CN108259438B - Authentication method and device based on block chain technology - Google Patents


Info

Publication number: CN108259438B
Authority: CN (China)
Prior art keywords: identity information, application program, information, cloud service, authorized
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201611248779.4A
Other languages: Chinese (zh)
Other versions: CN108259438A (en)
Inventor: 邹能人
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd, with priority to CN201611248779.4A; published as CN108259438A; application granted and published as CN108259438B; current legal status Active.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/08 ... for authentication of entities; H04L 63/0892 ... for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/08 ... for authentication of entities; H04L 63/0815 ... for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/01 Protocols; H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

An embodiment of the invention discloses an authentication method based on blockchain technology, comprising: obtaining the authorized identity information of each initial application program that uses the cloud service and establishing a blockchain based on the obtained identity information, the established blockchain comprising a block in which identification information of the corresponding authorized identity information is stored; obtaining the authorized identity information of a new application program that uses the cloud service; when the authorized identity information of the new application program and the obtained ith identity information satisfy a preset authentication condition, generating a block that stores identification information of the new application program's authorized identity information and adding the generated block to the corresponding blockchain to obtain a new blockchain; and obtaining the block corresponding to the new application program in the new blockchain and logging in to the new application program based on the information stored in the obtained block. An embodiment of the invention also discloses an authentication apparatus based on blockchain technology.

Description

Authentication method and device based on blockchain technology
Technical Field
The invention relates to the technical field of computers, in particular to an authentication method and apparatus based on blockchain technology.
Background
Platform-as-a-Service (PaaS) is a cloud computing model in which a server platform is provided as a service. It offers a running platform for developed applications (apps), and the services the platform provides include an identity authentication service. In the cloud computing era identity information is increasingly diversified and the problem of identity authentication security is more and more prominent. To address it, an identity authentication model for the PaaS environment has been proposed that lets a PaaS cloud service provider offer efficient and flexible identity authentication to the application programs running on it. The model meets, at low cost, the need of a single developer to build several relatively independent identity authentications that are identical or similar; it is compatible with local identities and with OpenID identities, which represent the trend toward federated identity authentication; and it is extensible so that more types of identity can be supported.
Open Authorization (OAuth) is an open standard that allows a third-party application to access information a user has stored on a service without giving the third-party application the user's name and password, provided the user authorizes the third-party application.
OpenID is a decentralized identity authentication technology widely used in cloud computing. It lets a user move across multiple cloud services with one identity, and it also solves the problem of a user being unable to log in after losing the cloud identity credential registered with a cloud provider. However, OpenID also frequently exposes security weaknesses, for example: after logging in to a cloud service with an OpenID identity, the user cannot access the resources owned by the user's own cloud identity, and OpenID performs neither authentication nor fine-grained authorization of the cloud service that requests the identity information. Building an identity authentication model for a PaaS platform therefore faces the following problems:
Security issues of the OpenID technology itself, for example: phishing (electronic fraud), where a user who logs in to a website that claims to support OpenID can have the entered user name and password sent to a fraudulent web page; and OpenID's reliance on the Uniform Resource Locator (URL) to identify the correct machine on the internet, which in turn relies on the domain name system that performs network address mapping and is known to have security weaknesses.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention provide an authentication method and apparatus based on blockchain technology, so as to ensure the security of identity authentication on a PaaS platform.
The technical solution of the invention is realized as follows:
An embodiment of the invention provides an authentication method based on blockchain technology, comprising:
obtaining the authorized identity information of each initial application program that uses the cloud service, and establishing a blockchain based on the obtained identity information, wherein the established blockchain comprises a block in which identification information of the corresponding authorized identity information is stored;
obtaining the authorized identity information of a new application program that uses the cloud service;
when the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information satisfy a preset authentication condition, generating a block that stores identification information of the authorized identity information of the new application program, and adding the generated block to the blockchain corresponding to the obtained ith identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information records;
and when it is determined that the new application program needs to be logged in to using the cloud service, obtaining the block corresponding to the new application program in the new blockchain, and logging in to the new application program based on the information stored in the obtained block.
In the foregoing solution, after obtaining the authorized identity information of the new application program that uses the cloud service, the method further comprises: calculating, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application program and each obtained identity information record;
and the preset authentication condition comprises: the similarity between the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information is greater than a similarity threshold.
In the foregoing solution, the preset authentication condition further comprises: the authorized identity information of the new application program that uses the cloud service has been verified by the user.
In the foregoing solution, the authorized identity information of the new application program comprises at least one of: user name, mailbox, contact information, age, occupation.
In the foregoing solution, the identification information of the authorized identity information of the new application program is part of the authorized identity information of the new application program.
In the foregoing solution, the method further comprises: setting access permission information for each application program that uses the cloud service, wherein the access permission information indicates whether the necessary authorized resources of the corresponding application program may be used and/or whether the non-necessary authorized resources of the corresponding application program may be used, the necessary authorized resources being the resources of the cloud service that the corresponding application program must use in order to run.
An embodiment of the invention also provides an authentication apparatus based on blockchain technology, comprising an establishing module, an obtaining module, an authentication module and a login module, wherein:
the establishing module is configured to obtain the authorized identity information of each initial application program that uses the cloud service and to establish a blockchain based on the obtained identity information, wherein the established blockchain comprises a block in which the identification information of the corresponding authorized identity information is stored;
the obtaining module is configured to obtain the authorized identity information of a new application program that uses the cloud service;
the authentication module is configured to generate a block that stores identification information of the authorized identity information of the new application program when the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information satisfy a preset authentication condition, and to add the generated block to the blockchain corresponding to the obtained ith identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information records;
and the login module is configured to obtain the block corresponding to the new application program in the new blockchain when it is determined that the new application program needs to be logged in to using the cloud service, and to log in to the new application program based on the information stored in the obtained block.
In the foregoing solution, the authentication module is further configured to calculate, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application program that uses the cloud service and each obtained identity information record;
and the preset authentication condition comprises: the similarity between the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information is greater than a similarity threshold.
In the foregoing solution, the preset authentication condition further comprises: the authorized identity information of the new application program that uses the cloud service has been verified by the user.
In the foregoing solution, the authorized identity information of the new application program comprises at least one of: user name, mailbox, contact information, age, occupation.
In the foregoing solution, the identification information of the authorized identity information of the new application program is part of the authorized identity information of the new application program.
In the foregoing solution, the apparatus further comprises an authorization module configured to set access permission information for each application program that uses the cloud service, wherein the access permission information indicates whether the necessary authorized resources of the corresponding application program may be used and/or whether the non-necessary authorized resources of the corresponding application program may be used, the necessary authorized resources being the resources of the cloud service that the corresponding application program must use in order to run.
In the embodiment of the invention, the authorized identity information of each initial application program that uses the cloud service is obtained and a blockchain is established based on the obtained identity information, the established blockchain comprising a block in which the identification information of the corresponding authorized identity information is stored; the authorized identity information of a new application program that uses the cloud service is obtained; when the authorized identity information of the new application program and the obtained ith identity information satisfy a preset authentication condition, a block storing identification information of the new application program's authorized identity information is generated and added to the blockchain corresponding to the obtained ith identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information records; and when it is determined that the new application program needs to be logged in to using the cloud service, the block corresponding to the new application program in the new blockchain is obtained and the new application program is logged in to based on the information stored in that block. The security of identity authentication on the PaaS platform is thereby ensured.
Drawings
Fig. 1 is a schematic diagram of a blockchain according to an embodiment of the present invention;
Fig. 2 is a flowchart of a first embodiment of the authentication method based on blockchain technology according to the present invention;
Fig. 3 is a schematic diagram of an authorization process based on blockchain technology according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an authentication process based on blockchain technology according to an embodiment of the present invention;
Fig. 5 is a flowchart of a second embodiment of the authentication method based on blockchain technology according to the present invention;
Fig. 6 is a flowchart of a third embodiment of the authentication method based on blockchain technology according to the present invention;
Fig. 7 is a schematic diagram of an authentication apparatus based on blockchain technology according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Blockchain technology
A blockchain, also called a distributed ledger, is an internet database technology: a way of collectively maintaining a reliable database through a decentralized, trust-free process. Because of its decentralized distributed structure, every node can verify the correctness of the data recorded by the other nodes while itself taking part in recording. The nodes are peers, and data is public among them.
The blockchain is the core technology of the Bitcoin system; it was first proposed in the Bitcoin paper published by Satoshi Nakamoto in 2008. Its purpose there is the decentralized payment system that Bitcoin requires, which has to solve the trust problem between the two parties to a transaction, the double-spending problem and the Byzantine generals problem. To reach that goal the paper introduced a transaction model, proof of work, a network architecture, an incentive mechanism, a verification model and so on.
The paper stresses that its description of the blockchain serves the implementation of Bitcoin, so the blockchain technology system itself is not described clearly there. Later researchers studied it in more depth; Yuan Yong and Wang Feiyue describe the blockchain technology system in detail in a blockchain review article. A blockchain covers many parts, from the bottom-layer data structure through the consensus mechanism to the top-layer application protocols, each with a different function, so they are introduced here as a layered structure.
Fig. 1 is a schematic diagram of the basic structure of a blockchain in an embodiment of the present invention. As shown in Fig. 1, the basic structure is divided into six layers: the data layer, network layer, consensus layer, incentive layer, contract layer and application layer. Each layer provides one core function, and together they realize a decentralized trust mechanism.
The application layer comprises programmable currency, programmable finance and programmable society; the contract layer comprises script code, algorithm mechanisms and contract mechanisms; the incentive layer comprises an issuance mechanism and a distribution mechanism; the consensus layer comprises Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof of Stake (DPoS) and the like.
The data layer and the network layer realize the main functions of the blockchain. The data layer describes the physical form of the blockchain technology and comprises data blocks, the chain structure, timestamps, hash functions, Merkle trees, cryptographic algorithms and so on. The two main features of a blockchain are data blocks and the chain structure: physically, a blockchain is a chain of blocks of the same format linked in sequence through the chain structure. The first block in the chain is the genesis block, established by the system designers; after it, new blocks are generated by nodes in the blockchain network according to the creation rule and, once verified, are linked to the main chain, which keeps growing as the system runs. For example, as of 8 June 2016 the main chain of the Bitcoin blockchain had 415291 blocks. Blocks contain the information that a specific application needs to record, such as the transaction information stored in the Bitcoin blockchain. To secure each block the prior art combines several techniques: timestamps ensure that blocks are linked in time order, hash functions ensure that the transaction information cannot be tampered with, the Merkle tree records the specific transaction information, and asymmetric cryptography provides identity authentication. The blockchain structure above is only a basic format; it can be adapted to different application environments.
Each block in the blockchain may comprise a block header and a block body. Blocks are generated one after another in chronological order, each block records all the transaction information that occurred during its creation, and all blocks together form the set that records all the transaction information.
The main purpose of the network layer is to exchange information between the nodes of the blockchain network; it comprises the P2P network, the propagation mechanism and the verification mechanism. The blockchain network is essentially a peer-to-peer (P2P) network in which every node both receives and generates information, and the nodes stay in step by maintaining a common blockchain. Every node in the network is equal and can create a new block; having created one, it broadcasts it to the other nodes, which verify the block information. The new block is accepted only after at least 51% of the participants have verified it, after which the nodes link it to the main chain. The specific block verification method depends on the verification mechanism that the nodes establish in the practical application.
The embodiment of the invention realizes identity authentication on the PaaS platform based on the bottom layers of the blockchain, namely the data layer and the network layer.
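The data-layer mechanism named above, as an added example that is not part of the patent and not the applicants' code: the records stored in a block are summarized in a Merkle tree whose root goes into the block header, so that a verifier holding only the root can confirm that one record belongs to the block from a short inclusion proof, and any change to any record changes the root. The double SHA-256 and the duplication of an odd last node follow Bitcoin's construction; the sample records are constructed for the example.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the node hash used by Bitcoin's Merkle tree."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level: list[bytes]) -> list[bytes]:
    """Hash adjacent pairs; an odd last node is paired with a copy of itself."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(records: list[bytes]) -> bytes:
    """Root hash over the leaf hashes of all records stored in a block."""
    if not records:
        raise ValueError("a block needs at least one record")
    level = [sha256d(r) for r in records]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(records: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Inclusion proof for records[index]: at each level the sibling hash and
    whether that sibling sits to the right of the node on the path."""
    level = [sha256d(r) for r in records]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(record: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from the record's leaf hash to the root. The verifier
    needs only the record, the proof and the root taken from the block header."""
    node = sha256d(record)
    for sibling, sibling_is_right in proof:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root
```

A proof has one sibling per tree level, so its size grows with the logarithm of the number of records, which is what lets a node check membership without holding the whole block body.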
First embodiment
Fig. 2 is a flowchart of the first embodiment of the authentication method based on blockchain technology according to the present invention. As shown in Fig. 2, the method comprises:
Step 200: obtaining the authorized identity information of each initial application program that uses the cloud service, and establishing a blockchain based on the obtained identity information, wherein the established blockchain comprises a block in which identification information of the corresponding authorized identity information is stored.
In this step, the authorized identity information of each initial application program comprises at least one of: user name, mailbox, contact information, age, occupation and so on.
In practice, when a user starts using an application program the user usually has to register an account with personal identity information such as a user name, mailbox, contact information, age or occupation, and the identity information that the same user registers in several applications is highly similar. The identity information of all application programs registered by a user can therefore be found by the identity-information similarity principle, and the identity information the same user registered in different application programs can be combined to establish a user identity-information blockchain in which each block stores the identification information corresponding to the authorization information required when the user logs in to that application program. The identification information is used to log in to the corresponding application program after the authorization information has been authenticated.
Step 201: obtaining the authorized identity information of a new application program that uses the cloud service.
Taking an implementation of the OAuth2 protocol on the PaaS platform as an example: when a user logs in to a new application program in the cloud service for the first time with OAuth2, identity discovery and association have to be performed. They take place after the user has authorized the identity information for the new application program, and the OAuth2 service performs them by sending the authorized identity information to the cloud service.
Step 202: when the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information satisfy a preset authentication condition, generating a block that stores identification information of the authorized identity information of the new application program, and adding the generated block to the blockchain corresponding to the obtained ith identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information records.
After the authorized identity information of the new application program that uses the cloud service has been obtained, the method further comprises: calculating, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application program and each obtained identity information record.
The preset authentication condition may comprise: the similarity between the authorized identity information of the new application program that uses the cloud service and the obtained ith identity information is greater than a similarity threshold.
In practical implementation the preset authentication condition may further comprise: the authorized identity information of the new application program that uses the cloud service has been verified by the user.
For example, the preset similarity calculation method may count the number of items that the authorized identity information has in common with each identity information record held in the cloud service: a "same information number" represents the similarity, it is initialized to 0, and it is incremented by 1 for each item, such as user name, password, mobile phone number, mailbox or nickname, that is identical in both. After the similarity between the authorized identity information and every obtained identity information record has been calculated, it is judged whether the same information number between the authorized identity information and the ith identity information record obtained in the cloud service is greater than the similarity threshold; if so, a block storing the identification information of the new application program's authorized identity information is generated and added to the blockchain corresponding to the obtained ith identity information record.
The identification information of the authorized identity information of the new application program is part of the authorized identity information of the new application program.
For example, when the authorized identity information comprises the user name, mailbox and contact information, the user name may serve as the identification information of the application program's identity information and is stored in the block corresponding to the application program.
Step 203: when it is determined that the new application program needs to be logged in to using the cloud service, obtaining the block corresponding to the new application program in the new blockchain, and logging in to the new application program based on the information stored in the obtained block.
In this step, once the identity information association is complete, that is, once the new blockchain has been created, the user can directly access the resources of the application program corresponding to the cloud service using the identification information stored in the block.
The embodiment of the invention may further comprise: setting access permission information for each application program that uses the cloud service, wherein the access permission information indicates whether the necessary authorized resources of the corresponding application program may be used and/or whether the non-necessary authorized resources of the corresponding application program may be used, the necessary authorized resources being the resources of the cloud service that the corresponding application program must use in order to run. This realizes fine-grained authorization and improves the adaptability of the PaaS platform.
The embodiment of the invention thus combines all identity information of the same user in the cloud service and realizes multi-identity authentication, ensuring the security and reliability of identity authentication, whereas the OAuth2 protocol of the prior art does not combine the various identity information held in the cloud service.
Fig. 3 is a schematic diagram of the authorization process based on blockchain technology in an embodiment of the present invention. As shown in Fig. 3, after the user obtains the identity information registered with a third-party application, the PaaS platform digitally signs the identity information authorized by the third-party application and passes the signature to a Secure Hash Algorithm (SHA) verifier, which produces a check code; the PaaS platform creates a corresponding block for the check code and stores the check code in that new block, authenticates and authorizes the created block, verifies the block information, and adds the block to the corresponding blockchain once verification passes, thereby completing authorization and authentication of the user's identity information.
Fig. 4 is a schematic diagram of the authentication process based on blockchain technology in an embodiment of the present invention. As shown in Fig. 4, the user sends an authentication request through a third-party application; after the request has propagated to the cloud service through the P2P network, the PaaS platform checks the authentication request against the check code information stored in the corresponding blockchain and propagates the verification result through the P2P network; when the authentication request information matches the check code information stored in the blockchain, the third-party application directly accesses the data storage space corresponding to the cloud service and obtains the authorized resources.
In the embodiment of the invention, the authorized identity information of each initial application program that uses the cloud service is obtained and a blockchain is established based on the obtained identity information, the established blockchain comprising a block in which the identification information of the corresponding authorized identity information is stored; the authorized identity information of a new application program that uses the cloud service is obtained; when the authorized identity information of the new application program and the obtained ith identity information satisfy a preset authentication condition, a block storing identification information of the new application program's authorized identity information is generated and added to the blockchain corresponding to the obtained ith identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information records; and when it is determined that the new application program needs to be logged in to using the cloud service, the block corresponding to the new application program in the new blockchain is obtained and the new application program is logged in to based on the information stored in that block. The security of identity authentication on the PaaS platform is thereby ensured, and fine-grained authorization is realized to improve the adaptability of the PaaS platform.
Second embodiment
To further illustrate the object of the invention, the first embodiment is now elaborated.
Fig. 5 is a flowchart of a second embodiment of the authentication method based on blockchain technology according to the invention. As shown in Fig. 5, the method includes:
Step 500: Establish a corresponding blockchain from the identity information of all applications authorized by the user.
It will be understood that when the same user registers several different applications with similar identity information, the identity information registered with each application can be used to establish an application-authorization-information blockchain corresponding to that user.
Step 501: Obtain the authorized identity information of the new application.
When the user registers a new application, again with similar identity information, the new identity information is obtained and identity discovery and federation are performed.
Step 502: Calculate the similarity between the new authorized identity information and the authorized identity information already held in the cloud service.
Optionally, first obtain all authorized identity information in the cloud service that resembles the new authorized identity information; specifically, each candidate shares at least one field with an identical value, for example the user name, mailbox or phone number. Then calculate the similarity between the new authorized identity information and the i-th candidate. The higher the similarity, the more likely the two records come from the same user; once the same user is identified, the different authorized identity information can be federated into that user's identity-information blockchain.
Step 503: Determine whether the similarity exceeds the similarity threshold. If so, go to Step 504; otherwise go to Step 507.
Step 504: Generate a block for storing identification information of the new application's authorized identity information.
When the similarity exceeds the threshold, the new authorized identity information is associated with the authorized identity information in the cloud service; the two are probably the same user's authorizations to different third-party applications. Part of the new authorization information may then be stored in the block as identification information. To protect the user's private information, this part may be the user name or other non-private information. The identification information may instead be ciphertext produced by encrypting the authorized identity information; common algorithms include the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA) and the RSA public-key algorithm (Rivest, Shamir, Adleman), although DES is no longer considered secure and a current deployment would use a modern cipher such as AES. The identification information may also be a digest produced by hashing the authorized identity information. Note that an unkeyed digest of a low-entropy field such as a user name or e-mail address can be inverted by guessing candidate values, so a digest that must not reveal the identity should be keyed (for example an HMAC under a platform key) or salted.
Step 505: Determine whether the block passes PaaS platform verification. If so, go to Step 506; otherwise go to Step 507.
In this step the PaaS platform may generate a challenge from the newly generated block and send it to the user, to confirm that the matched identity is the user's own identity information in the cloud service. If the user confirms, the block passes authentication; otherwise it fails, meaning authentication of the new authorized identity information has failed, and the identity authentication service falls back to the existing OAuth2 protocol.
Step 506: After the generated block is appended to the blockchain corresponding to the acquired i-th identity information, the PaaS platform's authentication and authorization are complete.
Specifically, after the block passes authentication it is propagated across the PaaS platform over the P2P network to update the user's identity-information blockchain.
Step 507: Perform the authentication service according to the existing OAuth2 protocol.
In practice, if the user's identity information has been federated successfully, then when the user accesses the cloud service through OAuth2 the OAuth2 service can log the third-party application into the cloud service directly from the identification information stored in the block, without asking the user for a new authorization; the data space of the cloud service that the user then accesses is the one corresponding to the user's cloud identity. If identity federation fails, that is, no similar identity information is found or the user's confirmation fails, the authentication service proceeds according to the existing OAuth2 protocol.
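The flow of Figs. 3 and 4 together with Steps 500 to 507, as an added worked example in Python that is not part of the patent: one identity-information chain per user, a check code derived from a platform signature (an HMAC under an assumed platform key stands in for the digital signature), a per-field similarity score with a threshold (the patent fixes no metric, so this one is an assumption), a user-confirmation callback standing in for the challenge-response of Step 505, and the fallback to OAuth2 when federation fails. All names, the key and the sample identities in the test are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption (not from the patent): the PaaS platform holds a secret key, and
# an HMAC stands in for its digital signature; a real deployment would use an
# asymmetric signature so that other nodes can verify blocks without the key.
PLATFORM_KEY = b"constructed-paas-platform-key"

# Fields the patent lists as authorized identity information (claim 3 / Step 502).
IDENTITY_FIELDS = ("user_name", "mailbox", "phone", "age", "occupation")


def canonical(data: dict) -> bytes:
    """Stable serialisation so signatures and hashes do not depend on key order."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def platform_signature(identity: dict) -> str:
    """Fig. 3: the PaaS platform signs the authorized identity information."""
    return hmac.new(PLATFORM_KEY, canonical(identity), hashlib.sha256).hexdigest()


def check_code(identity: dict) -> str:
    """Fig. 3: the signature is hashed (SHA-256) to give the check code kept in the block."""
    return hashlib.sha256(platform_signature(identity).encode()).hexdigest()


def block_hash(block: dict) -> str:
    """Hash of every block field except the hash itself; this links the chain."""
    return hashlib.sha256(canonical({k: v for k, v in block.items() if k != "hash"})).hexdigest()


class IdentityChain:
    """One chain per user; each block records one application's authorization."""

    def __init__(self, app: str, identity: dict):
        self.blocks = []
        # The full authorized identity information stays with the cloud service,
        # off-chain; only identification information and the check code go on-chain.
        self.identities = []
        self.append(app, identity)

    def append(self, app: str, identity: dict) -> dict:
        block = {
            "index": len(self.blocks),
            "prev_hash": self.blocks[-1]["hash"] if self.blocks else "0" * 64,
            "app": app,
            # Step 504: only non-private partial information is stored as identification
            "identification": identity["user_name"],
            "check_code": check_code(identity),
        }
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        self.identities.append(identity)
        return block

    def rollback(self) -> None:
        """Discard the most recent block (used when PaaS verification fails)."""
        self.blocks.pop()
        self.identities.pop()

    def verify(self) -> bool:
        """Block-information check of Fig. 3: every hash and back-link must be intact."""
        prev = "0" * 64
        for block in self.blocks:
            if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def authenticate(self, app: str, identity: dict) -> bool:
        """Fig. 4: the request matches if the recomputed check code equals the stored one."""
        expected = check_code(identity)
        return any(b["app"] == app and hmac.compare_digest(b["check_code"], expected)
                   for b in self.blocks)


def similarity(a: dict, b: dict) -> float:
    """Step 502 (assumed metric): share of fields present in both records whose
    case-folded values are equal; 0.0 when the records share no field at all."""
    shared = [f for f in IDENTITY_FIELDS if f in a and f in b]
    if not shared:
        return 0.0
    same = sum(str(a[f]).strip().lower() == str(b[f]).strip().lower() for f in shared)
    return same / len(shared)


def federate(chains, app, identity, threshold=0.6, user_confirms=lambda user_name: True):
    """Steps 501-507. Returns ('federated', chain, block) or ('oauth2_fallback', None, None).
    user_confirms stands in for the challenge-response of Step 505."""
    best, best_chain = 0.0, None
    for chain in chains:                                   # Step 502
        for known in chain.identities:
            score = similarity(identity, known)
            if score > best:
                best, best_chain = score, chain
    if best_chain is None or best <= threshold:            # Step 503
        return ("oauth2_fallback", None, None)             # Step 507
    block = best_chain.append(app, identity)               # Step 504
    if not (user_confirms(block["identification"]) and best_chain.verify()):  # Step 505
        best_chain.rollback()
        return ("oauth2_fallback", None, None)
    return ("federated", best_chain, block)                # Step 506
```

The similarity score only counts exact case-folded matches; a production implementation would normalise phone numbers and mailboxes before comparing them. Because the block stores the user name in the clear, anyone holding a copy of the chain can see which applications a given user has federated, while the check code itself reveals nothing without the platform key.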
Under the OAuth2 protocol, because the cloud service authenticates the user by verifying the OAuth2 identity information sent by the OAuth2 service, all operations and data after login are tied to that OAuth2 identity; a malicious attacker can therefore use the OAuth2 (OpenID) identity to retrieve the activity of the same identity in different cloud services and probe the user's privacy. Such attacks are especially common in social networks.
In the embodiment of the invention, by contrast, the introduction of identity-information discovery and association automatically associates new authorized identity information without requiring the user to enter all of their authorized identity information, which reduces the user's burden and avoids the loss of access to resources that follows from forgotten identity information. At the same time, once the identity information has been federated, the identity information that the OAuth2 service passes to the third-party cloud service consists only of the identification information of the identity with which the user logged into the application, and all operations and data after login are associated only with that identification information, which limits privacy probing to some extent and protects the user's privacy.
Third embodiment
To further illustrate the object of the invention, the first embodiment is now elaborated.
Fig. 6 is a flowchart of an authentication method based on blockchain technology according to a third embodiment of the invention. As shown in Fig. 6, after the identity information authorized by the user has been authenticated, the user can access the corresponding resources in the cloud service directly according to the authorization information stored in the newly established blockchain, and fine-grained authorization is applied to the resources accessed. The process may be as follows:
Step 600: Set access permissions on the resources of each third-party application in the cloud service.
Specifically, the scope field, which in the OAuth2 protocol names the resources being requested, is given an attribute restriction: when a third-party application sends an access request, each resource named in the scope is tagged as either "must authorize" or "optional authorize". "Must authorize" means the user cannot restrict access to the tagged resource; "optional authorize" means the user may freely set the access permission of the tagged resource.
In the prior art, when a third-party application requests a resource of a cloud service it must obtain the user's authorization, and the OAuth2 protocol sends the request by naming all resources to be accessed at once in the scope field. In most OAuth implementations, however, the user can only accept or reject that one-off authorization request as a whole and cannot choose to authorize or refuse an individual resource. In particular, during authorization of identity information, when the third-party cloud service requests sensitive information that the user does not wish to share, such as a phone number or address, the user cannot refuse because they need the third-party application's functions, which seriously weakens the security of the user's resources. The embodiment of the invention therefore applies fine-grained authorization to the resources being accessed, securing the user's resources and improving the adaptability of the PaaS platform.
Step 601: The third-party application accesses its data space in the cloud service directly using the authorization information stored in the blockchain.
Step 602: The user sets the authorization for the resources that the third-party application requests.
For example, third-party application A sends a resource access request to the cloud service; the cloud service logs application A in according to the authorization information stored in its block, then sends the user the resources requested, and the user makes an authorization choice for each. For "must authorize" resources the user can only accept; for "optional authorize" resources the user can set the authorization flexibly, for example the number of uses, the validity period and the party authorized, or refuse it altogether. The cloud service can grant "must authorize" resources directly without prompting the user, and prompts the user to choose only for "optional authorize" resources. Dividing resources into "must authorize" and "optional authorize" in this way leaves the third-party application's functions unaffected while still protecting the user's sensitive resources.
Step 603: The third-party application accesses the resources authorized by the user on the cloud service according to the user's authorization settings.
Specifically, "must authorize" resources are obtained unconditionally, while "optional authorize" resources are obtained only when their authorization conditions are met and otherwise cannot be obtained.
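The scope tagging of Steps 600 to 603, as an added Python example that is not part of the patent: a constructed resource catalogue carrying the "must authorize" / "optional authorize" tag, a Grant record holding the user's per-resource settings (use count, validity period and authorized application, the three conditions the text names), and an authorize function that grants must-authorize resources unconditionally and optional ones only while the grant's conditions hold. How the tag travels alongside the OAuth2 scope string, and the fail-closed handling of untagged resource names, are assumptions of the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step 600 (constructed catalogue, not from the patent): every resource that a
# third-party application may name in the OAuth2 scope carries a tag.
MUST, OPTIONAL = "must authorize", "optional authorize"
RESOURCE_TAGS = {
    "profile:user_name": MUST,
    "profile:mailbox": MUST,
    "profile:phone": OPTIONAL,
    "profile:address": OPTIONAL,
}


@dataclass
class Grant:
    """Step 602: the user's setting for one 'optional authorize' resource."""
    allowed: bool = True
    max_uses: Optional[int] = None      # number of times the grant may be used
    expires_at: Optional[float] = None  # unix time after which the grant lapses
    audience: Optional[str] = None      # the only application allowed to use it
    uses: int = 0


def parse_scope(scope: str) -> List[str]:
    """An OAuth2 scope is a space-separated list of resource names."""
    return scope.split()


def split_request(scope: str, tags: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Sort the requested resources by tag; untagged names are reported separately."""
    requested = parse_scope(scope)
    must = [r for r in requested if tags.get(r) == MUST]
    optional = [r for r in requested if tags.get(r) == OPTIONAL]
    unknown = [r for r in requested if r not in tags]
    return must, optional, unknown


def resources_to_prompt(scope: str, tags: Dict[str, str], grants: Dict[str, Grant]) -> List[str]:
    """Step 602: only optional resources the user has not yet decided on need a prompt."""
    _, optional, _ = split_request(scope, tags)
    return [r for r in optional if r not in grants]


def authorize(scope: str, tags: Dict[str, str], grants: Dict[str, Grant],
              app: str, now: Optional[float] = None) -> Tuple[List[str], List[str]]:
    """Step 603: 'must authorize' resources are granted unconditionally; 'optional
    authorize' resources only while the user's grant conditions hold. Returns
    (granted, denied). Untagged resources are denied (assumed fail-closed default)."""
    now = time.time() if now is None else now
    must, optional, unknown = split_request(scope, tags)
    granted = list(must)
    denied = list(unknown)
    for resource in optional:
        grant = grants.get(resource)
        if grant is None or not grant.allowed:
            denied.append(resource)
        elif grant.expires_at is not None and now > grant.expires_at:
            denied.append(resource)
        elif grant.audience is not None and grant.audience != app:
            denied.append(resource)
        elif grant.max_uses is not None and grant.uses >= grant.max_uses:
            denied.append(resource)
        else:
            grant.uses += 1           # consume one use of a count-limited grant
            granted.append(resource)
    return granted, denied
```

The use counter lives in the Grant record, so a count-limited grant is consumed on every successful evaluation; a server that retries a request internally must therefore evaluate it once per user-visible access, not once per retry.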
Third embodiment
For the method of the embodiment of the invention, the embodiment also provides an authentication apparatus based on blockchain technology. Fig. 7 is a schematic structural diagram of an apparatus for authentication based on blockchain technology according to an embodiment of the invention. As shown in Fig. 7, the apparatus includes an establishing module 700, an obtaining module 701, an authentication module 702 and a login module 703, wherein:
the establishing module 700 is configured to obtain the authorized identity information of each initial application using the cloud service and to establish a blockchain from the obtained identity information, each block of which stores the identification information of the corresponding authorized identity information;
the obtaining module 701 is configured to obtain the authorized identity information of a new application using the cloud service;
the authentication module 702 is configured to generate, when the authorized identity information of the new application using the cloud service and the obtained i-th identity information satisfy a preset authentication condition, a block storing the identification information of the new application's authorized identity information, and to append the generated block to the blockchain corresponding to the obtained i-th identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information items;
the login module 703 is configured to, when it is determined that the new application needs to log in using the cloud service, retrieve the block corresponding to the new application from the new blockchain and log the new application in based on the information stored in that block.
Preferably, the authentication module 702 is further configured to calculate, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application using the cloud service and each item of obtained identity information;
the preset authentication condition may include: the similarity between the authorized identity information of the new application using the cloud service and the obtained i-th identity information exceeds a similarity threshold.
The preset authentication condition may further include: the authorized identity information of the new application using the cloud service has been verified by the user.
Optionally, the authorized identity information of the new application includes at least one of: user name, mailbox, contact details, age, occupation.
Preferably, the identification information of the new application's authorized identity information is part of the new application's authorized identity information.
Preferably, the apparatus may further include an authorization module configured to set access permission information for each application using the cloud service, the access permission information indicating whether the necessarily authorized resources of the corresponding application may be used and/or whether its non-necessary resources may be used, where the necessarily authorized resources of an application are the cloud-service resources that must be used for the application to run.
In practice, the establishing module 700, obtaining module 701, authentication module 702 and login module 703 may be implemented by a Central Processing Unit (CPU), Microprocessor Unit (MPU), Digital Signal Processor (DSP), Field Programmable Gate Array (FPGA) or the like in the terminal device.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A method of authentication based on blockchain technology, the method comprising:
obtaining the authorized identity information of each initial application using the cloud service, and establishing a blockchain from the obtained identity information, the established blockchain including blocks each storing the identification information of the corresponding authorized identity information;
obtaining the authorized identity information of a new application using the cloud service;
calculating, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application using the cloud service and each item of obtained identity information;
when the authorized identity information of the new application using the cloud service and the obtained i-th identity information satisfy a preset authentication condition, generating a block storing the identification information of the new application's authorized identity information, and appending the generated block to the blockchain corresponding to the obtained i-th identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information items; wherein the preset authentication condition includes: the similarity between the authorized identity information of the new application using the cloud service and the obtained i-th identity information being greater than a similarity threshold; and
when it is determined that the new application needs to log in using the cloud service, retrieving the block corresponding to the new application from the new blockchain, and logging the new application in based on the information stored in the retrieved block.
2. The method according to claim 1, wherein the preset authentication condition further includes: the authorized identity information of the new application using the cloud service having been verified by the user.
3. The method according to claim 1, wherein the authorized identity information of the new application includes at least one of: user name, mailbox, contact details, age, occupation.
4. The method according to claim 1, wherein the identification information of the new application's authorized identity information is part of the new application's authorized identity information.
5. The method according to claim 1, further comprising: setting access permission information for each application using the cloud service, the access permission information indicating whether the necessarily authorized resources of the corresponding application are allowed to be used and/or whether the non-necessary resources of the corresponding application are allowed to be used, the necessarily authorized resources of the corresponding application being the cloud-service resources that must be used for the corresponding application to run.
6. An apparatus for authentication based on blockchain technology, the apparatus comprising an establishing module, an obtaining module, an authentication module and a login module, wherein:
the establishing module is configured to obtain the authorized identity information of each initial application using the cloud service, and to establish a blockchain from the obtained identity information, the established blockchain including blocks each storing the identification information of the corresponding authorized identity information;
the obtaining module is configured to obtain the authorized identity information of a new application using the cloud service;
the authentication module is configured to calculate, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application using the cloud service and each item of obtained identity information;
the authentication module is configured to generate, when the authorized identity information of the new application using the cloud service and the obtained i-th identity information satisfy a preset authentication condition, a block storing the identification information of the new application's authorized identity information, and to append the generated block to the blockchain corresponding to the obtained i-th identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of obtained identity information items; wherein the preset authentication condition includes: the similarity between the authorized identity information of the new application using the cloud service and the obtained i-th identity information being greater than a similarity threshold; and
the login module is configured to, when it is determined that the new application needs to log in using the cloud service, retrieve the block corresponding to the new application from the new blockchain, and log the new application in based on the information stored in the retrieved block.
7. The apparatus according to claim 6, wherein the preset authentication condition further includes: the authorized identity information of the new application using the cloud service having been verified by the user.
8. The apparatus according to claim 6, wherein the authorized identity information of the new application includes at least one of: user name, mailbox, contact details, age, occupation.
9. The apparatus according to claim 6, wherein the identification information of the new application's authorized identity information is part of the new application's authorized identity information.
10. The apparatus according to claim 6, further comprising an authorization module configured to set access permission information for each application using the cloud service, the access permission information indicating whether the necessarily authorized resources of the corresponding application are allowed to be used and/or whether the non-necessary resources of the corresponding application are allowed to be used, the necessarily authorized resources of the corresponding application being the cloud-service resources that must be used for the corresponding application to run.
CN201611248779.4A 2016-12-29 2016-12-29 Authentication method and device based on block chain technology Active CN108259438B (en)

Publications (2)

Publication Number Publication Date
CN108259438A CN108259438A (en) 2018-07-06
CN108259438B true CN108259438B (en) 2021-02-05

Family

ID=62721555


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant