CN110569674B - Authentication method and device based on block chain network - Google Patents

Abstract

The invention provides an authentication method, an authentication device, electronic equipment and a storage medium based on a blockchain network; the method comprises the following steps: generating an organization certificate signed by a blockchain network in response to a request for applying for a digital certificate sent by an organization terminal, and returning the organization certificate to the organization terminal; responding to a request for applying a digital certificate sent by a user terminal, generating a user certificate signed by the blockchain network, and returning the user certificate to the user terminal; performing consensus processing on the mechanism certificate and the user certificate, and storing the mechanism certificate and the user certificate which are obtained to be consensus in the blockchain network; and verifying the data interaction process of the organization terminal based on the organization certificate and the user certificate stored in the blockchain network. The invention can realize the safe data interaction among different mechanisms.

Description

Authentication method and device based on block chain network

Technical Field

The present invention relates to blockchain and information security technologies, and in particular, to a blockchain network-based authentication method, device, electronic apparatus, and storage medium.

Background

In blockchain network technology, communications are based on cryptography, and digital certificates play an important role in establishing trusted credentials for both parties to the communications. As an authoritative, trusted, fair third party authority that issues digital certificates, a certificate authority (CA, certificate Authority) is responsible for issuing and managing digital certificates required by entities participating in online transactions, assuming responsibility for verification of the legitimacy of public keys in a public key hierarchy.

However, the CA center provided by the related art generally performs centralized management on electronic information, and once the CA center is attacked, the digital certificate issued by the CA center is not trusted any more. In addition, the number of CA institutions is large, but different CA institutions are administrative, and user certificates can only be verified by root certificates of the affiliated CA, so that different CA cannot verify each other.

Disclosure of Invention

The embodiment of the invention provides an authentication method, an authentication device, electronic equipment and a storage medium based on a blockchain network, which can realize secure data interaction among different institutions.

The technical scheme of the embodiment of the invention is realized as follows:

the embodiment of the invention provides an authentication method based on a blockchain network, which comprises the following steps:

Generating an organization certificate signed by a blockchain network in response to a request for applying for a digital certificate sent by an organization terminal, and returning the organization certificate to the organization terminal;

responding to a request for applying a digital certificate sent by a user terminal, generating a user certificate signed by the blockchain network, and returning the user certificate to the user terminal;

performing consensus processing on the mechanism certificate and the user certificate, and storing the mechanism certificate and the user certificate which are obtained to be consensus in the blockchain network;

and verifying the data interaction process of the organization terminal based on the organization certificate and the user certificate stored in the blockchain network.

The embodiment of the invention provides an authentication device based on a blockchain network, which comprises:

a certificate generation module, configured to generate an organization certificate signed by a blockchain network in response to a request for applying a digital certificate sent by an organization terminal, and return the organization certificate to the organization terminal;

the certificate generation module is further used for responding to a request for applying for a digital certificate sent by a user terminal, generating a user certificate signed by the blockchain network and returning the user certificate to the user terminal;

The consensus module is used for carrying out consensus processing on the organization certificate and the user certificate, and storing the organization certificate and the user certificate which are obtained to be consensus in the blockchain network;

and the verification module is used for verifying the data interaction process of the organization terminal based on the organization certificate and the user certificate stored in the blockchain network.

In the above scheme, the verification module is further configured to, in response to a verification request sent by a first entity terminal in the entity terminals to verify identity information of a second entity, confirm the identity information of the second entity through a second entity certificate of the second entity stored in the blockchain network; and notifying the first institution terminal when the verification is passed, so that the first institution returns the requested data to the second institution terminal.

In the above scheme, the verification module is further configured to, in response to a verification request sent by the institution terminal to verify identity information of the user terminal, confirm the identity information of the user terminal through a user certificate of the user terminal stored in the blockchain network; and notifying the institution terminal when the authentication is passed so that the institution terminal returns the requested data to the user terminal.

In the above scheme, the verification module is further configured to obtain identity information of the user terminal and a public key of the user terminal, where the identity information is carried in the user certificate; generating a first abstract from the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm; decrypting the user certificate through a public key of a management node in the blockchain network to generate a second abstract; and when the first abstract is consistent with the second abstract, determining that the identity information of the user terminal passes verification.

In the above scheme, the verification module is further configured to, before responding to a verification request sent by the institution terminal to verify the identity information of the user terminal; and responding to a verification request for verifying the identity information of the organization sent by the user terminal, and confirming the identity information of the organization through an organization certificate of the organization stored in the blockchain network.

In the above scheme, the verification module is further configured to obtain identity information of the mechanism and a public key of the mechanism, where the identity information is carried in the mechanism certificate; generating a third abstract by using the acquired identity information of the organization and the public key of the organization through an abstract algorithm; decrypting the mechanism certificate through a public key of a management node in the blockchain network to generate a fourth abstract; and when the third abstract and the fourth abstract are consistent, determining that the identity information of the institution passes verification.

In the above scheme, the certificate generation module is further configured to obtain identity information of the mechanism and a public key of the mechanism, which are carried in the request message; signing the identity information of the mechanism and the public key of the mechanism through the private key of the management node in the blockchain network, and generating a mechanism certificate by combining the identity information and the public key of the mechanism and the corresponding signature;

the public key is used for acquiring the identity information of the user terminal and the public key of the user terminal carried in the request message; signing the identity information of the user terminal and the public key of the user terminal through the private key of the management node in the blockchain network, and generating a user certificate by combining the identity information and the public key of the user corresponding to the user terminal and the corresponding signature.

In the above scheme, the certificate generation module is further configured to generate a fifth digest of the identity information of the organization and the public key of the organization through a digest algorithm; signing the fifth abstract through a private key of a management node in the blockchain network to generate first signature information; generating the institution certificate based on the first signature information, the identity information of the institution, and a public key of the institution;

And generating a sixth abstract from the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm; signing the sixth abstract through a private key of a management node in the blockchain network to generate second signature information; the user certificate is generated based on the second signature information, the identity information of the user terminal, and the public key of the user terminal.

In the above scheme, the certificate generation module is further configured to, when receiving a request for applying for a digital certificate sent by an institution terminal, obtain identity information of the institution carried in the request; calling an interface with an identity information verification function to verify the acquired identity information of the mechanism; when the verification is passed, generating an organization certificate signed by the blockchain network;

when a request for applying for a digital certificate sent by a user terminal is received, acquiring identity information of the user terminal carried in the request; invoking the interface with the identity information verification function to verify the acquired identity information of the user terminal; when the verification passes, a user certificate signed by the blockchain network is generated.

An embodiment of the present invention provides an electronic device, including:

a memory for storing executable instructions;

and the processor is used for realizing the authentication method based on the blockchain network when executing the executable instructions stored in the memory.

The embodiment of the invention provides a storage medium which stores executable instructions for realizing the authentication method based on the blockchain network when being executed by a processor.

The embodiment of the invention has the following beneficial effects:

based on the characteristics of multi-node, distributed and non-tamperable of the blockchain network, digital certificates of institutions and user terminals are issued through the blockchain network, and the obtained digital certificates are stored in the blockchain network, so that identity verification among institutions can be performed based on the digital certificates stored in the blockchain network, and safety data interaction among different institutions is realized.

Drawings

FIG. 1 is a schematic diagram of an application system of a blockchain network provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of a block chain network logic architecture according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of a node in a blockchain network according to an embodiment of the present invention;

FIG. 4 is a schematic flow chart of an alternative method for blockchain network-based authentication according to an embodiment of the present invention;

FIG. 5 is a schematic flow chart of an alternative method for blockchain network-based authentication according to an embodiment of the present invention;

FIG. 6 is a schematic diagram of a related art certificate authority authentication system architecture;

FIG. 7 is a schematic diagram of a conventional public key infrastructure system and a public key infrastructure system based on a blockchain network according to an embodiment of the present invention;

FIG. 8 is a schematic diagram of a certificate status query in a public key infrastructure system based on a blockchain network provided by an embodiment of the present invention;

FIG. 9 is a flowchart illustrating a certificate issuing stage in a blockchain network-based authentication method according to an embodiment of the present invention;

fig. 10 is a flowchart of a certificate verification stage in a blockchain network-based authentication method according to an embodiment of the present invention.

Detailed Description

The present invention will be further described in detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present invention more apparent, and the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present invention.

In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.

In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a specific ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a specific order or sequence, as permitted, to enable embodiments of the invention described herein to be practiced otherwise than as illustrated or described herein.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.

Before describing embodiments of the present invention in further detail, the terms and terminology involved in the embodiments of the present invention will be described, and the terms and terminology involved in the embodiments of the present invention will be used in the following explanation.

1) Transactions (transactions), which are equivalent to computer terms "transactions," include operations that need to be submitted to a blockchain network for execution, and do not refer solely to transactions in a business context, which embodiments of the present invention follow in view of the terminology "transactions" being colloquially used in blockchain technology.

For example, a deployment (Deploy) transaction is used to install a specified smart contract to a node in a blockchain network and is ready to be invoked; call (Invoke) transactions are used to append records of transactions in the blockchain by invoking smart contracts and to operate on the blockchain's state database, including update operations (including adding, deleting, and modifying key-value pairs in the state database) and query operations (i.e., querying key-value pairs in the state database).

2) Blockchain (Blockchain) is a storage structure of encrypted, chained transactions formed by blocks (blocks).

For example, the header of each chunk may include both the hash values of all transactions in the chunk and the hash values of all transactions in the previous chunk, thereby enabling tamper-and anti-counterfeiting of transactions in the chunk based on the hash values; the newly generated transactions, after being filled into the block and passing through the consensus of the nodes in the blockchain network, are appended to the tail of the blockchain to form a chain growth.

3) A blockchain network (Blockchain Network) incorporates new blocks into a set of nodes of the blockchain by way of consensus.

4) Ledger (Ledger), a generic term for blockchains (also known as Ledger data) and state databases that are synchronized with blockchains.

Wherein the blockchain records transactions in the form of files in a file system; the state database records transactions in the blockchain in the form of different types of Key (Key) Value pairs for supporting quick queries for transactions in the blockchain.

5) Smart contacts (Smart contacts), also known as chain code (Chaincode) or application code, are deployed in programs in nodes of a blockchain network, which execute Smart Contracts invoked in received transactions to update or query key values of a state database for data.

6) Consensus (Consensus), a process in a blockchain network for agreeing on transactions in blocks among the involved nodes, the agreed blocks will be appended to the tail of the blockchain, and mechanisms for implementing Consensus include Proof of Work (PoW), proof of equity (PoS), proof of equity (stare), proof of equity (DPoS), proof of-of-status, proof of elapsed time (PoET, proof of Elapsed Time), and the like.

Referring now to fig. 1, fig. 1 is a schematic architecture diagram of an exemplary application system 100 of a blockchain network 200 according to an embodiment of the present invention, including a blockchain network 200 (exemplary shown as including a management node 210-1, a consensus node 210-2, and a consensus node 210-3), a first organization 300 (exemplary shown as a terminal 600-1 and a graphical interface 610-1 thereof attributed to the first organization 300), a second organization 400 (exemplary shown as a terminal 600-2 and a graphical interface 610-2 thereof attributed to the second organization 400), and a user 500 (exemplary shown as a terminal 600-3 and a graphical interface 610-3 attributed to the user 500), respectively, are described below.

The type of blockchain network 200 is flexible and diverse, and may be any of public, private, or federated chains, for example. Taking public chains as an example, any electronic device of a business entity, such as a user terminal and a server, can access the blockchain network 200 without authorization; taking the alliance chain as an example, after the service body obtains the authorization, the electronic device (for example, a terminal/server) under the jurisdiction of the service body can access the blockchain network 200, and at this time, the service body becomes a special node, namely a client node, in the blockchain network 200.

The types of nodes in blockchain network 200 may be diverse, and may include consensus nodes and management nodes, for example, where the consensus nodes have ordering, consensus services, and ledger functions; the management node has the function of issuing a digital certificate and can also have the function of a consensus node.

It is noted that only support traffic agent initiation transaction (e.g., for uplink stored data or query on-chain data) functionality may be provided for client nodes, which may be implemented by default or selectively (e.g., depending on the particular traffic needs of the traffic agent) for ordering functionality, consensus services and ledger functionality, etc. that the blockchain network 200 consensus nodes have. Thus, the data and service processing logic of the service body can be migrated to the blockchain network 200 to the greatest extent, and the credibility and traceability of the data and service processing process are realized through the blockchain network 200.

Blockchain network 200 receives transactions submitted from client nodes (e.g., terminal 600-1 belonging to first organization 300, terminal 600-2 belonging to second organization 400, and terminal 600-3 belonging to user 500 shown in fig. 1) of different business entities (e.g., first organization 300, second organization 400, and user 500 shown in fig. 1), performs transactions to update or query the ledger, and displays various intermediate or final results of performing the transactions at the user interfaces of the terminals (e.g., graphical interface 610-1 of terminal 600-1, graphical interface 610-2 of terminal 600-2, and graphical interface 610-3 of terminal 600-3). It will be appreciated that, in the above description, the blockchain network 200 that receives and executes transactions refers specifically to the native node 210 in the blockchain network 200, and of course, when a client node of a service entity has a function (e.g., consensus function, ledger function) of the native node 210 in the blockchain network 200, the corresponding client node may also be included.

An exemplary application of a blockchain network is described below with multiple business principals accessing the blockchain network to enable secure communications between different institutions.

Referring to fig. 1, the blockchain network 200-based authentication system 100 involves a plurality of service principals, such as a first organization 300, a second organization 400, and a user 500, that, after having been authorized, a terminal 600-1 of the first organization 300, a terminal 600-2 of the second organization 400, and a terminal 600-3 of the user 500 can access the blockchain network 200.

The service personnel of the first organization 300 logs in the digital certificate application system in the graphic interface 610-1 of the terminal 600-1, and initiates a request for applying a digital certificate to the blockchain network 200, where the request carries the identity information of the first organization 300 (for example, the identity identifier of the unified organization code of the first organization 300, etc.), and the public key generated by the terminal 600-1 of the first organization 300. Upon receiving the application request, the management node 210-1 in the blockchain network 200 invokes an interface with an authentication function to authenticate the identity information of the first organization 300. After the verification is passed, the management node 210-1 signs the identity information of the first organization 300 and the public key of the first organization 300 with its own private key, generates first signature information, and generates a first organization certificate based on the first signature information, the identity information of the first organization 300, and the public key of the first organization 300. The generated first mechanism certificate is subjected to consensus processing, and the first mechanism certificate after consensus is obtained is stored in the blockchain network 200. The blockchain network 200 also returns the generated first organization certificate to the terminal 600-1 of the first organization 300.

For convenience of description, no specific distinction is made between institution and institution terminals, and it will be understood that for the description below of an institution transmitted message, it will be understood that an institution transmitted message, and similarly, an institution transmitted message will be understood as a message transmitted to an institution terminal.

Similarly, the service personnel and the user 500 of the second organization 400 may log in the digital certificate application system in the graphical interface 610-2 of the respective terminal 600-2 and the graphical interface 610-3 of the terminal 600-3, initiate a request for applying a digital certificate to the blockchain network 200, and receive the second organization certificate of the second organization 400 and the user certificate of the user 500 returned by the blockchain network 200, respectively, which are not described herein.

When the second organization 400 requests data from the first organization 300, the second organization 400 transmits a second organization certificate issued by the blockchain network 200 to the terminal 600-1 of the first organization 300 through the terminal 600-2. After receiving the second organization certificate sent by the terminal 600-2 of the second organization 400, the terminal 600-1 of the first organization 300 sends the second organization certificate to the blockchain network 200 for verification to determine the identity information of the second organization 400. When the authentication is passed (e.g., a message is received that the authentication sent by the blockchain network 200 is passed), the requested data is returned to the terminal 600-2 of the second organization 400.

When the user 500 requests data from the first organization 300, the user 500 transmits a user certificate issued by the blockchain network 200 to the terminal 600-1 of the first organization 300 through the terminal 600-3. After receiving the user certificate sent by the terminal 600-3 of the user 500, the terminal 600-1 of the first organization 300 sends the user certificate to the blockchain network 200 for verification to determine the identity information of the user 500. When authentication is passed (e.g., a message is received that the authentication sent by the blockchain network 200 is passed), the requested data is returned to the terminal 600-3 of the user 500.

Referring to fig. 2, fig. 2 is a schematic diagram of a logic function architecture of the blockchain network 200 according to an embodiment of the present invention, including an application layer 201, a consensus layer 202, a network layer 203, a data layer 204, and a resource layer 205, which are described below.

The resource layer 205 encapsulates computing, storage and communication resources, such as in computers, servers/clusters and clouds, that implement the various nodes 210 in the blockchain network 200, abstracts and provides a unified interface to the data layer 204 to mask the variability of the underlying hardware that implements the resource layer 205.

Computing resources include various forms of processors such as Central Processing Units (CPUs), application specific integrated circuits (ASICs, application Specific Integrated Circuit), application specific integrated circuits, and Field programmable gate arrays (FPGAs, fields-Programmable Gate Array).

Storage resources include various types of storage media such as various volatile memory and non-volatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), or a Programmable Read-Only Memory. The volatile memory may be random access memory (RAM, random Access Memory), which acts as external cache memory.

The communication resources include various links for communication between nodes 210 of the blockchain network, between blockchain network 200 and traffic principals.

Data layer 204 encapsulates various data structures that implement the ledger, including blockchains implemented with files in a file system, a state database of key values, and presence certificates (e.g., hash trees of transactions in blocks).

The network layer 203 encapsulates the functions of Point-to-Point (P2P) network protocols, data propagation mechanisms and data verification mechanisms, access authentication mechanisms, and service body identity management.

Wherein the P2P network protocol enables communication between nodes 210 in the blockchain network 200, a data propagation mechanism ensures propagation of transactions in the blockchain network 200, and a data verification mechanism is used to enable reliability of data transmission between nodes 210 based on cryptography methods (e.g., digital certificates, digital signatures, public/private key pairs); the access authentication mechanism is used for authenticating the identity of the service entity joining the blockchain network 200 according to the actual service scene, and giving the authority of the service entity to access the blockchain network 200 when the authentication is passed; the service principal identity management is used to store the identity of the service principal that is allowed to access the blockchain network 200, as well as the rights (e.g., the type of transaction that can be initiated).

The consensus layer 202 encapsulates the functionality of the mechanism by which nodes 210 in the blockchain network 200 agree on blocks (i.e., consensus mechanism), transaction management, and ledger management.

The consensus mechanism comprises consensus algorithms such as POS, POW and DPOS, and supports the pluggable of the consensus algorithms.

The transaction management is used for verifying the digital signature carried in the transaction received by the node 210, verifying the identity information of the service entity, and judging and confirming whether the service entity has authority to conduct the transaction according to the identity information (reading the related information from the identity management of the service entity); for the business entity that obtains authorization to access the blockchain network 200, all possess the digital certificates issued by the authentication center, and the business entity signs the submitted transaction with the private key in its own digital certificate, thereby declaring its legal identity.

And (3) account book management: for maintaining a blockchain and a status database. For the block with consensus, adding to the tail of the block chain; executing the transaction in the block with consensus, updating the key value pairs in the state database when the transaction comprises an updating operation, querying the key value pairs in the state database when the transaction comprises a querying operation, and returning a query result to the business entity. Supporting query operations for multiple dimensions of a state database, comprising: querying a block based on a block sequence number (e.g., a hash value of a transaction); inquiring the block according to the block hash value; inquiring the block according to the transaction serial number; inquiring the transaction according to the transaction serial number; inquiring account data of the service body according to the account (serial number) of the service body; the blockchains in the channel are queried according to the channel name.

The application layer 201 encapsulates various services that the blockchain network can implement, including tracing, certification and verification of transactions, etc.

An exemplary architecture of a node of a blockchain network implementing embodiments of the present invention is described below, it being understood that the hardware architecture of any type of node in blockchain network 200 may be implemented in accordance with the hardware architecture described below.

Referring to fig. 3, fig. 3 is a schematic structural diagram of a node (device) 210 in a blockchain network 200 according to an embodiment of the present invention, where the node 210 shown in fig. 3 includes: at least one processor 2110, memory 2140, and at least one network interface 2120. The various components in node 210 are coupled together by bus system 2130.

The processor 2110 may be an integrated circuit chip with signal processing capabilities such as a general purpose processor, digital signal processor (DSP, digital Signal Processor), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.

The memory 2140 may be removable, non-removable, or a combination thereof. Memory 2140 optionally includes one or more storage devices physically located remote from processor 2110.

Memory 2140 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory.

In some embodiments, memory 2140 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof, as exemplified below.

An operating system 2141 including system programs for handling various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and handling hardware-based tasks;

the network communication module 2142 for reaching other computing devices via one or more (wired or wireless) network interfaces 220, an exemplary network interface 220 comprising: bluetooth, wireless compatibility authentication (WiFi), and universal serial bus (USB, universal Serial Bus), etc.;

In some embodiments, the blockchain network-based authentication device provided by the embodiments of the present invention may be implemented in software, and fig. 3 shows a blockchain network-based authentication device 2143 stored in the memory 2140, which may be software in the form of a program and a plug-in, and includes the following software modules: certificate generation module 21431, consensus module 21432, and verification module 21433, which are logical, and thus can be arbitrarily combined or further split depending on the functionality implemented. The functions of the respective modules will be described hereinafter.

The blockchain network-based authentication method provided by the embodiment of the invention is described below in connection with exemplary applications and implementations of the blockchain network and nodes therein.

Referring to fig. 4, fig. 4 is a schematic flowchart of an alternative block chain network-based authentication method according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 4.

In step S401, a management node of the blockchain network receives a request for an organization certificate sent by an organization.

Here, the institutions include government departments such as judicial, tax, government, and various units such as banks, enterprises, credit, and companies.

In some embodiments, when an organization applies for an organization certificate to a blockchain network, the organization needs to submit its own identity such as unified organization code, so that the blockchain network verifies the identity information of the organization requesting to apply for the organization certificate, and issues the organization certificate to the organization after the verification is passed.

For example, for the enterprise a, when the enterprise a needs to apply for the digital certificate of the enterprise a to the blockchain network, a service person of the enterprise a logs in to a digital certificate application system on a terminal or a server under the jurisdiction of the enterprise a, and sends a request for applying for the digital certificate to the blockchain network, where the request carries an organization code of the enterprise a. When the block chain network receives the request, an interface with an identity verification function is called to verify the organization code of the enterprise A, whether the organization code of the enterprise A is legal or not is confirmed, and the subsequent generation step of the digital certificate of the enterprise A is executed after the verification is passed. When the blockchain network detects that the organization code submitted by enterprise a is illegal, a rejection message (e.g., the organization code is illegal, please re-submit) may be returned to the terminal or server of enterprise a.

In step S402, a management node of the blockchain network generates an organization certificate signed by the blockchain network.

Here, generating an organization certificate signed by the blockchain network includes: acquiring identity information of an organization carried in a request for applying a digital certificate sent by the organization and a public key of the organization; the identity information of the organization, as well as the public key of the organization, is signed by the private key of the management node in the blockchain network to generate an organization certificate.

In some embodiments, when the organization applies for the digital certificate from the blockchain network, the terminal or the server under the jurisdiction of the organization first generates a key pair of the organization, and carries the public key of the generated key pair and the identity information of the organization in the request message. After receiving the request message, the management node of the blockchain network extracts the identity information of the organization and the public key of the organization carried in the request message. And after the identity information of the organization is obtained, an interface with an identity verification function is called to verify the identity information of the organization. After passing the verification, the identity information of the organization and the public key of the organization are formed into a first digest by using a digest algorithm, then the first digest is signed (i.e. encrypted) by the private key of the management node to form first signature information, and a digital certificate of the organization is generated based on the first signature information, the identity information of the organization and the public key of the organization.

Here, the digest algorithm may be a hash algorithm including MD5, SHA, and the like. SHA is a family of hash functions, including SHA-224, SHA-256, SHA-384, and SHA-512 algorithms. Binary value plaintext of any length (e.g., identity information of an organization and public key of an organization) can be mapped to a shorter fixed-length binary value (Hash value) using a Hash algorithm, and different plaintext are difficult to map to the same Hash value, which is called a digest in application. Here, the reason why the digest algorithm is used to generate the first digest for the identity information of the organization and the public key of the organization is that when the amount of data corresponding to the identity information of the organization and the public key of the organization that need to be signed is large, the encryption time is too long, and therefore the digest algorithm is used to generate the digest for the identity information of the organization and the public key of the organization, so that the encryption time is shortened and the system efficiency is improved. Of course, when the identity information of the organization and the data amount corresponding to the public key of the organization are small, the signature process may be directly performed without performing the digest process, and the embodiment of the present invention is not limited herein.

Here, the first digest is signed, and an asymmetric encryption algorithm may be employed. The encryption key and decryption key of the asymmetric encryption algorithm are different and are referred to as the public key and private key, respectively. The public key is generally public, and can be acquired by people, while the private key is generally owned by a system, an organization or a person and cannot be acquired by other people. The asymmetric encryption algorithm includes: RSA, elGamal, elliptic curve (Elliptic Curve Crytosystems, ECC) series algorithms. The private key (k) is a number (entropy source, i.e. randomness source), typically randomly selected.

For example, before the management node of the blockchain network receives a request sent by an organization to apply for a digital certificate, the management node generates a private key in advance by using a random number, and then generates a public key by using an elliptic curve algorithm (the elliptic curve algorithm belongs to a one-way encryption function) by using the generated private key, so as to form a key pair, and the process is irreversible.

In some embodiments, after generating the organization certificate signed by the blockchain network, the generated organization certificate is subjected to consensus processing, and the organization certificate that is obtained the consensus is saved in the blockchain network.

Here, the consensus process may adopt any consensus mechanism such as workload certification, rights and interests certification, and delegated rights and interests certification to perform consensus on the generated mechanism certificate, and store the mechanism certificate obtained consensus in the blockchain network, and then send the mechanism certificate to other nodes of the blockchain network by broadcasting.

In step S403, the management node of the blockchain network returns the generated organization certificate to the organization.

Here, the management node of the blockchain network returns the organization certificate that is obtained in common to the terminal or the server under the jurisdiction of the organization, so that the terminal or the server under the jurisdiction of the organization stores the generated organization certificate.

In step S404, the management node of the blockchain network receives a request for applying for a user certificate sent by the user terminal.

Here, when a user applies for a user certificate to the blockchain network through the user terminal, relevant information characterizing the identity of the user needs to be submitted, including biometric values (such as fingerprints, irises, voiceprints, etc.) of the user itself, passwords, identification card numbers, etc.

For example, for the user a, when the user a needs to apply for the digital certificate of the user a to the blockchain network, the user a logs in to the digital certificate application system on the user terminal, and sends a request for applying for the digital certificate to the blockchain network, where the request carries credential information such as a fingerprint, an identification card number, and the like of the user a. After receiving the request, the management node of the blockchain network extracts the ID card number of the user A carried in the request, invokes the node with the ID verification function to verify the ID card number submitted by the user A, and after the verification is passed, executes the subsequent step of generating the digital certificate of the user A.

In step S405, a management node of the blockchain network generates a user certificate.

After receiving a request for applying for a digital certificate sent by a user terminal, a management node of the blockchain network extracts identity information of the user terminal and a public key of the user terminal carried in the request, and verifies the identity information of the user terminal. And after the verification is passed, the management node of the blockchain network signs the identity information of the user terminal and the public key of the user terminal by using the private key of the management node to generate a user certificate. The specific steps for generating the user certificate are similar to those for generating the organization certificate, and the embodiments of the present invention are not described herein.

After generating the user certificate signed by the blockchain network, it is also necessary to perform consensus processing on the generated user certificate, and store the user certificate that has obtained consensus in the blockchain network.

In step S406, the management node of the blockchain network returns the generated user certificate to the user terminal.

Here, the management node of the blockchain network returns the user certificate with the consensus to the user terminal so that the user terminal saves the generated user certificate.

The blockchain network can firstly receive a request of applying for a digital certificate sent by an organization, generate an organization certificate signed by the blockchain network, and return the generated organization certificate to a terminal or a server under the jurisdiction of the organization; or firstly receiving a request for applying for the digital certificate sent by the user terminal, generating a user certificate signed by the blockchain network, and returning the generated user certificate to the user terminal; and the method can also simultaneously receive requests of applying for digital certificates sent by the institutions and the user terminals, respectively generate corresponding institution certificates and user certificates signed by the blockchain network according to the service main body sending the requests, and return the generated institution certificates and user certificates to the terminal or the server to which the corresponding service main body belongs. In other words, the steps S401 to S406 are not sequentially performed, and the steps S404 to S406 may be performed first, and then the steps S401 to S403 may be performed.

In step S407, the user terminal applies for data to the organization.

Here, when the user wishes to apply for related data to the organization, a request message for applying for the organization data may be sent to the organization through the user terminal, where the request message carries a user certificate issued by the blockchain network signature.

For example, when the user a wants to transact loan business to a certain bank, the terminal of the user a sends a corresponding request message to the terminal or the server under the jurisdiction of the bank, and the request message carries the digital certificate of the user a issued by the blockchain network signature.

In step S408, the management node of the blockchain network receives the user certificate sent by the organization.

After receiving the data request message sent by the user terminal, the terminal or the server under the jurisdiction of the organization extracts the user certificate carried in the request message, and sends the extracted user certificate to the blockchain network to verify the identity information of the user terminal.

When receiving a loan request sent by a user A through a user terminal, the bank A extracts a digital certificate of the user A carried in the loan request, and sends the extracted digital certificate of the user A to a blockchain network to verify identity information of the user A.

In step S409, the management node of the blockchain network verifies the user certificate.

Here, when receiving a user certificate transmitted by an organization, the management node of the blockchain network compares the received user certificate with the user certificate stored in the blockchain network to confirm the validity of the user certificate. Furthermore, the management node of the blockchain network also verifies the signature information of the user certificate to confirm the validity of the user certificate.

In some embodiments, when receiving a user certificate sent by an organization, a management node of the blockchain network firstly queries identity information of a user terminal and a public key of the user terminal included in the user certificate in the blockchain network, then forms a second digest of the queried identity information of the user terminal and the public key of the user terminal by using a digest algorithm, then decrypts signature information of the user certificate by using the public key of the management node of the blockchain network to generate a third digest in the signature information of the user certificate, finally judges whether the second digest is consistent with the third digest, and if so, verifies.

In other embodiments, the user may be affiliated with an organization, and the user may send a request for applying for a digital certificate to the blockchain network through the affiliated organization, that is, the user certificate signed by the blockchain network includes the identity information of the user terminal and the public key of the user terminal, and also includes the affiliated organization ID.

For example, the user a belongs to the organization a, and sends a request for applying a digital certificate to the blockchain network through the organization a, and generates a digital certificate of the user a signed by the blockchain network, where the digital certificate includes information such as identity information of the user a, a public key of the user a, and an organization a ID. Then, the user A sends a request for applying data to the mechanism B through the mechanism A, and the request carries the digital certificate of the user A. And after receiving the request, the second organization extracts the digital certificate of the user A carried in the request and sends the digital certificate of the user A to the blockchain network so as to verify the identity information of the user A. When receiving the digital certificate of the user A sent by the second organization, the management node of the blockchain network firstly inquires the first organization ID, the identity information of the user A and the public key of the user A included in the digital certificate of the user A in the blockchain network. Inquiring a public key of an organization A stored in a blockchain network according to the ID of the organization A, decrypting signature information of a digital certificate of the user A by using the inquired public key of the organization A to generate a fourth abstract in the signature information of the digital certificate of the user A, forming a fifth abstract by using an abstract algorithm by using the inquired identity information of the user A and the public key of the user A, judging whether the fourth abstract is consistent with the fifth abstract, and if the fourth abstract is consistent with the fifth abstract, verifying to pass, wherein the identity information of the user A is legal and effective.

In step S410, the management node of the blockchain network returns the verification result to the organization.

Here, after verifying the user certificate sent by the organization, the management node of the blockchain network returns the verification result to the terminal or the server under the jurisdiction of the organization.

For example, when the verification result is that the user certificate is legal, a message passing the verification is sent to a terminal or a server under the jurisdiction of the organization.

For example, when the verification result is that the user certificate is illegal, an alert message may be sent to a terminal or server under the jurisdiction of the organization (e.g., the user certificate is illegal, please keep vigilance).

In step S411, the mechanism returns the requested data to the user terminal.

Here, after receiving the authentication-passing message returned by the blockchain network, the organization returns the requested data to the user terminal, thereby realizing secure communication between the user terminal and the organization.

In some embodiments, the user terminal may verify the identity information of the institution before the user terminal applies for data to the institution, and apply for data to the institution after confirming the identity information of the institution.

For example, the user terminal may first send a message requesting authentication before applying for data to the institution. And after receiving the verification request message sent by the user terminal, the organization returns the organization certificate issued by the blockchain network signature to the user terminal. The user terminal receives the mechanism certificate returned by the mechanism and sends the received mechanism certificate to the blockchain network to confirm the identity information of the mechanism. And after receiving the verification passing message returned by the blockchain network, sending a request for applying data to an organization. Thus, the mutual authentication between the mechanism and the user terminal is realized, and the safety is further ensured.

In other embodiments, the blockchain network-based authentication method provided by the embodiment of the invention can also realize the secure interaction of data between different institutions.

Referring to fig. 5, fig. 5 is a schematic flowchart of an alternative block chain network-based authentication method according to an embodiment of the present invention, and the steps in fig. 5 will be described.

It should be noted that, the first and second institutions described below refer to institutions already having the institution certificates issued by the blockchain network signature, that is, the first and second institutions have completed the step of issuing the digital certificates.

In step S501, the second organization applies the data of the first organization to the first organization.

Here, the first mechanism and the second mechanism may be two mechanisms in different fields, or may be two mechanisms engaged in the same field.

By way of example, the first institution may be a jurisdiction and the second institution may be a bank.

By way of example, the first institution may be bank a and the second institution may be bank b.

In some embodiments, the second institution verifies the identity information of the first institution prior to the second institution applying for the first institution data to the first institution, and sends a request to the first institution to apply for the first institution data after the verification is passed.

In step S502, the first organization sends a second organization certificate to the blockchain network.

After receiving the application request sent by the second organization, the terminal or the server under the jurisdiction of the first organization extracts the second organization certificate carried in the request, and sends the extracted second organization certificate to the blockchain network to verify the identity information of the second organization.

In step S503, the blockchain network verifies the second organization certificate.

Here, upon receiving the second mechanism certificate transmitted by the first mechanism, the management node of the blockchain network compares the received second mechanism certificate with the second mechanism certificate stored in the blockchain network to confirm the validity of the second mechanism certificate. Further, the management node of the blockchain network also verifies the signature information of the second organization certificate to confirm the validity of the second organization certificate. The verification process of the signature information of the second organization certificate is similar to the verification process of the signature information of the user certificate, and the embodiments of the present invention are not described herein again.

In step S504, the blockchain network returns the validation result to the first organization.

Here, the management node of the blockchain network returns the verification result of the second mechanism certificate sent by the first mechanism to the terminal or the server under the jurisdiction of the first mechanism.

The verification result includes verification pass or verification fail.

In step S505, the first authority returns the requested data to the second authority.

When receiving the verification passing message returned by the blockchain network, the first organization returns the requested data to the second organization, so that the safe interaction of the data among different organizations is realized.

Continuing with the description below of an exemplary architecture of the blockchain network-based authentication device 2143 implemented as a software module provided by embodiments of the present invention, in some embodiments, as shown in fig. 3, the software module stored in the blockchain network-based authentication device 2143 of the memory 2140 may include: a certificate generation module 21431, a consensus module 21432, and a verification module 21433.

The certificate generation module 21431 is configured to generate an organization certificate signed by a blockchain network in response to a request for applying for a digital certificate sent by an organization, and return the organization certificate to the organization;

the certificate generation module 21431 is further configured to generate a user certificate signed by the blockchain network in response to a request for applying for a digital certificate sent by a user terminal, and return the user certificate to the user terminal;

The consensus module 21432 is configured to perform consensus processing on the mechanism certificate and the user certificate, and store the mechanism certificate and the user certificate that are obtained to be consensus in the blockchain network;

the verification module 21433 is configured to verify a data interaction procedure of the organization based on the organization certificate stored in the blockchain network and the user certificate.

In some embodiments, the verification module 21433 is further configured to confirm the identity information of a second organization by a second organization certificate of the second organization stored in the blockchain network in response to a verification request sent by a first one of the organizations to verify the identity information of the second organization; notifying the first institution when the verification is passed, so that the first institution returns the requested data to the second institution.

In some embodiments, the verification module 21433 is further configured to, in response to a verification request sent by the organization to verify the identity information of the user terminal, confirm the identity information of the user terminal through a user certificate of the user terminal stored in the blockchain network; and notifying the institution when the authentication is passed, so that the institution returns the requested data to the user terminal.

In some embodiments, the verification module 21433 is further configured to obtain identity information of the user terminal carried in the user certificate and a public key of the user terminal; generating a first abstract from the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm; decrypting the user certificate through a public key of a management node in the blockchain network to generate a second abstract; and when the first abstract is consistent with the second abstract, determining that the identity information of the user terminal passes verification.

In some embodiments, the authentication module 21433 is further configured to, prior to responding to an authentication request sent by the institution to authenticate the identity information of the user terminal; and responding to a verification request for verifying the identity information of the organization sent by the user terminal, and confirming the identity information of the organization through an organization certificate of the organization stored in the blockchain network.

In some embodiments, the verification module 21433 is further configured to obtain identity information of the institution carried in the institution certificate, and a public key of the institution; generating a third abstract by using the acquired identity information of the organization and the public key of the organization through an abstract algorithm; decrypting the mechanism certificate through a public key of a management node in the blockchain network to generate a fourth abstract; and when the third abstract and the fourth abstract are consistent, determining that the identity information of the institution passes verification.

In some embodiments, the certificate generation module 21431 is further configured to obtain identity information of the organization and a public key of the organization carried in the request message; signing the identity information of the mechanism and the public key of the mechanism through the private key of the management node in the blockchain network, and generating a mechanism certificate by combining the identity information and the public key of the mechanism and the corresponding signature;

the public key is used for acquiring the identity information of the user terminal and the public key of the user terminal carried in the request message; signing the identity information of the user terminal and the public key of the user terminal through the private key of the management node in the blockchain network, and generating a user certificate by combining the identity information and the public key of the user corresponding to the user terminal and the corresponding signature.

In some embodiments, the certificate generation module 21431 is further configured to generate a fifth digest of the identity information of the organization and the public key of the organization by a digest algorithm; signing the fifth abstract through a private key of a management node in the blockchain network to generate first signature information; generating the institution certificate based on the first signature information, the identity information of the institution, and a public key of the institution;

And generating a sixth abstract from the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm; signing the sixth abstract through a private key of a management node in the blockchain network to generate second signature information; the user certificate is generated based on the second signature information, the identity information of the user terminal, and the public key of the user terminal.

In some embodiments, the certificate generation module 21431 is further configured to, when receiving a request sent by an organization for applying for a digital certificate, obtain identity information of the organization carried in the request; calling an interface with an identity information verification function to verify the acquired identity information of the mechanism; when the verification is passed, generating an organization certificate signed by the blockchain network;

when a request for applying a digital certificate sent by a user terminal is received, acquiring identity information of the user terminal carried in the request; invoking the interface with the identity information verification function to verify the acquired identity information of the user terminal; when the verification passes, a user certificate signed by the blockchain network is generated.

It should be noted that, for the technical details that are not described in the blockchain network-based authentication device provided in the embodiment of the present invention, the description may be understood according to any of fig. 4, 5, and 7-10.

In the following, an exemplary application of the embodiment of the present invention in a practical application scenario will be described.

As a trusted third party in e-commerce transactions, a certificate authority (CA, certificate Authority), also known as a certificate authority, CA center or CA authority for short, assumes the responsibility of the validity check of the public key in the public key hierarchy.

For example, in different application systems of government service, for example, on-line reporting and approval, government document circulation, on-line industrial and commercial annual inspection, when a user applies a certificate to perform corresponding electronic government operation, the user uses a digital certificate to verify the identity information of the system performing the electronic government operation, and then submits the digital certificate of the user to enable the system to verify the digital certificate of the user to judge the identity information of the user, thereby completing the bidirectional authentication between the user and the application system. After the authentication is passed, the application system gives corresponding authorization according to the identity information of the user, realizes access control, establishes a secure channel, and can further submit office data to the application system and receive data returned by the application system.

However, the CA authentication method provided by the related art has the following problems: the first CA authentication system and the CA authentication system are respectively administrative, the user certificate can only be verified by the root certificate of the affiliated CA, and the mutual verification among different CAs can not be realized, so that the applicability of a CA mutual trust solution is limited, and peripheral services are required to be unified; secondly, the CA system has high manufacturing cost, and the implementation and maintenance costs (such as certificate cost, operation cost and the like) are high; third, the centralized information system, resulting in a very vulnerable CA at the core, once controlled, the CA root certificate, and the certificate that the CA has issued, will no longer be trusted.

For example, referring to fig. 6, fig. 6 is a schematic architecture diagram of a CA authentication system provided by the related art. As shown in fig. 6, different CA authorities are each administrative, and digital certificates issued to users can only be verified by the authorities that issued the digital certificates. For example, for digital certificates issued to users by judicial authorities, verification can only be performed by the judicial authorities, but not by government or tax authorities.

The embodiment of the invention provides a CA authentication method based on a block chain network, which constructs an organization and an inter-organization identity authentication based on a certificate authentication system based on the characteristics of multi-node, distributed, decentralization and the like of the block chain network. The deployment mode based on the alliance chain can be applicable to the scene of limited nodes such as enterprises, government affairs and the like. In addition, in the distributed public key implementation link, the tampering by malicious attacks can be prevented, and the deployment and later maintenance cost is reduced. Furthermore, through the synchronization and consensus mechanism of the alliance chain, the service institutions on the alliance chain can mutually identify identity information, and the expansion and adaptability are strong.

Referring to fig. 7, fig. 7 is a schematic diagram of the architecture of a conventional public key infrastructure (PKI, public Key Infrastructure) system, and a blockchain network-based PKI system provided by an embodiment of the invention. As shown in fig. 7, when employing conventional PKI techniques, a CA authority issues a certificate based on trust of a credential user (e.g., establishing a trust relationship based on contacts, briefs, etc.) in accordance with application information (e.g., device public key, device identification, etc.) submitted by the credential user. The PKI system based on the blockchain network has the characteristic of decentralizing trust, a trust relationship is established between equipment operators, and traditional centralized certificate issuing is changed into automatic and distributed realization. In addition, when the certificate is used, a certificate relying party (i.e. an authentication party needing to verify the state of the certificate) needs to inquire about a centralized CA organization by adopting the traditional PKI technology; in a blockchain network-based PKI system, a certificate relying party may query any one of a plurality of nodes in the blockchain network.

Referring to fig. 8, fig. 8 is a schematic diagram of certificate status query in a PKI system based on a blockchain network according to an embodiment of the invention. As shown in fig. 8, in the blockchain network-based PKI system, a certification user transmits a request for applying a digital certificate to a blockchain network, and the blockchain network generates the digital certificate according to the identity information of the certification user and the public key of the certification user. After verification and consensus, the digital certificate may be stored in the blockchain network. During the use of a digital certificate (e.g., existing security transport layer protocols (TLS, transport Layer Security), internet security protocols (IPSec, internet Protocol Security), etc.), a certificate user submits the digital certificate to an authenticator, which upon receiving the digital certificate, may check the correctness and validity of the digital certificate via a blockchain network to confirm the identity information of the certificate user.

The authentication method based on the blockchain network mainly comprises two stages of certificate issuing and certificate verification.

Referring to fig. 9, fig. 9 is a flowchart illustrating a certificate issuing stage in the blockchain network-based authentication method according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 9.

Step S901: the method comprises the steps that an organization A sends an application request for applying a digital certificate of the organization A to a management node of a blockchain network, and the application request carries identity marks such as unified organization codes of the organization A.

Step S902: and the organization B sends an application request for applying the digital certificate of the organization B to a management node of the blockchain network, wherein the application request carries the identity identification of the organization B such as unified organization codes and the like.

In some embodiments, the user terminal may send an application request for applying the digital certificate of the user terminal to the management node of the blockchain network, where the application request carries the biometric value, the password, the identification card number and other credential information of the user.

Step S903: when receiving an application request sent by an organization A, a management node of the blockchain network generates a digital certificate corresponding to the organization A according to the identity information of the organization A and a public key of the organization A; when receiving an application request sent by an organization B, a management node of the blockchain network generates a digital certificate corresponding to the organization B according to the identity information of the organization B and a public key of the organization B.

In some embodiments, when the management node of the blockchain network receives an application request sent by the user terminal, a digital certificate corresponding to the user terminal is generated according to the identity information of the user terminal and the public key of the user terminal.

Step S904a: issuing the generated digital certificate corresponding to the organization A according to the application request of the organization A or the characteristic information of the organization A.

Step S904b: issuing the generated digital certificate of the corresponding organization B to the organization B according to the application request of the organization B or the characteristic information of the organization B.

In some embodiments, the generated digital certificate of the corresponding user terminal is issued to the user terminal according to the application request of the user terminal or the characteristic information of the user terminal.

Step S905a: the public key information of the organization A is subjected to three-party consensus among the organization A, the organization B and the management nodes of the blockchain network through a blockchain network distributed consensus technology, namely, the public key information of the organization A is synchronized to other nodes of the blockchain network.

Step S905b: the public key information of the organization B is subjected to three-party consensus among the organization A, the organization B and the management nodes of the blockchain network through a blockchain network distributed consensus technology, namely, the public key information of the organization B is synchronized to other nodes of the blockchain network.

In some embodiments, the public key information of the user terminal is made a three-way consensus among organization a, the user terminal, and the management node of the blockchain network, that is, the public key information of the user terminal is synchronized to other nodes of the blockchain network.

Referring to fig. 10, fig. 10 is a flowchart illustrating a certificate verification stage in the blockchain network-based authentication method according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 10.

Step S101: mechanism a applies for data from mechanism B.

For example, in daily business, when data exchange is performed between different institutions, an interface based on authentication is needed, and a user signs data in a session by using a private key of the user.

In some embodiments, before organization a applies for organization B's data to organization B, organization a may verify organization B's identity information in the blockchain network, and after confirming organization B's identity information, apply for data to organization B.

Step S102: and when receiving an application request sent by the organization A, the organization B extracts a digital certificate of the organization A in the application request, and verifies the validity of the digital certificate sent by the organization A in the blockchain network so as to verify the identity information of the organization A. Meanwhile, whether the digital certificate of the organization A is issued by the upper-level organization can be verified according to the certificate file of the organization A, so that true verification is realized.

Step S103: and returning a verification result.

Step S104: after verification is passed, data can be exchanged between institution a and institution B according to messages or custom application programming interfaces (APIs, application Programming Interface).

According to the CA authentication method based on the block chain network, based on the multi-node and distributed characteristics of the block chain network, when a certain authentication node encounters technical failure or suffers malicious attack, authentication can be performed through other nodes, so that interruption of full system service caused by the malicious attack is avoided. When enterprises or individuals use the verification encryption technology, the enterprises or individuals do not need to independently deploy a CA system or apply certificates to a third-party CA organization of the traditional PKI, and only need to join an ecological system of a alliance chain. In addition, through the distributed block chain technology, the information safety and the concurrent processing capacity are ensured. Furthermore, by adopting a mode of 'self-visa + consensus mechanism', the cost brought by self-building a CA system or purchasing an authoritative CA mechanism certificate is effectively reduced.

Embodiments of the present invention provide a storage medium having stored therein executable instructions which, when executed by a processor, cause the processor to perform a blockchain network-based authentication method provided by embodiments of the present invention, such as the methods shown in fig. 4, 5, 7-10.

In some embodiments, the storage medium may be FRAM, ROM, PROM, EPROM, EE PROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; but may be a variety of devices including one or any combination of the above memories.

In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.

As an example, the executable instructions may, but need not, correspond to files in a file system, may be stored as part of a file that holds other programs or data, such as in one or more scripts in a hypertext markup language (html, hyper Text Markup Language) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).

As an example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices located at one site or, alternatively, distributed across multiple sites and interconnected by a communication network.

In summary, the embodiment of the invention has the following beneficial effects:

1) Based on the multi-node and distributed characteristics of the block chain network, when one verification node encounters technical failure or suffers malicious attack, the verification can be performed through other nodes in the block chain network, so that the interruption of the whole system service caused by the malicious attack is avoided.

2) When enterprises or individuals use the verification encryption technology, the enterprises or individuals do not need to independently deploy a CA system or apply certificates to a third-party CA organization of the traditional PKI, and only need to join an ecological system of a alliance chain.

3) Through the distributed block chain technology, the information safety and the concurrent processing capability are ensured.

4) By adopting the mode of 'self-visa + consensus mechanism', the cost brought by self-building a CA system or purchasing an authoritative CA certificate is effectively reduced.

The foregoing is merely exemplary embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and scope of the present invention are included in the protection scope of the present invention.

Claims (11)

1. A blockchain network-based authentication method, the method comprising:

responding to a request for applying a digital certificate sent by a mechanism terminal, and acquiring identity information of a mechanism carried in the request and a public key of the mechanism;

signing the identity information of the mechanism and the public key of the mechanism through the private key of the management node in the blockchain network, generating a mechanism certificate by combining the identity information and the public key of the mechanism and the corresponding signature, and returning the mechanism certificate to the mechanism terminal;

responding to a request for applying a digital certificate sent by a user terminal, and acquiring identity information of the user terminal and a public key of the user terminal carried in the request;

signing the identity information of the user terminal and the public key of the user terminal through the private key of the management node in the blockchain network, generating a user certificate by combining the identity information and the public key of the user corresponding to the user terminal and the corresponding signature, and returning the user certificate to the user terminal;

performing consensus processing on the mechanism certificate and the user certificate, and storing the mechanism certificate and the user certificate which are obtained to be consensus in the blockchain network;

And verifying the data interaction process of the organization terminal based on the organization certificate and the user certificate stored in the blockchain network.

2. The method according to claim 1, wherein said verifying a data interaction procedure of the organization terminal based on the organization certificate stored in the blockchain network and the user certificate comprises:

in response to a verification request sent by a first mechanism terminal in the mechanism terminals to verify identity information of a second mechanism, confirming the identity information of the second mechanism through a second mechanism certificate of the second mechanism stored in the blockchain network;

and notifying the first institution terminal when the verification is passed, so that the first institution terminal returns the requested data to the second institution terminal.

3. The method according to claim 1, wherein said verifying a data interaction procedure of the organization terminal based on the organization certificate stored in the blockchain network and the user certificate comprises:

responding to a verification request for verifying the identity information of the user terminal sent by the organization terminal, and confirming the identity information of the user terminal through a user certificate of the user terminal stored in the blockchain network;

And notifying the institution terminal when the authentication is passed so that the institution terminal returns the requested data to the user terminal.

4. A method according to claim 3, wherein said validating the identity information of the user terminal by means of the user certificate of the user terminal stored in the blockchain network comprises:

acquiring identity information of the user terminal carried in the user certificate and a public key of the user terminal;

generating a first abstract from the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm;

decrypting the user certificate through a public key of a management node in the blockchain network to generate a second abstract;

and when the first abstract is consistent with the second abstract, determining that the identity information of the user terminal passes verification.

5. A method according to claim 3, characterized in that the method further comprises:

before responding to an authentication request for authenticating identity information of the user terminal sent by the institution terminal;

and responding to a verification request for verifying the identity information of the organization sent by the user terminal, and confirming the identity information of the organization through an organization certificate of the organization stored in the blockchain network.

6. The method of claim 5, wherein said validating the identity information of the institution comprises:

acquiring identity information of the mechanism and a public key of the mechanism, wherein the identity information of the mechanism and the public key of the mechanism are carried in the mechanism certificate;

generating a third abstract by using the acquired identity information of the organization and the public key of the organization through an abstract algorithm;

decrypting the mechanism certificate through a public key of a management node in the blockchain network to generate a fourth abstract;

and when the third abstract and the fourth abstract are consistent, determining that the identity information of the institution passes verification.

7. The method of claim 1, wherein signing the identity information of the organization and the public key of the organization with the private key of the management node in the blockchain network, in combination with the identity information and the public key of the organization and the corresponding signature, generates an organization certificate, comprising:

generating a fifth abstract from the identity information of the institution and the public key of the institution by an abstract algorithm;

signing the fifth abstract through a private key of a management node in the blockchain network to generate first signature information;

Generating the institution certificate based on the first signature information, the identity information of the institution, and a public key of the institution;

the signing the identity information of the user terminal and the public key of the user terminal through the private key of the management node in the blockchain network generates a user certificate by combining the identity information and the public key of the user corresponding to the user terminal and the corresponding signature, and the method comprises the following steps:

generating a sixth abstract by using the acquired identity information of the user terminal and the public key of the user terminal through an abstract algorithm;

signing the sixth abstract through a private key of a management node in the blockchain network to generate second signature information;

the user certificate is generated based on the second signature information, the identity information of the user terminal, and the public key of the user terminal.

8. The method of claim 1, wherein generating the organization certificate signed by the blockchain network in response to the request for the digital certificate sent by the organization terminal comprises:

when a request for applying a digital certificate sent by an organization terminal is received, acquiring identity information of an organization carried in the request;

Calling an interface with an identity information verification function to verify the acquired identity information of the mechanism;

when the verification is passed, generating an organization certificate signed by the blockchain network;

the generating, in response to a request sent by a user terminal to apply for a digital certificate, a user certificate signed by the blockchain network includes:

when a request for applying a digital certificate sent by a user terminal is received, acquiring identity information of the user terminal carried in the request;

invoking the interface with the identity information verification function to verify the acquired identity information of the user terminal;

when the verification passes, a user certificate signed by the blockchain network is generated.

9. A blockchain network-based authentication device, the device comprising:

the certificate generation module is used for responding to a request for applying for a digital certificate sent by a mechanism terminal and acquiring identity information of a mechanism carried in the request and a public key of the mechanism; signing the identity information of the mechanism and the public key of the mechanism through the private key of the management node in the blockchain network, generating a mechanism certificate by combining the identity information and the public key of the mechanism and the corresponding signature, and returning the mechanism certificate to the mechanism terminal;

The certificate generation module is further used for responding to a request for applying for a digital certificate sent by a user terminal, and acquiring identity information of the user terminal and a public key of the user terminal carried in the request; signing the identity information of the user terminal and the public key of the user terminal through the private key of the management node in the blockchain network, generating a user certificate by combining the identity information and the public key of the user corresponding to the user terminal and the corresponding signature, and returning the user certificate to the user terminal;

the consensus module is used for carrying out consensus processing on the organization certificate and the user certificate, and storing the organization certificate and the user certificate which are obtained to be consensus in the blockchain network;

and the verification module is used for verifying the data interaction process of the organization terminal based on the organization certificate and the user certificate stored in the blockchain network.

10. An electronic device, comprising:

a memory for storing executable instructions;

a processor for implementing the blockchain network-based authentication method of any of claims 1 to 8 when executing executable instructions stored in the memory.

11. A computer readable storage medium storing executable instructions for causing a processor to perform the blockchain network-based authentication method of any of claims 1 to 8.