CN108881471B - Union-based whole-network unified trust anchor system and construction method - Google Patents
Union-based whole-network unified trust anchor system and construction method
- Publication number: CN108881471B (application CN201810743031.4A)
- Authority: CN (China)
- Legal status: Active
Classifications
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
The invention provides an alliance-based network-wide unified trust anchor system and a construction method. The system includes: an alliance area, which includes n root-of-trust servers, each connected to every other; n top-level trust server sets, each connected to one root-of-trust server, each including m top-level trust servers, the m top-level trust servers being connected to the same root-of-trust server; n*m authority trust server sets, each connected to one top-level trust server, each including j authority trust servers, the j authority trust servers being connected to the same top-level trust server; and n*m*j terminal sets, each connected to one authority trust server, each including i terminals, the i terminals being connected to the same authority trust server.
Description
Technical field
The invention relates to the field of communications, and in particular to an alliance-based network-wide unified trust anchor system and a construction method.
Background
Because the existing TCP/IP protocol has no built-in security mechanism such as address authenticity verification, the source of an attack and the identity of the attacker are difficult to trace. Routers forward packets by destination address and do not verify where a packet came from, so the many attacks that rely on address forgery cannot be tracked; this gives rise to a large number of attacks such as source address spoofing, route hijacking and denial of service, which seriously threaten network security. Solving the problem of network naming security, including address security, and building a secure and trustworthy Internet environment has become an important task that urgently needs to be addressed.
In research on network naming security, cryptography-based address security mechanisms have received increasing attention, including certificate-based public key cryptography and self-certifying mechanisms. Under a public key cryptosystem, public key digital signature technology relies on CA certificates issued by a public key infrastructure (PKI) to bind an entity's identity to its public key, so as to guarantee the authenticity of the entity's public key. Binding a user's public key to the user's identity in the form of a public key certificate is a mature solution to network security problems. However, by introducing a trusted third-party CA, PKI incurs costs in certificate management, storage and computation: first, the procedures for issuing, publishing, obtaining, verifying and revoking certificates are complex; second, an online certificate directory must provide certificate download and status query services to users at all times, which increases maintenance overhead; third, if a user communicates with many parties, the user must store and manage all of those certificates locally, which increases client-side overhead; fourth, large-scale key management is generally handled by physically adding CAs, and cross-certification and trust management between the users of different CAs then become a further problem.
With the rapid development of the mobile Internet and the Internet of Things, the number of sensors, wearable devices and smart terminals connected to the Internet has grown dramatically, and the number of public keys needed for entity authentication is enormous. How to manage public keys efficiently, and how a remote communicating entity obtains the other party's public key and confirms its authenticity, will become a challenge, and an important question for whether a future Internet architecture can be deployed at all.
Summary of the invention
The invention aims to overcome at least one of the above defects by providing an alliance-based network-wide unified trust anchor system and construction method, so as to achieve efficient management of public keys.
To achieve the above object, the technical solution of the invention is realized as follows:
One aspect of the invention provides an alliance-based network-wide unified trust anchor system, comprising: an alliance area, which includes n root-of-trust servers, each connected to every other; n top-level trust server sets, each connected to one root-of-trust server, each including m top-level trust servers, the m top-level trust servers being connected to the same root-of-trust server; n*m authority trust server sets, each connected to one top-level trust server, each including j authority trust servers, the j authority trust servers being connected to the same top-level trust server; and n*m*j terminal sets, each connected to one authority trust server, each including i terminals, the i terminals being connected to the same authority trust server. Each root-of-trust server stores the names and public keys of all root-of-trust servers and the names, addresses and public keys of all top-level trust servers, and issues certificates; every root-of-trust server stores exactly the same information, and a consensus algorithm keeps the stored information consistent. Each top-level trust server stores its own public key and the names, addresses and public keys of the authority trust servers connected to it. Each authority trust server stores its own public key and the names, addresses and public keys of the terminals connected to it.
In addition, each top-level trust server set may be connected to all root-of-trust servers: each top-level trust server set includes m top-level trust servers, and the m top-level trust servers are connected to every root-of-trust server.
In addition, a top-level trust server is further configured to send a change request to the root-of-trust server connected to it; the root-of-trust server is further configured to put a change resolution to the alliance area and, once the resolution passes under the preset resolution policy, to respond to the top-level trust server's change request and update the data stored in all root-of-trust servers in the alliance area through the consensus algorithm; the top-level trust server is further configured to carry out the change.
In addition, a root-of-trust server is further configured to put a change resolution to the alliance and, once the resolution passes under the preset resolution policy, to change its own data and update the data stored in all root-of-trust servers in the alliance area through the consensus algorithm.
In addition, a terminal is further configured to send a query request concerning a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it finds no information on the peer terminal, to forward the query request to the top-level trust server connected to it; the top-level trust server is further configured, when it finds no information on the peer terminal, to forward the query request to the root-of-trust server connected to it; and the root-of-trust server is further configured, when it finds no information on the peer terminal, to send the query request to the root-of-trust server under which the peer terminal resides, to receive the peer terminal's information as looked up by that root-of-trust server through, in turn, the top-level trust server and the authority trust server under which the peer terminal resides, and to return the peer terminal's information to the querying terminal through the top-level trust server and the authority trust server.
In addition, a terminal is further configured to send an authentication request concerning a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it finds no authentication information for the peer terminal, to forward the authentication request to the top-level trust server connected to it; the top-level trust server is further configured, when it finds no authentication information for the peer terminal, to send a query request to the root-of-trust server connected to it; and the root-of-trust server is further configured, when it finds no authentication information for the peer terminal, to send a query request to the root-of-trust server under which the peer terminal resides, to receive the peer terminal's authentication information as looked up by that root-of-trust server, and to return it to the terminal through the top-level trust server and the authority trust server.
In addition, a terminal is further configured to send an authentication request concerning a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it finds no authentication information for the peer terminal, to forward the authentication request to the top-level trust server connected to it; the top-level trust server is further configured, when it finds no authentication information for the peer terminal, to send a query request to the root-of-trust server connected to it; and the root-of-trust server is further configured, when it finds no authentication information for the peer terminal, to send a query request to the root-of-trust server under which the peer terminal resides, to receive the peer terminal's authentication information as looked up by that root-of-trust server through, in turn, the top-level trust server and the authority trust server under which the peer terminal resides, and to return the peer terminal's authentication information to the terminal through the top-level trust server and the authority trust server.
Another aspect of the invention provides a method for constructing an alliance-based network-wide unified trust anchor, comprising: constructing an alliance area configured to include n root-of-trust servers, each connected to every other, where each root-of-trust server stores the names and public keys of all root-of-trust servers and the names, addresses and public keys of all top-level trust servers, issues certificates, and stores exactly the same information as every other root-of-trust server, with a consensus algorithm keeping the stored information consistent; constructing n top-level trust server sets, configured so that each set is connected to one root-of-trust server, includes m top-level trust servers, and the m top-level trust servers are connected to the same root-of-trust server, where each top-level trust server stores its own public key and the names, addresses and public keys of the authority trust servers connected to it; constructing n*m authority trust server sets, configured so that each set is connected to one top-level trust server, includes j authority trust servers, and the j authority trust servers are connected to the same top-level trust server, where each authority trust server stores its own public key and the names, addresses and public keys of the terminals connected to it; and constructing n*m*j terminal sets, configured so that each set is connected to one authority trust server, includes i terminals, and the i terminals are connected to the same authority trust server.
In addition, the method further includes configuring each top-level trust server set to connect to all root-of-trust servers, each top-level trust server set including m top-level trust servers, the m top-level trust servers being connected to every root-of-trust server.
In addition, the method further includes a change process for a top-level trust server, which includes: the top-level trust server sends a change request to the root-of-trust server connected to it; the root-of-trust server puts a change resolution to the alliance area and, once the resolution passes under the preset resolution policy, responds to the top-level trust server's change request and updates the data stored in all root-of-trust servers in the alliance area through the consensus algorithm; the top-level trust server carries out the change.
In addition, the method further includes a change process for a root-of-trust server, which includes: the root-of-trust server puts a change resolution to the alliance and, once the resolution passes under the preset resolution policy, changes its own data and updates the data stored in all root-of-trust servers in the alliance area through the consensus algorithm.
In addition, the method further includes a query process for a terminal, which includes: the terminal sends a query request concerning a peer terminal to the authority trust server connected to it; when the authority trust server finds no information on the peer terminal, it forwards the query request to the top-level trust server connected to it; when the top-level trust server finds no information on the peer terminal, it forwards the query request to the root-of-trust server connected to it; when the root-of-trust server finds no information on the peer terminal, it sends the query request to the root-of-trust server under which the peer terminal resides, receives the peer terminal's information as looked up by that root-of-trust server through, in turn, the top-level trust server and the authority trust server under which the peer terminal resides, and returns the peer terminal's information to the terminal through the top-level trust server and the authority trust server.
In addition, the method further includes an authentication process for a terminal, which includes: the terminal sends an authentication request concerning a peer terminal to the authority trust server connected to it; when the authority trust server finds no authentication information for the peer terminal, it forwards the authentication request to the top-level trust server connected to it; when the top-level trust server finds no authentication information for the peer terminal, it sends a query request to the root-of-trust server connected to it; when the root-of-trust server finds no authentication information for the peer terminal, it sends a query request to the root-of-trust server under which the peer terminal resides, receives the peer terminal's authentication information as looked up by that root-of-trust server, and returns it to the terminal through the top-level trust server and the authority trust server.
In addition, the method further includes an authentication process for a terminal, which includes: the terminal sends an authentication request concerning a peer terminal to the authority trust server connected to it; when the authority trust server finds no authentication information for the peer terminal, it forwards the authentication request to the top-level trust server connected to it; when the top-level trust server finds no authentication information for the peer terminal, it sends a query request to the root-of-trust server connected to it; when the root-of-trust server finds no authentication information for the peer terminal, it sends a query request to the root-of-trust server under which the peer terminal resides, receives the peer terminal's authentication information as looked up by that root-of-trust server through, in turn, the top-level trust server and the authority trust server under which the peer terminal resides, and returns the peer terminal's authentication information to the terminal through the top-level trust server and the authority trust server.
It can be seen from the technical solution above that, with the alliance-based network-wide unified trust anchor system and construction method provided by the embodiments of the invention, the alliance trust anchor exists in decentralized form: a consensus algorithm keeps the data of the individual root-of-trust servers in the alliance area consistent, and the alliance establishes a single network-wide trust anchor that manages public keys jointly. This alliance-based, decentralized form of organization and management keeps the state of every root-of-trust server consistent, avoids the various drawbacks of current centralized approaches, and achieves efficient management of public keys, so that remote communicating entities can obtain each other's public keys and confirm their authenticity.
Description of the drawings
In order to explain the technical solutions of the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the structure of the trust model provided by an embodiment of the invention;
FIG. 2 is a schematic diagram of the structure of the alliance-based network-wide unified trust anchor system provided by an embodiment of the invention;
FIG. 3 is a flowchart of the alliance-based network-wide unified trust anchor system and construction method provided by an embodiment of the invention.
Detailed description of the embodiments
The embodiments of the invention are described in detail below with reference to the drawings.
The basis for building a trust model is that every trusting user has a trusted root. The trust model shown in FIG. 1 is a simple three-level trust structure, a chain-like trust relationship: for example, trusted entity A1 can be represented by the trust chain (R, C1, A1), meaning that one can trace back from A1 up to the root of trust R that produced it. There is a root node R serving as the starting point of trust; such a point at which a trust relationship is established is called a trust anchor. In this model the trust path is the path from the root node to a leaf node.
The invention establishes an alliance trust anchor. As shown in FIG. 2, each country has one root-of-trust server (all holding consistent data), and the sub-cluster that hangs off each country's root-of-trust server is managed by that country. A root-of-trust server is maintained by the country it belongs to. The alliance area is made up of the root-of-trust servers, the nodes of least depth. All root-of-trust servers in the alliance area form an undirected graph: a physical link exists between every pair of root-of-trust servers, and they can all communicate with each other. The root-of-trust server nodes A, X, Y and Z in FIG. 2 form the alliance area.
Specifically, the alliance-based network-wide unified trust anchor system provided by an embodiment of the invention includes:
an alliance area, which includes n root-of-trust servers (A, X, Y, Z in the figure), each connected to every other;
n top-level trust server sets, each connected to one root-of-trust server, each including m top-level trust servers (B1, B2, ... in the figure), the m top-level trust servers being connected to the same root-of-trust server;
n*m authority trust server sets, each connected to one top-level trust server, each including j authority trust servers (C1, C2, ... or C3, C4, ... in the figure), the j authority trust servers being connected to the same top-level trust server;
n*m*j terminal sets, each connected to one authority trust server, each including i terminals (D1, D2, ... or D3, D4, ... or D5, D6, ... in the figure), the i terminals being connected to the same authority trust server;
where:
each root-of-trust server stores the names and public keys of all root-of-trust servers and the names, addresses and public keys of all top-level trust servers, and issues certificates; every root-of-trust server stores exactly the same information, and a consensus algorithm keeps the stored information consistent;
each top-level trust server stores its own public key and the names, addresses and public keys of the authority trust servers connected to it;
each authority trust server stores its own public key and the names, addresses and public keys of the terminals connected to it.
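The four-level structure listed above, together with the terminal query flow from the summary (a query the local authority trust server cannot answer climbs to the top-level server and the root, is handed to the root under which the peer resides, and is answered through that root's top-level and authority servers), as an added Python example; it is not code from the patent. The region prefix in terminal names ("X:D9" means terminal D9 under root X), which is how a root here identifies the peer's root, the key strings, addresses and dict-based tables are all constructed assumptions.

```python
"""Peer lookup across the alliance (added example, not code from the patent).

Models the four levels of the system and the query flow: a query the authority
trust server cannot answer climbs to its top-level server and root, is handed
to the root under which the peer resides, and is answered through that root's
own top-level and authority servers.  The region prefix in terminal names
("X:D9" is terminal D9 under root X), the key strings and the dict tables are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Terminal:
    name: str
    address: str
    pubkey: str


@dataclass
class Node:
    """A trust server; level is 'root', 'top' or 'authority'."""
    name: str
    level: str
    pubkey: str
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)
    terminals: Dict[str, Terminal] = field(default_factory=dict)  # authority servers only
    alliance: Dict[str, "Node"] = field(default_factory=dict)     # roots only: every root

    def attach(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def search_down(node: Node, peer: str) -> Optional[Node]:
    """Descend from node; return the authority server whose table holds the peer."""
    if node.level == "authority":
        return node if peer in node.terminals else None
    for child in node.children.values():
        hit = search_down(child, peer)
        if hit is not None:
            return hit
    return None


def escalate(node: Node, peer: str, trace: List[str],
             came_from: Optional[Node] = None) -> Optional[Node]:
    """Upward flow: a server searches the part of its subtree not yet asked, then
    passes the query to the server above it; a root passes it across the alliance
    to the root named by the peer's region prefix, which searches downward."""
    trace.append(node.name)
    if node.level == "authority":
        hit = node if peer in node.terminals else None
    else:
        hit = None
        for child in node.children.values():
            if child is not came_from:
                hit = search_down(child, peer)
                if hit is not None:
                    break
    if hit is not None:
        return hit
    if node.level == "root":
        owner = node.alliance.get(peer.split(":", 1)[0])
        if owner is None or owner is node:
            return None          # unknown region, or this root's subtree was already searched
        trace.append(owner.name)
        return search_down(owner, peer)
    return escalate(node.parent, peer, trace, came_from=node)


def query(authority: Node, peer: str) -> Tuple[Optional[Terminal], List[str], List[str]]:
    """A terminal served by `authority` asks about `peer`.  Returns the peer record,
    the trust chain (root -> top-level -> authority) that vouches for it, like
    (R, C1, A1) in FIG. 1, and the servers the query passed through."""
    trace: List[str] = []
    holder = escalate(authority, peer, trace)
    if holder is None:
        return None, [], trace
    chain, n = [], holder
    while n is not None:
        chain.insert(0, n.name)
        n = n.parent
    return holder.terminals[peer], chain, trace


def build_alliance() -> Dict[str, Node]:
    """Constructed sample: roots A and X, one top-level server each, a few terminals."""
    roots = {name: Node(name, "root", f"pk-{name}") for name in ("A", "X")}
    for root in roots.values():
        root.alliance = roots
    b1 = roots["A"].attach(Node("B1", "top", "pk-B1"))
    c1 = b1.attach(Node("C1", "authority", "pk-C1"))
    c2 = b1.attach(Node("C2", "authority", "pk-C2"))
    c1.terminals["A:D1"] = Terminal("A:D1", "10.0.1.1", "pk-D1")
    c2.terminals["A:D2"] = Terminal("A:D2", "10.0.2.1", "pk-D2")
    b3 = roots["X"].attach(Node("B3", "top", "pk-B3"))
    c5 = b3.attach(Node("C5", "authority", "pk-C5"))
    c5.terminals["X:D9"] = Terminal("X:D9", "10.9.5.1", "pk-D9")
    return roots
```

Calling `query(c1, "X:D9")` from authority server C1 under root A returns the record for D9, the chain `['X', 'B3', 'C5']` and the hop list `['C1', 'B1', 'A', 'X']`; a peer in the same sub-cluster (`"A:D2"`) is answered by B1 without reaching the root, and a peer in a region no root knows yields `None` with the hops that were tried. The returned chain is what a relying terminal would verify certificate by certificate, since only the root level is replicated across the alliance.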
具体地,联盟信任锚以去中心化的形式存在,通过共识算法来确保联盟区域中的各个信任根服务器的数据保持一致,在联盟中建立全网统一信任锚,共同管理公钥,这种基于联盟的去中心化的组织和管理方式可以保证各个信任根服务器的状态一致,有效地避免了目前中心化工作中存在的各种弊端,实现公钥的高效管理,使得远程通信实体可以得到对方的公钥、并确保公钥的真实性。所用的共识算法依照具体情况确定,例如可以采用Epaxos共识算法,在联盟区域中,各节点之间主权平等,每个节点只负责本节点的工作,原则上禁止申请、修改或者绑定其他顶级信任服务器的信息。在子集群之中,各个国家可以采取例如基于multi-paxos的集群管理。在联盟区域中,各个联盟节点权利平等,所以不设置leader角色。Specifically, the alliance trust anchor exists in a decentralized form, and the consensus algorithm is used to ensure that the data of each trust root server in the alliance area is consistent, and a unified trust anchor for the whole network is established in the alliance to jointly manage the public key. The decentralized organization and management method of the alliance can ensure that the status of each trust root server is consistent, effectively avoiding various drawbacks existing in the current centralized work, and realizing the efficient management of public keys, so that remote communication entities can obtain each other's information. public key and ensure the authenticity of the public key. The consensus algorithm used is determined according to the specific situation. For example, the Epaxos consensus algorithm can be used. In the alliance area, the sovereign equality between nodes is equal, and each node is only responsible for the work of its own node. In principle, it is prohibited to apply for, modify or bind other top-level trusts server information. Among the sub-clusters, individual countries can take eg multi-paxos-based cluster management. In the alliance area, each alliance node has equal rights, so the leader role is not set.
Each trust root server in the alliance area uses asymmetric cryptography and holds the public keys of the other trust root servers; public key updates, queries and the authentication process between terminal principals must be approved by a resolution of the alliance. Each trust root server stores the name, address and public key information of all top-level trust servers. The data stored by each kind of server is shown in the following tables.
Example of the data stored on a trust root server:
Example of the data stored on a top-level trust server (the top-level server also stores its own public key):
Example of the data stored on an authority trust server (the authority server also stores its own public key):
As an optional embodiment of the present invention, each top-level trust server set is connected to all trust root servers: each top-level trust server set includes m top-level trust servers, and the m top-level trust servers are connected to every trust root server. This ensures that a top-level trust server can connect to any trust root server and exchange data with it.
As an optional embodiment of the present invention, the top-level trust server is further configured to send a change request to the trust root server connected to it; the trust root server is further configured to propose a resolution for the change to the alliance area and, once the resolution has passed under the preset resolution policy, to respond to the change request of the top-level trust server and to update, via the consensus algorithm, the data stored in all trust root servers in the alliance area; and the top-level trust server is further configured to perform the change operation. In this way, a top-level trust server applies to its connected trust root server for a change; after that trust root server has accepted and applied the change, a resolution is held in the alliance area, and the change operation may be executed only after the resolution has passed. At the same time, all trust root servers in the alliance area make the same modification via the consensus algorithm, guaranteeing data consistency.
Specifically, when the public key of top-level trust server B1 needs to be updated, the process includes:
1. Top-level trust server B1 sends a public key update request to its superior trust root server A.
2. Trust root server A proposes a resolution to update the public key within the alliance.
3. After the resolution passes, trust root server A updates the public key of top-level trust server B1. The consensus algorithm then brings the data of all trust root servers into agreement.
4. Top-level trust server B1 updates its own public key.
When the public key of terminal entity D1 needs to be updated, the process includes:
1. Terminal entity D1 sends a public key update request to its superior authority trust server C1.
2. After the request passes review, the public key of terminal entity D1 is updated in authority trust server C1.
3. Terminal entity D1 updates its own public key.
When the public key of authority trust server C1 needs to be updated, the process includes:
1. Authority trust server C1 sends a public key update request to its superior top-level trust server B1.
2. After the request passes review, top-level trust server B1 updates the public key of authority trust server C1.
3. Authority trust server C1 updates its own public key.
As an optional embodiment of the present invention, the trust root server is further configured to propose a resolution for a change within the alliance, to change its own data once the resolution has passed under the preset resolution policy, and to update, via the consensus algorithm, the data stored in all trust root servers in the alliance area. In this way, when a trust root server in the alliance area needs to change its data, a resolution is held in the alliance area; the change operation may be executed only after the resolution has passed, and at the same time all trust root servers in the alliance area make the same modification via the consensus algorithm, guaranteeing data consistency.
Specifically, when the public key of trust root server A needs to be updated, the process includes:
1. Trust root server A proposes a resolution to update its public key within the alliance.
2. After the resolution passes, trust root server A updates its own public key. The consensus algorithm then brings the data of all trust root servers into agreement.
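The two change flows above (top-level server B1 requesting a key change through root A, and root A changing its own key), as an added example that is not part of the patent: the strict-majority resolution policy, the in-memory replication standing in for the consensus algorithm, the sovereignty check that a root only acts for its own top-level servers, and the names X, Y, B2 and E1 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TopLevelServer:
    name: str
    superior: str      # the trust root server it is connected to
    public_key: str    # constructed placeholder string, not real key material


@dataclass
class TrustRootServer:
    """One alliance node. Every root holds the same replicated tables; in a real
    deployment the consensus algorithm (e.g. EPaxos) is what keeps them identical."""
    name: str
    public_key: str
    root_keys: Dict[str, str] = field(default_factory=dict)        # root name -> public key
    top_level_keys: Dict[str, str] = field(default_factory=dict)   # top-level name -> public key
    top_level_owner: Dict[str, str] = field(default_factory=dict)  # top-level name -> its root


class Alliance:
    """Decentralized alliance area: no leader, any root may propose, every root votes."""

    def __init__(self, roots: List[TrustRootServer], top_levels: List[TopLevelServer]):
        self.roots = {r.name: r for r in roots}
        self.top_levels = {t.name: t for t in top_levels}
        for r in roots:  # initial state, identical on every node
            r.root_keys = {x.name: x.public_key for x in roots}
            r.top_level_keys = {t.name: t.public_key for t in top_levels}
            r.top_level_owner = {t.name: t.superior for t in top_levels}

    def resolution_passes(self, votes: Dict[str, bool]) -> bool:
        """Preset resolution policy (assumed): strictly more than half of the roots vote yes."""
        yes = sum(1 for name in self.roots if votes.get(name, False))
        return yes * 2 > len(self.roots)

    def replicate(self, table: str, key: str, value: str) -> None:
        """Stand-in for the consensus step: the same write is applied on every root."""
        for r in self.roots.values():
            getattr(r, table)[key] = value

    def consistent(self) -> bool:
        """The invariant the description promises: all roots store identical data."""
        states = [(r.root_keys, r.top_level_keys, r.top_level_owner) for r in self.roots.values()]
        return all(s == states[0] for s in states)


def top_level_key_update(a: Alliance, top_level: str, root: str, new_key: str,
                         votes: Dict[str, bool]) -> str:
    """Steps 1-4 of the B1 flow; returns 'applied', 'rejected-not-superior' or 'rejected-resolution'."""
    tl, r = a.top_levels[top_level], a.roots[root]
    if r.top_level_owner.get(tl.name) != r.name:     # step 1: a root only acts for its own top-levels
        return "rejected-not-superior"
    if not a.resolution_passes(votes):               # step 2: resolution in the alliance area
        return "rejected-resolution"
    a.replicate("top_level_keys", tl.name, new_key)  # step 3: every root records the new key
    tl.public_key = new_key                          # step 4: B1 switches to its new key
    return "applied"


def root_key_update(a: Alliance, root: str, new_key: str, votes: Dict[str, bool]) -> str:
    """The two-step root flow: resolution first, then the change replicated to all roots."""
    if not a.resolution_passes(votes):
        return "rejected-resolution"
    a.replicate("root_keys", root, new_key)
    a.roots[root].public_key = new_key
    return "applied"


def build_demo() -> Alliance:
    """Constructed three-country alliance (A, X, Y) with B1 and B2 under A and E1 under X."""
    roots = [TrustRootServer(n, f"pk-{n}-v1") for n in ("A", "X", "Y")]
    tops = [TopLevelServer("B1", "A", "pk-B1-v1"), TopLevelServer("B2", "A", "pk-B2-v1"),
            TopLevelServer("E1", "X", "pk-E1-v1")]
    return Alliance(roots, tops)
```

A rejected request leaves every table untouched, so `consistent()` holds before and after each call regardless of the vote outcome.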
As an optional embodiment of the present invention, the terminal is further configured to send a query request for a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it does not find the relevant information of the peer terminal, to send the query request to the top-level trust server connected to it; the top-level trust server is further configured, when it does not find the relevant information of the peer terminal, to send the query request to the trust root server connected to it; and the trust root server is further configured, when it does not find the relevant information of the peer terminal, to send the query request to the trust root server of the domain in which the peer terminal is located, to receive the relevant information of the peer terminal as obtained by that trust root server querying in turn the top-level trust server and the authority trust server of the peer terminal, and to send the relevant information of the peer terminal back to the terminal through the top-level trust server and the authority trust server. In this way, when a terminal needs to query the relevant information of a peer terminal, it queries through its connected authority trust server, top-level trust server and trust root server; if the trust root server does not find the information, the query is passed to another trust root server in the alliance area, and once the information is found it is sent to the terminal through the trust root server, the top-level trust server and the authority trust server.
Specifically, when terminal principal D1 wants to query the public key of terminal principal G1, the process includes:
1. Terminal principal D1 queries its superior authority trust server C1.
2. When the public key of terminal principal G1 is not found in authority trust server C1, authority trust server C1 queries its superior top-level trust server B1.
3. When top-level trust server B1 does not find the public key of terminal principal G1, top-level trust server B1 queries its superior trust root server A.
4. When the public key of terminal principal G1 is not found in trust root server A, there are two options:
(1) For reasons of management, only a country's own trust root server may access that country's subordinate servers.
(2) For reasons of efficiency, a country's trust root server may also access the subordinate servers of other countries.
Under option (1), trust root server A locates trust root server X, in whose domain the public key of terminal principal G1 is held. Trust root server X queries its subordinate top-level trust server E1, top-level trust server E1 queries its subordinate authority trust server F1, and the public key of terminal principal G1 is finally obtained.
Under option (2), trust root server A directly queries top-level trust server E1, the subordinate of trust root server X; top-level trust server E1 then queries its subordinate authority trust server F1, and the public key of terminal principal G1 is finally obtained.
In addition, when the query does not cross domains, the related operations are performed as in the following examples:
When terminal principal D1 wants to query the public key of terminal principal D2, the process includes:
1. Terminal principal D1 queries its superior authority trust server C1.
2. When the public key of terminal principal D2 is found in authority trust server C1, the public key of D2 is returned to terminal principal D1.
When terminal principal D1 wants to query the public key of terminal principal D5, the process includes:
1. Terminal principal D1 queries its superior authority trust server C1.
2. When the public key of terminal principal D5 is not found in authority trust server C1, authority trust server C1 queries its superior top-level trust server B1.
3. When top-level trust server B1 does not find the public key of terminal principal D5, top-level trust server B1 queries its superior trust root server A.
4. Trust root server A goes through its subordinate top-level trust server B2, top-level trust server B2 queries authority trust server C3, the public key of terminal principal D5 is found in authority trust server C3, and the public key of D5 is returned to terminal principal D1.
Specifically, two methods are considered for communication authentication between terminal principals:
1. Authentication based on a certificate issued by the superior;
2. Authentication based on the public keys of peers at the same level.
Therefore, as an optional embodiment of the present invention, the terminal is further configured to send an authentication request for a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it does not find the authentication information of the peer terminal, to send the authentication request to the top-level trust server connected to it; the top-level trust server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the trust root server connected to it; and the trust root server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the trust root server of the domain in which the peer terminal is located, to receive the authentication information of the peer terminal obtained by that trust root server, and to send it to the terminal through the top-level trust server and the authority trust server. In this way, when a terminal needs to authenticate a peer terminal, it does so through its connected authority trust server, top-level trust server and trust root server; if the trust root server does not find the authentication information, it is queried from another trust root server in the alliance area, and once found it is sent to the terminal through the trust root server, the top-level trust server and the authority trust server.
Specifically, when terminal principal D1 wants to authenticate the public key of terminal principal D5, it needs the public key of authority trust server C3, the superior of terminal principal D5. Since top-level trust server B2 holds the public key information of authority trust server C3, it suffices to locate the data of top-level trust server B2. The process includes:
1. Terminal principal D1 queries its superior authority trust server C1.
2. When the public key of authority trust server C3 is not found in authority trust server C1, authority trust server C1 queries its superior top-level trust server B1.
3. When top-level trust server B1 does not find the public key of authority trust server C3, top-level trust server B1 queries its superior trust root server A.
4. The data of top-level trust server B2 is found in trust root server A, from which the public key of authority trust server C3 is obtained, and authentication is completed.
As an optional embodiment of the present invention, the terminal is further configured to send an authentication request for a peer terminal to the authority trust server connected to it; the authority trust server is further configured, when it does not find the authentication information of the peer terminal, to send the authentication request to the top-level trust server connected to it; the top-level trust server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the trust root server connected to it; and the trust root server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the trust root server of the domain in which the peer terminal is located, to receive the authentication information of the peer terminal as obtained by that trust root server querying in turn the top-level trust server and the authority trust server of the peer terminal, and to send the authentication information of the peer terminal to the terminal through the top-level trust server and the authority trust server. In this way, when a terminal needs to authenticate a peer terminal, it does so through its connected authority trust server, top-level trust server and trust root server; if the trust root server does not find the authentication information, the query is passed to another trust root server in the alliance area, which queries the authentication information through its own connected top-level trust server and authority trust server, and the authentication information found is sent to the terminal through the trust root server, the top-level trust server and the authority trust server.
Specifically, when terminal principal D1 wants to authenticate the public key of terminal principal D5, the process includes:
1. Terminal principal D1 queries its superior authority trust server C1.
2. When the public key of terminal principal D5 is not found in authority trust server C1, authority trust server C1 queries its superior top-level trust server B1.
3. When top-level trust server B1 does not find the public key of terminal principal D5, top-level trust server B1 queries its superior trust root server A.
4. Trust root server A queries through its subordinate top-level trust server B2.
5. Top-level trust server B2 queries its subordinate authority trust server C3, from which the public key of terminal principal D5 is obtained, and authentication is completed.
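The query flow (D1 to D2, D1 to D5, and D1 to G1 under cross-domain options (1) and (2)) and the certificate-based authentication flow described above, as an added example that is not the patent's code: the server names follow the description, while the textbook RSA toy keys, the SHA-256 digest, the in-memory tables and the mode names `via_other_root` and `direct` are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

E = 17  # toy RSA public exponent; the primes used below are far too small for real use


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair: an illustration stand-in, not the patent's key scheme."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


@dataclass
class Certificate:
    """Certificate issued by the superior authority trust server (authentication method 1)."""
    subject: str
    pub: Tuple[int, int]
    issuer: str
    sig: int = 0

    def body(self) -> bytes:
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}|{self.issuer}".encode()


@dataclass
class Net:
    """In-memory stand-in for the hierarchy: each server knows the servers directly below it."""
    superior: Dict[str, str] = field(default_factory=dict)        # node -> node above it
    children: Dict[str, List[str]] = field(default_factory=dict)  # node -> nodes below it
    roots: List[str] = field(default_factory=list)                # the alliance area
    auth_pub: Dict[str, Tuple[int, int]] = field(default_factory=dict)      # held by top-level servers
    certs: Dict[str, Dict[str, Certificate]] = field(default_factory=dict)  # authority -> subject -> cert


def _search_domain(net: Net, root: str, target: str, path: List[str], skip: str = None):
    """Step 4: a root walks its subordinate top-level and authority servers looking for the target."""
    for top in net.children.get(root, []):
        if top == skip:          # the top-level server the request came from has already failed
            continue
        path.append(top)
        for auth in net.children.get(top, []):
            path.append(auth)
            if target in net.certs.get(auth, {}):
                return net.certs[auth][target]
    return None


def query(net: Net, terminal: str, target: str, cross_domain: str = "via_other_root"):
    """Hierarchical lookup of a peer's certificate; returns (cert or None, servers visited in order).
    cross_domain selects option (1) "via_other_root" or option (2) "direct"."""
    auth = net.superior[terminal]
    path = [terminal, auth]
    if target in net.certs.get(auth, {}):       # steps 1-2: found at the terminal's own authority server
        return net.certs[auth][target], path
    top, root = net.superior[auth], net.superior[net.superior[auth]]
    path += [top, root]                         # step 3: top-level servers hold no terminal keys
    cert = _search_domain(net, root, target, path, skip=top)
    if cert is None:                            # not in this country's domain: go to the alliance
        for other in net.roots:
            if other == root:
                continue
            if cross_domain == "via_other_root":
                path.append(other)              # (1): only the other country's root walks its servers
            cert = _search_domain(net, other, target, path)  # (2): A reaches E1 directly
            if cert is not None:
                break
    return cert, path


def authenticate(net: Net, terminal: str, target: str, cross_domain: str = "via_other_root"):
    """Fetch the peer's certificate, then verify the issuing authority server's signature with the
    issuer key stored on that authority's superior top-level server (B2 for C3)."""
    cert, path = query(net, terminal, target, cross_domain)
    if cert is None:
        return False, path
    return verify(net.auth_pub[cert.issuer], cert.body(), cert.sig), path


def build_demo() -> Net:
    """Constructed sample deployment using the server names from the description."""
    net = Net()
    for child, parent in [("A", None), ("X", None), ("B1", "A"), ("B2", "A"), ("E1", "X"),
                          ("C1", "B1"), ("C3", "B2"), ("F1", "E1"),
                          ("D1", "C1"), ("D2", "C1"), ("D5", "C3"), ("G1", "F1")]:
        if parent is None:
            net.roots.append(child)
        else:
            net.superior[child] = parent
            net.children.setdefault(parent, []).append(child)
    terminal_primes = [(113, 127), (139, 149)]   # chosen so that gcd(E, (p-1)(q-1)) == 1
    for auth, (p, q) in {"C1": (61, 53), "C3": (89, 97), "F1": (67, 71)}.items():
        pub, priv = toy_keypair(p, q)
        net.auth_pub[auth] = pub
        net.certs[auth] = {}
        for i, term in enumerate(net.children[auth]):
            cert = Certificate(term, toy_keypair(*terminal_primes[i])[0], auth)
            cert.sig = sign(priv, cert.body())  # the superior authority server signs the binding
            net.certs[auth][term] = cert
    return net
```

Because the RSA map is a permutation of the residues modulo n, any change to the signature or to the signed fields makes `verify` fail, which is what lets D1 reject a public key for D5 that C3 never issued.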
It can thus be seen that, with the alliance-based network-wide unified trust anchor system provided by the present invention, the alliance trust anchor exists in a decentralized form; a consensus algorithm keeps the data of every trust root server in the alliance area consistent, so that a network-wide unified trust anchor is established in the alliance and public keys are managed jointly. This alliance-based, decentralized organization and management approach keeps the state of every trust root server consistent, effectively avoids the various drawbacks of current centralized operation, and achieves efficient public key management, so that remote communicating entities can obtain each other's public keys and be assured of their authenticity.
FIG. 3 shows a method for constructing an alliance-based network-wide unified trust anchor according to an embodiment of the present invention. The method is applied to the system described above; only a brief description is given here, and for matters not covered, refer to the description of the system above. Referring to FIG. 3, the method for constructing an alliance-based network-wide unified trust anchor according to an embodiment of the present invention includes:
S301: construct an alliance area configured to include n trust root servers, the trust root servers being connected to one another, each trust root server storing the name and public key information of all trust root servers and the name, address and public key information of all top-level trust servers, and being used to issue certificates; the information stored by each trust root server is exactly the same, and its consistency is guaranteed by a consensus algorithm;
S302: construct n top-level trust server sets, configured such that each top-level trust server set is connected to one trust root server, each top-level trust server set includes m top-level trust servers, and the m top-level trust servers are connected to the same trust root server; each top-level trust server stores its own public key information and the name, address and public key information of the authority trust servers connected to it;
S303: construct n*m authority trust server sets, configured such that each authority trust server set is connected to one top-level trust server, each authority trust server set includes j authority trust servers, and the j authority trust servers are connected to the same top-level trust server; each authority trust server stores its own public key information and the name, address and public key information of the terminals connected to it;
S304: construct n*m*j terminal sets, configured such that each terminal set is connected to one authority trust server, each terminal set includes i terminals, and the i terminals are connected to the same authority trust server.
It can thus be seen that, with the alliance-based network-wide unified trust anchor construction method provided by the present invention, the alliance trust anchor exists in a decentralized form; a consensus algorithm keeps the data of every trust root server in the alliance area consistent, so that a network-wide unified trust anchor is established in the alliance and public keys are managed jointly. This alliance-based, decentralized organization and management approach keeps the state of every trust root server consistent, effectively avoids the various drawbacks of current centralized operation, and achieves efficient public key management, so that remote communicating entities can obtain each other's public keys and be assured of their authenticity.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes: configuring each top-level trust server set to connect to all trust root servers, each top-level trust server set including m top-level trust servers, with the m top-level trust servers connected to every trust root server. This ensures that a top-level trust server can connect to any trust root server and exchange data with it.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes a change process for a top-level trust server.
The change process for a top-level trust server includes:
the top-level trust server sends a change request to the trust root server connected to it;
the trust root server proposes a resolution for the change to the alliance area and, once the resolution has passed under the preset resolution policy, responds to the change request of the top-level trust server and updates, via the consensus algorithm, the data stored in all trust root servers in the alliance area;
the top-level trust server performs the change operation.
In this way, a top-level trust server applies to its connected trust root server for a change; after that trust root server has accepted and applied the change, a resolution is held in the alliance area, and the change operation may be executed only after the resolution has passed. At the same time, all trust root servers in the alliance area make the same modification via the consensus algorithm, guaranteeing data consistency.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes a change process for a trust root server.
The change process for a trust root server includes:
the trust root server proposes a resolution for the change within the alliance, changes its own data once the resolution has passed under the preset resolution policy, and updates, via the consensus algorithm, the data stored in all trust root servers in the alliance area.
In this way, when a trust root server in the alliance area needs to change its data, a resolution is held in the alliance area; the change operation may be executed only after the resolution has passed, and at the same time all trust root servers in the alliance area make the same modification via the consensus algorithm, guaranteeing data consistency.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes a query process for a terminal.
The query process for a terminal includes:
the terminal sends a query request for a peer terminal to the authority trust server connected to it;
when the authority trust server does not find the relevant information of the peer terminal, it sends the query request to the top-level trust server connected to it;
when the top-level trust server does not find the relevant information of the peer terminal, it sends the query request to the trust root server connected to it;
when the trust root server does not find the relevant information of the peer terminal, it sends the query request to the trust root server of the domain in which the peer terminal is located, receives the relevant information of the peer terminal as obtained by that trust root server querying in turn the top-level trust server and the authority trust server of the peer terminal, and sends the relevant information of the peer terminal back to the terminal through the top-level trust server and the authority trust server.
In this way, when a terminal needs to query the relevant information of a peer terminal, it queries through its connected authority trust server, top-level trust server and trust root server; if the trust root server does not find the information, the query is passed to another trust root server in the alliance area, and once the information is found it is sent to the terminal through the trust root server, the top-level trust server and the authority trust server.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes an authentication process for a terminal.
The authentication process for a terminal includes:
the terminal sends an authentication request for a peer terminal to the authority trust server connected to it;
when the authority trust server does not find the authentication information of the peer terminal, it sends the authentication request to the top-level trust server connected to it;
when the top-level trust server does not find the authentication information of the peer terminal, it sends a query request to the trust root server connected to it;
when the trust root server does not find the authentication information of the peer terminal, it sends a query request to the trust root server of the domain in which the peer terminal is located, receives the authentication information of the peer terminal obtained by that trust root server, and sends it to the terminal through the top-level trust server and the authority trust server.
In this way, when a terminal needs to authenticate a peer terminal, it does so through its connected authority trust server, top-level trust server and trust root server; if the trust root server does not find the authentication information, it is queried from another trust root server in the alliance area, and once found it is sent to the terminal through the trust root server, the top-level trust server and the authority trust server.
As an optional implementation of the embodiment of the present invention, the method for constructing an alliance-based network-wide unified trust anchor further includes a terminal authentication process;
The terminal authentication process includes:
the terminal is further configured to send an authentication request for a peer terminal to the authority trust server to which it is connected;
the authority trust server is further configured, when it does not find the authentication information of the peer terminal, to send an authentication request to the top-level trust server to which it is connected;
the top-level trust server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the root-of-trust server to which it is connected;
the root-of-trust server is further configured, when it does not find the authentication information of the peer terminal, to send a query request to the root-of-trust server to which the peer terminal belongs, to receive the peer terminal's authentication information that this root-of-trust server obtains by querying in turn the top-level trust server and the authority trust server of the peer terminal connected to it, and to send the authentication information so obtained to the terminal via the top-level trust server and the authority trust server.
In this way, when a terminal needs to authenticate a peer terminal, it can do so through the authority trust server, the top-level trust server and the root-of-trust server to which it is connected; if the root-of-trust server does not find the authentication information, another root-of-trust server in the alliance region is queried; that root-of-trust server looks up the authentication information through its own top-level trust server and authority trust server, and the information found is returned to the terminal through the root-of-trust server, the top-level trust server and the authority trust server.
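The two optional flows above (the peer's root-of-trust server answering from its own records, or delegating the query down to its top-level and authority trust servers) share one resolution structure: walk up the requesting terminal's own chain, hand off between roots in the alliance, then walk down the peer's chain, and deliver the answer back down the original chain. The following is an added simulation of that structure, not code from the patent; the class and function names, the zone and terminal identifiers and the stored "authentication information" strings are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added example, not the patent's code. TrustServer, resolve_down, authenticate_peer
# and the sample zones A/B with terminals T1..T3 are assumptions for illustration.


@dataclass
class TrustServer:
    name: str
    level: str                                   # "authority", "top" or "root"
    parent: Optional[TrustServer] = None         # next server up the terminal's chain
    records: dict[str, str] = field(default_factory=dict)      # terminal id -> auth info
    children: list[TrustServer] = field(default_factory=list)  # servers one level below
    federation: list[TrustServer] = field(default_factory=list)  # all roots (root level only)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def resolve_down(self, terminal_id: str, trace: list[str]) -> Optional[str]:
        """Check this server's own records, then delegate to the servers below it
        (root -> top-level -> authority), recording every server consulted."""
        trace.append(self.name)
        info = self.records.get(terminal_id)
        if info is not None:
            return info
        for child in self.children:
            info = child.resolve_down(terminal_id, trace)
            if info is not None:
                return info
        return None


def authenticate_peer(authority: TrustServer, peer_id: str):
    """Resolve peer_id on behalf of a terminal attached to `authority`.

    Returns (auth_info_or_None, query_trace, delivery_path): query_trace lists the
    servers consulted in order; delivery_path is the route the answer takes back
    down the requesting terminal's own chain."""
    trace: list[str] = []
    own_chain: list[str] = []
    node: Optional[TrustServer] = authority
    info = None
    while node is not None:
        trace.append(node.name)
        own_chain.append(node.name)
        info = node.records.get(peer_id)
        if info is not None:
            break
        if node.level == "root":
            # Local chain exhausted: ask the other roots in the alliance, each of
            # which searches its own subtree (covers both optional flows above).
            for other in node.federation:
                if other is node:
                    continue
                info = other.resolve_down(peer_id, trace)
                if info is not None:
                    break
            break
        node = node.parent
    return info, trace, list(reversed(own_chain))


def build_federation() -> dict[str, TrustServer]:
    """Constructed sample alliance: zones A and B, each root -> top-level -> authority."""
    roots: list[TrustServer] = []
    root_a = TrustServer("root_a", "root", federation=roots)
    root_b = TrustServer("root_b", "root", federation=roots)
    roots.extend([root_a, root_b])
    top_a = TrustServer("top_a", "top", parent=root_a)
    top_b = TrustServer("top_b", "top", parent=root_b)
    auth_a = TrustServer("auth_a", "authority", parent=top_a)
    auth_b = TrustServer("auth_b", "authority", parent=top_b)
    auth_a.records["T1"] = "cert:T1@A"   # constructed: terminal registered in zone A
    auth_b.records["T2"] = "cert:T2@B"   # constructed: terminal registered in zone B
    root_b.records["T3"] = "cert:T3@B"   # constructed: known directly at zone B's root
    return {"root_a": root_a, "root_b": root_b, "top_a": top_a, "top_b": top_b,
            "auth_a": auth_a, "auth_b": auth_b}


if __name__ == "__main__":
    nodes = build_federation()
    for peer in ("T1", "T2", "T3", "T9"):
        info, trace, delivery = authenticate_peer(nodes["auth_a"], peer)
        print(peer, info, "queried:", " -> ".join(trace), "| return via:", " -> ".join(delivery))
```

The trace makes the cost of a cross-zone lookup visible: a miss at every level fans out to the whole alliance, so each server's local cache of authentication information (the "records" here) is what keeps the root-of-trust servers from becoming a bottleneck, and the returned delivery path is the set of servers that must relay, and therefore could tamper with, the answer unless it is integrity-protected end to end.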
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing a specific logical function or step of the process, and the scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
A person of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and when executed it includes one of the steps of the method embodiments or a combination thereof.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above embodiments merely describe preferred implementations of the present invention and do not limit its scope; any variations and improvements made to the technical solution of the present invention by ordinary engineers in the field, without departing from the design spirit of the invention, shall fall within the scope of protection determined by the claims of the present invention.
Claims (14)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810743031.4A CN108881471B (en) | 2018-07-09 | 2018-07-09 | Union-based whole-network unified trust anchor system and construction method |
PCT/CN2018/115239 WO2020010767A1 (en) | 2018-07-09 | 2018-11-13 | Alliance-based unified trust anchor system for whole network, and construction method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810743031.4A CN108881471B (en) | 2018-07-09 | 2018-07-09 | Union-based whole-network unified trust anchor system and construction method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108881471A CN108881471A (en) | 2018-11-23 |
CN108881471B true CN108881471B (en) | 2020-09-11 |
Family
ID=64299874
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810743031.4A Active CN108881471B (en) | 2018-07-09 | 2018-07-09 | Union-based whole-network unified trust anchor system and construction method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108881471B (en) |
WO (1) | WO2020010767A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109327481B (en) * | 2018-12-17 | 2021-12-14 | 北京信息科技大学 | A blockchain-based unified online authentication method and system for the entire network |
CN109753779B (en) * | 2019-01-11 | 2020-10-30 | 北京信息科技大学 | A network-wide unified identity authentication method and system based on biometric identification |
CN110224713B (en) * | 2019-06-12 | 2020-09-15 | 读书郎教育科技有限公司 | Safety protection method and system based on high-safety intelligent child watch |
CN110868446A (en) * | 2019-08-29 | 2020-03-06 | 北京大学深圳研究生院 | Back IP main power network system architecture |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101129016A (en) * | 2004-12-24 | 2008-02-20 | 秦内蒂克有限公司 | Public key infrastructures |
CN102263787A (en) * | 2011-07-08 | 2011-11-30 | 西安电子科技大学 | Dynamic Distributed CA Configuration Method |
CN103973451A (en) * | 2014-05-05 | 2014-08-06 | 西南交通大学 | Cross-trust-domain authentication method used for distributed network system |
CN106301792A (en) * | 2016-08-31 | 2017-01-04 | 江苏通付盾科技有限公司 | Ca authentication management method based on block chain, Apparatus and system |
CN106372941A (en) * | 2016-08-31 | 2017-02-01 | 江苏通付盾科技有限公司 | CA authentication management method, device and system based on block chain |
CN107070644A (en) * | 2016-12-26 | 2017-08-18 | 北京科技大学 | A kind of decentralization public key management method and management system based on trust network |
CN107426157A (en) * | 2017-04-21 | 2017-12-01 | 杭州趣链科技有限公司 | A kind of alliance's chain authority control method based on digital certificate and ca authentication system |
CN107613041A (en) * | 2017-09-22 | 2018-01-19 | 中国互联网络信息中心 | Blockchain-based domain name management system, domain name management method and domain name resolution method |
CN108052530A (en) * | 2017-11-10 | 2018-05-18 | 杭州云象网络技术有限公司 | A kind of decentralization CA construction methods and its system based on alliance's chain |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7747851B1 (en) * | 2004-09-30 | 2010-06-29 | Avaya Inc. | Certificate distribution via license files |
CN108055263B (en) * | 2017-12-11 | 2020-07-24 | 北京理工大学 | Entity authentication authority management system and method in satellite communication network |
CN108243190A (en) * | 2018-01-09 | 2018-07-03 | 北京信息科技大学 | A trusted management method and system for network identification |
2018
- 2018-07-09 CN CN201810743031.4A patent/CN108881471B/en active Active
- 2018-11-13 WO PCT/CN2018/115239 patent/WO2020010767A1/en active Application Filing
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101129016A (en) * | 2004-12-24 | 2008-02-20 | 秦内蒂克有限公司 | Public key infrastructures |
CN102263787A (en) * | 2011-07-08 | 2011-11-30 | 西安电子科技大学 | Dynamic Distributed CA Configuration Method |
CN103973451A (en) * | 2014-05-05 | 2014-08-06 | 西南交通大学 | Cross-trust-domain authentication method used for distributed network system |
CN103973451B (en) * | 2014-05-05 | 2017-04-12 | 西南交通大学 | Cross-trust-domain authentication method used for distributed network system |
CN106301792A (en) * | 2016-08-31 | 2017-01-04 | 江苏通付盾科技有限公司 | Ca authentication management method based on block chain, Apparatus and system |
CN106372941A (en) * | 2016-08-31 | 2017-02-01 | 江苏通付盾科技有限公司 | CA authentication management method, device and system based on block chain |
CN107070644A (en) * | 2016-12-26 | 2017-08-18 | 北京科技大学 | A kind of decentralization public key management method and management system based on trust network |
CN107426157A (en) * | 2017-04-21 | 2017-12-01 | 杭州趣链科技有限公司 | A kind of alliance's chain authority control method based on digital certificate and ca authentication system |
CN107613041A (en) * | 2017-09-22 | 2018-01-19 | 中国互联网络信息中心 | Blockchain-based domain name management system, domain name management method and domain name resolution method |
CN108052530A (en) * | 2017-11-10 | 2018-05-18 | 杭州云象网络技术有限公司 | A kind of decentralization CA construction methods and its system based on alliance's chain |
Non-Patent Citations (2)
Title |
---|
Analysis and Design of an Adaptive Automated Trust Negotiation System; Wenliang Chen, Wenbao Jiang; 2011 International Conference on Mechatronic Science, Electric Engineering and Computer; 2011-09-23; full text * |
An efficient cross-domain authentication scheme based on blockchain technology; 周致成, 李立新, 李作辉; 《计算机应用》; 2018-02-10; pp. 316-320 * |
Also Published As
Publication number | Publication date |
---|---|
WO2020010767A1 (en) | 2020-01-16 |
CN108881471A (en) | 2018-11-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Cui et al. | A hybrid blockchain-based identity authentication scheme for multi-WSN | |
CN110351381B (en) | Block chain-based Internet of things trusted distributed data sharing method | |
CN108881471B (en) | Union-based whole-network unified trust anchor system and construction method | |
Lacuesta et al. | A secure protocol for spontaneous wireless ad hoc networks creation | |
CN102571591B (en) | Method, edge router and system for realizing marked network communication | |
CN102647394B (en) | Routing device identity identifying method and device | |
CN114629720A (en) | Industrial Internet cross-domain authentication method based on block chain and Handle identification | |
CN113824563A (en) | Cross-domain identity authentication method based on block chain certificate | |
CN101222331A (en) | Method and system for two-way authentication in authentication server and mesh network | |
CN101374159A (en) | A P2P network trusted control method and system | |
US20140006777A1 (en) | Establishing Secure Communication Between Networks | |
Hadjichristofi et al. | A framework for key management in mobile ad hoc networks | |
US11838854B2 (en) | 5G network slicing and resource orchestration using holochain | |
Gómez et al. | New security services based on PKI | |
CN108243190A (en) | A trusted management method and system for network identification | |
CN101997875A (en) | Secure multi-party network communication platform and construction method and communication method thereof | |
Meier et al. | Portable trust anchor for OPC UA using auto-configuration | |
Forne et al. | Certificate status validation in mobile ad hoc networks | |
Trossen et al. | Impact of Distributed Ledgers on Provider Networks | |
Alphonse et al. | A method for obtaining authenticated scalable and efficient group key agreement for wireless ad-hoc networks | |
CN1921383A (en) | Method for realizing key management based on threshold CA and X.509 public key certificate | |
Amoretti et al. | Introducing secure peergroups in SP/sup 2/A | |
Saha et al. | Self-organized key management based on fidelity relationship list and dynamic path | |
CN113315762B (en) | A decentralized network authentication method for secure communication based on identity cryptography | |
Khan et al. | A key management scheme for Content Centric Networking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
OL01 | Intention to license declared | ||