CN112560005A - Identity trusted service system, method, electronic device and computer readable medium - Google Patents


Publication number: CN112560005A
Authority: CN (China)
Prior art keywords: trusted, authority, node, certificate, data
Legal status: Pending
Application number: CN202011388662.2A
Other languages: Chinese (zh)
Inventors: 匡立中, 谢杨洁, 李伟, 黄程明, 张帅
Current assignee: Hangzhou Qulian Technology Co Ltd
Original assignee: Hangzhou Qulian Technology Co Ltd
Application filed by Hangzhou Qulian Technology Co Ltd
Priority to CN202011388662.2A
Publication of CN112560005A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/33 User authentication using certificates
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The application provides an identity trusted service system, an identity trusted service method, an electronic device and a computer-readable medium, and belongs to the technical field of blockchains. The system comprises: a blockchain network comprising a plurality of nodes, wherein each node stores a trusted authority certificate chain which comprises all account certificates issued by a plurality of trusted authorities; and a target node used for performing signature verification on the service data sent by a target trusted authority by using the account certificate in the trusted authority certificate chain, wherein the target trusted authority is the authority, among the plurality of trusted authorities, that transmits the service data, and the target node is the node deployed at the target trusted authority. The method and the device realize data transmission between the blockchain nodes corresponding to the trusted authorities, and guarantee smooth and quick service collaboration.

Description

Identity trusted service system, method, electronic device and computer readable medium
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a system, a method, an electronic device, and a computer-readable medium for trusted identity service.
Background
The CA, as the issuer of digital certificates and a third-party trust authority, is the core of a PKI system. At present, each CA can only trust the digital certificates it issued itself: each CA has its own trust domain, and digital certificates from outside that trust domain cannot be trusted. For example, organization A needs to communicate with organization B through a border gateway and a trust gateway, and after acquiring organization B's data, organization A authenticates the identity of organization B.
Because the data transmission also has to pass through the border gateway and the trust gateway, the data in the certificate trust store of the application system is at risk of being tampered with, so the credibility of the data transmitted between CAs is poor and business collaboration is difficult.
Disclosure of Invention
An object of the embodiments of the present application is to provide an identity trusted service system, an identity trusted service method, an electronic device, and a computer-readable medium, so as to solve the problem of difficulty in business collaboration. The specific technical scheme is as follows:
in a first aspect, an identity trusted service system is provided, the system including:
a blockchain network comprising a plurality of nodes, wherein each node stores a trusted authority certificate chain which comprises all account certificates issued by a plurality of trusted authorities;
and a target node used for performing signature verification on the service data sent by a target trusted authority by using the account certificate in the trusted authority certificate chain, wherein the target trusted authority is the authority, among the plurality of trusted authorities, that transmits the service data, and the target node is the node deployed at the target trusted authority.
Optionally, the system comprises:
the first trusted authority is used for signing original data sent by a first account through a private key to obtain the service data carrying a digital signature, and sending the service data to a first node, wherein the first account is an account opened in the first trusted authority;
the first node is configured to perform signature verification on the service data through a public key of the first account in the certificate chain of the trusted authority.
Optionally, the system comprises:
the second trusted authority is used for sending an inquiry request to a second node when the inquiry request sent by a second account is received, wherein the inquiry request is used for requesting to inquire the service data, and the second account is an account opened in the second trusted authority;
and the second node is used for verifying the authenticity of the service data sent by the first node through the public key of the certificate chain of the trusted authority, and sending a verification passing result to the second trusted authority under the condition of passing the verification.
Optionally, the service data includes authority certificate issuance data, and the system includes:
the target trusted authority, used for signing the authority certificate issuance data and uploading the authority certificate issuance data carrying the digital signature to the target node;
and the target node, used for uploading the authority certificate issuance data carrying the digital signature to the blockchain network on condition that the digital signature is verified to be genuine.
Optionally, the service data includes authority certificate revocation data, and the system includes:
the target trusted authority, used for signing the authority certificate revocation data and uploading the authority certificate revocation data carrying the digital signature to the target node;
and the target node, used for uploading the authority certificate revocation data carrying the digital signature to the blockchain network on condition that the digital signature is verified to be genuine.
Optionally, the system comprises:
a plurality of nodes in the blockchain network, wherein a trusted channel exists between each pair of nodes;
and each blockchain node corresponds to one trusted authority, wherein the plurality of trusted authorities are connected through a peer-to-peer network.
In a second aspect, an identity trusted service method is provided, which is applied to a target node and includes:
acquiring service data sent by a target trusted authority, wherein the target node is the node deployed at the target trusted authority, and the target trusted authority is the authority, among a plurality of trusted authorities, that transmits the service data;
and performing signature verification on the service data through an account certificate in a trusted authority certificate chain, wherein each node stores the trusted authority certificate chain, the trusted authority certificate chain comprises all account certificates issued by the plurality of trusted authorities, and the plurality of nodes form a blockchain network.
Optionally, the service data includes authority certificate issuance data,
the acquiring of the service data sent by the target trusted authority includes: acquiring authority certificate issuance data which is sent by the target trusted authority and carries a digital signature;
and the signature verification of the authority certificate issuance data by an account certificate in the trusted authority certificate chain includes: uploading the authority certificate issuance data carrying the digital signature to the blockchain network on condition that the digital signature is verified to be genuine.
In a third aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing any of the method steps described herein when executing the program stored in the memory.
In a fourth aspect, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out any of the method steps.
The embodiment of the application has the following beneficial effects:
the embodiment of the application provides an identity trusted service system, which comprises: a blockchain network comprising a plurality of nodes, wherein each node stores a trusted authority certificate chain which comprises all account certificates issued by a plurality of trusted authorities; and a target node used for performing signature verification on the service data sent by a target trusted authority by using the account certificate in the trusted authority certificate chain, wherein the target trusted authority is the authority, among the plurality of trusted authorities, that transmits the service data, and the target node is the node deployed at the target trusted authority. By constructing a cross-organization identity trusted service system, in which a trusted authority and its node adopt the same public and private key pair and the blockchain CA and the authority's self-built CA are merged, data transmission between the blockchain nodes corresponding to the trusted authorities is realized and smooth, quick service collaboration is guaranteed. Through the security, transparency, shared ledger and tamper-resistance of the blockchain network, transparency in the data exchange process is improved and the credibility of the trusted authority's identity is ensured.
Of course, not all of the above advantages need be achieved in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a block chain data processing structure in the embodiment of the present application;
FIG. 2 is a block chain structure in the present application;
FIG. 3 is a block chain network functional structure diagram according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a cross-organization identity trusted service system in an embodiment of the present application;
FIG. 5 is a diagram illustrating an embodiment of a system including a trusted channel;
FIG. 6 is a schematic diagram of an overall system in an embodiment of the present application;
FIG. 7 is a schematic illustration of an embodiment of the present application for issuing or revoking a certificate for an organization;
FIG. 8 is a flow chart of data collaboration in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the following description, reference is made to "one embodiment" which describes a subset of all possible embodiments, but it is understood that "one embodiment" describes the same subset or a different subset of all possible embodiments, and may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
Before further detailed description of the embodiments of the present invention, terms and expressions referred to in the embodiments of the present invention are described, and the terms and expressions referred to in the embodiments of the present invention are applicable to the following explanations.
(1) Transactions (Transaction), equivalent to the computer term "transaction", include operations that need to be committed to a blockchain network for execution and do not refer solely to transactions in the commercial sense; embodiments of the present invention follow this usage in view of the convention in blockchain technology of colloquially using the term "transaction".
For example, a deployment (deployment) transaction is used to install a specified smart contract to a node in a blockchain network and is ready to be invoked; the Invoke (Invoke) transaction is used to append records of the transaction in the blockchain by invoking the smart contract and to perform operations on the state database of the blockchain, including update operations (including adding, deleting, and modifying key-value pairs in the state database) and query operations (i.e., querying key-value pairs in the state database).
(2) A Block chain (Blockchain) is a storage structure for encrypted, chained transactions formed from blocks (blocks).
(3) A Blockchain Network (Blockchain Network) is a set of nodes that incorporate new blocks into a blockchain in a consensus manner.
(4) Ledger (Ledger) is a general term for the blockchain (also called ledger data) and the state database synchronized with the blockchain. The blockchain records transactions in the form of files in a file system; the state database records the transactions of the blockchain in the form of key-value pairs of different types, so as to support quick queries of transactions in the blockchain.
(5) Smart Contracts (Smart Contract), also known as chaincode (chaincode) or application code, are programs deployed in the nodes of a blockchain network; the nodes execute the smart contracts called in received transactions to update or query the key-value data of the state database.
(6) Consensus (Consensus) is a process in a blockchain network used to reach agreement on the transactions in a block among the plurality of nodes involved; the agreed block is appended to the end of the blockchain. The mechanisms for achieving consensus include Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof of Stake (DPoS), Proof of Elapsed Time (PoET), and so on.
An exemplary application of the block chain network provided by the embodiment of the present invention is described below, as shown in fig. 1, fig. 1 is a schematic diagram of an identity trusted service system provided by the embodiment of the present invention, and includes a block chain network 101, a consensus node 102, an authentication center 103, a service entity 104, a client node 104-1, a service entity 105, and a client node 105-1, which are described below respectively:
The type of blockchain network 101 is flexible and may be, for example, any of a public chain, a private chain, or a consortium chain. Taking a public chain as an example, electronic devices such as the user terminals and servers of any service entity can access the blockchain network 101 without authorization; taking a consortium chain as an example, an electronic device (e.g., a terminal or server) under the jurisdiction of a service entity may access the blockchain network 101 after obtaining authorization, and in doing so becomes a client node in the blockchain network 101.
In some embodiments, the client node 104 may act as a mere observer of the blockchain network 101, i.e., it provides functionality supporting a business entity in initiating a transaction (e.g., for on-chain storage of data or querying of data on the chain), and may, by default or selectively (e.g., depending on the specific business requirements of the business entity), implement the functions of the consensus node 102 of the blockchain network 101, such as the ordering function, the consensus service, and the accounting function. Therefore, the data and business processing logic of the service entity can be migrated to the blockchain network 101 to the maximum extent, and the credibility and traceability of the data and business processing process are realized through the blockchain network 101.
Consensus nodes in blockchain network 101 receive transactions submitted from different business entities, such as client node 104-1 of business entity 104 shown in fig. 1, perform the transactions to update the ledger or query the ledger, and various intermediate or final results of performing the transactions may be returned for display in client node 104-1 of business entity 104.
For example, client node 104-1 may subscribe to events of interest in blockchain network 101, such as transactions occurring in a particular organization/channel in blockchain network 101, and corresponding transaction notifications are pushed by consensus node 102 to client node 104-1, thereby triggering corresponding business logic in client node 104-1.
As an example of a blockchain, as shown in fig. 2, fig. 2 is a schematic structural diagram of a blockchain in the blockchain network 101 according to an embodiment of the present invention. The header of each block may include the hash values of all transactions in the block and also the hash values of all transactions in the previous block; a record of a newly generated transaction is filled into a block, which is added to the tail of the blockchain after consensus among the nodes in the blockchain network, so the chain grows, and the hash-based chain structure between blocks ensures that the transactions in the blocks are tamper-resistant and cannot be forged.
An exemplary functional architecture of a blockchain network provided by the embodiment of the present invention is described below, as shown in fig. 3, fig. 3 is a schematic functional architecture diagram of a blockchain network 101 provided by the embodiment of the present invention, and includes an application layer 301, a consensus layer 302, a network layer 303, a data layer 304, and a resource layer 305, which are described below:
the application layer 301 encapsulates various services that the blockchain network can implement, including tracing, crediting, and verifying transactions.
The consensus layer 302 encapsulates the functions of the mechanism by which the nodes 102 in the blockchain network 101 agree on a block (i.e., a consensus mechanism), transaction management, and ledger management. The consensus mechanism comprises consensus algorithms such as POS, POW and DPOS, and the pluggable consensus algorithm is supported. The transaction management is used for verifying the digital signature carried in the transaction received by the node 101, verifying the identity information of the service body 104, and determining whether the service body has the authority to perform the transaction (reading the relevant information from the service body identity management) according to the identity information; for the service agents authorized to access the blockchain network 101, the service agents all have digital certificates issued by the certificate authority, and the service agents sign the submitted transactions by using private keys in the digital certificates of the service agents, so that the legal identities of the service agents are declared. The ledger administration is used to maintain blockchains and state databases. For the block with the consensus, adding the block to the tail of the block chain; executing the transaction in the acquired consensus block, updating the key-value pairs in the state database when the transaction comprises an update operation, querying the key-value pairs in the state database when the transaction comprises a query operation and returning a query result to the client node of the business entity. 
Query operations on multiple dimensions of the state database are supported, comprising: querying a block according to the block sequence number (e.g., the hash value of a transaction); querying a block according to the block hash value; querying a block according to a transaction serial number; querying a transaction according to its transaction serial number; querying the account data of a business entity according to the account (serial number) of the business entity; and querying the blockchain in a channel according to the channel name.
The network layer 303 encapsulates the functions of a peer-to-peer (P2P) network protocol, a data propagation mechanism and a data verification mechanism, an access authentication mechanism, and service entity identity management.
The P2P network protocol implements communication between nodes 102 in the blockchain network 101, the data propagation mechanism ensures propagation of transactions in the blockchain network 101, and the data verification mechanism implements reliability of data transmission between the nodes 102 based on cryptography methods (e.g., digital certificates, digital signatures, public/private key pairs); the access authentication mechanism is used for authenticating the identity of a service subject added to the block chain network 101 according to an actual service scene, and endowing the service subject with the authority of accessing the block chain network 101 when the authentication is passed; the business entity 104 identity management is used to store the identity of the business entity 104 that is allowed to access the blockchain network 101, as well as the permissions (e.g., the types of transactions that can be initiated).
The data layer 304 encapsulates the various data structures that implement the ledger, including the blockchain implemented as files in a file system, the key-value state database, and proofs of existence (e.g., hash trees of the transactions in blocks).
The resource layer 305 encapsulates the computing, storage, and communication resources that implement each node 102 in the blockchain network 101.
The embodiment of the application provides an identity trusted service system which can be used for data collaboration between organizations and improves data traceability.
The identity trusted service system provided in the embodiments of the present application is described in detail below with reference to specific embodiments. The identity trusted service system includes multiple trusted authorities that transmit service data. Each trusted authority is provided with a node on the blockchain network, the plurality of nodes form the blockchain network, each node in the blockchain network stores the same trusted authority certificate chain, and the trusted authority certificate chain comprises all account certificates issued by the plurality of trusted authorities; that is, each node holds all account certificates issued by the plurality of trusted authorities.
Each trusted authority has an open account through which a user can log in to the trusted authority, so that the trusted authority uploads service data to the blockchain network or obtains service data from the blockchain network, and the target node performs signature verification on the received or sent service data. Accounts, trusted authorities, and nodes are in one-to-one correspondence.
Because the trusted authority certificate chain comprises all account certificates issued by the plurality of trusted authorities, trusted storage of the authority certificate chain, value distribution for business collaboration, and traceability and auditability of data exchange can be realized. The trusted authority certificate chain is stored on the blockchain, which prevents manual tampering and improves security and data traceability.
FIG. 4 is a schematic diagram of a cross-organization identity trusted service system. As can be seen from fig. 4, the system includes four nodes A, B, C and D; each node stores the trusted authority certificate chain (A-B-C-D), each authority's corresponding node also has its own public key and private key, a trusted channel exists between the nodes, and the multiple trusted authorities are connected through a P2P (peer-to-peer) network.
By constructing a cross-organization identity trusted service system, a trusted authority and its node adopt the same set of public and private keys, and the blockchain CA and the authority's self-built CA are merged, so that data transmission between the blockchain nodes corresponding to the trusted authorities is realized and smooth, rapid service collaboration is guaranteed. Through the security, transparency, shared ledger and tamper-resistance of the blockchain network, transparency in the data exchange process is improved and the credibility of the trusted authority's identity is ensured. In addition, no trust gateway or access gateway is needed, and the construction of the certificate trust chain is simplified by having the blockchain nodes integrate the trusted authority certificate chain.
As an optional implementation, the process of establishing the cross-organization identity trusted service system is as follows: the four organizations A, B, C and D each deploy a blockchain node and access the blockchain network according to the corresponding security specifications, thereby ensuring the security of data transmission and node communication, and at the same time trusted channels are established between the nodes, as shown in fig. 5, which is a schematic diagram of a system including a trusted channel. Then, a cross-organization identity trusted service system is built on the blockchain nodes deployed by the four organizations A, B, C and D, and the identity trusted service system is deployed in the private network of each of the four organizations. Through the cross-organization identity trusted service system, the certificate chains of the four organizations A, B, C and D are uploaded to their respective blockchain nodes, and after consensus they form a trusted authority certificate chain that serves as the trusted source for cross-organization CA verification of user certificates. Fig. 6 is a schematic diagram of the whole system.
In the data collaboration process, the first node first links the service data of the first trusted authority onto the blockchain network, then the second node verifies the service data; successful verification indicates that the identity of the first authority is trusted. The first node corresponds to the first authority, and the second node corresponds to the second authority.
The service data includes authority certificate issuance data. When an authority certificate is issued, the target trusted authority signs the authority certificate issuance data with its private key and then uploads the authority certificate issuance data carrying the digital signature to the target node; the target node obtains the public key corresponding to that private key from the trusted authority certificate chain and verifies the signature on the authority certificate issuance data with the public key. If the target node can verify the authority certificate issuance data, this indicates that the identity of the target trusted authority is trusted, and the target node uploads the authority certificate issuance data to the blockchain network; if the target node cannot verify the authority certificate issuance data, this indicates that the identity of the target trusted authority is not trusted, and the target node does not upload the authority certificate issuance data to the blockchain network.
The service data also includes authority certificate revocation data. When an authority certificate is revoked, the target trusted authority signs the authority certificate revocation data with its private key and then uploads the authority certificate revocation data carrying the digital signature to the target node; the target node obtains the public key corresponding to that private key from the trusted authority certificate chain and verifies the signature on the authority certificate revocation data with the public key. If the target node can verify the authority certificate revocation data, the identity of the target trusted authority is trusted, and the target node uploads the authority certificate revocation data to the blockchain network; if the target node cannot verify the authority certificate revocation data, this indicates that the identity of the target trusted authority is not trusted, and the target node does not upload the authority certificate revocation data to the blockchain network.
FIG. 7 is a schematic diagram of authority certificate issuance or revocation. As can be seen from the figure, the target trusted authority signs the authority certificate issuance data or authority certificate revocation data with the CA service private key and then sends it to the target node; the target node verifies the validity of the target trusted authority's identity with the CA service public key, and links the authority certificate issuance data or revocation data onto the chain if the verification passes.
According to the method and the system, a trusted authority certificate chain mutual trust mechanism is utilized, cross-organization multi-party automatic mutual trust is realized, the validity of the transaction identity is verified, and the data transmission safety is improved.
As an alternative embodiment, the system comprises: a first trusted authority, configured to sign original data sent by a first account with a private key to obtain service data carrying a digital signature, and to send the service data to a first node; and the first node, configured to perform signature verification on the service data with the public key of the first account in the trusted authority certificate chain.
FIG. 8 is a flow chart of data collaboration. As shown in fig. 8, the first trusted authority has opened a first account. User Su logs in to the first account and initiates a piece of original data for the service; the first trusted authority, by calling a smart contract, signs the original data with the private key of the first account to obtain service data carrying a digital signature, and sends the service data to the first node. Specifically, signing with the private key may consist of hashing the original data to obtain a digest and encrypting the digest with the private key to obtain the digital signature. After the first node receives the service data, it must verify the identity of the first trusted authority: it obtains the public key of the first account from the trusted authority certificate chain and verifies the identity with that public key. If verification passes, the first node puts the service data on the blockchain, and the blockchain broadcasts the service data to the second trusted authority corresponding to the second node; if verification fails, the first node does not put the service data on the chain. In addition, the first node feeds the on-chain result back to the first trusted authority.
As an alternative embodiment, the system comprises: a second trusted authority, configured to send a query request to a second node when it receives the query request from a second account, the query request requesting the service data; and the second node, configured to verify the authenticity of the service data sent by the first node with the public key in the trusted authority certificate chain and, if verification passes, to send a verification-passed result to the second trusted authority.
As shown in fig. 8, when user Sv of the second trusted authority wants to view the service data, Sv logs in to the second account and sends a query request for the service data. The second trusted authority forwards the query request to the second node, which must verify the validity of the service data. Specifically, after the second node obtains the service data carrying the digital signature through the smart contract, it obtains the public key of the first trusted authority from the trusted authority certificate chain held on the second node and checks whether the signature of the service data is correct. If the second node cannot verify the signature, the trusted authority certificate chain has a problem, and the second node reports this to the second trusted authority. If the signature verifies, the second node decrypts the digital signature with the public key to obtain the digest carried by the service data, then hashes the original data to obtain the digest of the original data. If the second node finds the two digests to be the same, the service data passes verification, the second node reports the success to the second trusted authority, and user Sv can view the service data; if the two digests differ, the service data fails verification, the second node reports the failure to the second trusted authority, and user Sv cannot view the service data.
The blockchain nodes trust one another, and each node manages the authentication of the subjects inside its own trusted authority, which is convenient and fast. In addition, the identity of the trusted authority and the authenticity of the service data are both verified, on-chain data is authenticated by multiple nodes, which improves the reliability of the data, and because a blockchain network is used, authentication within the trusted authority is more transparent.
Optionally, an embodiment of the present application further provides a processing flow for the cross-organization identity trusted service method, as follows.
The first trusted authority comprises a first service platform. When user Su of the first trusted authority logs in to the first account, the user's login is authenticated through the unified identity authentication service. After logging in to the first service platform, Su initiates original data for the service at the first trusted authority; after initial cleaning and conversion the data forms a data-package file, which is handed to the first service platform. The first service platform contains a blockchain service SDK, which hashes the original data to obtain a digest, encrypts the digest with the private key to obtain the digital signature of the original data, and generates service data carrying the digital signature. The first trusted authority sends the service data to the first node in the blockchain network; the first node verifies the signature with the first trusted authority's public key from the trusted authority certificate chain, and once the signature passes, synchronizes the service data to the other nodes in the blockchain network, such as the second node. The second node sends the service data to the second trusted authority; at this point a user in the second trusted authority cannot yet view the service data.
The second trusted authority comprises a second service platform, and when user Sv of the second trusted authority logs in to the second account, the login is authenticated through the unified identity authentication service. If the second node determines that the digest carried by the service data is the same as the digest of the original data, the service data passes verification and the identity of user Su passes verification.
In the following, for clarity of the present application, the working principle of the smart contract is first briefly described:
Constructing the smart contract: the smart contract is agreed by a number of users in the blockchain and can be used for any transaction between any users. The agreement defines the rights and obligations of the parties to the transaction; the developer programs these electronically, and the code contains the conditions that trigger automatic execution of the contract.
Storing the smart contract: once coding is complete, the smart contract is uploaded to the blockchain network, that is, every node in the whole network receives the smart contract.
Executing the smart contract: the smart contract periodically checks whether related events and trigger conditions exist; events that meet the conditions are pushed to a queue to be verified. The verification nodes on the blockchain first perform signature verification on the event to ensure its validity; once most verification nodes agree on the event, the smart contract executes successfully and the user is informed of the successful execution.
Based on the same technical concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 9, comprising a processor 901, a communication interface 902, a memory 903 and a communication bus 904, wherein the processor 901, the communication interface 902 and the memory 903 communicate with one another through the communication bus 904; the memory 903 is used for storing a computer program; and the processor 901 is configured to implement the above steps when executing the program stored in the memory 903.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In a further embodiment provided by the present invention, there is also provided a computer readable storage medium having stored therein a computer program which, when executed by a processor, implements the steps of any of the methods described above.
In a further embodiment provided by the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the methods of the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product comprises one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An identity trusted service system, characterized in that the system comprises:
a blockchain network comprising a plurality of nodes, wherein each node stores a trusted authority certificate chain, and the trusted authority certificate chain comprises all account certificates issued by a plurality of trusted authorities; and
a target node configured to perform signature verification on service data sent by a target trusted authority using an account certificate in the trusted authority certificate chain, wherein the target trusted authority is the authority among the plurality of trusted authorities that transmits the service data, and the target node is the node deployed at the target trusted authority.
2. The system of claim 1, wherein the system comprises:
a first trusted authority configured to sign original data sent by a first account with a private key to obtain the service data carrying a digital signature, and to send the service data to a first node, wherein the first account is an account opened in the first trusted authority; and
the first node, configured to perform signature verification on the service data with the public key of the first account in the trusted authority certificate chain.
3. The system of claim 2, wherein the system comprises:
a second trusted authority configured to send a query request to a second node when the query request is received from a second account, wherein the query request requests the service data, and the second account is an account opened in the second trusted authority; and
the second node, configured to verify the authenticity of the service data sent by the first node with the public key in the trusted authority certificate chain, and to send a verification-passed result to the second trusted authority if verification passes.
4. The system of claim 1, wherein the service data comprises authority certificate issuance data, the system comprising:
the target trusted authority, configured to sign the authority certificate issuance data and upload the authority certificate issuance data carrying the digital signature to the target node; and
the target node, configured to upload the authority certificate issuance data carrying the digital signature to the blockchain network if the digital signature is verified as authentic.
5. The system of claim 1, wherein the service data comprises authority certificate revocation data, the system comprising:
the target trusted authority, configured to sign the authority certificate revocation data and upload the authority certificate revocation data carrying the digital signature to the target node; and
the target node, configured to upload the authority certificate revocation data carrying the digital signature to the blockchain network if the digital signature is verified as authentic.
6. The system of claim 1, wherein the system comprises:
a plurality of nodes in the blockchain network, wherein there are trusted channels between the nodes; and
each blockchain node corresponds to one trusted authority, wherein the plurality of trusted authorities are connected through a peer-to-peer network.
7. An identity trusted service method applied to a target node, characterized in that it comprises the following steps:
acquiring service data sent by a target trusted authority, wherein the target node is the node deployed at the target trusted authority, and the target trusted authority is the authority among a plurality of trusted authorities that transmits the service data; and
performing signature verification on the service data using an account certificate in a trusted authority certificate chain, wherein each node stores the trusted authority certificate chain, the trusted authority certificate chain comprises all account certificates issued by the plurality of trusted authorities, and the plurality of nodes form a blockchain network.
8. The method of claim 7, wherein the service data comprises authority certificate issuance data,
the acquiring of the service data sent by the target trusted authority comprises: acquiring authority certificate issuance data carrying a digital signature sent by the target trusted authority; and
the signature verification of the authority certificate issuance data using an account certificate in the trusted authority certificate chain comprises: uploading the authority certificate issuance data carrying the digital signature to the blockchain network if the digital signature is verified as authentic.
9. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is used for storing a computer program; and
the processor is used for implementing the method steps of any one of claims 7 to 8 when executing the program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when executed by a processor, carries out the method steps of any one of claims 7 to 8.
Application CN202011388662.2A, filed 2020-12-01 (priority date 2020-12-01), published as CN112560005A (en) on 2021-03-26; status Pending; family ID 75047331.

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination