CN112583596B - Complete cross-domain identity authentication method based on block chain technology - Google Patents


Info

Publication number
CN112583596B
Authority
CN
China
Prior art keywords
domain
authentication
information
user
authentication server
Prior art date
Legal status
Active
Application number
CN202010511018.3A
Other languages
Chinese (zh)
Other versions
CN112583596A (en)
Inventor
兰晓
张红霞
陈兴蜀
金泓键
曹琪
Current Assignee
Sichuan University
Original Assignee
Sichuan University
Priority date
Filing date
Publication date
Application filed by Sichuan University
Priority to CN202010511018.3A
Publication of CN112583596A
Application granted
Publication of CN112583596B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 (under H04L9/00): including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 (under H04L9/32): involving digital signatures
    • H04L9/3236 (under H04L9/32): using cryptographic hash functions
    • H04L9/3239 (under H04L9/3236): involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/50 (under H04L9/00): using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a complete cross-domain identity authentication method based on blockchain technology, comprising the following steps: (1) a system initialization stage, which mainly covers initialization of the public and private keys of the domain entities, establishment of the blockchain network, deployment of chaincode, and storage of domain information; (2) an intra-domain authentication stage, which mainly covers application, verification, update and revocation of user identities; (3) a cross-domain authentication stage, in which complete cross-domain authentication of the user is securely achieved through interaction between the user to be authenticated and the authentication server, and between the authentication server and the blockchain. Steps (1) and (2) need to be executed only once. The invention improves authentication efficiency, ensures authentication security and achieves complete cross-domain entity identity authentication.

Description

Complete cross-domain identity authentication method based on block chain technology
Technical Field
The invention relates to the field of cross-domain identity authentication, in particular to a complete cross-domain identity authentication method based on a block chain technology.
Background
Blockchain technology: blockchain technology combines a series of computer and cryptographic techniques such as distributed storage, peer-to-peer communication, consensus mechanisms and encryption algorithms, and realizes a highly trusted node network without the participation of a third party. Blockchains can be divided into three categories according to whether the network has a node admission mechanism and whether the parties holding control authority are centralized: public chains, private chains and consortium chains. As a representative consortium chain, Hyperledger is a blockchain technology project initiated by the Linux Foundation and dedicated to developing cross-industry commercial blockchain platform technology. Hyperledger combines three functional categories, member management, blockchain technology and smart contracts, and is suited to consensus among organizations.
Smart contract: a smart contract is an automated, self-verifying and self-executing contract protocol on a computer that allows predetermined logic to be executed without the intervention of a third party. The widely used term "smart contract" is called "chaincode" in Hyperledger. Like smart contracts in Ethereum, chaincode in Hyperledger also has self-executing logic, but compared with Ethereum smart contracts, Hyperledger chaincode offers more functionality and integrates a large number of cryptographic algorithms, which makes it friendlier to developers.
Digital signature: a digital signature is a technique that can establish the authenticity of an information source and ensure data integrity. A typical digital signature scheme consists of the following three algorithms: 1) key generation algorithm, (pk, sk) ← Sig.KeyGen(λ): takes a security parameter λ and generates a public key pk and a private key sk; the public key is used to verify signatures and the private key to generate them; 2) signing algorithm, σ ← Sig.Sign(sk, m): uses the signer's private key sk to generate the signer's signature σ on the message m; 3) signature verification algorithm, Sig.Verify(pk, m, σ): uses the signer's public key pk to check whether σ is a signature on the message m; it returns 1 if verification succeeds and 0 otherwise.
Hash algorithm: a cryptographic hash algorithm maps an input message of arbitrary length to a short message digest of fixed length, and is mainly used to ensure data integrity, for one-way encryption of data, in digital signatures, and so on. A hash algorithm has two basic properties: 1) one-wayness: for any given x, Hash(x) is easy to compute, but given y, finding an x satisfying y = Hash(x) is computationally infeasible; 2) collision resistance: given the hash algorithm Hash(), finding two different messages x1 ≠ x2 with Hash(x1) = Hash(x2) is computationally infeasible.
Existing cross-domain authentication protocols can be broadly divided into three categories: protocols based on conventional PKI, protocols based on IBE (Identity-Based Encryption), and protocols based on blockchain technology. Protocols based on conventional PKI are well compatible with the existing PKI topology but suffer from certificate management problems, so the cross-domain process additionally incurs certificate management and transfer overhead. Protocols based on IBE solve the cumbersome certificate management of conventional PKI but increase authentication computation and communication overhead to some extent. Beyond these problems, most authentication protocols cannot achieve complete cross-domain entity identity authentication because they assume that the different domains use the same cryptosystem. Existing blockchain-based cross-domain authentication protocols solve the certificate management problem while greatly reducing the protocol's authentication computation overhead and improving authentication efficiency to some extent, but still cannot achieve complete cross-domain entity identity authentication.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a complete cross-domain identity authentication method based on blockchain technology, implemented on Hyperledger, a consortium chain, that achieves complete cross-domain entity identity authentication while ensuring the security of the authentication process and improving cross-domain authentication efficiency.
In order to solve the technical problems, the invention adopts the technical scheme that:
A complete cross-domain identity authentication method based on blockchain technology comprises the following steps:
a) system initialization
(i) domain entity public and private key initialization
All entities in domain A and domain B, including the respective domain proxy servers and all users of each domain, initialize their own public and private keys according to the cryptosystem of their domain;
(ii) building the blockchain network and deploying chaincode
In this step the authentication servers AS_A and AS_B of domain A and domain B establish a blockchain network; after admission, AS_A and AS_B join the blockchain network and deploy the previously defined chaincode; the chaincode includes three functions (their signatures are given as images in the original and are omitted here):
The first function handles the domain information storage request sent by a domain authentication server AS_X: it takes the public key hash of the domain authentication server as the key and the signature algorithm Sign_X and hash algorithm Hash_X of that domain as the value, and stores the key-value pair in the blockchain network;
The second function handles the user identity information storage request sent by a domain authentication server: it takes the public key hash of the user as the key and the public key hash of the user's domain authentication server together with the status state as the value, and stores the key-value pair in the blockchain network;
The third function handles a user identity verification request sent by a domain authentication server;
(iii) domain information storage
The authentication servers AS_A and AS_B of domain A and domain B send a domain information storage request (message format omitted) to the blockchain network BC, storing the signature and hash algorithm information of each domain in the blockchain network;
b) intra-domain authentication
This comprises the application, verification, update and revocation of user identities;
(i) application
After system initialization, a user in domain A or domain B sends registration application information to the authentication server AS_X of its home domain to request intra-domain identity authentication;
(ii) verification
After receiving the registration application information sent by a user in its domain, the domain authentication server AS_X verifies the user and stores the identity information of the verified user in the blockchain network;
(iii) update
When a user updates its identity information, it submits identity update application information to the home domain authentication server AS_X and requests AS_X to update the related user identity information; after the verification passes, AS_X updates the user identity information in the blockchain ledger;
(iv) revocation
Before a user leaves its home domain, it submits user identity revocation information to the home domain authentication server AS_X to revoke the user's identity information on the blockchain ledger;
c) cross-domain authentication
(i) (message notation omitted) A user in domain A requests access to the authentication server AS_B in domain B;
(ii) (message notation omitted) In response to the access request sent by the user in domain A, the authentication server AS_B in domain B generates a random number N with a random number generation algorithm and returns the message {N} to the user in domain A;
(iii) (message notation omitted) After receiving the message returned by the authentication server AS_B in domain B, the user in domain A signs the random number N with its own private signing key and sends AS_B a message containing the signature, the user's public key and the public key of the domain A authentication server AS_A; the private key and public key here are those of the user, and the third item is the public key of the domain A authentication server AS_A;
(iv) (message notation omitted) After receiving the message returned by the user in domain A, the domain B authentication server AS_B sends transaction information to the blockchain network invoking Verify, a predefined function in the blockchain network chaincode;
(v) BC → AS_B: {VerRes}, i.e. after receiving the transaction information sent by the domain B authentication server AS_B, the blockchain BC executes the function defined in advance in the chaincode and, after execution, returns the chaincode verification result {VerRes} to the domain B authentication server;
The domain B authentication server AS_B checks the authentication result information {VerRes}: if the returned information indicates authentication success, the authentication is completed successfully; otherwise the authentication fails.
Further, the function call procedure at point (v) of step (3) is specifically as follows:
Step 1) obtain the domain A signature algorithm and hash algorithm information {Sign_A, Hash_A}
Using the key-value pair information stored in advance in the blockchain network, the chaincode queries the ledger with the public key hash of the domain A authentication server AS_A, taken from the returned message, as the key; if the query fails, the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong domain" is returned to the domain B authentication server AS_B; if the query succeeds, the following authentication procedure continues;
Step 2) verify the signature
Taking the signature in the returned message, the public key, the random number N and the signature algorithm Sign_A of the user's domain returned by the previous step as parameters, the chaincode verifies the correctness of the signature; if verification fails, the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong public key" is returned to AS_B; if verification succeeds, the following authentication procedure continues;
Step 3) verify the user identity information
Using the key-value pair information stored in advance in the blockchain network, and taking the user's public key in the returned message and the domain hash algorithm Hash_A returned in step 1) as parameters, the chaincode verifies the correctness of the user identity information:
the query result is empty: the authentication is aborted immediately and the error information VerRes "the user in session N does not exist" is returned to AS_B;
the domain authentication server public key hash in the query result is inconsistent with the one the user sent to AS_B: the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong domain" is returned to AS_B;
the state in the query result is false: the authentication is aborted immediately and the error information VerRes "the user identity in session N is unavailable" is returned to AS_B;
query success: the success information VerRes "user verification succeeded in session N" is returned to AS_B.
Compared with the prior art, the invention has the following beneficial effects: complete cross-domain authentication between entities is achieved efficiently and securely. By introducing the blockchain as the trusted third party, complete cross-domain entity identity authentication is achieved while the computational burden of the authentication server is reduced and the security of authentication is ensured.
Drawings
Fig. 1 is a flowchart of the complete cross-domain authentication method based on blockchain technology implemented by the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. Table 1 describes the relevant protocol symbols.
Table 1 description of related protocol symbols (the table is given as an image in the original and is omitted here)
System initialization
This stage mainly comprises three parts: domain entity public and private key initialization, building the blockchain network and deploying chaincode, and domain information storage.
(i) Domain entity public and private key initialization
All entities in domain A and domain B, including the respective domain proxy servers and all users of each domain, initialize their own public and private keys according to the cryptosystem of their domain.
(ii) Building the blockchain network and deploying chaincode
In this step the authentication servers AS_A and AS_B of domain A and domain B establish a blockchain network. After admission, AS_A and AS_B join the blockchain network and deploy the chaincode defined in advance. The chaincode functions are as follows (their signatures are given as images in the original and are omitted here):
· The first function mainly handles the domain information storage request sent by a domain authentication server AS_X: it takes the public key hash of the domain authentication server as the key and the signature algorithm Sign_X and hash algorithm Hash_X of that domain as the value, and stores the key-value pair in the blockchain network.
· The second function mainly handles the user identity information storage request sent by a domain authentication server: it takes the public key hash of the user as the key and the public key hash of the user's domain authentication server together with the status state as the value, and stores the key-value pair in the blockchain network.
· The third function mainly handles a user authentication request sent by a domain authentication server.
(iii) Domain information storage
The authentication servers AS_A and AS_B of domain A and domain B send a domain information storage request (message format omitted) to the blockchain network BC, storing the signature and hash algorithm information of each domain in the blockchain network.
Intra-domain authentication
In order to manage user identities within a domain at a finer granularity, similar to the life cycle of a traditional CA certificate, user identities in the cross-domain authentication method of the invention also involve application, verification, update and revocation operations.
(i) Application
After system initialization, a user in domain A or domain B sends registration application information to the authentication server AS_X of its home domain to request intra-domain identity authentication. (Message format given as an image in the original; omitted.)
(ii) Verification
After receiving the registration application information sent by a user in its domain, the domain authentication server AS_X verifies the user and stores the identity information of the verified user in the blockchain network. (Message format omitted.)
(iii) Update
When a user updates its identity information, it submits identity update application information to the home domain authentication server AS_X and requests AS_X to update the related user identity information. After the verification passes, AS_X updates the user identity information in the blockchain ledger. (Message format omitted.)
(iv) Revocation
Before a user leaves its home domain, it submits user identity revocation information to the home domain authentication server AS_X to revoke the user's identity information on the blockchain ledger. (Message format omitted.)
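The two chaincode storage functions from system initialization and the four intra-domain operations above, as an added example in Go that is not part of the patent or of any Hyperledger code base: an in-memory ledger model with StoreDomainInfo, StoreUserInfo, UpdateUser and RevokeUser. The function names, the hex(SHA-256) key derivation, the algorithm identifier strings, the modelling of an update as a key rotation, and the rule that only the AS_X that registered a user may update or revoke it are this example's assumptions; the page names none of them.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DomainRecord is the value kept under the key Hash(pk_AS_X): the signature
// and hash algorithm identifiers of domain X ({Sign_X, Hash_X} on the page).
type DomainRecord struct{ SignAlg, HashAlg string }

// UserRecord is the value kept under the key Hash(pk_U): the public key hash
// of the home domain's authentication server and the identity state.
type UserRecord struct {
	DomainKey string // Hash(pk_AS_X) of the server that registered the user
	State     bool   // true = usable, false = revoked
}

// Ledger is an in-memory stand-in for the world state the chaincode writes (a model, not Fabric code).
type Ledger struct {
	Domains map[string]DomainRecord
	Users   map[string]UserRecord
}

func NewLedger() *Ledger {
	return &Ledger{Domains: map[string]DomainRecord{}, Users: map[string]UserRecord{}}
}

// KeyHash derives a ledger key from a public key. The page only says "public
// key hash"; hex(SHA-256(pk)) is this example's choice.
func KeyHash(pk []byte) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// StoreDomainInfo is domain information storage: AS_X publishes {Sign_X, Hash_X}.
func (l *Ledger) StoreDomainInfo(asPub []byte, signAlg, hashAlg string) {
	l.Domains[KeyHash(asPub)] = DomainRecord{SignAlg: signAlg, HashAlg: hashAlg}
}

// StoreUserInfo is intra-domain application and verification: AS_X, having checked
// the registration request, records the user as usable. No domain record, no users.
func (l *Ledger) StoreUserInfo(asPub, userPub []byte) error {
	dk := KeyHash(asPub)
	if _, ok := l.Domains[dk]; !ok {
		return errors.New("registering server has no domain record")
	}
	l.Users[KeyHash(userPub)] = UserRecord{DomainKey: dk, State: true}
	return nil
}

// ownedBy returns the ledger key of a user that exists and was registered by
// this AS_X, so one domain's server cannot touch another domain's users.
func (l *Ledger) ownedBy(asPub, userPub []byte) (string, error) {
	uk := KeyHash(userPub)
	rec, ok := l.Users[uk]
	if !ok {
		return "", errors.New("user does not exist")
	}
	if rec.DomainKey != KeyHash(asPub) {
		return "", errors.New("user was registered by a different domain")
	}
	return uk, nil
}

// RevokeUser is intra-domain revocation: the record stays, with State=false.
func (l *Ledger) RevokeUser(asPub, userPub []byte) error {
	uk, err := l.ownedBy(asPub, userPub)
	if err != nil {
		return err
	}
	rec := l.Users[uk]
	rec.State = false
	l.Users[uk] = rec
	return nil
}

// UpdateUser is intra-domain update, modelled as a key rotation in the same domain.
func (l *Ledger) UpdateUser(asPub, oldPub, newPub []byte) error {
	if err := l.RevokeUser(asPub, oldPub); err != nil {
		return err
	}
	l.Users[KeyHash(newPub)] = UserRecord{DomainKey: KeyHash(asPub), State: true}
	return nil
}

func main() {
	l := NewLedger()
	asA, asB, u1, u2 := []byte("pk-AS-A"), []byte("pk-AS-B"), []byte("pk-U1"), []byte("pk-U2") // constructed
	l.StoreDomainInfo(asA, "ed25519", "sha256")
	l.StoreDomainInfo(asB, "sm2", "sm3") // domains may run different cryptosystems
	fmt.Println("A registers u1:", l.StoreUserInfo(asA, u1))
	fmt.Println("B tries to revoke u1:", l.RevokeUser(asB, u1))
	fmt.Println("A rotates u1 to u2:", l.UpdateUser(asA, u1, u2))
	fmt.Println("u1 usable:", l.Users[KeyHash(u1)].State, "u2 usable:", l.Users[KeyHash(u2)].State)
}
```

Revocation keeps the record and flips its state to false rather than deleting it; that is what lets the cross-domain verification later distinguish a revoked identity ("unavailable") from an unknown one ("does not exist"). The ownership check in ownedBy is an access rule the page does not spell out: since both domains' servers call the same chaincode, a record should only be changeable by the server that wrote it.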
(III) Cross-domain authentication
As shown in Fig. 1, cross-domain authentication in the practical sense mainly comprises the following steps:
(i) (message notation omitted) A user in domain A requests access to the authentication server AS_B in domain B.
(ii) (message notation omitted) In response to the access request sent by the user in domain A, the authentication server AS_B in domain B generates a random number N with a random number generation algorithm and returns the message {N} to the user in domain A.
(iii) (message notation omitted) After receiving the message returned by the authentication server AS_B in domain B, the user in domain A signs the random number N with its own private signing key and sends AS_B a message containing the signature, the user's public key and the public key of the domain A authentication server AS_A; the private key and public key here are those of the user, and the third item is the public key of the domain A authentication server AS_A.
(iv) (message notation omitted) After receiving the message returned by the user in domain A, the domain B authentication server AS_B sends transaction information to the blockchain network invoking Verify, a predefined function of the blockchain network chaincode.
(v) BC → AS_B: {VerRes}
After receiving the transaction information sent by the domain B authentication server AS_B, the blockchain BC executes the function defined in advance in the chaincode. The specific procedure is as follows:
(1) Obtain the domain A signature algorithm and hash algorithm information {Sign_A, Hash_A}
Using the key-value pair information stored in advance in the blockchain network, the chaincode queries the ledger with the public key hash of the domain A authentication server AS_A, taken from the returned message, as the key. If the query fails, the domain does not exist: the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong domain" is returned to the domain B authentication server AS_B. If the query succeeds, the following authentication procedure continues.
(2) Verify the signature
Taking the signature in the returned message, the public key, the random number N and the signature algorithm Sign_A of the user's domain returned by the previous step as parameters, the chaincode verifies the correctness of the signature. If verification fails, the public key declared by the user is wrong: the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong public key" is returned to AS_B. If verification succeeds, the following authentication procedure continues.
(3) Verify the user identity information
Using the key-value pair information stored in advance in the blockchain network, and taking the user's public key in the returned message and the domain hash algorithm Hash_A returned in step (1) as parameters, the chaincode verifies the correctness of the user identity information.
The query result is empty: the user does not exist in any domain; the authentication is aborted immediately and the error information VerRes "the user in session N does not exist" is returned to AS_B.
The domain authentication server public key hash in the query result is inconsistent with the one the user sent to AS_B: the user has declared a wrong home domain; the authentication is aborted immediately and the error information VerRes "the user in session N declares a wrong domain" is returned to AS_B.
The state in the query result is false: although the user is indeed a legitimate user of the domain, its identity has been revoked and may no longer be used; the authentication is aborted immediately and the error information VerRes "the user identity in session N is unavailable" is returned to AS_B.
Query success: the information declared by the user is consistent with the information stored on the blockchain, the user identity is verified successfully, and the success information VerRes "user verification succeeded in session N" is returned to AS_B.
The domain B authentication server AS_B checks the authentication result information {VerRes}: if the returned information indicates authentication success, the authentication is completed successfully; otherwise the authentication fails.
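The exchange in steps (i) to (v) and the three-step chaincode verification above, as an added example in Go that is not the patent's code: the user's signing step, an in-memory ledger in the state the two store functions leave it, and a Verify function that returns the five VerRes outcomes in the order the page checks them. Ed25519 as the only modelled Sign_X, SHA-256 and SHA-512 as the Hash_X values, SHA-256 as the chain's own hash for domain keys, the hex key encoding, the VerRes wording and all key material are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// VerRes values returned to AS_B, worded after the page's result messages.
const (
	ResWrongDomain = "user in session N declares a wrong domain"
	ResWrongPubKey = "user in session N declares a wrong public key"
	ResNoUser      = "user in session N does not exist"
	ResRevoked     = "user identity in session N is unavailable"
	ResOK          = "user verification succeeded in session N"
)

// Hash_X is read from the chain in step 1 and dispatched here, so AS_B never assumes domain A's hash.
var hashers = map[string]func([]byte) string{
	"sha256": func(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) },
	"sha512": func(b []byte) string { s := sha512.Sum512(b); return hex.EncodeToString(s[:]) },
}

// Ledger state as left by the two store functions: domain keys use the chain's own SHA-256, user keys Hash_X.
type DomainRecord struct{ SignAlg, HashAlg string }
type UserRecord struct{ DomainKey string; State bool } // State false = revoked
type Ledger struct {
	Domains map[string]DomainRecord
	Users   map[string]UserRecord
}

// AuthMessage is step (iii): signature over N, the user's public key, the home server AS_A's public key.
type AuthMessage struct{ Sig, UserPK, ASPK []byte }

func ClientRespond(priv ed25519.PrivateKey, asPK, nonce []byte) AuthMessage {
	return AuthMessage{Sig: ed25519.Sign(priv, nonce), UserPK: priv.Public().(ed25519.PublicKey), ASPK: asPK}
}

// Verify is the chaincode function AS_B invokes in step (iv) with N and the received message.
func (l *Ledger) Verify(nonce []byte, m AuthMessage) string {
	// Step 1: find {Sign_A, Hash_A} under Hash(pk_AS_A); an unsupported Hash_A counts as a bad domain.
	dk := hashers["sha256"](m.ASPK)
	dom, ok := l.Domains[dk]
	if !ok || hashers[dom.HashAlg] == nil {
		return ResWrongDomain
	}
	// Step 2: verify the signature over AS_B's own nonce with Sign_A (only ed25519 is modelled here).
	if dom.SignAlg != "ed25519" || len(m.UserPK) != ed25519.PublicKeySize || !ed25519.Verify(m.UserPK, nonce, m.Sig) {
		return ResWrongPubKey
	}
	// Step 3: look the user up under Hash_A(pk_U), then check the home domain and the state.
	rec, ok := l.Users[hashers[dom.HashAlg](m.UserPK)]
	switch {
	case !ok:
		return ResNoUser
	case rec.DomainKey != dk:
		return ResWrongDomain
	case !rec.State:
		return ResRevoked
	}
	return ResOK
}

// Scenario runs the exchange over a constructed ledger (domains A, B: sha256; domain C: sha512).
func Scenario() (map[string]string, error) {
	pubU, privU, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	asA, asB, asC := []byte("pk-AS-A"), []byte("pk-AS-B"), []byte("pk-AS-C") // constructed stand-ins
	h := hashers["sha256"]
	l := &Ledger{Domains: map[string]DomainRecord{}, Users: map[string]UserRecord{}}
	l.Domains[h(asA)] = DomainRecord{"ed25519", "sha256"}
	l.Domains[h(asB)] = DomainRecord{"ed25519", "sha256"}
	l.Domains[h(asC)] = DomainRecord{"ed25519", "sha512"}
	l.Users[h(pubU)] = UserRecord{DomainKey: h(asA), State: true} // registered in domain A
	nonce := make([]byte, 32) // step (ii): AS_B's fresh per-session N
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := map[string]string{}
	msg := ClientRespond(privU, asA, nonce)
	r["valid"] = l.Verify(nonce, msg)
	r["stale nonce"] = l.Verify([]byte("old N"), msg) // signature is over a different N
	r["unknown AS"] = l.Verify(nonce, ClientRespond(privU, []byte("?"), nonce))
	r["claims domain B"] = l.Verify(nonce, ClientRespond(privU, asB, nonce)) // record says home is A
	r["claims domain C"] = l.Verify(nonce, ClientRespond(privU, asC, nonce)) // Hash_C finds no record
	rec := l.Users[h(pubU)]; rec.State = false; l.Users[h(pubU)] = rec // AS_A revoked the user
	r["revoked"] = l.Verify(nonce, msg)
	return r, nil
}

func main() { r, _ := Scenario(); fmt.Println(r) }
```

AS_B's contribution to the protocol is the fresh N: the stale-nonce case shows that a signature captured from an earlier session fails in step 2, so AS_B must generate N per session and pass that same N into Verify. The "claims domain C" case is what "complete" cross-domain authentication buys: the chaincode looks the user up with domain C's own Hash_C rather than a hash AS_B assumed, so a key registered under domain A's algorithm is simply not found there. Note that these steps authenticate only the user to AS_B; nothing in the exchange authenticates AS_B to the user.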

Claims (2)

1. A full cross-domain identity authentication method based on a block chain technology is characterized by comprising the following steps:
(1) system initialization
(i) Domain entity public and private key initialization
All entities in the domain A and the domain B comprise corresponding domain proxy servers and all users in the domain, and respective public and private keys are initialized according to a domain cryptography system;
(ii) building block chain network and deploying chain codes
The step is authentication server AS in domain A and domain BAAnd ASBEstablishing a block chain network; after permission, authentication servers AS in domain A and domain BAAnd ASBAdding the link code into a block chain network, and deploying the previously defined link code; the chain code includes three functions;
Figure FDA0003225959000000011
Figure FDA0003225959000000012
Figure FDA0003225959000000013
Figure FDA0003225959000000014
This function processes the domain information storage request sent by a domain authentication server and stores, using the public key hash value of the domain authentication server
[formula FDA0003225959000000015]
as key and the signature algorithm Sign_X and hash algorithm Hash_X of that domain as value, the key-value pair
[formula FDA0003225959000000016]
into the blockchain network;
Figure FDA0003225959000000017
This function processes the user identity information storage request sent by a domain authentication server and stores, using the public key hash value of the user
[formula FDA0003225959000000018]
as key and the public key hash value of the authentication server of the user's domain
[formula FDA0003225959000000019]
together with the status flag state as value, the key-value pair
[formula FDA00032259590000000110]
into the blockchain network;
Figure FDA00032259590000000111
the function processes a user identity verification request sent by a domain authentication server;
(iii) Domain information storage
The authentication servers AS_A and AS_B of domain A and domain B send a domain information storage request to the blockchain network BC:
[formula FDA0003225959000000021]
storing the signature algorithm and hash algorithm information of each domain into the blockchain network;
(2) Intra-domain authentication
This step comprises the application, verification, update and revocation of user identities;
(i) Application
After system initialization, a user in domain A or domain B
[formula FDA0003225959000000022]
sends registration application information to the authentication server AS_X of its home domain to request a domain identity;
(ii) Verification
After receiving the registration application information sent by the user
[formula FDA0003225959000000023]
of its domain, the domain authentication server AS_X of domain X verifies the user
[formula FDA0003225959000000024]
and stores the identity information of the verified user
[formula FDA0003225959000000025]
into the blockchain network;
(iii) Update
When a user
[formula FDA0003225959000000026]
updates its identity information, it submits identity update application information to the authentication server AS_X of its home domain and requests AS_X to update the relevant user identity information; after the request passes verification, the domain authentication server AS_X updates the user identity information in the blockchain ledger;
(iv) Revocation
Before a user
[formula FDA0003225959000000027]
leaves its home domain, it submits user identity revocation information to the authentication server AS_X of the home domain, which revokes the user's identity information on the blockchain ledger;
(3) Cross-domain authentication
(i)
[formula FDA0003225959000000028]
i.e. a user in domain A
[formula FDA0003225959000000029]
requests access to the authentication server AS_B in domain B;
(ii)
[formula FDA00032259590000000210]
i.e. the authentication server AS_B in domain B responds to the access request information sent by the user in domain A
[formula FDA00032259590000000211]
by generating a random number N with a random number generation algorithm and returning to the user in domain A
[formula FDA00032259590000000212]
the message {N};
(iii)
[formula FDA0003225959000000031]
i.e. after receiving the message returned by the authentication server AS_B of domain B, the user in domain A
[formula FDA0003225959000000032]
signs the random number N with its own private signing key and sends to the authentication server AS_B the message
[formula FDA0003225959000000033]
where
[formula FDA0003225959000000034]
and
[formula FDA0003225959000000035]
are respectively the private key and the public key of the user
[formula FDA0003225959000000036]
and
[formula FDA0003225959000000037]
is the public key of the domain A authentication server AS_A;
(iv) AS_B → BC:
[formula FDA0003225959000000038]
i.e. after receiving the message returned by the user in domain A
[formula FDA0003225959000000039]
the domain B authentication server AS_B sends to the blockchain network the transaction information
[formula FDA00032259590000000310]
where Verify is a function predefined in the chaincode of the blockchain network;
(v) BC → AS_B: {VerRes}, i.e. after receiving the transaction information sent by the domain B authentication server AS_B, the blockchain BC executes the function predefined in the chaincode
[formula FDA00032259590000000311]
and, once execution finishes, returns the chaincode verification result {VerRes} to the domain B authentication server;
the domain B authentication server AS_B checks the authentication result information {VerRes}: if the returned information is the authentication success message, the authentication is successfully completed; otherwise the authentication fails.
2. The method according to claim 1, wherein the function call procedure of point (v) in step (3) is specifically as follows:
Step 1) Obtain the signature algorithm and hash algorithm information {Sign_A, Hash_A} of domain A
According to the key-value pair information
[formula FDA00032259590000000312]
stored in advance in the blockchain network, the chaincode queries the ledger using the public key hash information of the domain A authentication server AS_A
[formula FDA00032259590000000313]
carried in the returned message as key; if the query fails, the authentication is interrupted and the error message VerRes 'the user in session N declares a wrong domain' is returned to the domain B authentication server AS_B; if the query succeeds, the following authentication process continues;
Step 2) Verify the signature
[formula FDA00032259590000000314]
Taking the signature
[formula FDA0003225959000000041]
and the public key
[formula FDA0003225959000000042]
in the returned message, the random number N and the signature algorithm Sign_A of the user's domain obtained in the previous step as parameters, the chaincode verifies the correctness of the signature; if the verification fails, the authentication is interrupted and the error message VerRes 'the user in session N declares a wrong public key' is returned to the domain B authentication server AS_B; if the verification succeeds, the following authentication process continues;
Step 3) Verify the user identity information
According to the key-value pair information
[formula FDA0003225959000000043]
stored in advance in the blockchain network, the chaincode verifies the correctness of the user identity information, taking the user's public key in the returned message
[formula FDA0003225959000000044]
and the domain hash algorithm Hash_A obtained in step 1) as parameters:
the query result is null: the authentication is interrupted and the error message VerRes 'the user in session N does not exist' is returned to the domain B authentication server AS_B;
the
[formula FDA0003225959000000045]
in the query result and the
[formula FDA0003225959000000046]
received by the domain B authentication server AS_B are inconsistent: the authentication is interrupted and the error message VerRes 'the user in session N declares a wrong domain' is returned to the domain B authentication server AS_B;
the state in the query result is false: the authentication is interrupted and the error message VerRes 'the user identity in session N is unavailable' is returned to the domain B authentication server AS_B;
query success: the success message VerRes 'user verification success in session N' is returned to the domain B authentication server AS_B.
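As an added worked example (not part of the patent and not the inventors' code), the following Go program models the two ledger record kinds defined in step (1)(ii), the Verify chaincode function of claim 2 with all five VerRes outcomes described at the end of the description and in claim 2, and the nonce challenge of step (3). It assumes Ed25519 as the domain signature algorithm Sign_A and SHA-256 as Hash_A, an in-memory map in place of the blockchain world state, and the constant names ResSuccess, ResWrongDomain, ResBadKey, ResNoUser and ResUnavailable for the VerRes messages; the type, function and entity names are likewise assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// VerRes outcomes of Verify, one per branch of claim 2 (constant names are ours).
const (
	ResSuccess     = "user verification success"
	ResWrongDomain = "user declares a wrong domain"
	ResBadKey      = "user declares a wrong public key"
	ResNoUser      = "user does not exist"
	ResUnavailable = "user identity is unavailable"
)

// DomainRecord is the value under key H(pk_AS_X); UserRecord is the value under
// key H(pk_user). Ledger is a constructed in-memory stand-in for the world state.
type DomainRecord struct{ Sign, Hash string }
type UserRecord struct {
	DomainKey string
	State     bool
}
type Ledger struct {
	Domains map[string]DomainRecord
	Users   map[string]UserRecord
}

// keyHash derives a record key from a public key; only sha256 is modelled.
func keyHash(alg string, pk ed25519.PublicKey) string {
	if alg != "sha256" {
		return "" // unsupported algorithm: a key that matches no record
	}
	h := sha256.Sum256(pk)
	return string(h[:])
}

// StoreDomainInfo: step (1)(iii); StoreUserInfo: step (2)(ii); Revoke: step (2)(iv).
func (l *Ledger) StoreDomainInfo(asPub ed25519.PublicKey, sign, hash string) {
	l.Domains[keyHash("sha256", asPub)] = DomainRecord{Sign: sign, Hash: hash}
}
func (l *Ledger) StoreUserInfo(userPub, asPub ed25519.PublicKey) {
	l.Users[keyHash("sha256", userPub)] = UserRecord{keyHash("sha256", asPub), true}
}
func (l *Ledger) Revoke(userPub ed25519.PublicKey) {
	if k := keyHash("sha256", userPub); l.Users[k].State {
		l.Users[k] = UserRecord{l.Users[k].DomainKey, false} // record stays, state false
	}
}

// Verify is the chaincode function of step (3)(iv): the three checks of claim 2, in order.
func (l *Ledger) Verify(n, sig []byte, userPub, asPub ed25519.PublicKey) string {
	dom, ok := l.Domains[keyHash("sha256", asPub)] // step 1: claimed domain known?
	if !ok {
		return ResWrongDomain
	}
	// step 2: signature over the fresh nonce under the claimed key, using Sign_A
	if dom.Sign != "ed25519" || !ed25519.Verify(userPub, n, sig) {
		return ResBadKey
	}
	u, ok := l.Users[keyHash(dom.Hash, userPub)] // step 3: user record under Hash_A
	switch {
	case !ok:
		return ResNoUser
	case u.DomainKey != keyHash("sha256", asPub):
		return ResWrongDomain
	case !u.State:
		return ResUnavailable
	}
	return ResSuccess
}

// CrossDomainAuth plays steps (3)(i)-(v): AS_B issues nonce N, the user signs it, AS_B calls Verify.
func CrossDomainAuth(l *Ledger, userPub ed25519.PublicKey, userPriv ed25519.PrivateKey, claimedAS ed25519.PublicKey) string {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return l.Verify(n, ed25519.Sign(userPriv, n), userPub, claimedAS)
}

// MustKey generates a fresh ed25519 key pair for one entity (user or AS).
func MustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	asA, _ := MustKey()
	alice, alicePriv := MustKey()
	l := &Ledger{Domains: map[string]DomainRecord{}, Users: map[string]UserRecord{}}
	l.StoreDomainInfo(asA, "ed25519", "sha256")
	l.StoreUserInfo(alice, asA)
	fmt.Println("VerRes:", CrossDomainAuth(l, alice, alicePriv, asA)) // user verification success
}
```

Two design points the claim leaves implicit are made explicit here: revocation keeps the user record on the ledger with state false, which is what lets the chaincode distinguish 'identity unavailable' from 'user does not exist'; and the nonce N is generated by AS_B per session, so a captured signature from an earlier session fails step 2. The chaincode itself does not track which nonces AS_B issued, so AS_B must bind the N it sent to the Verify transaction it submits.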
CN202010511018.3A 2020-06-08 2020-06-08 Complete cross-domain identity authentication method based on block chain technology Active CN112583596B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010511018.3A CN112583596B (en) 2020-06-08 2020-06-08 Complete cross-domain identity authentication method based on block chain technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010511018.3A CN112583596B (en) 2020-06-08 2020-06-08 Complete cross-domain identity authentication method based on block chain technology

Publications (2)

Publication Number Publication Date
CN112583596A CN112583596A (en) 2021-03-30
CN112583596B true CN112583596B (en) 2021-09-28

Family

ID=75119368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010511018.3A Active CN112583596B (en) 2020-06-08 2020-06-08 Complete cross-domain identity authentication method based on block chain technology

Country Status (1)

Country Link
CN (1) CN112583596B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113194469B (en) * 2021-04-28 2022-05-13 四川师范大学 5G unmanned aerial vehicle cross-domain identity authentication method, system and terminal based on block chain
CN113162949A (en) * 2021-05-13 2021-07-23 北京工业大学 Cross-domain identity authentication scheme of industrial Internet of things equipment based on block chain
CN113259381A (en) * 2021-06-15 2021-08-13 南京邮电大学 Intelligent medical cross-domain authentication method based on combination of block chain and IBC
CN113507458B (en) * 2021-06-28 2023-01-31 电子科技大学 Cross-domain identity authentication method based on block chain
CN113343213A (en) * 2021-07-01 2021-09-03 北京邮电大学 Multi-CA cross-domain authentication method based on block chain in distributed autonomous network
CN113676447A (en) * 2021-07-12 2021-11-19 海南大学 Block chain-based scientific and technological service platform cross-domain identity authentication scheme
CN113824563B (en) * 2021-09-07 2023-03-28 电子科技大学 Cross-domain identity authentication method based on block chain certificate
CN114024749B (en) * 2021-11-05 2022-11-29 西北工业大学 Industrial equipment logic cross-domain access authentication method based on inter-domain cooperation of central nodes

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194610A (en) * 2018-07-24 2019-01-11 北京交通大学 Vehicle-mounted mist data lightweight anonymous access authentication method based on block chain auxiliary
CN110061851A (en) * 2019-04-28 2019-07-26 广州大学 A kind of across trust domain authentication method and system of decentralization
CN110958229A (en) * 2019-11-20 2020-04-03 南京理工大学 Credible identity authentication method based on block chain
CN110995718A (en) * 2019-12-09 2020-04-10 广东电网有限责任公司 Power terminal cross-domain authentication mechanism based on block chain

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780618B (en) * 2014-01-22 2016-11-09 西南交通大学 A kind of based on across the isomery territory authentication accessing mandate bill and session cipher negotiating method
CN108810073B (en) * 2018-04-05 2021-05-04 西安电子科技大学 Block chain-based Internet of things multi-domain access control system and method
BR112019008000B1 (en) * 2018-11-16 2022-03-15 Advanced New Technologies Co., Ltd Computer-implemented method for authenticating a domain name, computer-implemented method, non-transient computer-readable medium, and system for implementing a method
CN109743172B (en) * 2018-12-06 2021-10-15 国网山东省电力公司电力科学研究院 Cross-domain network authentication method based on alliance block chain V2G and information data processing terminal


Also Published As

Publication number Publication date
CN112583596A (en) 2021-03-30

Similar Documents

Publication Publication Date Title
CN112583596B (en) Complete cross-domain identity authentication method based on block chain technology
CN112039872B (en) Cross-domain anonymous authentication method and system based on block chain
JP7109569B2 (en) Digital certificate verification method and its device, computer equipment and computer program
US10742426B2 (en) Public key infrastructure and method of distribution
CN113301022B (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
CN111294352A (en) Data security authentication method between cloud and edge node
CN110959163A (en) Computer-implemented system and method for enabling secure storage of large blockchains on multiple storage nodes
CN110930153B (en) Block chain privacy data management method and system based on hidden third party account
US11228450B2 (en) Method and apparatus for performing multi-party secure computing based-on issuing certificate
CN111815321A (en) Transaction proposal processing method, device, system, storage medium and electronic device
CN113824563A (en) Cross-domain identity authentication method based on block chain certificate
CN115378604A (en) Identity authentication method of edge computing terminal equipment based on credit value mechanism
Bellare et al. Deterring certificate subversion: efficient double-authentication-preventing signatures
KR20220006097A (en) Method and device for public key management using blockchain
CN114125773A (en) Vehicle networking identity management system and management method based on block chain and identification password
Pang et al. Efficient and secure certificateless signature scheme in the standard model
CN114297678A (en) Operation method, device, equipment and storage medium of union chain system
CN112039837B (en) Electronic evidence preservation method based on block chain and secret sharing
Liu et al. A blockchain-based cross-domain authentication management system for IoT devices
Liou et al. T-auth: A novel authentication mechanism for the IoT based on smart contracts and PUFs
Yang et al. Blockchain-based conditional privacy-preserving authentication protocol with implicit certificates for vehicular edge computing
CN116389111A (en) Identity authentication mode of alliance chain under strong authority control mode based on identification
CN115841330A (en) Block chain cross-domain identity management and control system and method
CN114374700B (en) Trusted identity management method supporting wide area collaboration based on master-slave multiple chains
Li et al. Cross-Domain Authentication Scheme for IoT Devices Based on BlockChain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant