CN111970299A - Block chain-based distributed Internet of things equipment identity authentication device and method - Google Patents


Info

Publication number: CN111970299A
Application number: CN202010876191.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 唐毅
Current assignee: Shanghai Heshu Software Co ltd
Original assignee: Shanghai Heshu Software Co ltd
Prior art keywords: node, equipment, certificate, information, verification

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/3236 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
    • H04L9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees


Abstract

The invention discloses a distributed Internet of things equipment identity authentication device and method based on a block chain. The method comprises the following steps: the Internet of things equipment obtains equipment information and generates access request information according to the equipment information; the block chain edge node carries out credibility verification on the access request information and, when the credibility verification passes, obtains a node certificate, node certificate information and a node signature and generates node verification information; the Internet of things equipment carries out node verification according to the node verification information and, when the node verification passes, obtains an equipment certificate, equipment certificate information and an equipment signature and generates equipment verification information; and the block chain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful. When the Internet of things equipment is accessed, multiple rounds of verification are carried out between the Internet of things equipment and the block chain nodes, which improves the safety of Internet of things equipment access.

Description

Block chain-based distributed Internet of things equipment identity authentication device and method
Technical Field
The invention relates to the technical field of Internet of things, in particular to a distributed Internet of things equipment identity authentication device and method based on a block chain.
Background
In recent years, the popularization and rapid development of the technology of the internet of things enable the application of the internet of things to be visible everywhere in daily life and play an important role in various fields. However, the limitations of the internet of things devices, the complex network environment and the current access control system based on the centralized and hierarchical structure bring new challenges to the field of internet of things. Firstly, due to the problems of wide equipment distribution, complex application environment, limited computing capacity and the like, huge data infrastructure construction and cost investment are brought to a centralized network mode. Secondly, the existing centralized platforms of the internet of things are incompatible with each other, so that cooperative work and information sharing among the devices of the internet of things on different platforms are difficult to realize. In addition, the centralized platform has poor capability of resisting malicious attacks, private data is easy to leak, and the security is weak.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a distributed Internet of things equipment identity authentication device and method based on a block chain, and aims to solve the technical problem of poor safety in the Internet of things equipment identity authentication process.
In order to achieve the above object, the present invention provides a block chain-based distributed internet of things device identity authentication method, which includes:
the Internet of things equipment obtains equipment information, generates access request information according to the equipment information, and sends the access request information to a block chain edge node;
the block chain edge node carries out credibility verification on the access request information, acquires a node certificate, node certificate information and a node signature when the credibility verification passes, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment;
the Internet of things equipment carries out node verification according to the node verification information, acquires an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node;
and the block chain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful.
Preferably, the performing, by the blockchain edge node, device verification according to the device verification information, and after determining that the device identity authentication is successful when the device verification passes, the method further includes:
the block chain edge node generates an authentication success instruction and sends the authentication success instruction to the Internet of things equipment;
and the Internet of things equipment accesses the block chain edge network where the block chain edge node is located based on the authentication success instruction.
Preferably, the block chain edge node performs trust verification on the access request information, acquires a node certificate, node certificate information, and a node signature when the trust verification passes, generates node verification information according to the node certificate, the node certificate information, and the node signature, and sends the node verification information to the internet of things device, and specifically includes:
the blockchain edge node extracts equipment information from the access request information, determines equipment identification and historical access point information according to the equipment information, and determines the historical blockchain edge node and the historical access time of the last access of the internet of things equipment according to the historical access point information;
the block chain edge node sends the equipment identifier and the historical access time to the historical block chain edge node, so that the historical block chain edge node feeds back access verification information based on the equipment identifier and the historical access time;
the block chain edge node carries out credibility verification on the access request information according to the access verification information;
when the reliability verification passes, the block chain edge node acquires a node certificate, node certificate information and a node signature, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment.
Preferably, the internet of things device performs node verification according to the node verification information, acquires a device certificate, device certificate information, and a device signature when the node verification passes, generates device verification information according to the device certificate, the device certificate information, and the device signature, and sends the device verification information to the blockchain edge node, and specifically includes:
the Internet of things equipment extracts the node certificate, the node certificate information and the node signature from the node verification information;
the Internet of things equipment extracts a node public key from the node certificate, carries out node certificate verification according to the node public key and the node certificate information, and carries out node signature verification on the node signature when the node certificate verification passes;
when the node signature verification passes, the Internet of things equipment acquires an equipment certificate, equipment certificate information and an equipment signature, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node.
Preferably, the internet of things device extracts a node public key from the node certificate, performs node certificate verification according to the node public key and the node certificate information, and performs node signature verification on the node signature when the node certificate verification passes, specifically including:
the Internet of things equipment extracts a node public key from the node certificate, determines a node public key hash value according to the node public key, and determines a first MPT root value according to the node public key hash value and the node certificate information;
the Internet of things equipment acquires a first block to be compared from a block chain edge network where the block chain edge node is located, and determines a first MPT root value to be compared corresponding to the first block to be compared;
and the Internet of things equipment compares the first MPT root value with the first MPT root value to be compared, and performs node signature verification on the node signature when the first MPT root value is the same as the first MPT root value to be compared.
Preferably, the block chain edge node performs device verification according to the device verification information, and when the device verification passes, it determines that the identity authentication is successful, specifically including:
the blockchain edge node extracts the device certificate, the device certificate information, and the device signature from the device authentication information;
the block chain edge node extracts an equipment public key from the equipment certificate, carries out equipment certificate verification according to the equipment public key and the equipment certificate information, and carries out equipment signature verification on the equipment signature when the equipment certificate verification passes;
and when the equipment signature verification passes, the block chain edge node judges that the identity authentication is successful.
Preferably, the block chain edge node extracts an equipment public key from the equipment certificate, performs equipment certificate verification according to the equipment public key and the equipment certificate information, and performs equipment signature verification on the equipment signature when the equipment certificate verification passes, specifically including:
the block chain edge node extracts an equipment public key from the equipment certificate, determines an equipment public key hash value according to the equipment public key, and determines a second MPT root value according to the equipment public key hash value and the equipment certificate information;
the block chain edge node acquires a second block to be compared from a block chain edge network, and determines a second MPT root value to be compared corresponding to the second block to be compared;
and the block chain edge node compares the second MPT root value with the second MPT root value to be compared, and performs device signature verification on the device signature when the second MPT root value is the same as the second MPT root value to be compared.
Preferably, before the internet of things device acquires device information, generates access request information according to the device information, and sends the access request information to the block chain edge node, the method further includes:
a block chain edge node generates a node registration request and sends the node registration request to law enforcement equipment;
the law enforcement equipment generates a node certificate issuing instruction based on the node registration request and sends the node certificate issuing instruction to certificate authorization equipment;
the certificate authorization equipment generates a node certificate according to the node certificate issuing instruction and adds the node certificate to a public database;
and the law enforcement equipment acquires the node certificate and the node certificate information corresponding to the node certificate from the public database and sends the node certificate and the node certificate information to the block chain edge node.
Preferably, before the internet of things device acquires device information, generates access request information according to the device information, and sends the access request information to the block chain edge node, the method further includes:
the Internet of things equipment generates an equipment registration request and sends the equipment registration request to law enforcement equipment;
the law enforcement device generates a device certificate issuing instruction based on the device registration request and sends the device certificate issuing instruction to a certificate authorization device;
the certificate authorization equipment generates an equipment certificate according to the equipment certificate issuing instruction and adds the equipment certificate to a public database;
the law enforcement equipment acquires the equipment certificate and equipment certificate information corresponding to the equipment certificate from the public database and sends the equipment certificate and the equipment certificate information to the equipment of the Internet of things.
In addition, in order to achieve the above object, the present invention further provides a device for authenticating an identity of a distributed internet of things device based on a blockchain, where the device includes Internet of things equipment and a block chain edge node;
the Internet of things equipment is used for acquiring equipment information, generating access request information according to the equipment information and sending the access request information to the edge node of the block chain;
the block chain edge node is used for verifying the credibility of the access request information, acquiring a node certificate, node certificate information and a node signature when the credibility verification passes, generating node verification information according to the node certificate, the node certificate information and the node signature, and sending the node verification information to the Internet of things equipment;
the Internet of things equipment is used for carrying out node verification according to the node verification information, acquiring an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generating equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sending the equipment verification information to the block chain edge node;
and the block chain edge node is used for carrying out equipment verification according to the equipment verification information and judging that the equipment identity authentication is successful when the equipment verification passes.
In the identity authentication method of the distributed Internet of things equipment based on the block chain, the Internet of things equipment obtains equipment information, generates access request information according to the equipment information, and sends the access request information to a block chain edge node; the block chain edge node carries out credibility verification on the access request information, acquires a node certificate, node certificate information and a node signature when the credibility verification passes, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment; the Internet of things equipment carries out node verification according to the node verification information, acquires an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node; and the block chain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful. When the Internet of things equipment is accessed, multiple rounds of verification are carried out between the Internet of things equipment and the block chain nodes, which improves the safety of Internet of things equipment access.
Drawings
Fig. 1 is a schematic flowchart of a distributed internet of things device identity authentication method based on a block chain according to a first embodiment of the present invention;
fig. 2 is a schematic flowchart of a distributed internet of things device identity authentication method based on a block chain according to a second embodiment of the present invention;
fig. 3 is a schematic flowchart of a third embodiment of the identity authentication method for a distributed internet of things device based on a block chain according to the present invention;
fig. 4 is a schematic flowchart of a fourth embodiment of the identity authentication method for a distributed internet of things device based on a block chain according to the present invention;
fig. 5 is a functional module diagram of a distributed internet of things device identity authentication apparatus based on a block chain according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, the invention provides a distributed internet of things equipment identity authentication method based on a block chain, which includes:
step S10, the Internet of things equipment acquires equipment information, generates access request information according to the equipment information, and sends the access request information to the block chain edge node.
It should be noted that the distributed internet of things device identity authentication based on the blockchain in this embodiment is adapted to a distributed internet of things device identity authentication architecture based on the blockchain. In that architecture, information such as digital identities is stored in a novel block data structure, a distributed internet of things device identity authentication mechanism is provided according to relevant knowledge of cryptography, and a detailed flow of device certificate issuance and identity authentication is designed. A security analysis of the authentication mechanism is carried out from the aspects of right constraints among all entities, equipment privacy protection, attack resisting capability and the like, and its performance is compared in 3 aspects: security attributes, calculation cost and storage cost. The result shows that the identity authentication mechanism can resist various malicious attacks, can realize highly secure distributed Internet of things identity authentication, and has certain advantages in performance.
It should be understood that, the internet of things device acquires the device information, and the device information may include the device identifier and the historical access point information, and may also include other information, which is not limited in this embodiment. And generating access request information according to the equipment information, and sending the access request information to the block chain edge node.
It should be understood that for a blockchain edge network, there are multiple blockchain edge nodes in the blockchain edge network.
Step S20, the block chain edge node verifies the credibility of the access request information, when the credibility passes, a node certificate, node certificate information and a node signature are obtained, node verification information is generated according to the node certificate, the node certificate information and the node signature, and the node verification information is sent to the Internet of things equipment.
It should be understood that the blockchain edge node extracts the device information from the access request information, and determines the device identifier and the historical access point information according to the device information, and then may determine the historical blockchain edge node and the historical access time of the last access of the internet of things device according to the historical access point information. The historical access time refers to the time when the Internet of things equipment accesses the historical block chain edge node last time.
It should be appreciated that the blockchain edge node sends the device identification and the historical access time to the historical blockchain edge node to check whether the internet of things device has previously accessed it. If the historical block chain edge node has an access record of the Internet of things equipment at the historical access time, the reliability of the access request information is high.
It can be understood that after the credibility verification passes, the blockchain edge node acquires the node certificate, the node certificate information and the node signature, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the internet of things device. The node certificate, the node certificate information, and the node signature may be obtained from a local database of the blockchain edge node, or may be obtained in other obtaining manners, which is not limited in this embodiment.
Step S30, the Internet of things equipment carries out node verification according to the node verification information, when the node verification passes, the Internet of things equipment obtains an equipment certificate, equipment certificate information and an equipment signature, equipment verification information is generated according to the equipment certificate, the equipment certificate information and the equipment signature, and the equipment verification information is sent to the block chain edge node.
It should be understood that the node verification is performed on the blockchain edge node by the internet of things device, and the node verification is divided into node certificate verification and node signature verification.
It can be understood that, when the node verification passes, device verification information is generated according to the device certificate, the device certificate information and the device signature, and is sent to the blockchain edge node. The device certificate, the device certificate information, and the device signature may be obtained from a local database of the internet of things device, or may be obtained in other obtaining manners, which is not limited in this embodiment.
Step S40, the block chain edge node carries out equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful.
It should be understood that the device verification of the internet of things device is performed by the blockchain edge node, and the device verification is divided into device certificate verification and device signature verification.
It can be understood that when the device passes the verification, the device identity authentication is determined to be successful, and the internet of things device may be allowed to access the blockchain edge network.
In this embodiment, the Internet of things equipment acquires equipment information, generates access request information according to the equipment information, and sends the access request information to a block chain edge node; the block chain edge node carries out credibility verification on the access request information, acquires a node certificate, node certificate information and a node signature when the credibility verification passes, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment; the Internet of things equipment carries out node verification according to the node verification information, acquires an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node; and the block chain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful. When the Internet of things equipment is accessed, multiple rounds of verification are carried out between the Internet of things equipment and the block chain nodes, which improves the safety of Internet of things equipment access.
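The node verification of step S30 and the device verification of step S40 (the "first MPT root value" and "second MPT root value" clauses above), as an added worked example in Go that is not part of the patent: each verifier hashes the peer's public key, rebuilds a root from that hash and the certificate information, compares it with the root taken from the block, and only then checks the peer's signature. Assumptions: a binary Merkle path carried in the certificate information stands in for the MPT, Ed25519 signatures over fresh nonces stand in for the unspecified node and device signatures, and the credibility verification of step S20 is omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Certificate is one public-database entry: the public key plus "certificate information",
// which here (assumption) is a binary Merkle path standing in for the patent's MPT.
type Certificate struct {
	PubKey ed25519.PublicKey
	Index  int      // leaf position in the tree
	Path   [][]byte // sibling hashes from leaf to root
}

func hashPair(a, b []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, a...), b...))
	return h[:]
}

// rootFromCert derives the "MPT root value" from the public key hash and the certificate
// information (S301 / S401) without consulting the block.
func rootFromCert(c Certificate) []byte {
	pk := sha256.Sum256(c.PubKey)
	cur, idx := pk[:], c.Index
	for _, sib := range c.Path {
		if idx%2 == 1 { // right child: sibling goes on the left
			cur, sib = sib, cur
		}
		cur, idx = hashPair(cur, sib), idx/2
	}
	return cur
}

// issueCerts plays the certificate authorization device: root written to the block plus one certificate per key.
func issueCerts(pubs []ed25519.PublicKey) ([]byte, []Certificate) {
	certs := make([]Certificate, len(pubs))
	level := make([][]byte, len(pubs))
	for i, pub := range pubs {
		pk := sha256.Sum256(pub)
		certs[i], level[i] = Certificate{PubKey: pub, Index: i}, pk[:]
	}
	for len(level)&(len(level)-1) != 0 { // pad to a power of two
		level = append(level, level[len(level)-1])
	}
	for depth := 0; len(level) > 1; depth++ {
		for j := range certs {
			certs[j].Path = append(certs[j].Path, level[(j>>depth)^1])
		}
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = hashPair(level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], certs
}

// verifyPeer is run by both sides: certificate check against the block root, then the signature (S30 / S40).
func verifyPeer(root []byte, c Certificate, challenge, sig []byte) error {
	if len(c.PubKey) != ed25519.PublicKeySize || !bytes.Equal(rootFromCert(c), root) {
		return errors.New("certificate verification failed: key not under the block root")
	}
	if !ed25519.Verify(c.PubKey, challenge, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// authenticate runs S10 to S40; the device verifies the node before presenting its own certificate.
func authenticate(root []byte, devKey ed25519.PrivateKey, dev Certificate, nodeKey ed25519.PrivateKey, node Certificate) error {
	devNonce, nodeNonce := make([]byte, 32), make([]byte, 32) // fresh challenges (assumption)
	rand.Read(devNonce)
	rand.Read(nodeNonce)
	nodeSig := ed25519.Sign(nodeKey, devNonce) // S20: node signature over the access-request nonce
	if err := verifyPeer(root, node, devNonce, nodeSig); err != nil {
		return fmt.Errorf("node verification: %w", err) // S30 fails: device sends nothing further
	}
	devSig := ed25519.Sign(devKey, nodeNonce) // S30: device signature over the node's nonce
	if err := verifyPeer(root, dev, nodeNonce, devSig); err != nil {
		return fmt.Errorf("device verification: %w", err) // S40 fails
	}
	return nil // equipment identity authentication successful
}

// demo: constructed device and edge node, honest handshake, then a node presenting the real certificate information with its own key.
func demo() (honest, rogue error) {
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	nodePub, nodeKey, _ := ed25519.GenerateKey(rand.Reader)
	root, certs := issueCerts([]ed25519.PublicKey{devPub, nodePub})
	honest = authenticate(root, devKey, certs[0], nodeKey, certs[1])
	roguePub, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	rogue = authenticate(root, devKey, certs[0], rogueKey, Certificate{roguePub, 1, certs[1].Path})
	return honest, rogue
}
func main() { fmt.Println(demo()) }
```

The rogue node fails at the certificate step, so the device never reaches signature verification and never sends its own certificate, which is the ordering the claims require.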
Further, as shown in fig. 2, a second embodiment of the block chain-based distributed internet of things device identity authentication method according to the present invention is proposed based on the first embodiment, and in this embodiment, after step S40, the method further includes:
Step S501, the blockchain edge node generates an authentication success instruction and sends the authentication success instruction to the internet of things device.
It should be understood that after the multiple verification steps described above, the blockchain edge node determines that the device identity authentication is successful, which indicates that the internet of things device is trustworthy and may be admitted; the blockchain edge node therefore generates an authentication success instruction and sends it to the internet of things device.
Step S502, the internet of things device accesses the blockchain edge network where the blockchain edge node is located based on the authentication success instruction.
It should be understood that, after receiving the authentication success instruction sent by the blockchain edge node, the internet of things device may access the blockchain edge network where the blockchain edge node is located based on the authentication success instruction.
In this embodiment, an authentication success instruction is generated by the blockchain edge node and sent to the internet of things device, and the internet of things device accesses the blockchain edge network where the blockchain edge node is located based on the authentication success instruction. Because the blockchain edge node only generates the authentication success instruction after the verification has succeeded, and the internet of things device only accesses the blockchain edge network on the basis of that instruction, the security of device access is improved.
Further, the step S20 includes:
Step S201, the blockchain edge node extracts device information from the access request information, determines a device identifier and historical access point information according to the device information, and determines, according to the historical access point information, the historical blockchain edge node that the internet of things device accessed last time and the historical access time of that access.
It should be understood that the internet of things device is located within the coverage range of the blockchain edge node and sends access request information to the blockchain edge node, where the access request information may include information such as the geographic location of the internet of things device, the sending time of the message, the device identifier of the internet of things device, and historical access point information, and may also include other information, which is not limited in this embodiment.
It can be understood that the blockchain edge node extracts the device information from the access request information, determines the device identifier and the historical access point information according to the device information, and then determines the historical blockchain edge node and the historical access time of the last access of the internet of things device according to the historical access point information. The historical access time is the time at which the internet of things device last accessed the historical blockchain edge node.
Step S202, the blockchain edge node sends the device identifier and the historical access time to the historical blockchain edge node, so that the historical blockchain edge node feeds back access verification information based on the device identifier and the historical access time.
It should be appreciated that the blockchain edge node sends the device identifier and the historical access time to the historical blockchain edge node in order to confirm whether the internet of things device did in fact access that node. If the historical blockchain edge node holds an access record for the internet of things device at the historical access time, the credibility of the access request information is high.
It can be understood that the historical blockchain edge node verifies the device identifier and the historical access time and generates access verification information accordingly. For example, when an access record of the internet of things device at the historical access time is found, the access verification information indicates verification success; when no access record of the internet of things device at the historical access time can be found, the access verification information indicates verification failure.
It should be noted that the device identifier may be any information that describes the identity of the device, such as a device name, a device ID or a device identification code, and may also be other information, which is not limited in this embodiment.
Step S203, the blockchain edge node performs credibility verification on the access request information according to the access verification information.
It should be understood that the blockchain edge node performs credibility verification on the access request information according to the access verification information: when the access verification information indicates verification success, the credibility verification passes; when the access verification information indicates verification failure, the credibility verification does not pass.
Step S204, when the credibility verification passes, the blockchain edge node obtains a node certificate, node certificate information and a node signature, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the internet of things device.
It can be understood that when the credibility verification passes, node verification information is generated according to the node certificate, the node certificate information and the node signature and sent to the internet of things device, and the internet of things device then performs the next verification.
In this embodiment, the blockchain edge node extracts device information from the access request information, determines a device identifier and historical access point information according to the device information, and determines the historical blockchain edge node and historical access time of the last access of the internet of things device according to the historical access point information; the blockchain edge node sends the device identifier and the historical access time to the historical blockchain edge node, so that the historical blockchain edge node feeds back access verification information based on the device identifier and the historical access time; the blockchain edge node performs credibility verification on the access request information according to the access verification information; and when the credibility verification passes, the blockchain edge node acquires a node certificate, node certificate information and a node signature, generates node verification information according to them, and sends the node verification information to the internet of things device. Because the device identifier and the historical access time are extracted from the access request information, credibility verification is carried out on the basis of them, and the subsequent steps only continue when that verification passes, security is further improved.
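The exchange of steps S201 to S204 above, written out as an added Go example that is not part of the patent: two edge nodes each keep an access log, the receiving node forwards the device identifier and historical access time to the historical node, and the historical node answers with success or failure. The struct and field names, the in-memory `Network` map standing in for the blockchain edge network, and the rule that a request naming an unknown historical node is rejected are assumptions made here; the patent only specifies that a missing access record fails the credibility verification.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessRequest is the access request information the device sends to the edge
// node whose coverage it is in (step S201). Field names are assumptions.
type AccessRequest struct {
	DeviceID       string
	Location       string
	SentAt         int64  // message sending time, Unix seconds
	HistoricalNode string // edge node the device accessed last time
	HistoricalTime int64  // when that last access happened
}

// AccessQuery is what the edge node forwards to the historical node (step S202).
type AccessQuery struct {
	DeviceID string
	At       int64
}

// AccessVerification is the historical node's reply: verification success or failure.
type AccessVerification struct {
	DeviceID string
	Success  bool
}

// EdgeNode records which devices accessed it and when.
type EdgeNode struct {
	ID        string
	accessLog map[string]map[int64]bool // device ID -> set of access times
}

func NewEdgeNode(id string) *EdgeNode {
	return &EdgeNode{ID: id, accessLog: map[string]map[int64]bool{}}
}

// RecordAccess is called once a device has been admitted to this node's network,
// so that the node can later answer queries about it.
func (n *EdgeNode) RecordAccess(deviceID string, at int64) {
	if n.accessLog[deviceID] == nil {
		n.accessLog[deviceID] = map[int64]bool{}
	}
	n.accessLog[deviceID][at] = true
}

// AnswerQuery is the historical node's side of S202: success only when this
// exact device/time pair is in its records.
func (n *EdgeNode) AnswerQuery(q AccessQuery) AccessVerification {
	return AccessVerification{DeviceID: q.DeviceID, Success: n.accessLog[q.DeviceID][q.At]}
}

// Network resolves node identifiers to nodes; here an in-memory map stands in
// for the blockchain edge network (assumption).
type Network map[string]*EdgeNode

// CredibilityCheck is steps S201 to S203 as run by the receiving edge node. It
// returns nil when the credibility verification passes. Rejecting a request
// that names a historical node the network does not know is an assumption
// added here; the patent only states that a missing access record fails.
func (n *EdgeNode) CredibilityCheck(req AccessRequest, net Network) error {
	hist, ok := net[req.HistoricalNode]
	if !ok {
		return fmt.Errorf("historical node %q is unknown to the network", req.HistoricalNode)
	}
	reply := hist.AnswerQuery(AccessQuery{DeviceID: req.DeviceID, At: req.HistoricalTime})
	if reply.DeviceID != req.DeviceID || !reply.Success {
		return errors.New("no access record for this device at the claimed historical time")
	}
	return nil
}

// Scenario runs a constructed two-node network: the device really accessed
// edge-A at 1700000000 and then moves into edge-B's coverage. The second
// request claims a time that edge-A never recorded.
func Scenario() (genuine, mismatched error) {
	a, b := NewEdgeNode("edge-A"), NewEdgeNode("edge-B")
	net := Network{a.ID: a, b.ID: b}
	a.RecordAccess("iot-device-7", 1700000000)
	req := AccessRequest{DeviceID: "iot-device-7", Location: "hall-3", SentAt: 1700003600,
		HistoricalNode: "edge-A", HistoricalTime: 1700000000}
	genuine = b.CredibilityCheck(req, net)
	req.HistoricalTime = 1700001234
	mismatched = b.CredibilityCheck(req, net)
	return
}

func main() {
	g, m := Scenario()
	fmt.Println("genuine:", g)
	fmt.Println("mismatched:", m)
}
```

The check only establishes that the device has a consistent access history on the network; it says nothing yet about who holds the device's key, which is why the patent follows it with certificate and signature verification in both directions.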
Further, before the step S10, the method further includes:
The blockchain edge node generates a node registration request and sends the node registration request to the law enforcement device; the law enforcement device generates a node certificate issuing instruction based on the node registration request and sends the node certificate issuing instruction to the certificate authorization device; the certificate authorization device generates a node certificate according to the node certificate issuing instruction and adds the node certificate to a public database; and the law enforcement device acquires the node certificate and the node certificate information corresponding to the node certificate from the public database and sends the node certificate and the node certificate information to the blockchain edge node.
It should be noted that, in this embodiment, a law enforcement device and a certificate authorization device are present in addition to the internet of things devices and the blockchain edge nodes. The primary responsibilities of the law enforcement device are registering devices and generating identity parameters for them, authorizing the certificate authorization device to issue certificates, and returning the certificates to the devices. The law enforcement device collects the transactions transmitted by the certificate authorization device, generates a block from them, and transmits the block to all blockchain edge nodes for verification. The link between a device certificate and its real identity is encrypted with the key of the law enforcement device and stored in the blockchain, so that in the event of a dispute the law enforcement device is able to reveal the true identity.
The certificate authorization device is responsible for generating the certificates of the blockchain edge network nodes and the internet of things devices after receiving a certificate issuing instruction from the law enforcement device, generating a certificate issuing transaction, and returning the certificate issuing transaction to the law enforcement device. It also stores each certificate in a public database, which it maintains jointly with the law enforcement device.
It should be noted that the public database is maintained by both the certificate authorization device and the law enforcement device. The certificates are stored in a tree-structured MPT (Merkle Patricia tree); the value of the MPT root node is used as the certificate root and is finally stored in the block header together with the transaction root of the CMT (time-series Merkle tree). The node certificate information in this embodiment may include the storage information of the node certificate in the public database, and may also include other information, which is not limited in this embodiment.
It should be appreciated that, when issuing node certificates for blockchain edge nodes, the system is first initialized, the system parameters are set and broadcast throughout the network within the system. Key pairs for the law enforcement device and the certificate authorization device are generated and broadcast within the system so that other entities can send them encrypted messages. The blockchain edge nodes generate their own key pairs, the law enforcement device registers each blockchain edge node and instructs the certificate authorization device to issue a node certificate, and the law enforcement device then sends the node certificate to the blockchain edge node.
It will be appreciated that the law enforcement device sends a node certificate issuing instruction to the certificate authorization device, the certificate authorization device generates the node certificate and also adds it to the public database as a new leaf node of the MPT, and the certificate authorization device then sends the certificate issuing transaction result to the law enforcement device. The law enforcement device receives the certificate issuing transaction result, packages it into a new block, and broadcasts the new block to the blockchain edge network; the blockchain edge nodes select a bookkeeping node through a consensus algorithm, and that node appends the block to the chain.
It should be understood that the law enforcement device retrieves the node certificate issued by the certificate authorization device for the blockchain edge node, together with the node certificate information, from the public database and sends the node certificate and the node certificate information to the blockchain edge node. The node certificate information includes the query path of the node certificate in the MPT of the database, that is, all nodes on the path from the root node of the MPT to the leaf node where the node certificate is located.
It can be understood that the law enforcement device sends the node certificate and the node certificate information to the blockchain edge node, and the blockchain edge node may store the node certificate and the node certificate information in a local database, or may also store the node certificate and the node certificate information in other storage manners, such as cloud storage, which is not limited in this embodiment.
In this embodiment, a node registration request is generated by the blockchain edge node and sent to the law enforcement device; the law enforcement device generates a node certificate issuing instruction based on the node registration request and sends the node certificate issuing instruction to the certificate authorization device; the certificate authorization device generates a node certificate according to the node certificate issuing instruction and adds the node certificate to the public database; and the law enforcement device acquires the node certificate and the node certificate information corresponding to the node certificate from the public database and sends them to the blockchain edge node. In this way a certificate is issued to the blockchain edge node, and the security and effectiveness of certificate issuance are improved.
Further, before the step S10, the method further includes:
The internet of things device generates a device registration request and sends the device registration request to the law enforcement device; the law enforcement device generates a device certificate issuing instruction based on the device registration request and sends the device certificate issuing instruction to the certificate authorization device; the certificate authorization device generates a device certificate according to the device certificate issuing instruction and adds the device certificate to the public database; and the law enforcement device acquires the device certificate and the device certificate information corresponding to the device certificate from the public database and sends the device certificate and the device certificate information to the internet of things device.
It should be noted that, in this embodiment, a randomly generated bit string on the internet of things device is used as the private key, and the public key is obtained with an elliptic curve key generation algorithm. The device registration request is encrypted with the public key of the law enforcement device, signed with an elliptic curve digital signature algorithm, and sent to the law enforcement device. The internet of things device receives the device certificate returned by the law enforcement device, and also receives and verifies the credibility proof message transmitted by the node.
It should be noted that the blockchain edge network is responsible for storing all transactions in the system, jointly appending the packed blocks to the chain, and broadcasting the latest block information within the system. Each blockchain edge node registers its identity with the law enforcement device, receives its digital certificate, processes the device identity parameters transmitted by the law enforcement device, and generates a device signature; when an internet of things device in its region requests access, that device signature is used as part of the node credibility proof. The blockchain edge node receives the device access request information and verifies the device identity, and establishes a smart contract that assigns access rights to the admitted device.
This embodiment provides a digital certificate issuing scheme in which the identities of the internet of things device and of the blockchain edge node are verified by digital signature. The digital signature uses asymmetric cryptography: it is generated with the private key of the sender, and the receiver must hold the public key of the sender to verify it. The public key is protected by a digital certificate to ensure its secure transmission.
It should be understood that the internet of things device generates a key pair and sends a device registration request to the law enforcement device; the law enforcement device receives the device registration request, verifies whether the message source is reliable, then hashes the ID of the internet of things device and creates the identity LINK of the internet of things device.
It will be appreciated that the law enforcement device sends a device certificate issuing instruction to the certificate authorization device, the certificate authorization device generates the device certificate and also adds it to the public database as a new leaf node of the MPT, and the certificate authorization device then sends the certificate issuing transaction result to the law enforcement device. The law enforcement device receives the certificate issuing transaction result, packages it into a new block, and broadcasts the new block to the blockchain edge network; the blockchain edge nodes select a bookkeeping node through a consensus algorithm, and that node appends the block to the chain.
It should be understood that the certificate issuing transaction result includes the certificate command of the law enforcement device and the signature of the certificate authorization device, so the certificate issuing process is authenticated by two parties, the blockchain side and the internet of things side; if a certificate dispute occurs, the content of the certificate transaction can be queried for adjudication. The law enforcement device broadcasts the identity parameters of the internet of things device to the blockchain edge network, and the blockchain edge nodes receive and store these parameters for use in the identity authentication of the internet of things device.
It should be understood that the law enforcement device retrieves the device certificate issued by the certificate authorization device for the internet of things device, together with the device certificate information, from the public database and sends the device certificate and the device certificate information to the internet of things device. The device certificate information includes the query path of the device certificate in the MPT of the database, that is, all nodes on the path from the root node of the MPT to the leaf node where the device certificate is located.
It can be understood that the law enforcement device sends the device certificate and the device certificate information to the internet of things device, and the internet of things device may store the device certificate and the device certificate information in a local database, or may also store the device certificate and the device certificate information in other storage manners, such as cloud storage, and the like, which is not limited in this embodiment.
In this embodiment, a device registration request is generated by the internet of things device and sent to the law enforcement device; the law enforcement device generates a device certificate issuing instruction based on the device registration request and sends the device certificate issuing instruction to the certificate authorization device; the certificate authorization device generates a device certificate according to the device certificate issuing instruction and adds the device certificate to the public database; and the law enforcement device acquires the device certificate and the device certificate information corresponding to the device certificate from the public database and sends them to the internet of things device. In this way a certificate is issued to the internet of things device, and the security and effectiveness of certificate issuance are improved.
Further, as shown in fig. 3, a third embodiment of the blockchain-based distributed internet of things device identity authentication method of the present invention is proposed based on the first or second embodiment; this embodiment is described taking the first embodiment as its basis, and in it the step S30 includes:
Step S301, the internet of things device extracts the node certificate, the node certificate information, and the node signature from the node verification information.
It should be noted that the node verification information includes the node signature generated by the blockchain edge node, and that when the system is initialized the certificate authorization device issues a node certificate for the blockchain edge node together with the node certificate information corresponding to that certificate. At initialization, the certificate authorization device issues the node certificate for the blockchain edge node and stores it in the public database, and the law enforcement device then sends the node certificate to the blockchain edge node; the node certificate information comprises all node information on the path from the MPT root node to the leaf node where the node certificate is located.
Step S302, the internet of things device extracts a node public key from the node certificate, performs node certificate verification according to the node public key and the node certificate information, and performs node signature verification on the node signature when the node certificate verification passes.
Further, the step S302 includes:
The internet of things device extracts a node public key from the node certificate, determines a node public key hash value according to the node public key, and determines a first MPT root value according to the node public key hash value and the node certificate information; the internet of things device acquires a first block to be compared from the blockchain edge network where the blockchain edge node is located, and determines a first MPT root value to be compared corresponding to the first block to be compared; and the internet of things device compares the first MPT root value with the first MPT root value to be compared, and performs node signature verification on the node signature when the first MPT root value is the same as the first MPT root value to be compared.
It should be understood that the node verification of the blockchain edge node is performed by the internet of things device, and the node verification is divided into node certificate verification and node signature verification.
It can be understood that the internet of things device first takes the public key out of the node certificate, determines the hash value of the node public key, checks whether the key formed by the path in the node certificate information corresponds to that hash value, and then calculates the first MPT root value from the hashes of the path nodes. Every time a new certificate is issued the MPT root is updated, so the calculated first MPT root value must be compared with the MPT root included in the most recently issued block; if the two are consistent, the node certificate is valid. Finally, the node signature is verified using the bilinear map, which proves that the identity of the blockchain edge node is reliable.
It can be understood that the MPT root value contained in the most recently issued block may be obtained as follows: the first block to be compared is acquired from the blockchain edge network, where the first block to be compared is the most recently issued block, and the first MPT root value to be compared corresponding to the first block to be compared is determined.
It is understood that comparing the first MPT root value with the first MPT root value to be compared can determine whether the node certificate is valid.
Step S303, when the node signature verification passes, the internet of things device acquires a device certificate, device certificate information and a device signature, generates device verification information according to the device certificate, the device certificate information and the device signature, and sends the device verification information to the blockchain edge node.
It should be understood that, when both the node certificate verification and the node signature verification pass, device verification information is generated according to the device certificate, the device certificate information, and the device signature, and is sent to the blockchain edge node.
In this embodiment, the internet of things device extracts the node certificate, the node certificate information and the node signature from the node verification information; the internet of things device extracts a node public key from the node certificate, performs node certificate verification according to the node public key and the node certificate information, and performs node signature verification on the node signature when the node certificate verification passes; and when the node signature verification passes, the internet of things device acquires a device certificate, device certificate information and a device signature, generates device verification information according to them, and sends the device verification information to the blockchain edge node. Because the internet of things device verifies the blockchain edge node according to the node verification information and only proceeds to the subsequent steps after that verification passes, the security of device access is further improved.
Further, as shown in fig. 4, a fourth embodiment of the blockchain-based distributed internet of things device identity authentication method of the present invention is proposed based on the first, second or third embodiment; this embodiment is described taking the first embodiment as its basis, the blockchain-based distributed internet of things device identity authentication system further includes an information query module, and the step S40 includes:
Step S401, the blockchain edge node extracts the device certificate, the device certificate information, and the device signature from the device verification information.
It should be noted that the device verification information includes the device signature generated by the internet of things device, and that when the system is initialized the certificate authorization device issues a device certificate for the internet of things device together with the device certificate information corresponding to that certificate. At initialization, the certificate authorization device issues the device certificate for the internet of things device and stores it in the public database, and the law enforcement device then sends the device certificate to the internet of things device; the device certificate information comprises all node information on the path from the MPT root node to the leaf node where the device certificate is located.
Step S402, the blockchain edge node extracts a device public key from the device certificate, performs device certificate verification according to the device public key and the device certificate information, and performs device signature verification on the device signature when the device certificate verification passes.
Further, the step S402 includes:
The blockchain edge node extracts a device public key from the device certificate, determines a device public key hash value according to the device public key, and determines a second MPT root value according to the device public key hash value and the device certificate information; the blockchain edge node acquires a second block to be compared from the blockchain edge network, and determines a second MPT root value to be compared corresponding to the second block to be compared; and the blockchain edge node compares the second MPT root value with the second MPT root value to be compared, and performs device signature verification on the device signature when the second MPT root value is the same as the second MPT root value to be compared.
It should be understood that the device verification of the internet of things device is performed by the blockchain edge node, and the device verification is divided into device certificate verification and device signature verification.
It can be understood that the blockchain edge node takes the public key out of the device certificate, determines the hash value of the device public key, checks whether the key formed by the path in the device certificate information corresponds to that hash value, and then calculates the second MPT root value from the hashes of the path nodes. Every time a new certificate is issued the MPT root is updated, so the calculated second MPT root value must be compared with the MPT root included in the most recently issued block; if the two are consistent, the device certificate is valid. Finally, the device signature is verified using the bilinearity of the bilinear map, which proves that the identity of the internet of things device is reliable.
It can be understood that the MPT root value contained in the most recently issued block may be obtained as follows: the second block to be compared is acquired from the blockchain edge network, where the second block to be compared is the most recently issued block, and the second MPT root value to be compared corresponding to the second block to be compared is determined.
It is understood that comparing the second MPT root value with the second MPT root value to be compared determines whether the device certificate is valid.
It should be understood that, since the node verification is performed before and the device verification is performed after, a new block may or may not be issued in the process, and thus, the first block to be compared and the second block to be compared may or may not be the same; accordingly, the first MPT root to be compared and the second MPT root to be compared may be the same or different, and this embodiment does not limit this.
Step S403, when the device signature verification passes, the block chain edge node determines that the identity authentication is successful.
It should be understood that the authentication is determined to be successful when both the device certificate verification and the device signature verification pass.
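The certificate-then-signature check of steps S302 and S402 above, as an added Go example that is not part of the patent and that also covers the certificate issuance of the two "before step S10" passages: `BuildTree` plays the certificate authorization device (each certificate becomes a leaf, the root is what would be written into the block header, and each owner receives its path as the "certificate information"), while `VerifyPeer` is the check the internet of things device runs on the node and the blockchain edge node runs on the device. Two simplifications are assumptions of this example rather than the patent's design: the public database is a plain binary Merkle tree over a power-of-two number of leaves, not an MPT, and signatures are ECDSA over P-256 (which the patent names for registration) rather than the bilinear-map signature it names for the node and device signatures. All subject names, the challenge and the "newer block" root are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// ProofStep is one path node: the sibling hash and whether it is the left child.
type ProofStep struct {
	Sibling []byte
	Left    bool
}

// Certificate binds a subject name to a public key (node or device certificate).
type Certificate struct {
	Subject string
	PubKey  *ecdsa.PublicKey
}

func h(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

// leafHash keys the leaf by the hash of the public key (P-256 coordinates); the
// 0x00 prefix keeps leaves distinct from interior nodes, which use 0x01.
func leafHash(c Certificate) []byte {
	buf := make([]byte, 64)
	c.PubKey.X.FillBytes(buf[:32])
	c.PubKey.Y.FillBytes(buf[32:])
	return h([]byte{0x00}, h(buf), []byte(c.Subject))
}

// RootFromProof recomputes the root from the leaf and the path nodes, i.e. the
// "first/second MPT root value" the verifier derives from the certificate information.
func RootFromProof(c Certificate, path []ProofStep) []byte {
	cur := leafHash(c)
	for _, s := range path {
		if s.Left {
			cur = h([]byte{0x01}, s.Sibling, cur)
		} else {
			cur = h([]byte{0x01}, cur, s.Sibling)
		}
	}
	return cur
}

// BuildTree plays the certificate authorization device: every certificate is a
// leaf, the root goes into the block header, each owner gets its path.
// Assumption: the leaf count is a power of two (a simplification of the MPT).
func BuildTree(certs []Certificate) ([]byte, [][]ProofStep) {
	level := make([][]byte, len(certs))
	for i, c := range certs {
		level[i] = leafHash(c)
	}
	proofs := make([][]ProofStep, len(certs))
	for depth := 0; len(level) > 1; depth++ {
		for c := range certs {
			j := c >> depth // index of this certificate's ancestor at this level
			proofs[c] = append(proofs[c], ProofStep{Sibling: level[j^1], Left: j&1 == 1})
		}
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = h([]byte{0x01}, level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], proofs
}

// VerifyPeer is the two-stage check of S302/S402: the recomputed root must equal
// the root in the newest block, and only then is the signature over the
// challenge checked with the public key taken from the certificate.
func VerifyPeer(c Certificate, path []ProofStep, latestRoot, challenge, sig []byte) (bool, string) {
	if !bytes.Equal(RootFromProof(c, path), latestRoot) {
		return false, "certificate root mismatch: not in the public database at this block"
	}
	if !ecdsa.VerifyASN1(c.PubKey, h(challenge), sig) {
		return false, "signature does not verify under the certified public key"
	}
	return true, "certificate and signature valid"
}

// Demo issues four constructed certificates, then runs the node check, the
// device check, a stale proof against a newer root and a forged signature.
func Demo() (okNode, okDevice, okStale, okForged bool) {
	names := []string{"edge-node-A", "edge-node-B", "iot-device-7", "iot-device-9"}
	keys, certs := make([]*ecdsa.PrivateKey, len(names)), make([]Certificate, len(names))
	for i, n := range names {
		keys[i], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		certs[i] = Certificate{Subject: n, PubKey: &keys[i].PublicKey}
	}
	root, proofs := BuildTree(certs)
	challenge := []byte("constructed access-request nonce")
	nodeSig, _ := ecdsa.SignASN1(rand.Reader, keys[0], h(challenge))
	devSig, _ := ecdsa.SignASN1(rand.Reader, keys[2], h(challenge))
	okNode, _ = VerifyPeer(certs[0], proofs[0], root, challenge, nodeSig)
	okDevice, _ = VerifyPeer(certs[2], proofs[2], root, challenge, devSig)
	newerRoot := h([]byte("constructed root of a later block")) // root changed after issuance
	okStale, _ = VerifyPeer(certs[2], proofs[2], newerRoot, challenge, devSig)
	okForged, _ = VerifyPeer(certs[2], proofs[2], root, challenge, nodeSig) // wrong key
	return
}
```

`Demo()` returns `true, true, false, false`: both certified peers pass, the old path fails against a root that has since changed (which is why the patent has each side fetch the most recently issued block before comparing), and a signature made with a different key fails even though the certificate itself is valid. Because the certificate check precedes the signature check, a verifier never evaluates a signature under a public key that is not anchored in the chain.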
In this embodiment, blockchain technology is introduced and an identity authentication architecture for blockchain-based distributed internet of things devices is provided. By arranging the blockchain and the internet of things devices into this architecture, authority is distributed among mutually constraining entities, and, in combination with the public database, the operations of the entities in the architecture are open, transparent and auditable, which prevents abuse of authority.
Secondly, a distributed identity authentication scheme for the internet of things is formulated by combining cryptographic techniques. Digital certificate technology secures the transmission of keys, and a novel block data structure is introduced so that a receiver can verify whether the certificate of the sender is reliable, which saves certificate query time and reduces the storage space required. Before an internet of things device accesses the blockchain network it verifies the reliability of the access node, and the node then verifies the device identity, so that bidirectional identity authentication between device and node is achieved. In addition, a pre-signature mechanism makes signatures difficult to forge or break and keeps the access process highly secure.
In this embodiment, the blockchain edge node extracts the device certificate, the device certificate information and the device signature from the device verification information; the blockchain edge node extracts a device public key from the device certificate, performs device certificate verification according to the device public key and the device certificate information, and performs device signature verification on the device signature when the device certificate verification passes; and when the device signature verification passes, the blockchain edge node determines that the identity authentication is successful. Because the blockchain edge node verifies the internet of things device according to the device verification information and only proceeds to the subsequent steps after that verification passes, the security of device access is further improved.
Referring to fig. 5, fig. 5 is a functional module schematic diagram of a first embodiment of a block chain-based distributed internet of things device identity authentication apparatus according to the present invention, where the block chain-based distributed internet of things device identity authentication apparatus includes: the internet of things device 10 and the blockchain edge node 20;
the internet of things device 10 is configured to obtain device information, generate access request information according to the device information, and send the access request information to the block chain edge node 20.
It should be noted that the blockchain-based distributed Internet of things device identity authentication in this embodiment is adapted to a blockchain-based distributed Internet of things device identity authentication architecture. In that architecture, information such as digital identities is stored in a novel block data structure, a distributed Internet of things device identity authentication mechanism is provided on the basis of cryptography, and a detailed flow for device certificate issuance and identity authentication is designed. A security analysis of the mechanism is carried out from the aspects of the constraint of rights among all entities, device privacy protection and attack resistance, and its performance is comparatively analysed in three aspects: security attributes, computation cost and storage cost. The result shows that the identity authentication mechanism can resist various malicious attacks, can realize highly secure distributed Internet of things identity authentication, and has certain performance advantages.
It should be understood that, the internet of things device 10 acquires the device information, and the device information may include the device identifier and the historical access point information, and may also include other information, which is not limited in this embodiment. And generating access request information according to the device information, and sending the access request information to the blockchain edge node 20.
It should be understood that for a blockchain edge network, there are multiple blockchain edge nodes 20 in the blockchain edge network.
The blockchain edge node 20 is configured to perform trust level verification on the access request information, obtain a node certificate, node certificate information, and a node signature when the trust level verification passes, generate node verification information according to the node certificate, the node certificate information, and the node signature, and send the node verification information to the internet of things device 10.
It should be understood that the blockchain edge node 20 extracts the device information from the access request information, and determines the device identifier and the historical access point information according to the device information, and then may determine the historical blockchain edge node and the historical access time of the last access of the internet-of-things device according to the historical access point information. The historical access time refers to the time when the internet of things device 10 last accesses the historical block chain edge node.
It should be appreciated that the blockchain edge node 20 sends the device identifier and the historical access time to the historical blockchain edge node in order to confirm whether the internet of things device 10 has previously accessed it. If the historical blockchain edge node has an access record for the internet of things device at the historical access time, the reliability of the access request information is high.
It can be understood that after the trust level verification passes, the blockchain edge node 20 obtains the node certificate, the node certificate information, and the node signature, generates node verification information according to the node certificate, the node certificate information, and the node signature, and sends the node verification information to the internet of things device 10. The node certificate, the node certificate information, and the node signature may be obtained from a local database of the blockchain edge node 20, or may be obtained in other obtaining manners, which is not limited in this embodiment.
The internet of things device 10 is configured to perform node verification according to the node verification information, obtain a device certificate, device certificate information, and a device signature when the node verification passes, generate device verification information according to the device certificate, the device certificate information, and the device signature, and send the device verification information to the blockchain edge node 20.
It should be understood that the internet of things device 10 performs node verification on the blockchain edge node 20, and the node verification is divided into node certificate verification and node signature verification.
It is understood that, when the node verification passes, device verification information is generated according to the device certificate, the device certificate information, and the device signature, and is sent to the blockchain edge node 20. The device certificate, the device certificate information, and the device signature may be obtained from a local database of the internet of things device 10, or may be obtained in other obtaining manners, which is not limited in this embodiment.
And the block chain edge node 20 is configured to perform device verification according to the device verification information, and determine that the device identity authentication is successful when the device verification passes.
It should be understood that the blockchain edge node 20 performs device verification on the internet of things device 10, and the device verification is divided into device certificate verification and device signature verification.
It can be understood that when the device passes the verification, the device identity authentication is determined to be successful, and the internet of things device may be allowed to access the blockchain edge network.
In this embodiment, when the internet of things equipment accesses the network, multiple rounds of verification are performed between the internet of things equipment and the blockchain edge nodes, so that the access security of the internet of things equipment is improved.
In an embodiment, the blockchain edge node 20 is further configured to generate an authentication success instruction, and send the authentication success instruction to the internet of things device;
the internet of things device 10 is further configured to access the blockchain edge network where the blockchain edge node is located based on the authentication success instruction.
In an embodiment, the blockchain edge node 20 is further configured to extract device information from the access request information, determine a device identifier and historical access point information according to the device information, and determine a historical blockchain edge node and a historical access time of a last access of the internet of things device according to the historical access point information;
the blockchain edge node 20 is further configured to send the device identifier and the historical access time to the historical blockchain edge node, so that the historical blockchain edge node feeds back access verification information based on the device identifier and the historical access time;
the block chain edge node 20 is further configured to perform reliability verification on the access request information according to the access verification information;
the block chain edge node 20 is further configured to obtain a node certificate, node certificate information, and a node signature when the reliability verification passes, generate node verification information according to the node certificate, the node certificate information, and the node signature, and send the node verification information to the internet of things device 10.
In an embodiment, the internet of things device 10 is further configured to extract the node certificate, the node certificate information, and the node signature from the node verification information;
the internet of things device 10 is further configured to extract a node public key from the node certificate, perform node certificate verification according to the node public key and the node certificate information, and perform node signature verification on the node signature when the node certificate verification passes;
the internet of things device 10 is further configured to obtain a device certificate, device certificate information, and a device signature when the node signature verification passes, generate device verification information according to the device certificate, the device certificate information, and the device signature, and send the device verification information to the blockchain edge node 20.
In an embodiment, the internet of things device 10 is further configured to extract a node public key from the node certificate, determine a node public key hash value according to the node public key, and determine a first MPT root value according to the node public key hash value and the node certificate information;
the internet of things device 10 is further configured to obtain a first block to be compared from the blockchain edge network where the blockchain edge node is located, and determine a first MPT root value to be compared, which corresponds to the first block to be compared;
the internet of things device 10 is further configured to compare the first MPT root value with the first MPT root value to be compared, and perform node signature verification on the node signature when the first MPT root value is the same as the first MPT root value to be compared.
In an embodiment, the blockchain edge node 20 is further configured to extract the device certificate, the device certificate information, and the device signature from the device authentication information;
the block chain edge node 20 is further configured to extract an equipment public key from the equipment certificate, perform equipment certificate verification according to the equipment public key and the equipment node certificate information, and perform equipment signature verification on the equipment signature when the verification is passed;
the block chain edge node 20 is further configured to determine that the identity authentication is successful when the device signature verification passes.
In an embodiment, the blockchain edge node 20 is further configured to extract an apparatus public key from the apparatus certificate, determine an apparatus public key hash value according to the apparatus public key, and determine a second MPT root value according to the apparatus public key hash value and the apparatus certificate information;
the blockchain edge node 20 is further configured to obtain a second block to be compared from the blockchain edge network, and determine a second MPT root value to be compared corresponding to the second block to be compared;
the block chain edge node 20 is further configured to compare the second MPT root value with the second MPT root value to be compared, and perform device signature verification on the device signature when the second MPT root value is the same as the second MPT root value to be compared.
In an embodiment, the blockchain-based distributed internet of things device identity authentication apparatus further comprises a law enforcement device and a certificate authorization device;
the blockchain edge node 20 is further configured to generate a node registration request and send the node registration request to the law enforcement device;
the law enforcement equipment is further used for generating a node certificate issuing instruction based on the node registration request and sending the node certificate issuing instruction to the certificate authorization equipment;
the certificate authorization equipment is further used for generating a node certificate according to the node certificate issuing instruction and adding the node certificate to a public database;
the law enforcement device is further configured to obtain the node certificate and node certificate information corresponding to the node certificate from the public database, and send the node certificate and the node certificate information to the blockchain edge node 20.
In an embodiment, the internet of things device 10 is further configured to generate a device registration request, and send the device registration request to the law enforcement device;
the law enforcement device is further used for generating a device certificate issuing instruction based on the device registration request and sending the device certificate issuing instruction to the certificate authorization device;
the certificate authority equipment is also used for generating an equipment certificate according to the equipment certificate issuing instruction and adding the equipment certificate to a public database;
the law enforcement device is further configured to obtain the device certificate and device certificate information corresponding to the device certificate from the public database, and send the device certificate and the device certificate information to the internet of things device.
Other embodiments or specific implementation methods of the distributed internet of things equipment identity authentication device based on the block chain according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a computer-readable storage medium (such as ROM/RAM, magnetic disk, optical disk) as described above, and includes several instructions for enabling an intelligent terminal (which may be a mobile phone, a computer, a terminal, an air conditioner, or a network terminal) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A distributed Internet of things equipment identity authentication method based on a block chain is characterized by comprising the following steps:
the Internet of things equipment obtains equipment information, generates access request information according to the equipment information, and sends the access request information to a block chain edge node;
the block chain edge node carries out credibility verification on the access request information, acquires a node certificate, node certificate information and a node signature when the credibility verification passes, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment;
the Internet of things equipment carries out node verification according to the node verification information, acquires an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node;
and the block chain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the equipment identity authentication is judged to be successful.
2. The method for identity authentication of distributed internet of things devices based on a blockchain according to claim 1, wherein the blockchain edge node performs device authentication according to the device authentication information, and when the device authentication passes, after determining that the device identity authentication succeeds, the method further comprises:
the block chain edge node generates an authentication success instruction and sends the authentication success instruction to the Internet of things equipment;
and the Internet of things equipment accesses the blockchain edge network where the blockchain edge node is located based on the authentication success instruction.
3. The identity authentication method of the distributed internet of things equipment based on the block chain as claimed in claim 1, wherein the block chain edge node performs trust verification on the access request information, acquires a node certificate, node certificate information and a node signature when the trust verification passes, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the internet of things equipment, and specifically comprises:
the blockchain edge node extracts equipment information from the access request information, determines equipment identification and historical access point information according to the equipment information, and determines the historical blockchain edge node and the historical access time of the last access of the internet of things equipment according to the historical access point information;
the block chain edge node sends the equipment identifier and the historical access time to the historical block chain edge node, so that the historical block chain edge node feeds back access verification information based on the equipment identifier and the historical access time;
the block chain edge node carries out credibility verification on the access request information according to the access verification information;
when the reliability verification passes, the block chain edge node acquires a node certificate, node certificate information and a node signature, generates node verification information according to the node certificate, the node certificate information and the node signature, and sends the node verification information to the Internet of things equipment.
4. The identity authentication method for the distributed internet of things equipment based on the blockchain as claimed in any one of claims 1 to 3, wherein the internet of things equipment performs node verification according to the node verification information, acquires an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the blockchain edge node, and specifically comprises:
the Internet of things equipment extracts the node certificate, the node certificate information and the node signature from the node verification information;
the Internet of things equipment extracts a node public key from the node certificate, carries out node certificate verification according to the node public key and the node certificate information, and carries out node signature verification on the node signature when the node certificate verification passes;
when the node signature verification passes, the Internet of things equipment acquires an equipment certificate, equipment certificate information and an equipment signature, generates equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sends the equipment verification information to the block chain edge node.
5. The identity authentication method of the distributed internet of things equipment based on the block chain as claimed in claim 4, wherein the internet of things equipment extracts a node public key from the node certificate, performs node certificate verification according to the node public key and the node certificate information, and performs node signature verification on the node signature when the node certificate verification passes, specifically comprising:
the Internet of things equipment extracts a node public key from the node certificate, determines a node public key hash value according to the node public key, and determines a first MPT root value according to the node public key hash value and the node certificate information;
the Internet of things equipment acquires a first block to be compared from a block chain edge network where the block chain edge node is located, and determines a first MPT root value to be compared corresponding to the first block to be compared;
and the Internet of things equipment compares the first MPT root value with the first MPT root value to be compared, and performs node signature verification on the node signature when the first MPT root value is the same as the first MPT root value to be compared.
6. The identity authentication method for the distributed internet of things equipment based on the blockchain as claimed in any one of claims 1 to 3, wherein the blockchain edge node performs equipment verification according to the equipment verification information, and when the equipment verification passes, the identity authentication is determined to be successful, specifically comprising:
the blockchain edge node extracts the device certificate, the device certificate information, and the device signature from the device authentication information;
the block chain edge node extracts an equipment public key from the equipment certificate, carries out equipment certificate verification according to the equipment public key and the equipment node certificate information, and carries out equipment signature verification on the equipment signature when the verification is passed;
and when the equipment signature verification passes, the block chain edge node judges that the identity authentication is successful.
7. The identity authentication method of the distributed internet of things device based on the blockchain as claimed in claim 6, wherein the blockchain edge node extracts a device public key from the device certificate, performs device certificate verification according to the device public key and the device node certificate information, and performs device signature verification on the device signature when the device certificate verification passes, specifically comprising:
the block chain edge node extracts an equipment public key from the equipment certificate, determines an equipment public key hash value according to the equipment public key, and determines a second MPT root value according to the equipment public key hash value and the equipment certificate information;
the block chain edge node acquires a second block to be compared from a block chain edge network, and determines a second MPT root value to be compared corresponding to the second block to be compared;
and the block chain edge node compares the second MPT root value with the second MPT root value to be compared, and performs device signature verification on the device signature when the second MPT root value is the same as the second MPT root value to be compared.
8. The identity authentication method for the distributed internet of things equipment based on the blockchain as claimed in any one of claims 1 to 3, wherein before the internet of things equipment acquires equipment information, generates access request information according to the equipment information, and sends the access request information to a blockchain edge node, the identity authentication method further comprises:
a block chain edge node generates a node registration request and sends the node registration request to law enforcement equipment;
the law enforcement equipment generates a node certificate issuing instruction based on the node registration request and sends the node certificate issuing instruction to certificate authorization equipment;
the certificate authorization equipment generates a node certificate according to the node certificate issuing instruction and adds the node certificate to a public database;
and the law enforcement equipment acquires the node certificate and the node certificate information corresponding to the node certificate from the public database and sends the node certificate and the node certificate information to the block chain edge node.
9. The identity authentication method for the distributed internet of things equipment based on the blockchain as claimed in any one of claims 1 to 3, wherein before the internet of things equipment acquires equipment information, generates access request information according to the equipment information, and sends the access request information to a blockchain edge node, the identity authentication method further comprises:
the Internet of things equipment generates an equipment registration request and sends the equipment registration request to law enforcement equipment;
the law enforcement device generates a device certificate issuing instruction based on the device registration request and sends the device certificate issuing instruction to a certificate authorization device;
the certificate authorization equipment generates an equipment certificate according to the equipment certificate issuing instruction and adds the equipment certificate to a public database;
the law enforcement equipment acquires the equipment certificate and equipment certificate information corresponding to the equipment certificate from the public database and sends the equipment certificate and the equipment certificate information to the equipment of the Internet of things.
10. A distributed Internet of things equipment identity authentication device based on a block chain, characterized in that the distributed Internet of things equipment identity authentication device based on a block chain comprises: Internet of things equipment and a block chain edge node;
the Internet of things equipment is used for acquiring equipment information, generating access request information according to the equipment information and sending the access request information to the edge node of the block chain;
the block chain edge node is used for verifying the credibility of the access request information, acquiring a node certificate, node certificate information and a node signature when the credibility verification passes, generating node verification information according to the node certificate, the node certificate information and the node signature, and sending the node verification information to the Internet of things equipment;
the Internet of things equipment is used for carrying out node verification according to the node verification information, acquiring an equipment certificate, equipment certificate information and an equipment signature when the node verification passes, generating equipment verification information according to the equipment certificate, the equipment certificate information and the equipment signature, and sending the equipment verification information to the block chain edge node;
and the block chain edge node is used for carrying out equipment verification according to the equipment verification information and judging that the equipment identity authentication is successful when the equipment verification passes.
CN202010876191.3A 2020-08-26 2020-08-26 Block chain-based distributed Internet of things equipment identity authentication device and method Pending CN111970299A (en)


Publications (1)

Publication Number Publication Date
CN111970299A true CN111970299A (en) 2020-11-20

Family

ID=73390804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010876191.3A Pending CN111970299A (en) 2020-08-26 2020-08-26 Block chain-based distributed Internet of things equipment identity authentication device and method

Country Status (1)

Country Link
CN (1) CN111970299A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109918878A (en) * 2019-04-24 2019-06-21 中国科学院信息工程研究所 A kind of industrial internet of things equipment authentication and safety interacting method based on block chain
CN110995448A (en) * 2019-12-19 2020-04-10 杭州羿贝科技有限公司 Block chain-based Internet of things equipment identity authentication method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Tan Chen (谭琛) et al., "Research on a distributed Internet of Things device identity authentication mechanism based on blockchain" (基于区块链的分布式物联网设备身份认证机制研究), Chinese Journal on Internet of Things (物联网学报) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491908A (en) * 2020-12-01 2021-03-12 阿拉拇 Security certification management system based on block chain big data
CN112600892A (en) * 2020-12-07 2021-04-02 北京邮电大学 Block chain equipment and system for Internet of things and working method
CN112637298A (en) * 2020-12-15 2021-04-09 中国联合网络通信集团有限公司 Authentication method and member node
CN112637298B (en) * 2020-12-15 2022-03-04 中国联合网络通信集团有限公司 Authentication method and member node
CN113595969A (en) * 2021-04-13 2021-11-02 彭松英 Internet of things information protection system based on multiple verification
CN113453170B (en) * 2021-06-29 2022-04-05 重庆邮电大学 Block chain technology-based distributed authentication method for Internet of vehicles
CN113453170A (en) * 2021-06-29 2021-09-28 重庆邮电大学 Block chain technology-based distributed authentication method for Internet of vehicles
CN113326504A (en) * 2021-07-01 2021-08-31 厦门致联科技有限公司 Block chain chaining method for preventing data tampering
CN113746916A (en) * 2021-09-01 2021-12-03 北京泰尔英福网络科技有限责任公司 Block chain-based third-party service providing method, system and related node
CN114500588A (en) * 2021-12-15 2022-05-13 杭州宇链科技有限公司 Method and system for verifying cloud data by Internet of things terminal based on block chain
CN114500588B (en) * 2021-12-15 2023-09-19 杭州宇链科技有限公司 Method and system for verifying cloud data by using IOT (Internet of things) terminal based on blockchain
WO2023240425A1 (en) * 2022-06-14 2023-12-21 广州工商学院 Security authentication management system based on blockchain big data
CN117494111A (en) * 2023-09-11 2024-02-02 德浦勒仪表(广州)有限公司 Edge computing system and method for data processing and transmission of industrial flowmeter

Similar Documents

Publication Publication Date Title
CN111970299A (en) Block chain-based distributed Internet of things equipment identity authentication device and method
CN106330910B (en) Strong secret protection double authentication method in car networking based on node identities and prestige
CN106878318B (en) Block chain real-time polling cloud system
CN106789090B (en) Public key infrastructure system based on block chain and semi-random combined certificate signature method
US11729175B2 (en) Blockchain folding
CN109687965A (en) The real name identification method of subscriber identity information in a kind of protection network
Ustun et al. An improved security scheme for IEC 61850 MMS messages in intelligent substation communication networks
CN114139203B (en) Block chain-based heterogeneous identity alliance risk assessment system and method and terminal
CN113285932B (en) Method for acquiring edge service, server and edge device
Xu et al. Authentication‐Based Vehicle‐to‐Vehicle Secure Communication for VANETs
CN114125773A (en) Vehicle networking identity management system and management method based on block chain and identification password
WO2023236551A1 (en) Decentralized trusted access method for cellular base station
CN115515127A (en) Vehicle networking communication privacy protection method based on block chain
CN115277010A (en) Identity authentication method, system, computer device and storage medium
CN111711607A (en) Block chain-based flow type micro-service trusted loading and verifying method
CN110572392A (en) Identity authentication method based on HyperLegger network
Subramani et al. Blockchain-based physically secure and privacy-aware anonymous authentication scheme for fog-based vanets
Yang et al. A blockchain-based anonymous authentication scheme for Internet of vehicles
CN114091009A (en) Method for establishing secure link by using distributed identity
CN110191129A (en) A kind of content in information centre's network names Verification System
CN114154125A (en) Certificateless identity authentication scheme of blockchain under cloud computing environment
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
Kwon et al. Certificate transparency with enhanced privacy
CN113660662B (en) Authentication method based on trusted connection architecture in Internet of vehicles environment
CN113507370B (en) Forestry Internet of things equipment authorization authentication access control method based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2020-11-20)