CN111600900B - Single sign-on method, server and system based on block chain - Google Patents


Info

Publication number
CN111600900B
Authority
CN
China
Prior art keywords
server
user terminal
user
attribute
identity attribute
Legal status
Active
Application number
CN202010455979.7A
Other languages
Chinese (zh)
Other versions
CN111600900A (en)
Inventor
雷虹
程一帆
刘浛
燕云
任谦
赵品行
包子健
Current Assignee
Oxford Hainan Blockchain Research Institute Co ltd
Yunhai Chain Holdings Co ltd
Original Assignee
Oxford Hainan Blockchain Research Institute Co ltd
Legal events
Application filed by Oxford Hainan Blockchain Research Institute Co ltd
Priority to CN202010455979.7A
Publication of CN111600900A
Application granted
Publication of CN111600900B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention provides a single sign-on method, server and system based on a block chain. After receiving a login request sent by a first user terminal, the server feeds back to that terminal an information file containing the address of the server; it then receives a user ID sent by a second user terminal, acquires the public key corresponding to the user ID and the encrypted identity attribute from the block chain, and sends the second user terminal an identifier attribute range and a random number corresponding to the encrypted identity attribute. It receives from the second user terminal the key corresponding to the encrypted identity attribute and the signed random number, decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to that attribute. Because the identity provider is eliminated, users manage their own identity information and information security is improved; the server no longer needs to maintain a plurality of interfaces, which reduces maintenance cost; and the block chain can provide services to different servers, so cross-system single sign-on is realized.

Description

Single sign-on method, server and system based on block chain
Technical Field
The invention relates to the technical field of Internet identity authentication management, in particular to a single sign-on method, a server side and a system based on a block chain.
Background
In daily life, most users have to memorize a plurality of user names and corresponding passwords, and many worry about forgetting the login password of a particular website. To ease memorization, many users reuse the same user name and password across different sites; this reduces the burden but also reduces security, and the user still has to log in separately at each site. Meanwhile, with the rapid development of informatization, large enterprises, government departments and the like have begun to work through electronic systems, and the whole office system is composed of a plurality of different subsystems, such as an Office Automation (OA) system, a financial management system, a file management system and an information query system. If each system uses a separate login and authentication mechanism, staff must log in to a different system for each task every day. Frequent login operations reduce staff efficiency, and a user who memorizes a large number of passwords and user names easily forgets or mixes them up. For these reasons it becomes important to provide the user with a single, clear login channel.
Single sign-on (SSO) is a secure communication technology that helps users quickly access multiple sites in a network. Single sign-on systems are based on a secure communication protocol that achieves single sign-on by exchanging user identity information between multiple systems. With a single sign-on system, a user logs on once and can then access a plurality of systems without memorizing a plurality of passwords.
Existing single sign-on systems typically involve three parties: a user, a service provider and an identity provider. The user's identity information is stored on the identity provider's server; when the user accesses a service, the service provider redirects the user to the identity provider for identity authentication. Once authentication passes, the identity provider issues the user a login credential (ticket). The user presents the ticket as the authentication credential when accessing another application system, and that application system, on receiving the request, sends the ticket to the authentication system, which checks its validity. If the ticket verifies, the user can access the other application without logging in again.
However, in existing single sign-on systems the identity provider holds the user's complete identity information, so misuse of identity information and disclosure of privacy are very likely. On the service provider's side, the existing solution requires the service provider to maintain interfaces to multiple identity providers and makes it dependent on the identity provider for identity authentication: the identity provider must be trusted both to verify users and to propagate reliable, up-to-date identity attributes, and if the identity provider behaves improperly the service provider has no way of knowing, which is a security problem.
In summary, the existing single sign-on scheme still has a security problem, cannot address improper behavior by the identity provider, and requires the interfaces of a plurality of identity providers to be maintained, so that the maintenance cost is high.
Disclosure of Invention
In view of this, embodiments of the present invention provide a single sign-on method, a server and a system based on a block chain, so as to solve the problems of the existing single sign-on scheme: low information security, inability to address improper behavior by the identity provider, high maintenance cost and the like.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiments of the present invention discloses a single sign-on method based on a block chain, the method is applicable to a server, and the method includes:
after receiving a login request sent by a first user terminal, a server feeds back an information file comprising an address of the server to the first user terminal;
the server receives a user ID sent by a second user terminal, wherein the second user terminal sends the user ID to the server based on the address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
the server side acquires a public key corresponding to the user ID and an encrypted identity attribute from a block chain, wherein the encrypted identity attribute is obtained by encrypting the identity attribute through a preset secret key;
the server sends an identification attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal;
the server receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal;
and the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute.
Preferably, the decrypting, by the server, of the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and the responding to the login request according to the identity attribute, include:
the server verifies the signed random number by using the public key;
if the signed random number passes verification, the server decrypts the encrypted identity attribute according to the secret key to obtain the identity attribute;
and the server responds to the login request by using the identity attribute.
Preferably, the obtaining, by the server, of the public key corresponding to the user ID and the encrypted identity attribute from the blockchain includes:
the server obtains an identity information document corresponding to the user ID from the block chain;
and the server parses the identity information document to obtain the public key and the encrypted identity attribute in the identity information document.
Preferably, the feeding back, by the server, of an information file including an address of the server to the first user terminal after receiving the login request sent by the first user terminal includes:
the server generates a two-dimensional code comprising the address of the server after receiving the login request sent by the first user terminal;
and the server sends the two-dimensional code to the first user terminal, which displays the two-dimensional code.
Preferably, after the server responds to the login request according to the identity attribute, the method further includes:
within a preset time, if the server receives a new login request sent by the first user terminal or another user terminal and receives the user ID sent by the second user terminal, responding to the new login request according to the identity attribute.
A second aspect of an embodiment of the present invention discloses a server, where the server includes:
the feedback unit is used for feeding back an information file comprising the address of the server to the first user terminal after receiving a login request sent by the first user terminal;
a first receiving unit, configured to receive a user ID sent by a second user terminal, where the second user terminal sends the user ID to the server based on an address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
the acquiring unit is used for acquiring a public key corresponding to the user ID and an encrypted identity attribute from a block chain, wherein the encrypted identity attribute is obtained by encrypting the identity attribute by a preset secret key;
a sending unit, configured to send an identifier attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal;
a second receiving unit, configured to receive the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal;
and the processing unit is used for decrypting the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute and responding to the login request according to the identity attribute.
Preferably, the processing unit is specifically configured to: verify the signed random number by using the public key; if the signed random number passes verification, decrypt the encrypted identity attribute according to the secret key to obtain the identity attribute; and respond to the login request by using the identity attribute.
Preferably, the obtaining unit is specifically configured to: acquire an identity information document corresponding to the user ID from the block chain, parse the identity information document, and obtain the public key and the encrypted identity attribute in the identity information document.
Preferably, the feedback unit is specifically configured to: after a login request sent by the first user terminal is received, generate a two-dimensional code comprising the address of the server and send the two-dimensional code to the first user terminal, which displays it.
A third aspect of the embodiments of the present invention discloses a single sign-on system based on a block chain, where the system includes: a first user terminal, a second user terminal and a server disclosed in the second aspect of the embodiments of the present invention.
The single sign-on method, server and system based on the block chain provided by the embodiments of the present invention work as follows: after receiving a login request sent by a first user terminal, feed back to it an information file comprising the address of the server; receive a user ID sent by a second user terminal; acquire the public key corresponding to the user ID and the encrypted identity attribute from the block chain; send the second user terminal an identifier attribute range and a random number corresponding to the encrypted identity attribute, so that it signs the random number with its private key; receive the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal; and decrypt the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, responding to the login request according to that attribute. Because the identity provider is eliminated, users manage their own identity information and its security is improved; the server need not maintain a plurality of interfaces but only the interfaces of the blockchain, which reduces maintenance cost; and the blockchain can provide public services to different servers, so cross-system single sign-on is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a single sign-on method based on a block chain according to an embodiment of the present invention;
fig. 2 is another flowchart of a single sign-on method based on a block chain according to an embodiment of the present invention;
fig. 3 is a block diagram of a server according to an embodiment of the present invention;
fig. 4 is a block diagram of a single sign-on system based on a block chain according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
As the background art shows, the existing single sign-on scheme is likely to cause abuse of identity information and disclosure of privacy, the identity provider may refuse to provide service, information security is low, improper behavior by the identity provider cannot be addressed, and the service provider must maintain the interfaces of a plurality of identity providers, so the maintenance cost is high.
Therefore, embodiments of the present invention provide a single sign-on method, a server and a system based on a blockchain. By eliminating the identity provider they enable users to manage their own identity information, which improves its security; the server need not maintain multiple interfaces but only the interfaces of the blockchain, which reduces maintenance cost; and the blockchain can provide public services to different servers, thereby implementing cross-system single sign-on.
Referring to fig. 1, a flowchart of a single sign-on method based on a blockchain according to an embodiment of the present invention is shown, where the single sign-on method is applied to a server (also referred to as a service provider), and the single sign-on method includes:
step S101: and after receiving the login request sent by the first user terminal, the server feeds back an information file comprising the address of the server to the first user terminal.
In the process of implementing step S101 specifically, a user requests to log in a server by using a browser (for example only, the browser may also be a client) through a first user terminal (for example, a tablet, a computer, and the like), that is, after the first user terminal obtains an instruction of logging in the server, the first user terminal sends a login request to the server.
After the server receives a login request sent by the first user terminal, the server generates a two-dimensional code (information file) comprising the address of the server, and sends the two-dimensional code to the first user terminal, so that the first user terminal displays the two-dimensional code (information file).
Step S102: and the server receives the user ID sent by the second user terminal.
The second user terminal sends the user ID to the server based on the address of the server obtained from the identification information file, and the user ID is stored in the second user terminal in advance.
In the process of implementing step S102 specifically, after the first user terminal displays the two-dimensional code, the user scans the two-dimensional code by using a software application (APP, which is used only for example) through a second user terminal (such as a mobile phone and a tablet), so as to obtain an address of the server, and the second user terminal sends the user ID of the user to the server according to the obtained address of the server.
That is, the second user terminal identifies the information file, obtains the address of the server, and sends the user ID corresponding to the user to the server based on the address.
Step S103: the server acquires the public key corresponding to the user ID and the encrypted identity attribute (the identity attribute being identity information) from the blockchain.
It should be noted that a preset secret key (for example, a symmetric key) is used in advance to encrypt the identity attribute of the user (the identity attribute corresponding to the user ID) to obtain the encrypted identity attribute; a public key is bound to the user ID in advance; and the public key corresponding to the user ID and the encrypted identity attribute are stored in the block chain.
It is understood that the user has a plurality of identity attributes (such as age, occupation and gender) and that, when the identity attributes are encrypted, each identity attribute (or each group of identity attributes) is encrypted with its own key, so that each encrypted identity attribute (or group) has a corresponding key.
In implementing step S103, the server determines, according to its service requirement, which identity attribute of the user it needs to obtain, and acquires from the block chain the public key corresponding to the user ID and the encrypted identity attribute (the identity attribute the server needs).
It is understood that the blockchain stores an identity information document corresponding to the user (and to the user ID), and the identity information document includes the public key bound to the user ID and the encrypted identity attribute.
In a specific implementation, the server acquires the identity information document corresponding to the user ID from the blockchain, parses the identity information document, and obtains the public key and the encrypted identity attribute contained in it.
Step S104: and the server sends the identification attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number by using a private key corresponding to the second user terminal.
As can be seen from the foregoing, the server determines which identity attribute that the user corresponds to needs to be obtained according to the actual requirement, and in the process of implementing step S104 specifically, the server sends an identification attribute range corresponding to the encrypted identity attribute (the identity attribute that the server needs to obtain) to the second user terminal, that is, the identification attribute range indicates which identity attribute the server needs to obtain for the user.
The second user terminal displays the identifier attribute range to the user, that is, displays to the user which identity attribute of the user needs to be obtained by the server, and prompts (for example, in a manner of an inquiry box) whether the user agrees to send the identity attribute corresponding to the identifier attribute range to the server.
It should be noted that, while the server sends the identifier attribute range corresponding to the encrypted identity attribute to the second user terminal, the server sends a random Number (Nonce) to the second user terminal.
If the user agrees to send the identity attribute corresponding to the identification attribute range to the server through the second user terminal, the second user terminal signs the random number by using a private key corresponding to the second user terminal (namely, the private key corresponding to the user ID).
Step S105: and the server receives the key corresponding to the encrypted identity attribute and the signed random number fed back by the second user terminal.
In the process of implementing step S105 specifically, as can be known from the foregoing, each (or each part of) identity attribute has a corresponding secret key, if the user agrees to send the identity attribute corresponding to the identifier attribute range to the server through the second user terminal, the second user terminal sends the secret key corresponding to the encrypted identity attribute corresponding to the identifier attribute range to the server, and the second user terminal sends the signed random number to the server.
That is to say, if the user agrees to send the identity attribute corresponding to the identifier attribute range to the server through the second user terminal, the server receives the signed random number sent by the second user terminal and the encrypted secret key corresponding to the identity attribute corresponding to the identifier attribute range.
Step S106: and the server decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute.
In the process of implementing step S106, the server verifies the signed random number by using the public key (the public key corresponding to the user ID) obtained from the blockchain, that is, performs identity verification on the user.
And if the signed random number passes the verification, the server decrypts the encrypted identity attribute according to the key to obtain the identity attribute, and responds to the login request according to the identity attribute.
It can be understood that each (or each part of) encrypted identity attribute has its corresponding key, and when the server decrypts the encrypted identity attribute, the server decrypts the encrypted identity attribute by using the key corresponding to the encrypted identity attribute.
Preferably, when the second user terminal sends the key (the key corresponding to the encrypted identity attribute) and the signed random number to the server, the second user terminal records the time for sending the key and the signed random number (i.e. records the authorization time) through a software application (APP, for example only). The user sets the maximum time (hereinafter referred to as preset time) allowing the server to access for the second time through the second user terminal by using the software application, and after the server responds to the login request according to the identity attribute, in the preset time, if the server receives a new login request sent by the first user terminal or other user terminals and the server receives a user ID sent by the second user terminal, the server responds to the new login request according to the identity attribute.
That is, after the server responds to the login request according to the identity attribute, in a preset time, the user requests to log in the server through the first user terminal or other user terminals (sends a new login request to the server), the server sends an information file to the first user terminal or other user terminals, and after the user identifies the information file through the second user terminal (i.e., the server receives the user ID sent by the second user terminal), the server directly responds to the new login request by using the identity attribute obtained when the login request was processed last time (i.e., the second user terminal is not required to authorize the server again).
In the embodiment of the invention, after receiving the login request sent by the first user terminal, the server feeds back to it an information file comprising the address of the server. The server receives the user ID sent by the second user terminal and acquires the public key corresponding to the user ID and the encrypted identity attribute from the block chain. The server sends the identifier attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, and receives the key corresponding to the encrypted identity attribute and the signed random number fed back by it. The server then decrypts the encrypted identity attribute according to the public key, the secret key and the signed random number to obtain the identity attribute, and responds to the login request according to the identity attribute. Because the identity provider is eliminated, users manage their own identity information and its security is improved; the server need not maintain a plurality of interfaces but only the interfaces of the blockchain, which reduces maintenance cost; and the blockchain can provide public services to different servers, so cross-system single sign-on is realized.
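The exchange of steps S101 to S106 and the "preferably" paragraph above (and the same method as summarized in the first aspect of the disclosure), as an added example that is not part of the patent: a Go simulation of the identity chain, the second user terminal (wallet) and the server. Ed25519 for the user's key pair, AES-256-GCM with one key per attribute for the encrypted identity attributes, the in-memory chain, the constructed attribute names and the single-use check on the nonce are all assumptions; the page itself specifies only a public key, a symmetric preset key and a random number (nonce).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// IdentityDocument is the per-user-ID chain record; AES-256-GCM with one key per attribute is an assumption (page: "a preset secret key").
type IdentityDocument struct {
	PublicKey ed25519.PublicKey
	Encrypted map[string][]byte // attribute name -> 12-byte GCM nonce || ciphertext
}

type Wallet struct { // the second user terminal (the APP): sole holder of the private key and the attribute keys
	priv    ed25519.PrivateKey
	attrKey map[string][]byte
}

// Server is the service provider; Issued holds unredeemed challenge nonces so each is accepted once (an assumed single-use check).
type Server struct {
	Chain  map[string]IdentityDocument // constructed in-memory stand-in for the identity chain
	Issued map[string]bool
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return b
}

// aead returns AES-256-GCM for key; callers guarantee a 32-byte key, so neither constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// NewWallet is the "in advance" setup: key pair, one key per attribute, document published to the chain.
func NewWallet(userID string, attrs map[string]string, chain map[string]IdentityDocument) *Wallet {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	w, enc := &Wallet{priv: priv, attrKey: map[string][]byte{}}, map[string][]byte{}
	for name, value := range attrs {
		w.attrKey[name] = randBytes(32)
		iv := randBytes(12) // GCM nonce, stored as the ciphertext prefix
		enc[name] = aead(w.attrKey[name]).Seal(iv, iv, []byte(value), nil)
	}
	chain[userID] = IdentityDocument{PublicKey: pub, Encrypted: enc}
	return w
}

// Challenge is step S104: a fresh nonce sent with the attribute range (the range travels out of band here).
func (s *Server) Challenge() []byte {
	nonce := randBytes(16)
	s.Issued[string(nonce)] = true
	return nonce
}

// Authorize is the wallet side of S104/S105: with consent, sign the nonce and release only the requested attribute keys.
func (w *Wallet) Authorize(nonce []byte, attrRange []string, consent bool) ([]byte, map[string][]byte, error) {
	if !consent {
		return nil, nil, errors.New("user declined to disclose the requested attributes")
	}
	keys := map[string][]byte{}
	for _, name := range attrRange {
		keys[name] = w.attrKey[name] // nil for an attribute the wallet lacks; the server rejects it
	}
	return ed25519.Sign(w.priv, nonce), keys, nil
}

// Complete is step S106: verify the signed nonce with the chain's public key, then decrypt only the released attributes.
func (s *Server) Complete(userID string, nonce, sig []byte, keys map[string][]byte) (map[string]string, error) {
	if !s.Issued[string(nonce)] {
		return nil, errors.New("unknown or already used nonce")
	}
	delete(s.Issued, string(nonce)) // one attempt per nonce, whether or not it verifies
	doc, ok := s.Chain[userID]
	if !ok || !ed25519.Verify(doc.PublicKey, nonce, sig) {
		return nil, errors.New("no identity document for user ID, or signature does not verify")
	}
	attrs := map[string]string{}
	for name, k := range keys {
		ct := doc.Encrypted[name]
		if len(k) != 32 || len(ct) < 12 { // also catches attributes that are not in the document
			return nil, errors.New("bad key or no ciphertext for attribute " + name)
		}
		pt, err := aead(k).Open(nil, ct[:12], ct[12:], nil)
		if err != nil {
			return nil, errors.New("cannot decrypt attribute " + name)
		}
		attrs[name] = string(pt)
	}
	return attrs, nil
}
```

The server can only decrypt the attributes whose keys the wallet released, so what the service provider learns is the consented identifier attribute range, not the whole identity information document.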
To explain fig. 1 of the above embodiment further, fig. 2 shows the interaction between the service provider 201 (the server), the browser 202 (the browser in the first user terminal), the APP203 (the application in the second user terminal), the identity chain 204 and the end user (the user of both the first and the second user terminal). Fig. 2 is given only by way of example.
The identity chain 204 is a public blockchain that stores an identity information document for each end user; the document contains a public key bound to the user ID of that end user and the encrypted identity attributes.
Referring to fig. 2, another flowchart of a blockchain-based single sign-on method according to an embodiment of the present invention comprises the following steps:
Step S201: the browser 202 sends a login request to the service provider 201.
In step S201, the end user requests to log in to the service provider 201 through the browser 202; that is, when the browser 202 receives an instruction to log in to the service provider 201, it sends a login request to the service provider 201.
Step S202: the service provider 201 returns to the browser 202 a two-dimensional code containing the address of the service provider 201; the APP203 scans the code and sends the user ID of the end user to the service provider 201.
In step S202, the service provider 201 returns the two-dimensional code containing its address to the browser 202, which displays it to the end user. The end user scans the code with the APP203; that is, after the APP203 receives a scan instruction, it reads the two-dimensional code, obtains the address of the service provider 201 carried in it, and sends the user ID to that address.
Step S203: the service provider 201 looks up, on the identity chain 204, the identity information document corresponding to the user ID.
Step S204: the service provider 201 obtains the identity information document from the identity chain 204 and extracts the public key and the encrypted identity attributes from it.
Step S205: the service provider 201 sends to the APP203 the identity attribute range (the identity attributes of the end user that the service provider 201 needs) and a Nonce corresponding to the encrypted identity attributes, and the APP203 asks the end user whether he or she agrees to release the identity attributes in that range to the service provider 201.
In step S205, the identity attribute range sent together with the Nonce tells the APP203 which identity attributes the service provider 201 needs. The APP203 prompts the end user for consent; if the end user agrees, the APP203 signs the Nonce with the private key corresponding to the user ID.
Step S206: if the end user agrees, the APP203 sends the key corresponding to the encrypted identity attributes required by the service provider 201, together with the signed Nonce, to the service provider 201.
After sending the key and the signed Nonce to the service provider 201, the APP203 records the authorization time, and the end user can set in the APP203 the maximum period during which the service provider 201 may access the identity attributes again without a new authorization.
After receiving the key and the signed Nonce from the APP203, the service provider 201 verifies the signature on the Nonce with the public key obtained in step S204, which authenticates the end user. If the verification passes, the service provider 201 decrypts the encrypted identity attributes with the received key and responds to the login request from the browser 202 on the basis of the decrypted identity attributes.
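The exchange of steps S201 to S206, together with the reuse of a verified login within the preset time described above, as an added example that is not part of the patent or of any code by its applicants: a single-process Go simulation of both sides. Here `chain` is a map standing in for the identity chain 204; Ed25519 is assumed for the user's key pair and AES-256-GCM for the per-attribute encryption, since the patent names neither algorithm; the server address is put under the signature together with the Nonce (an added binding, the patent signs the Nonce alone); and the QR-code and scan steps are reduced to handing the user ID straight to the server. The type and function names (`Document`, `App`, `Server`, `ReceiveUserID`, `Complete`) and the sample user data are this example's own.

```go
package main

// Added example, not the patent's own code: a one-process simulation of the
// Fig. 2 flow. chain stands in for identity chain 204; Ed25519 (user key pair)
// and AES-256-GCM (per-attribute encryption) are assumptions, the patent names
// neither algorithm.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Document is the identity information document the server reads from the chain (S204).
type Document struct {
	PublicKey ed25519.PublicKey
	Encrypted map[string][]byte // attribute name -> GCM nonce||ciphertext
}

// Challenge (S205) carries the attribute range and a fresh Nonce. The server
// address is put under the signature too, so an authorization given to one
// service cannot be relayed to another (an added binding, not in the patent).
type Challenge struct {
	Address string
	Scope   []string
	Nonce   []byte
}

// Authorization (S206) carries the keys for the requested scope and the signed Nonce.
type Authorization struct {
	UserID    string
	Keys      map[string][]byte
	Signature []byte
}

// App is the second user terminal; the private key never leaves it.
type App struct {
	UserID  string
	priv    ed25519.PrivateKey
	attrKey map[string][]byte // one symmetric key per attribute
}

// Server is the service provider; TTL is the "preset time" of claim 4.
type Server struct {
	Address string
	TTL     time.Duration
	pending map[string]Challenge         // user ID -> outstanding challenge
	granted map[string]map[string]string // user ID -> attributes of a verified login
	until   map[string]time.Time         // user ID -> expiry of that grant
}

var chain = map[string]Document{} // stand-in for the public identity chain

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func signedMessage(c Challenge) []byte {
	return []byte(fmt.Sprintf("%s|%v|%x", c.Address, c.Scope, c.Nonce))
}

// NewApp generates the user's key pair, encrypts each attribute under its own
// key and publishes the resulting document to the chain.
func NewApp(userID string, attrs map[string]string) *App {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := &App{UserID: userID, priv: priv, attrKey: map[string][]byte{}}
	doc := Document{PublicKey: pub, Encrypted: map[string][]byte{}}
	for name, value := range attrs {
		key, iv := make([]byte, 32), make([]byte, 12)
		rand.Read(key)
		rand.Read(iv)
		g, _ := gcm(key)
		a.attrKey[name] = key
		doc.Encrypted[name] = g.Seal(iv, iv, []byte(value), nil)
	}
	chain[userID] = doc
	return a
}

// Authorize is the consent prompt of S205/S206: declining releases nothing;
// agreeing releases only the keys for the requested scope plus the signed Nonce.
func (a *App) Authorize(c Challenge, consent bool) (Authorization, error) {
	if !consent {
		return Authorization{}, errors.New("user declined the attribute request")
	}
	auth := Authorization{UserID: a.UserID, Keys: map[string][]byte{}}
	for _, name := range c.Scope {
		auth.Keys[name] = a.attrKey[name]
	}
	auth.Signature = ed25519.Sign(a.priv, signedMessage(c))
	return auth, nil
}

func NewServer(addr string, ttl time.Duration) *Server {
	return &Server{Address: addr, TTL: ttl, pending: map[string]Challenge{},
		granted: map[string]map[string]string{}, until: map[string]time.Time{}}
}

// ReceiveUserID is S202-S205: the app has scanned the code (which carries only
// the address) and sent the user ID. Within the preset time a verified login is
// reused as-is; otherwise the document is looked up and a Nonce is issued.
func (s *Server) ReceiveUserID(userID string, scope []string) (map[string]string, *Challenge, error) {
	if _, ok := chain[userID]; !ok {
		return nil, nil, errors.New("no identity document for user ID")
	}
	if attrs, ok := s.granted[userID]; ok && time.Now().Before(s.until[userID]) {
		return attrs, nil, nil
	}
	c := Challenge{Address: s.Address, Scope: scope, Nonce: make([]byte, 32)}
	rand.Read(c.Nonce)
	s.pending[userID] = c
	return nil, &c, nil
}

// Complete is S206 and the verification step: check the signed Nonce against
// the on-chain public key, consume the Nonce, decrypt only the attributes in scope.
func (s *Server) Complete(auth Authorization) (map[string]string, error) {
	c, ok := s.pending[auth.UserID]
	if !ok {
		return nil, errors.New("no outstanding challenge for user ID")
	}
	delete(s.pending, auth.UserID) // each Nonce is accepted at most once
	doc := chain[auth.UserID]
	if !ed25519.Verify(doc.PublicKey, signedMessage(c), auth.Signature) {
		return nil, errors.New("signature on Nonce does not verify")
	}
	attrs := map[string]string{}
	for _, name := range c.Scope {
		g, err := gcm(auth.Keys[name])
		ct := doc.Encrypted[name]
		if err != nil || len(ct) < g.NonceSize() {
			return nil, fmt.Errorf("attribute %q: bad key or not on chain", name)
		}
		pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
		if err != nil {
			return nil, fmt.Errorf("attribute %q: %w", name, err)
		}
		attrs[name] = string(pt)
	}
	s.granted[auth.UserID], s.until[auth.UserID] = attrs, time.Now().Add(s.TTL)
	return attrs, nil
}

func main() {
	app := NewApp("user-0001", map[string]string{"name": "Alice", "email": "alice@example.com"})
	s := NewServer("https://sp.example", time.Minute)
	_, c, _ := s.ReceiveUserID(app.UserID, []string{"name"})
	auth, _ := app.Authorize(*c, true)
	fmt.Println(s.Complete(auth))
}
```

Two points the flow above leaves implicit are made explicit here: `Complete` deletes the pending challenge before verifying, so a captured authorization cannot be presented a second time, and `Authorize` copies out only the keys named in the scope, so the server learns nothing about attributes it did not ask for. Note also that, as the patent describes it, the reuse within the preset time is triggered by the user ID alone: in `ReceiveUserID` whoever can submit that user ID to the server during the window is answered with the stored attributes, so a deployment has to authenticate the app-to-server channel for that step or require a fresh signed Nonce.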
Corresponding to the above blockchain-based single sign-on method, and referring to fig. 3, an embodiment of the present invention further provides a server, comprising: a feedback unit 301, a first receiving unit 302, an obtaining unit 303, a sending unit 304, a second receiving unit 305 and a processing unit 306.
The feedback unit 301 is configured to return an information file containing the address of the server to the first user terminal after a login request from the first user terminal is received.
In a specific implementation, the feedback unit 301 generates, after the login request from the first user terminal is received, a two-dimensional code containing the address of the server and sends it to the first user terminal, which displays it.
The first receiving unit 302 is configured to receive the user ID sent by the second user terminal; the second user terminal sends the user ID to the server address it obtained by identifying the information file, and the user ID is stored in the second user terminal in advance.
The obtaining unit 303 is configured to obtain, from the blockchain, the public key corresponding to the user ID and the encrypted identity attribute, the encrypted identity attribute having been produced by encrypting the identity attribute with a preset key.
In a specific implementation, the obtaining unit 303 obtains the identity information document corresponding to the user ID from the blockchain, parses it, and extracts the public key and the encrypted identity attribute it contains.
The sending unit 304 is configured to send the identity attribute range and the random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal signs the random number with its own private key.
The second receiving unit 305 is configured to receive the key corresponding to the encrypted identity attribute and the signed random number returned by the second user terminal.
The processing unit 306 is configured to decrypt the encrypted identity attribute using the public key, the key and the signed random number to obtain the identity attribute, and to respond to the login request on the basis of that identity attribute.
In a specific implementation, the processing unit 306 verifies the signed random number with the public key; only if the verification passes does it decrypt the encrypted identity attribute with the key to obtain the identity attribute and respond to the login request with it.
Preferably, if within the preset time the feedback unit 301 receives a new login request from the first user terminal or from another user terminal and the first receiving unit 302 receives the user ID from the second user terminal, the processing unit 306 is further configured to respond to the new login request on the basis of the identity attribute already obtained.
Corresponding to the above blockchain-based single sign-on method, and referring to fig. 4, an embodiment of the present invention further provides a blockchain-based single sign-on system comprising a first user terminal 401, a second user terminal 402 and a server 403.
The operation of the first user terminal 401, the second user terminal 402 and the server 403 is as described with reference to figs. 1 to 3 above and is not repeated here.
In summary, embodiments of the present invention provide a blockchain-based single sign-on method, server and system in which, after receiving a login request from the first user terminal, the server returns to the first user terminal an information file containing the address of the server; receives the user ID sent by the second user terminal and obtains from the blockchain the public key corresponding to that user ID together with the encrypted identity attribute; sends the identity attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal and receives back the key corresponding to the encrypted identity attribute and the signed random number; and decrypts the encrypted identity attribute using the public key, the key and the signed random number to obtain the identity attribute, responding to the login request accordingly. No identity provider is needed: the user manages his or her own identity information, which improves its security; the server only needs to maintain an interface to the blockchain rather than to several identity providers, which lowers maintenance cost; and because the blockchain provides a public service to different servers, cross-system single sign-on is achieved.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts may be referred to across embodiments. In particular, the server and system embodiments are substantially similar to the method embodiments and are therefore described more briefly; the description of the method embodiments applies to them. The server and system embodiments described above are merely illustrative: units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over several network nodes. Some or all of the modules may be selected according to actual need to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A blockchain-based single sign-on method, applied at a server, the method comprising:
after receiving a login request sent by a first user terminal, the server returning to the first user terminal an information file comprising an address of the server;
the server receiving a user ID sent by a second user terminal, wherein the second user terminal sends the user ID to the server based on the address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
the server obtaining, from a blockchain, a public key corresponding to the user ID and an encrypted identity attribute, wherein the encrypted identity attribute is obtained by encrypting the identity attribute with a preset key;
the server sending an identity attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal displays the identity attribute range to a user and prompts the user, by way of an inquiry box, whether the user agrees to send the identity attribute corresponding to the identity attribute range to the server, wherein, if the user agrees through the second user terminal, the second user terminal confirms the identity attribute range, agrees to authorize the server to view the corresponding identity information, and signs the random number with a private key corresponding to the second user terminal;
the server receiving the key corresponding to the encrypted identity attribute and the signed random number returned by the second user terminal;
the server verifying the signed random number with the public key;
if the signed random number passes verification, the server decrypting the encrypted identity attribute with the key to obtain the identity attribute; and
the server responding to the login request using the identity attribute.
2. The method of claim 1, wherein the server obtaining the public key corresponding to the user ID and the encrypted identity attribute from the blockchain comprises:
the server obtaining an identity information document corresponding to the user ID from the blockchain; and
the server parsing the identity information document to obtain the public key and the encrypted identity attribute contained in it.
3. The method of claim 1, wherein, after receiving the login request sent by the first user terminal, the server returning the information file comprising the address of the server to the first user terminal comprises:
the server generating, after receiving the login request sent by the first user terminal, a two-dimensional code comprising the address of the server; and
the server sending the two-dimensional code to the first user terminal, which displays it.
4. The method of claim 1, further comprising, after the server responds to the login request using the identity attribute:
within a preset time, if the server receives a new login request sent by the first user terminal or by another user terminal and receives the user ID sent by the second user terminal, responding to the new login request on the basis of the identity attribute.
5. A server, comprising:
a feedback unit, configured to return an information file comprising an address of the server to a first user terminal after receiving a login request sent by the first user terminal;
a first receiving unit, configured to receive a user ID sent by a second user terminal, wherein the second user terminal sends the user ID to the server based on the address of the server obtained by identifying the information file, and the user ID is stored in the second user terminal in advance;
an obtaining unit, configured to obtain, from a blockchain, a public key corresponding to the user ID and an encrypted identity attribute, wherein the encrypted identity attribute is obtained by encrypting the identity attribute with a preset key;
a sending unit, configured to send an identity attribute range and a random number corresponding to the encrypted identity attribute to the second user terminal, so that the second user terminal displays the identity attribute range to a user and prompts the user, by way of an inquiry box, whether the user agrees to send the identity attribute corresponding to the identity attribute range to the server, wherein, if the user agrees through the second user terminal, the second user terminal confirms the identity attribute range, agrees to authorize the server to view the corresponding identity information, and signs the random number with a private key corresponding to the second user terminal;
a second receiving unit, configured to receive the key corresponding to the encrypted identity attribute and the signed random number returned by the second user terminal; and
a processing unit, configured to verify the signed random number with the public key, to decrypt, if the signed random number passes verification, the encrypted identity attribute with the key to obtain the identity attribute, and to respond to the login request using the identity attribute.
6. The server of claim 5, wherein the obtaining unit is specifically configured to obtain an identity information document corresponding to the user ID from the blockchain, parse the identity information document, and obtain the public key and the encrypted identity attribute contained in it.
7. The server of claim 5, wherein the feedback unit is specifically configured to generate, after receiving the login request sent by the first user terminal, a two-dimensional code comprising the address of the server, and to send the two-dimensional code to the first user terminal, which displays it.
8. A blockchain-based single sign-on system, comprising: a first user terminal, a second user terminal, and a server according to any one of claims 5 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010455979.7A 2020-05-26 2020-05-26 Single sign-on method, server and system based on block chain

Publications (2)

Publication Number Publication Date
CN111600900A 2020-08-28
CN111600900B 2022-09-02

Family ID: 72188789

Country Status (1)

Country Link
CN (1) CN111600900B

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104665B * 2020-11-02 2021-02-12 腾讯科技(深圳)有限公司 Blockchain-based identity authentication method and device, computer and storage medium
DE102021103995A1 2021-02-19 2022-08-25 Bundesdruckerei Gmbh Reading identity attributes with a remote security element
CN114726544B * 2022-04-18 2024-02-09 北京数字认证股份有限公司 Method and system for acquiring a digital certificate

Citations (2)

Publication number Priority date Publication date Assignee Title
CN107196966A * 2017-07-05 2017-09-22 北京信任度科技有限公司 Blockchain-based multi-party trust identity authentication method and system
CN109617692A * 2018-12-13 2019-04-12 郑州师范学院 Anonymous login method and system based on blockchain

Family Cites Families (10)

Publication number Priority date Publication date Assignee Title
CN103139182B * 2011-12-01 2016-04-06 北大方正集团有限公司 Method, client, server and system for permitting user access
US10637665B1 * 2016-07-29 2020-04-28 Workday, Inc. Blockchain-based digital identity management (DIM) system
CN106357640B * 2016-09-18 2019-11-08 江苏通付盾科技有限公司 Identity authentication method, system and server based on a blockchain network
CN108173850B * 2017-12-28 2021-03-19 杭州趣链科技有限公司 Identity authentication system and method based on blockchain smart contracts
CN108234515B * 2018-01-25 2020-07-24 中国科学院合肥物质科学研究院 Self-authenticating digital identity management system and method based on smart contracts
CN108632284B * 2018-05-10 2021-02-23 网易(杭州)网络有限公司 Blockchain-based user data authorization method, medium, device and computing equipment
CN109325342B * 2018-09-10 2024-03-05 平安科技(深圳)有限公司 Identity information management method, device, computer equipment and storage medium
CN109889479B * 2018-12-21 2022-07-26 中积教育科技有限公司 Blockchain-based user identity verification method and device and checking system
CN109936569B * 2019-02-21 2021-05-28 领信智链(北京)科技有限公司 Decentralized digital identity login management system based on the Ethereum blockchain
CN111143474B * 2019-12-31 2022-07-19 浙江工业大学 One-key mobile phone number rebinding method based on blockchain technology


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240131
Address after: 571924, Building 8831, Walker Park, Hainan Ecological Software Park, Old City High tech Industrial Demonstration Zone, Hainan Province
Patentee after: Yunhai Chain Holdings Co.,Ltd.
Patentee after: Oxford (Hainan) blockchain Research Institute Co.,Ltd.
Country or region after: China
Address before: 571924 building 8848, Walker Park, Hainan Ecological Software Park, Laocheng high tech industry demonstration zone, Hainan Province
Patentee before: Oxford (Hainan) blockchain Research Institute Co.,Ltd.
Country or region before: China