CN108683507B - Method for verifying integrity of cloud certificate through traceable linked list - Google Patents


Publication number
CN108683507B
Authority
CN
China
Prior art keywords
certificate
node
information
stored
previous
Legal status
Active
Application number
CN201810417366.7A
Other languages
Chinese (zh)
Other versions
CN108683507A (en
Inventor
何鸥翔
蔡燕
颜星
徐雪松
王刚
徐智
Current Assignee
Hunan Southern Wallgreat Information Security Technology Co ltd
Hunan Dongfang Hualong Information Technology Co ltd
Original Assignee
Hunan Southern Wallgreat Information Security Technology Co ltd
Hunan Dongfang Hualong Information Technology Co ltd
Application filed by Hunan Southern Wallgreat Information Security Technology Co ltd and Hunan Dongfang Hualong Information Technology Co ltd
Priority to CN201810417366.7A
Publication of CN108683507A
Application granted
Publication of CN108683507B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method for verifying the integrity of a cloud certificate through a traceable linked list. The method is applied to a cloud server in which personal information of a user and one or more certificates of the user are stored. Each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to their establishment time; except for the first certificate node, each certificate node stores the path information and the node digest value of the previous certificate node. The method comprises the following steps: searching for the current certificate node according to the path information of the current certificate node stored in the previous certificate node; calculating the node digest value of the previous certificate node; and verifying, according to the calculated node digest value and the stored node digest value, whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with. The invention makes the storage of cloud certificates more flexible, improves the way cloud certificates are verified, and improves the reliability of the certificates.

Description

Method for verifying integrity of cloud certificate through traceable linked list
Technical Field
The invention relates to the technical field of certificate verification, in particular to a method for verifying integrity of a cloud certificate through a traceable linked list.
Background
With the development of society, applications that make life and work more convenient are continually being developed, and different applications need different digital certificates to verify the identity of a user, so one user may hold multiple application certificates. A large number of certificates can be stored in the cloud, and as the number of certificates keeps growing, an effective management approach is needed. Although the existing linked-list storage mode supports adding, deleting, modifying and querying data, it is difficult to keep a trace of the data modification history, so the linked list only guarantees that addresses are correct and does not guarantee the integrity of the data.
Disclosure of Invention
In view of this, the present invention provides a method for verifying integrity of a cloud certificate through a traceable linked list, so as to improve a verification manner of the cloud certificate and improve reliability of the certificate.
In a first aspect, an embodiment of the present invention provides a method for verifying integrity of a cloud certificate through a traceable linked list, where the method is applied to a cloud server, and personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; for each certificate node other than the first, the previous certificate node stores the path information of the current certificate node; the current certificate node also stores the node digest value of the previous certificate node; the method comprises the following steps: searching for the current certificate node according to the path information of the current certificate node stored in the previous certificate node; calculating the node digest value of the previous certificate node; and verifying, according to the calculated node digest value and the stored node digest value, whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the step of verifying, according to the calculated node digest value and the stored node digest value, whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with includes: judging whether the calculated node digest value matches the stored node digest value; if so, determining that the arrangement position of the current certificate node is correct and that the previous certificate node has not been tampered with.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the first certificate node stores path information, certificate information and identity information of the personal information, and a second digest value corresponding to the certificate information and the identity information; the method further comprises the following steps: calculating the second digest value corresponding to the certificate information and the identity information; judging whether the calculated second digest value matches the stored second digest value; if so, determining that the first certificate node has not been tampered with.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the certificate nodes other than the first certificate node also store certificate information, identity information, and a second digest value corresponding to the certificate information and the identity information; the method further comprises the following steps: calculating the second digest value of the certificate information and the identity information; judging whether the calculated second digest value matches the stored second digest value; if so, determining that the current certificate node has not been tampered with.
With reference to the second or third possible implementation manner of the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where the method further includes: receiving a certificate access request of a user; searching for the certificate node corresponding to the certificate access request; judging whether the digest value of the identity information in the certificate node matches the first digest value of the personal information of the user; if so, determining that the personal information has not been tampered with; and opening the usage right of the certificate in the certificate node.
With reference to the fourth possible implementation manner of the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the step of opening the usage right of the certificate in the certificate node includes: judging whether the index of the certificate information of the certificate node is matched with the certificate access request or not; if so, the usage right of the certificate in the certificate node is opened.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where the certificate information includes a certificate, a public key and a private key of the certificate; the certificate comprises a signature certificate and an encryption certificate; the certificate information also includes an index of the certificate information.
With reference to the sixth possible implementation manner of the first aspect, an embodiment of the present invention provides a seventh possible implementation manner of the first aspect, where except for a last certificate node, path information of a subsequent certificate node is also stored in other certificate nodes; the step of searching the current certificate node through the path information of the current certificate node stored in the previous certificate node comprises the following steps: searching the current certificate node according to the path information of the current certificate node stored in the previous certificate node; extracting path information of a previous certificate node from a current certificate node; judging whether the extracted path information of the previous certificate node is consistent with the current path information of the previous certificate node; and if so, determining that the path information of the current certificate node is correct.
In a second aspect, an embodiment of the present invention provides an apparatus for verifying integrity of a cloud certificate through a traceable linked list, where the apparatus is disposed in a cloud server, and personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; for each certificate node other than the first, the previous certificate node stores the path information of the current certificate node; the current certificate node also stores the node digest value of the previous certificate node; the apparatus comprises: a searching module, used for searching for the current certificate node through the path information of the current certificate node stored in the previous certificate node; a calculation module, used for calculating the node digest value of the previous certificate node; and a verification module, used for verifying, according to the calculated node digest value and the stored node digest value, whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with.
In a third aspect, an embodiment of the present invention provides a cloud server, where the apparatus in the second aspect is disposed in the cloud server.
The embodiment of the invention has the following beneficial effects: the invention provides a method and an apparatus for verifying integrity of a cloud certificate through a traceable linked list, and a cloud server, wherein personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; for each certificate node other than the first, the previous certificate node stores the path information of the current certificate node; the current certificate node also stores the node digest value of the previous certificate node; the current certificate node can be found through the path information of the current certificate node stored in the previous certificate node; the node digest value of the previous certificate node is then calculated; according to the calculated node digest value and the stored node digest value, it can be verified whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with. In this way a certificate chain of the user is formed, so that not only the integrity of the certificate node information but also the integrity of the certificate chain can be verified; the verification is more complete, and the reliability of the cloud certificate is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention as set forth above.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for verifying integrity of a cloud certificate through a traceable linked list according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a personal certificate chain according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of certificate information according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of personal information according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a certificate node according to an embodiment of the present invention;
Fig. 6 is a flowchart of another method for verifying integrity of a cloud certificate through a traceable linked list according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an apparatus for verifying integrity of a cloud certificate through a traceable linked list according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In consideration of the problem that the existing verification mode of the cloud certificate is incomplete, so that the reliability of the certificate is low, the embodiment of the invention provides a method and a device for verifying the integrity of the cloud certificate through a traceable linked list and a cloud server; the technology can be applied to scenes of cloud verification, access to digital certificates or authentication certificates; the techniques may be implemented in associated software or hardware, as described by way of example below.
Referring to Fig. 1, a flowchart of a method for verifying integrity of a cloud certificate through a traceable linked list is shown, where the method is applied to a cloud server, where personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; for each certificate node other than the first, the previous certificate node stores the path information of the current certificate node; the current certificate node also holds the node digest value of the previous certificate node.
Generally, the cloud server may be a centralized storage server or a distributed storage server; when the cloud server is in distributed storage, personal information and certificate information of the same user and different certificate information can be stored in different storage nodes; that is, the storage node of the personal information and the certificate node described below may be the same server host or may be distributed to different server hosts, without being limited to physical devices.
The method comprises the following steps:
Step S102, searching for the current certificate node through the path information of the current certificate node stored in the previous certificate node;
Step S104, calculating the node digest value of the previous certificate node;
Step S106, verifying, according to the calculated node digest value and the stored node digest value, whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with.
After the current certificate node is established, the path information of the current certificate node may be stored in the previous certificate node, so that the second certificate node can be found in the previous certificate node in the subsequent searching process.
The current certificate node also stores the node digest value of the previous certificate node. This node digest value may be obtained by applying a function to three inputs held in the previous certificate node: the node digest value that the previous certificate node itself stores for its own predecessor (if the previous certificate node is the first certificate node, this is the digest value of the personal information), the certificate information, and the identity information. The system can calculate the node digest value of the previous certificate node in real time and match it against the corresponding node digest value stored in the current certificate node; if the match succeeds, the previous certificate node has not been tampered with, and the arrangement relation between the current certificate node and the previous certificate node is confirmed to be correct.
As can be seen from the above, a personal certificate chain may be formed between the personal information and the certificate nodes of the same user, as shown in Fig. 2. After the system finds the personal information of the user, it can find the next certificate node connected to it through the path information of the current node, and thereby traverse all the certificate nodes of the user; even if the certificate nodes of the same user are stored in different database hosts, they can be found quickly through the path information. Meanwhile, each certificate node also stores the digest value of the previous certificate node, so that whether the content of the previous certificate node has been tampered with can be verified; each certificate node also stores the digest value of the related information in that certificate node, so that whether the content of the current certificate has been tampered with can be verified. The certificate chain shown in Fig. 2 is a general chain structure; with this structure, the system can find all certificates of the individual from the personal information and obtain basic information of a specified certificate according to the specific type information of the certificate.
According to the method for verifying the integrity of the cloud certificate through the traceable linked list, the personal information of the user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; for each certificate node other than the first, the previous certificate node stores the path information of the current certificate node; the current certificate node also stores the node digest value of the previous certificate node; the current certificate node can be found through the path information of the current certificate node stored in the previous certificate node; the node digest value of the previous certificate node is then calculated; according to the calculated node digest value and the stored node digest value, it can be verified whether the arrangement position of the current certificate node is correct and whether the previous certificate node has been tampered with. In this way a certificate chain of the user is formed, so that not only the integrity of the certificate node information but also the integrity of the certificate chain can be verified; the verification is more complete, and the reliability of the cloud certificate is improved.
The embodiment of the invention also provides another method for verifying the integrity of the cloud certificate through the traceable linked list; the method is realized on the basis of the method shown in FIG. 1; the method is applied to a cloud server, and personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time.
The first certificate node stores path information, certificate information and identity information of the personal information, and a second digest value corresponding to the certificate information and the identity information. Except the first certificate node, other certificate nodes store path information and node digest value, certificate information and identity information of the previous certificate node, and second digest values corresponding to the certificate information and the identity information.
The first digest value may be obtained through hash transformation, that is, the first digest value may be a hash value; after the first digest value is generated, no modification or update is typically allowed. Further, the identity information and the first digest value can be signed by adopting a private key of the system to obtain a signature result; the signature result can be used for protecting the integrity and the validity of the identity information and the first digest value, and the signature of the signature result is verified through a public key corresponding to the system.
The certificate information comprises a certificate, a public key and a private key of the certificate; the certificate comprises a signature certificate and an encryption certificate; the certificate information also includes an index of the certificate information. The certificate, the public key and the private key of the certificate can be uploaded to the cloud server by the user through terminal equipment; the index of the certificate information may be derived from the certificate or from information related to the certificate, for example, application type information of the certificate; the index of the certificate information can be generated on the terminal equipment of the user and uploaded to the cloud server, or it can be generated by the cloud server from information such as the certificate uploaded by the user and the public key and private key of the certificate.
Usually, when the first certificate node is established, the path information of that certificate node is also stored in the storage node corresponding to the personal information, so that the system can obtain the first certificate node by querying the path information in the personal information; when a certificate node other than the first is established, the path information of that certificate node is also stored in the previous certificate node, so that the system can obtain the current certificate node by querying the path information in the previous certificate node.
For example, Fig. 3 is a diagram illustrating certificate information; the certificate information includes signature certificate information and encryption certificate information; the information in the signature certificate information and the encryption certificate information is general certificate information. The signature certificate information comprises a signature certificate, a signature certificate public key and a signature certificate private key; the encryption certificate information includes an encryption certificate, an encryption certificate public key, and an encryption certificate private key. The index of the certificate information may be derived from the application type of the signature certificate information and the encryption certificate information.
The personal information can be stored in a storage node in the corresponding cloud server; Fig. 4 is a schematic view of personal information; the personal information comprises identity information, a first digest value, a signature result and path information of the first certificate node; in this embodiment, the path information of the personal information and of the certificate nodes may both be full-path file names.
Fig. 5 is a schematic diagram of a certificate node; the certificate node includes the path information and node digest value of the previous certificate node, certificate information, identity information, a second digest value, and path information of the next certificate. It can be understood that, in the first certificate node, the path information of the previous certificate node may be the path information of the personal information, or may be set to zero; the node digest value can be the digest value of the personal information, or can be set to zero; when the first certificate node is established, the path information of the next certificate of the first certificate node can also be set to zero, and when the second certificate node is established, the path information of the second certificate node can be stored in the path information of the next certificate of the first certificate node. The first digest value and the second digest value may be obtained through hash transformation.
Referring to FIG. 6, a flowchart of another method for verifying integrity of cloud certificates through a traceable linked list is shown; the method comprises the following steps:
Step S602, searching a first certificate node through the path information of the first certificate node stored in the personal information;
Step S604, calculating a second digest value corresponding to the certificate information and the identity information; judging whether the calculated second digest value is matched with the stored second digest value; if so, it is determined that the first certificate node has not been tampered with.
When a user uploads a first certificate of the user, a server needs to establish a first certificate node; after the first certificate node is established, the path information of the first certificate node may be stored in the personal information. Therefore, the position of the first certificate node can be found through personal information; meanwhile, path information of personal information is stored in the first certificate node so as to verify whether the first certificate node is matched with the path information of the first certificate node stored in the personal information; if there is a match, it can be determined that the connection relationship between the personal information and the first certificate node is normal.
The first certificate node also stores identity information; by matching the digest value of this identity information against the first digest value in the personal information, it can be determined, if the matching is successful, that the first certificate node belongs to the user corresponding to the personal information. The second digest value is obtained by performing a function operation on the certificate information and the first digest value, for example, a hash operation; the system can calculate the second digest value of the certificate information and the identity information in real time and then match it against the second digest value stored in the first certificate node, and if the matching is successful, it can be determined that the certificate information and the first digest value in the first certificate node have not been tampered with.
Step S606, for other certificate nodes except the first certificate node, searching the current certificate node through the path information of the current certificate node stored in the previous certificate node;
In order to link the certificates of the same user into a certificate chain, path information of the subsequent certificate node is also stored in every certificate node except the last certificate node; based on this, the step S202 can be specifically realized by the following steps:
step 1, searching a current certificate node through path information of the current certificate node stored in a previous certificate node;
step 2, extracting the path information of the previous certificate node from the current certificate node;
step 3, judging whether the extracted path information of the previous certificate node is consistent with the current path information of the previous certificate node; and if so, determining that the path information of the current certificate node is correct.
Step S608, calculating the node digest value of the previous certificate node; judging whether the calculated node digest value is matched with the stored node digest value; if so, the arrangement position of the current certificate node is determined to be correct, and the previous certificate node is not tampered.
The node digest value may be obtained by a function operation performed on the node digest value of the previous certificate node (if the endmost certificate node is the first certificate node, the digest value is the digest value of the personal information), the certificate information in the endmost certificate node, and the identity information stored in the previous certificate node. The system can calculate the node digest value of the previous certificate node in real time and match the node digest value with the corresponding node digest value stored in the current certificate node, and if the matching is successful, the previous certificate node is not tampered.
Step S610, calculating a second digest value of the certificate information and the identity information; judging whether the calculated second digest value is matched with the stored second digest value; if so, it is determined that the current certificate node has not been tampered with.
Step S612, receiving a certificate access request of a user;
Step S614, finding a certificate node corresponding to the certificate access request; judging whether the digest value of the identity information in the certificate node is matched with the first digest value of the personal information of the user; if so, determining that the personal information is not tampered; opening the usage rights of the certificate in the certificate node.
When authentication processing is performed through a certificate, a large operation memory is often occupied; in order to avoid a large operation load and resource waste caused by operation of using a mismatched certificate by a server, before the permission of using the certificate in a certificate node is opened, matching of a digest value of identity information and a first digest value is used as a precondition, whether the certificate node is the certificate node of the user is determined through the first digest value, and after the condition is determined, the certificate is used for operation; meanwhile, whether the personal information in the certificate chain is tampered or not can be verified.
Further, the step of opening the usage right of the certificate in the certificate node includes: judging whether the index of the certificate information of the certificate node is matched with the certificate access request or not; if so, the usage right of the certificate in the certificate node is opened. The certificate access request may include the identity information of the user, and an application type identifier or other identifier of the certificate to be accessed; the system searches the position of the personal information of the user through the identity information, further searches the certificate nodes of the user one by one through the path information, and if the index of the certificate information on the current certificate node is matched with the application type identification of the certificate, the certificate can be determined to be the certificate required by the user, so that the use authority of the certificate in the certificate node is opened.
In the above manner, all certificates applied for by a person at different times and for different application modes logically form a chain relationship, constituting a personal certificate chain; the personal certificate chain guarantees that the certificates on the chain are not tampered with and that the certificates are valid; the certificates on the certificate chain can be stored in a distributed mode, so the chain does not require all certificates to be located at the same position, the positions of the certificates can be changed, and if the certificate content is tampered with, the certificate chain can be used to verify it; the personal certificate chain supports certificate tracing: the chain can only be added to, and the existing certificate chain cannot be deleted or updated, so the whole life cycle of a personal certificate is retained and files encrypted by a specified certificate can be decrypted and restored; before the user uses his or her own certificate, the certificate on the certificate chain is matched with the personal information to determine that the personal certificate meets the requirement, which provides a precondition guarantee for subsequent certificate operations and reduces the load of subsequent operations on the system.
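The traversal in steps S602 to S610 and the identity match of step S614, as an added sketch that is not code from the patent. SHA-256, the length-prefixed field encoding, the in-memory `store` dictionary standing in for cloud storage nodes, and all paths and certificate bytes are assumptions; the signature result in the personal information is omitted.

```python
import hashlib
from dataclasses import dataclass

ZERO = b"\x00" * 32  # "set to zero" value the text allows on the first node


def digest(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (hash and encoding are assumptions)."""
    framed = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(framed).digest()


@dataclass
class PersonalInfo:
    path: str
    identity: bytes
    first_digest: bytes        # digest of the identity information
    first_node_path: str = ""  # empty until the first certificate is stored


@dataclass
class CertNode:
    path: str
    prev_path: str             # previous node, or the personal information
    prev_node_digest: bytes    # node digest of the previous node (ZERO on first)
    cert_info: bytes
    identity: bytes
    second_digest: bytes       # digest of cert_info and identity
    next_path: str = ""        # empty on the last node

    def node_digest(self) -> bytes:
        return digest(self.prev_node_digest, self.cert_info, self.identity)


def append_certificate(store, person, path, cert_info):
    """Create a node at `path` and link it to the end of the person's chain."""
    prev, p = None, person.first_node_path
    while p:
        prev, p = store[p], store[p].next_path
    store[path] = CertNode(
        path, prev.path if prev else person.path,
        prev.node_digest() if prev else ZERO,
        cert_info, person.identity, digest(cert_info, person.identity))
    if prev:
        prev.next_path = path
    else:
        person.first_node_path = path


def verify_chain(store, person):
    """Walk the chain from the personal information; return the problems found."""
    problems, seen = [], set()
    prev, prev_path, path = None, person.path, person.first_node_path
    while path:
        node = store.get(path)
        if node is None or path in seen:
            problems.append(f"{path}: missing node or loop in path information")
            break
        seen.add(path)
        if node.prev_path != prev_path:  # S606: back-link check
            problems.append(f"{path}: back-link is not {prev_path}")
        if prev and node.prev_node_digest != prev.node_digest():  # S608
            problems.append(f"{path}: previous node tampered or wrong position")
        if digest(node.cert_info, node.identity) != node.second_digest:  # S604/S610
            problems.append(f"{path}: certificate or identity information altered")
        if digest(node.identity) != person.first_digest:  # S614 precondition
            problems.append(f"{path}: identity does not match personal information")
        prev, prev_path, path = node, node.path, node.next_path
    return problems


def build_sample_chain():
    """Constructed sample: three certificates stored at unrelated paths."""
    store, user = {}, PersonalInfo("/info/u1", b"user-0001", digest(b"user-0001"))
    for path, cert in [("/a/sign18", b"sign-2018"), ("/b/enc19", b"enc-2019"),
                       ("/c/sign20", b"sign-2020")]:
        append_certificate(store, user, path, cert)
    return store, user


if __name__ == "__main__":
    store, user = build_sample_chain()
    store["/b/enc19"].cert_info = b"forged"  # constructed tampering
    print(verify_chain(store, user))
```

In this sketch a node that is rewritten together with its own second digest is still reported through the node digest stored in its successor; the last node has no successor, so only its second digest and identity checks apply to it.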
Corresponding to the above method embodiment, referring to FIG. 7, a schematic structural diagram of an apparatus for verifying integrity of a cloud certificate through a traceable linked list is shown, where the apparatus is disposed in a cloud server, and personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; except the first certificate node, the previous certificate node of other certificate nodes stores the path information of the current certificate node of other certificates; the current certificate node also stores the node digest value of the previous certificate node; the device includes:
a searching module 70, configured to search a current certificate node according to path information of the current certificate node stored in a previous certificate node;
a calculation module 71, configured to calculate a node digest value of a previous certificate node;
and the verification module 72 is configured to verify whether the arrangement position of the current certificate node is correct and whether the previous certificate node is tampered according to the calculated node digest value and the stored node digest value.
The embodiment of the invention also provides a cloud server, and the device for verifying the integrity of the cloud certificate through the traceable linked list is arranged in the cloud server.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the cloud server may refer to the corresponding process in the foregoing method embodiment, and details are not repeated herein.
The cloud server provided by the embodiment of the invention has the same technical characteristics as the method and the device for verifying the integrity of the cloud certificate through the traceable linked list provided by the embodiment, so that the same technical problems can be solved, and the same technical effect can be achieved.
According to the method, the device and the cloud server for verifying the integrity of the cloud certificate through the traceable linked list, the cloud certificate is stored flexibly; by traversing from the first certificate to the last certificate, the "hash value of all previous information" of the current certificate and the "hash value of all previous information" of the next certificate on the certificate chain are checked for correctness, so that whether the certificate chain has been tampered with is determined and the integrity of the chain is guaranteed; for any selected certificate in the chain, the hash values of the two parts of preceding information are verified, and whether the certificate has been tampered with is determined by acquiring the information of the certificate before it and the certificate after it, ensuring the integrity of the certificate; meanwhile, the burden on the background operation system can be reduced, and the validity of the certificate and the matching of the certificate with the personal information can be ensured before operation.
The method and the apparatus for verifying integrity of a cloud certificate through a traceable linked list and the computer program product of the cloud server provided by the embodiments of the present invention include a computer readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and details are not described herein.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for verifying integrity of cloud certificates through a traceable linked list is applied to a cloud server, wherein personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; except the first certificate node, the previous certificate node of other certificate nodes stores the path information of the current certificate node of other certificates; the current certificate node also stores the node digest value of the previous certificate node;
the method comprises the following steps:
searching the current certificate node according to the path information of the current certificate node stored in the previous certificate node;
calculating a node digest value of the previous certificate node;
and verifying whether the arrangement position of the current certificate node is correct and whether the previous certificate node is tampered according to the calculated node digest value and the stored node digest value.
2. The method according to claim 1, wherein the step of verifying whether the arrangement position of the current certificate node is correct and whether the previous certificate node is tampered with based on the calculated node digest value and the stored node digest value comprises:
judging whether the calculated node digest value is matched with the stored node digest value;
if so, determining that the arrangement position of the current certificate node is correct and the previous certificate node is not tampered.
3. The method of claim 1, wherein the first certificate node stores path information, certificate information, identity information of the personal information, and a second digest corresponding to the certificate information and the identity information;
the method further comprises the following steps:
calculating a second digest value corresponding to the certificate information and the identity information;
judging whether the calculated second digest value is matched with the stored second digest value;
if so, it is determined that the first certificate node has not been tampered with.
4. The method according to claim 1, wherein besides the first certificate node, certificate information, identity information, and a second digest value corresponding to the certificate information and the identity information are stored in other certificate nodes;
the method further comprises the following steps:
calculating a second digest value of the certificate information and the identity information;
judging whether the calculated second digest value is matched with the stored second digest value;
if so, determining that the current certificate node has not been tampered.
5. The method according to claim 3 or 4, characterized in that the method further comprises:
receiving a certificate access request of the user;
searching a certificate node corresponding to the certificate access request;
judging whether the digest value of the identity information in the certificate node is matched with the first digest value of the personal information of the user;
if yes, determining that the personal information is not tampered; opening the usage rights of the certificate in the certificate node.
6. The method according to claim 5, wherein the step of opening the right to use the certificate in the certificate node comprises:
judging whether the index of the certificate information of the certificate node is matched with the certificate access request or not;
if so, opening the use right of the certificate in the certificate node.
7. The method of claim 1, wherein the certificate information comprises a certificate, a public key and a private key of the certificate; the certificate comprises a signature certificate and an encryption certificate; the certificate information also includes an index of the certificate information.
8. The method according to claim 7, wherein path information of a subsequent certificate node is stored in other certificate nodes except for a last certificate node;
the step of searching the current certificate node through the path information of the current certificate node stored in the previous certificate node includes:
searching the current certificate node according to the path information of the current certificate node stored in the previous certificate node;
extracting path information of the previous certificate node from the current certificate node;
judging whether the extracted path information of the previous certificate node is consistent with the current path information of the previous certificate node or not;
and if so, determining that the path information of the current certificate node is correct.
9. An apparatus for verifying integrity of a cloud certificate via a traceable linked list, the apparatus being disposed in a cloud server, wherein personal information of a user and one or more certificates of the user are stored in the cloud server; each certificate is stored on a corresponding certificate node; the certificate nodes are arranged in sequence according to the establishment time; except the first certificate node, the previous certificate node of other certificate nodes stores the path information of the current certificate node of other certificates; the current certificate node also stores the node digest value of the previous certificate node;
the device comprises:
the searching module is used for searching the current certificate node through the path information of the current certificate node stored in the previous certificate node;
a calculation module, configured to calculate a node digest value of the previous certificate node;
and the verification module is used for verifying whether the arrangement position of the current certificate node is correct and whether the previous certificate node is tampered or not according to the calculated node digest value and the stored node digest value.
10. A cloud server, wherein the apparatus of claim 9 is disposed in the cloud server.
CN201810417366.7A 2018-05-03 2018-05-03 Method for verifying integrity of cloud certificate through traceable linked list Active CN108683507B (en)

Publications (2)

Publication Number Publication Date
CN108683507A CN108683507A (en) 2018-10-19
CN108683507B true CN108683507B (en) 2021-06-29

Family

ID=63802791

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant