Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Fig. 1 is a flowchart of an authentication method provided in an exemplary embodiment. As shown in fig. 1, the method applied to the server may include the following steps:
Step 102: the server receives an authentication request initiated by the client for an event to be authenticated, where the event to be authenticated is declared to be related to a specified object.
In one embodiment, the specified object is the object specified by the "declaration". The designated object may be an individual, an organization (e.g., a business, etc.), or both. The number of the designated objects may be one or more, and the specification does not limit this.
In an embodiment, the association relationship between the "event to be authenticated" and the "specified object" may be declared in any form, which is not limited in this specification. For example, the content of the "event to be authenticated" and the information of the "specified object" may be presented in the same image; for instance, the image may be a promotional poster, the content of the "event to be authenticated" is the promotional content in the poster, and the information of the "specified object" is a celebrity photo in the poster, which is equivalent to declaring that the celebrity endorses the promotional content in the poster. For another example, the content of the "event to be authenticated" and the information of the "specified object" may be printed on the same paper; for instance, the paper may be a business card, the content of the "event to be authenticated" is the position information on the business card, and the information of the "specified object" is the name on the business card, which is equivalent to declaring that the issuer of the business card (i.e., the user corresponding to the name) holds the corresponding position.
Step 104: the server acquires, from the blockchain, a transaction event related to the event to be authenticated, the transaction event having been signed by a transaction-related object through a pre-registered digital identity.
In an embodiment, the transaction-related object may be registered in advance at the server to obtain a corresponding digital identity; alternatively, the transaction-related object may be registered at another service provider to obtain a corresponding digital identity, and the other service provider may provide an identity authentication service to the server, or grant the server access to the recorded mapping relationship between the entity identity and the digital identity, so that the server may perform identity authentication by itself.
In one embodiment, the transaction-related object may be an organization, which may use its own entity identity to register with the server or another service provider to obtain the corresponding digital identity. The transaction-related object may also be an individual, and the individual may use his or her entity identity to register at the server or another service provider to obtain the corresponding digital identity; alternatively, when the individual is an employee of an organization or has some other association with it, the individual may first obtain a certificate from the organization, namely a signature generated with the digital identity registered by the organization, which is equivalent to the organization endorsing the identity of the individual, and the individual may then register with the server or another service provider to obtain a corresponding digital identity on the basis of that signature. Of course, the transaction-related object may also obtain the digital identity in other ways, which is not limited in this specification.
In one embodiment, when there is a single transaction-related object, the signature for the transaction event is a single signature; when there are multiple transaction-associated objects, the signature for the transaction event is a multiple signature.
In an embodiment, the transaction-related object may be the publisher of the transaction event, that is, the transaction-related object signs the transaction event and then publishes it to the blockchain (either directly, through the blockchain node corresponding to the transaction-related object, or by submitting the transaction event to the server, which publishes it to the blockchain through the server's corresponding blockchain node).
In an embodiment, the transaction-related object is not the publisher of the transaction event; the transaction-related object may sign the transaction event and then submit it to the publisher, which publishes the transaction event to the blockchain. The transaction-related object may authenticate the publisher and the transaction event separately, for example confirming that the identity of the publisher is real and reliable and that the content of the transaction event is real and reliable, and sign the transaction event only after both are confirmed, otherwise declining to sign. When authenticating the identity of the publisher, the publisher and the transaction-related object may be required to have a preset association relationship, for example the transaction-related object is an enterprise and the publisher is an internal employee of the enterprise, or the transaction-related object is a person and the publisher is an address book friend of that person; when the preset association relationship does not exist, the identity of the publisher is considered not authenticated.
In an embodiment, the publisher may publish the transaction event to the blockchain through its corresponding blockchain node.
In an embodiment, the publisher may submit the transaction event to the server, and the server publishes the transaction event to the blockchain through its corresponding blockchain node. The server can verify the identity of the publisher and the content of the transaction event: if the signature included in the transaction event is the publisher's own signature and the publisher's identity is registered at the server or at another service provider, the server can consider both the identity of the publisher and the content of the transaction event to be true and reliable, and can publish the transaction event to the blockchain; if the signature included in the transaction event is that of a transaction-related object other than the publisher, the server may verify whether the preset association relationship exists between the publisher and the transaction-related object, for example the transaction-related object is an enterprise and the publisher is an internal employee of the enterprise, or the transaction-related object is a person and the publisher is an address book friend of that person.
The server can query the digital identity registered in advance by the publisher; when the digital identity of the publisher was registered based on a signature provided by the transaction-related object to the publisher, the server determines that the preset association relationship exists. For example, the publisher may in advance request the transaction-related object to authenticate the publisher's entity identity; after the transaction-related object approves the entity identity of the publisher, it may provide the publisher with a digital signature (generated with the private key of the transaction-related object), and the publisher may register its own digital identity based on that digital signature, so that the digital identity of the publisher is associated with the digital identity of the transaction-related object from the time of registration. Then, after receiving the transaction event submitted by the publisher, the server may verify the identity of the publisher and the content of the transaction event based on this association relationship.
In one embodiment, the transaction (transfer) described in this specification refers to a piece of data that a user creates through a client of a blockchain and needs to be finally published to a distributed database of the blockchain. The transactions in the blockchain are classified into narrow transactions and broad transactions. A narrowly defined transaction refers to a transfer of value issued by a user to a blockchain; for example, in a conventional bitcoin blockchain network, the transaction may be a transfer initiated by the user in the blockchain. The broad transaction refers to a piece of business data with business intention, which is issued to the blockchain by a user; for example, an operator may build a federation chain based on actual business requirements, relying on the federation chain to deploy some other types of online business unrelated to value transfer (e.g., authentication business, rental service, vehicle dispatching business, insurance claim settlement business, credit service, medical service, etc.), and in such federation chain, the transaction may be a business message or business request with business intent issued by a user in the federation chain.
In one embodiment, by storing the transaction event in the blockchain, the content of the transaction event can be ensured to be secure and reliable, cannot be tampered, and can be checked from the blockchain account book at any time, so that the method has extremely high reliability and credibility.
In one embodiment, the server may obtain transaction anchor information, which is declared to be related to the event to be authenticated; the server then obtains the transaction event corresponding to the transaction anchor information from the blockchain and treats it as the transaction event related to the event to be authenticated. For example, when the transaction event is published to the blockchain as a certain transaction, the transaction anchor information may be information such as the transaction serial number; for another example, when the transaction event is generated by a certain smart contract in the blockchain, the transaction anchor information may be information such as the name of the smart contract or the transaction serial number corresponding to the smart contract.
In an embodiment, the server may obtain the event content of the transaction event, so as to authenticate the consistency between the transaction event and the event to be authenticated and ensure that the transaction event can be used for identity authentication related to the event to be authenticated. In particular, when the server obtains the transaction event through the transaction anchor information, this prevents a malicious party from misleading the server by altering the transaction anchor information. For example, for a promotional poster containing a photo of a celebrity, the transaction anchor information can be presented in the poster in the form of a two-dimensional code or the like; if a malicious party points the two-dimensional code at a transaction event in which the celebrity signed some other event, checking the event content of the transaction event exposes the substitution, so that misjudgment is avoided.
In one embodiment, the server may invoke a smart contract, the smart contract being used to authenticate the consistency between the transaction event and the event to be authenticated. Like the above embodiments, this embodiment also ensures that the transaction event can be used for identity authentication related to the event to be authenticated; the difference is that the consistency determination is completed automatically by the smart contract rather than by the server, which reduces the processing load on the server and, because the smart contract executes automatically, also ensures the objectivity and fairness of the authentication result.
In one embodiment, the server may return the event content of the transaction event to the client for the client (or its user) to know the details or for it to verify the consistency between the transaction event and the event to be authenticated.
Step 106: the server determines the entity identity of the transaction-related object according to the signature of the transaction event and the pre-recorded mapping relationship between the entity identity and the digital identity of each object, so as to authenticate whether the specified object is the transaction-related object.
In one embodiment, by obtaining a transaction event related to an event to be authenticated and verifying the signature of the transaction event, it can be accurately determined whether the declared relationship between the event to be authenticated and the specified object is authentic, for example, when a celebrity photo appears on a promotional poster, whether the celebrity actually endorses the promotional content on the poster, or whether a position printed on a business card is authentic, and the like.
In an embodiment, the server may send the determined entity identity of the transaction related object to the client, so that the client or its user compares the entity identity of the transaction related object with the entity identity of the designated object to determine whether the two are consistent.
In an embodiment, the server may actively compare the entity identity of the transaction related object with the entity identity of the designated object, so as to authenticate whether the designated object is the transaction related object, and further return an authentication result to the client. The authentication result may only include a "whether" determination result, or may further include an entity identity of the transaction-related object, so that the client (or the user thereof) can know details of the determination result, or can verify the determination result.
Fig. 2 is a flow chart of another authentication method provided by an example embodiment. As shown in fig. 2, the method applied to the client may include the following steps:
Step 202: the client initiates an authentication request to the server for an event to be authenticated, instructing the server to acquire from the blockchain a transaction event related to the event to be authenticated, wherein the transaction event is signed by a transaction-related object through a pre-registered digital identity.
In an embodiment, the transaction-related object may be registered in advance at the server to obtain a corresponding digital identity; alternatively, the transaction-related object may be registered at another service provider to obtain a corresponding digital identity, and the other service provider may provide an identity authentication service to the server, or grant the server access to the recorded mapping relationship between the entity identity and the digital identity, so that the server may perform identity authentication by itself.
In one embodiment, the transaction-related object may be an organization, which may use its own entity identity to register with the server or another service provider to obtain the corresponding digital identity. The transaction-related object may also be an individual, and the individual may use his or her entity identity to register at the server or another service provider to obtain the corresponding digital identity; alternatively, when the individual is an employee of an organization or has some other association with it, the individual may first obtain a certificate from the organization, namely a signature generated with the digital identity registered by the organization, which is equivalent to the organization endorsing the identity of the individual, and the individual may then register with the server or another service provider to obtain a corresponding digital identity on the basis of that signature. Of course, the transaction-related object may also obtain the digital identity in other ways, which is not limited in this specification.
In one embodiment, when there is a single transaction-related object, the signature for the transaction event is a single signature; when there are multiple transaction-associated objects, the signature for the transaction event is a multiple signature.
In one embodiment, the transaction (transfer) described in this specification refers to a piece of data that a user creates through a client of a blockchain and needs to be finally published to a distributed database of the blockchain. The transactions in the blockchain are classified into narrow transactions and broad transactions. A narrowly defined transaction refers to a transfer of value issued by a user to a blockchain; for example, in a conventional bitcoin blockchain network, the transaction may be a transfer initiated by the user in the blockchain. The broad transaction refers to a piece of business data with business intention, which is issued to the blockchain by a user; for example, an operator may build a federation chain based on actual business requirements, relying on the federation chain to deploy some other types of online business unrelated to value transfer (e.g., authentication business, rental service, vehicle dispatching business, insurance claim settlement business, credit service, medical service, etc.), and in such federation chain, the transaction may be a business message or business request with business intent issued by a user in the federation chain.
In one embodiment, the client may identify a barcode pattern (e.g., a barcode, a two-dimensional code, etc.) associated with the event to be authenticated and obtain the transaction anchor information from it; the client may then upload the transaction anchor information to the server, so that the server obtains the transaction event from the blockchain. For example, when the transaction event is published to the blockchain as a certain transaction, the transaction anchor information may be information such as the transaction serial number; for another example, when the transaction event is generated by a certain smart contract in the blockchain, the transaction anchor information may be information such as the name of the smart contract or the transaction serial number corresponding to the smart contract.
Step 204, the client receives the entity identity of the transaction related object for authenticating whether a designated object is the transaction related object, wherein the designated object is declared to be related to the event to be authenticated, and the entity identity of the transaction related object is determined by the server according to the signature of the transaction event, and the pre-recorded mapping relationship between the entity identity and the digital identity of each object; or, the client receives an identity authentication result returned by the server, where the identity authentication result is used to indicate whether the designated object is the transaction-related object.
In one embodiment, by obtaining a transaction event related to an event to be authenticated and verifying the signature of the transaction event, it can be accurately determined whether the declared relationship between the event to be authenticated and the specified object is authentic, for example, when a celebrity photo appears on a promotional poster, whether the celebrity actually endorses the promotional content on the poster, or whether a position printed on a business card is authentic, and the like.
In one embodiment, the specified object is the object specified by the "declaration". The designated object may be an individual, an organization (e.g., a business, etc.), or both. The number of the designated objects may be one or more, and the specification does not limit this.
In an embodiment, the association relationship between the "event to be authenticated" and the "specified object" may be declared in any form, which is not limited in this specification. For example, the content of the "event to be authenticated" and the information of the "specified object" may be presented in the same image; for instance, the image may be a promotional poster, the content of the "event to be authenticated" is the promotional content in the poster, and the information of the "specified object" is a celebrity photo in the poster, which is equivalent to declaring that the celebrity endorses the promotional content in the poster. For another example, the content of the "event to be authenticated" and the information of the "specified object" may be printed on the same paper; for instance, the paper may be a business card, the content of the "event to be authenticated" is the position information on the business card, and the information of the "specified object" is the name on the business card, which is equivalent to declaring that the issuer of the business card (i.e., the user corresponding to the name) holds the corresponding position.
In an embodiment, the client may receive the event content of the transaction event returned by the server, so as to authenticate the consistency between the transaction event and the event to be authenticated and ensure that the transaction event can be used for identity authentication related to the event to be authenticated. In particular, when the server obtains the transaction event through the transaction anchor information, this prevents a malicious party from misleading the server by altering the transaction anchor information. For example, for a promotional poster containing a photo of a celebrity, the transaction anchor information can be presented in the poster in the form of a two-dimensional code or the like; if a malicious party points the two-dimensional code at a transaction event in which the celebrity signed some other event, checking the event content of the transaction event exposes the substitution, so that misjudgment is avoided. For example, when the transaction event is inconsistent with the event to be authenticated, this indicates that the transaction event is not the transaction event related to the event to be authenticated, and therefore the client may determine that the designated object is not a transaction-related object of a transaction event related to the event to be authenticated.
In an embodiment, the client may receive a content authentication result returned by the server, where the content authentication result is used to indicate consistency between the transaction event and the event to be authenticated. In other words, the server side can authenticate the consistency between the transaction event and the to-be-authenticated event, and obtain the content authentication result to inform the client side. Further, the client can also receive the event content of the transaction event returned by the server, so that the client (or a user thereof) can know details or verify the consistency between the transaction event and the event to be authenticated.
Fig. 3 is a schematic diagram of registering a digital identity according to an exemplary embodiment. As shown in fig. 3, the certification authority (specifically, the service-side application running on the electronic device corresponding to the certification authority) may provide a registration function of the digital identity through means of entity authentication, data analysis, indirect authentication, and the like.
Taking enterprise AA as an example, enterprise AA may provide the materials and information required for registration, and the certification authority may assign a corresponding digital identity, such as enterprise digital identity 1, to enterprise AA after the verification passes; meanwhile, the certification authority may record the mapping relationship between the enterprise entity identity 1 of enterprise AA and the enterprise digital identity 1, so as to facilitate subsequent identity authentication. The certification authority also issues a public-private key pair to enterprise AA for enterprise AA to generate a digital signature (or electronic signature) that characterizes its enterprise digital identity 1.
Similarly, the enterprise BB may register with the certification authority and obtain a corresponding digital identity, such as enterprise digital identity 2. Meanwhile, the certification authority can record the mapping relation between the enterprise entity identity 2 of the enterprise BB and the enterprise digital identity 2, and issue a public and private key pair for generating the digital signature to the enterprise BB.
Similarly to the registration of digital identities by enterprises AA and BB, an individual may also register with the certification authority in a similar manner to obtain a corresponding digital identity. For example, user A may provide the certification authority with the materials and information required for registration, and the certification authority may assign a corresponding digital identity, such as user digital identity 1, to user A upon verification. Meanwhile, the certification authority may record the mapping relationship between the user entity identity 1 of user A and the user digital identity 1, so as to facilitate subsequent identity authentication. The certification authority also issues a public-private key pair to user A for user A to generate a digital signature characterizing user digital identity 1.
In addition to registering with the certification authority directly, in the same manner as user A, user B may also complete registration via enterprise BB if there is some association between user B and enterprise BB, such as user B being an employee of enterprise BB. For example, user B may present identity evidence to enterprise BB, which usually requires simpler materials and information than registering directly with the certification authority; after authenticating user B, enterprise BB may provide user B with a digital signature, such as enterprise digital signature 2 generated with its private key; and user B may register with the certification authority based on enterprise digital signature 2 to obtain a digital identity assigned by the certification authority, such as user digital identity 2. Meanwhile, the certification authority may record the mapping relationship between the user entity identity 2 of user B and the user digital identity 2, and issue a public-private key pair to user B for generating a digital signature.
Based on the above description, any enterprise, person, etc. may register with the certification authority so that the certification authority may record the mapping relationship between the entity identity and the assigned digital identity of each enterprise or person, respectively, and issue a public-private key pair for generating a digital signature.
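The registration flow of Fig. 3 as an added Go example (not code from the specification or from any product implementing it): direct registration as for enterprises AA and BB and user A, indirect registration of user B on the strength of enterprise BB's signature, and the lookup the server performs when a publisher submits an event signed by another object, namely whether the publisher's digital identity was registered based on that object's signature. Ed25519 key pairs issued by the authority, hex-encoded public keys as digital identities, the fixed endorsement message format and all entity names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentityRecord is the certification authority's entry for one registered digital
// identity: the "mapping relationship between entity identity and digital identity"
// of Fig. 3, plus a note of which registered identity endorsed the registration.
type IdentityRecord struct {
	EntityIdentity string // verified real-world identity (enterprise name, person's name)
	PublicKey      ed25519.PublicKey
	EndorsedBy     string // digital identity whose signature the registration relied on; "" if direct
}

// CertificationAuthority keeps the registry. A digital identity is the hex encoding of
// the public key (an assumption of this example; the specification only calls them
// "enterprise digital identity 1", "user digital identity 2" and so on).
type CertificationAuthority struct {
	records map[string]IdentityRecord
}

func NewCertificationAuthority() *CertificationAuthority {
	return &CertificationAuthority{records: make(map[string]IdentityRecord)}
}

// issue creates the key pair the authority hands to a registrant and records the mapping.
func (ca *CertificationAuthority) issue(entity, endorsedBy string) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do but stop
	}
	id := hex.EncodeToString(pub)
	ca.records[id] = IdentityRecord{EntityIdentity: entity, PublicKey: pub, EndorsedBy: endorsedBy}
	return id, priv
}

// RegisterDirect models enterprises AA, BB and user A: the authority verifies the
// registrant's materials itself (not modelled here) and then issues a digital identity.
func (ca *CertificationAuthority) RegisterDirect(entity string) (string, ed25519.PrivateKey) {
	return ca.issue(entity, "")
}

// endorsementMessage is the byte string an endorser signs to vouch for an entity. The
// fixed prefix keeps an endorsement from being mistaken for any other kind of signature.
func endorsementMessage(entity string) []byte {
	return []byte("endorse-entity-identity:" + entity)
}

// Endorse is what enterprise BB does for its employee, user B: sign B's entity identity
// with the private key of BB's own registered identity ("enterprise digital signature 2").
func Endorse(endorserPriv ed25519.PrivateKey, entity string) []byte {
	return ed25519.Sign(endorserPriv, endorsementMessage(entity))
}

// RegisterViaEndorsement models user B's indirect registration: the authority accepts the
// endorsement only if it verifies under an identity already in its registry, and records
// that identity as the endorser so the association can be queried later.
func (ca *CertificationAuthority) RegisterViaEndorsement(entity, endorserID string, endorsement []byte) (string, ed25519.PrivateKey, error) {
	endorser, ok := ca.records[endorserID]
	if !ok {
		return "", nil, errors.New("endorser is not a registered digital identity")
	}
	if !ed25519.Verify(endorser.PublicKey, endorsementMessage(entity), endorsement) {
		return "", nil, fmt.Errorf("endorsement does not verify under %s", endorser.EntityIdentity)
	}
	id, priv := ca.issue(entity, endorserID)
	return id, priv, nil
}

// EntityOf is the lookup of step 106: digital identity -> entity identity.
func (ca *CertificationAuthority) EntityOf(digitalID string) (string, bool) {
	rec, ok := ca.records[digitalID]
	return rec.EntityIdentity, ok
}

// HasPresetAssociation answers the server's question when a publisher submits an event
// signed by someone else: was the publisher's digital identity registered on the strength
// of a signature from the transaction-related object?
func (ca *CertificationAuthority) HasPresetAssociation(publisherID, relatedID string) bool {
	rec, ok := ca.records[publisherID]
	return ok && rec.EndorsedBy != "" && rec.EndorsedBy == relatedID
}

func main() {
	ca := NewCertificationAuthority()
	bbID, bbPriv := ca.RegisterDirect("Enterprise BB")
	bID, _, err := ca.RegisterViaEndorsement("User B", bbID, Endorse(bbPriv, "User B"))
	fmt.Println(err == nil, ca.HasPresetAssociation(bID, bbID))
}
```

The endorsement binds the endorser's key to a specific entity identity, so a signature obtained for one person cannot be reused to register another, and an endorsement from a key the authority has never registered is rejected before any signature check.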
The authentication scheme of the present specification will be described in detail below with reference to fig. 4 to 5, taking the example of publicizing celebrity endorsement information on a poster.
Fig. 4 is a schematic diagram of information attestation provided in an exemplary embodiment. As shown in Fig. 4, assuming that user A is a celebrity, when user A agrees to authorize a poster promoting xxx, i.e., user A agrees to endorse xxx, user A may store the related information to the blockchain as attestation.
In an embodiment, the user device 1 used by user A may be any type of mobile phone, tablet, personal computer, etc., which this specification does not limit. User A completes the operation of storing the relevant information to the blockchain through the client-side application running on user device 1. For example, user A may generate attestation information such as "I authorize xxx" on user device 1 and sign the attestation information by invoking the private key issued by the certification authority, thereby obtaining a corresponding digital signature SIG_U1. Before the private key is invoked to generate the signature, the identity of user A may be verified, for example by password verification, input habit verification, or physiological characteristic verification based on fingerprint, voiceprint, face, iris and the like; the signature is generated only after the verification passes, otherwise it is not generated.
Of course, the generation of the attestation information "I authorize xxx" and the digital signature SIG_U1 may actually be performed by the certification authority, with user device 1 used only to provide user A with an interactive interface, to perform identity verification (especially verification based on physiological characteristics; password verification, input habit verification and the like may also be performed by the certification authority), and to exchange data with the certification authority, so that user A may instruct the certification authority to generate the attestation information and the digital signature.
In one embodiment, user device 1 may be configured as a blockchain node in the blockchain, in which case user device 1 may submit the blockchain transaction [I authorize xxx; SIG_U1], causing the blockchain transaction [I authorize xxx; SIG_U1] to be recorded in the blockchain ledger maintained jointly by all blockchain nodes.
In an embodiment, user device 1 itself is not configured as a blockchain node; user device 1 may still submit the above blockchain transaction [I authorize xxx; SIG_U1], which likewise causes the blockchain transaction [I authorize xxx; SIG_U1] to be recorded in the blockchain ledger maintained jointly by all blockchain nodes. For example, the certification authority may be configured as a blockchain node, and through the client-side application running on user device 1 and the service-side application running at the certification authority, user device 1 may send the attestation information "I authorize xxx" and the digital signature SIG_U1 to the certification authority, which submits the above blockchain transaction [I authorize xxx; SIG_U1].
In one embodiment, for the published blockchain transaction [I authorize xxx; SIG_U1], a corresponding access interface may be formed to facilitate access during subsequent authentication. For example, the access interface may be presented in the form of a two-dimensional code, and the blockchain node may transmit the two-dimensional code to the producer of the promotional poster (e.g., enterprise AA), so that enterprise AA may add the two-dimensional code to the promotional poster.
When user B views the promotional poster as shown in fig. 4, it is naturally assumed that user a may endorse the xxx product, but that a lawbreaker may use the photo of user a at will, based on the xxx product promoted by the promotional poster and the photo of user a, user B can authenticate with the two-dimensional code on the promotional poster to determine whether user a indeed authorizes endorsement of the xxx product.
Fig. 5 is a schematic diagram of an authentication and authorization scenario provided by an exemplary embodiment. As shown in fig. 5, assume that a client-side application program runs on the electronic device 2 used by user B; the camera module of the electronic device 2 may be invoked to scan the two-dimensional code on the poster shown in fig. 4, and the content identified from the scanned two-dimensional code is uploaded to the certification authority so that the certification authority performs the certification processing.
In an embodiment, the scanned content of the two-dimensional code includes the access interface information generated in the embodiment shown in fig. 4, and the certification authority may query the blockchain ledger based on that scanned content:
In the first case, the certification authority cannot find any blockchain transaction, which indicates that the two-dimensional code on the poster is meaningless information placed there arbitrarily by a lawbreaker and that user A has not issued certification information authorizing the xxx product to the blockchain; the certification authority may therefore determine that the certification has failed, that is, user A has not given authorization.
In the second case, the certification authority can access the corresponding blockchain transaction, but the transaction contains no digital signature, or contains a digital signature other than the SIG_U1 corresponding to user A; this indicates that the two-dimensional code on the poster is counterfeit information placed there by a lawbreaker and that user A has not issued certification information authorizing the xxx product to the blockchain, so the certification authority may determine that the certification has failed, that is, user A has not given authorization.
In the third case, the certification authority can access a corresponding blockchain transaction that contains the digital signature SIG_U1, and may determine that the digital signature SIG_U1 corresponds to user A based on the mapping recorded in fig. 3 and the record of issuance of the public-private key pair. The blockchain transaction then has a certain probability of containing proof of user A's authorization for the xxx product; however, with a certain probability the transaction may instead contain certification information in which user A authorizes some other product rather than the xxx product. The certification authority may therefore further certify the content contained in the blockchain transaction to ensure that the certification information it contains is "I authorize xxx" or a similar statement, rather than "I authorize yyy" or other irrelevant content.
In an embodiment, the certification authority may return authentication information to the user device 2 so that the user device 2 can present the relevant content to user B. For example, when the blockchain transaction accessed by the certification authority does contain the certification information "I authorize xxx" and the digital signature SIG_U1, the authentication information may include the certification information "I authorize xxx" and the entity identity "user A" corresponding to the digital signature SIG_U1 (the digital signature reflects the digital identity, and, combined with the mapping relationship between digital identity and entity identity, the entity identity can be determined), as shown in fig. 5.
In an embodiment, the authentication information may further include an authentication conclusion, such as "authenticated"/"authorized" or "not authenticated"/"unauthorized". The authentication conclusion is not strictly necessary, however: even if the authentication information contains only the content of the blockchain transaction, the entity information corresponding to the digital signature it contains, and the like, user B can still determine whether user A is authorized by viewing the authentication information together with the content of the promotional poster. For example, when the authentication information contains "no authorization information found", "I authorize yyy", "signature: user C", "unsigned", or the like, user B may determine that user A has not authorized the xxx product.
Similar to the "poster promotion" embodiment above, the technical solution of this specification can obviously be applied to many other scenarios to implement fast and accurate authentication.
For example, user B may wish to certify the positions printed on his or her own business card so as to demonstrate their authenticity. Assume that user B is simultaneously a director of enterprise AA, the chairman of enterprise BB and the CEO of enterprise CC. User B may submit the position information "user B: enterprise AA-director, enterprise BB-chairman, enterprise CC-CEO" to each enterprise for authentication; after the authentication passes, each enterprise signs with the private key it holds, so that user B obtains a multiple digital signature SIG_M over the position information. User B may then submit a blockchain transaction containing the position information and the multiple digital signature SIG_M to the blockchain ledger through the user device 2, obtain an access interface for that blockchain transaction, and print a two-dimensional code corresponding to the access interface on the business card.
Then, when user B hands the business card to user X, user X may request authentication from the certification authority by scanning the two-dimensional code on the business card. The certification authority may query the blockchain transaction from the blockchain as in the embodiment shown in fig. 5; if the blockchain transaction contains the position information "user B: enterprise AA-director, enterprise BB-chairman, enterprise CC-CEO" and the multiple digital signature SIG_M corresponding to enterprise AA, enterprise BB and enterprise CC, the certification authority may return that position information, together with enterprise AA, enterprise BB and enterprise CC as the entities corresponding to the multiple digital signature SIG_M, to user X, so that user X can determine the authenticity of the position information actually marked on the business card.
For example, when the business card marks user B as a director of enterprise AA, the chairman of enterprise BB and the CEO of enterprise CC, that is, the business card content is declared to be related to enterprise AA, enterprise BB, enterprise CC and enterprise DD; then, if the signatures of enterprise AA, enterprise BB and enterprise CC are included in the blockchain transaction and the positions marked on the business card are consistent with the position information in the blockchain transaction, the position information marked on the business card may be considered authentic. However, if the signature information or the position information is inconsistent, the position information marked on the business card may not be authentic.
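The three-case check described for the poster scenario (fig. 5) and the multiple-signature business card check above, as an added worked example that is not part of this specification. It assumes a constructed registration record (digital identity to entity identity) and a constructed ledger keyed by the two-dimensional code's access interface; an HMAC over the transaction content stands in for the public-key digital signatures SIG_U1 and SIG_M so that it runs with the Python standard library only. The anchor strings, digital-identity names and keys are all constructed, and the "enterprise DD" case generalizes the inconsistency the last paragraph describes.

```python
import hashlib
import hmac

# Constructed registration record (assumption): pre-registered digital identity ->
# (entity identity, verification key). The specification uses a public/private key
# pair; an HMAC key stands in for it here so the example needs no third-party library.
REGISTRY = {
    "did:user-a": ("user A", b"constructed-key-user-a"),
    "did:user-c": ("user C", b"constructed-key-user-c"),
    "did:ent-aa": ("enterprise AA", b"constructed-key-aa"),
    "did:ent-bb": ("enterprise BB", b"constructed-key-bb"),
    "did:ent-cc": ("enterprise CC", b"constructed-key-cc"),
}


def sign(did, content):
    """Stand-in for the digital signature of digital identity `did` over `content`."""
    return hmac.new(REGISTRY[did][1], content.encode(), hashlib.sha256).hexdigest()


def make_transaction(content, signer_dids):
    """Build a blockchain transaction [content; signatures], e.g. [I authorize xxx; SIG_U1]."""
    return {"content": content, "signatures": {d: sign(d, content) for d in signer_dids}}


CARD = "user B: enterprise AA-director, enterprise BB-chairman, enterprise CC-CEO"

# Constructed ledger: transaction anchoring information (the access interface behind
# the two-dimensional code) -> the blockchain transaction it points at.
LEDGER = {
    "qr:poster-xxx": make_transaction("I authorize xxx", ["did:user-a"]),
    "qr:poster-yyy": make_transaction("I authorize yyy", ["did:user-a"]),
    "qr:poster-forged": make_transaction("I authorize xxx", ["did:user-c"]),
    "qr:poster-unsigned": {"content": "I authorize xxx", "signatures": {}},
    "qr:card-user-b": make_transaction(CARD, ["did:ent-aa", "did:ent-bb", "did:ent-cc"]),
}
# Content altered after signing: the signature must fail to verify.
LEDGER["qr:poster-tampered"] = {
    "content": "I authorize xxx",
    "signatures": {"did:user-a": sign("did:user-a", "I authorize zzz")},
}


def verified_signers(tx):
    """Entity identities whose signatures on `tx` verify against the registered keys."""
    entities = set()
    for did, sig in tx["signatures"].items():
        if did in REGISTRY and hmac.compare_digest(sig, sign(did, tx["content"])):
            entities.add(REGISTRY[did][0])
    return entities


def authenticate(anchor, declared_objects, declared_content):
    """Server-side authentication of an event declared to be related to `declared_objects`.

    Case 1: no transaction behind the anchor            -> failed.
    Case 2: no valid signature from every declared object -> failed.
    Case 3: signatures match, so the content must also match the declared event;
            'I authorize yyy' cannot back a poster for xxx.
    The signers and content actually found are always returned so the client can
    judge for itself even without the conclusion flag.
    """
    tx = LEDGER.get(anchor)
    if tx is None:
        return {"authorized": False, "reason": "no transaction found for anchor"}
    signers = verified_signers(tx)
    result = {"content": tx["content"], "signers": sorted(signers)}
    missing = set(declared_objects) - signers
    if missing:
        result.update(authorized=False,
                      reason="no valid signature from " + ", ".join(sorted(missing)))
        return result
    if tx["content"] != declared_content:
        result.update(authorized=False,
                      reason="transaction content does not match the declared event")
        return result
    result.update(authorized=True, reason="signatures and content consistent with declaration")
    return result


if __name__ == "__main__":
    print(authenticate("qr:poster-xxx", {"user A"}, "I authorize xxx"))
    print(authenticate("qr:card-user-b",
                       {"enterprise AA", "enterprise BB", "enterprise CC", "enterprise DD"}, CARD))
```

Swapping `sign` for verification of a real public-key signature against the key recorded at registration leaves the rest unchanged. The decision rests on three independent facts (a transaction exists behind the anchor, every declared object's signature verifies, the content matches the declaration), and a failure on any one of them is reported together with what was actually found.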
FIG. 6 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 6, at the hardware level, the apparatus includes a processor 602, an internal bus 604, a network interface 606, a memory 608 and a non-volatile memory 610, but may also include hardware required for other services. The processor 602 reads the corresponding computer program from the non-volatile memory 610 into the memory 608 and runs it, forming an authentication device on a logical level. Of course, besides software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combinations of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Referring to fig. 7, in a software implementation, the authentication apparatus may include:
a request receiving unit 701, configured to enable a server to receive an authentication request initiated by a client for an event to be authenticated, the event to be authenticated being declared as being related to a specified object;
an event obtaining unit 702, configured to enable the server to obtain, from a blockchain, a transaction event related to the event to be authenticated, where the transaction event is signed by a transaction related object through a pre-registered digital identity;
an identity determining unit 703, configured to enable the server to determine the entity identity of the transaction-related object according to the signature of the transaction event and a pre-recorded mapping relationship between the entity identity and the digital identity of each object, so as to authenticate whether the specified object is the transaction-related object.
Optionally, the event obtaining unit 702 is specifically configured to:
enabling the server to acquire transaction anchoring information, wherein the transaction anchoring information is declared to be related to the event to be authenticated;
and enabling the server to acquire the transaction event corresponding to the transaction anchoring information from the blockchain to serve as the transaction event related to the event to be authenticated.
Optionally, a content obtaining unit 704 or a contract invoking unit 705 is further included; wherein:
the content obtaining unit 704 is configured to enable the server to obtain event content of the transaction event, so as to authenticate consistency between the transaction event and the event to be authenticated;
the contract invoking unit 705 is configured to enable the server to invoke a smart contract, where the smart contract is used to authenticate consistency between the transaction event and the event to be authenticated.
Optionally, the apparatus further includes:
an authentication unit 706, configured to enable the server to authenticate whether the specified object is the transaction-related object, so as to return an authentication result to the client.
Optionally, the apparatus further includes:
a returning unit 707, configured to enable the server to return the entity identity of the transaction-related object and/or the event content of the transaction event to the client.
Optionally:
the transaction event is issued to the blockchain by the transaction-related object;
or, after the transaction-related object signs the transaction event, the transaction event is issued to the blockchain by an issuer distinct from the transaction-related object.
Optionally:
the transaction event is issued to the blockchain by the issuer through a corresponding blockchain node;
or, the apparatus further includes an issuing unit 708, configured to enable the server to receive the transaction event submitted by the issuer and issue the transaction event to the blockchain through a corresponding blockchain node.
Optionally, the apparatus further includes:
a verification unit 709, configured to enable the server to verify whether a preset association relationship exists between the issuer and the transaction-related object corresponding to a signature included in the transaction event;
when the preset association relationship exists, the issuing unit 708 enables the server to issue the transaction event to the blockchain.
Optionally, the verification unit 709 is specifically configured to:
enable the server to query the digital identity pre-registered by the issuer;
and, when the digital identity of the issuer was registered based on a signature provided to the issuer by the transaction-related object, enable the server to determine that the preset association relationship exists.
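The gate formed by the verification unit 709 and the issuing unit 708 above, as an added example that is not part of this specification: a server that only issues a transaction submitted on someone else's behalf when the issuer's registered digital identity carries a valid signature from the transaction-related object. The registry layout, the "sponsor signature" field, the digital-identity names and the keys are constructed assumptions, and an HMAC stands in for the public-key signature so the code runs with the standard library only; an object issuing its own signed transaction is admitted directly, as the first alternative above allows.

```python
import hashlib
import hmac

# Constructed registration records (assumption): digital identity -> entity identity,
# verification key (HMAC key standing in for the key pair), and, for an issuer that
# was registered on behalf of another object, the signature that object provided.
REGISTRY = {
    "did:user-a": {"entity": "user A", "key": b"constructed-key-user-a", "sponsors": {}},
    "did:user-c": {"entity": "user C", "key": b"constructed-key-user-c", "sponsors": {}},
    "did:ent-aa": {"entity": "enterprise AA", "key": b"constructed-key-aa", "sponsors": {}},
}

LEDGER = []  # constructed stand-in for the blockchain ledger


def sign(did, message):
    """Stand-in for the digital signature of digital identity `did` over `message`."""
    return hmac.new(REGISTRY[did]["key"], message.encode(), hashlib.sha256).hexdigest()


def register_sponsor(issuer_did, sponsor_did):
    """Record, in the issuer's registration, the sponsor's signature over the issuer's
    digital identity (e.g. user A authorizing enterprise AA to publish for her)."""
    REGISTRY[issuer_did]["sponsors"][sponsor_did] = sign(sponsor_did, "registered issuer " + issuer_did)


def has_preset_association(issuer_did, signer_did):
    """Verification unit 709: was the issuer's digital identity registered based on a
    signature provided by the transaction-related object `signer_did`?"""
    issuer = REGISTRY.get(issuer_did)
    if issuer is None or signer_did not in REGISTRY:
        return False
    if issuer_did == signer_did:
        return True  # the transaction-related object issues its own transaction
    sponsor_sig = issuer["sponsors"].get(signer_did)
    if sponsor_sig is None:
        return False
    return hmac.compare_digest(sponsor_sig, sign(signer_did, "registered issuer " + issuer_did))


def submit_transaction(issuer_did, tx):
    """Issuing unit 708 gated by unit 709: issue `tx` only if every signature verifies
    and every signer has a preset association with the issuer. Returns True if issued."""
    for did, sig in tx["signatures"].items():
        if did not in REGISTRY or not hmac.compare_digest(sig, sign(did, tx["content"])):
            return False  # the signature itself does not verify
        if not has_preset_association(issuer_did, did):
            return False  # this signer never authorized this issuer
    LEDGER.append(tx)
    return True


if __name__ == "__main__":
    register_sponsor("did:ent-aa", "did:user-a")
    tx = {"content": "I authorize xxx",
          "signatures": {"did:user-a": sign("did:user-a", "I authorize xxx")}}
    print(submit_transaction("did:ent-aa", tx))   # enterprise AA was sponsored by user A
    print(submit_transaction("did:user-c", tx))   # user C was not
```

The check binds the issuer to the signer at registration time rather than trusting whoever presents a validly signed transaction, so a third party who merely obtains a signed statement cannot publish it through an issuer that the signer never authorized.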
FIG. 8 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 8, at the hardware level, the apparatus includes a processor 802, an internal bus 804, a network interface 806, a memory 808, and a non-volatile memory 810, but may also include hardware required for other services. The processor 802 reads the corresponding computer program from the non-volatile memory 810 into the memory 808 and runs it, forming an authentication device on a logical level. Of course, besides software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combinations of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Referring to fig. 9, in a software implementation, the authentication apparatus may include:
a request unit 901, configured to enable a client to initiate an authentication request to a server for an event to be authenticated, so as to instruct the server to obtain a transaction event related to the event to be authenticated from a blockchain, where the transaction event is signed by a transaction-related object through a pre-registered digital identity;
an identity receiving unit 902, configured to enable the client to receive an entity identity of the transaction related object, so as to authenticate whether a specified object is the transaction related object, where the specified object is declared to be related to the event to be authenticated, and the entity identity of the transaction related object is determined by the server according to a signature of the transaction event, and a mapping relationship between a pre-recorded entity identity and a digital identity of each object; or, the client receives an identity authentication result returned by the server, where the identity authentication result is used to indicate whether the designated object is the transaction-related object.
Optionally, the apparatus further includes:
an identifying unit 903, configured to enable the client to identify a barcode pattern associated with the event to be authenticated, so as to obtain transaction anchoring information;
an uploading unit 904, configured to enable the client to upload the transaction anchoring information to the server, so that the server obtains the transaction event from the blockchain.
Optionally, a content receiving unit 905 or a result receiving unit 906 is further included; wherein:
the content receiving unit 905 is configured to enable the client to receive event content of the transaction event returned by the server, so as to authenticate consistency between the transaction event and the event to be authenticated;
the result receiving unit 906 is configured to enable the client to receive a content authentication result returned by the server, where the content authentication result is used to indicate consistency between the transaction event and the event to be authenticated.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.