WO2022222722A1 - Id-pkc information processing method and apparatus, and node and storage medium - Google Patents

Abstract

Disclosed in the present application are an identity-based public key cryptograph (ID-PKC) information processing method and apparatus, and a node and a storage medium. The method comprises: a first node acquiring a first ID-PKC system public parameter and/or identity revocation list (IRL), wherein the state of the first ID-PKC system public parameter is valid, and the first node is an accounting node; and on the basis of a consensus mechanism, writing the acquired first ID-PKC system public parameter and/or IRL into a licensed distributed ledger.

Description

ID-PKC information processing method, device, node and storage medium

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based on the Chinese patent with the application number 202110419392.5 and the application date on April 19, 2021, and the Chinese patent application with the application number 202111203497.3 on October 15, 2021, and claims the priority of the Chinese patent application The entire content of the Chinese patent application is incorporated herein by reference.

technical field

The present application relates to the technical field of network security, and in particular, to an IDentity-based Public Key Cryptograph (ID-PKC, IDentity-based Public Key Cryptograph) information processing method, device, node and storage medium.

Background technique

In the ID-PKC system, there is no need to use certificates to transmit public keys, so certificates and certificate management systems are no longer relied upon. In the ID-PKC system, the public parameters of the ID-PKC system and/or the Identity Revocation List (IRL, Identity Revocation List) do not need to be encrypted for transmission, but cannot be changed during transmission. Therefore, in the related art, by using the transport layer Security (TLS) protocol to realize the security of ID-PKC system public parameters and IRL transmission.

However, when using the TLS protocol, the establishment of the TLS secure channel requires the use of certificates, that is, the boot process of the ID-PKC system actually relies on the public key infrastructure (PKI)-based public key (PKI-PKC, PKI based Public Key ) Cryptography) system, which will introduce the defects of the PKI-PKC system into the ID-PKC system.

SUMMARY OF THE INVENTION

To solve related technical problems, embodiments of the present application provide an ID-PKC information processing method, device, node, and storage medium.

The technical solutions of the embodiments of the present application are implemented as follows:

The embodiment of the present application provides an ID-PKC information processing method, which is applied to the first node and includes:

Obtain the first ID-PKC system public parameters and/or IRL; the state of the first ID-PKC system public parameters is valid; the first node is an accounting node;

Based on the consensus mechanism, the acquired first ID-PKC system public parameters and/or IRL are written into the permissioned distributed ledger.

In the above scheme, the first ID-PKC system public parameter is generated by the public parameter server (PPS, Public Key Server) of the key generation center (KGC, Key Generate Center);

The first ID-PKC system public parameter includes at least one of the following:

domain name;

blockchain name;

System public parameter status;

Hash algorithm for hiding user IDs.

In the above solution, the domain name is a name defined according to a Uniform Resource Identifier (URI) or a Uniform Resource Locator (URL), or a self-defined name.

In the above scheme, the first ID-PKC system public parameters also include:

PPS name;

Identity Management Server (IMS, Identity Management Server) name.

In the above solution, the PPS name is a name defined according to URI or URL, or a self-defined name.

In the above solution, the name is defined according to URI or URL, or is a self-defined name.

In the above scheme, the IRL is generated by the IMS of KGC;

The IRL includes at least one of the following:

domain name;

blockchain name;

A collection of revocation signs.

In the above solution, the domain name is called a name defined by URI or URL, or a self-defined name.

In the above scheme, the IRL also includes:

IMS name.

In the above solution, the IMS name is a name defined according to a URI or URL, or a self-defined name.

In the above solution, the set of revocation identifiers includes at least one of the following:

Whether the revocation identification is anonymous;

revocation of identification;

Reason for revocation.

In the above scheme, the method also includes:

Obtain the public parameters of the second ID-PKC system; the state of the public parameters of the second ID-PKC system is invalid; the public parameters of the second ID-PKC system and the public parameters of the first ID-PKC system are in addition to production time and status The other parameters are the same;

Based on the consensus mechanism, write the acquired public parameters of the second ID-PKC system into the licensed distributed ledger;

Obtain the newly generated public parameters of the third ID-PKC system; the public parameters of the third ID-PKC system are updated by the public parameters of the first ID-PKC system; the state of the public parameters of the third ID-PKC system is efficient;

Based on the consensus mechanism, the acquired public parameters of the third ID-PKC system are written into the permissioned distributed ledger.

The embodiment of the present application also provides an ID-PKC information processing method, applied to the second node, including:

Obtain the first request; the first request is used to request to obtain the public parameters of the ID-PKC system;

Query the corresponding ID-PKC system public parameters from the permissioned distributed ledger;

Return a response based on the query result.

In the above solution, when querying the corresponding ID-PKC system public parameters from the licensed distributed ledger, the method includes:

Start querying from the latest block of the permissioned distributed ledger.

In the above solution, the first request carries the domain name and the blockchain name;

Use the domain name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In the above solution, the first request also carries the PPS name;

Use the domain name and/or PPS name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In the above solution, returning a response according to the query result includes:

When the corresponding ID-PKC system public parameters are not queried, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is invalid, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is valid, the queried ID-PKC system common parameters are returned.

The embodiment of the present application also provides an ID-PKC information processing method, applied to a third node, including:

Obtain a second request; the second request is used to request to query whether the first identification has been revoked;

Query whether the first identifier has been revoked from the licensed distributed ledger; the licensed distributed ledger records the IRL;

Return a response based on the query result.

In the above solution, the second request carries the first identifier and the blockchain name; the first identifier is used to query the permissioned distributed ledger corresponding to the blockchain name.

In the above solution, the second request carries the operation result and the blockchain name after the first identifier is operated on the hash function indicated by the ID-PKC system public parameters;

Use the operation result to query the permissioned distributed ledger corresponding to the blockchain name.

In the above solution, returning a response according to the query result includes:

When it is queried that the first identification has been revoked, first information is returned; the first information indicates that the first identification has been revoked;

or,

When the first identifier is not found, second information is returned; the second information indicates that the first identifier is valid.

The embodiment of the present application also provides an ID-PKC information processing device, which is arranged on the first node and includes:

a first obtaining unit, configured to obtain a first ID-PKC system public parameter and/or an IRL; the state of the first ID-PKC system public parameter is valid; the first node is an accounting node;

The first processing unit is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into a permissioned distributed ledger based on a consensus mechanism.

The embodiment of the present application also provides an ID-PKC information processing device, including:

a second obtaining unit, configured to obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

The second processing unit is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response according to the query result.

The embodiment of the present application also provides an ID-PKC information processing device, including:

a third obtaining unit, configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

The third processing unit is configured to query whether the first identification has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response according to the query result.

The embodiment of the present application further provides a first node, including: a first communication interface and a first processor; wherein,

The first communication interface is configured to obtain the first ID-PKC system public parameters and/or IRL; the state of the first ID-PKC system public parameters is valid; the first node is an accounting node;

The first processor is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into the permissioned distributed ledger based on the consensus mechanism.

The embodiment of the present application further provides a second node, including: a second communication interface and a second processor; wherein,

The second communication interface is configured to obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

The second processor is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response through the second communication interface according to the query result.

The embodiment of the present application further provides a third node, including: a third communication interface and a third processor; wherein,

The third communication interface is configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

The third processor is configured to query whether the first identification has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response through the third communication interface according to the query result.

Embodiments of the present application further provide a first node, including: a first processor and a first memory configured to store a computer program that can be executed on the processor,

Wherein, the first processor is configured to execute the steps of any method on the first node side when running the computer program.

Embodiments of the present application further provide a second node, including: a second processor and a second memory configured to store a computer program that can be executed on the processor,

Wherein, the second processor is configured to execute the steps of any method on the second node side above when running the computer program.

Embodiments of the present application further provide a third node, including: a third processor and a third memory configured to store a computer program that can be executed on the processor,

Wherein, the third processor is configured to execute the steps of any method on the third node side when running the computer program.

Embodiments of the present application further provide a storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the steps of any method on the first node side, or implements the steps of any method on the second node side. steps, or steps of implementing any method on the third node side above.

In the ID-PKC information processing method, device, node, and storage medium provided by the embodiments of the present application, the first node obtains the first ID-PKC system public parameters and/or IRL; the state of the first ID-PKC system public parameters is: Valid; the first node is a billing node; based on a consensus mechanism, the obtained first ID-PKC system public parameters and/or IRL are written into the permissioned distributed ledger; the second node obtains the first request; the first The request is used to request to obtain the public parameters of the ID-PKC system; query the corresponding public parameters of the ID-PKC system from the licensed distributed ledger; and return a response according to the query result; the third node obtains the second request; the second request is used to request Query whether the first identifier has been revoked; query whether the first identifier has been revoked from the permission distributed ledger; record the IRL in the permission distributed ledger; and return a response according to the query result. The solution provided by the embodiments of this application is based on the permissioned distributed ledger to carry out the management of the release of ID-PKC system public parameters and the management of identification revocation. By using the permissioned distributed ledger, ID-PKC system parameters and IRL can be transferred across domains, and the identification Revocation can be queried across domains, thus realizing cross-domain secure communication without relying on the PKI-PKC system and using the ID-PKC system.

Description of drawings

1 is a schematic flowchart of a method for processing ID-PKC information according to an embodiment of the present application;

2 is a schematic flowchart of a method for processing a second ID-PKC information according to an embodiment of the present application;

3 is a schematic flowchart of a method for processing a second ID-PKC information according to an embodiment of the present application;

4 is a schematic structural diagram of a first ID-PKC information processing apparatus according to an embodiment of the present application;

5 is a schematic structural diagram of a second ID-PKC information processing apparatus according to an embodiment of the present application;

6 is a schematic structural diagram of a third ID-PKC information processing apparatus according to an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a first node according to an embodiment of the present application;

FIG. 8 is a schematic structural diagram of a second node according to an embodiment of the present application;

FIG. 9 is a schematic structural diagram of a third node according to an embodiment of the present application.

Detailed ways

The present application will be described in further detail below with reference to the embodiments.

Before describing the embodiments of the present application, let us first understand related technologies.

In the traditional certificate-based key system, the verifiable propagation of user identity and public key is realized by binding the public key and the identity in the certificate, and signed by a trusted third-party certification authority (CA, Certification Authority). Although certificate-based key systems have been widely used, there are some disadvantages:

(1) Certificates need to be exchanged in security applications;

(2) The validity of the certificate needs to be verified when using it;

(3) The issuance and management of certificates are very complicated.

In order to solve the above problems of certificate-based key systems such as PKI-PKC systems that rely on certificates and certificate management systems, Israeli cryptographer Shamir proposed the ID-PKC system in 1984, which can also be called (identity-based cryptography (IBC, Identity-Based Cryptograph) system). In the ID-PKC system, the main point is that there is no need to use the certificate to transmit the public key, but the user identification information such as name, Internet Protocol (IP) address, e-mail address, or mobile phone number is used as the identification information on behalf of the user. The public key and private key are calculated by KGC based on the system master key and user ID. Therefore, such systems no longer rely on certificates and certificate management systems (such as PKI-PKC systems), which greatly simplifies the management of cryptographic systems. complexity. While proposing the concept of ID-PKC, Shamir proposed an identity-based signature algorithm (IBS) using the RSA algorithm. However, Identity Based Encryption (IBE, Identity Based Encryption) failed to find an effective solution for a long time. It was not until 2001 that a secure IBE system was realized based on pairing on elliptic curves proposed by D.Boneh and M.Franklin. At present, the most efficient identity-based signature algorithm is the elliptic curve-based elliptic curve certificateless signature for identity-based encryption (ECCSI, The Elliptic Curve-based Certificateless Signatures for Identity-based Encryption) scheme.

The public parameters of the ID-PKC system do not need to be encrypted and transmitted, but they are required to be transmitted without any changes (that is, the integrity needs to be guaranteed), because the integrity of the public parameters is crucial to the correct use of the ID-PKC system. It is relatively easier to initialize an ID-PKC system within a domain than across domains, and users within a domain can securely (eg, by offline methods) obtain the user's private key and the public parameters of the ID-PKC system. The security of user private key and public parameter transmission of ID-PKC system can be realized by using Transport Layer Security (TLS) protocol, that is, a TLS secure channel is established between the user and KGC, and the public ID-PKC system public parameter is transmitted through the TLS secure channel. parameter.

On the other hand, identity revocation is required in the ID-PKC system to prevent the continued use of identities or credentials that are no longer valid or have security vulnerabilities, such as service interruption or private key disclosure. If the logo is revoked, the logo shall be set to the revoked state. The revoked logo constitutes an IRL, and a reliable channel is also required to deliver the IRL to the user. The IRL can be passed through a TLS secure channel established between the user and the KGC.

However, the establishment of a TLS secure channel requires the use of certificates, which means that the bootstrapping process of the ID-PKC system actually relies on PKI, which is contrary to the original design intent of the ID-PKC system. Furthermore, the multi-CA trust issue in certificate-based key systems is carried over to the ID-PKC system.

Based on this, in various embodiments of the present application, the issuance of public parameters of the ID-PKC system and the management of identification revocation are performed based on a permissioned distributed ledger.

In the embodiment of this application, the public parameters and/or IRL of the ID-PKC system are written into the licensed distributed ledger through the consensus mechanism of the licensed distributed ledger. By using the licensed distributed ledger, the ID-PKC system parameters and IRL can be cross-domain The ID-PKC system can be used to realize cross-domain secure communication without relying on the PKI system.

An embodiment of the present application provides an ID-PKC information processing method, which is applied to a first node. As shown in FIG. 1 , the method includes:

Step 101: obtain the first ID-PKC system public parameters and/or IRL; the state of the first ID-PKC system public parameters is valid; the first node is an accounting node;

Step 102: Based on the consensus mechanism, write the acquired public parameters and/or IRL of the first ID-PKC system into the permissioned distributed ledger.

Here, in practical application, the ID-PKC system public parameters can also be called ID-PKC system parameters, or ID-PKC parameters, it should be noted that the ID-PKC system public parameters can also be named other names , as long as it has the same function or function as the public parameter of the ID-PKC system, which is not limited in this embodiment of the present application. Correspondingly, the IRL may also use other names, as long as the functions or functions are the same as the IRL, which is not limited in this embodiment of the present application.

The permissioned distributed ledger (which may also be referred to as a consortium chain or a permissioned chain, a permissioned distributed ledger, a consortium chain, and a permissioned chain are synonyms and have the same meaning) is a blockchain, which refers to a blockchain that is shared by several institutions. Participate in the governance of the blockchain. The permissioned distributed ledger designates multiple pre-selected nodes as accounting nodes. The generation of each block is jointly determined by all pre-selected nodes using a consensus mechanism. Other access nodes can read the information on the chain, but do not ask about the accounting process. Permissioned distributed ledgers use distributed ledgers and distributed consensus technology to make data inaccessible

A modified distributed database. As long as the information published on the chain is authentic and credible.

In this embodiment of the present application, the mechanism may include a KGC of one domain. The KGC of a domain can correspond to one or more accounting nodes.

In practical application, the first ID-PKC system public parameters may be generated by KGC. Here, it should be noted that this embodiment of the present application does not limit the name of the organization that generates the public parameters of the ID-PKC system.

Among them, KGC usually contains the following three parts:

Private Key Generator (PKG, Private Key Generator), configured to generate a user's private key based on the master password and user identity securely stored in the ID-PKC system. Private keys are distributed to users through secure channels, providing confidentiality and integrity protection. Therefore, only the user with the associated identity knows the private key.

PPS, configured to provide users with ID-PKC system public parameters and policy information describing PKG operations. Since the integrity of public parameters and policy information is critical to the normal operation of the ID-PKC system, the communication channel between the user and the PPS should be trusted. Here, in practical application, the communication channel between the user and the PPS is not necessarily confidential, because the public parameters and policy information are public information that anyone can obtain. Therefore, the first ID-PKC system public parameter can be generated by the PPS of the KGC.

The IMS is configured to manage the user's identity, including ensuring the uniqueness of the user's identity within the administrative domain, maintaining the state of the identity (including valid and revoked), and issuing IRLs. The communication channel between the user and the IMS should be trusted. Here, in practical application, the communication channel between the user and the IMS is not necessarily confidential, because the ID revocation list is public information that anyone can obtain.

The public parameters of the ID-PKC system may include many parameters. In this embodiment of the present application, since the public parameters of the ID-PKC system are stored in the permissioned distributed ledger, the public parameters of the ID-PKC system need to include and permission in addition to the general parameters. Parameters associated with the distributed ledger.

Based on this, in an embodiment, the first ID-PKC system public parameter includes at least one of the following:

Domain name (that is, the name of the domain where the KGC is located);

blockchain name;

System public parameter status;

Hash algorithm for hiding user IDs.

Wherein, the domain name indicates the name of the domain where the KGC that generates the public parameters of the first ID-PKC system is located; the blockchain name can also be called the name of the licensed distributed ledger, indicating the licensed distributed ledger corresponding to the public parameters of the first ID-PKC system The system public parameter state indicates the state of the first ID-PKC system public parameter, specifically valid; the hash algorithm used to hide the user identity is used to anonymize the identity in IRL.

Here, the first ID-PKC system public parameter of the ID-PKC system public parameter may also include at least one of the following:

PPS name;

IMS name.

Wherein, the PPS name indicates the name of the PPS. The IMS name indicates the name of the IMS.

In practical application, according to the encoding method, such as the ASN.1 method, the public parameters of the ID-PKC system can be described as follows:

The meaning of each field is as follows:

version: is the version number of the public parameters of the ID-PKC system;

domainName: is the name of the domain where the KGC is located, which is used for KGC addressing. It can be a name defined by URI or URL, or a user-defined name, that is, a user-defined name;

ppsName: is the name of the PPS, which is used for PPS addressing. It can be a name defined by URI or URL, or a user-defined name, that is, a user-defined name.

imsName: is the name of the IMS, which is used for IMS addressing. It can be a name defined by URI or URL, or a user-defined name, that is, a user-defined name.

domainSerial: This field is an integer representing the unique set of ID-PKC system public parameters that can be used on domainName, that is, the set of ID-PKC system public parameters that can be used on the domain where the KGC indicated by domainName is located;

Validity: Validity field, which defines the lifetime of ID-PKC system public parameters, and is defined as the following:

id-pkcPublicParameters: is a structure that contains public parameters corresponding to the ID-PKC algorithm supported by the ID-PKC system. The structure is defined as follows:

Here, id-pkcAlgorithm: at least one ID-PKC algorithm supported by an ID-PKC system;

publicParameterData: is a Distinguished Encoding Rules (DER) encoded structure that contains the actual password parameters. The exact structure of this field depends on the algorithm.

id-PKCIdentityType: an identity used to define the type of identity used within a domain, how this field is used depends on the application;

distributedLedgerName: ID-PKC system public parameters are published on the blockchain (ie permissioned distributed ledger), this field is used to indicate the name of the distributed ledger;

hashAlgorithm: This field indicates the hash algorithm used to hide the user ID, which is used to anonymize the user ID in IRL. The definition of this field is as follows:

id-pkcParamStatus: It is used to indicate the status of the public parameters of the ID-PKC system. Specifically, there can be two statuses: valid and invalid (also called revocation). The definition of this field is as follows:

id-pkcParamExtensions: It is a set of extensions that can be used to define additional parameters that may be required by a particular implementation. The structure of this field is defined as follows:

It should be noted that: this embodiment of the present application does not limit the names of the above fields.

In practical application, in step 102, the first node may form a block based on the acquired public parameters of the first ID-PKC system based on a consensus mechanism, and then publish the formed block to the permissioned distributed ledger. In a permissioned distributed ledger, blocks are linked into a permissioned distributed ledger in chronological order (such as the chronological order in which the public parameters of the ID-PKC system are generated).

Exemplarily, the specific steps of writing the public parameters of the ID-PKC system to the permissioned distributed ledger include:

Step 1: The PPS of the KGC of a domain generates the public parameters of the ID-PKC system, and marks its status as valid, that is, the id-pkcParamStatus field is set to be valid.

Step 2: One or several accounting nodes of the KGC's PPS on the permissioned distributed ledger together with the KGC's PPS of other domains on the accounting nodes of the permissioned distributed ledger, that is, all accounting nodes on the permissioned distributed ledger , using the consensus mechanism to write the public parameters of the ID-PKC system generated by the KGC's PPS into the permissioned distributed ledger.

Among them, in practical application, KGC and accounting nodes may be co-located, and KGC and accounting nodes may also be set separately. In the case of separate settings, KGC and accounting nodes interact through secure channels.

Here, after steps 1 and 2, the uploading of the public parameters of the ID-PKC system is completed.

In practical applications, the information of the public parameters of the ID-PKC system may need to be updated, for example, the encryption algorithm has changed. Since the message on the permissioned distributed ledger cannot be deleted, it is necessary to generate a public parameter of the ID-PKC system that is the same as the public parameter of the original ID-PKC system, mark its status as invalid, and make the generated ID-PKC system public Write the parameters to the permissioned distributed ledger; then generate a public parameter of the ID-PKC system whose content has been updated, mark its status as valid and write it into the permissioned distributed ledger, thus completing the update of the public parameters of the ID-PKC system .

Based on this, in one embodiment, the method may further include:

Obtain the public parameters of the second ID-PKC system; the state of the public parameters of the second ID-PKC system is invalid; the public parameters of the second ID-PKC system and the public parameters of the first ID-PKC system are in addition to production time and status The other parameters are the same;

Based on the consensus mechanism, write the acquired public parameters of the second ID-PKC system into the licensed distributed ledger;

Obtain the newly generated third ID-PKC system public parameter; the third ID-PKC system public parameter is updated by the first ID-PKC system public parameter;

The state of the third ID-PKC system public parameter is valid;

Based on the consensus mechanism, the acquired public parameters of the third ID-PKC system are written into the permissioned distributed ledger.

Exemplarily, the specific steps of updating the public parameters of the ID-PKC system include:

Step 1: PPS generates a public parameter of the ID-PKC system with the same content as the public parameter of the ID-PKC system already on the chain (the other items are the same except for the status item and the generation time), that is, the second ID-PKC system public parameter is generated. , and mark its status as invalid;

Step 2: The PPS uses a consensus mechanism to write the public parameters of the ID-PKC system generated in step 1 into the permissioned distributed ledger with one or several billing nodes on the licensed distributed ledger together with the billing nodes of other domains. ;

Step 3: This PPS regenerates an ID-PKC system public parameter whose information content has been updated, namely generates the third ID-PKC system public parameter, and marks its state as valid;

Step 4: The PPS uses the consensus mechanism to write the ID-PKC system parameters whose information content has been updated into the permissioned distributed ledger with one or several billing nodes on the licensed distributed ledger together with the billing nodes of other domains.

In practical application, the IRL can be generated by KGC. Specifically, the IRL can be generated by the IMS of KGC.

The IRL may contain many parameters. In this embodiment of the present application, since the IRL is stored in the permissioned distributed ledger, the IRL needs to contain, in addition to the general parameters, parameters associated with the permissioned distributed ledger.

Based on this, in an embodiment, the IRL includes at least one of the following:

domain name;

blockchain name;

A collection of revocation signs.

Among them, the domain name indicates the name of the domain where the KGC that generates the IRL is located; the blockchain name can also be called the name of the permissioned distributed ledger, indicating the name of the permissioned distributed ledger corresponding to the IRL.

In one embodiment, the IRL may further include:

IMS name.

Wherein, the IMS name indicates the name of the MIS.

In one embodiment, the set of revocation identifiers includes at least one of the following:

Whether the revocation identification is anonymous;

revocation of identification;

Reason for revocation.

In practical applications, according to the encoding method, such as the ASN.1 method, the IRL can be described as follows:

The meaning of each field is as follows:

Version: is the version number of IRL;

Issuer: used to distinguish the issuer of IRL;

irlNumbe: is the issuer number of the current IRL; it starts from 0 and increases by 1 for each complete IRL release (ie, the IRL issued by KGC at a certain point in time contains all revocation identifiers), it is optional ;

deltaList: Indicates whether the current IRL is a delta IRL (that is, the revocation identifier increased at a certain point in time compared to the previous point in time), the list only contains the identity information that has been revoked since the release of the complete IRL indexed by irlNumber;

domainName: is the name of the domain where the KGC that generates the IRL is located, and is used for KGC addressing. It can be a name defined by URI or URL, or a user-defined name, that is, a custom name;

domainSerial: This field is an integer representing the unique set of IRLs that can be used on domainName, that is, the set of IRLs that can be used on the domain where the KGC indicated by domainName is located;

imsName: is the name of the IMS, which is used for IMS addressing. It can be a name defined by URI or URL, or a user-defined name, that is, a user-defined name.

thisUpdate: indicates the generation time of this IRL table;

nextUpdate: indicates the next IRL generation time, which is optional;

distributedLedgerName: IRL is published on the blockchain (i.e. permissioned distributed ledger), this field is used to indicate the name of the distributed ledger;

revokeIdentities: used to indicate the revoked identity collection, including the following fields: anonymous, identity, revokeReason, revocationDate, irlEntryExtensions. These fields are described as follows:

(1) Anonymity: It is used to indicate whether the revocation identification needs to be anonymous, that is, whether the revocation identification is anonymous. The specific description of this field is as follows:

(2) identity: It is used to describe the revocation identity. The specific description of this field is as follows:

identity::=ID-PKCIdentityInfo

ID-PKCIdentityInfo::=CHOICE{

Hash(RovokedIdendity),

RovokedIdentity,

}

Among them, if anonymous is YES, the ID-PKCIdentityInfo field corresponds to the hash value of the revocation identifier, otherwise, the ID-PKCIdentityInfo field corresponds to the revocation identifier itself;

(3) revokeReason: It is used to describe the reason for the revocation of the identity. This field is described as follows:

irlEntryExtensions: This field defines possible revocation identifier extensions.

It should be noted that: this embodiment of the present application does not limit the names of the above fields.

In practical application, in step 102, the first node may form the acquired IRL into a block based on a consensus mechanism, and then publish the formed block to the permissioned distributed ledger. In a permissioned distributed ledger, blocks are linked into a permissioned distributed ledger in chronological order (such as the time order in which the IRL was generated).

Exemplarily, the specific steps of writing the IRL number to the permissioned distributed ledger (that is, publishing the IRL (which can also be understood as issuing) on the consortium) include:

Step 1: The IMS of a domain's KGC generates an IRL;

Step 2: One or several accounting nodes of the IMS on the licensed distributed ledger, together with the accounting nodes of the IMS of the KGC of other domains on the licensed distributed ledger, that is, all the accounting nodes on the licensed distributed ledger, use Consensus mechanism that writes IRL to a permissioned distributed ledger.

After the ID-PKC system public parameters and IRL are written into the permissioned distributed ledger, users can query the ID-PKC system public parameters and IRL.

Based on this, the embodiment of the present application also provides an ID-PKC information processing method, which is applied to the second node. As shown in FIG. 2 , the method includes:

Step 201: obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

Step 202: query the corresponding ID-PKC system public parameters from the licensed distributed ledger;

Step 203: Return a response according to the query result.

Wherein, in practical application, the second node may be an accounting node or a common access node.

In practical applications, when the public parameters of the ID-PKC system are written into the permissioned distributed ledger, the domain name can be called a key; in addition, there are multiple permissioned distributed ledgers in the network. The permissioned distributed ledger where the public parameters of the ID-PKC system reside.

Based on this, in one embodiment, the first request carries the domain name and the blockchain name; accordingly, the second node uses the domain name carried in the first request to retrieve the corresponding blockchain name from the blockchain name. Allows the distributed ledger to query the corresponding ID-PKC system public parameters.

Among them, in practical application, when the public parameters of the ID-PKC system include the PPS name, and the public parameters of the ID-PKC system are written into the permission distributed ledger, the domain name and/or the PPS name can be used as the key.

Based on this, in an embodiment, the first request further carries the PPS name;

Use the domain name and/or PPS name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

On a permissioned distributed ledger, blocks are linked in chronological order, so queries can start with the latest block on the permissioned distributed ledger.

When the domain name carried in the first request is not retrieved from the corresponding licensed distributed ledger, indicating that the corresponding public parameters of the ID-PKC system have not been queried, the second node returns an error message, and the error message can be Indicates that the ID-PKC system public parameter to be queried does not exist.

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is invalid, an error message is returned. At this time, the error message can indicate that the status of the ID-PKC system public parameters to be queried is invalid.

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is valid, the queried ID-PKC system common parameters are returned.

Exemplarily, the step of querying the public parameters of the ID-PKC system may include:

Step 1: The user needs to obtain the public parameters of the ID-PKC system. First, use the domainName field and/or ppsName field to initiate a query to the alliance blockchain, that is, initiate the first request; here, the user initiates the first request through the application programming interface (API). ask;

Step 2: The retrieval starts from the latest block on the blockchain (that is, the last of the entire link, retrieved from back to front). If the domainName field and/or ppsName field to be queried is not retrieved on the blockchain, then Terminate the query and return the called error information to the user (that is, ID-PKC system parameters do not exist). Check the parameters, if its status is invalid, it will return the error message to the called party (that is, ID-PKC system parameters exist but the status is invalid); if the latest ID-PKC system public parameters are valid, it will be returned to the user The public parameters of the ID-PKC system to be obtained.

The embodiment of the present application also provides an ID-PKC information processing method, which is applied to a third node. As shown in FIG. 3 , the method includes:

Step 301: Obtain a second request; the second request is used to request to query whether the first identifier has been revoked;

Step 302: Query whether the first identifier has been revoked from the permissioned distributed ledger; the permissioned distributed ledger records the IRL;

Step 303: Return a response according to the query result.

Wherein, in practical application, the third node may be an accounting node or a common access node.

In step 302, the third node inquires in the IRL whether the first identification has been revoked.

In practical applications, when IRL writes the permissioned distributed ledger, the domain name and/or IMS name (when the IRL includes the IMS name) is used as the key; in addition, there are multiple permissioned distributed ledgers in the network. The permissioned distributed ledger where the IRL to be queried resides.

Based on this, in one embodiment, the second request carries the first identifier and the blockchain name; the third node uses the first identifier in the permissioned distributed ledger corresponding to the blockchain name make an inquiry.

In practical application, the first identifier may be an anonymous identifier, that is, the first identifier is a hidden user identifier. In order to query the anonymous identifier, the first identifier may be queried using the result of a hash algorithm.

Based on this, in one embodiment, the second request carries the operation result and the blockchain name after the first identifier is operated on the hash function indicated by the public parameters of the ID-PKC system;

Use the operation result to query the permissioned distributed ledger corresponding to the blockchain name.

When it is queried that the first identification has been revoked, first information is returned; the first information indicates that the first identification has been revoked;

When the first identification is not found, second information is returned; the second information indicates that the first identification is valid.

Exemplarily, the specific process of identifying the query may include:

Step 1: The user uses the identifier to query the permissioned distributed ledger. If it is found, it means that the identifier has been revoked (that is, it has been revoked), and a user message is returned to the user (that is, the user identifier has been revoked). If not found, then Go to step 2; here, the user initiates a query request through the API;

Step 2: The user uses the hash function indicated in the public parameters of the ID-PKC system to operate on the identifier to be queried, obtain the operation result, and use the operation result to query the permissioned distributed ledger. If there is a value that is the same as the operation result, then It indicates that the user ID has been revoked, and a user message is returned to the user (that is, the user ID has been revoked); if the same value is not found, it means that the user ID is valid, and a user message is returned to the user (that is, the user ID is valid), through In the above way, whether the anonymous identification is valid can also be queried on the permissioned distributed ledger.

In practical application, in step 302, when the third node is a common node, the third node can address the corresponding IMS (which can be the same domain as the third node) according to the IMS name in the public parameters of the ID-PKC system. IMS, which may also be an IMS belonging to a different domain from the third node), and then initiates a query request to the corresponding IMS to query whether the first identifier has been revoked.

When the third node is the accounting node of the permissioned distributed ledger corresponding to the blockchain name, it is possible to directly query whether the first identification has been revoked.

It can be seen from the above description that, in the embodiment of the present application, the KGC including the PKG, the PPS and the IMS and the user terminal form a permissioned distributed ledger. After a PPS goes through the consensus process, the corresponding ID-PKC system public parameters are written on the permissioned distributed ledger. After an IMS goes through the consensus process, it writes the IRL in the corresponding domain on the permissioned distributed ledger. User terminals cannot write data on the permissioned distributed ledger, and can only read data from the permissioned distributed ledger.

In the ID-PKC information processing method provided by the embodiment of the present application, the first node obtains the public parameters and/or IRL of the first ID-PKC system; the state of the public parameters of the first ID-PKC system is valid; the first node is an accounting node; based on the consensus mechanism, the obtained first ID-PKC system public parameters and/or IRL are written into the permissioned distributed ledger; the second node obtains the first request; the first request is used to request to obtain ID- PKC system public parameters; query the corresponding ID-PKC system public parameters from the licensed distributed ledger; and return a response according to the query result; the third node obtains the second request; the second request is used to request to query whether the first identifier has been Revocation; query whether the first identifier has been revoked from the permissioned distributed ledger; the permissioned distributed ledger records the IRL; and return a response according to the query result. The solution provided by the embodiments of this application is based on the permissioned distributed ledger to carry out the management of the release of ID-PKC system public parameters and the management of identification revocation. By using the permissioned distributed ledger, ID-PKC system parameters and IRL can be transferred across domains, and the identification Revocation can be queried across domains, thus realizing cross-domain secure communication without relying on the PKI system and using the ID-PKC system.

In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides an ID-PKC information processing device, which is arranged on the first node. As shown in FIG. 4 , the device includes:

a first obtaining unit 401, configured to obtain a first ID-PKC system public parameter and/or an IRL; the state of the first ID-PKC system public parameter is valid; the first node is an accounting node;

The first processing unit 402 is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into a permissioned distributed ledger based on a consensus mechanism.

Wherein, in an embodiment, the first obtaining unit 401 is further configured to obtain the second ID-PKC system public parameters; the state of the second ID-PKC system public parameters is invalid; the second ID-PKC system public parameters are in an invalid state; The public parameters of the PKC system are the same as the public parameters of the first ID-PKC system except for production time and status;

The first processing unit 402 is further configured to write the acquired public parameters of the second ID-PKC system into the permission distributed ledger based on a consensus mechanism;

The first obtaining unit 401 is further configured to obtain a newly generated third ID-PKC system public parameter; the third ID-PKC system public parameter is updated by the first ID-PKC system public parameter; the The status of the public parameters of the third ID-PKC system is valid;

The first processing unit 402 is further configured to write the acquired public parameters of the third ID-PKC system into the permission distributed ledger based on a consensus mechanism.

In practical application, the first obtaining unit 401 can be realized by a communication interface in the ID-PKC information processing device; the first processing unit 402 can be realized by a communication interface in the ID-PKC information processing device combined with a processor.

In order to implement the method on the second node side in the embodiment of the present application, the embodiment of the present application further provides an ID-PKC information processing device, which is set on the second node. As shown in FIG. 5 , the device includes:

The second obtaining unit 501 is configured to obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

The second processing unit 502 is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response according to the query result.

Wherein, in one embodiment, when the second processing unit 502 queries the corresponding ID-PKC system public parameters from the licensed distributed ledger, the query starts from the latest block of the licensed distributed ledger.

In one embodiment, the first request carries a domain name and a blockchain name;

The second processing unit 502 is configured to use the domain name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the first request also carries the PPS name;

Use the domain name and/or PPS name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the second processing unit 502 is configured as:

When the corresponding ID-PKC system public parameters are not queried, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is invalid, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is valid, the queried ID-PKC system common parameters are returned.

In practical application, the second obtaining unit 501 can be realized by a communication interface in the ID-PKC information processing device; the second processing unit 502 can be realized by a communication interface in the ID-PKC information processing device combined with a processor.

In order to implement the method on the third node side in the embodiment of the present application, the embodiment of the present application further provides an ID-PKC information processing device, which is set on the third node. As shown in FIG. 6 , the device includes:

The third obtaining unit 601 is configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

The third processing unit 602 is configured to query whether the first identifier has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response according to the query result.

Wherein, in one embodiment, the second request carries the first identifier and the blockchain name; the third processing unit 602 uses the first identifier in the license distribution corresponding to the blockchain name Ledger for inquiries.

In one embodiment, the second request carries the operation result and the blockchain name after the first identifier is operated on the hash function indicated by the ID-PKC system public parameter;

The third processing unit 602 uses the operation result to query the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the third processing unit 602 is configured as:

When it is queried that the first identification has been revoked, first information is returned; the first information indicates that the first identification has been revoked;

or,

When the first identifier is not found, second information is returned; the second information indicates that the first identifier is valid.

In practical application, the third obtaining unit 601 can be realized by a communication interface in the ID-PKC information processing device; the third processing unit 602 can be realized by a communication interface in the ID-PKC information processing device combined with a processor.

It should be noted that: when the ID-PKC information processing apparatus provided in the above-mentioned embodiments performs ID-PKC information processing, only the division of the above-mentioned program modules is used for illustration. In practical applications, the above-mentioned processing can be allocated by Different program modules are completed, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the above-described processing. In addition, the ID-PKC information processing apparatus and the ID-PKC information processing method embodiments provided by the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the method embodiments, which will not be repeated here.

Based on the hardware implementation of the above program modules, and in order to implement the method on the first node side of the embodiment of the present application, the embodiment of the present application further provides a first node. As shown in FIG. 7 , the first node 700 includes:

The first communication interface 701, capable of information interaction with other nodes (such as other billing nodes);

The first processor 702 is connected to the first communication interface 701 to realize information exchange with other nodes, and when configured to run a computer program, execute the method provided by one or more technical solutions on the first node side;

A first memory 703 on which the computer program is stored.

Specifically, the first communication interface 701 is configured to obtain the first ID-PKC system public parameters and/or IRL; the state of the first ID-PKC system public parameters is valid; the first node 700 is a recorder account node;

The first processor 702 is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into a permissioned distributed ledger based on a consensus mechanism.

Wherein, in an embodiment, the first communication interface 701 is further configured to obtain the second ID-PKC system public parameters; the state of the second ID-PKC system public parameters is invalid; the second ID-PKC system The public parameters of the PKC system are the same as the public parameters of the first ID-PKC system except for production time and status;

The first processor 702 is further configured to write the acquired public parameters of the second ID-PKC system into the licensed distributed ledger based on a consensus mechanism;

The first communication interface 701 is further configured to obtain a newly generated third ID-PKC system public parameter; the third ID-PKC system public parameter is updated by the first ID-PKC system public parameter; the The status of the public parameters of the third ID-PKC system is valid;

The first processor 702 is further configured to write the acquired public parameters of the third ID-PKC system into the permission distributed ledger based on a consensus mechanism.

It should be noted that: the specific processing process of the first processor 702 can be understood with reference to the above method.

Of course, in practical application, various components in the first node 700 are coupled together through the bus system 704 . It will be appreciated that the bus system 704 is configured to enable connection communication between these components. In addition to the data bus, the bus system 704 also includes a power bus, a control bus and a status signal bus. However, for clarity of illustration, the various buses are labeled as bus system 704 in FIG. 7 .

The first memory 703 in the embodiment of the present application is configured to store various types of data to support the operation of the first node 700 . Examples of such data include: any computer program for operating on the first node 700 .

The methods disclosed in the above embodiments of the present application may be applied to the first processor 702 or implemented by the first processor 702 . The first processor 702 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above-mentioned method may be completed by an integrated logic circuit of hardware in the first processor 702 or an instruction in the form of software. The above-mentioned first processor 702 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The first processor 702 may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the first memory 703, and the first processor 702 reads the information in the first memory 703, and completes the steps of the foregoing method in combination with its hardware.

In an exemplary embodiment, the first node 700 may be configured by one or more Application Specific Integrated Circuits (ASIC, Application Specific Integrated Circuit), DSP, Programmable Logic Device (PLD, Programmable Logic Device), Complex Programmable Logic Device ( CPLD, Complex Programmable Logic Device), Field Programmable Gate Array (FPGA, Field-Programmable Gate Array), general-purpose processor, controller, microcontroller (MCU, Micro Controller Unit), microprocessor (Microprocessor), or other An electronic component implementation is configured to perform the aforementioned method.

Based on the hardware implementation of the above program modules, and in order to implement the method on the second node side of the embodiment of the present application, the embodiment of the present application further provides a second node. As shown in FIG. 8 , the second node 800 includes:

The second communication interface 801 is capable of information interaction with other nodes and users;

The second processor 802 is connected to the second communication interface 801 to realize information interaction with other nodes and users, and is configured to execute the method provided by one or more technical solutions on the second node side when running a computer program. ;

A second memory 803 on which the computer program is stored.

Specifically, the second communication interface 801 is configured to obtain a first request; the first request is used to request to obtain public parameters of the ID-PKC system;

The second processor 802 is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response through the second communication interface according to the query result.

Wherein, in one embodiment, when the second processor 802 queries the corresponding ID-PKC system public parameters from the licensed distributed ledger, the query starts from the latest block of the licensed distributed ledger.

In one embodiment, the first request carries a domain name and a blockchain name;

The second processor 802 is configured to use the domain name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the first request also carries the PPS name;

The second processor 802 is configured to use the domain name and/or PPS name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the second processor 802 is configured to:

When the corresponding ID-PKC system public parameters are not queried, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is invalid, an error message is returned;

or,

When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is valid, the queried ID-PKC system common parameters are returned.

It should be noted that: the specific processing process of the second processor 802 can be understood with reference to the above method.

Of course, in practical application, various components in the second node 800 are coupled together through the bus system 804 . It will be appreciated that the bus system 804 is configured to enable connection communication between these components. In addition to the data bus, the bus system 804 also includes a power bus, a control bus, and a status signal bus. However, for clarity of illustration, the various buses are labeled as bus system 804 in FIG. 8 .

The second memory 803 in this embodiment of the present application is configured to store various types of data to support the operation of the second node 800 . Examples of such data include: any computer program for operating on the second node 800 .

The methods disclosed in the above embodiments of the present application may be applied to the second processor 802 or implemented by the second processor 802 . The second processor 802 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above-mentioned method may be completed by an integrated logic circuit of hardware in the second processor 802 or an instruction in the form of software. The above-mentioned second processor 802 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The second processor 802 may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the second memory 803, and the second processor 802 reads the information in the second memory 803, and completes the steps of the foregoing method in combination with its hardware.

In an exemplary embodiment, the second node 800 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general purpose processors, controllers, MCUs, Microprocessors, or other electronic components configured to perform the aforementioned methods.

Based on the hardware implementation of the above program modules, and in order to implement the method on the third node side of the embodiment of the present application, the embodiment of the present application further provides a third node. As shown in FIG. 9 , the third node 900 includes:

The third communication interface 901 is capable of information interaction with other nodes and users;

The third processor 902 is connected to the third communication interface 901 to realize information interaction with other nodes and users, and is configured to execute the method provided by one or more technical solutions on the third node side when running the computer program ;

A third memory 903 on which the computer program is stored.

Specifically, the third communication interface 901 is configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

The third processor 902 is configured to query whether the first identifier has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response through the third communication interface according to the query result.

Wherein, in one embodiment, the second request carries the first identifier and the blockchain name, and the third processor 902 uses the first identifier in the permissioned distributed ledger corresponding to the blockchain name make an inquiry.

In one embodiment, the second request carries the operation result and the blockchain name after the first identifier is operated on the hash function indicated by the ID-PKC system public parameter;

The third processor 902 uses the operation result to query the permissioned distributed ledger corresponding to the blockchain name.

In one embodiment, the third processor 902 is configured to:

When it is queried that the first identification has been revoked, first information is returned; the first information indicates that the first identification has been revoked;

or,

When the first identifier is not found, second information is returned; the second information indicates that the first identifier is valid.

It should be noted that: the specific processing process of the third processor 902 can be understood with reference to the above method.

Of course, in practical application, various components in the third node 900 are coupled together through the bus system 904 . It will be appreciated that the bus system 904 is configured to enable connection communication between these components. In addition to the data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus. However, for clarity of illustration, the various buses are labeled as bus system 904 in FIG. 9 .

The third memory 903 in the embodiment of the present application is configured to store various types of data to support the operation of the third node 900 . Examples of such data include: any computer program for operating on the third node 900 .

The methods disclosed in the above embodiments of the present application may be applied to the third processor 902 or implemented by the third processor 902 . The third processor 902 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above-mentioned method may be completed by an integrated logic circuit of hardware in the third processor 902 or an instruction in the form of software. The above-mentioned third processor 902 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The third processor 902 may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the third memory 903, the third processor 902 reads the information in the third memory 903, and completes the steps of the foregoing method in combination with its hardware.

In an exemplary embodiment, the third node 900 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general purpose processors, controllers, MCUs, Microprocessors, or other electronic components configured to perform the aforementioned methods.

It can be understood that the memories (the first memory 703, the second memory 803, and the third memory 903) in this embodiment of the present application may be volatile memories or non-volatile memories, and may also include volatile and non-volatile memories both. Among them, the non-volatile memory can be a read-only memory (ROM, Read Only Memory), a programmable read-only memory (PROM, Programmable Read-Only Memory), an erasable programmable read-only memory (EPROM, Erasable Programmable Read-only memory) Only Memory), Electrically Erasable Programmable Read-Only Memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), Magnetic Random Access Memory (FRAM, ferromagnetic random access memory), Flash Memory (Flash Memory), Magnetic Surface Memory , CD-ROM, or CD-ROM (Compact Disc Read-Only Memory); magnetic surface memory can be disk memory or tape memory. Volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory Memory (DRAM, Dynamic Random Access Memory), Synchronous Dynamic Random Access Memory (SDRAM, Synchronous Dynamic Random Access Memory), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), Enhanced Type Synchronous Dynamic Random Access Memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), Synchronous Link Dynamic Random Access Memory (SLDRAM, SyncLink Dynamic Random Access Memory), Direct Memory Bus Random Access Memory (DRRAM, Direct Rambus Random Access Memory) ). The memories described in the embodiments of the present application are intended to include, but not be limited to, these and any other suitable types of memories.

In an exemplary embodiment, an embodiment of the present application further provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, for example, including a first memory 703 that stores a computer program, and the above-mentioned computer program can be executed by the first node The first processor 702 of the node 700 executes the steps to complete the steps of the first node-side method. For example, it includes a second memory 803 that stores a computer program. The computer program can be executed by the second processor 802 of the second node 800. Complete the steps of the aforementioned second node-side method; another example includes a third memory 903 storing a computer program, and the aforementioned computer program can be executed by the third processor 902 of the third node 900 to complete the aforementioned steps of the aforementioned third-node-side method . The computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM.

It should be noted that "first", "second", etc. are used to distinguish similar objects, and are not necessarily used to describe a specific sequence or sequence.

In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily unless there is a conflict.

The above descriptions are only preferred embodiments of the present application, and are not intended to limit the protection scope of the present application.

Claims (31)

1. An identification-based public cipher ID-PKC information processing method, applied to a first node, comprising:

   Obtain the first ID-PKC system public parameter and/or the identification revocation list IRL; the state of the first ID-PKC system public parameter is valid; the first node is an accounting node;

   Based on the consensus mechanism, the acquired first ID-PKC system public parameters and/or IRL are written into the permissioned distributed ledger.
2. The method according to claim 1, wherein the first ID-PKC system public parameter is generated by a public parameter server of a key generation center KGC;

   The first ID-PKC system public parameter includes at least one of the following:

   domain name;

   blockchain name;

   System public parameter status;

   Hash algorithm for hiding user IDs.
3. The method according to claim 2, wherein the domain name is a name defined according to a Uniform Resource Identifier URI or a Uniform Resource Locator URL, or a self-defined name.
4. The method according to claim 2, wherein the first ID-PKC system public parameter further comprises at least one of the following:

   public parameter server name;

   Identifies the management server name.
5. The method according to claim 4, wherein the public parameter server name is a name defined by URI or URL, or a self-defined name.
6. The method according to claim 4, wherein the name of the identity management server is a name defined according to URI or URL, or a self-defined name.
7. The method of claim 1, wherein the IRL is generated by an identity management server of the KGC;

   The IRL includes at least one of the following:

   domain name;

   blockchain name;

   A collection of revocation signs.
8. The method according to claim 7, wherein the domain name is a name defined by URI or URL, or a self-defined name.
9. The method of claim 7, wherein the IRL further comprises:

   Identifies the management server name.
10. The method according to claim 9, wherein the name of the identity management server is a name defined according to URI or URL, or a self-defined name.
11. The method of claim 7, wherein the set of revocation identifiers comprises at least one of the following:

    Whether the revocation identification is anonymous;

    revocation of identification;

    Reason for revocation.
12. The method according to any one of claims 1 to 11, wherein the method further comprises:

    Obtain the public parameters of the second ID-PKC system; the state of the public parameters of the second ID-PKC system is invalid; the public parameters of the second ID-PKC system and the public parameters of the first ID-PKC system are in addition to production time and status The other parameters are the same;

    Based on the consensus mechanism, write the acquired public parameters of the second ID-PKC system into the licensed distributed ledger;

    Obtain the newly generated public parameters of the third ID-PKC system; the public parameters of the third ID-PKC system are updated by the public parameters of the first ID-PKC system; the state of the public parameters of the third ID-PKC system is efficient;

    Based on the consensus mechanism, the acquired public parameters of the third ID-PKC system are written into the permissioned distributed ledger.
13. A method for processing ID-PKC information, applied to a second node, comprising:

    Obtain the first request; the first request is used to request to obtain the public parameters of the ID-PKC system;

    Query the corresponding ID-PKC system public parameters from the permissioned distributed ledger;

    Return a response based on the query result.
14. The method according to claim 13, wherein, when querying the corresponding ID-PKC system public parameters from the permissioned distributed ledger, the method comprises:

    Start querying from the latest block of the permissioned distributed ledger.
15. The method of claim 13, wherein the first request carries a domain name and a blockchain name;

    Use the domain name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.
16. The method of claim 15, wherein the first request further carries a public parameter server name;

    Use the domain name and/or the public parameter server name carried in the first request to query the corresponding ID-PKC system public parameters from the permissioned distributed ledger corresponding to the blockchain name.
17. The method according to any one of claims 13 to 16, wherein the returning a response according to the query result comprises:

    When the corresponding ID-PKC system public parameters are not queried, an error message is returned;

    or,

    When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is invalid, an error message is returned;

    or,

    When the corresponding ID-PKC system public parameters are queried, and the status of the queried ID-PKC system common parameters is valid, the queried ID-PKC system common parameters are returned.
18. A method for processing ID-PKC information, applied to a third node, comprising:

    Obtain a second request; the second request is used to request to query whether the first identification has been revoked;

    Query whether the first identifier has been revoked from the licensed distributed ledger; the licensed distributed ledger records the IRL;

    Return a response based on the query result.
19. The method according to claim 18, wherein the second request carries the first identifier and the blockchain name; and the first identifier is used to query the permissioned distributed ledger corresponding to the blockchain name.
20. The method according to claim 18, wherein the second request carries an operation result and a blockchain name after the first identifier is operated on a hash function indicated by a public parameter of the ID-PKC system;

    Use the operation result to query the permissioned distributed ledger corresponding to the blockchain name.
21. The method according to any one of claims 18 to 20, wherein the returning a response according to the query result comprises:

    When it is queried that the first identification has been revoked, first information is returned; the first information indicates that the first identification has been revoked;

    or,

    When the first identifier is not found, second information is returned; the second information indicates that the first identifier is valid.
22. An ID-PKC information processing device, arranged on a first node, comprising:

    a first obtaining unit, configured to obtain a first ID-PKC system public parameter and/or an IRL; the state of the first ID-PKC system public parameter is valid; the first node is an accounting node;

    The first processing unit is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into a permissioned distributed ledger based on a consensus mechanism.
23. An ID-PKC information processing device, comprising:

    a second obtaining unit, configured to obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

    The second processing unit is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response according to the query result.
24. An ID-PKC information processing device, comprising:

    a third obtaining unit, configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

    The third processing unit is configured to query whether the first identification has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response according to the query result.
25. A first node, comprising: a first communication interface and a first processor; wherein,

    the first communication interface is configured to obtain the first ID-PKC system public parameters and/or the IRL; the state of the first ID-PKC system public parameters is valid; the first node is an accounting node;

    The first processor is configured to write the acquired public parameters and/or IRL of the first ID-PKC system into the permissioned distributed ledger based on the consensus mechanism.
26. A second node, comprising: a second communication interface and a second processor; wherein,

    The second communication interface is configured to obtain a first request; the first request is used for requesting to obtain public parameters of the ID-PKC system;

    The second processor is configured to query the corresponding public parameters of the ID-PKC system from the permission distributed ledger; and return a response through the second communication interface according to the query result.
27. A third node, comprising: a third communication interface and a third processor; wherein,

    The third communication interface is configured to obtain a second request; the second request is used to request to query whether the first identification has been revoked;

    The third processor is configured to query whether the first identification has been revoked from the permission distributed ledger; the permission distributed ledger records the IRL; and return a response through the third communication interface according to the query result.
28. A first node comprising: a first processor and a first memory configured to store a computer program executable on the processor,

    Wherein, the first processor is configured to execute the steps of the method of any one of claims 1 to 12 when running the computer program.
29. A second node comprising: a second processor and a second memory configured to store a computer program executable on the processor,

    Wherein, the second processor is configured to execute the steps of the method of any one of claims 13 to 17 when running the computer program.
30. A third node comprising: a third processor and a third memory configured to store a computer program executable on the processor,

    Wherein, the third processor is configured to execute the steps of the method according to any one of claims 18 to 21 when running the computer program.
31. A storage medium on which a computer program is stored, wherein, when the computer program is executed by a processor, the steps of the method of any one of claims 1 to 12 are realized, or the steps of any one of claims 13 to 17 are realized. The steps of the method, or the steps of implementing the method of any one of claims 18 to 21.

Images