Disclosure of Invention
In view of the foregoing, it is necessary to provide a blockchain node device, an authentication method, an apparatus, and a storage medium thereof. By embedding or integrating a hardware token chip in the blockchain node device, the token is bound to the blockchain node device, the security of the authentication information is improved, and authentication of the blockchain node device can be performed automatically.
To achieve the above object, a first aspect of the present invention provides a blockchain node device in which a blockchain program is installed, the blockchain node device further comprising a hardware token chip and a hardware token driver;
the blockchain program is used for calling the hardware token driver when the blockchain node device triggers node authentication;
the hardware token driver is used for calling, when called, a reading interface in the hardware token chip and reading first authentication information obtained by operation of the hardware token chip;
the hardware token chip is used for obtaining the first authentication information through operation and returning the first authentication information to the hardware token driver;
the blockchain program is further used for generating second authentication information containing the first authentication information after reading the first authentication information returned by the hardware token driver, and sending an authentication request carrying the second authentication information to an authentication server of the blockchain network.
In an alternative embodiment, the hardware token driver is located at the operating system kernel layer, and the hardware token chip is mounted on the motherboard and connected to a bus of the motherboard.
In an alternative embodiment, the hardware token chip performs its operation to obtain the first authentication information when called by the hardware token driver; alternatively, the hardware token chip periodically and automatically performs the calculation to obtain the first authentication information.
To achieve the above object, a second aspect of the present invention provides a blockchain node device authentication method, which is applied to a blockchain node device with a built-in hardware token chip, the method including:
when the blockchain node device triggers node authentication, acquiring first authentication information obtained by operation of the hardware token chip;
generating second authentication information containing the first authentication information;
sending an authentication request carrying the second authentication information to an authentication server in a blockchain network;
and receiving an authentication result returned after the authentication server verifies the authentication request.
In an optional embodiment, the acquiring the first authentication information obtained by the operation of the hardware token chip includes:
calling a reading interface in the hardware token chip through a hardware token driver to read the first authentication information obtained by the operation of the hardware token chip.
In an optional embodiment, the acquiring the first authentication information obtained by the operation of the hardware token chip includes:
acquiring the time at which the blockchain node device triggers node authentication;
and calculating over the time and a random number with a prestored cryptographic algorithm to obtain a data result, which is used as the first authentication information.
In an alternative embodiment, the generating the second authentication information containing the first authentication information includes:
acquiring a pre-stored target field, wherein the target field comprises a communication protocol;
and encapsulating the target field and the first authentication information according to a structure specified by a message standard to generate the second authentication information.
In an alternative embodiment, after the generating the second authentication information containing the first authentication information, the method further comprises:
encoding the second authentication information according to a preset format;
and the sending the authentication request carrying the second authentication information to an authentication server in a blockchain network includes: sending an authentication request carrying the encoded second authentication information to an authentication server in the blockchain network.
In an alternative embodiment, the blockchain node device triggers node authentication in one or more of the following ways:
when start-up of the blockchain node device is detected, determining that the blockchain node device triggers node authentication;
when the blockchain node device is detected to request a blockchain transaction, determining that the blockchain node device triggers node authentication.
In an alternative embodiment, the method further comprises:
if the authentication result is that the blockchain node device is successfully authenticated, accessing the blockchain network.
To achieve the above object, a third aspect of the present invention provides a blockchain node device authentication apparatus that operates in a blockchain node device having a hardware token chip built therein, the apparatus comprising:
an operation module, used for acquiring first authentication information obtained by operation of the hardware token chip when the blockchain node device triggers node authentication;
a generation module, used for generating second authentication information containing the first authentication information;
a sending module, used for sending an authentication request carrying the second authentication information to an authentication server in the blockchain network;
and a receiving module, used for receiving an authentication result returned after the authentication server verifies the authentication request.
To achieve the above object, a fourth aspect of the present invention provides a blockchain node device including a processor and a memory, the memory storing a blockchain node device authentication program executable on the processor, the blockchain node device authentication program implementing the blockchain node device authentication method when executed by the processor.
To achieve the above object, a fifth aspect of the present invention provides a computer-readable storage medium having stored thereon a blockchain node device authentication program executable by one or more processors to implement the blockchain node device authentication method.
According to the technical scheme, the blockchain node device, the blockchain node device authentication method, the blockchain node device authentication apparatus and the storage medium embed or integrate the hardware token chip in the blockchain node device, so that the token is bound to the blockchain node device. The hardware token chip has the properties of dynamism (the authentication information generated each time is different), randomness (the authentication information generated each time is random and unpredictable), disposability (the generated authentication information can be used only once and cannot be reused), theft resistance and non-replicability, among others, so the security of the authentication information is ensured and the authentication information cannot be stolen, lost or transferred. In addition, the hardware token chip provides a reading interface for the authentication information, so the generated authentication information can be read by the blockchain program; when the blockchain node device triggers node authentication, an authentication request can be generated automatically and sent to the authentication server in the blockchain network, and the node authentication process proceeds automatically without manual intervention. After node authentication is passed, the blockchain node device is qualified to establish connections with the other blockchain node devices in the blockchain network and participate in consensus, so that the security of the blockchain network is improved as a whole and the blockchain node devices connected to the blockchain network are ensured to be standardized trusted hardware.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will be more clearly understood, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. It should be noted that, without conflict, the embodiments of the present invention and features in the embodiments may be combined with each other.
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Example 1
Referring to fig. 1 and fig. 2, a blockchain node device according to a preferred embodiment of the present invention is shown.
The blockchain node device 100 needs to pass the verification of the blockchain network 200 before it can access the blockchain network 200. When the blockchain network 200 verifies that the blockchain node device 100 is legitimate, the blockchain node device 100 is successfully admitted into the blockchain network 200; when the blockchain network 200 verifies that the blockchain node device 100 is illegitimate, the blockchain node device 100 is denied access to the blockchain network 200.
In this embodiment, the blockchain node device 100 refers to a computer on which the blockchain program 10 and the hardware token driver 12 are installed, which integrates or embeds the hardware token chip 14, and which can participate in blockchain consensus and accounting. In the layered architecture of the blockchain node device 100, the blockchain program 10 belongs to the application layer, the hardware token driver 12 belongs to the operating system kernel layer, and the hardware token chip 14 belongs to the hardware layer.
The blockchain program 10 is a software program running at the application layer and is responsible for the consensus and accounting logic of the blockchain node device 100; when the blockchain node device 100 triggers node authentication, it calls the hardware token driver 12 to read the first authentication information obtained by operation of the hardware token chip 14.
The hardware token driver 12 is a driver module located at the kernel layer of the operating system, and provides an application programming interface (API) to the blockchain program 10 at the application layer. When called by the blockchain program 10, the hardware token driver 12 calls a reading interface in the hardware token chip 14, reads the first authentication information obtained by operation of the hardware token chip 14, and returns the first authentication information to the blockchain program 10.
The hardware token chip 14 is integrated or embedded on the motherboard of the blockchain node device 100 and is connected to a bus of the motherboard, such as an Inter-Integrated Circuit (I2C) bus, a Serial Peripheral Interface (SPI) bus, or another suitable computer bus. The hardware token chip 14 stores a token in advance, and when called by the hardware token driver it obtains the first authentication information by calculating over the time and a random number with a prestored cryptographic algorithm. The generated first authentication information can be recognized and read by the hardware token driver 12, but cannot be written or modified. If the hardware token chip 14 is forcibly removed, the first authentication information is lost and the function is disabled; even if the chip is installed in another computer, its first authentication information can no longer be read.
In some embodiments, the hardware token chip 14 may include, but is not limited to: a password generation chip, an algorithm coprocessor, a data memory, and bus pins with corresponding signal processors (for example, pins and signal processors conforming to the I2C bus protocol are required if the chip is to be attached to an I2C bus). The password generation chip runs a dedicated password algorithm and generates the current password according to the current time or the number of uses; the algorithm coprocessor carries out the operations of the authentication algorithm; the data memory stores the security key and data; the bus pins and corresponding signal processors connect to the bus of the computer motherboard and are responsible for exchanging data with the kernel driver.
The blockchain program 10 is further configured to generate second authentication information containing the first authentication information after reading the first authentication information returned by the hardware token driver, and to send an authentication request carrying the second authentication information to an authentication server of the blockchain network 200.
In an alternative embodiment, the blockchain program 10 is further configured to encode the second authentication information according to a preset format after generating it, and to send an authentication request carrying the encoded second authentication information to the authentication server of the blockchain network 200.
As shown in fig. 2, an authentication server 20 and several blockchain node devices 22 may be present in the blockchain network 200. The blockchain node devices 22 are interconnected by peer-to-peer (P2P) connections to form the blockchain network 200. The authentication server 20 is responsible for receiving the authentication request sent by the blockchain node device 100 and verifying its validity. If the authentication server 20 verifies that the authentication request is valid, it confirms that the blockchain node device 100 is a trusted node and returns to the blockchain node device 100 an authentication result indicating that authentication succeeded. If the authentication server 20 verifies that the authentication request is invalid, it confirms that the blockchain node device 100 is an untrusted node and returns to the blockchain node device 100 an authentication result indicating that authentication failed. The authentication server 20 may be built into the blockchain network 200 or be an integrated third-party authentication service.
In this embodiment, the hardware token chip 14 is integrated or embedded in the blockchain node device 100, so that the hardware token chip 14 is bound to the blockchain node device 100, which secures the token; in addition, the authentication information in the hardware token chip can be read by an application program, so no manual intervention is needed in the subsequent authentication process, and the authentication information cannot be stolen, lost or transferred. By authenticating the blockchain node device 100 on the basis of the hardware token chip 14, the blockchain network 200 can ensure that the blockchain node devices admitted to it or participating in consensus are standardized trusted hardware.
Example 2
Referring to fig. 3, a flowchart of a preferred embodiment of a blockchain node device authentication method according to the present invention is shown.
The blockchain node device authentication method is applied to the blockchain node device; the order of the steps in the flowchart may be changed according to different requirements, and certain steps may be omitted.
S31, when the blockchain node device triggers node authentication, acquiring first authentication information obtained by operation of the hardware token chip.
In the embodiment of the invention, the blockchain program, the hardware token driver and the integrated or embedded hardware token chip are installed in the blockchain node device.
When the blockchain node device triggers node authentication, the blockchain program calls the read interface of the hardware token driver, the hardware token driver calls the read interface of the hardware token chip, and the hardware token chip generates the first authentication information when it detects the call signal; after the hardware token driver reads the first authentication information obtained by operation of the hardware token chip, it returns the first authentication information to the blockchain program, which reads it.
It should be appreciated that the read parameters of the hardware token driver's read interface, called by the blockchain program, are not the same as the read parameters of the hardware token chip's read interface, called by the hardware token driver. The read interface of the hardware token driver encapsulates information for the blockchain program, whereas the read interface of the hardware token chip encapsulates information for the hardware token driver.
In an alternative embodiment, the blockchain node device may trigger node authentication in one or more of the following ways:
when start-up of the blockchain node device is detected, determining that the blockchain node device triggers node authentication;
when the blockchain node device is detected to request a blockchain transaction, determining that the blockchain node device triggers node authentication.
In this alternative embodiment, typically, when the blockchain node device initiates a connection to a blockchain network, the blockchain network needs to authenticate the blockchain node device to determine whether it is a trusted node. Alternatively, when the blockchain node device needs to conduct a blockchain transaction, the transaction information is placed in a data packet and broadcast to the blockchain network, and the blockchain network performs identity authentication on the blockchain node device to determine whether it is a trusted node.
In an optional embodiment, the acquiring the first authentication information obtained by the operation of the hardware token chip includes:
acquiring the time at which the blockchain node device triggers node authentication;
and calculating over the time and a random number with a prestored cryptographic algorithm to obtain a data result, which is used as the first authentication information.
In this alternative embodiment, the hardware token chip has a token pre-stored therein, for example: key tokens based on Public Key Infrastructure (PKI) technology, challenge/response based tokens and dynamic password based tokens.
Because the time interval between the blockchain node device triggering node authentication and the hardware token driver calling the hardware token chip is almost negligible, the time at which the hardware token driver calls the read interface of the hardware token chip can be used as the time at which the blockchain node device triggers node authentication. When the hardware token driver calls the read interface of the hardware token chip, the hardware token chip obtains the call time, performs a cryptographic operation on the call time and the generated random number with a cryptographic algorithm, and returns the calculated data result to the hardware token driver as the first authentication information. The cryptographic operation is prior art and is not described in detail herein.
The random number is an unpredictable number that the hardware token chip generates using a dedicated algorithm. Because uncertain factors such as the time and the random number are included in the first authentication information, the first authentication information can be used only once, so an attacker cannot obtain valid first authentication information by stealing a password or by a replay attack, and the security of the first authentication information obtained by operation of the hardware token chip is higher.
When the authentication server of the blockchain network receives the authentication request, it generates a random number and performs the cryptographic operation with the same cryptographic algorithm; whether the authentication request is valid is determined by comparing whether the generated random number is the same as the random number in the received authentication request. If the generated random number is the same as the random number in the received authentication request, the authentication server determines that the authentication request is valid; if it is different, the authentication server determines that the authentication request is invalid.
S32, generating second authentication information containing the first authentication information.
In the embodiment of the invention, after the blockchain program reads the first authentication information, the first authentication information is not sent directly to the authentication server of the blockchain network for verification; instead, second authentication information that meets the requirements is generated from the first authentication information and then sent to the authentication server of the blockchain network.
In an alternative embodiment, the generating the second authentication information containing the first authentication information includes:
acquiring a pre-stored target field, wherein the target field comprises a communication protocol;
and encapsulating the target field and the first authentication information according to a structure specified by a message standard to generate the second authentication information.
In this alternative embodiment, the blockchain program reads the pre-stored target field and generates the second authentication information by combining it with the first authentication information.
The target fields may include, but are not limited to: a message version number, the authentication purpose, a computer device identifier, the Internet Protocol (IP) address of the computer, the Media Access Control (MAC) address of the computer, the communication protocol, and the like.
In an alternative embodiment, after the generating the second authentication information containing the first authentication information, the method further comprises:
encoding the second authentication information according to a preset format.
The blockchain node device encodes, e.g., compresses or encrypts, the generated second authentication information according to the format in which information is transmitted in the blockchain network, so that the second authentication information can be transmitted into the blockchain network. The sending the authentication request carrying the second authentication information to the authentication server in the blockchain network is then: sending an authentication request carrying the encoded second authentication information to the authentication server in the blockchain network.
S33, sending an authentication request carrying the second authentication information to an authentication server in the blockchain network.
After the blockchain node device encodes the second authentication information, it sends an authentication request to the blockchain network, the authentication request carrying the encoded second authentication information.
After receiving the authentication request, the blockchain network forwards it to the authentication server for verification, to determine whether the blockchain node device is a trusted node.
S34, receiving an authentication result returned after the authentication server verifies the authentication request.
If the authentication server verifies that the authentication request is valid, it confirms that the blockchain node device is a trusted node and returns to the blockchain node device an authentication result indicating that authentication succeeded. If the authentication server verifies that the authentication request is invalid, it confirms that the blockchain node device is an untrusted node and returns to the blockchain node device an authentication result indicating that authentication failed.
The authentication server verifies the authentication request according to a token algorithm, such as a key token based on Public Key Infrastructure (PKI) technology, a challenge/response token or a dynamic password token; the specific verification methods belong to the prior art and are not described herein.
In an optional embodiment, if the authentication result is that the blockchain node device was authenticated successfully, the method further includes:
accessing the blockchain network.
In this optional embodiment, when the blockchain node device needs to access the blockchain network, the blockchain network needs to verify an authentication request. If the authentication succeeds, indicating that the blockchain node device is authenticated, the blockchain node device may send an access request carrying the authentication result to the blockchain network; after receiving the access request, the blockchain network responds to it and verifies the authentication result. When the verification passes, the blockchain network allows the blockchain node device to access it, and the blockchain node device accesses the blockchain network upon receiving the allowing response of the blockchain network.
In an alternative embodiment, when the verification fails, the blockchain network prohibits the blockchain node device from accessing it, and the blockchain node device may send an authentication request to the authentication server in the blockchain network again upon receiving the prohibition response of the blockchain network.
In summary, the blockchain node device authentication method of the invention embeds or integrates the hardware token chip in the blockchain node device, so that the token is bound to the blockchain node device. Because the hardware token chip has the properties of dynamism (the authentication information generated each time is different), randomness (the authentication information generated each time is random and unpredictable), disposability (the generated authentication information can be used only once and cannot be reused), theft resistance and non-replicability, among others, the security of the authentication information is ensured and the authentication information cannot be stolen, lost or transferred. In addition, the hardware token chip provides a reading interface for the authentication information, so the generated authentication information can be read by the blockchain program; when the blockchain node device triggers node authentication, an authentication request can be generated automatically and sent to the authentication server in the blockchain network, and the node authentication process proceeds automatically without manual intervention. After node authentication is passed, the blockchain node device is qualified to establish connections with the other blockchain node devices in the blockchain network and participate in consensus, so that the security of the blockchain network is improved as a whole and the blockchain node devices connected to the blockchain network are ensured to be standardized trusted hardware.
For further explanation of the blockchain node device authentication method of the present invention, please refer to fig. 4, which is a signaling diagram illustrating a preferred embodiment of a blockchain network authentication of a blockchain node device.
S41, when the blockchain node device triggers node authentication, the blockchain program calls the reading interface of the hardware token driver.
S42, the hardware token driver calls the reading interface of the hardware token chip.
S43, the hardware token chip calculates the first authentication information and returns it to the hardware token driver.
S44, the hardware token driver reads the first authentication information and returns it to the blockchain program.
S45, the blockchain program reads the first authentication information and generates second authentication information containing the first authentication information.
S46, the blockchain program encodes the second authentication information according to a preset format and sends an authentication request carrying the encoded second authentication information to the authentication server in the blockchain network.
S47, the authentication server performs validity verification on the authentication request to obtain an authentication result.
S48, the authentication server returns the authentication result to the blockchain program.
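The S31 to S34 method and the S41 to S48 exchange, as an added simulation that is not part of the patent: the patent leaves the prestored cryptographic algorithm, the message standard and the preset encoding unspecified, so the HMAC-SHA256 over call time and random number, the JSON plus zlib encoding, the 30-second acceptance window and the server's record of used (time, random) pairs are all assumptions of this example.

```python
"""Simulation of the S41-S48 exchange, layered as chip / driver / program / server (fig. 1).

Assumptions (the patent leaves them unspecified): the prestored cryptographic algorithm is
HMAC-SHA256 over (call time, random number) with a token key that never leaves the chip; the
server holds the same key, recomputes the value and records accepted (time, random) pairs.
"""
import hashlib
import hmac
import json
import secrets
import time
import zlib

MESSAGE_VERSION = 1        # assumed message-standard version field
TIME_WINDOW_SECONDS = 30   # assumed tolerance between the chip's call time and the server clock


class HardwareTokenChip:
    """Hardware layer: stores the token and exposes a read interface only (no write/modify)."""
    def __init__(self, token_key: bytes):
        self._token_key = token_key

    def read(self, call_time: int) -> dict:
        random_number = secrets.token_hex(16)          # fresh, unpredictable per call
        message = f"{call_time}:{random_number}".encode()
        digest = hmac.new(self._token_key, message, hashlib.sha256).hexdigest()
        return {"time": call_time, "random": random_number, "digest": digest}


class HardwareTokenDriver:
    """Kernel layer: calls the chip's read interface and repackages the result (S42-S44)."""
    def __init__(self, chip: HardwareTokenChip):
        self._chip = chip

    def read_first_auth_info(self) -> dict:
        call_time = int(time.time())   # the call time stands in for the trigger time
        return self._chip.read(call_time)


class BlockchainProgram:
    """Application layer: wraps the first information in the target fields and encodes it (S45-S46)."""
    def __init__(self, driver: HardwareTokenDriver, target_fields: dict):
        self._driver = driver
        self._target_fields = target_fields   # device id, IP, MAC, protocol, ...

    def build_request(self) -> bytes:
        second_auth_info = {
            "version": MESSAGE_VERSION,
            "purpose": "node_authentication",
            **self._target_fields,
            "first_auth_info": self._driver.read_first_auth_info(),
        }
        # "encode according to a preset format": here JSON followed by zlib compression
        return zlib.compress(json.dumps(second_auth_info, sort_keys=True).encode())


class AuthenticationServer:
    """Verifies with the same algorithm; rejects malformed, forged, stale or replayed requests (S47)."""
    def __init__(self, token_key: bytes, clock=time.time):
        self._token_key = token_key
        self._clock = clock
        self._seen = set()   # (time, random) pairs already accepted

    def verify(self, request: bytes) -> str:
        try:
            second = json.loads(zlib.decompress(request))
            first = second["first_auth_info"]
            call_time, random_number = int(first["time"]), str(first["random"])
            digest = str(first["digest"])
        except (zlib.error, ValueError, KeyError, TypeError):
            return "failure"             # wrong encoding or message structure
        if second.get("version") != MESSAGE_VERSION:
            return "failure"             # target field does not match the message standard
        message = f"{call_time}:{random_number}".encode()
        expected = hmac.new(self._token_key, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return "failure"             # forged, or computed by a chip with another token
        if abs(int(self._clock()) - call_time) > TIME_WINDOW_SECONDS:
            return "failure"             # outside the acceptance window
        if (call_time, random_number) in self._seen:
            return "failure"             # replay: first information may be used once only
        self._seen.add((call_time, random_number))
        return "success"


def simulate(token_key: bytes = b"constructed-demo-token-key") -> dict:
    """Fresh, replayed and foreign-chip requests against one server; returns the three results."""
    fields = {"device_id": "node-0001", "ip": "192.0.2.10",        # constructed sample values
              "mac": "02:00:00:00:00:01", "protocol": "tcp"}
    program = BlockchainProgram(HardwareTokenDriver(HardwareTokenChip(token_key)), fields)
    foreign = BlockchainProgram(HardwareTokenDriver(HardwareTokenChip(b"other-chip-key")), fields)
    server = AuthenticationServer(token_key)
    request = program.build_request()
    return {"fresh": server.verify(request),                # success
            "replay": server.verify(request),               # failure: already used
            "foreign_chip": server.verify(foreign.build_request())}   # failure: other token
```

Calling simulate() shows the disposability property the patent claims: the same encoded request is accepted once and rejected when presented again, and a request produced with a different token key never verifies.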
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.
Example III
Referring to fig. 5, fig. 5 is a functional block diagram of a block link point device authentication apparatus according to a preferred embodiment of the present invention.
In some embodiments, the blockchain node device authentication means operates in a blockchain node device. The blockchain node device authentication apparatus may include a plurality of functional modules that are comprised of program code segments. Program code for each program segment in the blockchain node device authentication apparatus may be stored in memory and executed by at least one processor to perform some or all of the steps in the blockchain node device authentication method described in fig. 3.
In this embodiment, the blockchain node device authentication apparatus 50 may be divided into a plurality of functional modules according to the functions performed by the same. The functional module may include: the device comprises an operation module 501, a generation module 502, an encoding module 503, a sending module 504, a receiving module 505 and an access module 506. The module referred to in the present invention refers to a series of computer program segments capable of being executed by at least one processor and of performing a fixed function, stored in a memory. In some embodiments, the function of each module will be described in detail in the following embodiments.
The operation module 501 is configured to obtain, when the blockchain node device triggers node authentication, the first authentication information computed by the hardware token chip.
In the embodiment of the invention, the blockchain program, the hardware token driver and the integrated or embedded hardware token chip are installed in the blockchain node device.
When the blockchain node device triggers node authentication, the blockchain program calls the read interface of the hardware token driver, the hardware token driver in turn calls the read interface of the hardware token chip, and the hardware token chip computes the first authentication information when it detects the call. The hardware token driver reads the computed result and returns it to the blockchain program, which then holds the first authentication information.
It should be appreciated that the read parameters of the driver's read interface, as called by the blockchain program, differ from the read parameters of the chip's read interface, as called by the driver: the driver's interface packages the information for the blockchain program, while the chip's interface packages it for the driver. Only the computed first authentication information crosses these interfaces; the token material pre-stored in the chip is not read out through either of them.
In an alternative embodiment, the blockchain node device may trigger node authentication under one or more of the following conditions:
when start-up of the blockchain node device is detected, the blockchain node device is determined to trigger node authentication;
when the blockchain node device is detected to request a blockchain transaction, the blockchain node device is determined to trigger node authentication.
In this alternative embodiment, when the blockchain node device initiates a connection to a blockchain network, the network typically needs to authenticate the device to determine whether it is a trusted node. Likewise, when the device needs to conduct a blockchain transaction, it places the transaction information in a data packet and broadcasts it to the network, and the network authenticates the identity of the device to determine whether it is a trusted node.
In an optional embodiment, obtaining the first authentication information computed by the hardware token chip includes:
acquiring the time at which the blockchain node device triggered node authentication;
computing, with a pre-stored cryptographic algorithm, a data result over that time and a random number, and using the data result as the first authentication information.
In this alternative embodiment, the hardware token chip has a token pre-stored in it, for example a KEY token based on public key infrastructure (PKI) technology, a challenge/response token or a dynamic password token.
Because the interval between the blockchain node device triggering node authentication and the hardware token driver calling the hardware token chip is negligible, the time at which the driver calls the chip's read interface can be used as the time at which node authentication was triggered. When its read interface is called by the driver, the chip takes the call time, performs a cryptographic operation over the call time and a freshly generated random number using its pre-stored algorithm, and returns the result to the driver as the first authentication information. The cryptographic operation itself is prior art and is not described in detail here.
The random number is an unpredictable value produced by the hardware token chip's own random number generator. Because the first authentication information incorporates the time and the random number, each value is valid once only, so an attacker cannot obtain a usable first authentication information by stealing a static password or by replaying a captured value. This one-time property holds only if the authentication server actually rejects values outside a freshness window and values it has already accepted; with those checks in place the security of the first authentication information computed by the chip is high.
When the authentication server of the blockchain network receives an authentication request, it derives the same one-time value with the same cryptographic algorithm and compares it with the value carried in the request: if the two match, the server determines that the authentication request is valid; if they differ, it determines that the request is invalid. For the server to derive the same value it must hold the same seed or key as the chip and know the time and random number the chip used (either because the request carries them or because the two sides keep their clocks and counters synchronized, as with a dynamic password token). A PKI-based KEY token is checked differently: the chip signs the time and random number with its private key and the server verifies the signature with the device's certificate, so no secret needs to be shared with the server.
The generation module 502 is configured to generate second authentication information containing the first authentication information.
In the embodiment of the invention, after the blockchain program has read the first authentication information, it does not send it directly to the authentication server of the blockchain network for verification; instead it generates second authentication information that meets the network's requirements from the first authentication information and sends that to the authentication server.
In an alternative embodiment, the generating module 502 generates the second authentication information including the first authentication information includes:
acquiring a pre-stored target field, wherein the target field comprises a communication protocol;
and encapsulating the target field and the first authentication information according to a structure specified by a message standard to generate the second authentication information.
In this alternative embodiment, the blockchain program reads the pre-stored target fields and combines them with the first authentication information to generate the second authentication information.
The target fields may include, but are not limited to: message version number, authentication purpose, device identifier, Internet Protocol (IP) address of the device, Media Access Control (MAC) address of the device, communication protocol, and so on.
The encoding module 503 is configured to encode the second authentication information according to a preset format.
The blockchain node device encodes the generated second authentication information, for example by compressing or encrypting it, according to the format in which information is transmitted in the blockchain network, so that the second authentication information can be carried into the network. Compression only serves transport; if the device identifier, IP address and MAC address fields are not to be readable on the wire, the encoding must include encryption or the request must be sent over an encrypted transport.
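The following is an added example, not code from the patent or from any product it describes, covering in one runnable piece the computation of the first authentication information over call time and random number, the encapsulation of the target fields into the second authentication information, the preset encoding, and the server-side check. The patent fixes none of the concrete choices, so all of them are assumptions here: the chip is simulated by a class holding a 32-byte secret provisioned at manufacture, the cryptographic operation is HMAC-SHA256 over the call time and a 16-byte random number (the shared-secret token variant; a PKI token would sign instead), the message structure is a dictionary with the target fields listed in the text plus the first authentication information, the preset format is zlib-compressed canonical JSON, and the server enforces a 30-second freshness window and remembers accepted random numbers to reject replays. Device names, secrets and field values are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
import zlib


class HardwareTokenChip:
    """Stand-in for the hardware token chip. Assumption: a 32-byte secret provisioned
    at manufacture that never leaves the chip; HMAC-SHA256 over call time || random
    number plays the role of the page's unspecified cryptographic operation."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def read(self, call_time=None):
        """Read interface: returns the first authentication information."""
        t = int(time.time() if call_time is None else call_time)
        nonce = secrets.token_bytes(16)          # unpredictable random number from the chip
        mac = hmac.new(self._secret, struct.pack(">Q", t) + nonce, hashlib.sha256).digest()
        return {"time": t, "nonce": nonce.hex(), "mac": mac.hex()}


def build_second_auth_info(first, target_fields):
    """Encapsulate the pre-stored target fields with the first authentication
    information (the message structure is an assumption, not the page's)."""
    msg = dict(target_fields)
    msg["first_auth"] = first
    return msg


def encode(msg):
    """Assumed preset format: canonical JSON, zlib-compressed. Compression is not
    confidentiality; send the result over TLS or encrypt it if the fields matter."""
    return zlib.compress(json.dumps(msg, sort_keys=True).encode())


def decode(blob):
    return json.loads(zlib.decompress(blob))


class AuthServer:
    """Authentication server holding each device's chip secret (shared-secret variant)."""

    def __init__(self, device_secrets, window=30):
        self._secrets = device_secrets   # device_id -> chip secret
        self._window = window            # accepted clock skew in seconds
        self._seen = set()               # (device_id, nonce) pairs already accepted

    def verify(self, blob, now=None):
        try:
            msg = decode(blob)
            first = msg["first_auth"]
            dev = msg["device_id"]
            t = int(first["time"])
            nonce = bytes.fromhex(first["nonce"])
            mac = bytes.fromhex(first["mac"])
        except (KeyError, TypeError, ValueError, zlib.error):
            return "invalid"
        secret = self._secrets.get(dev)
        if secret is None:
            return "unknown_device"
        now = int(time.time() if now is None else now)
        if abs(now - t) > self._window:
            return "stale"                 # outside the freshness window
        expected = hmac.new(secret, struct.pack(">Q", t) + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad_mac"               # wrong key, or time/nonce tampered with
        if (dev, nonce) in self._seen:
            return "replay"                # one-time value presented a second time
        self._seen.add((dev, nonce))
        return "ok"


def run_exchange(now=1_700_000_000):
    """Constructed end-to-end exchange; returns the server's verdict for each case."""
    secret_a = bytes(range(32))                       # constructed secret inside node-A's chip
    chip = HardwareTokenChip(secret_a)
    server = AuthServer({"node-A": secret_a, "node-B": bytes(32)}, window=30)
    fields = {"version": 1, "purpose": "node_auth", "device_id": "node-A",
              "ip": "10.0.0.5", "mac_addr": "02:00:00:00:00:05", "protocol": "tcp"}
    results = {}
    first = chip.read(call_time=now)
    blob = encode(build_second_auth_info(first, fields))
    results["fresh"] = server.verify(blob, now=now)                 # accepted
    results["replay"] = server.verify(blob, now=now + 1)            # same value again
    old = build_second_auth_info(chip.read(call_time=now - 600), fields)
    results["stale"] = server.verify(encode(old), now=now)          # ten minutes old
    stolen = build_second_auth_info(first, dict(fields, device_id="node-B"))
    results["wrong_device"] = server.verify(encode(stolen), now=now)  # node-A's value, node-B's name
    return results


if __name__ == "__main__":
    print(run_exchange())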
The sending module 504 is configured to send an authentication request carrying the second authentication information to an authentication server in the blockchain network, or, where the encoding module is used, an authentication request carrying the encoded second authentication information.
After the blockchain node device encodes the second authentication information, it sends an authentication request to the blockchain network carrying the encoded second authentication information.
After receiving the authentication request, the blockchain network forwards it to the authentication server for verification, to determine whether the blockchain node device is a trusted node.
The receiving module 505 is configured to receive the authentication result returned by the authentication server after it verifies the authentication request.
If the authentication server finds the authentication request valid, it confirms that the blockchain node device is a trusted node and returns an authentication result indicating that authentication of the blockchain node device succeeded. If it finds the request invalid, it confirms that the blockchain node device is an untrusted node and returns an authentication result indicating that authentication of the blockchain node device failed.
The authentication server verifies the authentication request according to the token algorithm in use, for example a KEY token based on public key infrastructure (PKI) technology, a challenge/response token or a dynamic password token; the specific verification methods are prior art and are not described here.
In an optional embodiment, if the authentication result indicates that authentication of the blockchain node device succeeded, the apparatus further includes:
an access module 506 for accessing the blockchain network.
In this optional embodiment, when the blockchain node device needs to access the blockchain network, the network first verifies its authentication request. If the result indicates that the device was authenticated successfully, the device may send an access request carrying the authentication result to the blockchain network; on receiving the access request, the network responds to it and verifies the authentication result. When that verification passes, the network allows the device to access it, and the device joins the network on receiving the network's allow response. Because the authentication result is presented by the device itself, the network must be able to confirm that it genuinely originates from the authentication server, for example by checking a signature of the server on the result or by querying the server, rather than accepting the device's own claim.
In an alternative embodiment, when verification fails the blockchain network prohibits the blockchain node device from accessing it, and on receiving the prohibition response the device may send a new authentication request to an authentication server in the blockchain network.
In summary, the blockchain node device authentication apparatus embeds or integrates the hardware token chip in the blockchain node device, so that the token is bound to the device. The hardware token chip provides dynamic authentication information (the value generated each time is different), randomness (each value is random and unpredictable), a one-time property (each value can be used only once and cannot be reused), theft resistance and non-replicability, which secures the authentication information against theft, loss or transfer. In addition, the hardware token chip exposes a read interface for the authentication information, so that the generated value can be read by the blockchain program; when the blockchain node device triggers node authentication, an authentication request is generated and sent to the authentication server in the blockchain network automatically, without manual intervention. Once node authentication passes, the blockchain node device is qualified to connect to the other blockchain node devices in the blockchain network and participate in consensus. This improves the security of the blockchain network as a whole and ensures that the devices connected to it are standardized, trusted hardware.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.
Example IV
Fig. 6 is a schematic diagram of another blockchain node device according to a preferred embodiment of the present invention for implementing the blockchain node device authentication method. The blockchain node device 6 comprises a memory 61, at least one processor 62, a computer program 63 stored in the memory 61 and executable on the at least one processor 62, and at least one communication bus 64.
It will be appreciated by those skilled in the art that the schematic diagram shown in fig. 6 is merely an example of the blockchain node device 6 and does not limit it; the device may include more or fewer components than shown, combine certain components, or use different components. For example, the blockchain node device 6 may also include input and output devices, network access devices, etc.
The blockchain node device 6 may be, but is not limited to, any electronic product that can interact with a user by means of a keyboard, a mouse, a remote control, a touch pad or a voice control device, such as a personal computer, a tablet, a smart phone, a personal digital assistant (PDA), a game console, an interactive Internet Protocol television (IPTV), a smart wearable device, etc. The network in which the blockchain node device 6 is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (VPN), and the like.
The at least one processor 62 may be a central processing unit (CPU), but may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 62 may be a microprocessor or any conventional processor; it is the control center of the blockchain node device 6 and connects the various parts of the whole device through various interfaces and lines.
The memory 61 may be used to store the computer program 63 and/or modules/units, and the processor 62 implements the various functions of the blockchain node device 6 by running the computer program and/or modules/units stored in the memory 61 and invoking data stored in the memory 61. The memory 61 may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required for at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created during use of the blockchain node device 6. In addition, the memory 61 may include non-volatile memory such as a hard disk, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another non-volatile solid state storage device.
Preferably, the processor 62 executes the above instructions to implement the following steps:
when the blockchain node device triggers node authentication, acquiring the first authentication information computed by the hardware token chip;
generating second authentication information containing the first authentication information;
sending an authentication request carrying the second authentication information to an authentication server in a blockchain network;
and receiving an authentication result returned after the authentication server verifies the authentication request.
Further, the processor 62 obtains the first authentication information obtained by the operation of the hardware token chip, which includes:
acquiring the time at which the blockchain node device triggered node authentication;
and calculating the time and the random number by adopting a prestored cryptographic algorithm to obtain a data result which is used as the first authentication information.
Further, the processor 62 generates second authentication information including the first authentication information includes:
acquiring a pre-stored target field, wherein the target field comprises a communication protocol;
and encapsulating the target field and the first authentication information according to a structure specified by a message standard to generate the second authentication information.
Further, after the second authentication information including the first authentication information is generated, the processor 62 executes the above instructions to further implement the following steps:
encoding the second authentication information according to a preset format;
the sending the authentication request carrying the second authentication information to an authentication server in a blockchain network includes: and sending an authentication request carrying the encoded second authentication information to an authentication server in the blockchain network.
Further, the blockchain node device triggers node authentication under one or more of the following conditions:
when start-up of the blockchain node device is detected, the blockchain node device is determined to trigger node authentication;
when the blockchain node device is detected to request a blockchain transaction, the blockchain node device is determined to trigger node authentication.
Further, if the authentication result is that the blockchain node device authentication is successful, the processor 62 executes the above instruction to further implement the following steps:
and accessing the blockchain network.
The specific implementation method of the above instructions by the processor 62 may refer to the description of the relevant steps in the corresponding embodiment of fig. 3, which is not repeated herein.
The modules/units integrated in the blockchain node device 6 may be stored in a computer readable storage medium if they are implemented as software functional units and sold or used as a stand-alone product. On this basis, the present invention may implement all or part of the flow of the method in the above embodiments by instructing the relevant hardware through a computer program, which may be stored in a computer readable storage medium and which implements the steps of each method embodiment described above when executed by a processor. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. It should be noted that the content a computer readable medium may contain can be adjusted according to the requirements of legislation and patent practice in the relevant jurisdiction; for example, in some jurisdictions the computer readable medium does not include electrical carrier signals and telecommunication signals.
In the several embodiments provided in the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be other manners of division when actually implemented.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.