Disclosure of Invention
In view of this, embodiments of the present invention provide a single sign-on method, a server, and a system based on a block chain, so as to solve the problems of low information security, incapability of solving the problem of violation of an identity provider, high maintenance cost, and the like in the existing single sign-on scheme.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiments of the present invention discloses a single sign-on method based on a block chain, the method is applicable to a server, and the method includes:
after receiving a login request sent by a first user terminal, a server feeds back an information file comprising an address of the server to the first user terminal;
the server receives a user ID sent by a second user terminal, wherein the second user terminal sends the user ID to the server based on the address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
the server side acquires a public key corresponding to the user ID and an encrypted identity attribute from a block chain, wherein the encrypted identity attribute is obtained by encrypting the identity attribute through a preset secret key;
the server sends an identification attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal;
the server receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal;
and the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute.
Preferably, the decrypting, by the server, the encrypted identity attribute according to the public key, the secret key, and the signed random number to obtain the identity attribute, and responding to the login request according to the identity attribute includes:
the server side verifies the signed random number by using the public key;
if the signed random number passes verification, the server decrypts the encrypted identity attribute according to the secret key to obtain the identity attribute;
and the server side responds to the login request by using the identity attribute.
Preferably, the obtaining, by the server, the public key corresponding to the user ID and the encrypted identity attribute from the blockchain includes:
the server side obtains an identity information document corresponding to the user ID from a block chain;
and the server analyzes the identity information document to obtain a public key and encrypted identity attribute in the identity information document.
Preferably, after receiving the login request sent by the first user terminal, the server feeds back an information file including an address of the server to the first user terminal, including:
the server generates a two-dimensional code comprising an address of the server after receiving a login request sent by a first user terminal;
and the server sends the two-dimension code to the first user terminal, and the first user terminal displays the two-dimension code.
Preferably, after the server responds to the login request according to the identity attribute, the method further includes:
and in a preset time, if the server receives a new login request sent by the first user terminal or other user terminals and receives a user ID sent by the second user terminal, responding to the new login request according to the identity attribute.
A second aspect of an embodiment of the present invention discloses a server, where the server includes:
the feedback unit is used for feeding back an information file comprising the address of the server to the first user terminal after receiving a login request sent by the first user terminal;
a first receiving unit, configured to receive a user ID sent by a second user terminal, where the second user terminal sends the user ID to the server based on an address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
the acquiring unit is used for acquiring a public key corresponding to the user ID and an encrypted identity attribute from a block chain, wherein the encrypted identity attribute is obtained by encrypting the identity attribute by a preset secret key;
a sending unit, configured to send an identifier attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal;
a second receiving unit, configured to receive the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal;
and the processing unit is used for decrypting the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute and responding to the login request according to the identity attribute.
Preferably, the processing unit is specifically configured to: and verifying the signed random number by using the public key, decrypting the encrypted identity attribute according to the secret key if the signed random number passes the verification to obtain the identity attribute, and responding the login request by using the identity attribute.
Preferably, the obtaining unit is specifically configured to: and acquiring an identity information document corresponding to the user ID from the block chain, analyzing the identity information document, and acquiring a public key and encrypted identity attribute in the identity information document.
Preferably, the feedback unit is specifically configured to: after a login request sent by a first user terminal is received, a two-dimensional code comprising the address of the server is generated, the two-dimensional code is sent to the first user terminal, and the two-dimensional code is displayed by the first user terminal.
A third aspect of the embodiments of the present invention discloses a single sign-on system based on a block chain, where the system includes: a first user terminal, a second user terminal and a server disclosed in the second aspect of the embodiments of the present invention.
Based on the above single sign-on method, server and system based on the block chain provided by the embodiments of the present invention, the method is: after receiving a login request sent by a first user terminal, feeding back an information file comprising an address of a server to the first user terminal; receiving a user ID sent by a second user terminal; acquiring a public key corresponding to the user ID and the encrypted identity attribute from the block chain; sending an identification attribute range and a random number corresponding to the encrypted identity attribute to a second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal; receiving a key corresponding to the encrypted identity attribute and a signed random number fed back by the second user terminal; and according to the public key, the secret key and the signed random number, decrypting the encrypted identity attribute to obtain the identity attribute, and responding to the login request according to the identity attribute. The identity provider is cancelled, so that a user can manage the identity information of the user, the safety of the identity information is improved, the server does not need to maintain a plurality of interfaces, only the interfaces of the blockchain need to be maintained, the maintenance cost is reduced, the blockchain can provide public services for different servers, and cross-system single sign-on is realized.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The background art can know that the existing single sign-on scheme is likely to cause the problems of identity information abuse and privacy disclosure, an identity provider is likely to refuse to provide services, the information security is low, the problem that the identity provider has illegal behaviors cannot be solved, and meanwhile, the service provider needs to maintain the interfaces of a plurality of identity providers, so that the maintenance cost is high.
Therefore, embodiments of the present invention provide a single sign-on method, a server and a system based on a blockchain, which enable a user to manage their own identity information by cancelling an identity provider, so as to improve the security of the identity information, the server does not need to maintain multiple interfaces, and only needs to maintain the interfaces of the blockchain, so as to reduce the maintenance cost, and the blockchain can provide public services to different servers, thereby implementing a cross-system single sign-on.
Referring to fig. 1, a flowchart of a single sign-on method based on a blockchain according to an embodiment of the present invention is shown, where the single sign-on method is applied to a server (also referred to as a service provider), and the single sign-on method includes:
step S101: and after receiving the login request sent by the first user terminal, the server feeds back an information file comprising the address of the server to the first user terminal.
In the process of implementing step S101 specifically, a user requests to log in a server by using a browser (for example only, the browser may also be a client) through a first user terminal (for example, a tablet, a computer, and the like), that is, after the first user terminal obtains an instruction of logging in the server, the first user terminal sends a login request to the server.
After the server receives a login request sent by the first user terminal, the server generates a two-dimensional code (information file) comprising the address of the server, and sends the two-dimensional code to the first user terminal, so that the first user terminal displays the two-dimensional code (information file).
Step S102: and the server receives the user ID sent by the second user terminal.
The second user terminal sends the user ID to the server based on the address of the server obtained from the identification information file, and the user ID is stored in the second user terminal in advance.
In the process of implementing step S102 specifically, after the first user terminal displays the two-dimensional code, the user scans the two-dimensional code by using a software application (APP, which is used only for example) through a second user terminal (such as a mobile phone and a tablet), so as to obtain an address of the server, and the second user terminal sends the user ID of the user to the server according to the obtained address of the server.
That is, the second user terminal identifies the information file, obtains the address of the server, and sends the user ID corresponding to the user to the server based on the address.
Step S103: the server acquires a public key corresponding to the user ID and the encrypted identity attribute (the identity attribute is identity information) from the blockchain.
It should be noted that, a preset secret key (for example, a symmetric secret key) is used to encrypt an identity attribute (an identity attribute corresponding to a user ID) of a user in advance to obtain an encrypted identity attribute, a public key corresponding to the user ID is bound in advance, and the public key corresponding to the user ID and the encrypted identity attribute are stored in a block chain.
It is understood that the user has a plurality of identity attributes (such as age, occupation, gender, and the like), and when the identity attribute of the user is encrypted, for each (or a part of) the identity attribute, the identity attribute is encrypted by using a key corresponding to the (each or each part of) the identity attribute, that is, each (or each part of) the encrypted identity attribute has a corresponding key.
In the process of implementing step S103 specifically, the server determines which identity attribute corresponding to the user needs to be obtained according to the service requirement, and the server obtains the public key corresponding to the user ID and the encrypted identity attribute (the identity attribute that the server needs to obtain) from the block chain.
It is understood that the blockchain stores therein an identity information document corresponding to the user (and the user ID), and the identity information document includes a public key bound to the user ID and an encrypted identity attribute.
In specific implementation, the server acquires an identity information document corresponding to the user ID from the blockchain, analyzes the identity information document, and acquires a public key and an encrypted identity attribute in the identity information document.
Step S104: and the server sends the identification attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal.
As can be seen from the foregoing, the server determines which identity attribute that the user corresponds to needs to be obtained according to the actual requirement, and in the process of implementing step S104 specifically, the server sends an identification attribute range corresponding to the encrypted identity attribute (the identity attribute that the server needs to obtain) to the second user terminal, that is, the identification attribute range indicates which identity attribute the server needs to obtain for the user.
The second user terminal displays the identifier attribute range to the user, that is, displays to the user which identity attribute of the user needs to be obtained by the server, and prompts (for example, in a manner of an inquiry box) whether the user agrees to send the identity attribute corresponding to the identifier attribute range to the server.
It should be noted that, while the server sends the identifier attribute range corresponding to the encrypted identity attribute to the second user terminal, the server sends a random Number (Nonce) to the second user terminal.
If the user agrees to send the identity attribute corresponding to the identification attribute range to the server through the second user terminal, the second user terminal signs the random number by using a private key corresponding to the second user terminal (namely, the private key corresponding to the user ID).
Step S105: and the server receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal.
In the process of implementing step S105 specifically, as can be known from the foregoing, each (or each part of) identity attribute has a corresponding secret key, if the user agrees to send the identity attribute corresponding to the identifier attribute range to the server through the second user terminal, the second user terminal sends the secret key corresponding to the encrypted identity attribute corresponding to the identifier attribute range to the server, and the second user terminal sends the signed random number to the server.
That is to say, if the user agrees to send the identity attribute corresponding to the identifier attribute range to the server through the second user terminal, the server receives the signed random number sent by the second user terminal and the encrypted secret key corresponding to the identity attribute corresponding to the identifier attribute range.
Step S106: and the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute.
In the process of implementing step S106, the server verifies the signed random number by using the public key (the public key corresponding to the user ID) obtained from the blockchain, that is, performs identity verification on the user.
And if the signed random number passes the verification, the server decrypts the encrypted identity attribute according to the key to obtain the identity attribute, and responds to the login request according to the identity attribute.
It can be understood that each (or each part of) encrypted identity attribute has its corresponding key, and when the server decrypts the encrypted identity attribute, the server decrypts the encrypted identity attribute by using the key corresponding to the encrypted identity attribute.
Preferably, when the second user terminal sends the key (the key corresponding to the encrypted identity attribute) and the signed random number to the server, the second user terminal records the time for sending the key and the signed random number (i.e. records the authorization time) through a software application (APP, for example only). The user sets the maximum time (hereinafter referred to as preset time) allowing the server to access for the second time through the second user terminal by using the software application, and after the server responds to the login request according to the identity attribute, in the preset time, if the server receives a new login request sent by the first user terminal or other user terminals and the server receives a user ID sent by the second user terminal, the server responds to the new login request according to the identity attribute.
That is, after the server responds to the login request according to the identity attribute, in a preset time, the user requests to log in the server through the first user terminal or other user terminals (sends a new login request to the server), the server sends an information file to the first user terminal or other user terminals, and after the user identifies the information file through the second user terminal (i.e., the server receives the user ID sent by the second user terminal), the server directly responds to the new login request by using the identity attribute obtained when the login request was processed last time (i.e., the second user terminal is not required to authorize the server again).
In the embodiment of the invention, after receiving the login request sent by the first user terminal, the server feeds back the information file comprising the address of the server to the first user terminal. And the server receives the user ID sent by the second user terminal, and acquires a public key corresponding to the user ID and the encrypted identity attribute from the block chain. And the server sends the identification attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, and receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal. And the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute. The identity provider is cancelled, so that a user can manage the identity information of the user, the safety of the identity information is improved, the server does not need to maintain a plurality of interfaces, only the interfaces of the blockchain need to be maintained, the maintenance cost is reduced, the blockchain can provide public services for different servers, and cross-system single sign-on is realized.
To better explain the contents in fig. 1 in the above embodiment of the present invention, the interaction between the service provider 201 (server), the browser 202 (browser in the first user terminal), the APP203 (APP in the second user terminal), the identity chain 204 and the end user (user corresponding to the first user terminal and the second user terminal) shown in fig. 2 is exemplified, and it should be noted that fig. 2 is only used for example.
It should be noted that the identity chain 204 is a public block chain for storing an identity information document of an end user, and the identity information document includes a public key bound to a user ID (user ID of the end user) and an encrypted identity attribute.
Referring to fig. 2, another flowchart of a single sign-on method based on a blockchain according to an embodiment of the present invention is shown, including the following steps:
step S201: the browser 202 sends a login request to the service provider 201.
In the process of implementing step S201 specifically, the end user requests to log in from the service provider 201 through the browser 202, that is, when the browser 202 obtains an instruction for requesting to log in to the service provider 201, the browser 202 sends a login request to the service provider 201.
Step S202: the service provider 201 feeds back a two-dimensional code comprising the address of the service provider 201 to the browser 202, and the APP203 scans the two-dimensional code and then sends a user ID corresponding to the end user to the service provider 201.
In the process of implementing step S202 specifically, the service provider 201 feeds back the two-dimensional code including the address of the service provider 201 to the browser 202, and the browser 202 presents the two-dimensional code to the end user. The end user scans the two-dimensional code through the APP203, that is, after the APP203 obtains an instruction for scanning the two-dimensional code, the APP203 scans the two-dimensional code and sends the user ID to the service provider 201 (the two-dimensional code carries the address of the service provider 201).
Step S203: the service provider 201 finds an identity information document corresponding to the user ID from the identity chain 204 based on the user ID.
Step S204: the service provider 201 obtains an identity information document corresponding to the user ID from the identity chain 204, and obtains a public key and encrypted identity attributes from the identity information document.
Step S205: the service provider 201 sends an identification attribute range and Nonce corresponding to the encrypted identification attribute (the identification attribute of the end user that the service provider 201 needs to acquire) to the APP203, and the APP203 prompts whether the end user agrees to send the identification attribute corresponding to the identification attribute range to the service provider 201.
In the process of implementing step S205 specifically, the service provider 201 sends the identifier attribute range and Nonce to the APP203, which indicates which identity attributes of the end user need to be acquired by the service provider 201, the APP203 prompts whether the end user agrees to send the identity attributes corresponding to the identifier attribute range to the service provider 201, and if the end user agrees, the APP203 signs Nonce with the private key corresponding to the user ID.
Step S206: if the end user agrees, the APP203 sends the key corresponding to the encrypted identity attribute (the identity attribute required by the service provider 201) and the signed Nonce to the service provider 201.
It will be appreciated that after the APP203 sends the key and signed Nonce to the service provider 201, the APP203 records the authorization time and the end user can set the maximum time the service provider 201 is allowed to access for the second time through the APP 203.
After the service provider 201 receives the key and the signed Nonce sent by the APP203, the service provider 201 verifies the signed Nonce by using the obtained public key, that is, verifies the identity of the end user. If the authentication is passed, the service provider 201 decrypts the encrypted identity attribute by using the obtained key to obtain a corresponding identity attribute, and responds to the login request sent by the browser 202 according to the obtained identity attribute.
Corresponding to the above single sign-on method based on a block chain provided in the embodiment of the present invention, referring to fig. 3, the embodiment of the present invention further provides a structural block diagram of a server, where the server includes: a feedback unit 301, a first receiving unit 302, an obtaining unit 303, a sending unit 304, a second receiving unit 305, and a processing unit 306;
the feedback unit 301 is configured to feed back an information file including an address of a server to the first user terminal after receiving a login request sent by the first user terminal.
In a specific implementation, the feedback unit 301 is specifically configured to: after a login request sent by a first user terminal is received, a two-dimensional code comprising the address of a server side is generated, the two-dimensional code is sent to the first user terminal, and the two-dimensional code is displayed by the first user terminal.
A first receiving unit 302, configured to receive a user ID sent by a second user terminal, where the second user terminal sends the user ID to a server based on an address of the server obtained by using the identification information file, and the user ID is stored in the second user terminal in advance.
An obtaining unit 303, configured to obtain, from the blockchain, a public key corresponding to the user ID and the encrypted identity attribute, where the encrypted identity attribute is obtained by encrypting the identity attribute with a preset secret key.
In a specific implementation, the obtaining unit 303 is specifically configured to: and acquiring an identity information document corresponding to the user ID from the block chain, analyzing the identity information document, and acquiring a public key and encrypted identity attribute in the identity information document.
A sending unit 304, configured to send the identifier attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using its own corresponding private key.
A second receiving unit 305, configured to receive the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal.
And the processing unit 306 is configured to decrypt the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and respond to the login request according to the identity attribute.
In a specific implementation, the processing unit 306 is specifically configured to: and verifying the signed random number by using the public key, if the signed random number passes the verification, decrypting the encrypted identity attribute according to the secret key to obtain the identity attribute, and responding to the login request by using the identity attribute.
Preferably, in the preset time content, if the feedback unit 301 receives a new login request sent by the first user terminal or another user terminal, and the first receiving unit 302 receives a user ID sent by the second user terminal, the processing unit 306 is further configured to: and responding to the new login request according to the identity attribute.
In the embodiment of the invention, after receiving the login request sent by the first user terminal, the server feeds back the information file comprising the address of the server to the first user terminal. And the server receives the user ID sent by the second user terminal, and acquires a public key corresponding to the user ID and the encrypted identity attribute from the block chain. And the server sends the identification attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, and receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal. And the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute. The identity provider is cancelled, so that a user can manage the identity information of the user, the safety of the identity information is improved, the server does not need to maintain a plurality of interfaces, only the interfaces of the blockchain need to be maintained, the maintenance cost is reduced, the blockchain can provide public services for different servers, and cross-system single sign-on is realized.
Corresponding to the above single sign-on method based on a block chain provided in the embodiment of the present invention, referring to fig. 4, an embodiment of the present invention further provides a structural block diagram of a single sign-on system based on a block chain, where the single sign-on system includes: a first user terminal 401, a second user terminal 402 and a server 403;
the working principle of the first user terminal 401, the second user terminal 402 and the server 403 can refer to the content shown in fig. 1 to fig. 3 in the above embodiments of the present invention, and will not be described herein again.
In summary, embodiments of the present invention provide a single sign-on method, a server, and a system based on a blockchain, where after receiving a login request sent by a first user terminal, the server feeds back an information file including an address of the server to the first user terminal. And the server receives the user ID sent by the second user terminal, and acquires a public key corresponding to the user ID and the encrypted identity attribute from the block chain. And the server sends the identification attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, and receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal. And the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute. The identity provider is cancelled, so that a user can manage the identity information of the user, the safety of the identity information is improved, the server does not need to maintain a plurality of interfaces, only the interfaces of the blockchain need to be maintained, the maintenance cost is reduced, the blockchain can provide public services for different servers, and cross-system single sign-on is realized.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.