CN110958229A - Credible identity authentication method based on block chain - Google Patents


Publication number
CN110958229A
Authority
CN
China
Prior art keywords
server
bcca
block chain
information service
certificate
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911143182.7A
Other languages
Chinese (zh)
Inventor
魏松杰
李莎莎
崔聪
吕伟龙
王佳贺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Science and Technology
CERNET Corp
Original Assignee
Nanjing University of Science and Technology
CERNET Corp
Application filed by Nanjing University of Science and Technology, CERNET Corp filed Critical Nanjing University of Science and Technology

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees


Abstract

The invention discloses a blockchain-based trusted identity authentication method. Blockchain certificate servers pass trust through a blockchain-based cross-domain model and carry out the authentication process between a user terminal and an information service entity located in different trust domains; the information service entity obtains a complete signature through an arbitration entity communication server, and the identity authentication server verifies that complete signature. The information service entity stores only part of the key and the rest is stored in the arbitration entity communication server, so the information service entity obtains the complete signature of a message through the arbitration entity communication server, and the ability to decrypt or sign can be revoked by having the arbitration entity communication server stop sending the signaling. This solves the problem that an entity identity in an IBC system is difficult to revoke, addresses problems such as the large number of certificate checks and low cross-domain authentication, and preserves the decentralization and higher security of the blockchain system.

Description

Credible identity authentication method based on block chain
Technical Field
The invention relates to the technical field of cyberspace security, and in particular to a blockchain-based trusted identity authentication method.
Background
In a heterogeneous network environment, the application domains that provide network resources and services keep expanding, so information interaction between different application domains has become extremely frequent for users. To ensure that users incur no extra identity authentication overhead or burden when accessing network service resources in the same or different trust domains, while still allowing access control and authority management across domains, a globally oriented cross-domain identity authentication mechanism is required, so that the risk of illegal access to network resources is prevented at the root. Given the complex interaction relationships among the different kinds of information service entities within a given spatial range, research on cross-domain authentication mechanisms between users and information service entities in large-scale network environments is therefore very promising.
Cross-domain authentication refers to a complete identity authentication process that a user performs across trust domains. It must ensure reliable trust establishment, fast authentication and a secure authentication process, and it must also solve the unified management of users by the authentication systems of different trust domains. In distributed service systems, current cross-domain authentication research is mainly based on three frameworks: first, an authentication framework based on symmetric keys; second, a PKI authentication architecture based on digital certificates; third, an authentication architecture based on the IBC system. Because their authentication processes and technologies differ, the three architectures each show certain advantages and disadvantages. Authentication based on the symmetric key architecture is the fastest and most efficient, but suffers from key leakage; as attacks and threats in cyberspace become increasingly diverse and complex, identity authentication faces correspondingly higher security requirements, so the development of this architecture is limited to a certain extent. The authentication framework based on the PKI system is the most widely used; it solves the problem of symmetric key management, is suitable for building large-scale application environments, and has good scalability and flexibility, but it consumes a large amount of time and effort on managing digital certificates, which increases the communication and computation burden of the authentication process.
At present, the IBC-based cross-domain authentication model has become mainstream. Its authentication process does not depend on a certificate mechanism but directly uses an entity's valid identifier as the public key, which simplifies key management, and IBC has advantages such as easy maintenance. However, entity private keys in an IBC authentication system are generated by the KGC, which creates a key escrow problem, so IBC is better suited to independent, small trust domain networks. In addition, in existing IBC-based authentication schemes, entity identity revocation is mainly achieved by having the KGC periodically stop issuing the private key, so timely identity revocation is not possible and the system cannot serve application scenarios with high security requirements. The existing cross-domain authentication models are thus all limited to some extent and cannot fully meet the requirements of cross-domain authentication between a user and an information service entity.
Therefore, how to solve the problem that an entity identity in the IBC system is difficult to revoke is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of this, the invention provides a blockchain-based trusted identity authentication method, which solves the problem that an entity identity in an IBC system is difficult to revoke.
To achieve this purpose, the invention adopts the following technical scheme:
A blockchain-based trusted identity authentication method comprises the following steps:
Step 1: the first blockchain certificate server BCCA1 receives an identity authentication request initiated by a user side toward a cross-domain information service entity, completes inter-domain authentication with the second blockchain certificate server BCCA2 through blockchain certificates, and exchanges system public keys; the first blockchain certificate server BCCA1 and the second blockchain certificate server BCCA2 are located in different IBC domains;
Step 2: the first blockchain certificate server BCCA1 generates a session key, encrypts it based on identity, and sends the session key and the authentication request to the identity authentication server; the second blockchain certificate server BCCA2 generates a session key, encrypts it based on identity, and sends the session key and the authentication request to the information service entity;
Step 3: the information service entity receives the message from the second blockchain certificate server BCCA2; after receiving the authentication request, it requests signature signaling from the arbitration entity communication server of its own domain, obtains a complete signature of the message through the arbitration entity communication server, and sends the complete signature and the encrypted message to the identity authentication server;
Step 4: after receiving the complete signature and the encrypted message, the identity authentication server decrypts the message and verifies the complete signature; after successful verification, it sends the session key and a timestamp to the user side under identity-based encryption, and the user side finally obtains the session key.
Preferably, step 1 specifically comprises:
the user side selects a timestamp T1 and initiates, to the first blockchain certificate server BCCA1, an identity authentication request for a cross-domain information service entity, performing an identity-based signature operation on the request with its private key;
the first blockchain certificate server BCCA1 confirms that the user identity is legal and that timestamp T1 is fresh, then queries the second blockchain certificate server BCCA2 corresponding to the information service entity; BCCA1 selects a timestamp T2 and sends it, together with the information service entity identity ID_ISE2 and the blockchain certificate Cert_BCCA1, to the second blockchain certificate server BCCA2 as an encrypted authentication request;
the second blockchain certificate server BCCA2 decrypts the message from the first blockchain certificate server BCCA1 and confirms that timestamp T2 is fresh; it then works with the identity authentication server to query Cert_BCCA1 and, if the certificate status is judged valid, responds to the authentication request; BCCA2 encrypts the public key Ppublic2 of its domain together with a timestamp T3 and sends them to the first blockchain certificate server BCCA1;
the first blockchain certificate server BCCA1 decrypts the message from the second blockchain certificate server BCCA2, confirms that timestamp T3 is fresh, and stores the public key Ppublic2; BCCA1 then encrypts the public key Ppublic1 of its domain together with a timestamp T4 and sends them to the second blockchain certificate server BCCA2.
Preferably, step 2 specifically comprises:
the first blockchain certificate server BCCA1 calculates a session key K based on the following formula, and sends the session key K and the authentication request to the identity authentication server;
Figure BDA0002281491790000041
wherein H1(·) represents a hash operation,
Figure BDA0002281491790000042
is the user identity,
Figure BDA0002281491790000043
is the identity of the information service entity, s1 is the system key of the IBC1 domain, || represents the OR operation, and [ ] represents a group operation;
the second blockchain certificate server BCCA2 calculates a session key K' based on the following formula, encrypts it based on identity, and sends the encrypted session key K' and the authentication request to the information service entity;
Figure BDA0002281491790000044
wherein H1(·) represents a hash operation, ID_U1 is the user identity, ID_ISE2 is the identity of the information service entity, s2 is the system key of the IBC2 domain, || represents the OR operation, and [ ] represents a group operation.
Preferably, in step 3, after receiving the authentication request, the information service entity requests signature signaling from the arbitration entity communication server of its own domain; the information service entity obtaining a complete signature of the message through the arbitration entity communication server specifically includes:
the KGC (Key Generation Center) divides the private key of the information service entity into two parts in advance, and sends one part to the arbitration entity communication server and the other to the information service entity;
after receiving the authentication request, the information service entity obtains the remaining part of the private key from the arbitration entity communication server;
the information service entity obtains a complete signature using the part of the private key it received and the remaining part obtained from the arbitration entity communication server.
Preferably, in step 3, the information service entity sending the complete signature and the encrypted message to the identity authentication server specifically includes:
the information service entity encrypts the message with the session key and sends the encrypted message and the obtained complete signature to the identity authentication server, wherein the information service entity encrypts the message according to the following formula:
Figure BDA0002281491790000051
wherein m is a message.
Preferably, step 4 specifically includes:
the identity authentication server decrypts C with the session key K to obtain the message m and verifies the complete signature with the mIBS signature algorithm; if verification passes, the identity authentication server trusts the shared session key K = K' and the authentication succeeds;
the session key and a timestamp are then encrypted based on identity and sent to the user side, which finally obtains the session key.
Preferably, the blockchain is a consortium (alliance) blockchain, and cooperation between its network nodes is divided into 3 steps:
the blockchain certificate server BCCA of each IBC domain initiates a transaction signature carrying the authorization information in the blockchain certificate and sends it to a non-verification node NVP;
the non-verification node NVP verifies the received transaction signatures, orders the transactions by timestamp, and broadcasts them to the verification node VP;
the verification node VP records the block in the blockchain after the block is confirmed.
Preferably, the blockchain certificate servers of different domains act as the initiator and the receiver of a blockchain transaction respectively and issue transactions, which realizes authorization trust; trust authorization is managed in the manner of blockchain transaction records.
Preferably, the signature and the signature algorithm found in a digital certificate are omitted from the blockchain certificate, and the hash value of the blockchain certificate is recorded in the blockchain after the certificate is generated. When a cross-domain authentication request is received, a non-verification node of the blockchain system only needs to check the certificate in the blockchain;
the blockchain certificate carries no uniform resource locator field for a certificate revocation checking service, and the whole life cycle of the certificate is controlled by means of blockchain transactions.
According to the above technical scheme, compared with the prior art, the invention discloses a blockchain-based trusted identity authentication method in which the information service entity stores only part of the key and the rest is stored in the arbitration entity communication server. The information service entity obtains the complete signature of a message through the arbitration entity communication server, and the ability to decrypt or sign can be revoked by having the arbitration entity communication server stop sending the signaling. This solves the problem that an entity identity in the IBC system is difficult to revoke, addresses problems such as the large number of certificate checks and low cross-domain authentication, and preserves the decentralization and higher security of the blockchain system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a general framework diagram of the blockchain-based trusted identity authentication method provided by the present invention;
Fig. 2 is a node topology diagram of the blockchain system provided by the present invention;
Fig. 3 is a structure diagram of the blockchain certificate provided by the present invention;
Fig. 4 is a diagram of the arbitration-based IBC domain structure provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, an embodiment of the present invention discloses a block chain-based trusted identity authentication method, which specifically includes the following steps:
Step 1: the first blockchain certificate server BCCA1 receives an identity authentication request initiated by a user side toward a cross-domain information service entity, completes inter-domain authentication with the second blockchain certificate server BCCA2 through blockchain certificates, and exchanges system public keys; the first blockchain certificate server BCCA1 and the second blockchain certificate server BCCA2 are located in different IBC domains;
wherein the user side selects a timestamp T1 and initiates, to the first blockchain certificate server BCCA1, an identity authentication request for the cross-domain information service entity, specifically:
Figure BDA0002281491790000071
wherein IBS() denotes an identity-based signature algorithm applied to a message;
the private key is used to perform the identity-based signature operation on the identity authentication request so as to prove the validity of the private key.
The blockchain adopted in the present invention is a consortium (alliance) blockchain. As shown in Fig. 2, cooperation between the blockchain network nodes is divided into 3 steps:
(1) The blockchain certificate server BCCA of each IBC domain initiates a transaction signature carrying the authorization information in the blockchain certificate and sends it to the non-verification node NVP.
(2) The non-verification node NVP verifies the received transaction signatures, orders them by timestamp, and broadcasts them to the verification node VP.
(3) The verification node VP records the block in the blockchain after the block is confirmed.
The VP is responsible for the data consensus and consistency operations, while the NVP is responsible for synchronization and checking operations and does not execute transactions; this effectively reduces the burden on the VP during authentication interactions and avoids network congestion and delay caused by excessive traffic.
The step of completing inter-domain authentication through blockchain certificates and exchanging the public parameters and public key generation algorithm specifically includes:
(1)
Figure BDA0002281491790000081
The blockchain certificate server BCCA1 of the domain where the user side is located confirms that the identity of user U1 is legal and that timestamp T1 is fresh, then queries the valid location of the second blockchain certificate server BCCA2 corresponding to the information service entity; otherwise it terminates the session. The first blockchain certificate server BCCA1 then selects a timestamp T2 and, together with the information service entity identity
Figure BDA0002281491790000082
and the blockchain certificate
Figure BDA0002281491790000083
sends the encrypted authentication request to the second blockchain certificate server BCCA2,
wherein Encry(m) denotes an asymmetric encryption algorithm applied to message m;
(2)BCCA2→BCCA1:{Encry(Ppublic2,T3)}
The second blockchain certificate server BCCA2 decrypts the message from the first blockchain certificate server BCCA1 and confirms that timestamp T2 is fresh; it then works with the identity authentication server to query Cert_BCCA1 and, if the certificate status is judged valid, responds to the authentication request Request2. BCCA2 encrypts the public key Ppublic2 of its domain together with a timestamp T3 and sends them to the first blockchain certificate server BCCA1.
(3)BCCA1→BCCA2:{Encry(Ppublic1,T4)}
The first blockchain certificate server BCCA1 decrypts the message from the second blockchain certificate server BCCA2, confirms that timestamp T3 is fresh, and stores the public key Ppublic2. BCCA1 then encrypts the public key Ppublic1 of its domain together with a timestamp T4 and sends them to the second blockchain certificate server BCCA2.
The structure of the blockchain certificate is shown in Fig. 3. The blockchain certificate has two main innovations:
1. The signature and the signature algorithm found in a digital certificate are omitted from the blockchain certificate. Only the domain blockchain agent, namely the verification node of the blockchain system, needs to generate the blockchain certificate, after which the hash value of the blockchain certificate is recorded in the blockchain. When a cross-domain authentication request is received, the non-verification node of the blockchain system checks the certificate in the blockchain.
2. The blockchain certificate carries no uniform resource locator field for a certificate revocation checking service. The whole life cycle of the certificate can be controlled by means of blockchain transactions.
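The certificate check described in the two points above can be sketched as follows. This is an added example, not code from the patent: the certificate field names, the `Ledger` class and the `issue`/`revoke` transaction types are assumptions, and a simple hash-linked list stands in for the consortium chain.

```python
import hashlib
import json

# Constructed sample certificate: no signature or signature-algorithm field,
# and no revocation-service URL. Field names are illustrative assumptions.
SAMPLE_CERT = {
    "subject": "BCCA1",
    "domain": "IBC1",
    "domain_public_key": "a1" * 32,   # constructed placeholder value
    "not_before": 1000,
    "not_after": 2000,
}


def _sha256_json(obj: dict) -> str:
    """Hash a dict over a canonical JSON encoding so every node gets the same value."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def cert_digest(cert: dict) -> str:
    return _sha256_json(cert)


class Ledger:
    """Append-only, hash-linked record of certificate transactions (hypothetical)."""

    FIELDS = ("action", "cert_hash", "ts", "prev")

    def __init__(self):
        self.blocks = []

    def append(self, action: str, digest: str, ts: int) -> None:
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        body = {"action": action, "cert_hash": digest, "ts": ts, "prev": prev}
        body["block_hash"] = _sha256_json({k: body[k] for k in self.FIELDS})
        self.blocks.append(body)

    def chain_intact(self) -> bool:
        """Recompute every link; any edited record breaks the chain."""
        prev = "0" * 64
        for block in self.blocks:
            expected = _sha256_json({k: block[k] for k in self.FIELDS})
            if block["prev"] != prev or block["block_hash"] != expected:
                return False
            prev = block["block_hash"]
        return True

    def status(self, digest: str) -> str:
        """The latest transaction for a hash decides the certificate's state."""
        state = "unknown"
        for block in self.blocks:
            if block["cert_hash"] == digest:
                state = "valid" if block["action"] == "issue" else "revoked"
        return state


def check_certificate(ledger: Ledger, cert: dict, now: int) -> str:
    """Check a presented certificate the way a non-verification node could."""
    if not ledger.chain_intact():
        return "ledger-tampered"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "expired"
    # No signature to verify: trust comes only from the hash recorded on chain.
    return ledger.status(cert_digest(cert))
```

Because the certificate carries no signature, a single changed field yields a different hash and the lookup returns `unknown`; revocation is one more transaction rather than a separate revocation service.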
Step 2: the first blockchain certificate server BCCA1 generates a session key and sends the session key and the authentication request to the identity authentication server, specifically:
Figure BDA0002281491790000091
wherein IBE denotes an identity-based encryption algorithm applied to a message, H1(·) represents a hash operation,
Figure BDA0002281491790000092
is the user identity,
Figure BDA0002281491790000093
is the identity of the information service entity, s1 is the system key of the first IBC domain, || represents the OR operation, and [ ] represents a group operation;
the first blockchain certificate server BCCA1 calculates the session key K according to the formula, encrypts it based on identity, and sends it to the identity authentication server IAS;
the second blockchain certificate server BCCA2 generates a session key, encrypts it based on identity, and sends the encrypted session key and the authentication request to the information service entity, specifically:
Figure BDA0002281491790000094
wherein H1(·) represents a hash operation, ID_U1 is the user identity, ID_ISE2 is the identity of the information service entity, s2 is the system key of the second IBC domain, || represents the OR operation, and [ ] represents a group operation;
the second blockchain certificate server BCCA2 calculates the session key K' (with K' = K) based on the formula, encrypts it based on identity, and sends it to the information service entity ISE.
Step 3: the information service entity receives the message from the second blockchain certificate server BCCA2, verifies the timestamp T6, responds to the authentication request, and stores the session key K'. After receiving the authentication request, the information service entity requests signature signaling from the arbitration entity communication server SEM of its own domain, obtains a complete signature of the message through the arbitration entity communication server, and sends the complete signature and the encrypted message to the identity authentication server. Only part of the key is stored in the information service entity; the rest is stored in the arbitration entity communication server.
Because its key is incomplete, the entity must obtain part of the key from the SEM before any decryption or signature operation, so the administrator can order the SEM to stop sending signaling to the user in order to revoke the decryption or signature capability. Likewise, since the SEM stores only part of the key, it cannot perform a complete decryption or signature operation on its own. The user side and the SEM do not need to establish a secure channel: even if an attacker intercepts the decryption or signature signaling, part of the key is not enough to decrypt or sign.
Referring to Fig. 4, the arbitration entity communication server SEM and the KGC are two different entities in the system. The KGC is only responsible for generating private keys inside the system, while the SEM is responsible for providing signaling to users of the cryptographic service throughout the system life cycle. The specific steps are as follows:
the KGC divides the private key of the information service entity into two parts in advance, and sends one part to the arbitration entity communication server and the other to the information service entity;
after receiving the authentication request, the information service entity obtains the remaining part of the private key from the arbitration entity communication server;
the information service entity obtains a complete signature using the part of the private key it received and the remaining part obtained from the arbitration entity communication server, and returns the signature result to the user side.
The information service entity ISE sends the complete signature and the encrypted message to the identity authentication server IAS as follows:
Figure BDA0002281491790000101
where $S_m$ is the signature result and $g$ is a verification factor.
The information service entity ISE encrypts the message with the session key and sends the encrypted message together with the complete signature to the identity authentication server IAS: the ISE computes the ciphertext $C$ according to the above formula and sends it, together with the signature result $(S_m, g)$, to the IAS.
Step S4: and after the identity authentication server receives the complete signature and the encrypted message, decrypting the message, verifying the complete signature, and after the verification is successful, transmitting the session key and the timestamp to the user side based on identity encryption, wherein the user side finally obtains the session key.
The IAS sends the session key and the timestamp to the U1 based on the identity encryption, which specifically includes:
IAS→U1:{IBE(True,K,T7)}
the IAS decrypts the ciphertext C through the session key K to obtain a message m and signs the complete signature (S) by using an mIBS signature algorithmmAnd g) carrying out verification. After the authentication, the identity authentication server IAS trusts the shared session key K ═ K', and finally sends the successful authentication message, the session key K and the timestamp to the user side U1 based on the identity encryption, otherwise, terminates the session.
The mIBS signature algorithm consists of four phases: parameter generation (Setup), key generation (KeyGen), signing (Sign) and verification (Verify), described one by one below.
Setup phase:
Choose cyclic groups $(G_1, +)$ and $(G_2, \cdot)$ of prime order $N$ ($N > 2^{\lambda}$), where the generator of $G_1$ is $P$, and select a bilinear map $e: G_1 \times G_1 \to G_2$ that satisfies computability, non-degeneracy and bilinearity;
select hash functions $H_1: \{0,1\}^* \to G_1^*$ and $H_2: \{0,1\}^n \times G_2^* \to Z_N^*$, where $G_1^*$ and $G_2^*$ denote $G_1 \setminus \{0\}$ and $G_2 \setminus \{1\}$ respectively;
the KGC randomly selects
Figure BDA0002281491790000111
as the system master key and computes the system master public key $P_{public} = [s]P$, so the master key pair is $(s, P_{public})$; the KGC keeps $s$ secret and publishes the parameters $(N, P, G_1, G_2, e, P_{public}, H_1, H_2)$.
The message space is $M = \{0,1\}^n$ and the signature space is
Figure BDA0002281491790000112
KeyGen phase:
Suppose a user identifier in the system is $ID \in \{0,1\}^n$. The KGC computes its public key $P_{ID}$ and private key $d_{ID}$ as shown in equations (4.1) and (4.2):
Figure BDA0002281491790000121
$d_{ID} = sP_{ID}$ (4.2)
where $s$ is the system master key.
The KGC then splits the key generated for the user. Specifically, the KGC randomly selects
Figure BDA0002281491790000122
and computes according to equations (4.3) and (4.4):
Figure BDA0002281491790000123
Figure BDA0002281491790000124
where $s_{ID}$ is the user key.
Finally, the KGC sends
Figure BDA0002281491790000125
to the user, and
Figure BDA0002281491790000126
is stored by the SEM.
Sign phase:
Assume the message to be signed is $m \in M$. Obtaining a correct signature on $m$ takes the following three steps:
1. Before the user signs the message $m$:
(1) Randomly select a point
Figure BDA0002281491790000127
and an integer
Figure BDA0002281491790000128
and compute the element $q$ of group $G_1$:
$q = e(kP_1, P)$ (4.5)
(2) Compute the integer $g$:
$g = H_2(m, q)$ (4.6)
(3) Compute the signature $S_{user}$:
Figure BDA0002281491790000129
(4) Send the signature request to the SEM, where Request = $(q, g, S_{user})$.
2. After the SEM receives the user's signature request:
(1) Check whether the user ID has been revoked; if it has not, proceed to step (2).
(2) The SEM computes the signature signaling $S_{SEM}$ and synthesizes the complete signature result $S_m$:
Figure BDA0002281491790000131
$S_m = S_{user} + S_{SEM}$ (4.8)
(3) Compute $P_{ID}$ according to equation (4.1) and verify the correctness of the element $q$:
$q' = e(S_m, P) \cdot e(P_{ID}, -P_{public})^{g}$ (4.9)
If and only if $q' = q$, the signature request for $m$ is legitimate, and the SEM finally sends $S_{SEM}$ to the user. Note that even if the user selects the same $P_1$ and $k$ each time before signing, by the properties of the hash function, whenever the two signed messages differ, $m_1 \neq m_2$, the signature signaling differs as well, $S_{SEM1} \neq S_{SEM2}$, which ensures the freshness of the signaling.
3. User signature:
Likewise, to check whether the signaling $S_{SEM}$ is valid, the user identified by ID recomputes $S_m$ and $q'$ after receiving $S_{SEM}$, and outputs the signature $\langle S_m, g \rangle$ if and only if $q' = q$.
Verify phase:
Recompute $g'$ from the value of $q'$:
$g' = H_2(m, q')$ (4.10)
Accept the user's signature $\langle S_m, g \rangle$ on the message if and only if $g' = g$.
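The Sign and Verify flow above, with the SEM as revocation point, as an added example that is not part of the patent text. It replaces the real pairing with an insecure toy bilinear map over integers so that equations (4.5), (4.6), (4.8), (4.9) and (4.10) can be run with the standard library alone. Equations (4.3), (4.4) and (4.7) survive on this page only as figure references, so the additive key split $d_{ID} = d_{user} + d_{SEM}$ and the forms $S_{user} = kP_1 + g\,d_{user}$, $S_{SEM} = g\,d_{SEM}$ are assumptions chosen to be consistent with (4.8) and (4.9); all class and function names are hypothetical.

```python
import hashlib
import secrets

def is_prime(n):  # deterministic Miller-Rabin, valid for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy pairing, NOT secure: G1 = (Z_N, +) with generator P = 1 (discrete logs are
# trivial), G2 = order-N subgroup of Z_p^*. Bilinear and non-degenerate only.
N = 2**61 - 1
p = next(2 * k * N + 1 for k in range(1, 10**5) if is_prime(2 * k * N + 1))
h = next(x for x in (pow(b, (p - 1) // N, p) for b in range(2, 100)) if x != 1)
P = 1

def e(a, b):
    return pow(h, a * b % N, p)

def to_ZN_star(data):
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1)
def H1(ident):                      # P_ID = H1(ID), element of G1*
    return to_ZN_star(b"H1" + ident)
def H2(m, q):                       # g = H2(m, q), element of Z_N*
    return to_ZN_star(b"H2" + m + q.to_bytes(16, "big"))

def recompute_q(ident, S_m, g, P_public):
    # (4.9): q' = e(S_m, P) * e(P_ID, -P_public)^g
    return e(S_m, P) * pow(e(H1(ident), (-P_public) % N), g, p) % p

class KGC:
    def __init__(self):
        self.s = 1 + secrets.randbelow(N - 1)      # master key s
        self.P_public = self.s * P % N             # P_public = [s]P

    def keygen(self, ident):
        d_id = self.s * H1(ident) % N              # (4.2): d_ID = s * P_ID
        d_user = 1 + secrets.randbelow(N - 1)
        return d_user, (d_id - d_user) % N         # ASSUMED additive split

class SEM:
    def __init__(self, P_public):
        self.P_public, self.shares, self.revoked = P_public, {}, set()

    def signaling(self, ident, q, g, S_user):
        if ident in self.revoked or ident not in self.shares:
            return None                            # revoked: no signaling issued
        S_sem = g * self.shares[ident] % N         # ASSUMED form of S_SEM
        S_m = (S_user + S_sem) % N                 # (4.8)
        return S_sem if recompute_q(ident, S_m, g, self.P_public) == q else None

def user_request(m, d_user):
    P1, k = 1 + secrets.randbelow(N - 1), 1 + secrets.randbelow(N - 1)
    q = e(k * P1 % N, P)                           # (4.5)
    g = H2(m, q)                                   # (4.6)
    return q, g, (k * P1 + g * d_user) % N         # ASSUMED form of S_user

def sign(ident, m, d_user, sem):
    q, g, S_user = user_request(m, d_user)
    S_sem = sem.signaling(ident, q, g, S_user)
    if S_sem is None:
        return None
    S_m = (S_user + S_sem) % N                     # user re-checks q' = q
    return (S_m, g) if recompute_q(ident, S_m, g, sem.P_public) == q else None

def verify(ident, m, sig, P_public):
    S_m, g = sig
    return H2(m, recompute_q(ident, S_m, g, P_public)) == g    # (4.10)

if __name__ == "__main__":
    kgc = KGC()
    sem = SEM(kgc.P_public)
    ident, m = b"ISE2@ibc2.example", b"constructed message"   # constructed inputs
    d_user, sem.shares[ident] = kgc.keygen(ident)
    print("valid:", verify(ident, m, sign(ident, m, d_user, sem), kgc.P_public))
    sem.revoked.add(ident)
    print("after revocation:", sign(ident, m, d_user, sem))
```

The user's half-signature alone does not verify, and once the identity is added to the SEM's revocation set no further signatures can be produced, without re-keying anyone else.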
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A trusted identity authentication method based on a blockchain, characterized by comprising the following steps:
Step 1: the first blockchain certificate server $BCCA_1$ receives an identity authentication request initiated by a user side for a cross-domain information service entity, completes inter-domain authentication with the second blockchain certificate server $BCCA_2$ through blockchain certificates, and exchanges system public keys; wherein the first blockchain certificate server $BCCA_1$ and the second blockchain certificate server $BCCA_2$ are located in different IBC domains;
Step 2: the first blockchain certificate server $BCCA_1$ generates a session key, encrypts it based on identity, and sends the session key and the authentication request to an identity authentication server; the second blockchain certificate server $BCCA_2$ generates a session key, encrypts it based on identity, and sends the session key and the authentication request to the information service entity;
Step 3: the information service entity receives the message from the second blockchain certificate server $BCCA_2$; after receiving the authentication request, the information service entity requests signature signaling from the arbitration entity communication server of its domain, obtains a complete signature of the message through the arbitration entity communication server, and sends the complete signature and the encrypted message to the identity authentication server;
Step S4: after receiving the complete signature and the encrypted message, the identity authentication server decrypts the message and verifies the complete signature; after successful verification, it sends the session key and a timestamp to the user side under identity-based encryption, and the user side finally obtains the session key.
2. The blockchain-based trusted identity authentication method according to claim 1, wherein step 1 specifically comprises:
the user side selects a timestamp $T_1$, initiates to the first blockchain certificate server $BCCA_1$ an identity authentication request for a cross-domain information service entity, and performs an identity-based signature operation on the identity authentication request using its private key;
after confirming the validity of the user identity and the freshness of the timestamp $T_1$, the first blockchain certificate server $BCCA_1$ looks up the second blockchain certificate server $BCCA_2$ corresponding to the information service entity; $BCCA_1$ selects a timestamp $T_2$ and sends it, together with the information service entity's identity $ID_{ISE2}$, the blockchain certificate $Cert_{BCCA1}$ and the authentication request, in encrypted form to the second blockchain certificate server $BCCA_2$;
the second blockchain certificate server $BCCA_2$ decrypts the message from the first blockchain certificate server $BCCA_1$ and confirms that the timestamp $T_2$ is fresh; it then cooperates with the identity authentication server to query the status of $Cert_{BCCA1}$ and, if the certificate status is valid, responds to the authentication request; $BCCA_2$ encrypts the public key $P_{publice2}$ of its domain and a timestamp $T_3$ and sends them to the first blockchain certificate server $BCCA_1$;
the first blockchain certificate server $BCCA_1$ decrypts the message from the second blockchain certificate server $BCCA_2$, confirms that the timestamp $T_3$ is fresh, and stores the public key $P_{publice2}$; $BCCA_1$ encrypts the public key $P_{publice1}$ of its domain and a timestamp $T_4$ and sends them to the second blockchain certificate server $BCCA_2$.
3. The method according to claim 2, wherein step 2 specifically comprises:
the first blockchain certificate server $BCCA_1$ computes a session key $K$ based on the following formula and sends the session key $K$ and the authentication request to the identity authentication server;
Figure FDA0002281491780000021
where $H_1(\cdot)$ denotes a hash operation,
Figure FDA0002281491780000022
is the user identity,
Figure FDA0002281491780000023
is the identity of the information service entity, $s_1$ is the system key of the $IBC_1$ domain, || denotes the OR operation, and [ ] denotes a group operation;
the second blockchain certificate server $BCCA_2$ computes a session key $K'$ based on the following formula, encrypts the session key $K'$ based on identity, and sends the encrypted session key $K'$ and the authentication request to the information service entity;
Figure FDA0002281491780000024
where $H_1(\cdot)$ denotes a hash operation, $ID_{U1}$ is the user identity, $ID_{ISE2}$ is the identity of the information service entity, $s_2$ is the system key of the $IBC_2$ domain, || denotes the OR operation, and [ ] denotes a group operation.
4. The method according to claim 3, wherein in step 3, the information service entity requesting signature signaling from the arbitration entity communication server of its domain after receiving the authentication request, and obtaining a complete signature of the message through the arbitration entity communication server, specifically comprises:
the KGC divides the private key of the information service entity into two parts in advance and sends one part to the arbitration entity communication server and the other to the information service entity;
after receiving the authentication request, the information service entity obtains the contribution of the remaining part of the private key from the arbitration entity communication server;
the information service entity obtains a complete signature from the part of the private key it holds and the remaining part obtained from the arbitration entity communication server.
5. The method according to claim 4, wherein in step S3, the information service entity sending the complete signature and the encrypted message to the identity authentication server specifically comprises:
the information service entity encrypts the message with the session key and sends the encrypted message and the obtained complete signature to the identity authentication server; wherein the information service entity encrypts the message according to the following formula:
Figure FDA0002281491780000031
where $m$ is the message.
6. The method according to claim 5, wherein step S4 specifically comprises:
the identity authentication server decrypts $C$ with the session key $K$ to obtain the message $m$ and verifies the complete signature with the mIBS signature algorithm; if verification passes, the identity authentication server trusts the shared session key $K = K'$ and the authentication succeeds;
the session key and the timestamp are encrypted based on identity and sent to the user side, and the user side finally obtains the session key.
7. The method according to any one of claims 2 to 6, wherein the blockchain is a consortium blockchain, and the collaboration between the network nodes of the consortium blockchain is divided into 3 steps:
the blockchain certificate server BCCA of each IBC domain initiates a transaction signature carrying the authorization information in the blockchain certificate and sends it to a non-verification node NVP;
the non-verification node NVP verifies the received transaction signatures, orders the transactions by timestamp and broadcasts them to the verification nodes VP;
the verification node VP records the block in the blockchain after the block has been confirmed.
8. The method according to claim 7, wherein the blockchain certificate servers of different domains act respectively as initiator and receiver of blockchain transactions to issue transactions, thereby establishing authorized trust, and trust authorization is managed in the form of blockchain transaction records.
9. The method according to claim 8, wherein the blockchain certificate is generated by omitting the signature and the signature algorithm of a digital certificate, and the hash value of the blockchain certificate is then recorded in the blockchain; when a cross-domain authentication request is received, a non-verification node of the blockchain system checks the certificate in the blockchain;
and the blockchain certificate does not provide a uniform resource locator field for a certificate revocation checking service; control of the whole life cycle of the certificate is realized by means of blockchain transactions.
CN201911143182.7A 2019-11-20 2019-11-20 Credible identity authentication method based on block chain Pending CN110958229A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911143182.7A CN110958229A (en) 2019-11-20 2019-11-20 Credible identity authentication method based on block chain

Publications (1)

Publication Number Publication Date
CN110958229A true CN110958229A (en) 2020-04-03

Family

ID=69978050

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200403