CN112865979B - Resource conflict detection method of resource public key infrastructure based on block chain - Google Patents

Abstract

The invention discloses a resource conflict detection method of a resource public key infrastructure based on a block chain, aiming at improving the detection efficiency of resource conflict in the process of issuing a resource certificate. The technical scheme is that a resource public key infrastructure system based on a block chain is constructed and consists of a resource issuer, a resource transaction application client, a resource receiver and a block chain network, wherein the resource transaction application client consists of a resource transaction module, a resource certificate generation module and a display module; constructing a resource transaction structure and a resource tree; a resource certificate generation module of a resource issuer issues an RC and performs conflict check on the RC resource; carrying out resource conflict check on the RC issued transaction by the intelligent contract or the chain code of the block chain; a resource certificate generation module of a resource issuer issues ROA and performs resource conflict check on ROA resources; the intelligent contract or chain code performs resource conflict check on the ROA issued transaction. The invention can improve the self security of the resource certificate system and has high detection efficiency.

Description

Resource conflict detection method of resource public key infrastructure based on block chain

Technical Field

The invention belongs to the field of network information security, and particularly relates to a Resource Public Key Infrastructure Resource conflict detection method for improving RPKI (Resource Public Key Infrastructure) security based on a block chain.

Background

BGP (Border Gateway Protocol) is an interdomain routing Protocol in the Internet. However, the conventional BGP protocol is susceptible to many security threat attacks, one of the most common BGP attacks being prefix hijacking. By forging the originating AS (i.e., Autonomous system) in the BGP route advertisement information, the originating AS (i.e., the AS that originated the route advertisement information) causes traffic corresponding to these IP address prefixes to be intercepted or dropped by the hijacker's AS. The resource public key infrastructure (i.e., RPKI) is an infrastructure for supporting IP address prefix origination verification, which can provide a trusted mapping of authorized IP address prefixes to the originating AS. The IP address is equal to the network address plus the host address, and the IP address prefix refers to the address portion of the IP address corresponding to its network portion, i.e., the network address of the IP address, and is used to uniquely identify the network number of a network connected to the Internet. IP address { < address prefix >, < host number > }. To distinguish address prefixes, a "slash notation" is usually adopted, i.e., the number of bits occupied by the IP address/network prefix. For example: 192.168.24.0/22 indicates 32-bit address, the first 22 bits are network prefix, and the last 10(32-22 ═ 10) bits represent host number. In the conversion, 192.168.24.0 corresponds to a binary value of:

1100 0000(192)，1010 1000(168)，0001 1000(24)，0000 0000(0)

RPKI depends on the distribution process of Internet digital resources (INR), where the INR includes IP address resources and AS number resources, i.e. the IP address and AS number owned by the organization, and uses the Internet registration management authority RIR (regional Internet registry) AS the top-level resource issuer, the RIR can distribute its own Internet number resources to lower-level resource issuers such AS local Internet registration authority (LIR), national Internet registration authority (national Internet registry, NIR), and Internet service providers (Internet service provider, ISP), and then the lower-level resource issuers distribute downward in sequence, and provide a verifiable mapping library of IP address prefixes and AS origins through a top-down privilege hierarchy. The RPKI consists of three components: a public key infrastructure-based certificate object, a signature object for representing a route Origin authorization, roa, (route Origin authorization), and a distributed storage system for maintaining the object. The RP (resolving Party) is the user of the RPKI, which takes a copy of the set of signed objects, verifies the signature, generates a list of valid ROAs, and periodically checks for updates to the signed objects in the distributed storage system and synchronizes the updates. The ROA is authorization information for an IP address owner to authorize an AS to perform routing advertisement for the ROA, and contains a "binding relationship" between an AS number and one or more IP address prefixes.

The ROA may be used by the RP to verify whether the AS that initiates routing for a particular IP address prefix is authorized by the address owner. The BGP router uses the valid ROA list information provided by the RPs in the RPKI to distinguish between BGP routes originated by a legitimate originating AS and BGP routes that may be hijacked.

However, RPKI itself also faces security risks. One type of security problem faced by RPKI is that the resource information, such AS IP prefix and AS number, of various resource certificates rc (resource certificate) and ROA issued by the authority, AS well AS by the authority and the RP, do not perform resource conflict detection. Therefore, a malicious authorization mechanism can indirectly realize the routing prefix attack by utilizing various resource certificates and the like for issuing resource conflicts. In order to solve this problem, the following research schemes are mainly used: firstly, resource conflict check is added when an authorization mechanism issues a resource certificate; secondly, a resource conflict checking process is added when the RP verifies the resource certificate; and thirdly, an RPKI CA resource abnormal distribution protection method based on the block chain. The third method is based on the RPKI CA resource abnormal distribution protection method of the block chain, and the main idea is to deploy CA resource abnormal distribution verification contracts on the block chain, and ensure the conflict-free resource distribution and overcome the single-point fault risk possibly faced by relying on RP to verify resource conflicts through verification of a plurality of third parties. Although the method has the advantages of bidirectional authorization and single-point failure prevention, the method is more suitable for the management of the internet resource certificate compared with the former two methods, and is a latest developed technical scheme in the field of internet routing communication at present, however, the method has the main disadvantages that the method adopts a mode of traversing one by one, and checks such as resource repetition, resource coverage, resource intersection and the like are respectively carried out on each issued resource and resource certificate resource to be verified, so that the detection efficiency is low; secondly, the method mainly detects RC resource conflict and does not detect ROA resource conflict; thirdly, the method completely depends on a verification contract deployed on the blockchain, and does not consider a comprehensive scheme combining CA resource abnormity detection with blockchain intelligent contracts or blockchain codes. How to efficiently detect resource conflicts in the process of issuing various resource certificates is still a technical problem which is of great concern to the technical personnel in the field.

Disclosure of Invention

The technical problem to be solved by the invention is to provide a method for detecting resource conflicts in the issuing process of various resource certificates in a resource public key infrastructure based on a block chain, so that the detection efficiency is improved.

The technical scheme of the invention is as follows: constructing a resource public key infrastructure system based on a block chain, which consists of a resource issuer, a resource transaction application client, a resource receiver and a block chain network, wherein the resource transaction application client consists of a resource transaction module, a resource certificate generation module and a display module; constructing a resource transaction structure and a resource tree; a resource certificate generation module of a resource issuer issues an RC and performs conflict check on the RC resource; carrying out resource conflict check on the RC issued transaction by the intelligent contract or the chain code of the block chain; a resource certificate generation module of a resource issuer issues ROA and performs resource conflict check on ROA resources; the intelligent contract or chain code performs resource conflict check on the ROA issued transaction. The invention can improve the self security of the resource certificate system and has high detection efficiency.

The invention specifically comprises the following steps:

the method comprises the first step of constructing a resource public key infrastructure system RPKIB (RPKI Block chain, the working architecture of RPKI is shown in https:// www.apnic.net/get-ip/faqs/RPKI /), wherein the RPKIB consists of a resource issuer, a resource transaction application client, a resource receiver and a block chain network.

The block chain network is a decentralized system, each node in the block chain network is peer-to-peer, and the peer-to-peer node can be used as an issuer or a receiver. The block chain network eliminates the dependence problem of the original RPKI on the central node through a decentralized mechanism, and is connected with a resource issuer, a resource receiver and a resource transaction application client. The resource issuer and the resource receiver are connected with the blockchain network, and the resource transaction application client is installed on the resource issuer or the resource receiver. The resource transaction application client takes various operations of the resource certificate and the routing origin authorization ROA as transactions, and the transactions are stored in a distributed account book through the blockchain network. The distributed ledger exists in all blockchain nodes.

Resource issuer the resource issuer is connected to the blockchain network as a client of the blockchain network (similar to a bitcoin wallet, which may request query transaction status from the blockchain network).

The resource receiver is provided with a resource transaction application client, and is connected to the block chain network and used as a client of the block chain network. And the resource issuer and the resource receiver are used as transaction parties to perform transaction through the blockchain network, and the transaction is recorded in the distributed account book.

The resource transaction application client is composed of a resource transaction module, a resource certificate generation module and a display module.

The resource certificate generation module is connected with the resource transaction module; the resource certificate generation module receives information of a pre-issued RC certificate and ROA from the resource transaction module, and generates a resource certificate RC which is defined by the same RPKI according to the pre-issued RC certificate, wherein the content of the resource certificate RC comprises an X.509 certificate of standard RFC 5280 and is attached with an IP address and an AS extended identifier of RFC 3779 standard. The resource certificate generation module creates a Route Origination Authority (ROA) for a resource held by a resource recipient based on pre-issued ROA information (including an AS number and one or more IP address prefixes). An effective ROA comprises three parts: an AS number; a list of IP address prefixes; optional contents (including address prefix length, address prefix range) for limiting the IP address prefix. The resource certificate generation module sends the generated RC or ROA to the resource transaction module.

The resource transaction module is connected with the resource certificate generation module, the display module and the block chain link points, receives RC or ROA from the resource certificate generation module, receives an operation instruction about RC or ROA from the resource issuer, conducts transaction through the block chain network, and provides various operations of RC or ROA resource transaction for the resource issuer, wherein the operations comprise: issuing the RC or the ROA to the resource receiver; revoking the RC or ROA from the resource recipient; modifying RC or ROA (ROA modification is realized by issuing a new certificate under the condition that the set ROA extension item, namely IP address prefix and AS number, needs to be modified); performing an update operation on the RC (the update refers to replacing the old certificate with a new certificate before the old certificate expires, and only the certificate validity period and the serial number (serial number of the certificate) change in the old certificate update process); the RC updating operation only needs to change the validity period and the serial number of the old certificate, and does not relate to the IP address prefix and the AS number carried by the certificate; and the RC modify operation involves the IP address prefix and AS number carried by the certificate; one operation is a transaction in the RPKIB. And when the transaction is successful, the resource transaction module sends a success message to the display module, when the transaction is unsuccessful, the resource transaction module sends a conflict reason, an operation failure reason and a transaction result which are detected by the conflict to the display module, and when the operation is cancelled, the resource transaction module sends the RC and the ROA to the display module.

The display module is connected with the resource transaction module, receives the transaction success message or the conflict reason, the operation failure reason and the transaction result when the transaction is unsuccessful from the resource transaction module, and displays the transaction result; and receiving the RC and the ROA from the resource transaction module when the operation is cancelled, and displaying the specific content of the RC and the ROA.

And secondly, constructing a resource transaction structure.

The resource transaction structure comprises a transaction initiator, a transaction receiver, a transaction type, transaction contents, transaction attributes, transaction evidence and a transaction signature given by the transaction initiator. The transaction initiator refers to the resource issuer address and the transaction recipient refers to the resource recipient address. A transaction signature refers to a digital signature made by a transaction initiator on an initiated transaction in a blockchain network. The transaction types include seven types, respectively: RC issuance, RC revocation, RC updating, RC modification, ROA issuance authorization, ROA revocation and ROA modification. The transaction content is the content of the RC or ROA corresponding to the transaction. The transaction attribute comprises a transfer attribute and an expiration attribute; the transmission attribute indicates whether the IP address resource allocated to a certain organization can be reallocated to another resource authorization entity, the transmission attribute is 0, and indicates that a resource issuer does not want to perform sub-allocation on the IP address prefix resource allocated to the certain organization, at this time, the organization is called a terminal node, the IP address resource and the AS number resource owned by the organization are not subdivided, and only the terminal node can issue ROA; the transfer attribute is 1, which indicates that a resource issuer wishes to sub-allocate the IP address prefix resource allocated to a certain organization; the expiration attribute shows whether the IP address resource has lease period, the expiration attribute is 0 to indicate that the lease time is not expired, the expiration attribute is 1 to indicate that the lease time is expired, and the IP address resource should be released and returned to the original resource authorization entity. The transaction evidence represents signatures of the resource issuer and the resource receiver twice, and the evidence agreed by the two parties consists of messages transacted by the two parties and random numbers (for example, when the RC is revoked, the evidence of the transaction is RC _ revoke _ reply messages and the random number +1 issued by the holder of the RC), so that the risk that a legal IP address is possibly blocked due to a unilateral authorization protocol of the resource issuer in the current RPKI but an attacker or a behavior offender is difficult to find is overcome. The transaction signature given by the transaction initiator shows that the transaction initiator and the transaction recipient have agreed upon the transaction. For ROA operations, since the transaction initiator and the transaction recipient are the same, no evidence of two-way signatures is required. For ROA-related operations transactions, the transaction signature field given by the initiator of the transaction is NULL.

And thirdly, the resource transaction module constructs a resource tree according to the effective resource certificate RC. One node of the resource tree includes 10 domains, which are respectively: resource issuer, resource receiver, resource certificate, parent certificate identification, sub-certificate identification, IP (Internet protocol) address prefix contained in the certificate, AS (Autonomous System Autonomous System) number contained in the certificate, sub-RC resource IP prefix binary tree, sub-RC resource AS binary tree, and allocated IP address prefix bloomfilter structure in ROA (a general technology can quickly judge whether a certain element belongs to a set, https:// baike. The node is linked to the child node through a child certificate identity domain and to the parent node of the node through a parent certificate identity domain. The IP address prefix contained in the certificate and the AS number contained in the certificate are obtained by the resource transaction module through analyzing the certificate. The resource tree is stored in a distributed account book and is commonly maintained by a resource issuer and a resource receiver.

Fourthly, in a resource public key infrastructure system RPKIB based on a block chain, a resource certificate generation module of a resource issuer issues an RC, and when a new RC is issued, resource repetition, overlapping and conflict check of inclusion relation are carried out on the RC resource to be issued, wherein the method comprises the following steps:

4.1 resource certificate generation module of resource issuer carries out conflict detection to IP address prefix resource: the minimum value of the IP address prefix r to be allocated is converted into r.min, the maximum value of r is converted into r.max, the IP address prefix is a range including a minimum value and a maximum value, such as 192.168.1.0/24, the minimum value of the prefix is 192.168.1.1, the maximum value is 192.168.1.255, then r.min equals to 1, and r.max equals to 255. Retrieving a sub RC resource IP prefix binary tree of a CA to be issued, wherein the method comprises the following steps:

4.1.1 if the sub RC resource IP prefix binary tree of the CA to be issued is empty, the IP address prefix to be allocated has no resource conflict, the resource conflict detection passing value of the IP address prefix is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.1.2.4 is converted;

4.1.2 if the binary tree of sub-RC resource IP prefixes of the CA to be issued is not empty, the comparison is started from the root node of the binary tree of sub-RC resource IP prefixes, and each node of the binary tree records two integers represented by the allocated resources, which are represented by start _ IP and end _ IP (the two values are two values of the node record). And searching a binary IP prefix tree of the sub RC resource according to the following modes:

4.1.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 4.2 is switched; otherwise, turning to 4.1.2.2;

4.1.2.2 if r.min is less than or equal to end _ IP and r.max is less than start _ IP, and if the node has a left sub-tree (left branch of a sub RC resource IP prefix binary tree), continuing to search the left sub-tree of the node, updating the start _ IP and the end _ IP into two values recorded by a root node of the left sub-tree, and turning to 4.1.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, turning to 4.1.2.4;

4.1.2.3 if r.min > end _ IP and if the node has right subtree (right branch of binary tree of IP prefix of sub RC resource), continuing to search the right subtree of the node, updating start _ IP and end _ IP to two values recorded by the root node of the right subtree, and turning to 4.1.2.1; if r.min > end _ ip, and if the node has no right subtree, turn 4.1.2.4;

4.1.2.4 at this time, the IP address prefix to be allocated does not have resource conflict, the resource conflict detection passing value of the IP address prefix is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.2 is converted;

4.2 if the IP address prefix resource conflict detection passing value is 0 (conflict occurs), sending 'resource conflict detection failure to the resource issuer, unable to execute the issuing operation of the RC', turning to 4.1; if the resource conflict detection pass value of the IP address prefix is 1 (no conflict), 4.3 is switched.

4.3 the resource certificate generation module of the resource issuer detects the AS resource conflict: the minimum value of the AS range s to be allocated is converted to s.min, the maximum value of s is converted to two integers of s.max (the AS range is a range comprising a minimum value and a maximum value, e.g. 20-30, then s.min is 20, s.max is 30), if the AS to be allocated is a value then s.min equals s.max. Retrieving a sub RC resource AS binary tree of a CA to be issued, wherein the method comprises the following steps:

4.3.1 if the AS binary tree of the sub RC resource to be issued is empty, the AS to be allocated has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.3.3 is converted;

if the binary tree of the sub RC resource AS to be issued is not empty, comparison is started from the root node of the binary tree, and each node of the binary tree records two integers (i.e. s.min and s.max) into which the allocated resource is converted, which are represented by start _ AS and end _ AS (the two values are two values of the node record), and the result is converted to 4.3.2.

4.3.2 the sub RC resource AS binary tree is searched according to the following mode:

4.3.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 4.3.3 is switched;

4.3.2.2 if s.min is less than or equal to end _ AS and s.max is less than start _ AS, if the node has left sub-tree (left branch of binary tree of sub RC resource AS), continuing to search the left sub-tree of the node, updating start _ AS and end _ AS to two values recorded by root node of the left sub-tree, and turning to 4.3.2.1; if s.min is less than or equal to end _ as and s.max is less than start _ as, and if the node does not have a left sub-tree, go to 4.3.2.4;

4.3.2.3 if s.min > end _ AS, and if the node has right sub-tree (right branch of sub RC resource AS binary tree), continuing to search the right sub-tree of the node, updating start _ AS, end _ AS to two values recorded by the root node of the right sub-tree, and turning to 4.3.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 4.3.2.4;

4.3.2.4, it shows that there is no resource conflict in the AS to be allocated, it sends the AS resource conflict detection passing value (1 in this case) to the resource issuer, and records the position of the CA node to be issued inserted in the binary tree, and changes to 4.3.3;

4.3.3 if the AS resource conflict detection passing value is 0 (conflict occurs), sending a message of 'failure of resource conflict detection and incapability of executing issuing operation of the RC' to the resource issuer, turning to 4.3, and performing resource conflict detection on the next RC; if the AS resource conflict detection passing value is 1 (no conflict), 4.4 is turned.

4.4 resource transaction module of resource issuer submits RC issued transaction to blockchain. The issue transaction process of submitting RC to blockchain see patents 'a bidirectional authorization method for blockchain based resource public key infrastructure' (application number: 201911168985.8) and 'a certificate transaction verification method for blockchain based resource public key infrastructure' (application number: 201911168125.4), if submission to blockchain is successful, go to 4.5; if the commit to the blockchain is unsuccessful, a 4.4 transition is made.

4.5 at this time, submitting the RC issue transaction to the blockchain successfully, generating a new node in the sub RC resource IP prefix binary tree by the resource transaction module of the resource issuer according to the binary tree position obtained in 4.1, and recording the r.min and r.max to be allocated in the new node; and generating a new node in the sub RC resource AS binary tree according to the obtained binary tree position of 4.3, and recording the s.min and s.max to be allocated in the new node.

Fifthly, carrying out resource conflict check on the received RC issued transaction by an intelligent contract or chain code deployed by a block chain platform, wherein the resource conflict check comprises the conflict check of the repetition, the overlapping and the inclusion relation of the resource conflict, and the method comprises the following steps:

5.1 Intelligent contracts or chain codes find parent certificates: intelligent contracts or chain codes (see in particular patent bidirectional authorization method for resource public key infrastructure based on blockchain (application number: 201911168985.8) and certificate transaction verification method for resource public key infrastructure based on blockchain (application number: 201911168125.4)) analyze RC-issued transaction contents received from 4.4, analyze parent certificate identification id in a certificate to be issued, and store a certificate key-vlaue structure in the parent certificate identification id (see below) ((see in particular patent bidirectional authorization method for resource public key infrastructure based on blockchain (application number: 201911168985.8)) respectively)https://baike.baidu.com/item/Key-Value/857887820210111) to locate the parent certificate. If the result of the positioning parent certificate is null, the received RC certificate content is wrong, a message of 'transaction is unsuccessful' is returned to the resource issuer, and the eighth step is carried out; otherwise, deserializing the certificate of the RC issued transaction received from 4.4 (operation of converting byte sequence of the certificate into the certificate, see encyclopedia for description of serialization and deserialization: https:// baike. baidu. com/item/serialization/2890184) to obtain a certificate structure, and locating the root nodes of the sub RC resource IP prefix binary tree and the sub RC resource AS binary tree of the parent certificate according to the certificate structure, and turning to 5.2.

5.2 intelligent contract or chain code conflict detection to IP address prefix resource: and converting the IP address prefix r to be allocated in the RC received from 4.4 into two integers of r.min and r.max. Retrieving a child RC resource IP prefix binary tree corresponding to a parent certificate node, wherein the method comprises the following steps:

5.2.1 if the sub RC resource IP prefix binary tree corresponding to the father certificate node is empty, the IP address prefix to be allocated has no resource conflict, the IP address prefix resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 5.3 is turned; if the binary tree of the IP prefixes of the sub RC resources corresponding to the parent certificate node is not empty, comparison is carried out from the root node of the binary tree, and each node of the binary tree records two integers (namely r.min and r.max) into which the allocated resources are converted, wherein the integers are represented by start _ IP and end _ IP, and the transition is 5.2.2.

5.2.2 the binary tree of the IP prefix of the sub RC resource is searched according to the following mode:

5.2.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 5.3 is turned; otherwise, 5.2.2.2 is rotated;

5.2.2.2 if r.min is less than or equal to end _ IP and r.max is less than start _ IP, and if the node has a left sub-tree (left branch of a sub RC resource IP prefix binary tree), continuing to search the left sub-tree of the node, updating the start _ IP and the end _ IP into two values recorded by the root node of the left sub-tree, and turning to 5.2.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, go to 5.2.2.4;

5.2.2.3 if r.min > end _ IP and if the node has a right subtree (right branch of the binary tree of the IP prefix of the sub RC resource), continuing to search the right subtree of the node, updating start _ IP and end _ IP into two values recorded by the root node of the right subtree, and turning to 5.2.2.1; if r.min > end _ ip, and if the node does not have a right sub-tree, go to 5.2.2.4;

5.2.2.4 there is no resource conflict for the IP address prefix to be allocated, the resource conflict detection passing value of the IP address prefix is 1, the position of the CA node to be issued inserted into the sub RC resource IP prefix binary tree is recorded, and 5.3 is switched;

5.3 if the IP address prefix resource conflict detection passing value is 0 (conflict occurs), directly sending a 'resource conflict detection failure and returning a transaction unsuccessful' message to the resource issuer, and turning to the fifth step to carry out resource conflict check on the received RC issued transaction; if the IP address prefix resource conflict detection pass value is 1 (no conflict), 5.4 is turned.

5.4 the intelligent contract or chain code carries out conflict detection on the AS resource: the AS range s in the RC certificate received from 4.4 is converted into two integers s.min and s.max, if AS is a value, s.min equals s.max. Retrieving a sub RC resource AS binary tree of a CA in a received RC certificate, wherein the method comprises the following steps:

5.4.1 if the sub RC resource AS binary tree in the received RC certificate is empty, the AS to be distributed has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted in the binary tree is recorded, and 5.4.3 is converted;

if the sub-RC resource AS binary tree in the received RC certificate is not empty, the comparison is started from the root node of the sub-RC resource AS binary tree in the RC certificate, and each node in the sub-RC resource AS binary tree in the RC certificate records two integers (i.e. s.min and s.max) into which the allocated resources are converted, which are represented by start _ AS and end _ AS, and then 5.4.2.

5.4.2 searching the sub RC resource AS binary tree in the RC certificate according to the following mode:

5.4.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 5.4.3 is turned;

5.4.2.2 if s.min is less than or equal to end _ AS and s.max is less than start _ AS, and if the node has left sub-tree (left branch of sub-RC resource AS binary tree in RC certificate), continue searching the left sub-tree of the node, using start _ AS and end _ AS to represent two values recorded by the root node of the left sub-tree, and go to 5.4.2.1; if s.min ≦ end _ as and s.max < start _ as, and if the node does not have a left sub-tree, go to 5.4.2.4.

5.4.2.3 if s.min > end _ AS, and if the node has right sub-tree (right branch of sub-RC resource AS binary tree in RC certificate), continuing to search the right sub-tree of the node, updating start _ AS and end _ AS to two values recorded by the root node of the right sub-tree, and turning to 5.4.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 5.4.2.4;

5.4.2.4, it is shown that there is no resource conflict in the AS in the RC certificate received at this time, an AS resource conflict detection passing value (1 at this time) is sent to the resource issuer, and the position where the sub RC resource AS binary tree is inserted into the CA node to be issued in the RC certificate is recorded, and 5.4.3 is converted;

5.4.3 if the AS resource conflict detection passing value is 0 (conflict occurs), sending a message of 'resource conflict detection fails and the issuing operation of the RC cannot be executed' to the resource issuer, and turning to 5.4; if the AS resource conflict detection pass value is 1 (no conflict), 5.5 is turned.

5.5 if the block chain reaches a consensus (namely the node in the block chain network reaches a uniform consensus opinion on the transaction), recording the received RC certificate, generating a new node in the sub RC resource IP prefix binary tree according to the position, which is obtained in 5.2, of the CA node to be issued which is supposed to be inserted in the sub RC resource IP prefix binary tree, and recording r.min and r.max in the new node; and generating a new node in the sub RC resource AS binary tree according to the position of the sub RC resource AS binary tree to be inserted into the CA node to be issued in the RC certificate, which is obtained in the step 5.4, and recording values of s.min and s.max in the new node.

Sixthly, the resource certificate generation module of the resource issuer issues the ROA, and when a new ROA is issued, the resource conflict check is locally performed on the ROA resource to be issued, and the method comprises the following steps:

6.1 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

6.1.1 converting the IP address prefix in the ROA to be issued into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter structure. And then checking whether h (1, str) and h (2, str) … … h (k, str) bits of a BitSet (a bit operation library for realizing the bloomfilter function) are 1, if any bit is not 1, judging that str is not recorded, indicating that the ROA resource conflict does not occur, and enabling the ROA resource conflict detection passing value to be 1 (no conflict), and turning to 6.2. If all bits are 1, 6.1.2 is performed.

6.1.2 traversing all the owned ROA records according to all ROA lists of records issued by a CA by a resource issuer, comparing the IP address prefixes in the ROA to be issued with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, the resource issuer can not issue the ROA', making the ROA resource conflict detection value be 0, and turning to the sixth step to continue to perform resource conflict detection on the new ROA; if not, return value of ROA resource conflict detection is made to be 1 (no conflict), and 6.2 is executed.

6.2 resource issuer submits ROA issued transaction to blockchain by ROA resource conflict check. The transaction process of submitting ROA to blockchain is described in patent certificate transaction verification method of resource public key infrastructure based on blockchain (application number: 201911168125.4), and if submission to blockchain is successful, 6.3 is executed. And if the submission to the block chain is not successful, the sixth step is carried out.

6.3 storing the ROA information successfully issued, recording newly issued ROA identification information in an ROA list of the resource issuer node, setting the h (1, str) and h (2, str) … … h (k, str) of the corresponding BitSet of the resource issuer node as 1, and turning to the seventh step.

Seventhly, carrying out resource conflict check on the received ROA issued transaction by using an intelligent contract or chain code deployed by the block chain platform, and checking whether the ROA resource issued with the repeated IP address prefix exists or not, wherein the method comprises the following steps:

7.1 Smart contracts or chain codes look up parent certificates: and the intelligent contract or the chain code analyzes the received ROA issued transaction content, analyzes a parent certificate identifier id in the certificate to be issued, and positions the parent certificate in a stored certificate key-vlaue structure according to the parent certificate identifier id. If the result of the positioning of the parent certificate is null, the received ROA certificate content is wrong, a message of 'transaction is unsuccessful' is sent to the display module, and the eighth step is carried out; otherwise, deserializing a certificate structure from the requested certificate, positioning the BitSet of the IP address prefix bloomfilter structure of the allocated ROA corresponding to the parent certificate node, and turning to 7.2.

7.2 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

7.2.1 converting the IP address prefix in the ROA received in the step 6.2 into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter. Then, whether the h (1, str) th bit and the h (2, str) … … h (k, str) th bit of the BitSet are 1 or not is checked, if any one of the bits is not 1, it can be determined that str is not recorded, and if the ROA resource collision does not occur, the return value of the ROA resource collision detection is 1 (no collision), and 7.3 is executed. If all bits are 1, 7.2.2 is performed.

7.2.2 traversing all owned ROA nodes according to all ROA lists recorded by the father certificate node, comparing the IP address prefixes in the ROA to be checked with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, failure of resource conflict detection and unsuccessful transaction' to a display module, wherein the return value of ROA resource conflict detection is 0, and turning to the eighth step; if not, the return value of ROA resource conflict detection is 1 (no conflict) and 7.3 is executed.

7.3 if the blockchain agrees, recording the ROA information successfully issued, recording newly issued ROA identification information in the ROA list of the parent certificate node, setting the h (1, str) and h (2, str) … … h (k, str) of the BitSet corresponding to the parent certificate node as 1, and going to the eighth step.

And eighthly, finishing.

The method of the invention is different from the background technology in that: the method adopts a more efficient resource conflict detection method, and has better computational complexity than an RPKI CA resource abnormal distribution protection technology based on a block chain (see a certificate transaction verification method of resource public key infrastructure based on the block chain (application number: 201911168125.4)); the invention covers RC resource conflict detection and ROA resource conflict detection; the invention is a comprehensive solution combining CA local resource abnormity detection and block chain intelligent contract/block chain code.

The invention can achieve the following technical effects:

1. the invention uses the block chain technology, and because of the fault tolerance of the block chain network, the fault of the whole block chain network can not be caused after some nodes go wrong, so that the RPKIB constructed in the first step also has certain fault tolerance.

2. The invention discloses a rapid resource conflict detection method for RPKI RC and ROA constructed on a block chain, which effectively improves the self-security of a resource certificate system. By the method for rapidly detecting the resource conflict increased when the CA issues the RC or the ROA, the potential safety hazard caused by the error of the transaction contents of the RC and the ROA of the block chain can be effectively reduced, and the method can help to immediately judge the CA which has a behavior error or is possibly attacked. By adding the resource conflict rapid detection function of the RC and the ROA in the intelligent contract or the chain code, whether the RC and the ROA submitted by the CA have resource conflict can be rapidly detected, the RC and the ROA submitted by the CA can be immediately found when the CA is attacked to cause errors, and the RC and the ROA submitted with the resource conflict can also be immediately found, so that the running correctness of the system is ensured.

3. The computational complexity of the RC resource conflict detection method is O (log)₂n), where n is the number of resources of a child RC issued by the parent node of the RC; the computational complexity of the ROA resource conflict detection method is O (l), which is superior to the RPKI resource conflict detection method mentioned in the current publication.

Drawings

FIG. 1 is a general structure diagram of a resource public key infrastructure RPKIB based on a block chain constructed in the first step of the invention;

FIG. 2 is a block diagram of a resource transaction structure according to a second step of the present invention;

FIG. 3 is a structural diagram of a resource tree according to a third step of the present invention;

fig. 4 is an overall flow chart of the present invention.

Detailed Description

As shown in fig. 4, the present invention comprises the steps of:

firstly, a resource public key infrastructure system RPKIB based on a block chain is constructed, as shown in FIG. 1, the RPKIB is composed of a resource issuer, a resource transaction application client, a resource receiver and a block chain network.

The resource issuer and the resource receiver are connected with the blockchain network, and the resource transaction application client is installed on the resource issuer or the resource receiver. The resource transaction application client takes various operations of the resource certificate and the routing origin authorization ROA as transactions, and the transactions are stored in a distributed account book through the blockchain network. The distributed ledger exists in all blockchain nodes.

Resource issuer the resource issuer is connected to the blockchain network as a client of the blockchain network.

The resource receiver is provided with a resource transaction application client, and is connected to the block chain network and used as a client of the block chain network. And the resource issuer and the resource receiver are used as transaction parties to perform transaction through the blockchain network, and the transaction is recorded in the distributed account book.

The resource transaction application client is composed of a resource transaction module, a resource certificate generation module and a display module.

The resource certificate generation module is connected with the resource transaction module; the resource certificate generation module receives information of a pre-issued RC certificate and ROA from the resource transaction module, and generates a resource certificate RC which is defined by the same RPKI according to the pre-issued RC certificate, wherein the content of the resource certificate RC comprises an X.509 certificate of standard RFC 5280 and is attached with an IP address and an AS extended identifier of RFC 3779 standard. The resource certificate generation module creates a Route Origination Authority (ROA) for a resource held by a resource recipient based on pre-issued ROA information (including an AS number and one or more IP address prefixes). An effective ROA comprises three parts: an AS number; a list of IP address prefixes; optional contents (including address prefix length, address prefix range) for limiting the IP address prefix. The resource certificate generation module sends the generated RC or ROA to the resource transaction module.

The resource transaction module is connected with the resource certificate generation module, the display module and the block chain link points, receives RC or ROA from the resource certificate generation module, receives an operation instruction about RC or ROA from the resource issuer, conducts transaction through the block chain network, and provides various operations of RC or ROA resource transaction for the resource issuer, wherein the operations comprise: issuing the RC or the ROA to the resource receiver; revoking the RC or ROA from the resource recipient; modifying RC or ROA; updating the RC; the RC updating operation only needs to change the validity period and the serial number of the old certificate, and does not relate to the IP address prefix and the AS number carried by the certificate; and the RC modify operation involves the IP address prefix and AS number carried by the certificate; one operation is a transaction in the RPKIB. And when the transaction is successful, the resource transaction module sends a success message to the display module, when the transaction is unsuccessful, the resource transaction module sends a conflict reason, an operation failure reason and a transaction result which are detected by the conflict to the display module, and when the operation is cancelled, the resource transaction module sends the RC and the ROA to the display module.

The display module is connected with the resource transaction module, receives the transaction success message or the conflict reason, the operation failure reason and the transaction result when the transaction is unsuccessful from the resource transaction module, and displays the transaction result; and receiving the RC and the ROA from the resource transaction module when the operation is cancelled, and displaying the specific content of the RC and the ROA.

And secondly, constructing a resource transaction structure.

The resource transaction structure is shown in fig. 2 and includes a transaction initiator, a transaction receiver, a transaction type, a transaction content, a transaction attribute, a transaction evidence, and a transaction signature given by the transaction initiator. The transaction initiator refers to the resource issuer address and the transaction recipient refers to the resource recipient address. A transaction signature refers to a digital signature made by a transaction initiator on an initiated transaction in a blockchain network. The transaction types include seven types, respectively: RC issuance, RC revocation, RC updating, RC modification, ROA issuance authorization, ROA revocation and ROA modification. The transaction content is the content of the RC or ROA corresponding to the transaction. The transaction attribute comprises a transfer attribute and an expiration attribute; the transmission attribute indicates whether the IP address resource allocated to a certain organization can be reallocated to another resource authorization entity, the transmission attribute is 0, and indicates that a resource issuer does not want to perform sub-allocation on the IP address prefix resource allocated to the certain organization, at this time, the organization is called a terminal node, the IP address resource and the AS number resource owned by the organization are not subdivided, and only the terminal node can issue ROA; the transfer attribute is 1, which indicates that a resource issuer wishes to sub-allocate the IP address prefix resource allocated to a certain organization; the expiration attribute shows whether the IP address resource has lease period, the expiration attribute is 0 to indicate that the lease time is not expired, the expiration attribute is 1 to indicate that the lease time is expired, and the IP address resource should be released and returned to the original resource authorization entity. The transaction evidence represents signatures of the resource issuer and the resource receiver twice, and the evidence agreed by the two parties consists of messages transacted by the two parties and random numbers (for example, when the RC is revoked, the evidence of the transaction is RC _ revoke _ reply messages and the random number +1 issued by the holder of the RC), so that the risk that a legal IP address is possibly blocked due to a unilateral authorization protocol of the resource issuer in the current RPKI but an attacker or a behavior offender is difficult to find is overcome. The transaction signature given by the transaction initiator shows that the transaction initiator and the transaction recipient have agreed upon the transaction. For ROA operations, since the transaction initiator and the transaction recipient are the same, no evidence of two-way signatures is required. For ROA-related operations transactions, the transaction signature field given by the initiator of the transaction is NULL.

And thirdly, the resource transaction module constructs a resource tree according to the effective resource certificate RC. As shown in fig. 3, a node of the resource tree includes 10 domains, which are respectively: the resource issuing method comprises a resource issuer, a resource receiver, a resource certificate, a parent certificate identifier, a child certificate identifier, an IP address prefix contained in the certificate, an AS number contained in the certificate, a child RC resource IP prefix binary tree, a child RC resource AS binary tree, and an allocated IP address prefix bloomfilter structure in ROA. The node is linked to the child node through a child certificate identity domain and to the parent node of the node through a parent certificate identity domain. The IP address prefix contained in the certificate and the AS number contained in the certificate are obtained by the resource transaction module through analyzing the certificate. The resource tree is stored in a distributed account book and is commonly maintained by a resource issuer and a resource receiver.

Fourthly, in a resource public key infrastructure system RPKIB based on a block chain, a resource certificate generation module of a resource issuer issues an RC, and when a new RC is issued, resource repetition, overlapping and conflict check of inclusion relation are carried out on the RC resource to be issued, wherein the method comprises the following steps:

4.1 resource certificate generation module of resource issuer carries out conflict detection to IP address prefix resource: and converting the minimum value of the prefix r of the IP address to be distributed into r.min, and converting the maximum value of r into r.max. Retrieving a sub RC resource IP prefix binary tree of a CA to be issued, wherein the method comprises the following steps:

4.1.1 if the sub RC resource IP prefix binary tree of the CA to be issued is empty, the IP address prefix to be allocated has no resource conflict, the resource conflict detection passing value of the IP address prefix is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.1.2.4 is converted;

4.1.2 if the binary tree of sub-RC resource IP prefixes of the CA to be issued is not empty, the comparison is started from the root node of the binary tree of sub-RC resource IP prefixes, and each node of the binary tree records two integers represented by the allocated resources, which are represented by start _ IP and end _ IP (the two values are two values of the node record). And searching a binary IP prefix tree of the sub RC resource according to the following modes:

4.1.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 4.2 is switched; otherwise, turning to 4.1.2.2;

4.1.2.2 if r.min is less than or equal to end _ IP and r.max is less than start _ IP, and if the node has a left sub-tree (left branch of a sub RC resource IP prefix binary tree), continuing to search the left sub-tree of the node, updating the start _ IP and the end _ IP into two values recorded by a root node of the left sub-tree, and turning to 4.1.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, turning to 4.1.2.4;

4.1.2.3 if r.min > end _ IP and if the node has right subtree (right branch of binary tree of IP prefix of sub RC resource), continuing to search the right subtree of the node, updating start _ IP and end _ IP to two values recorded by the root node of the right subtree, and turning to 4.1.2.1; if r.min > end _ ip, and if the node has no right subtree, turn 4.1.2.4;

4.1.2.4 at this time, the IP address prefix to be allocated does not have resource conflict, the resource conflict detection passing value of the IP address prefix is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.2 is converted;

4.2 if the IP address prefix resource conflict detection passing value is 0 (conflict occurs), sending 'resource conflict detection failure to the resource issuer, unable to execute the issuing operation of the RC', turning to 4.1; if the resource conflict detection pass value of the IP address prefix is 1 (no conflict), 4.3 is switched.

4.3 the resource certificate generation module of the resource issuer detects the AS resource conflict: the minimum value of the AS range s to be allocated is converted to s.min, the maximum value of s is converted to two integers of s.max (the AS range is a range comprising a minimum value and a maximum value, e.g. 20-30, then s.min is 20, s.max is 30), if the AS to be allocated is a value then s.min equals s.max. Retrieving a sub RC resource AS binary tree of a CA to be issued, wherein the method comprises the following steps:

4.3.1 if the AS binary tree of the sub RC resource to be issued is empty, the AS to be allocated has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.3.3 is converted;

if the binary tree of the sub RC resource AS to be issued is not empty, comparison is started from the root node of the binary tree, and each node of the binary tree records two integers (i.e. s.min and s.max) into which the allocated resource is converted, which are represented by start _ AS and end _ AS (the two values are two values of the node record), and the result is converted to 4.3.2.

4.3.2 the sub RC resource AS binary tree is searched according to the following mode:

4.3.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 4.3.3 is switched;

4.3.2.2 if s.min is less than or equal to end _ AS and s.max is less than start _ AS, if the node has left sub-tree (left branch of binary tree of sub RC resource AS), continuing to search the left sub-tree of the node, updating start _ AS and end _ AS to two values recorded by root node of the left sub-tree, and turning to 4.3.2.1; if s.min is less than or equal to end _ as and s.max is less than start _ as, and if the node does not have a left sub-tree, go to 4.3.2.4;

4.3.2.3 if s.min > end _ AS, and if the node has right sub-tree (right branch of sub RC resource AS binary tree), continuing to search the right sub-tree of the node, updating start _ AS, end _ AS to two values recorded by the root node of the right sub-tree, and turning to 4.3.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 4.3.2.4;

4.3.2.4, it shows that there is no resource conflict in the AS to be allocated, it sends the AS resource conflict detection passing value (1 in this case) to the resource issuer, and records the position of the CA node to be issued inserted in the binary tree, and changes to 4.3.3;

4.3.3 if the AS resource conflict detection passing value is 0 (conflict occurs), sending a message of 'failure of resource conflict detection and incapability of executing issuing operation of the RC' to the resource issuer, turning to 4.3, and performing resource conflict detection on the next RC; if the AS resource conflict detection passing value is 1 (no conflict), 4.4 is turned.

4.4 resource transaction module of resource issuer submits RC issued transaction to blockchain by RC resource conflict check. If the submission to the blockchain is successful, 4.5 is carried out; if the commit to the blockchain is unsuccessful, a 4.4 transition is made.

4.5 at this time, submitting the RC issue transaction to the blockchain successfully, generating a new node in the sub RC resource IP prefix binary tree by the resource transaction module of the resource issuer according to the binary tree position obtained in 4.1, and recording the r.min and r.max to be allocated in the new node; and generating a new node in the sub RC resource AS binary tree according to the obtained binary tree position of 4.3, and recording the s.min and s.max to be allocated in the new node.

Fifthly, carrying out resource conflict check on the received RC issued transaction by an intelligent contract or chain code deployed by a block chain platform, wherein the resource conflict check comprises the conflict check of the repetition, the overlapping and the inclusion relation of the resource conflict, and the method comprises the following steps:

5.1 Intelligent contracts or chain codes find parent certificates: and the intelligent contract or the chain code analyzes the RC issued transaction content received from 4.4, analyzes the parent certificate identifier id in the certificate to be issued, and positions the parent certificate in the stored certificate key-vlaue structure according to the parent certificate identifier id. If the result of the positioning parent certificate is null, the received RC certificate content is wrong, a message of 'transaction is unsuccessful' is returned to the resource issuer, and the eighth step is carried out; otherwise, deserializing (converting byte sequence of the certificate into operation of the certificate) the certificate of the RC issued transaction received from 4.4 to obtain a certificate structure, positioning root nodes of a sub RC resource IP prefix binary tree and a sub RC resource AS binary tree of the parent certificate according to the certificate structure, and converting to 5.2.

5.2 intelligent contract or chain code conflict detection to IP address prefix resource: and converting the IP address prefix r to be allocated in the RC received from 4.4 into two integers of r.min and r.max. Retrieving a child RC resource IP prefix binary tree corresponding to a parent certificate node, wherein the method comprises the following steps:

5.2.1 if the sub RC resource IP prefix binary tree corresponding to the father certificate node is empty, the IP address prefix to be allocated has no resource conflict, the IP address prefix resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 5.3 is turned; if the binary tree of the IP prefixes of the sub RC resources corresponding to the parent certificate node is not empty, comparison is carried out from the root node of the binary tree, and each node of the binary tree records two integers (namely r.min and r.max) into which the allocated resources are converted, wherein the integers are represented by start _ IP and end _ IP, and the transition is 5.2.2.

5.2.2 the binary tree of the IP prefix of the sub RC resource is searched according to the following mode:

5.2.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 5.3 is turned; otherwise, 5.2.2.2 is rotated;

5.2.2.2 if r.min is less than or equal to end _ IP and r.max is less than start _ IP, and if the node has a left sub-tree (left branch of a sub RC resource IP prefix binary tree), continuing to search the left sub-tree of the node, updating the start _ IP and the end _ IP into two values recorded by the root node of the left sub-tree, and turning to 5.2.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, go to 5.2.2.4;

5.2.2.3 if r.min > end _ IP and if the node has a right subtree (right branch of the binary tree of the IP prefix of the sub RC resource), continuing to search the right subtree of the node, updating start _ IP and end _ IP into two values recorded by the root node of the right subtree, and turning to 5.2.2.1; if r.min > end _ ip, and if the node does not have a right sub-tree, go to 5.2.2.4;

5.2.2.4 there is no resource conflict for the IP address prefix to be allocated, the resource conflict detection passing value of the IP address prefix is 1, the position of the CA node to be issued inserted into the sub RC resource IP prefix binary tree is recorded, and 5.3 is switched;

5.3 if the IP address prefix resource conflict detection passing value is 0 (conflict occurs), directly sending a 'resource conflict detection failure and returning a transaction unsuccessful' message to the resource issuer, and turning to the fifth step to carry out resource conflict check on the received RC issued transaction; if the IP address prefix resource conflict detection pass value is 1 (no conflict), 5.4 is turned.

5.4 the intelligent contract or chain code carries out conflict detection on the AS resource: the AS range s in the RC certificate received from 4.4 is converted into two integers s.min and s.max, if AS is a value, s.min equals s.max. Retrieving a sub RC resource AS binary tree of a CA in a received RC certificate, wherein the method comprises the following steps:

5.4.1 if the sub RC resource AS binary tree in the received RC certificate is empty, the AS to be distributed has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted in the binary tree is recorded, and 5.4.3 is converted;

if the sub-RC resource AS binary tree in the received RC certificate is not empty, the comparison is started from the root node of the sub-RC resource AS binary tree in the RC certificate, and each node in the sub-RC resource AS binary tree in the RC certificate records two integers (i.e. s.min and s.max) into which the allocated resources are converted, which are represented by start _ AS and end _ AS, and then 5.4.2.

5.4.2 searching the sub RC resource AS binary tree in the RC certificate according to the following mode:

5.4.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 5.4.3 is turned;

5.4.2.2 if s.min is less than or equal to end _ AS and s.max is less than start _ AS, and if the node has left sub-tree (left branch of sub-RC resource AS binary tree in RC certificate), continue searching the left sub-tree of the node, using start _ AS and end _ AS to represent two values recorded by the root node of the left sub-tree, and go to 5.4.2.1; if s.min ≦ end _ as and s.max < start _ as, and if the node does not have a left sub-tree, go to 5.4.2.4.

5.4.2.3 if s.min > end _ AS, and if the node has right sub-tree (right branch of sub-RC resource AS binary tree in RC certificate), continuing to search the right sub-tree of the node, updating start _ AS and end _ AS to two values recorded by the root node of the right sub-tree, and turning to 5.4.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 5.4.2.4;

5.4.2.4, it is shown that there is no resource conflict in the AS in the RC certificate received at this time, an AS resource conflict detection passing value (1 at this time) is sent to the resource issuer, and the position where the sub RC resource AS binary tree is inserted into the CA node to be issued in the RC certificate is recorded, and 5.4.3 is converted;

5.4.3 if the AS resource conflict detection passing value is 0 (conflict occurs), sending a message of 'resource conflict detection fails and the issuing operation of the RC cannot be executed' to the resource issuer, and turning to 5.4; if the AS resource conflict detection pass value is 1 (no conflict), 5.5 is turned.

5.5 if the block chain reaches a consensus (namely the node in the block chain network reaches a uniform consensus opinion on the transaction), recording the received RC certificate, generating a new node in the sub RC resource IP prefix binary tree according to the position, which is obtained in 5.2, of the CA node to be issued which is supposed to be inserted in the sub RC resource IP prefix binary tree, and recording r.min and r.max in the new node; and generating a new node in the sub RC resource AS binary tree according to the position of the sub RC resource AS binary tree to be inserted into the CA node to be issued in the RC certificate, which is obtained in the step 5.4, and recording values of s.min and s.max in the new node.

Sixthly, the resource certificate generation module of the resource issuer issues the ROA, and when a new ROA is issued, the resource conflict check is locally performed on the ROA resource to be issued, and the method comprises the following steps:

6.1 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

6.1.1 converting the IP address prefix in the ROA to be issued into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter structure. And then checking whether h (1, str) and h (2, str) … … h (k, str) bits of a BitSet (a bit operation library for realizing the bloomfilter function) are 1, if any bit is not 1, judging that str is not recorded, indicating that the ROA resource conflict does not occur, and enabling the ROA resource conflict detection passing value to be 1 (no conflict), and turning to 6.2. If all bits are 1, 6.1.2 is performed.

6.1.2 traversing all the owned ROA records according to all ROA lists of records issued by a CA by a resource issuer, comparing the IP address prefixes in the ROA to be issued with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, the resource issuer can not issue the ROA', making the ROA resource conflict detection value be 0, and turning to the sixth step to continue to perform resource conflict detection on the new ROA; if not, return value of ROA resource conflict detection is made to be 1 (no conflict), and 6.2 is executed.

6.2 resource issuer submits ROA issued transaction to blockchain by ROA resource conflict check. If the commit to the blockchain is successful, 6.3 is performed. And if the submission to the block chain is not successful, the sixth step is carried out.

6.3 storing the ROA information successfully issued, recording newly issued ROA identification information in an ROA list of the resource issuer node, setting the h (1, str) and h (2, str) … … h (k, str) of the corresponding BitSet of the resource issuer node as 1, and turning to the seventh step.

Seventhly, carrying out resource conflict check on the received ROA issued transaction by using an intelligent contract or chain code deployed by the block chain platform, and checking whether the ROA resource issued with the repeated IP address prefix exists or not, wherein the method comprises the following steps:

7.1 Smart contracts or chain codes look up parent certificates: and the intelligent contract or the chain code analyzes the received ROA issued transaction content, analyzes a parent certificate identifier id in the certificate to be issued, and positions the parent certificate in a stored certificate key-vlaue structure according to the parent certificate identifier id. If the result of the positioning of the parent certificate is null, the received ROA certificate content is wrong, a message of 'transaction is unsuccessful' is sent to the display module, and the eighth step is carried out; otherwise, deserializing a certificate structure from the requested certificate, positioning the BitSet of the IP address prefix bloomfilter structure of the allocated ROA corresponding to the parent certificate node, and turning to 7.2.

7.2 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

7.2.1 converting the IP address prefix in the ROA received in the step 6.2 into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter. Then, whether the h (1, str) th bit and the h (2, str) … … h (k, str) th bit of the BitSet are 1 or not is checked, if any one of the bits is not 1, it can be determined that str is not recorded, and if the ROA resource collision does not occur, the return value of the ROA resource collision detection is 1 (no collision), and 7.3 is executed. If all bits are 1, 7.2.2 is performed.

7.2.2 traversing all owned ROA nodes according to all ROA lists recorded by the father certificate node, comparing the IP address prefixes in the ROA to be checked with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, failure of resource conflict detection and unsuccessful transaction' to a display module, wherein the return value of ROA resource conflict detection is 0, and turning to the eighth step; if not, the return value of ROA resource conflict detection is 1 (no conflict) and 7.3 is executed.

7.3 if the blockchain agrees, recording the ROA information successfully issued, recording newly issued ROA identification information in the ROA list of the parent certificate node, setting the h (1, str) and h (2, str) … … h (k, str) of the BitSet corresponding to the parent certificate node as 1, and going to the eighth step.

And eighthly, finishing.

Claims (5)

1. A resource conflict detection method of resource public key infrastructure based on block chain is characterized by comprising the following steps:

firstly, constructing a resource public key infrastructure system RPKIB based on a block chain, wherein the RPKIB consists of a resource issuer, a resource transaction application client, a resource receiver and a block chain network;

the block chain network is connected with the resource issuer, the resource receiver and the resource transaction application client; the resource issuer and the resource receiver are connected with the blockchain network and used as clients of the blockchain network, and the resource transaction application client is installed on the resource issuer or the resource receiver; the resource transaction application client takes various operations of a resource certificate and routing origin authorization ROA as transactions and carries out the transactions through a blockchain network, and transaction records are stored in a distributed account book; the distributed account book exists in all the block chain nodes;

the resource transaction application client consists of a resource transaction module, a resource certificate generation module and a display module;

the resource certificate generation module is connected with the resource transaction module; the resource certificate generation module receives a pre-issued RC certificate, namely a resource certificate, and ROA, namely information of routing origin authorization from the resource transaction module, and generates a resource certificate RC which is defined by RPKI according to the pre-issued RC certificate; the resource certificate generation module creates a ROA for the resource held by the resource receiver according to the pre-issued ROA information; the resource certificate generation module sends the generated RC or ROA to the resource transaction module;

the resource transaction module is connected with the resource certificate generation module, the display module and the block chain link points, receives RC or ROA from the resource certificate generation module, receives an operation instruction about RC or ROA from the resource issuer, conducts transaction through the block chain network, and provides various operations of RC or ROA resource transaction for the resource issuer, wherein the operations comprise: issuing the RC or the ROA to the resource receiver; revoking the RC or ROA from the resource recipient; modifying RC or ROA; updating the RC; the RC updating operation only needs to change the validity period and the serial number of the old certificate and does not relate to the IP address prefix and the AS number carried by the certificate; the RC modification operation relates to an IP address prefix and an AS number carried by the certificate; one operation is a transaction in the RPKIB; when the transaction is successful, the resource transaction module sends a success message to the display module, when the transaction is unsuccessful, the resource transaction module sends a conflict reason, an operation failure reason and a transaction result which are detected by the conflict to the display module, and when the operation is cancelled, the resource transaction module sends the RC and the ROA to the display module;

the display module is connected with the resource transaction module, receives the transaction success message or the conflict reason, the operation failure reason and the transaction result when the transaction is unsuccessful from the resource transaction module, and displays the transaction result; receiving the RC and the ROA from the resource transaction module during the cancel operation, and displaying the specific contents of the RC and the ROA;

secondly, constructing a resource transaction structure, wherein the resource transaction structure comprises a transaction initiator, a transaction receiver, a transaction type, transaction contents, transaction attributes, transaction evidence and a transaction signature given by the transaction initiator;

thirdly, the resource transaction module constructs a resource tree according to the effective resource certificate RC; one node of the resource tree includes 10 domains, which are respectively: the system comprises a resource issuer, a resource receiver, a resource certificate, a parent certificate identifier, a child certificate identifier, an IP address prefix contained in the certificate, an AS (autonomous System) number contained in the certificate, a child RC resource IP prefix binary tree, a child RC resource AS binary tree and an allocated IP address prefix bloomfilter structure in ROA; the node is linked to the child node through the child certificate identification domain and is linked to the father node of the node through the father certificate identification domain; the IP address prefix contained in the certificate and the AS number contained in the certificate are obtained by the resource transaction module through analyzing the certificate; the resource tree is stored in a distributed account book and is maintained by a resource issuer and a resource receiver together;

fourthly, in a resource public key infrastructure system RPKIB based on a block chain, a resource certificate generation module of a resource issuer issues RC, and resource repetition, overlapping and conflict check of inclusion relation are carried out on RC resources to be issued, wherein the method comprises the following steps:

4.1 resource certificate generation module of resource issuer carries out conflict detection to IP address prefix resource: converting the minimum value of the IP address prefix r to be allocated into r.min, converting the maximum value of r into r.max, and retrieving the sub RC resource IP prefix binary tree of the CA to be issued, wherein the method comprises the following steps:

4.1.1 if the sub RC resource IP prefix binary tree of the CA to be issued is empty, the IP address prefix to be allocated has no resource conflict, the resource conflict detection passing value of the IP address prefix is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.1.2.4 is converted;

4.1.2 if the binary tree of the IP prefix of the sub RC resource of the CA to be issued is not empty, starting comparison from the root node of the binary tree of the IP prefix of the sub RC resource, wherein each node of the binary tree records two integers represented by allocated resources and is represented by start _ IP and end _ IP; and searching a binary tree of the IP prefixes of the sub RC resources:

4.1.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 4.2 is switched; otherwise, turning to 4.1.2.2;

4.1.2.2 if r.min is less than or equal to end _ IP and r.max is less than start _ IP, and if the node has a left sub-tree, namely a left branch of a sub RC resource IP prefix binary tree, continuing to search the left sub-tree of the node, updating the start _ IP and the end _ IP into two values recorded by a root node of the left sub-tree, and turning to 4.1.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, turning to 4.1.2.4;

4.1.2.3 if r.min > end _ IP and if the node has right sub-tree, namely right branch of binary tree of IP prefix of sub RC resource, continuing to search the right sub-tree of the node, updating start _ IP and end _ IP to two values recorded by root node of the right sub-tree, and turning to 4.1.2.1; if r.min > end _ ip, and if the node has no right subtree, turn 4.1.2.4;

4.1.2.4, the IP address prefix resource conflict detection passing value is 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.2 is converted;

4.2 if the IP address prefix resource conflict detection passing value is 0, sending 'resource conflict detection failure, unable to execute the issuing operation of the RC' to the resource issuer, and turning to 4.1; if the IP address prefix resource conflict detection passing value is 1, 4.3 is switched;

4.3 the resource certificate generation module of the resource issuer detects the AS resource conflict: converting the minimum value of the AS range s to be distributed into s.min, converting the maximum value of s into s.max, and if the AS to be distributed is a value, then s.min is equal to s.max; retrieving a sub RC resource AS binary tree of a CA to be issued, wherein the method comprises the following steps:

4.3.1 if the AS binary tree of the sub RC resource to be issued is empty, the AS to be allocated has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 4.3.3 is converted; if the AS binary tree of the sub RC resource to be issued is not empty, comparing from the root node of the binary tree, recording two integers converted from the distributed resource by each node of the binary tree, expressing by start _ AS and end _ AS, and converting to 4.3.2;

4.3.2 the sub RC resource AS binary tree is searched according to the following mode:

4.3.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 4.3.3 is switched;

4.3.2.2 if s.min is less than or equal to end _ as and s.max is less than start _ as, if the node has left sub-tree, continue searching the left sub-tree of the node, update start _ as, end _ as to two values recorded by the root node of the left sub-tree, turn to 4.3.2.1; if s.min is less than or equal to end _ as and s.max is less than start _ as, and if the node does not have a left sub-tree, go to 4.3.2.4;

4.3.2.3 if s.min > end _ as, and if the node has right sub-tree, continue searching the right sub-tree of the node, update start _ as, end _ as to two values recorded by the root node of the right sub-tree, go to 4.3.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 4.3.2.4;

4.3.2.4, sending an AS resource conflict detection passing value of '1' to the resource issuer, recording the position of a CA node to be issued inserted in the binary tree, and converting to 4.3.3;

4.3.3 if the AS resource conflict detection passing value is 0, sending a message of 'failure of resource conflict detection and incapability of executing the issuing operation of the RC' to the resource issuer, turning to 4.3, and performing resource conflict detection on the next RC; if the AS resource conflict detection passing value is 1, 4.4 is converted;

4.4 the resource transaction module of the resource issuer submits the RC issued transaction to the blockchain, if the submission to the blockchain is successful, 4.5 is switched; if the submission to the block chain is unsuccessful, 4.4 is switched;

4.5 the resource transaction module of the resource issuer generates a new node in the sub RC resource IP prefix binary tree according to the binary tree position obtained in 4.1, and records the r.min and r.max to be allocated in the new node; generating a new node in the sub RC resource AS binary tree according to the obtained binary tree position of 4.3, and recording the s.min and s.max to be distributed in the new node;

fifthly, carrying out resource conflict check on the received RC issued transaction by an intelligent contract or chain code deployed by a block chain platform, wherein the resource conflict check comprises the conflict check of the repetition, the overlapping and the inclusion relation of the resource conflict, and the method comprises the following steps:

5.1 Intelligent contracts or chain codes find parent certificates: the intelligent contract or the chain code analyzes the RC issued transaction content received from 4.4, analyzes a parent certificate identifier id in the certificate to be issued, and positions the parent certificate in a stored certificate key-vlaue structure according to the parent certificate identifier id; if the result of the positioning parent certificate is null, the received RC certificate content is wrong, a message of 'transaction is unsuccessful' is returned to the resource issuer, and the eighth step is carried out; otherwise, deserializing a certificate structure from the certificate of the RC issued transaction received at 4.4, positioning a root node of a child RC resource IP prefix binary tree and a child RC resource AS binary tree of the parent certificate according to the certificate structure, and converting to 5.2;

5.2 intelligent contract or chain code conflict detection to IP address prefix resource: converting an IP address prefix r to be distributed in the RC received from the 4.4 into two integers of r.min and r.max; retrieving a child RC resource IP prefix binary tree corresponding to a parent certificate node, wherein the method comprises the following steps:

5.2.1 if the sub RC resource IP prefix binary tree corresponding to the father certificate node is empty, the IP address prefix to be allocated has no resource conflict, the IP address prefix resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted into the binary tree is recorded, and 5.3 is turned; if the binary tree of the IP prefix of the sub RC resource corresponding to the parent certificate node is not empty, the comparison is started from the root node of the binary tree, each node of the binary tree records two integers converted from the distributed resource, the two integers are represented by start _ IP and end _ IP, and the two integers are converted to 5.2.2;

5.2.2 the binary tree of the IP prefix of the sub RC resource is searched according to the following mode:

5.2.2.1, if r.min is less than or equal to end _ IP and r.max is greater than or equal to start _ IP, it indicates that the search is hit and there is a resource conflict, the IP address prefix resource conflict detection passing value is made to be 0, which indicates that the IP address prefix resource conflict detection is not passed, and 5.3 is turned; otherwise, 5.2.2.2 is rotated;

5.2.2.2 if r.min is less than or equal to end _ ip and r.max is less than start _ ip, if the node has a left sub-tree, continuing to search the left sub-tree of the node, updating the start _ ip and the end _ ip into two values recorded by the root node of the left sub-tree, and turning to 5.2.2.1; if r.min is less than or equal to end _ ip and r.max is less than start _ ip, and if the node has no left sub-tree, go to 5.2.2.4;

5.2.2.3 if r.min > end _ ip and if the node has a right subtree, continuing to search the right subtree of the node, updating start _ ip and end _ ip into two values recorded by the root node of the right subtree, and turning to 5.2.2.1; if r.min > end _ ip, and if the node does not have a right sub-tree, go to 5.2.2.4;

5.2.2.4 there is no resource conflict for the IP address prefix to be allocated, the resource conflict detection passing value of the IP address prefix is 1, the position of the CA node to be issued inserted into the sub RC resource IP prefix binary tree is recorded, and 5.3 is switched;

5.3 if the IP address prefix resource conflict detection passing value is 0, directly sending a message of 'failure of resource conflict detection and unsuccessful transaction' to the resource issuer, and turning to the fifth step to carry out resource conflict check on the received RC issued transaction; if the IP address prefix resource conflict detection passing value is 1, 5.4 is turned;

5.4 the intelligent contract or chain code carries out conflict detection on the AS resource: converting the AS range s in the RC certificate received from 4.4 into two integers of s.min and s.max, wherein if the AS is a value, s.min is equal to s.max; retrieving a sub RC resource AS binary tree of a CA in a received RC certificate, wherein the method comprises the following steps:

5.4.1 if the sub RC resource AS binary tree in the received RC certificate is empty, the AS to be distributed has no resource conflict, the AS resource conflict detection passing value is made to be 1, the position where the CA node to be issued is inserted in the binary tree is recorded, and 5.4.3 is converted; if the sub-RC resource AS binary tree in the received RC certificate is not empty, comparing from a root node of the sub-RC resource AS binary tree in the RC certificate, recording two integers converted from the distributed resources by each node of the sub-RC resource AS binary tree in the RC certificate, representing by start _ AS and end _ AS, and converting to 5.4.2;

5.4.2 searching the sub RC resource AS binary tree in the RC certificate according to the following mode:

5.4.2.1, if s.min is less than or equal to end _ AS and s.max is greater than or equal to start _ AS, it indicates that there is a resource conflict when the search is hit, and the AS resource conflict detection passing value is 0, which indicates that the AS resource conflict detection is not passed, and 5.4.3 is turned;

5.4.2.2 if s.min is less than or equal to end _ as and s.max is less than start _ as, if the node has left sub-tree, continue searching the left sub-tree of the node, using start _ as and end _ as to represent two values recorded by the root node of the left sub-tree, and turn to 5.4.2.1; if s.min is less than or equal to end _ as and s.max is less than start _ as, and if the node does not have a left sub-tree, go to 5.4.2.4;

5.4.2.3 if s.min > end _ as, and if the node has right sub-tree, continue searching the right sub-tree of the node, update start _ as, end _ as to two values recorded by the root node of the right sub-tree, go to 5.4.2.1; if s.min > end _ as, and if the node does not have a right sub-tree, go to 5.4.2.4;

5.4.2.4, sending an AS resource conflict detection passing value of '1' to the resource issuer, recording the position of inserting the RC resource AS binary tree into the CA node to be issued in the RC certificate, and converting to 5.4.3;

5.4.3 if the AS resource conflict detection passing value is 0, sending a message of 'failure of resource conflict detection and incapability of executing the issuing operation of the RC' to the resource issuer, and turning to 5.4; if the AS resource conflict detection passing value is 1, 5.5 is carried out;

5.5 if the block chain reaches the consensus, recording the received RC certificate, generating a new node in the sub RC resource IP prefix binary tree according to the position, which is obtained in 5.2, of the CA node to be issued, which is to be inserted into the sub RC resource IP prefix binary tree, and recording r.min and r.max in the new node; generating a new node in the sub RC resource AS binary tree according to the position, to be inserted into the CA node to be issued, of the sub RC resource AS binary tree in the RC certificate, obtained in step 5.4, and recording values of s.min and s.max in the new node;

sixthly, the resource certificate generation module of the resource issuer issues the ROA and checks the resource conflict of the ROA resource to be issued, wherein the method comprises the following steps:

6.1 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

6.1.1 converting an IP address prefix in the ROA to be issued into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter structure; then checking whether h (1, str) and h (2, str) … … h (k, str) bits of the BitSet are 1, if any one bit is not 1, judging that str is not recorded, indicating that ROA resource conflict does not occur, and turning to 6.2 if the ROA resource conflict detection passing value is 1; if all bits are 1, 6.1.2 is executed;

6.1.2 traversing all the owned ROA records according to all ROA lists of the records issued by the CA by the resource issuer, comparing the IP address prefixes in the ROA to be issued with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, the resource issuer being unable to issue the ROA', making the ROA resource conflict detection value be 0, and turning to the sixth step; if not, making the return value of the ROA resource conflict detection be 1, and executing 6.2;

6.2 the resource issuer submits the ROA issue transaction to the blockchain through ROA resource conflict check; if the commit to the blockchain is successful, 6.3 is executed; if the submission to the block chain is unsuccessful, the sixth step is carried out;

6.3 storing the ROA information successfully issued, recording newly issued ROA identification information in an ROA list of the resource issuer node, setting the h (1, str) and h (2, str) … … h (k, str) bits of the corresponding BitSet of the resource issuer node as 1, and turning to the seventh step;

seventhly, carrying out resource conflict check on the received ROA issued transaction by using an intelligent contract or chain code deployed by the block chain platform, and checking whether the ROA resource issued with the repeated IP address prefix exists or not, wherein the method comprises the following steps:

7.1 Smart contracts or chain codes look up parent certificates: the method comprises the steps that an intelligent contract or chain code analyzes received ROA issued transaction content, analyzes a parent certificate identification id in a certificate to be issued, and positions the parent certificate in a stored certificate key-vlaue structure according to the parent certificate identification id; if the result of the positioning of the parent certificate is null, the received ROA certificate content is wrong, a message of 'transaction is unsuccessful' is sent to the display module, and the eighth step is carried out; otherwise, deserializing a certificate structure from the requested certificate, positioning the BitSet of the IP address prefix bloomfilter structure of the allocated ROA corresponding to the parent certificate node, and turning to 7.2;

7.2 conflict detection is carried out on the ROA resources, and the method comprises the following steps:

7.2.1 converting the IP address prefix in the ROA received in the step 6.2 into a character string str, and respectively calculating hash functions h (1, str) and h (2, str) … … h (k, str) according to k hash functions selected by the bloomfilter; then checking whether h (1, str) and h (2, str) … … h (k, str) bits of the BitSet are 1, if any one bit is not 1, judging that str is not recorded, indicating that ROA resource conflict does not occur, setting a return value of ROA resource conflict detection to be 1, and executing 7.3; if all bits are 1, 7.2.2 is executed;

7.2.2 traversing all owned ROA nodes according to all ROA lists recorded by the father certificate node, comparing the IP address prefixes in the ROA to be checked with the IP address prefixes contained in the issued ROA one by one, checking whether the same IP address prefixes exist, if yes, sending a message of 'occurrence of ROA resource conflict, failure of resource conflict detection and unsuccessful transaction' to a display module, wherein the return value of ROA resource conflict detection is 0, and turning to the eighth step; if not, the return value of the ROA resource conflict detection is 1, and 7.3 is executed;

7.3 if the blockchain agrees, recording the ROA information successfully issued, recording newly issued ROA identification information in an ROA list of a parent certificate node, setting the h (1, str) and h (2, str) … … h (k, str) of the BitSet corresponding to the parent certificate node as 1, and going to the eighth step;

and eighthly, finishing.

2. The method AS claimed in claim 1, wherein the content of the resource certificate RC includes x.509 certificate of standard RFC 5280, and is accompanied by IP address and AS extension identifier of RFC 3779 standard.

3. The method of claim 1, wherein the ROA comprises three parts: an AS number; a list of IP address prefixes; optional content for limiting the IP address prefix, wherein the optional content comprises address prefix length and address prefix range.

4. The method according to claim 1, wherein the transaction initiator in the resource transaction structure in the second step refers to the resource issuer address, and the transaction receiver refers to the resource receiver address; the transaction signature refers to a digital signature made by a transaction initiator on an initiated transaction in the blockchain network; the transaction types include seven types, respectively: RC issue, RC cancel, RC update, RC modification, ROA issue authorized by routing origin, ROA cancel, ROA modification; the transaction content is the content of the RC or ROA corresponding to the transaction; the transaction attribute comprises a transfer attribute and an expiration attribute; the transmission attribute indicates whether the IP address resource allocated to a certain organization can be reallocated to another resource authorization entity, the transmission attribute is 0, and indicates that a resource issuer does not want to perform sub-allocation on the IP address prefix resource allocated to the certain organization, at this time, the organization is called a terminal node, the IP address resource and the AS number resource owned by the organization are not subdivided, and only the terminal node can issue ROA; the transfer attribute is 1, which indicates that a resource issuer wishes to sub-allocate the IP address prefix resource allocated to a certain organization; the expiration attribute shows whether the IP address resource has a lease term, the expiration attribute is 0 to indicate that the lease time is not expired, and the expiration attribute is 1 to indicate that the lease time is expired; the transaction evidence represents the signatures of the resource issuer and the resource receiver twice, and the evidence agreed by the two parties consists of messages and random numbers of the transaction of the two parties; the transaction signature given by the transaction initiator shows that the transaction initiator and the transaction receiver agree on the transaction; for ROA related operations transactions, the transaction signature field given by the transaction initiator is NULL.

5. The method as claimed in claim 1, wherein the step 5.1 of deserialization of the certificate refers to an operation of converting a byte sequence of the certificate into the certificate.

Images