CN113014392B - Block chain-based digital certificate management method, system, equipment and storage medium - Google Patents


Info

Publication number
CN113014392B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110190971.7A
Other languages
Chinese (zh)
Other versions
CN113014392A (en)
Inventor
马超群
王一然
周中定
李信儒
兰秋军
万丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University
Original Assignee
Hunan University

Abstract

The invention discloses a blockchain-based digital certificate management method, system, device and storage medium. In the method, a certificate template can be issued only after a registration procedure, so certificate issuance is strictly controlled at the source, and the certificate template and the issuance record of each certificate can be traced, so that the problem of certificate forgery is thoroughly solved, the cost of certificate checking is reduced, and its efficiency is improved. Before a certificate is issued or verified, a secure connection must be established between the applicant and the issuer and between the holder and the verifier; the DID technology adopted provides the foundation for secure communication and increases the security of certificate transmission. In addition, the certificate verifier can complete the validity verification of the certificate based on the verifiable statement provided by the holder. The generation of the verifiable statement combines zero-knowledge proofs, Merkle trees and other cryptographic techniques to selectively disclose certificate attributes, so that the privacy of the certificate holder is protected and security is improved.

Description

Block chain-based digital certificate management method, system, equipment and storage medium
Technical Field
The present invention relates to the field of digital certificate management technologies, and in particular, to a block chain-based digital certificate management method, system, device, and computer-readable storage medium.
Background
The existing certificate issuing and verifying process comprises the following steps: X1: a certificate issuer issues a certificate to a qualified person; X2: the certificate holder provides the certificate to a verifier; X3: the verifier verifies the certificate provided by the certificate holder. This process has the following disadvantages:
1. In the traditional process, a large number of paper certificates are issued and verified, and in most cases the verifier has no direct contact with the certificate issuer, so verification has to be carried out with the issuer by telephone or similar means, which reduces verification efficiency and wastes a large amount of manpower and material resources.
2. Paper and electronic certificates can be counterfeited and are difficult to supervise, which hinders the certificate verification process.
3. A paper certificate is not easy to keep, and important private information can be leaked once it is lost; meanwhile, the process of obtaining a replacement certificate is cumbersome and time-consuming.
4. The verification process requires a complete certificate, so important information that is not needed for the verification may be revealed, increasing the risk of privacy disclosure.
5. The traditional certificate issuer database is a central database; once such a database is maliciously attacked, the private data of a large number of members can be leaked.
Disclosure of Invention
The invention provides a block chain-based digital certificate management method, a system, equipment and a computer-readable storage medium, which aim to solve the technical problems of low efficiency and poor safety of the traditional certificate issuing and verifying process.
According to an aspect of the present invention, there is provided a block chain-based digital certificate management method, including the steps of:
step S1: registering a certificate template on the public ledger of the blockchain, and defining a certificate according to the template after successful registration;
step S2: establishing a secure connection after the certificate applicant node and the certificate authority node mutually confirm identities;
step S3: the certificate authority node sends a digital certificate to the certificate applicant node, and all declared contents of the certificate carry the DID public-key signature of the certificate authority node;
step S4: establishing a secure connection after the certificate verification authority node and the certificate holder node mutually confirm identities;
step S5: the certificate verification authority node verifies the validity of the digital certificate based on a verifiable statement provided by the certificate holder node, wherein the certificate holder node is the previous certificate applicant node.
Further, the step S2 includes the following steps:
step S21: the certificate authority node sends invitation information to the certificate applicant node;
step S22: the certificate applicant node requests the DID document of the certificate authority node from the public ledger;
step S23: the public ledger returns the corresponding DID document in response to the request of the certificate applicant node, and the certificate applicant node confirms whether the sender of the invitation information is the certificate authority node by comparing the public key in the DID document with the public key information of the inviter;
step S24: the certificate applicant node creates a new DID that is used only for exchanging information with the certificate authority node;
step S25: the certificate applicant node accepts the invitation of the certificate authority node and sends it a connection establishment request, which must contain the DID newly created by the certificate applicant node and the corresponding DID document; the request content is encrypted with the public key of the certificate authority node when sent, so that only the certificate authority node can decrypt it;
step S26: the certificate authority node creates a pair of DIDs that are used only for the connection with the certificate applicant node;
step S27: the certificate authority node receives the connection establishment request of the certificate applicant node and returns an acceptance response to the certificate applicant node, which must contain the DID newly created by the certificate authority node and the corresponding DID document; the response is encrypted with the public key of the DID newly created by the certificate applicant node when sent, so that only the certificate applicant node can decrypt it.
Further, the step S3 includes the following steps:
step S31: the certificate authority node sends a request to the certificate applicant node, and if the certificate applicant node provides a client endpoint to the certificate authority node in the connection establishment stage, the stage is automatically completed;
step S32: the certificate applicant node downloads the definition of the certificate on the public ledger to confirm the certificate type and content corresponding to the request, and the public ledger returns the certificate definition inquired by the certificate applicant node;
step S33: the node of the certificate application side receives the request sent by the node of the certificate authority and sends an application link of the certificate to the node of the certificate authority;
step S34: the certificate authority node sends data attributes required for generating the certificate to the certificate applicant node, and the certificate applicant node provides corresponding attributes to the certificate authority node;
step S35: the certificate authority node generates a certificate belonging to the applicant according to the corresponding attribute provided by the certificate applicant node, and stores the hash head of the certificate issue record on a public account book;
step S36: the certificate authority node sends a certificate to the certificate applicant node, and all the declaration contents of the certificate have a public key DID signature of the certificate authority node, so that the authenticity of all data related to the certificate is guaranteed;
step S37: after receiving the certificate, the certificate applicant node puts the certificate into a key management system to ensure that personal information is not leaked.
Further, the step S4 includes the following steps:
step S41: the certificate verification authority node sends invitation information to the certificate holder node;
step S42: the certificate holder node requests the DID document of the certificate verification authority node from the public ledger;
step S43: the public ledger returns the corresponding DID document in response to the request of the certificate holder node, and the certificate holder node confirms whether the sender of the invitation information is the certificate verification authority node by comparing the public key in the DID document with the public key information of the inviter;
step S44: the certificate holder node creates a new DID that is used only for exchanging information with the certificate verification authority node;
step S45: the certificate holder node accepts the invitation of the certificate verification authority node and sends it a connection establishment request, which must contain the DID newly created by the certificate holder node and the corresponding DID document; the request content is encrypted with the public key of the certificate verification authority node when sent, so that only the certificate verification authority node can decrypt it;
step S46: the certificate verification authority node creates a pair of DIDs that are used only for the connection with the certificate holder node;
step S47: the certificate verification authority node receives the connection establishment request of the certificate holder node and returns an acceptance response to the holder, which must contain the DID newly created by the certificate verification authority node and the corresponding DID document; the response is encrypted with the public key of the DID newly created by the certificate holder node when sent, so that only the certificate holder node can decrypt it.
Further, the step S5 includes the following steps:
step S51: the certificate verification authority node sends a statement request message to the certificate holder node through the DID used in the connection establishment stage;
step S52: the certificate holder node decides whether to disclose the attributes required by the verifier and, according to the requirements of the certificate verification authority node, provides it with a verifiable statement that discloses only part of the information in the certificate;
step S53: the certificate holder node signs the generated verifiable statement to prove that the statement was generated by it, and sends it to the certificate verification authority node;
step S54: the certificate verification authority node queries the corresponding certificate issuance record from the public ledger according to the verifiable statement provided by the certificate holder node to verify its authenticity, and at the same time verifies the revocation state of the statement through an accumulator;
step S55: the public ledger returns the issuance record and the revocation state of the queried certificate to the certificate verification authority node, and the certificate verification authority node verifies the validity of the digital certificate held by the certificate holder node from the returned content.
Further, the process of generating the verifiable certificate specifically includes the following:
generating a pair of keys by the RSA algorithm: randomly selecting two unequal prime numbers p and q, and calculating n = p × q and the Euler function of n; randomly selecting an integer e that is relatively prime to the Euler function of n; and calculating the modular inverse d corresponding to e, to obtain a pair of keys Key = (Pub_K, Pri_K) = ((n, e), (n, d));
inputting the related attributes of the certificate subject and the information of the issuing organization, raw_data;
performing a hash calculation on the content generated after the related attributes of the certificate subject and the information of the issuing organization are input, to obtain a hash value H, where H = hash_function(raw_data);
signing the hash value H with RSA using the private key of the issuing organization: signature = H^d mod n;
concatenating the content generated after inputting the related attributes of the certificate subject and the information of the issuing organization with the RSA signature of the hash value made with the private key of the issuing organization into one file, to generate the verifiable certificate.
Further, the process of verifying the verifiable claims includes the following:
comparing DID documents corresponding to the public key of the holder and the public key of the submitter in the declaration, and verifying the validity of the signature of the declaration, namely that the generator of the declaration is consistent with the submitter;
downloading a corresponding DID document from the account book according to the name of the issuer in the statement, obtaining a public key of the issuer from the document, and verifying whether the issuer is authoritative;
verifying the relevant data of the disclosed field to ensure that the disclosed field is authenticated by an issuer;
through the verification step, the credible public content can be displayed, and information except the public content can not be obtained, so that the privacy of the certificate holder is guaranteed.
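The certificate generation steps above (hash raw_data, then signature = H^d mod n) and the verification of disclosed fields, combined in one added example that is not code from the patent. It assumes the attributes are committed in a salted Merkle tree whose root is placed in raw_data, uses fixed constructed primes, and leaves out the holder's own signature and any zero-knowledge proof; `LEDGER`, `did:example:issuer` and all function names are hypothetical.

```python
import copy
import hashlib
import json
import secrets

# Constructed demo primes (the Mersenne primes 2^521-1 and 2^607-1) so the block
# runs offline; a real issuer picks p and q at random and uses padded RSA (PSS).
P, Q = 2**521 - 1, 2**607 - 1

def rsa_keygen(p, q, e=65537):
    """Key = (Pub_K, Pri_K) = ((n, e), (n, d)), as in the key-generation step."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if e shares a factor with phi
    return (n, e), (n, d)

def sha256(data):
    return hashlib.sha256(data).digest()

def rsa_sign(raw_data, pri_k):
    n, d = pri_k
    return pow(int.from_bytes(sha256(raw_data), "big"), d, n)  # signature = H^d mod n

def rsa_verify(raw_data, signature, pub_k):
    n, e = pub_k
    if not isinstance(signature, int) or not 0 <= signature < n:
        return False
    return pow(signature, e, n) == int.from_bytes(sha256(raw_data), "big")

def leaf_hash(name, value, salt):
    # The per-attribute salt stops a verifier from guessing hidden low-entropy values.
    return sha256(b"\x00" + json.dumps([name, value, salt]).encode())

def node_hash(left, right):
    return sha256(b"\x01" + left + right)  # domain-separated from leaves

def merkle_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + levels[-1][-1:] * (len(levels[-1]) % 2)  # pad odd level
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        padded = level + level[-1:] * (len(level) % 2)
        sibling = index ^ 1
        proof.append((padded[sibling].hex(), sibling < index))  # (hash, sibling is left?)
        index //= 2
    return proof

def issue_certificate(issuer_did, attributes, pri_k):
    """Issuer: commit to every attribute in a Merkle tree and sign raw_data."""
    names = sorted(attributes)
    salts = {k: secrets.token_hex(16) for k in names}
    root = merkle_levels([leaf_hash(k, attributes[k], salts[k]) for k in names])[-1][0]
    raw_data = json.dumps({"issuer": issuer_did, "root": root.hex()}, sort_keys=True).encode()
    return {"raw_data": raw_data, "signature": rsa_sign(raw_data, pri_k),
            "attributes": dict(attributes), "salts": salts}

def make_statement(cert, disclose):
    """Holder: reveal only the requested attributes, each with its Merkle path."""
    names = sorted(cert["attributes"])
    levels = merkle_levels([leaf_hash(k, cert["attributes"][k], cert["salts"][k]) for k in names])
    disclosed = [{"name": k, "value": cert["attributes"][k], "salt": cert["salts"][k],
                  "proof": merkle_proof(levels, names.index(k))} for k in disclose]
    return {"raw_data": cert["raw_data"], "signature": cert["signature"], "disclosed": disclosed}

def verify_statement(statement, ledger):
    """Verifier: look up the issuer key, check the signature, then each disclosed field."""
    meta = json.loads(statement["raw_data"])
    pub_k = ledger.get(meta["issuer"])  # stands in for the issuer's DID document
    if pub_k is None or not rsa_verify(statement["raw_data"], statement["signature"], pub_k):
        return None
    accepted = {}
    for item in statement["disclosed"]:
        node = leaf_hash(item["name"], item["value"], item["salt"])
        for sibling_hex, sibling_is_left in item["proof"]:
            sibling = bytes.fromhex(sibling_hex)
            node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
        if node.hex() != meta["root"]:
            return None  # disclosed value is not the one the issuer committed to
        accepted[item["name"]] = item["value"]
    return accepted

# Constructed sample data: a hypothetical issuer DID and a five-attribute certificate.
ISSUER_DID = "did:example:issuer"
PUB_K, PRI_K = rsa_keygen(P, Q)
LEDGER = {ISSUER_DID: PUB_K}
SAMPLE = {"name": "Alice", "degree": "MSc", "gpa": "3.9",
          "birth_date": "1995-01-01", "student_id": "S123"}

def demo():
    cert = issue_certificate(ISSUER_DID, SAMPLE, PRI_K)
    statement = make_statement(cert, ["degree", "student_id"])
    forged = copy.deepcopy(statement)
    forged["disclosed"][0]["value"] = "PhD"  # holder tries to upgrade a disclosed field
    return statement, verify_statement(statement, LEDGER), verify_statement(forged, LEDGER)

if __name__ == "__main__":
    statement, ok, rejected = demo()
    print("accepted:", ok, "| forged:", rejected)
```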
In addition, the present invention also provides a block chain-based digital certificate management system, which adopts the above digital certificate management method, and the system comprises:
the template registration module is used for registering a certificate template on a public account book of the block chain, and after the registration is successful, a certificate can be defined according to the template;
the identity confirmation module is used for establishing safe connection after the mutual identity confirmation of the nodes of the two parties;
the digital certificate issuing module is used for enabling the certificate issuing organization node to send a digital certificate to the certificate application side node, and all the declaration contents of the certificate have a public key DID signature of the certificate issuing organization node;
and the certificate verification module is used for verifying the validity of the digital certificate by the certificate verification authority node based on the verifiable statement provided by the certificate holder node.
In addition, the present invention also provides an electronic device, comprising a processor and a memory, wherein the memory stores a computer program, and the processor is used for executing the steps of the method by calling the computer program stored in the memory.
In addition, the present invention also provides a computer readable storage medium for storing a computer program for block chain based digital certificate management, which when running on a computer performs the steps of the method as described above.
The invention has the following effects:
With the blockchain-based digital certificate management method, a certificate template can be issued only after a registration procedure, so certificate issuance is strictly controlled at the source, which raises the threshold for certificate counterfeiting and improves public credibility. The certificate template and the issuance record of each certificate can be traced, so that the problem of certificate counterfeiting is thoroughly solved, the cost of certificate checking is reduced, and its efficiency is improved. Before a certificate is issued or verified, the applicant and the issuer, and the holder and the verifier, need to establish a secure connection. The DID technology adopted by the invention provides a basis for secure communication: when a message is sent, it is encrypted with a public key and sent to a specified service endpoint, and the ciphertext can be decrypted only with the corresponding private key, which increases the security of certificate transmission. In addition, in the certificate verification stage, the certificate verifier can complete the validity verification of the certificate based on the verifiable statement provided by the holder. The generation of the verifiable statement combines cryptographic techniques such as zero-knowledge proofs and Merkle trees to selectively disclose certificate attributes, so that the privacy of the certificate holder is protected and security is improved.
In addition, the digital certificate management system, the digital certificate management equipment and the digital certificate management storage medium based on the block chain also have the advantages.
In addition to the objects, features and advantages described above, other objects, features and advantages of the present invention are also provided. The present invention will be described in further detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a flowchart illustrating a block chain-based digital certificate management method according to a preferred embodiment of the present invention.
Fig. 2 is a sub-flowchart of step S2 in fig. 1.
Fig. 3 is a sub-flowchart of step S3 in fig. 1.
Fig. 4 is a sub-flowchart of step S4 in fig. 1.
Fig. 5 is a sub-flowchart of step S5 in fig. 1.
Fig. 6 is a schematic diagram of the stages involved in the lifecycle of a digital certificate in a preferred embodiment of the invention.
Fig. 7 is a schematic block chain-based digital certificate management system according to another embodiment of the present invention.
Detailed Description
The embodiments of the invention will be described in detail below with reference to the accompanying drawings, but the invention can be embodied in many different forms, which are defined and covered by the following description.
As shown in fig. 1, a preferred embodiment of the present invention provides a block chain-based digital certificate management method, including the following steps:
step S1: registering a certificate template on a public account book of the block chain, and defining a certificate according to the template after successful registration;
step S2: establishing safe connection after the certificate application side node and the certificate authority node mutually confirm identities;
step S3: the certificate authority node sends a digital certificate to the certificate applicant node, and all the declaration contents of the certificate have a public key DID signature of the certificate authority node;
step S4: establishing a secure connection after the certificate verification authority node and the certificate holder node mutually confirm the identity;
step S5: the certificate authority node verifies the validity of the digital certificate based on a verifiable assertion provided by the certificate holder node.
It is understood that the materials used for certification within a blockchain network can be divided into three types, a credential template, a verifiable certificate, and a verifiable statement, depending on the functionality. Wherein the data structure of each certificate is introduced as follows:
the certificate template is designed by a certificate issuing organization, is signed by the organization and then is registered on the distributed account book, and can contain the contents of certificate types, certificate version numbers, certificate data structures, public keys of the issuing organization, signatures and the like, and the certificate template registered on the distributed account book can be downloaded and viewed by all people in the system.
Verifiable certificates are digital certificates generated from credential templates and are held by individuals, organizations, and other entities. In general, a verifiable certificate needs to include the following:
1. certificate metadata, i.e. information about the credential itself, such as the issuing authority and the credential type;
2. a declaration, i.e. a set of descriptive statements about the holding subject;
3. the digital signature of the issuing organization: the essence of a verifiable certificate is that one DID endorses some attributes of another DID by issuing a descriptive statement, so the digital signature of the endorsing party needs to be added to ensure the authenticity of the certificate;
4. the holder public key, which is used to describe the identity of the certificate holder.
Since a verifiable certificate contains the user's private information, it is generally stored in a private device or at a network address that requires authorization.
The verifiable declaration is a declaration with a verification function that is generated from a verifiable certificate based on the zero-knowledge proof principle and can selectively disclose some of its attributes. Through a verifiable declaration, a DID holder can prove to other organizations or individuals that certain assertions about it are credible, while the selective disclosure of certificate attributes, combined with cryptographic techniques such as zero-knowledge proof and the Merkle tree, ensures that the privacy of the certificate holder is not disclosed. In general, a verifiable claim needs to include the following:
1. the list of certifications, i.e., the disclosed attributes;
2. the holder public key, describing the identity of the claim generator;
3. the disclosed field index, which allows the attribute to be disclosed to be displayed without revealing other information;
4. the Merkle root, signed by the issuing authority, which certifies that the disclosed declaration attributes are certified by the issuing authority and have not been tampered with.
The DID is a character string with a specific format that represents the digital identity of an entity. A DID identifier is independent of any centralized registry, identity provider or certificate issuing organization, and has the characteristics of global uniqueness, resolvability, high availability, cryptographic verifiability and the like. Each DID identifier corresponds to a DID document, which is a set of JSON character strings and generally comprises the DID subject, public keys, service endpoints, authorization and the like.
It can be understood that, in the block chain-based digital certificate management method according to this embodiment, the certificate template used for generating a certificate can be issued only after a registration procedure, so certificate issuance is strictly controlled at the source, the threshold for certificate forgery is raised and the confidence level is improved. The certificate template and the sending record of each certificate can be traced, so the problem of certificate forgery is thoroughly solved, the cost of certificate verification is reduced and its efficiency is improved. Before a certificate is issued or verified, the applicant and the issuer, and the holder and the verifier, need to establish a secure connection. The DID technology adopted by the invention provides the basis for secure communication: information is encrypted with a public key when a message is sent to a specified service endpoint, and the ciphertext can be decrypted only with the corresponding private key, which increases the security of certificate transmission. In addition, in the certificate verification stage, the certificate verifier can complete the validity verification of the certificate based on the verifiable statement provided by the holder. The generation of the verifiable statement selectively discloses certificate attributes by combining cryptographic techniques such as zero-knowledge proof and the Merkle tree, so the privacy of the certificate holder is not revealed and security is improved.
Therefore, the block chain-based digital certificate management method designs a block chain-based digital certificate registration, issuance and verification method, improves the efficiency of the certificate verification process, reduces the cost of manpower and material resources, realizes the digitization of the certificate by using the technologies of asymmetric encryption, Hash algorithm, digital signature and the like, ensures that the certificate can not be tampered and forged, thereby ensuring the authenticity of various certificates used in business, breaking information isolated island by using distributed account book technology, realizing data sharing, ensuring the authenticity of various certificates, and carrying out controllable sharing on sensitive data by using technology based on zero knowledge proof, on the basis of ensuring the smooth operation of the service, the privacy of the certificate holder is protected to the maximum extent, meanwhile, various certificate registration flows and structures are standardized by using a block chain technology, and systematic supervision by government departments is facilitated.
It is to be understood that in step S1, the certificate authority or the public institution may register the credential template on the public ledger, and after the credential template is successfully registered, the certificate may be defined according to the template, such as the name and version of the certificate.
It is understood that, as shown in fig. 2, the step S2 includes the following steps:
step S21: the certificate authority node sends invitation information to a certificate applicant node;
step S22: the certificate applicant node requests the DID document of the certificate authority node from the public account book;
step S23: the public account book returns a corresponding DID document according to the request of the certificate applicant node, and the certificate applicant node confirms whether the sender of the invitation information is a certificate authority node or not by comparing the content of the public key of the DID document with the public key information of the inviter;
step S24: the node of the certificate applicant creates a new DID which is only used for exchanging information with the node of the certificate authority;
step S25: the node of the certificate application party receives the invitation request of the node of the certificate authority and sends a connection establishment request to the node of the certificate authority, a DID newly created by the node of the certificate application party and a corresponding DID document need to be provided in the request, the request content needs to be encrypted when being sent, and the decryption can be carried out only by using a public key of the node of the certificate authority;
step S26: the certificate authority node creates a pair of DIDs which are only used for connecting with the certificate applicant node;
step S27: the certificate authority node receives a request for establishing connection with the certificate applicant node and returns a receiving response to the certificate applicant node, wherein the response needs to provide a DID newly created by the certificate authority node and a corresponding DID document, the request needs to be encrypted when being sent, and decryption can be performed only by using a DID public key newly created by the certificate applicant node. At this point, the certificate applicant node and the certificate authority node mutually confirm identities, possess a secret key for secure communication, and formally establish secure connection between the two parties.
It can be understood that before the certificate is issued formally, the applicant and the issuer perform mutual identity confirmation based on the DID technology, and the applicant and the issuer perform information interaction through unique DID, so that a dedicated information channel is established, information is prevented from being leaked, and the security of certificate transmission is ensured.
It is understood that, as shown in fig. 3, the step S3 includes the following steps:
step S31: the certificate authority node sends a request to the certificate applicant node, and if the certificate applicant node provides a client endpoint to the certificate authority node in the connection establishment stage, the stage is automatically completed;
step S32: the certificate applicant node downloads the definition of the certificate on the public ledger to confirm the certificate type and content corresponding to the request, and the public ledger returns the certificate definition inquired by the certificate applicant node;
step S33: the node of the certificate application side receives the request sent by the node of the certificate authority and sends an application link of the certificate to the node of the certificate authority;
step S34: the certificate authority node sends data attributes required for generating the certificate to the certificate applicant node, and the certificate applicant node provides corresponding attributes to the certificate authority node;
step S35: the certificate authority node generates a certificate belonging to the applicant according to the corresponding attribute provided by the certificate applicant node, and stores the hash head of the certificate issue record on a public account book;
step S36: the certificate authority node sends a certificate to the certificate applicant node, and all the declaration contents of the certificate have a public key DID signature of the certificate authority node, so that the authenticity of all data related to the certificate is guaranteed;
step S37: after receiving the certificate, the certificate applicant node puts the certificate into a key management system to ensure that personal information is not leaked.
It can be understood that after the certificate issuing organization establishes secure connection with an applicant, the issuing organization can generate a certificate according to a certificate template and data attributes provided by the applicant, the certificate is sent to the applicant in an encryption mode, encrypted contents can be decrypted only by using a private key of the applicant, and a hash head of a certificate issuing record is stored in a public account book, so that certificate verification in the later period is facilitated, and a digital certificate is stored in a key management system of the applicant, so that the digital certificate is not easy to lose compared with a traditional paper certificate, and time and labor cost for completing the certificate are reduced.
It is understood that, as shown in fig. 4, the step S4 includes the following steps:
step S41: the certificate verification authority node sends invitation information to the certificate holder node;
step S42: the certificate holder node requests the DID document of the certificate verification authority node from the public account book;
step S43: the public account book returns a corresponding DID document according to the request of the certificate holder node, and the certificate holder node confirms whether the sender of the invitation information is a certificate verification authority node or not by comparing the content of the public key of the DID document with the public key information of the invitation sender;
step S44: the certificate holder node creates a new DID that is only used to exchange information with the certificate authority node;
step S45: the method comprises the steps that a certificate holder node receives an invitation request of a certificate verification mechanism node and sends a connection establishment request to the certificate holder node, a DID newly created by the certificate holder node and a corresponding DID document need to be provided in the request, the request content needs to be encrypted when being sent, and decryption can be performed only by using a public key of the certificate verification mechanism node;
step S46: the certificate authority node creates a pair of DID's that are only used to connect with the certificate holder;
step S47: the certificate verification authority node receives the request of establishing connection of the certificate holder node and returns a receiving response to the holder, the response needs to provide the DID newly created by the certificate verification authority node and the corresponding DID document, the request needs to be encrypted when being sent, and the decryption can be carried out only by using the DID public key newly created by the certificate holder node.
It can be understood that before the certificate verification is formally performed, the holder (i.e. the previous applicant) and the verification authority perform mutual identity confirmation based on the DID technology, and the holder and the verifier perform information interaction through a unique DID, so that a dedicated information channel is established, information is prevented from being leaked, and the security of information transmission is ensured.
It is understood that, as shown in fig. 5, the step S5 includes the following steps:
step S51: the certificate verification authority node sends a message of a declaration request to the certificate holder node through a DID used in a connection establishment stage;
step S52: the certificate holder node judges whether to disclose the attribute required by the verifier and provides a verifiable statement for the certificate verifier node according to the requirement of the certificate verification authority node, wherein the statement only discloses partial information of the certificate;
step S53: the certificate holder node signs the generated verifiable statement to ensure that the certificate was generated by it, and sends it to the certificate authority node;
step S54: the certificate verification authority node inquires a corresponding certificate issuing record from a public ledger according to a verifiable statement provided by the certificate holder node to verify the authenticity of the certificate issuing record, and meanwhile, the revocation state of the statement is verified through an accumulator; if the declaration is in a revocation state, the digital certificate is in a failure state;
step S55: the public ledger returns the issuing record and the revocation state of the inquiry certificate to the certificate verification mechanism node, and the certificate verification mechanism node can verify the validity of the digital certificate held by the certificate holder node through the returned content.
Instead of presenting the certificate itself for verification, the certificate holder can provide a verifiable statement according to the requirement of the verifier. The verifiable statement is a statement with a verification function that is generated from the verifiable certificate based on the zero-knowledge proof principle and can selectively reveal part of the attributes. Because the attributes of the certificate are revealed selectively, the certificate can be effectively verified while the privacy of the certificate holder is guaranteed not to be leaked. Data sharing is improved, data islands are broken, mutual trust between the verification parties is increased, and the sensitive data of each node is protected and can be shared in a controllable way.
It will be appreciated that, as shown in fig. 6, the entire life cycle of a digital certificate may be divided into five phases: generation, issuance, generation of verifiable claims, verification, and revocation. In the generation phase, after the certificate issuing organization establishes a secure connection with an applicant, the issuer generates a certificate according to the certificate template and the attributes of the applicant. In the issuing phase, the certificate authority sends the certificate to the applicant in encrypted form, and the encrypted content can be decrypted only by using the private key of the applicant. In the phase of generating verifiable claims, a verifiable statement that has a verification function and discloses only some attributes is generated from a verifiable certificate by combining cryptographic techniques such as the Merkle tree and the digital signature. In the verification phase, after receiving the verifiable statement, the verifier verifies the authenticity and validity of the statement. In the revocation phase, for reasons of timeliness or other reasons, the definition of the verifiable certificate is revoked, and the certificate no longer has the certification function after revocation.
Specifically, the generation of the verifiable certificate mainly includes the following steps:
1. generating a pair of keys by the RSA algorithm: randomly selecting two unequal prime numbers p and q, and calculating n = p × q and the Euler function of n; randomly selecting an integer e that is relatively prime to the Euler function of n; calculating the modular inverse element d corresponding to e; a pair of keys is then available: key = (Pub_K, Pri_K) = ((n, e), (n, d));
2. inputting related attributes of a certificate main body and information raw _ data of an issuing organization;
3. performing hash calculation on the content generated in the step 2 to obtain a hash value H:
H=hash_function(raw_data)
4. RSA signature of hash value H using private key of issuing authority:
signature = H^d mod n
5. and connecting the contents obtained in the step 2 and the step 4 into a file to generate a verifiable certificate.
In addition, the issuing process of the verifiable certificate specifically includes:
when an issuer sends a certificate to an applicant, the application end needs to encrypt the sent content, and the applicant needs to decrypt the encrypted content after receiving it; the mathematical description of encryption and decryption is as follows:
1. Encryption process: the sender of the information selects a non-repeated random number N_sender, the current time t_sender, the identification information ID_recipient of the other party, and other contents C_sender requiring encryption; N_sender, t_sender, ID_recipient and C_sender constitute the plaintext information m_sender = {N_sender, t_sender, ID_recipient, C_sender}, and m_sender is expressed as a field element
Figure GDA0003331711380000114
Then a random number k is selected at random in [1, n-1], together with the public key information PbI_recipient = (F(sender), G, n, Q_recipient) of the information receiver; the points (x_1, y_1) = kG and (x_2, y_2) = kQ_recipient are calculated, and the following ciphertext is generated:
Figure GDA0003331711380000111
If (x_2, y_2) = 0, the random number k needs to be selected again.
2. Decryption process: for the ciphertext
Figure GDA0003331711380000112
the applicant can use its own private key d_recipient to decrypt the content:
Figure GDA0003331711380000113
After decryption the message receiver obtains the plaintext m_sender, and through the identification information ID_recipient it can verify whether it is the message recipient.
In addition, the generation phase of the verifiable statement is specifically as follows:
in order to protect the private data of the certificate holder, the method combines zero-knowledge proof theory and uses two techniques, random salt and the Merkle tree, to generate the verifiable proof. First, random salting is applied to all attribute contents in the certificate:
attr'=Hash_function(attr+random_seed)
Then a data index is determined, so that the position of a disclosed attribute in the Merkle tree can be queried and located quickly. Finally, a Merkle root signature root_signature is provided to ensure that the data has not been changed.
The verification stage of the verifiable statement is specifically as follows:
after the verifier receives the verifiable statement, the verifier needs to verify the authenticity of the verifiable statement by:
1. comparing DID documents corresponding to the public key of the holder and the public key of the submitter in the declaration, and verifying the validity of the signature of the declaration, namely that the generator of the declaration is consistent with the submitter;
2. downloading a corresponding DID document from the account book according to the name of the issuer in the statement, obtaining a public key of the issuer from the document, and verifying whether the issuer is authoritative;
3. verifying related data such as the data indexes, random salt and Merkle root of the disclosed fields to ensure that the disclosed fields are authenticated by an issuing authority;
4. through the verification step, the credible public content can be displayed, and information except the public content can not be obtained, so that the privacy of the certificate holder is guaranteed.
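The signing of a hash with the issuer's RSA private key and the salted Merkle-tree disclosure described above can be exercised end to end. The following Python sketch is an added example, not code from the patent; the toy RSA key built from two public Mersenne primes, the leaf/node tags, the fixed salt length and all function and attribute names are assumptions, and the sample attributes are constructed. The holder's own signature over the statement is left out.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key, constructed for this example from two public Mersenne primes.
# A real issuer uses secret random primes and a padded signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                      # modular inverse d of e
ISSUER_PUB = (N, E)
SALT_LEN = 16                            # assumed fixed salt size in bytes

def leaf_hash(attr: str, salt: bytes) -> bytes:
    # attr' = Hash_function(attr + random_seed); the 0x00 tag is added
    # hardening so a leaf can never be mistaken for an inner node.
    return hashlib.sha256(b"\x00" + attr.encode() + salt).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Return every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                 # odd level: pair the last node with itself
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def proof_path(levels, index):
    """Sibling hashes needed to recompute the root from leaf `index`."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append(level[index ^ 1])
        index //= 2
    return path

def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index //= 2
    return node

def issue_certificate(attrs):
    """Issuer: salt every attribute, build the tree, sign the Merkle root."""
    salts = [secrets.token_bytes(SALT_LEN) for _ in attrs]
    leaves = [leaf_hash(a, s) for a, s in zip(attrs, salts)]
    root = build_levels(leaves)[-1][0]
    signature = pow(int.from_bytes(root, "big"), D, N)   # signature = H^d mod n
    return {"attrs": list(attrs), "salts": salts, "root": root,
            "root_signature": signature}

def make_claim(cert, disclose):
    """Holder: reveal only the attributes at the indexes in `disclose`."""
    leaves = [leaf_hash(a, s) for a, s in zip(cert["attrs"], cert["salts"])]
    levels = build_levels(leaves)
    return {"root": cert["root"], "root_signature": cert["root_signature"],
            "disclosed": [{"index": i, "attr": cert["attrs"][i],
                           "salt": cert["salts"][i],
                           "path": proof_path(levels, i)} for i in disclose]}

def verify_claim(claim, issuer_pub):
    """Verifier: check the issuer signature on the root, then each disclosed field."""
    n, e = issuer_pub
    root = claim["root"]
    if pow(claim["root_signature"], e, n) != int.from_bytes(root, "big"):
        return False
    if not claim["disclosed"]:
        return False
    for d in claim["disclosed"]:
        # A fixed salt length stops the holder from moving bytes between
        # attr and salt to present a truncated value with the same hash.
        if len(d["salt"]) != SALT_LEN:
            return False
        leaf = leaf_hash(d["attr"], d["salt"])
        if root_from_path(leaf, d["index"], d["path"]) != root:
            return False
    return True

# Constructed sample certificate attributes.
SAMPLE_ATTRS = ["name=Zhang San", "degree=Bachelor of Engineering",
                "id_number=000000000000000000", "graduation_year=2020", "gpa=3.7"]

if __name__ == "__main__":
    cert = issue_certificate(SAMPLE_ATTRS)
    claim = make_claim(cert, [1, 3])
    print("claim valid:", verify_claim(claim, ISSUER_PUB))
```

The verifier sees only the disclosed attributes, their salts and sibling hashes; the undisclosed attributes enter the check solely through salted hashes folded into the signed root.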
The certificate revocation specifically includes:
the certificate revocation process is implemented using a cryptography-based accumulator algorithm. First, let the certificate set held by an entity be S = {x_1, x_2, …, x_n}, and use:
Figure GDA0003331711380000121
as the accumulator of the set S, where N = p × q, p and q are prime numbers with large values, and g is a generator modulo N. When certificate x_1 in the set S is revoked, the state of the accumulator is updated to:
Figure GDA0003331711380000122
at this time, according to Bézout's theorem, without knowing the specific content of x_1, the entity cannot prove x_1 ∈ S.
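The revocation check can be illustrated with a toy accumulator. This Python sketch is an added example, not the patent's code: it assumes the common RSA accumulator construction acc = g^(x_1·…·x_n) mod N with every certificate mapped to a prime, and the modulus (two public Mersenne primes), the base g = 3, the certificate identifiers and all class and function names are constructed for illustration.

```python
import hashlib

# Toy parameters constructed for this example. A real deployment keeps the
# factors of N secret; Mersenne primes are public and used here only so the
# example runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
G = 3                                    # assumed base g

def is_prime(n: int) -> bool:
    """Miller-Rabin, deterministic for the roughly 64-bit values used here."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def to_prime(cert_id: str) -> int:
    """Map a certificate identifier to a prime; accumulated elements must be prime."""
    x = int.from_bytes(hashlib.sha256(cert_id.encode()).digest()[:8], "big") | 1
    while not is_prime(x):
        x += 2
    return x

def accumulate(elements) -> int:
    acc = G
    for x in elements:
        acc = pow(acc, x, N)
    return acc

class RevocationRegistry:
    """Accumulator state the issuer publishes on the ledger (hypothetical name)."""

    def __init__(self, cert_ids):
        self.valid = [to_prime(c) for c in cert_ids]
        self.acc = accumulate(self.valid)

    def issue_witness(self, cert_id: str) -> int:
        """Membership witness: the accumulator of every other valid element."""
        x = to_prime(cert_id)
        return accumulate(e for e in self.valid if e != x)

    def revoke(self, cert_id: str) -> None:
        """Drop the element and publish the accumulator of the remaining set."""
        self.valid.remove(to_prime(cert_id))
        self.acc = accumulate(self.valid)

def check_not_revoked(published_acc: int, cert_id: str, wit: int) -> bool:
    """Verifier: the witness raised to the element must equal the published value."""
    return pow(wit, to_prime(cert_id), N) == published_acc

if __name__ == "__main__":
    reg = RevocationRegistry(["cert-001", "cert-002", "cert-003"])
    w1 = reg.issue_witness("cert-001")
    print("before revocation:", check_not_revoked(reg.acc, "cert-001", w1))
    reg.revoke("cert-001")
    print("after revocation: ", check_not_revoked(reg.acc, "cert-001", w1))
```

Witnesses of certificates that remain valid also go stale when the accumulator changes, so holders must refresh them after each revocation.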
In addition, as shown in fig. 7, another embodiment of the present invention further provides a block chain-based digital certificate management system, preferably adopting the digital certificate management method described above, and the system includes:
the template registration module is used for registering a certificate template on a public account book of the block chain, and after the registration is successful, a certificate can be defined according to the template;
the identity confirmation module is used for establishing safe connection after the mutual identity confirmation of the nodes of the two parties;
the digital certificate issuing module is used for enabling the certificate issuing organization node to send a digital certificate to the certificate application side node, and all the declaration contents of the certificate have a public key DID signature of the certificate issuing organization node;
and the certificate verification module is used for verifying the validity of the digital certificate by the certificate verification authority node based on the verifiable statement provided by the certificate holder node.
It can be understood that, in the block chain-based digital certificate management system according to this embodiment, the certificate template used for generating a certificate can be issued only after a registration procedure, so certificate issuance is strictly controlled at the source, the threshold for certificate forgery is raised and the confidence level is improved. The certificate template and the sending record of each certificate can be traced, so the problem of certificate forgery is thoroughly solved, the cost of certificate verification is reduced and its efficiency is improved. Before a certificate is issued or verified, the applicant and the issuer, and the holder and the verifier, need to establish a secure connection. The DID technology adopted by the invention provides the basis for secure communication: information is encrypted with a public key when a message is sent to a specified service endpoint, and the ciphertext can be decrypted only with the corresponding private key, which increases the security of certificate transmission. In addition, in the certificate verification stage, the certificate verifier can complete the validity verification of the certificate based on the verifiable statement provided by the holder. The generation of the verifiable statement selectively discloses certificate attributes by combining cryptographic techniques such as zero-knowledge proof and the Merkle tree, so the privacy of the certificate holder is not revealed and security is improved.
In addition, the present invention also provides an electronic device, comprising a processor and a memory, wherein the memory stores a computer program, and the processor is used for executing the steps of the method by calling the computer program stored in the memory.
In addition, the present invention also provides a computer readable storage medium for storing a computer program for block chain based digital certificate management, which when running on a computer performs the steps of the method as described above.
The general form of computer readable media includes: floppy disk (floppy disk), flexible disk (flexible disk), hard disk, magnetic tape, any of its magnetic media, CD-ROM, any of the other optical media, punch cards (punch cards), paper tape (paper tape), any of the other physical media with patterns of holes, Random Access Memory (RAM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), FLASH erasable programmable read only memory (FLASH-EPROM), any of the other memory chips or cartridges, or any of the other media from which a computer can read. The instructions may further be transmitted or received by a transmission medium. The term transmission medium may include any tangible or intangible medium that is operable to store, encode, or carry instructions for execution by the machine, and includes digital or analog communications signals or intangible medium that facilitates communication of the instructions. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise a bus for transmitting computer data signals.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A block chain-based digital certificate management method is characterized by comprising the following steps:
step S1: registering a certificate template on a public account book of the block chain, and defining a certificate according to the template after successful registration;
step S2: establishing safe connection after the certificate application side node and the certificate authority node mutually confirm identities;
step S3: the certificate authority node sends a digital certificate to the certificate applicant node, and all the declaration contents of the certificate have a public key DID signature of the certificate authority node;
step S4: establishing a secure connection after the certificate verification authority node and the certificate holder node mutually confirm the identity;
step S5: the certificate verification authority node verifies the validity of the digital certificate based on a verifiable statement provided by a certificate holder node, wherein the certificate holder node is a previous certificate applicant node;
the step S2 includes the steps of:
step S21: the certificate authority node sends invitation information to a certificate applicant node;
step S22: the certificate applicant node requests the DID document of the certificate authority node from the public account book;
step S23: the public account book returns a corresponding DID document according to the request of the certificate applicant node, and the certificate applicant node confirms whether the sender of the invitation information is a certificate authority node or not by comparing the content of the public key of the DID document with the public key information of the inviter;
step S24: the node of the certificate applicant creates a new DID which is only used for exchanging information with the node of the certificate authority;
step S25: the node of the certificate application party receives the invitation request of the node of the certificate authority and sends a connection establishment request to the node of the certificate authority, a DID newly created by the node of the certificate application party and a corresponding DID document need to be provided in the request, the request content needs to be encrypted when being sent, and the decryption can be carried out only by using a public key of the node of the certificate authority;
step S26: the certificate authority node creates a pair of DIDs which are only used for connecting with the certificate applicant node;
step S27: the certificate authority node receives a request for establishing connection with the certificate applicant node and returns a receiving response to the certificate applicant node, wherein the response needs to provide a DID newly created by the certificate authority node and a corresponding DID document, the request needs to be encrypted when being sent, and decryption can be performed only by using a DID public key newly created by the certificate applicant node.
2. The block chain-based digital certificate management method according to claim 1,
the step S3 includes the steps of:
step S31: the certificate authority node sends a request to the certificate applicant node, and if the certificate applicant node provides a client endpoint to the certificate authority node in the connection establishment stage, the stage is automatically completed;
step S32: the certificate applicant node downloads the definition of the certificate on the public ledger to confirm the certificate type and content corresponding to the request, and the public ledger returns the certificate definition inquired by the certificate applicant node;
step S33: the node of the certificate application side receives the request sent by the node of the certificate authority and sends an application link of the certificate to the node of the certificate authority;
step S34: the certificate authority node sends data attributes required for generating the certificate to the certificate applicant node, and the certificate applicant node provides corresponding attributes to the certificate authority node;
step S35: the certificate authority node generates a certificate belonging to the applicant according to the corresponding attributes provided by the certificate applicant node, and stores the hash head of the certificate issue record on the public ledger;
step S36: the certificate authority node sends a certificate to the certificate applicant node, and all the declaration contents of the certificate have a public key DID signature of the certificate authority node, so that the authenticity of all data related to the certificate is guaranteed;
step S37: after receiving the certificate, the certificate applicant node puts the certificate into a key management system to ensure that personal information is not leaked.
3. The blockchain-based digital certificate management method according to claim 2,
the step S4 includes the steps of:
step S41: the certificate verification authority node sends invitation information to the certificate holder node;
step S42: the certificate holder node requests the DID document of the certificate verification authority node from the public ledger;
step S43: the public ledger returns the corresponding DID document in response to the request of the certificate holder node, and the certificate holder node confirms whether the sender of the invitation information is the certificate verification authority node by comparing the public key in the DID document with the public key information of the invitation sender;
step S44: the certificate holder node creates a new DID that is only used to exchange information with the certificate authority node;
step S45: the certificate holder node receives the invitation request of the certificate verification authority node and sends a connection establishment request to the certificate holder node; the request must provide the DID newly created by the certificate holder node and the corresponding DID document, the request content must be encrypted when sent, and decryption can be performed only by using the public key of the certificate verification authority node;
step S46: the certificate authority node creates a pair of DID's that are only used to connect with the certificate holder;
step S47: the certificate verification authority node receives the request of establishing connection of the certificate holder node and returns a receiving response to the holder, the response needs to provide the DID newly created by the certificate verification authority node and the corresponding DID document, the request needs to be encrypted when being sent, and the decryption can be carried out only by using the DID public key newly created by the certificate holder node.
4. The blockchain-based digital certificate management method according to claim 3,
the step S5 includes the steps of:
step S51: the certificate verification authority node sends a message of a declaration request to the certificate holder node through a DID used in a connection establishment stage;
step S52: the certificate holder node judges whether to disclose the attribute required by the verifier and provides a verifiable statement for the certificate verifier node according to the requirement of the certificate verification authority node, wherein the statement only discloses partial information of the certificate;
step S53: the certificate holder node signs the generated verifiable statement to ensure that the certificate was generated by it, and sends it to the certificate authority node;
step S54: the certificate verification authority node inquires a corresponding certificate issuing record from a public ledger according to a verifiable statement provided by the certificate holder node to verify the authenticity of the certificate issuing record, and meanwhile, the revocation state of the statement is verified through an accumulator;
step S55: the public ledger returns the issuing record and the revocation state of the queried certificate to the certificate verification authority node, and the certificate verification authority node can verify the validity of the digital certificate held by the certificate holder node through the returned content.
5. The blockchain-based digital certificate management method according to claim 2,
the process of generating the verifiable certificate specifically includes the following:
generating a key pair with the RSA algorithm: randomly selecting two unequal prime numbers p and q, and calculating n = p × q and the Euler function of n; randomly selecting an integer e that is relatively prime to the Euler function of n; and calculating the modular inverse element d corresponding to e to obtain a key pair Key = (Pub_K, Pri_K) = ((n, e), (n, d));
inputting the related attributes of the certificate subject and the information raw_data of the issuing organization;
performing hash calculation on the content generated after the related attributes of the certificate subject and the information of the issuing organization are input to obtain a hash value H, wherein H = hash_function(raw_data);
performing an RSA signature on the hash value H using the private key of the issuing authority: signature = H^d mod n;
The content generated after inputting the relevant attribute of the certificate main body and the information of the issuing organization and the content obtained after the private key of the issuing organization is used for carrying out RSA signature on the hash value are connected into a file to generate the verifiable certificate.
6. The blockchain-based digital certificate management method according to claim 5,
the process of verifying a verifiable claim includes the following:
comparing DID documents corresponding to the public key of the holder and the public key of the submitter in the declaration, and verifying the validity of the signature of the declaration, namely that the generator of the declaration is consistent with the submitter;
downloading a corresponding DID document from the account book according to the name of the issuer in the statement, obtaining a public key of the issuer from the document, and verifying whether the issuer is authoritative;
verifying the relevant data of the disclosed field to ensure that the disclosed field is authenticated by an issuer;
through the verification step, the credible public content can be displayed, and information except the public content can not be obtained, so that the privacy of the certificate holder is guaranteed.
7. A block chain-based digital certificate management system employing the digital certificate management method according to any one of claims 1 to 6, the system comprising:
the template registration module is used for registering a certificate template on a public account book of the block chain, and after the registration is successful, a certificate can be defined according to the template;
the identity confirmation module is used for establishing safe connection after the mutual identity confirmation of the nodes of the two parties;
the digital certificate issuing module is used for enabling the certificate issuing organization node to send a digital certificate to the certificate application side node, and all the declaration contents of the certificate have a public key DID signature of the certificate issuing organization node;
and the certificate verification module is used for verifying the validity of the digital certificate by the certificate verification authority node based on the verifiable statement provided by the certificate holder node.
8. An electronic device, comprising a processor and a memory, the memory having stored therein a computer program, the processor being configured to perform the steps of the method according to any one of claims 1 to 6 by invoking the computer program stored in the memory.
9. A computer-readable storage medium for storing a computer program for block-chain based digital certificate management, wherein the computer program performs the steps of the method according to any of claims 1 to 6 when the computer program runs on a computer.
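The certificate generation steps of claim 5 and the issuer-signature check of claim 6, as an added Python example that is not code from the patent. SHA-256 as hash_function, the fixed demo primes, e = 65537, the JSON container and all function names are assumptions; the unpadded H^d mod n signature follows the claim text, whereas deployed systems use a padded scheme such as RSASSA-PSS.

```python
import hashlib
import json
from math import gcd

# Constructed demo primes (Mersenne primes); the claim picks p and q at random.
P = 2**127 - 1
Q = 2**521 - 1


def generate_key(p, q, e=65537):
    """Return Key = (Pub_K, Pri_K) = ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be unequal")
    n = p * q
    phi = (p - 1) * (q - 1)  # Euler function of n for distinct primes p, q
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to the Euler function of n")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(raw_data, n):
    """H = hash_function(raw_data); SHA-256 is this example's assumption."""
    h = int.from_bytes(hashlib.sha256(raw_data.encode("utf-8")).digest(), "big")
    if h >= n:
        raise ValueError("modulus too small for the hash value")
    return h


def issue_certificate(raw_data, pri_k):
    """Sign H with the issuer private key and join data and signature in one file."""
    n, d = pri_k
    signature = pow(digest(raw_data, n), d, n)  # signature = H^d mod n
    return json.dumps({"raw_data": raw_data, "signature": format(signature, "x")})


def verify_certificate(cert_file, pub_k):
    """Accept only if signature^e mod n equals the recomputed hash H."""
    n, e = pub_k
    try:
        cert = json.loads(cert_file)
        raw_data, signature = cert["raw_data"], int(cert["signature"], 16)
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(raw_data, str) or not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(raw_data, n)


# Constructed sample attributes and identifiers, not taken from the patent.
PUB_K, PRI_K = generate_key(P, Q)
RAW_DATA = json.dumps({"subject": "did:example:holder", "degree": "BSc",
                       "issuer": "did:example:authority"}, sort_keys=True)
CERT = issue_certificate(RAW_DATA, PRI_K)
```

Changing any attribute in the file after issuance makes `verify_certificate` return False, because the recomputed hash no longer matches the value recovered from the signature.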
CN202110190971.7A 2021-02-19 2021-02-19 Block chain-based digital certificate management method, system, equipment and storage medium Active CN113014392B (en)


Publications (2)

Publication Number Publication Date
CN113014392A CN113014392A (en) 2021-06-22
CN113014392B true CN113014392B (en) 2022-04-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant