CN112702346B - Distributed identity authentication method and system based on alliance chain - Google Patents

Distributed identity authentication method and system based on alliance chain Download PDF

Info

Publication number
CN112702346B
CN112702346B CN202011549865.5A CN202011549865A CN112702346B CN 112702346 B CN112702346 B CN 112702346B CN 202011549865 A CN202011549865 A CN 202011549865A CN 112702346 B CN112702346 B CN 112702346B
Authority
CN
China
Prior art keywords
user
consensus
node
identity
distributed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011549865.5A
Other languages
Chinese (zh)
Other versions
CN112702346A (en
Inventor
颜拥
郭少勇
孙歆
熊翱
姚影
张旺
代美玲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Beijing University of Posts and Telecommunications
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications, Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd filed Critical Beijing University of Posts and Telecommunications
Priority to CN202011549865.5A priority Critical patent/CN112702346B/en
Publication of CN112702346A publication Critical patent/CN112702346A/en
Application granted granted Critical
Publication of CN112702346B publication Critical patent/CN112702346B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of identity authentication, and provides a distributed identity authentication method and system based on a alliance chain, wherein the authentication method comprises the following steps of S1: when a user applies for service to an enterprise, providing a digital identity DID and a public key; s2: the enterprise compares the DID with a DID database of local notes; if remarks exist in the database, analyzing the authority of the database according to the remarks; otherwise, entering S4; s3: if the authority is satisfied, providing service for the user; otherwise, enter S5: s4: if the local database has no remark, the local database is commonly recognized with the blockchain network, the authority of the local database is queried, and S3 is returned; s5: issuing a failure report to a user, and prompting the user to update information; s6: after the user updates the information, providing service and consensus to the blockchain network; in the consensus process, a dynamic weight mechanism is adopted, and nodes with weights greater than or equal to a preset value are selected for selective broadcasting; the weight of the node is in direct proportion to the frequency of the operation of the enterprise uploading user behavior corresponding to the node, and the network load can be reduced.

Description

Distributed identity authentication method and system based on alliance chain
Technical Field
The invention relates to the technical field of identity authentication, in particular to a distributed identity authentication method and system based on a alliance chain.
Background
The identity authentication technology of the traditional internet application mainly takes a user name password as a main part, and real name authentication is completed by combining real identity information in reality after successful registration. As internet applications are more and more, different applications need to register different accounts repeatedly, which is very unfriendly to users, and passwords between different accounts of the same user are generally associated, so that the risk of password leakage is easily caused. Different internet applications are not mutually communicated in the application level, mutual trust is difficult, users often need to open proving materials to different business parties when operating across business, a large number of repeated operations exist, and the efficiency is quite low.
For this reason, a patent with a patent number CN109600357a appears, which discloses a distributed identity authentication system, a method and a server, and the distributed identity authentication system solves the security problem existing in the traditional centralized authentication method through a key characteristic storage technology, a multi-role joint authentication technology and a multi-fragment random authentication technology. The distributed identity authentication system consists of a client, an authentication cloud and a management system. The client side mainly provides two functions of registration and authentication; the authentication cloud is formed by multi-node distribution, so that effective and reliable storage, access and update of a large number of fragment security information are realized; the management system monitors the state of the platform and ensures the safe storage and access of the data. The invention realizes a decentralised security authentication system from four dimensions of access security, authentication security, storage security and connection security, and can avoid network attack and information theft possibly faced by a centralized control point in the traditional interconnection system.
The distributed identity authentication system uses a P2P networking technology to form a distributed identity authentication network, all nodes are interconnected and communicated through NAT penetration technology, and a user identity information key is stored in a hash characteristic mode to provide random node joint authentication service for users. The key characteristic storage technology, the multi-role joint authentication technology and the multi-fragment random authentication technology are used for solving the security problem existing in the traditional centralized authentication method. The distributed identity authentication system obtains higher security through the user information fragment storage, but is very dependent on a stable network environment, and the system stability is not high.
Disclosure of Invention
The invention aims to overcome the defect that the existing identity authentication system has high requirement on network load, and provides a distributed identity authentication method and system based on a alliance chain.
To achieve the above object, the present invention is achieved in a first aspect by the following technical solutions: the distributed identity authentication method based on the alliance chain is used for authenticating the identity of a user applying for service to an enterprise; the alliance chain consists of enterprises with the same target users and a shared data mechanism, the target users of the alliance chain enterprises register and acquire the distributed digital identities, and the distributed digital identities, public keys and user rights of the users are issued to the blockchain network for consensus with the enterprises; the distributed identity authentication method comprises the following steps,
S1: when the target user applies for service to any enterprise in the alliance chain, the distributed digital identity and public key information generated during registration of the target user are provided through a user terminal;
S2: the enterprise compares the distributed digital identity of the user with a user distributed digital identity database of local remarks; if remarks exist in the database, analyzing the authority of the database according to the remarks; otherwise, entering S4;
s3: if the authority is satisfied, providing service for the user; otherwise, enter S5:
S4: if the local database has no remark, the local database is commonly recognized with the blockchain network, the authority of the local database is queried, and S3 is returned;
s5: issuing a failure report to a user, and prompting the user to update identity information evidence required by service;
s6: after the user updates the identity information, providing service for the user, and consensus the behavior operation of the user with shared value to the blockchain network;
Each node of the blockchain network corresponds to an enterprise in the alliance chain, a dynamic weight mechanism is adopted in the consensus process of the enterprise and the blockchain network, and nodes with weights greater than or equal to a preset value are selected for selective broadcasting;
In the dynamic weight mechanism, the weight of a node is proportional to the frequency of behavioral operations that the enterprise corresponding to the node uploads the user with shared value.
The invention further preferably comprises the following steps: each consensus node maintains a weight vector table W T={w1,w2,...,wi,…,wN, wherein the weight W i reflects the dynamic communication performance and the credibility of the i node; w T is updated continuously along with the progress of the consensus, a time decay function is introduced, and after each round of consensus is finished, each consensus node updates W T maintained by itself according to the voting and communication conditions of the consensus.
The invention further preferably comprises the following steps: if the i node successfully participates in the commit operation instruction stage in the consensus process, the whole network increases the weight value of the i node; if the node participating in the commit operation instruction does not exist after the consensus is finished, judging that the communication capacity is poor, and reducing the weight value of the whole network according to the time attenuation function.
The invention further preferably comprises the following steps: during the broadcast phase of the consensus flow, nodes will broadcast voting messages within their respective broadcast domains and the size of the broadcast domains will be dynamically updated with W T.
The invention further preferably comprises the following steps: the size of the broadcast domain is represented by a dynamic parameter p, where p=n/N, N is the number of nodes in the selective broadcast domain.
The invention further preferably comprises the following steps: the dynamic weight mechanism is realized by dynamically using a Bayesian fault tolerance algorithm-DPBFT; the DPBFT algorithm comprises the following steps in a consistency protocol stage: 1) PRE-preparation phase: the master node gives a number n to a received request m sent by a client, generates a PRE-PREPARE message, broadcasts the PRE-PREPARE message to all nodes participating in consensus in a whole network, and generates a message format of < PRE-PREPARE, v, n, d, m >, wherein v is a view number, d is an abstract of m through hash function operation; 2) Preparation stage: generating a PRE message after receiving the PRE-PREPARE message sent by the master node by the slave node, determining a selective broadcasting domain according to the WT and the p value, and selectively broadcasting the PREPARE message to the nodes in the own consensus domain. The message format is < PREPARE, v, n, d, i >, i is the node number. In this stage, each node receives the PREPARE messages broadcast by all other nodes, the node verifies the authenticity of the messages, mainly compares n, v and m fields, and if more than (2f+1) preparation messages are correct, the node enters the COMMIT stage; 3) A COMMIT stage: the node generates a COMMIT message and broadcasts the COMMIT message to other nodes, wherein the message format is < COMMIT, v, n, d and i >, the other nodes can verify the COMMIT message, mainly verify d and v fields, and after verification is passed, the request consensus process can be completed; 4) An ADJUST phase: and scoring the situation of each participating consensus node according to the consensus result. A score of 0-100 is discretized for each node based on the time the respective node submitted the commit. According to the formulaWherein Q i is the score of the current round of consensus of the inode, T i is the time of commit of the inode, and T is the total time taken for the first commit to occur until the end of consensus. The score of the first node submitting the commit is 100, and the score of the node not participating in the commit is 0; and dynamically adjusting the weight of each node according to a formula W i=(1-q)*wi+q*Qi, wherein q is the proportion of the weight in the previous state in the new weight, and W i is the i node weight value in the previous state.
The invention further preferably comprises the following steps: before applying for service, the user firstly becomes a target user of the alliance chain enterprise through registration; the registration process is as follows:
1) The user applies for registering the distributed digital identity to the trusted authority;
2) The trusted authority provides a registration interface for the user and issues registration identity related requirements and policies;
3) The user provides identity information according to the requirement, a public and private key pair of the user is generated through the user terminal according to an elliptic curve encryption algorithm, the private key user stores the public key and the identity information, and the public key and the identity information are sent to a trusted authority center;
4) The trusted authority center performs validity verification and repeatability verification on the user information so as to prevent the user from forging personal real information registration and prevent the user from repeatedly registering;
5) After verification is successful, the trusted authority center generates a distributed digital identity-DID for the user according to the identity information type and the registration timestamp provided by the user, the DID is a carrier for digital signature verification of the user authority by the trusted authority center according to the private key of the trusted authority center, and enterprises can verify the digital signature;
6) The trusted authority binds the user DID, the user public key and the user authority together and issues the bound user DID, the user public key and the user authority to the blockchain network for consensus;
7) After the consensus is finished, the alliance chain enterprises remark the user DID at the local end;
8) And the trusted authority center returns the user registration result and the DID distributed to the user, and extracts the user identity information, encrypts and stores the abstract in the local.
The present invention provides in a second aspect a federated chain-based distributed identity authentication system employing the federated chain-based distributed identity authentication method described in the first aspect, the federated chain-based distributed identity authentication system comprising,
The trusted authority center server is responsible for issuing a digital certificate for a user and a blockchain network node, providing a distributed Digital Identity (DID) for the user, binding and issuing the authenticated DID of the user and a public key thereof to a blockchain network for consensus, and informing the user of the position of the digital certificate and the DID of the user on the blockchain network after the consensus is successful;
the block chain network is composed of a plurality of block chain link points, each block chain node is maintained by an enterprise in the alliance chain and is responsible for receiving DID and user public key binding information and user login state information sent by the trusted authority center and user valuable behavior records, classifying and packaging the DID and user public key binding information and user valuable behavior records to generate blocks, consensus the blocks on the block chain network and returning a consensus result to the trusted authority center;
the enterprise terminal provides service for the user, and when the user performs identity authentication through the DID, the enterprise terminal inquires whether the user is a registered target user on the blockchain network and generates transaction consensus on the blockchain network according to the login state and behavior information of the user;
the user terminal generates a public key pair and a private key pair through an elliptic curve encryption algorithm, provides personal real identity information of the user to the trusted authority for verification, and stores the DID received from the trusted authority and the block hash value stored with the DID for identity verification among enterprises.
In summary, the invention has the following beneficial effects:
1. The user only needs to perform one-time identity registration at the authorization center. After successful registration, all enterprises in the alliance chain can enjoy the service at the same time without repeated registration.
2. When the user and the enterprise conduct service communication, the identity of the user is hidden, the enterprise does not know the true identity of the user, and only knows the authority of the user. The enterprise wants to know the identity of the user, the user needs to be applied for, and the authorization center can publish real information to the enterprise after the user agrees.
3. Optimizing PBFT algorithm, reducing invalid communication times of nodes in the consensus process by introducing selective broadcast domain, and improving the consensus efficiency; meanwhile, because the selective broadcast domain factor p and the fraction adjustment attenuation factor q are introduced into PBFT algorithm, the block chain consensus efficiency is improved, meanwhile, the block chain is more suitable for the network fluctuation condition, and the block chain network can bear faster uplink information speed, so that the load on the network is reduced.
Drawings
FIG. 1 is a block diagram of a distributed authentication system based on a federated chain.
FIG. 2 is a flowchart of a distributed identity authentication method based on a federated chain.
Fig. 3 is a flow chart of the improved PBFT algorithm.
Fig. 4 is a plot of experimental results data for the trading delay of algorithm PBFT versus algorithm DPBFT at different p values.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
The present embodiment is merely illustrative of the present invention and is not intended to be limiting, and modifications thereof without creative contribution can be made by those skilled in the art after reading the present specification, as long as they are protected by patent laws within the scope of claims of the present invention.
As shown in fig. 1, the present embodiment provides a distributed identity authentication system based on a federation chain, which includes a trusted authority (server), a blockchain network, an enterprise (terminal), and a user (terminal).
The trusted authority center server is responsible for issuing a digital certificate for a user and a blockchain network node, providing a distributed digital identity-DID (Decentralized Identity) for the user, binding and issuing the authenticated user DID and a public key thereof to the blockchain network for consensus, and informing the user of the position of the digital certificate and the DID of the user on the blockchain network after the consensus is successful.
The block chain network is composed of a plurality of block chain link points, each block chain node is maintained by an enterprise in the alliance chain and is responsible for receiving DID and user public key binding information and user login state information sent by the trusted authority center and user valuable behavior records, classifying and packaging the DID and user public key binding information and user valuable behavior records to generate blocks, consensus the blocks to the block chain network and returning consensus results to the trusted authority center.
And the enterprise terminal provides service for the user, and when the user performs identity authentication through the DID, the enterprise terminal inquires whether the user is a registered target user on the blockchain network and generates transaction consensus on the blockchain network according to the login state and behavior information of the user.
The user terminal generates a public key pair and a private key pair through an elliptic curve encryption algorithm, provides personal real identity information of the user to the trusted authority for verification, and stores the DID received from the trusted authority and the block hash value stored with the DID for identity verification among enterprises.
A alliance chain is formed between enterprises with the same target users and hopes to share data, a set of distributed identity Information Schemes (DIDs) of the users are formulated together, and the DIDs are transmitted to a trusted authentication center for execution and generation. The scheme assumes that the trusted authentication center is completely trusted, the user identity information is stored in the trusted authentication center instead of the blockchain node in an encrypted mode, and the blockchain network only stores identity authority identification, public keys and user behavior information which are irrelevant to the user true identity information, so that the problem that the user identity information is illegally stolen is solved.
The distributed identity authentication method based on the alliance chain is used for authenticating the identity of the user applying for the service to the enterprise. The alliance chain is composed of enterprises with the same target users and a shared data mechanism, the target users of the alliance chain enterprises register and acquire the distributed digital identities, and the distributed digital identities, public keys and user rights of the users are issued to the blockchain network for consensus with the enterprises. Before the user is registered as the target user of the alliance chain enterprise before applying for service, the user needs to register.
As shown in fig. 2, the registration flow is as follows:
1) The user applies for registering the distributed digital identity to the trusted authority;
2) The trusted authority provides a registration interface for the user and issues registration identity related requirements and policies;
3) The user provides identity information according to the requirement, a public and private key pair of the user is generated through the user terminal according to an elliptic curve encryption algorithm, the private key user stores the public key and the identity information, and the public key and the identity information are sent to a trusted authority center;
4) The trusted authority center performs validity verification and repeatability verification on the user information so as to prevent the user from forging personal real information registration and prevent the user from repeatedly registering;
5) After verification is successful, the trusted authority center generates a distributed digital identity-DID for the user according to the identity information type and the registration timestamp provided by the user, the DID is a carrier for digital signature verification of the user authority by the trusted authority center according to the private key of the trusted authority center, and enterprises can verify the digital signature;
6) The trusted authority binds the user DID, the user public key and the user authority together and issues the bound user DID, the user public key and the user authority to the blockchain network for consensus;
7) After the consensus is finished, the alliance chain enterprises remark the user DID at the local end;
8) And the trusted authority center returns the user registration result and the DID distributed to the user, and extracts the user identity information, encrypts and stores the abstract in the local.
The distributed identity authentication method comprises the following steps:
s1: when the target user applies for service to any enterprise in the alliance chain, the distributed digital identity and public key information generated during registration of the target user are provided through a user terminal;
S2: the enterprise compares the distributed digital identity of the user with a user distributed digital identity database of local remarks; if remarks exist in the database, analyzing the authority of the database according to the remarks; otherwise, entering S4;
s3: if the authority is satisfied, providing service for the user; otherwise, enter S5:
S4: if the local database has no remark, the local database is commonly recognized with the blockchain network, the authority of the local database is queried, and S3 is returned;
s5: issuing a failure report to a user, and prompting the user to update identity information evidence required by service;
s6: after the identity information certificate is updated by the user, the user is provided with service, and the behavior operation of the user with shared value is commonly known to the blockchain network.
Each node of the blockchain network corresponds to an enterprise in the alliance chain, a dynamic weight mechanism is adopted in the consensus process of the enterprise and the blockchain network, and nodes with weights greater than or equal to a preset value are selected for selective broadcasting. In the dynamic weight mechanism, the weight of a node is proportional to the frequency of behavioral operations that the enterprise corresponding to the node uploads the user with shared value.
Each consensus node maintains a weight vector table W T={w1,w2,...,wi,…,wN, where the weight W i reflects the dynamic communication performance and trustworthiness of the inode. Higher weight means better communication performance of the corresponding node and higher reliability. W T is updated continuously along with the progress of the consensus, a time decay function is introduced, and after each round of consensus is finished, each consensus node updates W T maintained by itself according to the voting and communication conditions of the consensus. If the i node successfully participates in the commit operation instruction stage in the consensus process, the whole network increases the weight value of the i node; if the node participating in the commit operation instruction does not exist after the consensus is finished, judging that the communication capacity is poor, and reducing the weight value of the whole network according to the time attenuation function.
In this embodiment, during the broadcast phase of the consensus flow, nodes will broadcast voting messages in their respective broadcast domains and the size of the broadcast domain will be dynamically updated with W T. The size of the selective broadcast domain is represented by a dynamic parameter p, p=n/N, N being the number of nodes in the selective broadcast domain.
As shown in fig. 3, the dynamic weighting mechanism is implemented by dynamically using the bayer fault tolerance algorithm-DPBFT, and DPBFT is formed after the improvement on the basis of the PBFT algorithm. Firstly, the voting weight of the consensus node is initialized, and a normal PBFT voting process is started. And then dynamically adjusting the weight according to the voting result to construct a selective broadcasting domain. The DPBFT algorithm is generally similar to the conventional PBFT algorithm flow, except that the corresponding modifications are made during the broadcast phase of the coherency protocol. The main functional description of the improved algorithm consistency protocol stage is described herein:
1) PRE-preparation phase: the master node gives a number n to a received request m sent by a client, generates a PRE-PREPARE message, broadcasts the PRE-PREPARE message to all nodes participating in consensus in a whole network, and the message format is < PRE-PREPARE, v, n, d, m >, wherein v is a view number, d is a digest of m, and is generated through hash function operation.
2) Preparation stage: generating a PRE message after receiving the PRE-PREPARE message sent by the master node by the slave node, determining a selective broadcasting domain according to the WT and p values, selectively broadcasting the PREPARE message to the nodes in the own common domain, wherein the message format is < PREPARE, v, n, d, i >, i is the node number, each node receives the PREPARE message broadcasted by all other nodes at the stage, the node can verify the authenticity of the message, mainly compares n, v and m fields, and if more than (2f+1) preparation messages are correct, the node enters the COMMIT stage.
3) A COMMIT stage: the node generates a COMMIT message and broadcasts the COMMIT message to other nodes, the message format is < COMMIT, v, n, d, i >, the other nodes can verify the COMMIT message, mainly verify d and v fields, and after verification is passed, the request consensus process can be completed.
4) An ADJUST phase: scoring each participating consensus node according to the consensus result, discretizing 0-100 score for each node according to the time of submitting the commit of each node, and according to the formulaWherein Q i is the score of the round consensus of the i node, T i is the time of submitting the commit by the i node, T is the total time spent from the occurrence of the first commit to the end of the consensus, the score of the node submitted by the first commit is 100, and the score of the node not participating in the commit is 0; and dynamically adjusting the weight of each node according to a formula W i=(1-q)*wi+q*Qi, wherein q is the proportion of the weight in the previous state in the new weight, and W i is the i node weight value in the previous state.
The algorithm flow is as follows:
(1) The blockchain network initiates the work. After the federation chain is constructed, each node is numbered {0,1,2, …, N-1}. While initializing a weight table W T={w1,w2,...,wi,…,wN for each node, the initial weight is set to 100,
(2) The client initiates a transaction request to the master node, the master node numbers the request message after receiving the request, and then the master node executes a consistency protocol.
(3) And executing a consistency protocol by all consensus nodes, and executing PBFT a consistency protocol algorithm to broadcast the consensus to the whole network when the weight of all the nodes is 100 in the first consensus. And after the consensus is finished, scoring the consensus performance according to the setting of the ADJUST stage for all nodes.
(4) And after the consistency protocol execution is finished, adjusting a weight table of each node. The next consensus is performed.
A multi-node alliance chain experiment system is realized through the GO programming language and is used for simulating the user registration and user behavior uplink consensus process in the design scheme. Performance tests were performed on the original PBFT algorithm and the DPBFT algorithm set forth herein in this system.
The experimental results are shown in fig. 4, and the performance differences between PBFT and DPBFT at different p-value selections are mainly analyzed. Under the condition that the attenuation factors q are adjusted by different node numbers and the same fraction, the transaction delays of PBFT and DPBFT algorithms are compared, and meanwhile, a factor p affecting the size of a broadcast domain is introduced to observe the influence of the factor p on the transaction delays. To make the experimental result data more objective, each data was an average value taken after repeating the test 20 times.
In fig. 4, the transaction delays of the DPBFT algorithm and the PBFT algorithm with the same q value and different p values are smaller than the transaction delay generated by the normal PBFT algorithm by the DPBFT algorithm as can be seen from the experimental results. The size of p determines the size of the node-selective broadcast domain when the number of blockchain network nodes and the attenuation factor q are determined. It can also be seen from the figure that the smaller p is, the smaller the transaction delay is, and the higher the consensus efficiency is.

Claims (7)

1. The distributed identity authentication method based on the alliance chain is used for authenticating the identity of a user applying for service to an enterprise; the method is characterized in that the alliance chain consists of enterprises with the same target users and a shared data mechanism, the target users of the alliance chain enterprises register and acquire the distributed digital identities and the distributed digital identities, public keys and user rights of the users are issued to the blockchain network for consensus with the enterprises; the distributed identity authentication method comprises the following steps:
S1: when the target user applies for service to any enterprise in the alliance chain, the distributed digital identity-DID and public key information generated during registration are provided through a user terminal; the DID is a carrier for digital signature verification of user rights by a trusted authority center according to a private key of the trusted authority center, and an enterprise verifies the digital signature;
S2: the enterprise compares the distributed digital identity of the user with a user distributed digital identity database of local remarks; if remarks exist in the database, analyzing the authority of the database according to the remarks; otherwise, entering S4;
s3: if the authority is satisfied, providing service for the user; otherwise, enter S5:
S4: if the local database has no remark, the local database is commonly recognized with the blockchain network, the authority of the local database is queried, and S3 is returned;
s5: issuing a failure report to a user, and prompting the user to update identity information evidence required by service;
s6: after the user updates the identity information, providing service for the user, and consensus the behavior operation of the user with shared value to the blockchain network;
Each node of the blockchain network corresponds to an enterprise in the alliance chain, a dynamic weight mechanism is adopted in the consensus process of the enterprise and the blockchain network, and nodes with weights greater than or equal to a preset value are selected for selective broadcasting;
In the dynamic weight mechanism, the weight of a node is in direct proportion to the frequency of the behavior operation with shared value of the user uploaded by the enterprise corresponding to the node;
the dynamic weight mechanism is realized by dynamically using a Bayesian fault tolerance algorithm-DPBFT; the DPBFT algorithm comprises the following steps in a consistency protocol stage:
1) PRE-preparation phase: the master node gives a number n to a received request m sent by a client, generates a PRE-PREPARE message, broadcasts the PRE-PREPARE message to all nodes participating in consensus in a whole network, and generates a message format of < PRE-PREPARE, v, n, d, m >, wherein v is a view number, d is an abstract of m through hash function operation;
2) Preparation stage: generating a PRE message after receiving the PRE-PREPARE message sent by the master node by the slave node, determining a selective broadcasting domain according to W T and p values, selectively broadcasting the PREPARE message to nodes in the own consensus domain, wherein the message format is < PREPARE, v, n, d, i >, i is the node number, in this stage, each node receives PREPARE messages broadcast by all other nodes, the node can verify the authenticity of the messages, compares n and v fields, and enters a COMMIT stage if more than (2f+1) preparation messages are correct; w T represents a weight vector table, and p represents a dynamic parameter;
3) A COMMIT stage: the node generates a COMMIT message and broadcasts the COMMIT message to other nodes, the message format is < COMMIT, v, n, d, i >, the other nodes can verify the COMMIT message, d and v fields are verified, and after verification is passed, the request consensus process can be completed;
4) An ADJUST phase: scoring each participating consensus node according to the consensus result, discretizing 0-100 score for each node according to the time of submitting the commit of each node, and according to the formula Wherein Q i is the score of the round consensus of the i node, T i is the time of submitting the commit by the i node, T is the total time spent from the occurrence of the first commit to the end of the consensus, the score of the node submitted by the first commit is 100, and the score of the node not participating in the commit is 0; and dynamically adjusting the weight of each node according to a formula W i=(1-q)*wi+q*Qi, wherein q is the proportion of the weight in the previous state in the new weight, and W i is the i node weight value in the previous state.
2. The federation chain-based distributed identity authentication method according to claim 1, wherein each consensus node maintains a weight vector table W T={w1,w2,...,wi,…,wN, wherein weight W i reflects dynamic communication performance and trustworthiness of inodes; w T is updated continuously along with the progress of the consensus, a time attenuation function is introduced, after each round of the consensus is finished, each consensus node updates W T maintained by the consensus according to the voting and communication conditions of the consensus, and N represents the total number of the consensus nodes.
3. The distributed identity authentication method based on a federation chain according to claim 2, wherein if an inode successfully participates in a commit instruction phase in a consensus process, the whole network increases a weight value of the inode; if the node participating in the commit operation instruction does not exist after the consensus is finished, judging that the communication capacity is poor, and reducing the weight value of the whole network according to the time attenuation function.
4. The federation-chain-based distributed identity authentication method of claim 2, wherein, during a broadcast phase of the consensus flow, nodes will broadcast voting messages within respective broadcast domains and the size of the broadcast domains will be dynamically updated with W T.
5. The federation-chain-based distributed identity authentication method of claim 4, wherein the size of the broadcast domain is represented by a dynamic parameter p, p=n/N, N being the number of nodes in the selective broadcast domain.
6. The distributed identity authentication method based on the federation chain according to claim 1, wherein the user becomes a target user of the federation chain enterprise by registering before applying for the service; the registration process is as follows:
1) The user applies for registering the distributed digital identity to the trusted authority;
2) The trusted authority provides a registration interface for the user and issues registration identity related requirements and policies;
3) The user provides identity information according to the requirement, a public and private key pair of the user is generated through the user terminal according to an elliptic curve encryption algorithm, the private key user stores the public key and the identity information, and the public key and the identity information are sent to a trusted authority center;
4) The trusted authority center performs validity verification and repeatability verification on the user information so as to prevent the user from forging personal real information registration and prevent the user from repeatedly registering;
5) After verification is successful, the trusted authority center generates a distributed digital identity-DID for the user according to the identity information type and the registration timestamp provided by the user;
6) The trusted authority binds the user DID, the user public key and the user authority together and issues the bound user DID, the user public key and the user authority to the blockchain network for consensus;
7) After the consensus is finished, the alliance chain enterprises remark the user DID at the local end;
8) And the trusted authority center returns the user registration result and the DID distributed to the user, and extracts the user identity information, encrypts and stores the abstract in the local.
7. A distributed identity authentication system based on a federation chain, which adopts the distributed identity authentication method based on the federation chain as claimed in any one of claims 1 to 6, and is characterized in that the distributed identity authentication system based on the federation chain comprises:
The trusted authority center server is responsible for issuing a digital certificate for a user and a blockchain network node, providing a distributed Digital Identity (DID) for the user, binding and issuing the authenticated DID of the user and a public key thereof to a blockchain network for consensus, and informing the user of the position of the digital certificate and the DID of the user on the blockchain network after the consensus is successful;
the block chain network is composed of a plurality of block chain link points, each block chain node is maintained by an enterprise in the alliance chain and is responsible for receiving DID and user public key binding information and user login state information sent by the trusted authority center and user valuable behavior records, classifying and packaging the DID and user public key binding information and user valuable behavior records to generate blocks, consensus the blocks on the block chain network and returning a consensus result to the trusted authority center;
the enterprise terminal provides service for the user, and when the user performs identity authentication through the DID, the enterprise terminal inquires whether the user is a registered target user on the blockchain network and generates transaction consensus on the blockchain network according to the login state and behavior information of the user;
the user terminal generates a public key pair and a private key pair through an elliptic curve encryption algorithm, provides personal real identity information of the user to the trusted authority for verification, and stores the DID received from the trusted authority and the block hash value stored with the DID for identity verification among enterprises.
CN202011549865.5A 2020-12-24 2020-12-24 Distributed identity authentication method and system based on alliance chain Active CN112702346B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011549865.5A CN112702346B (en) 2020-12-24 2020-12-24 Distributed identity authentication method and system based on alliance chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011549865.5A CN112702346B (en) 2020-12-24 2020-12-24 Distributed identity authentication method and system based on alliance chain

Publications (2)

Publication Number Publication Date
CN112702346A CN112702346A (en) 2021-04-23
CN112702346B true CN112702346B (en) 2024-05-10

Family

ID=75509828

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011549865.5A Active CN112702346B (en) 2020-12-24 2020-12-24 Distributed identity authentication method and system based on alliance chain

Country Status (1)

Country Link
CN (1) CN112702346B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113239078B (en) * 2021-05-17 2022-09-20 国网河南省电力公司信息通信公司 Data rapid query method based on alliance chain
CN113407925B (en) * 2021-06-11 2022-05-17 国网浙江省电力有限公司电力科学研究院 Application-free reconstruction docking method and system between application system and IAM system
CN113626781B (en) * 2021-07-19 2024-01-23 中国科学院信息工程研究所 Block chain efficient authentication method based on trusted group
CN113746916B (en) * 2021-09-01 2024-06-18 北京泰尔英福科技有限公司 Third party service providing method, system and related nodes based on block chain
CN113541970B (en) * 2021-09-17 2021-11-26 中国信息通信研究院 Method and system for using distributed identifier
CN114024766B (en) * 2021-11-23 2023-06-20 重庆邮电大学 Zero trust identity authentication method for edge computing node
CN114139203B (en) * 2021-12-03 2022-10-14 成都信息工程大学 Block chain-based heterogeneous identity alliance risk assessment system and method and terminal
CN114640500B (en) * 2022-02-14 2023-07-28 南京邮电大学 Service-based alliance chain efficient consensus method
CN114884702A (en) * 2022-04-19 2022-08-09 海南大学 Identity registration method, identity authentication method and identity management system
CN114697048B (en) * 2022-06-01 2022-08-26 天津市普迅电力信息技术有限公司 Block chain-based carbon emission data sharing method and system
CN115150072A (en) * 2022-06-20 2022-10-04 中国联合网络通信集团有限公司 Cloud network issuing authentication method, equipment, device and storage medium
CN116527372B (en) * 2023-05-16 2023-12-15 深圳建安润星安全技术有限公司 Internet-based data security interaction system and method
CN116415307B (en) * 2023-06-06 2023-09-01 中国电子科技集团公司第二十八研究所 Distributed trusted data service system and method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450877A (en) * 2018-10-25 2019-03-08 北京九州云腾科技有限公司 Distributed IDaaS Unified Identification system based on block chain
CN109767199A (en) * 2018-12-10 2019-05-17 西安电子科技大学 PBFT common recognition system and method, block chain data processing system based on prestige
CN110061851A (en) * 2019-04-28 2019-07-26 广州大学 A kind of across trust domain authentication method and system of decentralization
CN110535836A (en) * 2019-08-12 2019-12-03 安徽师范大学 A kind of trust block chain common recognition method of based role classification
CN110958111A (en) * 2019-12-09 2020-04-03 广东电网有限责任公司 Electric power mobile terminal identity authentication mechanism based on block chain
CN111082943A (en) * 2019-12-06 2020-04-28 西安电子科技大学 Efficient block chain consensus method
WO2020113545A1 (en) * 2018-12-07 2020-06-11 北京大学深圳研究生院 Method for generating and managing multimodal identified network on the basis of consortium blockchain voting consensus algorithm
CN111738743A (en) * 2020-05-27 2020-10-02 国网电力科学研究院有限公司 Block chain-based customer service interaction method and device

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450877A (en) * 2018-10-25 2019-03-08 北京九州云腾科技有限公司 Distributed IDaaS Unified Identification system based on block chain
WO2020113545A1 (en) * 2018-12-07 2020-06-11 北京大学深圳研究生院 Method for generating and managing multimodal identified network on the basis of consortium blockchain voting consensus algorithm
CN109767199A (en) * 2018-12-10 2019-05-17 西安电子科技大学 PBFT common recognition system and method, block chain data processing system based on prestige
CN110061851A (en) * 2019-04-28 2019-07-26 广州大学 A kind of across trust domain authentication method and system of decentralization
CN110535836A (en) * 2019-08-12 2019-12-03 安徽师范大学 A kind of trust block chain common recognition method of based role classification
CN111082943A (en) * 2019-12-06 2020-04-28 西安电子科技大学 Efficient block chain consensus method
CN110958111A (en) * 2019-12-09 2020-04-03 广东电网有限责任公司 Electric power mobile terminal identity authentication mechanism based on block chain
CN111738743A (en) * 2020-05-27 2020-10-02 国网电力科学研究院有限公司 Block chain-based customer service interaction method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘廷峰 ; 周平 ; 李江鑫 ; .基于区块链的泛在电力物联网身份认证技术研究.网络空间安全.2019,(07),全文. *
基于拜占庭容错的区块链共识算法研究;张良嵩;《中国优秀硕士学位论文全文数据库 信息科技辑》(第07期);第2-3章 *

Also Published As

Publication number Publication date
CN112702346A (en) 2021-04-23

Similar Documents

Publication Publication Date Title
CN112702346B (en) Distributed identity authentication method and system based on alliance chain
CN109871669B (en) Data sharing solution based on block chain technology
Kubilay et al. CertLedger: A new PKI model with certificate transparency based on blockchain
Alphand et al. IoTChain: A blockchain security architecture for the Internet of Things
TW202038221A (en) Retrieving public data for blockchain networks using trusted execution environments
US20090158394A1 (en) Super peer based peer-to-peer network system and peer authentication method thereof
CN113507458B (en) Cross-domain identity authentication method based on block chain
CN101193103B (en) A method and system for allocating and validating identity identifier
CN113328997B (en) Alliance chain crossing system and method
CN113824563B (en) Cross-domain identity authentication method based on block chain certificate
CN111294339B (en) Homogeneous alliance chain cross-chain method and device based on Fabric architecture
CN113228560A (en) Issuing apparatus and method for issuing, and requesting apparatus and method for requesting digital certificate
Li et al. Blockchain-based group key agreement protocol for vehicular ad hoc networks
CN113343213A (en) Multi-CA cross-domain authentication method based on block chain in distributed autonomous network
Le et al. A lightweight block validation method for resource-constrained iot devices in blockchain-based applications
Wang et al. Achieving fine-grained and flexible access control on blockchain-based data sharing for the Internet of Things
Kubilay et al. KORGAN: An efficient PKI architecture based on PBFT through dynamic threshold signatures
CN114930770A (en) Certificate identification method and system based on distributed ledger
Dirksen et al. Logpicker: Strengthening certificate transparency against covert adversaries
CN112039837A (en) Electronic evidence preservation method based on block chain and secret sharing
CN116506118A (en) Identity privacy protection method in PKI certificate transparentization service
KR100747147B1 (en) A Peer to Peer system which provides benefit to all of content provider, operator of the network and distributor and provides securities in the network
CN116964572A (en) Block chain-based federal learning device, method and system
Popescu et al. A certificate revocation scheme for a large-scale highly replicated distributed system
Wang et al. Reducing revocation latency in iov using edge computing and permissioned blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant