by the verifier node if the access authentication result is authentication pass, and record the access authentication result in the last block added to the user consensus authentication ledger maintained by the verifier node;
The broadcasting module 703 is further configured to broadcast the access authentication result to other verifier nodes, so that the other verifier nodes respectively add a last block in the user consensus authentication ledger maintained by each verifier node, and record the access authentication result in the last block added in the user consensus authentication ledger maintained by the other verifier nodes respectively;
the sending module 705 is further configured to send, to the access device, a hash value of a last block newly added in the user consensus authentication ledger maintained by the verifier node.
In an alternative embodiment, the authentication module 702 is specifically configured to:
carrying out validity authentication on the target consensus identity to obtain an identity authentication result;
carrying out validity authentication on the user information corresponding to the target consensus identity to obtain a user information authentication result;
and obtaining an identity authentication result according to the identity authentication result and the user information authentication result.
In an optional embodiment, the user consensus authentication request further includes: first timestamp information of the user consensus authentication request; the obtaining module 704 is further configured to:
according to the target consensus identity, obtaining second time stamp information of a last user consensus authentication request, wherein the last user consensus authentication request comprises: a target consensus identity;
The obtaining module 704 is further configured to determine a session request interval duration according to the first timestamp information and the second timestamp information;
the authentication module 702 is further configured to perform validity authentication on the session request interval duration, and obtain a session authentication result;
the authentication module 702 is specifically configured to:
and if the identity authentication result and the session authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be verified of the last block to obtain a first block authentication result and a first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes: verification code information; authentication module 702 is further configured to:
consistency authentication is carried out on the verification code information, validity authentication is carried out on the verification code information according to the first time stamp information, and a verification code authentication result is obtained;
the authentication module 702 is specifically configured to:
and if the identity authentication result, the session authentication result and the verification code authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain a first block authentication result and a first signature authentication result.
In an optional embodiment, the user consensus authentication request further includes: address information of the access device; the authentication module 702 is further configured to:
performing validity authentication on the address information of the access equipment to obtain an address authentication result;
the authentication module 702 is specifically configured to:
and if the identity authentication result and the address authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be verified of the last block to obtain a first block authentication result and a first signature authentication result.
In an alternative embodiment, the authentication module 702 is specifically configured to:
acquiring an actual hash value of a last block in a user consensus authentication account book maintained by a verifier node;
consistency authentication is carried out on the hash value to be authenticated of the last block according to the actual hash value, and a first block authentication result is obtained;
calculating a target signature according to the target consensus identity and the hash value of the user consensus authentication account block;
and carrying out consistency authentication on the signature to be verified according to the target signature to obtain a first signature authentication result.
The process flow of each module in the apparatus and the interaction flow between the modules may be described with reference to the related descriptions in the above method embodiments, which are not described in detail herein.
Fig. 9 is a schematic structural diagram of an edge device according to an embodiment of the present application, as shown in fig. 9, where the device may include: a processor 801, a memory 802, and a bus 803, the memory 802 storing machine-readable instructions executable by the processor 801, the processor 801 executing machine-readable instructions to perform the above-described method when the edge device is running, the processor 801 communicating with the memory 802 via the bus 803.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the above-described method.
In the embodiments of the present application, the computer program may also execute other machine readable instructions when executed by a processor to perform the methods as described in other embodiments, and the specific implementation of the method steps and principles are referred to in the description of the embodiments and are not described in detail herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments provided in the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
It should be noted that: like reference numerals and letters in the following figures denote like items, and thus once an item is defined in one figure, no further definition or explanation of it is required in the following figures, and furthermore, the terms "first," "second," "third," etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the foregoing examples are merely specific embodiments of the present application and are not intended to limit its scope. Although the foregoing examples are described in detail, any person skilled in the art may, within the technical scope disclosed in the present application, modify or readily conceive of changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the corresponding technical solutions, and are intended to be encompassed within the scope of this application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An access authentication method applied to any one verifier node of a blockchain private chain network and a distributed edge system based on an edge device, the method comprising:
receiving a user consensus authentication request sent by an access device, wherein the user consensus authentication request comprises: a target consensus identity, a hash value to be authenticated of a last block in a user consensus authentication account book, and a signature to be verified, wherein the signature to be verified is obtained by calculation based on the target consensus identity and the hash value of the last block in the user consensus authentication account book;
carrying out identity authentication according to the target consensus identity to obtain an identity authentication result;
if the identity authentication result is authentication passing, carrying out consistency authentication on the hash value to be authenticated of the last block and the signature to be authenticated respectively to obtain a first block authentication result and a first signature authentication result;
broadcasting the user consensus authentication request to other verifier nodes in the block chain private chain network and the distributed edge system, so that the other verifier nodes respectively carry out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain a second block authentication result and a second signature authentication result;
obtaining an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result;
and sending the access authentication result to the access equipment.
2. The method according to claim 1, wherein the method further comprises:
if the access authentication result is authentication passing, a last block is newly added in a user consensus authentication account maintained by the verifier node, and the access authentication result is recorded in the newly added last block in the user consensus authentication account maintained by the verifier node;
broadcasting the access authentication result to the other verifier nodes, so that the other verifier nodes respectively add a last block in the user consensus authentication account book maintained by each other, and recording the access authentication result in the last block added in the user consensus authentication account book maintained by the other verifier nodes respectively;
and sending the hash value of the newly added last block in the user consensus authentication account book maintained by the verifier node to the access equipment.
3. The method of claim 1, wherein the step of performing identity authentication according to the target consensus identity to obtain an identity authentication result comprises:
carrying out validity authentication on the target consensus identity to obtain an identity authentication result;
performing validity authentication on the user information corresponding to the target consensus identity to obtain a user information authentication result;
and obtaining the identity authentication result according to the identity authentication result and the user information authentication result.
4. The method of claim 1, wherein the user consensus authentication request further comprises: first timestamp information of the user consensus authentication request, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication account book and the first timestamp information; the method further comprises:
according to the target consensus identity, second timestamp information of a last user consensus authentication request is obtained, wherein the last user consensus authentication request comprises: the target consensus identity;
determining the interval duration of the session request according to the first timestamp information and the second timestamp information;
performing validity authentication on the session request interval duration to obtain a session authentication result;
wherein, if the identity authentication result is authentication passing, performing consistency authentication on the hash value to be authenticated of the last block and the signature to be authenticated to obtain a first block authentication result and a first signature authentication result comprises:
if the identity authentication result and the session authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain a first block authentication result and a first signature authentication result.
5. The method of claim 4, wherein the user consensus authentication request further comprises: verification code information, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication account book, the first timestamp information and the verification code information; the method further comprises:
consistency authentication is carried out on the verification code information, validity authentication is carried out on the verification code information according to the first timestamp information, and a verification code authentication result is obtained;
if the identity authentication result and the session authentication result are authentication passing, performing consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block respectively to obtain a first block authentication result and a first signature authentication result, including:
if the identity authentication result, the session authentication result and the verification code authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain the first block authentication result and the first signature authentication result.
6. The method of claim 1, wherein the user consensus authentication request further comprises: address information of the access equipment, and the signature to be verified is calculated based on the target consensus identity, the hash value of the last block in the user consensus authentication ledger and the address information of the access equipment; the method further comprises:
performing validity authentication on the address information of the access equipment to obtain an address authentication result;
wherein, if the identity authentication result is authentication passing, performing consistency authentication on the hash value to be authenticated of the last block and the signature to be authenticated to obtain a first block authentication result and a first signature authentication result comprises:
if the identity authentication result and the address authentication result are authentication passing, respectively carrying out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain the first block authentication result and the first signature authentication result.
7. The method according to any one of claims 1-6, wherein performing consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain a first block authentication result and a first signature authentication result, respectively, includes:
acquiring an actual hash value of a last block in a user consensus authentication account book maintained by the verifier node;
consistency authentication is carried out on the hash value to be authenticated of the last block according to the actual hash value, and the authentication result of the first block is obtained;
calculating a target signature according to the target consensus identity and the hash value of the user consensus authentication account block;
and carrying out consistency authentication on the signature to be verified according to the target signature to obtain the first signature authentication result.
8. An access authentication apparatus, comprising:
the receiving module is used for receiving a user consensus authentication request sent by the access equipment, wherein the user consensus authentication request comprises: a target consensus identity, a hash value to be authenticated of a last block in a user consensus authentication account book, and a signature to be verified, wherein the signature to be verified is calculated based on the target consensus identity and the hash value of the user consensus authentication account book block;
the authentication module is used for carrying out identity authentication according to the target consensus identity to obtain an identity authentication result;
the authentication module is further configured to, if the identity authentication result is authentication pass, perform consistency authentication on the hash value to be authenticated of the last block and the signature to be authenticated, to obtain a first block authentication result and a first signature authentication result;
the broadcasting module is used for broadcasting the user consensus authentication request to other verifier nodes in a block chain private chain network and a distributed edge system, so that the other verifier nodes respectively carry out consistency authentication on the hash value to be authenticated and the signature to be authenticated of the last block to obtain a second block authentication result and a second signature authentication result;
the acquisition module is used for acquiring an access authentication result according to the first block authentication result, the first signature authentication result, the second block authentication result and the second signature authentication result;
and the sending module is used for sending the access authentication result to the access equipment.
9. An edge device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor in communication with the memory over the bus when the edge device is running, the processor executing the machine-readable instructions to perform the method of any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the method of any of claims 1 to 7.
CN202311746567.9A 2023-12-18 2023-12-18 Access authentication method, device, edge device and storage medium Pending CN117768170A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311746567.9A CN117768170A (en) 2023-12-18 2023-12-18 Access authentication method, device, edge device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311746567.9A CN117768170A (en) 2023-12-18 2023-12-18 Access authentication method, device, edge device and storage medium

Publications (1)

Publication Number Publication Date
CN117768170A true CN117768170A (en) 2024-03-26

Family

ID=90324876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311746567.9A Pending CN117768170A (en) 2023-12-18 2023-12-18 Access authentication method, device, edge device and storage medium

Country Status (1)

Country Link
CN (1) CN117768170A (en)

Similar Documents

Publication Publication Date Title
CN106878318B (en) Block chain real-time polling cloud system
CN112311735B (en) Credible authentication method, network equipment, system and storage medium
US8627424B1 (en) Device bound OTP generation
US7793340B2 (en) Cryptographic binding of authentication schemes
US8196186B2 (en) Security architecture for peer-to-peer storage system
JP6574168B2 (en) Terminal identification method, and method, system, and apparatus for registering machine identification code
CN110177124B (en) Identity authentication method based on block chain and related equipment
US20190141048A1 (en) Blockchain identification system
CN108880822A (en) A kind of identity identifying method, device, system and a kind of intelligent wireless device
CN114008968A (en) System, method and storage medium for license authorization in a computing environment
EP3966997B1 (en) Methods and devices for public key management using a blockchain
KR20190114433A (en) Method for oauth service through blockchain, and terminal and server using the same
KR20190114432A (en) Method for oauth service through blockchain, and terminal and server using the same
CN110225017B (en) Identity authentication method, equipment and storage medium based on alliance block chain
CN111865993B (en) Identity authentication management method, distributed system and readable storage medium
CN115378604A (en) Identity authentication method of edge computing terminal equipment based on credit value mechanism
CN116112187B (en) Remote proving method, device, equipment and readable storage medium
CN112861106A (en) Digital certificate processing method and system, electronic device and storage medium
CN112600831B (en) Network client identity authentication system and method
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
CN112039837B (en) Electronic evidence preservation method based on block chain and secret sharing
CN113569210A (en) Distributed identity authentication method, equipment access method and device
CN117376026A (en) Internet of things equipment identity authentication method and system
CN112261103A (en) Node access method and related equipment
CN110971609A (en) Anti-cloning method of DRM client certificate, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination