CN112118231A - Trusted identity management method based on block chain technology - Google Patents


Info

Publication number
CN112118231A
Authority
CN
China
Prior art keywords
node
administrator
block chain
common
transaction
Prior art date
Legal status
Granted
Application number
CN202010850694.3A
Other languages
Chinese (zh)
Other versions
CN112118231B (en)
Inventor
何锐
高航
张金琳
薄尊旭
Current Assignee
Zhejiang Shuqin Technology Co Ltd
Original Assignee
Zhejiang Shuqin Technology Co Ltd
Application filed by Zhejiang Shuqin Technology Co Ltd
Priority to CN202010850694.3A
Publication of CN112118231A
Application granted
Publication of CN112118231B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 ... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 ... for authentication of entities
    • H04L63/0823 ... using certificates
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/50 ... using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of block chains, in particular to a trusted identity management method based on block chain technology, which comprises the following steps: step A), importing a node system table and a node digital certificate issued by a third party, and running an initialization module; step B), establishing an initial block chain from an initial node system table, wherein the roles of the block chain nodes comprise administrator nodes, common nodes and common black nodes; step C), creating the intelligent contracts run by the block chain, and realizing role conversion of the block chain nodes through a consensus voting mechanism; and step D), a node A applying to join interacts offline with an existing node B, node B initiates a permission admission transaction application on the chain, and node A is allowed to enter if the verification of a majority of the administrator nodes passes. The substantial effects of the invention are as follows: trusted identity management is separated from the centralized management system, the performance bottleneck brought by a centralized node is eliminated, and the working efficiency and reliability of the block chain are improved.

Description

Trusted identity management method based on block chain technology
Technical Field
The invention relates to the technical field of block chains, in particular to a trusted identity management method based on a block chain technology.
Background
Currently, in distributed systems there are three major architectures for trusted identity management: an identity authentication architecture based on a PKI (Public Key Infrastructure) system, an identity authentication architecture based on symmetric keys, and an identity authentication architecture based on an IBC (Identity-Based Cryptography) system. The three architectures have corresponding defects and shortcomings owing to their different implementation technologies and authentication processes.
Firstly, an identity authentication framework based on a PKI system binds the identity information and the public key of a certificate holder by issuing a digital certificate, thereby providing confidentiality, integrity and non-repudiation of communication data. However, the existing PKI-based identity authentication architecture suffers from single points of failure, poor scalability, performance bottlenecks and even potential security risks, and its centralized data storage is opaque and exposed to tampering and counterfeiting. All processing in a PKI system depends on the certificate authority, which makes it an attractive target for attackers, and once the certificate authority fails, the whole system cannot operate; in a PKI system with a centralized mechanism, the certificate authority, as the core authority that centrally issues and manages certificates, becomes a major factor limiting system performance; in addition, the high centralization of data increases maintenance cost and makes management and application inconvenient.
The symmetric key architecture has the advantages of the fastest authentication speed and the highest efficiency, but it carries the risk of key leakage. The increasingly diverse and sophisticated attacks and threats in cyberspace also place higher demands on the security of identity authentication, so this architecture limits the development of cyberspace to a certain extent.
The IBC-based identity authentication framework uses the entity identifier directly as the public key, which simplifies key management and makes the system easy to maintain. However, the entity private key in an IBC authentication system is generated by a KGC (key generation center), which introduces a key escrow problem, so IBC is better suited to an independent small trust domain. In addition, in existing IBC-based authentication schemes, entity identity revocation is mainly achieved by the KGC periodically ceasing to issue the private key, so revocation cannot take effect promptly, and the system cannot serve application scenarios with high security requirements.
Therefore, the existing identity authentication architectures in distributed systems each have their own defects, and cannot sufficiently meet the requirements of distributed systems for trusted identity management.
The applicant's search found Chinese patent CN109376528A to be the closest prior art. It discloses a trusted identity management system and method based on a block chain, comprising a block chain module, a virtual chain module and a storage module; the block chain module records the state of user information and the interactions between the user and the application server; the virtual chain module receives requests from the user and the application server and defines the logical operations on the block chain module and the storage module; the storage module stores and backs up the personal information of the user; the virtual chain module sits above the block chain module, and the storage module sits above the virtual chain module. That technical scheme removes the labor and time cost of guaranteeing the security of user information and improves efficiency. However, it can only guarantee the credibility of operations on the chain; it cannot effectively ensure trusted identity management and verification of the block chain nodes themselves, and so cannot serve as a trusted identity authentication system.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: existing identity authentication in distributed systems is centralized, which causes low security and poor scalability. The method manages the trusted identities of nodes through the block chain, and improves the efficiency, reliability and security of trusted identity management.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a credible identity management method based on block chain technology comprises the following steps:
step A), importing a node system table and a node digital certificate issued by a third party, running an initialization module, and obtaining an initialized block chain node instance in which the digital certificate information is stored;
step B), initializing a plurality of node instances with an initial node system table and establishing an initial block chain, wherein the node system table records the list of nodes participating in consensus synchronization at the initial block stage, the roles of the block chain nodes comprise administrator nodes, common nodes and common black nodes, and the initial node system table is stored locally;
step C), creating the intelligent contracts run by the block chain, realizing role conversion of the block chain nodes through a consensus voting mechanism, and maintaining the node system table, wherein the node system table maintained while the intelligent contracts run is stored on the chain;
and step D), a node A applying to join interacts offline with an existing node B: node A provides the hash value of its public key, its IP address and its port information to node B offline, node B initiates a permission admission transaction application on the chain, the administrator nodes verify and audit it, and if the verification and audit of a majority of the administrator nodes pass, node A is allowed to enter and the updated node system table is broadcast. After a node obtains a digital certificate issued by a third party, the certificate is stored locally and verification information containing the public key is submitted to the administrator nodes of the block chain for audit; a node that has passed the administrators' audit can prove its authenticity by means of its workload, so that trusted identity management is separated from a centralized management system and the performance bottleneck brought by a centralized node is eliminated.
Preferably, the initialization module in step A) performs the following steps:
step A1), initializing a configuration module, and obtaining configuration information containing the node system table from the configuration module;
step A2), initializing a certificate module, and sending the node digital certificate issued by the third party to the certificate module, which verifies the certificate on receipt and, after verification passes, returns an initialized TLS instance and a CA blacklist;
step A3), initializing the P2P module, and sending the TLS instance and the CA blacklist returned by the certificate module to the P2P module, which returns an initialized P2P variable object, namely a P2P instance;
step A4), initializing the consensus synchronization module, and sending the P2P instance returned by the P2P module and the node system table to the consensus synchronization module, which returns an initialized node variable object, namely a node instance. While the initialization module initializes the other modules, the node's digital certificate issued by the third party is stored locally by the certificate module and is used to sign transactions after the node has joined the block chain, and the roles of the block chain nodes are recorded in the node system table imported during initialization.
Preferably, in step D), the node A applying to join obtains a digital certificate issued by a third party and provides the hash value of its public key, its IP address and its port information to node B; node B initiates a permission admission transaction application contract on the chain, and the hash value of node A's public key, its IP address and its port information are stored in the permission admission transaction application contract. The authenticity of the node can be determined from the hash value of its public key, its IP address and its port information.
Preferably, in step D), the verification and audit performed by the administrator nodes comprise the following steps:
step D1), checking whether node A already exists in the node system table; if so, the process of node A applying to join the block chain ends directly, and if not, proceeding to step D2);
step D2), the administrator node checks the signature of node A; if the check fails, a message that node A has failed to apply to join the block chain is returned, and if the check passes, node A is written into the node system table stored in the permission admission transaction application contract;
step D3), after the administrator node has audited node A's application, if it approves node A's request to join the block chain, a transaction agreeing to admission is sent to the administrator node's transaction pool and broadcast from the transaction pool to all other nodes in the block chain; if it does not approve the request, a message that node A has failed to apply to join the block chain is returned directly;
step D4), the permission admission transaction application contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the permission admission transaction application contract, and the audit count in the permission admission transaction application contract is incremented by 1;
step D5), node B judges whether the audit count of the permission admission transaction application contract exceeds half of the number of administrator nodes; if so, proceeding to step D6), and if not, node B continues waiting;
step D6), adding the information of node A to the node system table and sending a node-system-table-addition event to the block chain; node B subscribes to the node-system-table-addition event on the block chain, which completes the addition of node A. The intelligent contracts run by the initial block chain in step C) include the permission admission transaction application contract.
Preferably, the node role conversion realized by running the consensus voting mechanism comprises: converting a common node into a common black node, upgrading a common node to an administrator node, and demoting an administrator node to a common node, wherein the intelligent contracts initiated for block chain operation in step C) include a node conversion contract. Through conversion among the node roles, a malicious node can be moved into the common black nodes as soon as it appears, that is, it can be removed at the first opportunity, which ensures the reliability and security of trusted identity management.
Preferably, in step C), the method for converting a common node into a common black node comprises the following steps:
step C11), administrator node B sends a request to the block chain to move common node A in the block chain into the blacklist;
step C12), the node conversion contract receives the request and stores the data of the requested operation;
step C13), the administrator nodes in the block chain check the request to move common node A into the blacklist: first, checking whether node A exists in the node system table; if not, the process of moving common node A into the blacklist ends directly, and if so, proceeding to step C14);
step C14), checking whether the role of node A in the node system table is already common black node; if so, a message that moving common node A into the blacklist has failed is returned, and if not, proceeding to step C15);
step C15), checking the signature of the applicant; if the verification fails, the transaction application fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to black node;
step C16), after the administrator node has audited the request to move common node A into the blacklist, if it does not agree, the requested transaction is still recorded on the chain; if it agrees, the transaction agreeing to the request is sent to the administrator node's transaction pool and then broadcast from the transaction pool to all other nodes in the block chain;
step C17), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is incremented by 1;
step C18), administrator node B judges whether more than half of the administrator nodes have agreed to move common node A into the blacklist; if so, step C19) is executed, and if not, it continues waiting;
step C19), the node conversion contract updates the system node list and the blacklist and sends an event to administrator node B; administrator node B receives the event notice sent by the node conversion contract and disconnects common node A from the block chain.
Preferably, in step C), the method for upgrading a common node to an administrator node comprises:
step C21), administrator node B sends a request to the block chain to upgrade common node A in the block chain to an administrator node;
step C22), the administrator nodes in the block chain check the request: first, checking whether node A exists in the node system table; if not, the process of upgrading common node A to an administrator node ends directly, and if so, executing step C23);
step C23), the administrator node further checks whether the role of node A in the node system table is common node; if not, a message that upgrading common node A to an administrator node has failed is returned, and if it is a common node, executing step C24);
step C24), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to administrator node;
step C25), after the administrator node has audited the request to upgrade common node A to an administrator node, if it does not approve the request, the requested transaction is still recorded on the chain; if it approves, the transaction approving the request is sent to the administrator node's transaction pool and then broadcast from the transaction pool to all other nodes in the block chain network;
step C26), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is incremented by 1;
step C27), administrator node B judges whether more than half of the administrator nodes have agreed to upgrade common node A to an administrator node; if so, step C28) is executed, and if not, it continues waiting;
step C28), the node conversion contract updates the system node table and adds node A to the administrator node table.
Preferably, in step C), the method for demoting an administrator node to a common node comprises:
step C31), administrator node B sends a request to the block chain network to demote administrator node A in the network to a common node;
step C32), the administrator nodes in the network check the request: first, checking whether node A exists in the node system table; if not, the process of demoting administrator node A to a common node ends directly, and if so, executing step C33);
step C33), the administrator node further checks whether the role field of node A in the node system table is administrator node; if not, a message that demoting administrator node A to a common node has failed is returned, and if so, executing step C34);
step C34), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, administrator node A is written into the node system table stored in the node conversion contract and the role of the node is set to common node;
step C35), after the administrator node has audited the request to demote administrator node A to a common node, if it does not approve the request, the application transaction is still recorded on the chain; if it approves, the transaction approving the request is sent to the administrator node's transaction pool and then broadcast from the transaction pool to all other nodes in the block chain network;
step C36), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is incremented by 1;
step C37), administrator node B judges whether more than half of the administrator nodes have agreed to demote administrator node A to a common node; if so, step C38) is executed, and if not, it continues waiting;
step C38), the node conversion contract updates the system node table and deletes node A from the administrator node table.
By initiating a request in the block chain network, and provided more than half of the administrator nodes agree to it, a consensus node can be switched among the roles of administrator node, common node and common black node, which realizes on-chain autonomy and improves the reliability and efficiency of block chain operation.
The substantial effects of the invention are as follows: a node that has obtained a digital certificate issued by a third party submits verification information containing its public key to the administrator nodes of the block chain for audit, and a node that has passed that audit can present a trusted certificate through the block chain, so that trusted identity management is separated from a centralized management system and the performance bottleneck brought by a centralized node is eliminated; through conversion among the node roles, a malicious node can be moved into the common black nodes as soon as it appears, ensuring the reliability and security of trusted identity management; and block chain autonomy is realized through intelligent contracts, which improves the working efficiency and reliability of the block chain.
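The admission procedure of step D) and the three node-conversion procedures of step C) share one pattern: precondition checks against the node system table, a signature check on the applicant, then one signed audit per administrator until more than half of the administrators agree. The following Python simulation of that shared pattern is an added example, not code from the patent: the HMAC-based sign() is a constructed stand-in for the certificate signatures the patent uses, and the node ids, secrets and address 10.0.0.5:7001 are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ADMIN, COMMON, BLACK = "administrator", "common", "common_black"
# Role a finished proposal assigns to its target (steps D6, C19, C28, C38).
RESULT_ROLE = {"admit": COMMON, "blacklist": BLACK, "promote": ADMIN, "demote": COMMON}


def sign(secret: bytes, content: str) -> str:
    # Constructed stand-in for a node's certificate signature (HMAC over the
    # content); the page uses asymmetric certificate signatures, and the voting
    # logic below does not depend on which scheme produces the signature.
    return hmac.new(secret, content.encode(), hashlib.sha256).hexdigest()


@dataclass
class Proposal:
    kind: str             # admit | blacklist | promote | demote
    target: str           # node A in the page's steps
    applicant: str        # node B in the page's steps
    key_hash: str = ""    # hash of node A's public key (admit only)
    endpoint: str = ""    # node A's address and port (admit only)
    approvals: dict = field(default_factory=dict)  # admin id -> audit signature
    done: bool = False


class NodeContracts:
    """Node system table plus the admission and node-conversion contracts."""

    def __init__(self, initial_roles: dict, secrets: dict):
        self.roles = dict(initial_roles)   # node system table: node id -> role
        self.secrets = dict(secrets)       # node id -> signing secret (constructed)
        self.proposals = []
        self.events = []                   # the events node B subscribes to

    def admins(self) -> list:
        return [n for n, r in self.roles.items() if r == ADMIN]

    def verify(self, node: str, content: str, sig: str) -> bool:
        secret = self.secrets.get(node)
        return secret is not None and hmac.compare_digest(sign(secret, content), sig)

    def apply(self, kind, target, applicant, sig, key_hash="", endpoint=""):
        """Checks of D1-D2, C13-C15, C22-C24, C32-C34; returns (proposal id, status)."""
        role = self.roles.get(target)
        if kind == "admit":
            if role is not None:                      # D1: already in the table
                return None, "already present"
            if applicant not in self.roles:           # node B must be an existing node
                return None, "applicant unknown"
        else:
            if self.roles.get(applicant) != ADMIN:    # C11/C21/C31: an administrator applies
                return None, "applicant is not an administrator"
            if role is None:                          # C13/C22/C32: unknown node
                return None, "not present"
            allowed = {"blacklist": role != BLACK,    # C14
                       "promote": role == COMMON,     # C23
                       "demote": role == ADMIN}[kind] # C33
            if not allowed:
                return None, f"role {role} cannot be target of {kind}"
        content = f"{kind}:{target}:{key_hash}:{endpoint}"
        if not self.verify(applicant, content, sig):  # D2 / C15 / C24 / C34
            return None, "bad applicant signature"
        self.proposals.append(Proposal(kind, target, applicant, key_hash, endpoint))
        return len(self.proposals) - 1, "pending"

    def audit(self, pid: int, admin: str, approve: bool, sig: str):
        """One administrator's signed audit (D3-D6 and C16-C19 and their analogues)."""
        p = self.proposals[pid]
        if p.done or self.roles.get(admin) != ADMIN:
            return False, "ignored"
        content = f"audit:{pid}:{p.kind}:{p.target}:{int(approve)}"
        if not self.verify(admin, content, sig):
            return False, "bad audit signature"
        if not approve:                   # a refusal is recorded but adds no count
            return False, f"rejected by {admin}"
        p.approvals[admin] = sig          # D4 / C17: count + 1, one vote per admin
        if 2 * len(p.approvals) <= len(self.admins()):  # D5 / C18: more than half
            return False, f"{len(p.approvals)}/{len(self.admins())} approvals"
        self.roles[p.target] = RESULT_ROLE[p.kind]      # update the node system table
        p.done = True
        self.events.append((p.kind, p.target, self.roles[p.target]))  # D6 / C19 event
        return True, "applied"


if __name__ == "__main__":
    # Constructed initial chain: three administrators and one common node.
    secrets = {n: f"secret-{n}".encode() for n in ("M1", "M2", "M3", "N1", "A")}
    chain = NodeContracts({"M1": ADMIN, "M2": ADMIN, "M3": ADMIN, "N1": COMMON}, secrets)
    key_hash = hashlib.sha256(secrets["A"]).hexdigest()   # "public key hash" of A
    # Step D: A hands key hash and endpoint to N1 offline; N1 applies on chain.
    pid, status = chain.apply("admit", "A", "N1",
                              sign(secrets["N1"], f"admit:A:{key_hash}:10.0.0.5:7001"),
                              key_hash, "10.0.0.5:7001")
    for admin in ("M1", "M2"):            # two of three administrators approve
        sig = sign(secrets[admin], f"audit:{pid}:admit:A:1")
        print(admin, chain.audit(pid, admin, True, sig))
    print(chain.roles["A"], chain.events)
```

Note that the majority is evaluated against the current administrator count, so a demotion or promotion that completes while another proposal is pending changes the threshold of that proposal, and approvals are keyed by administrator id so a repeated audit from the same administrator is not counted twice.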
Drawings
FIG. 1 is a block diagram of the initialization process according to an embodiment.
FIG. 2 is a block diagram illustrating the process by which a new node joins according to an embodiment.
FIG. 3 is a block diagram illustrating the process of moving a common node into the black nodes according to an embodiment.
FIG. 4 is a flowchart of upgrading a common node to an administrator node according to an embodiment.
FIG. 5 is a flowchart illustrating the process of demoting an administrator node to a common node according to an embodiment.
Reference numerals: 100, initialization module; 200, configuration module; 300, certificate module; 400, P2P module; 500, consensus synchronization module.
Detailed Description
The following provides a more detailed description of the present invention, with reference to the accompanying drawings.
The first embodiment is as follows:
a credible identity management method based on block chain technology comprises the following steps:
step A), importing a node system table and a node digital certificate issued by a third party, running an initialization module 100, and obtaining an initialized block chain node instance in which the digital certificate information is stored.
As shown in fig. 1, the initialization module 100 performs the following steps at runtime:
Step S1), the initialization module 100 creates an initialization information structure, which contains a configuration information structure, a P2P information structure and a certificate information structure. The newly created configuration information structure and P2P information structure are assigned null or initial values. The certificate information structure stores the third-party digital certificate information obtained by the node; it comprises a network monitoring variable, a CA blacklist, a root certificate, a certificate and a private key. The network monitoring variable is assigned a null value, while the CA blacklist, root certificate, certificate and private key are determined by the content of the obtained third-party digital certificate.
Step S2), the initialization module 100 calls the configuration module 200, which holds the configuration information structure. That structure stores the node system table and the initial node system table. The initial node system table is drawn up by the nodes participating in establishing the initial chain and is stored locally by those nodes; the node system table is stored and updated on the chain once the blockchain is running. The initial node system table records the roles of the nodes that establish the chain. The initialization module 100 obtains the configuration information structure from the configuration module 200 and assigns its values to the newly created configuration information structure.
Step S3), the initialization module 100 loads the certificate module 300 and passes it the root certificate, the certificate and the private key. The certificate module 300 verifies the received certificate of the node against the root certificate. Once that check passes, the certificate module 300 exchanges and verifies digital certificates with an existing administrator node B; after mutual verification succeeds, the two parties establish a TLS connection, the node obtains the CA blacklist from administrator node B, and the certificate module returns the TLS instance and the CA blacklist to the initialization module 100. The public keys of both parties are obtained from the third party during the certificate exchange and verification and are stored on the chain once obtained. When the initial chain is created, no pairing verification is carried out between the nodes and TLS communication is established directly.
Step S4), after receiving the returned TLS instance, the initialization module 100 assigns the TLS instance to a network monitoring variable.
Step S5), the initialization module 100 provides the TLS instance and certificate information structure fields to the P2P module 400.
Step S6), the P2P module 400 returns the P2P instance.
Step S7), the initialization module 100 sends the P2P instance and the node system table to the consensus synchronization module 500, which runs the smart contract to complete the initialization of the node.
Step B), initialize a plurality of node instances with the initial node system table and establish the initial blockchain. In the initial block stage the node system table records the list of nodes participating in consensus synchronization; the roles of blockchain nodes comprise administrator node, common node and common black node, and the node system table is stored locally.
Step C), create the smart contract that runs on the blockchain and realize the role conversion of blockchain nodes through a consensus voting mechanism: a common node is converted into a common black node, a common node is upgraded to an administrator node, and an administrator node is demoted to a common node. This realizes chain autonomy: when a node behaves maliciously, it can immediately be moved into the common black nodes, that is, removed from the chain, which ensures the reliability and security of trusted identity management.
Step D), the node A applying to join interacts offline with an existing node B. Node A provides the hash value of its public key, its node BP address and its port information to node B; node B initiates an authority admission transaction application contract on the chain, in which the hash value of node A's public key, the node BP address and the port information are stored, and the administrator nodes verify and audit the application.
As shown in fig. 2, the verification and audit performed by the administrator nodes includes the following steps:
step D1), check whether node A already exists in the node system table; if so, the process of node A applying to join the blockchain ends directly, and if not, proceed to step D2);
step D2), the administrator node checks the signature of node A; if the check fails, a message that node A's application to join the blockchain has failed is returned, and if it passes, node A is written into the node system table stored in the authority admission transaction application contract;
step D3), after the administrator node has audited node A's application: if it approves the request of node A to join the blockchain, a transaction agreeing to admission is sent to the transaction pool of the administrator node, and the transaction pool broadcasts the transaction to all other nodes in the blockchain; if it does not approve the request, a message that node A's application to join the blockchain has failed is returned directly;
step D4), the authority admission transaction application contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the authority admission transaction application contract, and the audit count in the contract is increased by 1;
step D5), node B judges whether the audit count in the authority admission transaction application contract exceeds half of the number of administrator nodes; if so, proceed to step D6), and if not, node B continues waiting;
step D6), the information of node A is added to the node system table and a node-system-table-updated event is sent to the blockchain; node B, which subscribes to that event on the blockchain, completes the addition of node A.
As shown in fig. 3, in step C), the method for converting a common node into a common black node comprises the following steps:
step C11), the administrator node B sends a request to the blockchain to move the common node A of the blockchain into the blacklist;
step C12), the node conversion contract receives the request and stores the data of the application;
step C13), the administrator nodes in the blockchain check the request to move common node A into the blacklist: first, check whether node A exists in the node system table; if not, the process of moving common node A into the blacklist ends directly, and if so, proceed to step C14);
step C14), check whether the role of node A in the node system table is already common black node; if so, a message that moving common node A into the blacklist has failed is returned, and if not, proceed to step C15);
step C15), check the signature of the applicant; if the check fails, the transaction application fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to black node;
step C16), after the administrator node has audited the request to move common node A into the blacklist: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the blockchain;
step C17), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C18), the administrator node B judges whether more than half of the administrator nodes agree to move common node A into the blacklist; if so, proceed to step C19), and if not, continue waiting;
step C19), the node conversion contract updates the system node table and the blacklist and sends an event to the administrator node B; on receiving the event notification from the node conversion contract, administrator node B disconnects common node A from the blockchain.
As shown in fig. 4, in step C), the method for upgrading a common node to an administrator node comprises the following steps:
step C21), the administrator node B sends a request to the blockchain to upgrade the common node A of the blockchain to an administrator node;
step C22), the administrator nodes in the blockchain check the request: first, check whether node A exists in the node system table; if not, the process of upgrading common node A to an administrator node ends directly, and if so, proceed to step C23);
step C23), the administrator node further checks whether the role of node A in the node system table is common node; if not, a message that upgrading common node A to an administrator node has failed is returned, and if it is a common node, proceed to step C24);
step C24), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to administrator node;
step C25), after the administrator node has audited the request to upgrade common node A to an administrator node: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the blockchain network;
step C26), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C27), the administrator node B judges whether more than half of the administrator nodes agree to upgrade common node A to an administrator node; if so, proceed to step C28), and if not, continue waiting;
step C28), the node conversion contract updates the system node table and adds node A to the administrator node table.
As shown in fig. 5, in step C), the method for demoting an administrator node to a common node comprises the following steps:
step C31), the administrator node B sends a request to the blockchain network to demote the administrator node A of the network to a common node;
step C32), the administrator nodes in the network check the request: first, check whether node A exists in the node system table; if not, the process of demoting administrator node A to a common node ends directly, and if so, proceed to step C33);
step C33), the administrator node further checks whether the role field of node A in the node system table is administrator node; if not, a message that demoting administrator node A to a common node has failed is returned, and if so, proceed to step C34);
step C34), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, administrator node A is written into the node system table stored in the node conversion contract and the role of the node is set to common node;
step C35), after the administrator node has audited the request to demote administrator node A to a common node: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the blockchain network;
step C36), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C37), the administrator node B judges whether more than half of the administrator nodes agree to demote administrator node A to a common node; if so, proceed to step C38), and if not, continue waiting;
step C38), the node conversion contract updates the system node table and deletes node A from the administrator node table.
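As an added illustration that is not part of the patent, the following Go program models the administrator audit of step D and the three role conversions of step C as one contract object: a request must pass the membership, current-role and signature checks before it becomes a proposal, each administrator's approval is a signature over the audit content, and the node system table changes only once more than half of the administrator nodes have signed. The Ed25519 keys, the string role names, the audit-message format and the field names are assumptions of this example, not the patent's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Node roles kept in the node system table (the patent's administrator, common and common black nodes).
const (
	Common = "common"
	Admin  = "administrator"
	Black  = "black"
)

// Node is one row of the node system table (field names are assumed, not the patent's).
type Node struct{ ID, Role string; Pub ed25519.PublicKey }

// Contract stands in for the admission / node-conversion contract and the node system table it keeps.
type Contract struct{ Table map[string]*Node }

// Proposal is one pending admission (step D) or role-conversion (step C) transaction.
type Proposal struct {
	Node    Node
	NewRole string
	Votes   map[string]bool // administrators whose signed audit has been accepted
	Applied bool
}

// auditMsg is the audit content that the applicant and each voting administrator sign (assumed format).
func auditMsg(target, newRole string) []byte {
	return []byte("audit|" + target + "|" + newRole)
}

// Propose runs the pre-vote checks (steps D1-D2, C13-C15, C22-C24, C32-C34): membership, current role,
// then signature. An absent node is admitted as a common node and signs itself; conversions are signed by B.
func (c *Contract) Propose(adminID string, target Node, newRole string, sig []byte) (*Proposal, error) {
	admin, ok := c.Table[adminID]
	if !ok || admin.Role != Admin {
		return nil, errors.New("proposer is not a known administrator node")
	}
	cur, exists := c.Table[target.ID]
	signer := admin.Pub
	switch {
	case !exists && newRole == Common: // admission (step D): node A signs its own request
		signer = target.Pub
	case !exists:
		return nil, errors.New("node not in the node system table") // C13 / C22 / C32
	case newRole == Black && cur.Role == Black,
		newRole == Admin && cur.Role != Common,
		newRole == Common && cur.Role != Admin:
		return nil, errors.New("current role does not allow this transition") // D1 / C14 / C23 / C33
	}
	if !ed25519.Verify(signer, auditMsg(target.ID, newRole), sig) {
		return nil, errors.New("signature check failed") // D2 / C15
	}
	return &Proposal{Node: target, NewRole: newRole, Votes: map[string]bool{}}, nil
}

// Vote records one administrator's signed audit (D4 / C17) and applies the proposal once more than half of the administrators have approved (D5-D6 / C18-C19).
func (c *Contract) Vote(p *Proposal, adminID string, sig []byte) (bool, error) {
	admin, ok := c.Table[adminID]
	if p.Applied || !ok || admin.Role != Admin {
		return false, errors.New("proposal closed, or voter is not an administrator node")
	}
	if !ed25519.Verify(admin.Pub, auditMsg(p.Node.ID, p.NewRole), sig) {
		return false, errors.New("audit signature check failed")
	}
	p.Votes[adminID] = true
	admins := 0
	for _, n := range c.Table {
		if n.Role == Admin {
			admins++
		}
	}
	if 2*len(p.Votes) <= admins {
		return false, nil // not yet more than half of the administrators: keep waiting
	}
	if n, exists := c.Table[p.Node.ID]; exists {
		n.Role = p.NewRole // role conversion (C19 / C28 / C38)
	} else {
		p.Node.Role = p.NewRole // admission (D6): node A enters the table as a common node
		c.Table[p.Node.ID] = &p.Node
	}
	p.Applied = true
	return true, nil
}

func main() {
	// Constructed sample: a single administrator B admits node A, so one signed audit is a majority.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	c := &Contract{Table: map[string]*Node{"B": {ID: "B", Role: Admin, Pub: pubB}}}
	p, err := c.Propose("B", Node{ID: "A", Pub: pubA}, Common, ed25519.Sign(privA, auditMsg("A", Common)))
	if err == nil {
		fmt.Println(c.Vote(p, "B", ed25519.Sign(privB, auditMsg("A", Common)))) // true <nil>
	}
}
```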
The substantial effect of this embodiment is as follows: a node that has obtained a digital certificate issued by a third party submits verification information containing its public key to the administrator nodes of the blockchain for audit, and once the audit has passed it can present a trusted credential through the blockchain. Trusted identity management is thus separated from a centralized management system, which removes the performance bottleneck of a central node. Through the conversions between node roles, a node that turns malicious can immediately be moved into the common black nodes, guaranteeing the reliability and security of trusted identity management. Blockchain autonomy is realized through the smart contract, improving the working efficiency and reliability of the blockchain.
The above-described embodiments are only preferred embodiments of the present invention, and are not intended to limit the present invention in any way, and other variations and modifications may be made without departing from the spirit of the invention as set forth in the claims.

Claims (8)

1. A trusted identity management method based on block chain technology is characterized in that,
the method comprises the following steps:
step A), importing a node system table and a node digital certificate issued by a third party, operating an initialization module, and obtaining an initialized blockchain node instance in which the digital certificate information is stored;
step B) initializing a plurality of node instances by using an initial node system table, establishing an initial block chain, recording a node list participating in consensus synchronization in an initial block stage by using the node system table, wherein the roles of the block chain nodes comprise an administrator node, a common node and a common black node;
step C), creating a smart contract running on the block chain, and realizing the role conversion of the block chain nodes through a consensus voting mechanism;
step D), a node A applying to join interacts offline with an existing node B; node A provides the hash value of its public key, its node BP address and its port information to node B offline, node B initiates an authority admission transaction application on the chain, the administrator nodes verify and audit it, and if the verification and audit of the majority of the administrator nodes pass, node A is admitted and the node system table is broadcast and updated.
2. The method for trusted identity management based on blockchain technology as claimed in claim 1,
the initialization module in the step A) executes the following steps:
step A1) initializing a configuration module, and obtaining configuration information containing a node system table from the configuration module;
step A2) initializing a certificate module, sending a node digital certificate issued by a third party to the certificate module, verifying after the certificate module receives the digital certificate, and returning an initialized TLS instance and a CA blacklist after the verification is passed;
step A3) initializes the P2P module, and sends the TLS instance and the content of the CA blacklist returned by the certificate module to the P2P module, and the P2P module returns an initialized P2P variable object, namely a P2P instance;
step A4) initializes the consensus synchronization module, sends the P2P instance and the node system table returned by the P2P module to the consensus synchronization module, and the consensus synchronization module returns an initialized node variable object, namely a node instance.
3. A method for trusted identity management based on blockchain technology according to claim 1 or 2,
in the step D), the node A applying for joining obtains a digital certificate issued by a third party, the node A provides the hash value, the node BP address and the port information of the public key to the node B, the node B initiates an authority admission transaction application contract on a chain, and the hash value, the node BP address and the port information of the public key of the node A are stored in the authority admission transaction application contract.
4. The method for trusted identity management based on blockchain technology as claimed in claim 2,
in step D), the method for verifying and auditing by the administrator node comprises the following steps:
step D1), checking whether node A already exists in the node system table; if so, the process of node A applying to join the block chain ends directly, and if not, proceeding to step D2);
step D2), the administrator node checking the signature of node A; if the check fails, a message that node A's application to join the block chain has failed is returned, and if it passes, node A is written into the node system table stored in the authority admission transaction application contract;
step D3), after the administrator node has audited node A's application: if it approves the request of node A to join the block chain, a transaction agreeing to admission is sent to the transaction pool of the administrator node, and the transaction pool broadcasts the transaction to all other nodes in the block chain; if it does not approve the request, a message that node A's application to join the block chain has failed is returned directly;
step D4), the authority admission transaction application contract updating the received data in real time; the administrator node signs the audit content with its own private key and executes the authority admission transaction application contract, and the audit count in the contract is increased by 1;
step D5), node B judging whether the audit count in the authority admission transaction application contract exceeds half of the number of administrator nodes; if so, proceeding to step D6), and if not, node B continues waiting;
step D6), adding the information of node A to the node system table and sending a node-system-table-updated event to the block chain; node B, which subscribes to that event on the block chain, completes the addition of node A.
5. A method for trusted identity management based on blockchain technology according to claim 1 or 2,
the node role conversions realized by the consensus voting mechanism in step C) comprise: converting a common node into a common black node, upgrading a common node to an administrator node, and demoting an administrator node to a common node; and the smart contract created to run on the block chain in step C) comprises a node conversion contract.
6. The method for trusted identity management based on block chain technology as claimed in claim 4,
in the step C), the method for converting the common node into the common black node comprises the following steps:
step C11), the administrator node B sends a request to the block chain to move the common node A of the block chain into the blacklist;
step C12), the node conversion contract receives the request and stores the data of the application;
step C13), the administrator nodes in the block chain check the request to move common node A into the blacklist: first, check whether node A exists in the node system table; if not, the process of moving common node A into the blacklist ends directly, and if so, proceed to step C14);
step C14), check whether the role of node A in the node system table is already common black node; if so, a message that moving common node A into the blacklist has failed is returned, and if not, proceed to step C15);
step C15), check the signature of the applicant; if the check fails, the transaction application fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to black node;
step C16), after the administrator node has audited the request to move common node A into the blacklist: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the block chain;
step C17), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C18), the administrator node B judges whether more than half of the administrator nodes agree to move common node A into the blacklist; if so, proceed to step C19), and if not, continue waiting;
step C19), the node conversion contract updates the system node table and the blacklist and sends an event to the administrator node B; on receiving the event notification from the node conversion contract, administrator node B disconnects common node A from the block chain.
7. The method for trusted identity management based on block chain technology as claimed in claim 4,
in step C), the method for upgrading the common node into the administrator node comprises the following steps:
step C21), the administrator node B sends a request to the block chain to upgrade the common node A of the block chain to an administrator node;
step C22), the administrator nodes in the block chain check the request: first, check whether node A exists in the node system table; if not, the process of upgrading common node A to an administrator node ends directly, and if so, proceed to step C23);
step C23), the administrator node further checks whether the role of node A in the node system table is common node; if not, a message that upgrading common node A to an administrator node has failed is returned, and if it is a common node, proceed to step C24);
step C24), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, common node A is written into the node system table stored in the node conversion contract and the role field of the node is set to administrator node;
step C25), after the administrator node has audited the request to upgrade common node A to an administrator node: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the block chain network;
step C26), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C27), the administrator node B judges whether more than half of the administrator nodes agree to upgrade common node A to an administrator node; if so, proceed to step C28), and if not, continue waiting;
step C28), the node conversion contract updates the system node table and adds node A to the administrator node table.
8. The method for trusted identity management based on block chain technology as claimed in claim 4,
in the step C), the method for demoting an administrator node to a common node comprises the following steps:
step C31), the administrator node B sends a request to the block chain network to demote the administrator node A of the network to a common node;
step C32), the administrator nodes in the network check the request: first, check whether node A exists in the node system table; if not, the process of demoting administrator node A to a common node ends directly, and if so, proceed to step C33);
step C33), the administrator node further checks whether the role field of node A in the node system table is administrator node; if not, a message that demoting administrator node A to a common node has failed is returned, and if so, proceed to step C34);
step C34), the administrator node verifies the signature of the applicant; if the verification fails, the application transaction fails, and if it passes, administrator node A is written into the node system table stored in the node conversion contract and the role of the node is set to common node;
step C35), after the administrator node has audited the request to demote administrator node A to a common node: if it does not approve, the application transaction is still recorded on the chain; if it approves, a transaction agreeing to the request is sent to the transaction pool of the administrator node, and the transaction pool then broadcasts the transaction to all other nodes in the block chain network;
step C36), the node conversion contract updates the received data in real time; the administrator node signs the audit content with its own private key and executes the node conversion contract, and the audit count in the node conversion contract is increased by 1;
step C37), the administrator node B judges whether more than half of the administrator nodes agree to demote administrator node A to a common node; if so, proceed to step C38), and if not, continue waiting;
step C38), the node conversion contract updates the system node table and deletes node A from the administrator node table.
CN202010850694.3A 2020-08-21 2020-08-21 Trusted identity management method based on block chain technology Active CN112118231B (en)

Publications (2)

Publication Number Publication Date
CN112118231A true CN112118231A (en) 2020-12-22
CN112118231B CN112118231B (en) 2022-06-10

Zhao et al. A novel decentralized cross‐domain identity authentication protocol based on blockchain
Xie et al. A novel blockchain-based and proxy-oriented public audit scheme for low performance terminal devices
CN113221175A (en) Authorization method and system based on block chain
KR102294569B1 (en) Block Chain Management System To Build Block Chain Network
CN115526629A (en) Receipt transaction method and device based on block chain network and identity authentication device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Trusted Identity Management Method Based on Blockchain Technology

Effective date of registration: 20220825

Granted publication date: 20220610

Pledgee: Bank of Beijing Limited by Share Ltd. Hangzhou branch

Pledgor: ZHEJIANG SHUQIN TECHNOLOGY CO.,LTD.

Registration number: Y2022330001899