CN113132094B - Decentralized digital authentication method and system - Google Patents


Info

Publication number
CN113132094B
Authority
CN
China
Prior art keywords
signature
verification
node
data
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911421424.4A
Other languages
Chinese (zh)
Other versions
CN113132094A (en)
Inventor
唐世彪
赵梅生
刘筱筱
王学富
郑建辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quantumctek Co Ltd
Original Assignee
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Quantumctek Co Ltd
Priority to CN201911421424.4A
Publication of CN113132094A
Application granted
Publication of CN113132094B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0852 Quantum cryptography
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a decentralized digital authentication method and system. The system comprises at least one signature verification node. Each signature verification node decrypts the first verification data received from the signature sending node by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node. The signature verification node then judges whether the related information of the first original text data that it receives is consistent with the corresponding first verification information that it has recorded; if so, it feeds back that verification passed, otherwise it feeds back that verification failed. The invention realizes the authentication function by using the verification feedback of most nodes of the whole network, and solves the security problem that arises for the whole identity authentication system when the CA center is attacked and is no longer trustworthy.

Description

Decentralized digital authentication method and system
Technical Field
The invention belongs to the technical field of network security, relates to an identity/signature authentication method, and particularly relates to a decentralized digital authentication method and system.
Background
The traditional digital authentication scheme is built on a public-private key cryptosystem (PKI): signature verification relies on public-private key encryption and decryption algorithms, and identity authentication relies on a digital certificate issued by a trusted third-party authentication center (CA center), where the digital certificate itself also relies on public-private key encryption and decryption algorithms.
However, as the computing power of computers keeps growing, the required length of public-private key pairs keeps increasing and they become harder to generate. Once a general-purpose quantum computer appears, the assumption that existing computing power cannot factor large numbers into primes will be thoroughly broken, and the whole existing PKI system will suffer a fatal attack. Therefore, as quantum computer technology improves, public-private key cryptosystems face a fatal impact and carry great potential security risks.
In addition, because the traditional digital authentication scheme is built on a public-private key cryptosystem, the whole system depends on an authentication center (CA center) that is absolutely secure and absolutely trustworthy. Once the CA center is attacked and is no longer trustworthy, or can no longer carry out the verification function, the whole authentication system stops working.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a decentralized digital authentication method and system, which are used to solve the problem that the existing authentication technology relies on an authentication center with absolute security and absolute credibility to operate, and has great potential safety hazard.
In order to achieve the above and other related objects, the present invention provides a decentralized digital authentication method, applied to a network including at least 3 network nodes, wherein a network node in the network that sends signature data serves as a signature sending node, a network node that receives signature data serves as a signature receiving node, and the network nodes other than the signature sending node and the signature receiving node serve as signature verification nodes for the signature sending node and the signature receiving node. The decentralized digital authentication method comprises the following steps:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also encrypts related information of the first original text data by using the corresponding verification shared keys to form first verification data, and sends the first verification data and the attribute information to the corresponding signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each signature verification node;
each corresponding signature verification node decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption, together with the attribute information, to all corresponding signature verification nodes;
each corresponding signature verification node judges whether the related information of the first original text data that it receives is consistent with the corresponding first verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
In an embodiment of the present invention, the decentralized digital authentication method further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption, together with the attribute information corresponding to the second signature data, to all corresponding signature verification nodes; each corresponding signature verification node judges whether the related information of the second original text data that it receives is consistent with the corresponding second verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the second preset safety threshold amount, the signature receiving node has proof that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
In an embodiment of the present invention, the decentralized digital authentication method further includes: each signature verification node receives each verification data and the attribute information from a signature sending node, and records the corresponding verification information obtained by decrypting each verification data, together with the attribute information; each signature verification node records the related information and the attribute information of each original text data from the signature receiving node; and each time a signature verification node completes a comparison, matched by attribute information, of the related information of original text data against the corresponding verification information, it stores the related information of the original text data that was found consistent in association with the corresponding verification information.
In an embodiment of the present invention, any two network nodes in the network each have a unique pair of shared keys.
In an embodiment of the present invention, the related information of the original text data includes a hash value of the original text data, or a related value obtained by computing over the original text data with any other algorithm; the attribute information corresponding to the signature data includes timestamp information of when the signature sending node sent the signature data, and information identifying the signature receiving node that receives the signature data.
In an embodiment of the present invention, the decentralized digital authentication method further includes a method for extending the network with new network nodes, including: providing a security guarantee for the newly added network node by means of a trusted entity mechanism; or having the existing network nodes in the network jointly provide a security guarantee for the newly added network node based on an invitation mechanism; and having the management center of the network preset, for the newly added network node that has a security guarantee, shared keys with all existing network nodes in the network.
In an embodiment of the present invention, the network further includes an authentication server for performing signature verification for the signature sending node and the signature receiving node.
In an embodiment of the present invention, the decentralized digital authentication method further includes:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also encrypts related information of the first original text data by using the corresponding verification shared keys to form the respective first verification data, and sends the first verification data and the attribute information to the corresponding authentication servers and/or signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each authentication server and/or signature verification node;
each authentication server and/or signature verification node decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption, together with the attribute information, to each authentication server and/or signature verification node;
each authentication server and/or signature verification node judges whether the related information of the first original text data that it receives is consistent with the corresponding first verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed;
and after the signature receiving node receives verification-passed feedback from authentication servers and/or signature verification nodes reaching the first preset safety threshold amount, it establishes trusted communication with the signature sending node.
In an embodiment of the invention, the decentralized digital authentication method further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption, together with the attribute information corresponding to the second signature data, to each authentication server and/or signature verification node; each authentication server and/or signature verification node judges whether the related information of the second original text data that it receives is consistent with the corresponding second verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from authentication servers and/or signature verification nodes reaching the second preset safety threshold amount, the signature receiving node has proof that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
In an embodiment of the present invention, the decentralized digital authentication method further includes: each authentication server and/or signature verification node receives each verification data and the attribute information from a signature sending node, and records the corresponding verification information obtained by decrypting each verification data, together with the attribute information; each authentication server and/or signature verification node records the related information and the attribute information of each original text data from the signature receiving node; and each time an authentication server and/or signature verification node completes a verification, matched by attribute information, of the related information of original text data against the corresponding verification information, it stores the related information of the original text data that was found consistent in association with the corresponding verification information.
In an embodiment of the present invention, the decentralized digital authentication method further includes:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it fragments the related information of the first original text data by using a first fragmentation method to obtain fragmentation information, encrypts the corresponding fragmentation information by using the corresponding verification shared keys according to a first distribution strategy to form the respective first verification data, and sends the first verification data and the attribute information to the corresponding authentication servers and/or signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each authentication server and/or signature verification node;
each authentication server and/or signature verification node decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and sends each piece of fragmentation information, together with the attribute information, to the corresponding authentication server and/or signature verification node according to the first distribution strategy;
each authentication server and/or signature verification node judges whether the fragmentation information that it receives is consistent with the corresponding first verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed;
and after the signature receiving node receives verification-passed feedback from authentication servers and/or signature verification nodes reaching the first preset safety threshold amount, it establishes trusted communication with the signature sending node.
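The basic method and the fragmented variant described above can be traced end to end in a small simulation. This is an added example, not code from the patent: the XOR keystream cipher, SHA-256 as the "related information", the equal-slice fragmentation, the round-robin distribution, and the node names and timestamps are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from itertools import combinations


def keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts; the nonce must be unique per message."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def fragment(digest, n):
    """Hypothetical fragmentation method: cut the digest into n consecutive slices."""
    size = -(-len(digest) // n)  # ceiling division
    return [digest[i * size:(i + 1) * size] for i in range(n)]


class Network:
    """Every pair of nodes holds its own shared key."""
    def __init__(self, names):
        self.keys = {frozenset(p): secrets.token_bytes(32) for p in combinations(names, 2)}

    def key(self, a, b):
        return self.keys[frozenset((a, b))]


class Verifier:
    def __init__(self, name, net):
        self.name, self.net, self.records = name, net, {}

    def record(self, sender, attr, verification_data):
        """Decrypt the sender's verification data and store it under the attribute info."""
        key = self.net.key(sender, self.name)
        self.records[(sender, attr)] = keystream_xor(key, attr, verification_data)
        return True  # verification confirmation fed back to the sender

    def check(self, sender, attr, claimed):
        """Compare the receiver's report with the stored record in constant time."""
        stored = self.records.get((sender, attr))
        return stored is not None and hmac.compare_digest(stored, claimed)


def send(net, sender, receiver, verifiers, message, timestamp, n_frag=1):
    attr = f"{timestamp}|{receiver}".encode()  # attribute info: timestamp + receiver
    signature_data = keystream_xor(net.key(sender, receiver), attr, message)
    frags = fragment(hashlib.sha256(message).digest(), n_frag)
    acks = 0
    for i, v in enumerate(verifiers):  # round-robin distribution (assumption)
        vdata = keystream_xor(net.key(sender, v.name), attr, frags[i % n_frag])
        acks += v.record(sender, attr, vdata)
    return signature_data, attr, acks


def receive(net, sender, receiver, verifiers, signature_data, attr, threshold, n_frag=1):
    # Receiver-to-verifier transport is not modelled; values are passed directly.
    message = keystream_xor(net.key(sender, receiver), attr, signature_data)
    frags = fragment(hashlib.sha256(message).digest(), n_frag)
    passed = sum(v.check(sender, attr, frags[i % n_frag]) for i, v in enumerate(verifiers))
    return passed >= threshold, passed, message


def run_demo():
    names = ["A", "B", "V1", "V2", "V3", "V4"]  # constructed node names
    net = Network(names)
    verifiers = [Verifier(n, net) for n in names[2:]]
    msg = b"transfer 100 units to B"  # constructed sample message
    results = {}

    sig, attr, acks = send(net, "A", "B", verifiers, msg, "2024-01-01T00:00:00Z")
    results["acks"] = acks
    results["honest"] = receive(net, "A", "B", verifiers, sig, attr, 3)[:2]

    # Ciphertext modified in transit: B decrypts a different message, so its
    # hash no longer matches what the verifiers recorded.
    tampered = bytes([sig[0] ^ 1]) + sig[1:]
    results["tampered"] = receive(net, "A", "B", verifiers, tampered, attr, 3)[:2]

    # One verifier has lost its record: the threshold of 3 is still met.
    verifiers[0].records.clear()
    results["one_verifier_down"] = receive(net, "A", "B", verifiers, sig, attr, 3)[:2]

    # Fragmented variant: each verifier only ever holds half of the digest.
    sig2, attr2, _ = send(net, "A", "B", verifiers, msg, "2024-01-01T00:00:01Z", n_frag=2)
    results["fragmented"] = receive(net, "A", "B", verifiers, sig2, attr2, 3, n_frag=2)[:2]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The threshold is what carries the trust decision: a single missing or dishonest verifier neither blocks an honest sender nor suffices to vouch for a modified message.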
In an embodiment of the present invention, the decentralized digital authentication method further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, fragments the related information of the second original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and sends each piece of fragmentation information, together with the attribute information corresponding to the second signature data, to the corresponding authentication server and/or signature verification node according to a second distribution strategy; each authentication server and/or signature verification node judges whether the fragmentation information that it receives is consistent with the corresponding second verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from authentication servers and/or signature verification nodes reaching the second preset safety threshold amount, the signature receiving node has proof that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
In an embodiment of the present invention, the network includes a quantum key distribution network; the shared key comprises a quantum key.
The invention also provides a decentralized digital authentication system, comprising: a signature sending node, a signature receiving node and a signature verification node; the signature sending node, the signature receiving node and the signature verification node form a network; a network node in the network that sends signature data serves as a signature sending node, a network node that receives the signature data serves as a signature receiving node, and correspondingly the network nodes other than the signature sending node and the signature receiving node serve as signature verification nodes for the signature sending node and the signature receiving node;
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also encrypts related information of the first original text data by using the corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to the corresponding signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each signature verification node;
each corresponding signature verification node decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption, together with the attribute information, to all corresponding signature verification nodes;
each corresponding signature verification node judges whether the related information of the first original text data that it receives is consistent with the corresponding first verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
In an embodiment of the present invention, the decentralized digital authentication system further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption, together with the attribute information corresponding to the second signature data, to all corresponding signature verification nodes; each corresponding signature verification node judges whether the related information of the second original text data that it receives is consistent with the corresponding second verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the second preset safety threshold amount, the signature receiving node has proof that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
In an embodiment of the present invention, the decentralized digital authentication system further includes: each signature verification node receives each verification data and the attribute information from a signature sending node, and records the corresponding verification information obtained by decrypting each verification data, together with the attribute information; each signature verification node records the related information and the attribute information of each original text data from the signature receiving node; and each time a signature verification node completes a comparison, matched by attribute information, of the related information of original text data against the corresponding verification information, it stores the related information of the original text data that was found consistent in association with the corresponding verification information.
The invention also provides a decentralized digital authentication system, which comprises: a signature sending node, a signature receiving node and an authentication server; the signature sending node, the signature receiving node and the authentication server form a network; the network node in the network that sends the signature data serves as a signature sending node, the network node that receives the signature data serves as a signature receiving node, and the authentication server serves as a network node that performs signature verification for the signature sending node and the signature receiving node;
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also encrypts related information of the first original text data by using the corresponding verification shared keys to form the respective first verification data, and sends the first verification data and the attribute information to the corresponding authentication servers; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each authentication server;
each authentication server decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption, together with the attribute information, to each authentication server;
each authentication server judges whether the related information of the first original text data that it receives is consistent with the corresponding first verification information that it has recorded, and if so feeds back that verification passed, otherwise feeds back that verification failed;
and after the signature receiving node receives verification-passed feedback from authentication servers reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
In an embodiment of the present invention, the decentralized digital authentication system further includes: the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, fragments related information of the first original text data by using a first fragmentation method to obtain fragmentation information, encrypts corresponding fragmentation information by using corresponding verification shared keys according to a first distribution strategy to form first verification data respectively, and sends the first verification data and the attribute information to corresponding authentication servers respectively; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each authentication server; each authentication server decrypts the received first verification data by using a verification shared key held by the authentication server, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node; the signature receiving node decrypts the first signature data by using the signature shared key, fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information to each authentication server according to the first distribution strategy; each authentication server respectively judges whether the fragment information received by the authentication server is consistent with the corresponding first verification 
information recorded by the authentication server; if so, it feeds back that verification passed, otherwise it feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from a number of authentication servers reaching the first preset security threshold, the signature receiving node establishes trusted communication with the signature sending node.
In an embodiment of the present invention, the decentralized digital authentication system further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to each authentication server; each authentication server respectively judges whether the related information of the second original text data received by the authentication server is consistent with the corresponding second verification information recorded by the authentication server; if so, it feeds back that verification passed, otherwise it feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from a number of authentication servers reaching a second preset security threshold, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot repudiate it.
In an embodiment of the present invention, the decentralized digital authentication system further includes: the signature receiving node decrypts the received second signature data by using the signature shared key, fragments the related information of the second original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each piece of fragmentation information and the attribute information corresponding to the second signature data to each authentication server according to a second distribution strategy; each authentication server respectively judges whether the fragmentation information received by the authentication server is consistent with the corresponding second verification information recorded by the authentication server; if so, it feeds back that verification passed, otherwise it feeds back that verification failed; and after the signature receiving node receives verification-passed feedback from a number of authentication servers reaching a second preset security threshold, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot repudiate it.
The invention also provides a decentralized digital authentication system, comprising: the system comprises a signature sending node, a signature receiving node, a signature verification node or/and an authentication server; the signature sending node, the signature receiving node, the signature verification node or/and the authentication server form a network; a network node which sends signature data in the network is used as a signature sending node, a network node which receives the signature data is used as a signature receiving node, and correspondingly, network nodes except the signature sending node and the signature receiving node in the network are used as signature verification nodes of the signature sending node and the signature receiving node; the signature verification node or/and the authentication server performs signature verification on the signature sending node and the signature receiving node; the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using a corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to a corresponding signature verification node or/and an authentication server; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each signature verification node or/and the authentication server; each corresponding signature verification node or/and authentication server decrypts the received first verification data by using a verification shared key held by the corresponding signature verification node or/and authentication 
server, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node; the signature receiving node decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verification nodes or/and authentication servers; the corresponding signature verification nodes or/and authentication servers respectively judge whether the related information of the first original text data that they received is consistent with the corresponding first verification information that they recorded; if so, they feed back that verification passed, otherwise they feed back that verification failed; and after the signature receiving node receives verification-passed feedback from a number of signature verification nodes or/and authentication servers reaching the first preset security threshold, it establishes trusted communication with the signature sending node.
As described above, the decentralized digital authentication method and system according to the present invention have the following advantages:
1) The invention does not need the participation of a CA center in the traditional sense; instead it uses the verification feedback of most nodes in the whole network to realize the authentication function, thereby solving the security problem that the whole identity authentication system faces when the CA center is attacked and is no longer trustworthy.
2) The method is implemented in combination with quantum keys, which solves the problem that traditional digital authentication schemes based on public-private key cryptosystems must keep increasing the length of the public-private key pair as computing power grows, and avoids the future security risks of public-private key cryptosystems.
3) The invention also improves the authentication mode, so that the network load and the quantum key consumption of the whole quantum key distribution network during high-frequency identity authentication and digital signature/signature verification can be greatly reduced, and the pressure on each quantum key distribution network node is reduced.
4) The invention can also ensure, by means of fragmentation, that no authentication server holds a complete Hash value, thereby enhancing the protection level of transaction data.
Drawings
Fig. 1 shows an exemplary structural diagram of a quantum key distribution network according to an embodiment of the present invention.
Fig. 2A is a schematic diagram illustrating a first exemplary authentication flow of the decentralized digital authentication method according to an embodiment of the present invention.
Fig. 2B is a schematic diagram illustrating a first exemplary signature verification process of the decentralized digital authentication method according to the embodiment of the present invention.
Fig. 3 shows another exemplary structural diagram of a quantum key distribution network according to an embodiment of the present invention.
Fig. 4A is a schematic diagram illustrating a second exemplary authentication flow of the decentralized digital authentication method according to the embodiment of the present invention.
Fig. 4B is a schematic diagram illustrating a second exemplary signature verification process of the decentralized digital authentication method according to the embodiment of the present invention.
Fig. 5A is a diagram illustrating a third exemplary authentication flow of the decentralized digital authentication method according to the embodiment of the present invention.
Fig. 5B is a schematic diagram illustrating a third exemplary signature verification process of the decentralized digital authentication method according to the embodiment of the present invention.
Fig. 6A is a schematic diagram illustrating a first exemplary structure of a decentralized digital authentication system according to an embodiment of the present invention.
Fig. 6B is a schematic diagram illustrating a second exemplary structure of the decentralized digital authentication system according to the embodiment of the present invention.
Description of the element reference numerals
600 decentralized digital authentication system
610 signature sending node
620 signature receiving node
630 signature verification node
640 authentication server
S201 to S205 steps
S211 to S213 steps
S401 to S405 steps
S411 to S413 steps
S501 to S505 steps
S511 to S513 steps
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the drawings only show the components related to the present invention rather than being drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of each component in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
Existing traditional digital authentication schemes have the following defects:
1) They rely on an authentication center (CA center) that is assumed to be absolutely secure and trustworthy; once the authentication center is attacked and is no longer trustworthy, or can no longer perform the authentication function, the whole authentication system malfunctions.
2) As the computing power of computers keeps increasing, traditional digital authentication schemes based on public-private key cryptosystems require ever longer public-private key pairs, which are ever more difficult to generate.
3) As quantum computer technology improves, the unbreakability of public-private key cryptosystems faces a fatal challenge.
4) Existing implementations of authentication technology are difficult to integrate with a quantum key distribution network.
To address these problems, the invention provides a decentralized digital authentication method and system which do not need an authoritative trusted center for verification; instead, some of the members of the network cooperatively undertake the verification work. This avoids the large impact on the whole verification network of the risk that a trusted center becomes untrustworthy, and solves the problem of an untrustworthy center.
The invention provides an application scene of a decentralized digital authentication method and a system, which comprises a network with at least 3 network nodes, wherein any two network nodes in the network can independently share a pair of secret keys, namely, any two network nodes in the network are provided with a unique pair of shared secret keys; the network node for sending the signature data in the network is used as a signature sending node, the network node for receiving the signature data is used as a signature receiving node, and all network nodes except the signature sending node and the signature receiving node in the network can be used as signature verification nodes of the signature sending node and the signature receiving node.
In the present invention, the network includes but is not limited to a quantum key distribution network, and the shared key includes but is not limited to a quantum key. The embodiments of the present invention are explained by taking a quantum key distribution network as an example, but the scope of protection of the present invention is not limited to the quantum key distribution network. The network node for sending the signature data in the quantum key distribution network is used as a signature sending node, the network node for receiving the signature data is used as a signature receiving node, and all network nodes except the signature sending node and the signature receiving node in the quantum key distribution network can be used as signature verification nodes of the signature sending node and the signature receiving node.
Referring to fig. 1, the quantum key distribution network includes a network node a, a network node B, a network node C, a network node D, a network node E, and a network node F; any network node can be used as a signature sending node, any network node can also be used as a signature receiving node, and any network node can also be used as a signature verification node, namely: each network node can share 3 roles of a signature sending node, a signature receiving node and a signature verifying node. The signature verification node may be all network nodes or part of network nodes except the signature sending node and the signature receiving node in the quantum key distribution network, and the role that each node in the quantum key distribution network may play may be defined in a preset manner. Any two network nodes in the quantum key distribution network can be provided with a unique pair of shared quantum keys. The network node A and the network node B share a quantum key Key (AB), the network node A and the network node C share a quantum key Key (AC), the network node A and the network node D share a quantum key Key (AD), the network node A and the network node E share a quantum key Key (AE), the network node A and the network node F share a quantum key Key (AF), the network node B and the network node C share a quantum key Key (BC), the network node B and the network node D share a quantum key Key (BD), the network node B and the network node E share a quantum key Key (BE), the network node B and the network node F share a quantum key Key (BF), the network node C and the network node D share a quantum key Key (CD), the network node C and the network node E share a quantum key Key (CE), and the network node C and the network node F share a quantum key Key (CF), the network node D and the network node E share a quantum key Key (DE), the network node D and the network node F share a quantum key Key (DF), and the network node E and the network node F share a 
quantum key Key (EF). For example: when the network node a is used as a signature sending node and the network node D is used as a signature receiving node, the network node B, the network node C, the network node E and the network node F can be used as signature verification nodes of the network node a and the network node D. When the network node B is used as a signature sending node and the network node C is used as a signature receiving node, the network node a, the network node D, the network node E and the network node F can be used as signature verification nodes of the network node B and the network node C.
Referring to fig. 2A, an embodiment of the present invention provides a first exemplary authentication process of the decentralized digital authentication method, where the authentication process describes how a signature receiving node performs identity authentication on a signature sending node, and determines whether an identity of the signature sending node is trusted, and specifically includes:
S201, the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using a corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to the corresponding signature verification nodes. The signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key shared separately between the signature sending node and each signature verification node.
The related information of the first original text data may be a hash value of the first original text data, or a related value obtained by calculating the first original text data by any other algorithm. The attribute information corresponding to the first signature data comprises timestamp information for sending the first signature data, information of the signature sending node that sends the first signature data, and information of the signature receiving node that receives the first signature data. When there are a plurality of signature verification nodes, the signature sending node has a plurality of verification shared keys, and likewise a plurality of first verification data are obtained after encryption with the plurality of verification shared keys.
For example: in the quantum key distribution network shown in fig. 1, the network node A encrypts first original text data Data1 with the quantum key Key (AD) shared between the network nodes A and D to generate first signature data, and sends the first signature data to the network node D together with the corresponding attribute information (including at least timestamp information for sending the first signature data, information of the signature sending node that sends the first signature data, and information of the signature receiving node that receives the first signature data). The network node A also uses the quantum keys it shares with each of the other network nodes of the whole network, that is, Key (AB), Key (AC), Key (AE) and Key (AF), to respectively encrypt the Hash value of Data1 (which can be obtained by performing a Hash operation on Data1), obtaining the first verification data y (ab), y (ac), y (ae) and y (af), and then sends y (ab), y (ac), y (ae) and y (af), each together with the attribute information (including at least timestamp information for sending the first signature data, information of the signature sending node that sends the first signature data, and information of the signature receiving node that receives the first signature data), to the network node B, the network node C, the network node E and the network node F respectively.
Wherein the timestamp information comprises: a specific time at which the first signature data is transmitted; the information of the signature sending node comprises: the IP address of the signature sending node, the unique number of the signature sending node, the Hash value of the unique number of the signature sending node and the like; the information of the signature receiving node comprises: the IP address of the signature receiving node, the unique number of the signature receiving node, the Hash value of the unique number of the signature receiving node, and the like.
S202, each corresponding signature verification node decrypts the received first verification data by using a verification shared key held by the corresponding signature verification node, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node.
For example: after receiving the first verification data, each signature verification node (such as the network node B, the network node C, the network node E and the network node F, respectively) decrypts the first verification data with its own quantum key (such as Key (AB), Key (AC), Key (AE), Key (AF)), records the decrypted first verification information yx (ab), yx (ac), yx (ae) and yx (af) and the attribute information into its own database, and then sends a feedback to the network node A to indicate that the information is confirmed.
S203, the signature receiving node decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verification nodes.
For example: after receiving the ciphertext data (i.e., the first signature data) and the corresponding attribute information from the network node A, the network node D decrypts the first signature data by using Key (AD) as a verification means to obtain the first original text data Data1, and simultaneously broadcasts the Hash value of Data1 and the attribute information to all signature verification nodes (such as the network node B, the network node C, the network node E and the network node F, respectively) in the whole network.
S204, each corresponding signature verification node judges whether the related information of the first original text data that it received is consistent with the corresponding first verification information that it recorded; if so, it feeds back that verification passed, otherwise it feeds back that verification failed.
Each signature verification node receives each first verification data and the attribute information from the signature sending node, and records the corresponding first verification information obtained by decrypting the first verification data together with the attribute information; each signature verification node also records the related information of each first original text data and the attribute information received from the signature receiving node. Each time a signature verification node completes, according to the attribute information, a match between the related information of the first original text data and the corresponding first verification information, it stores the related information of the first original text data in association with the first verification information with which it matched. Specifically, after a signature verification node has received the verification request information broadcast by a signature sending node and signature receiving node pair and confirmed its content, the two verification requests can be combined into one complete operation, and a block is formally formed and appended to the chain stored by that signature verification node for permanent storage.
For example: each signature verification node (such as the network node B, the network node C, the network node E and the network node F, respectively) verifies the content sent by the network node D. If the content that a signature verification node receives from the network node D is consistent with the corresponding content recorded in that signature verification node's database, the verification passes; otherwise the verification fails. The content passing the verification is also recorded into a database of the network node D, and a verification-passed feedback is sent to the network node D to indicate that the information is confirmed; if the verification fails, the information may or may not be recorded in the node's own database, and a verification-failed feedback is sent to the network node D, which also indicates that the information is confirmed.
S205, after the signature receiving node receives verification-passed feedback from a number of signature verification nodes reaching the first preset security threshold, it establishes trusted communication with the signature sending node. The first preset security threshold may be set according to the node scale of the entire quantum key distribution network, or according to the total number of nodes serving as signature verification nodes. Even if one or several of the signature verification nodes are untrustworthy, the correctness of the verification results of the other signature verification nodes is not affected, so decentralized verification is truly realized.
For example: after receiving verification-passed confirmation from a number of nodes reaching the network-wide security threshold (for example, 50% of the total number of nodes; the security threshold can be set according to the node scale), the network node D can confirm that the identity of the network node A is trusted, and starts to establish trusted communication with the network node A by using Key (AD).
The decentralized digital authentication method avoids the large impact on the whole verification network of the risk that a trusted center becomes untrustworthy, and solves the problem of an untrustworthy trusted center. Likewise, it can also solve the problem of repudiation by the signature sending node. For example: if the network node A, after sending Data2, denies having sent it, the network node D only needs to request a query of the operation in which the network node A sent Data2; when signature verification nodes exceeding the security threshold feed back confirmation, this shows that the operation of the network node A sending Data2 did occur and cannot be repudiated, as described in detail in the following example.
Further, referring to fig. 2B, an embodiment of the present invention provides a first exemplary signature verification process of the decentralized digital authentication method, where the signature verification process describes how a signature receiving node responds when a signature sending node repudiates data that it sent, by determining whether the signature sending node did send that data, and specifically includes:
S211, the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to all corresponding signature verification nodes.
For example: after receiving the ciphertext data (i.e., the second signature data) from the network node A, the network node D decrypts the ciphertext data by using Key (AD) as a verification means, and simultaneously broadcasts the Hash value of the decrypted second original text data Data2 together with the attribute information corresponding to the second signature data (including at least timestamp information for sending the second signature data, information of the signature sending node that sends the second signature data, and information of the signature receiving node that receives the second signature data) to all signature verification nodes (such as the network node B, the network node C, the network node E and the network node F, respectively) in the whole network. Before that, the network node A encrypted Data2 by using the quantum key Key (AD) between A and D and sent it to the network node D, and simultaneously used the quantum keys between it and each of the other nodes of the whole network to respectively encrypt the Hash value of Data2 (which can be obtained by performing a Hash operation on Data2) to form second verification data, and then sent the second verification data and the attribute information (including at least timestamp information for sending the second signature data, information of the signature sending node that sends the second signature data, and information of the signature receiving node that receives the second signature data) to each signature verification node, namely the network node B, the network node C, the network node E and the network node F.
After receiving the second verification data, each signature verification node (such as the network node B, the network node C, the network node E and the network node F, respectively) decrypted the second verification data with its own quantum key (such as Key (AB), Key (AC), Key (AE), Key (AF)), recorded the decrypted Hash value and the attribute information (including at least timestamp information for sending the second signature data, information of the signature sending node that sends the second signature data, and information of the signature receiving node that receives the second signature data) into its database, and then sent a feedback to the network node A to indicate that the information is confirmed. The information of the signature sending node comprises: the IP address of the signature sending node, the unique number of the signature sending node or/and the Hash value of the unique number of the signature sending node; the information of the signature receiving node comprises: the IP address of the signature receiving node, the unique number of the signature receiving node, or/and the Hash value of the unique number of the signature receiving node.
S212, each corresponding signature verification node judges whether the related information of the second original text data that it received is consistent with the corresponding second verification information that it recorded; if so, it feeds back that verification passed, otherwise it feeds back that verification failed.
For example: each signature verification node (such as the network node B, the network node C, the network node E and the network node F, respectively) verifies the content sent by the network node D. If the content that a signature verification node receives from the network node D is consistent with the corresponding content recorded in that signature verification node's database, the verification passes; otherwise the verification fails. The content passing the verification is also recorded into a database of the network node D, and a verification-passed feedback is sent to the network node D to indicate that the information is confirmed; if the verification fails, the information may or may not be recorded in the node's own database, and a verification-failed feedback is sent to the network node D, which also indicates that the information is confirmed.
S213, after the signature receiving node receives verification-passed feedback from a number of signature verification nodes reaching the second preset security threshold, it can be proven that the second signature data was sent by the signature sending node, and the signature sending node cannot repudiate the second signature data.
For example: after the network node D receives verification-passed confirmation from a number of signature verification nodes reaching the network-wide security threshold (for example, 50% of the total number of nodes; the security threshold may be set according to the node scale, and the second preset security threshold may be set to be less than or equal to the first preset security threshold according to the actual network node condition), it can be proven that the second signature data was sent by the network node A, and the network node A cannot repudiate the second signature data.
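The exchange in steps S201 to S205 and S211 to S213 can be simulated end to end; the following is an added example, not code from the patent. It assumes SHA-256 as the Hash, an XOR one-time pad drawn from a per-pair random pool as a stand-in for encryption with the shared quantum key, a threshold expressed as a fraction of the verification nodes, and hypothetical names (`KeyedNetwork`, `Verifier`, `send`, `poll`, `receive`).

```python
import hashlib
import secrets
from itertools import combinations


def xor(pad: bytes, data: bytes) -> bytes:
    return bytes(p ^ d for p, d in zip(pad, data))


class KeyedNetwork:
    """Each pair of nodes shares its own key pool, standing in for Key (AB), Key (AC), ..."""

    def __init__(self, names, pool_size=4096):
        self.pools = {frozenset(pair): secrets.token_bytes(pool_size)
                      for pair in combinations(names, 2)}
        self.used = dict.fromkeys(self.pools, 0)

    def encrypt(self, a, b, data):
        pair = frozenset((a, b))
        start, end = self.used[pair], self.used[pair] + len(data)
        if end > len(self.pools[pair]):
            raise RuntimeError("shared key material exhausted")
        self.used[pair] = end  # pad bytes are consumed, never reused
        return start, xor(self.pools[pair][start:end], data)

    def decrypt(self, a, b, start, ciphertext):
        pad = self.pools[frozenset((a, b))][start:start + len(ciphertext)]
        return xor(pad, ciphertext)


class Verifier:
    """Signature verification node; honest=False models an untrusted node
    that always reports the opposite of what its records say (assumption)."""

    def __init__(self, name, honest=True):
        self.name, self.honest = name, honest
        self.records = {}  # attribute information -> recorded verification information

    def record(self, net, sender, start, ciphertext, attrs):  # S202
        self.records[attrs] = net.decrypt(sender, self.name, start, ciphertext)
        return True  # verification confirmation fed back to the sender

    def check(self, digest, attrs):  # S204 / S212
        consistent = self.records.get(attrs) == digest
        return consistent if self.honest else not consistent


def send(net, verifiers, sender, receiver, data, timestamp):  # S201
    attrs = (timestamp, sender, receiver)  # attribute information
    signature = net.encrypt(sender, receiver, data)  # first signature data
    digest = hashlib.sha256(data).digest()  # related information of the data
    for v in verifiers:
        start, ciphertext = net.encrypt(sender, v.name, digest)
        v.record(net, sender, start, ciphertext, attrs)
    return signature, attrs


def poll(verifiers, data, attrs, threshold=0.5):  # S203-S205 and S211-S213
    """Broadcast the hash and attributes; count passes against the threshold."""
    digest = hashlib.sha256(data).digest()
    passes = sum(v.check(digest, attrs) for v in verifiers)
    return passes, passes >= threshold * len(verifiers)


def receive(net, verifiers, receiver, signature, attrs, threshold=0.5):
    _, sender, _ = attrs
    data = net.decrypt(sender, receiver, *signature)
    passes, trusted = poll(verifiers, data, attrs, threshold)
    return data, passes, trusted


def demo():
    # Constructed scenario: A sends to D; B, C, E, F verify; F is untrusted.
    net = KeyedNetwork("ABCDEF")
    verifiers = [Verifier(n, honest=(n != "F")) for n in "BCEF"]
    signature, attrs = send(net, verifiers, "A", "D",
                            b"Data1: constructed sample payload",
                            "2019-12-31T00:00:00Z")  # constructed timestamp
    genuine = receive(net, verifiers, "D", signature, attrs)
    start, ct = signature
    altered = (start, bytes([ct[0] ^ 1]) + ct[1:])  # one bit changed in transit
    tampered = receive(net, verifiers, "D", altered, attrs)
    return genuine, tampered


if __name__ == "__main__":
    for label, (_, passes, trusted) in zip(("genuine", "tampered"), demo()):
        print(label, passes, "of 4 passed ->", "trusted" if trusted else "rejected")
```

With this stand-in cipher any ciphertext decrypts without error, so the altered message is rejected only because the honest verification nodes find that its hash differs from what they recorded in S202. Calling `poll` again later with the same data and attribute information is the S211 to S213 query that answers a repudiation claim.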
Further, the decentralized digital authentication method further comprises a network node expansion method of the quantum key distribution network, and the method comprises the following steps:
1) providing a security guarantee for the newly added network node by means of a trusted entity mechanism; or having the original network nodes in the quantum key distribution network jointly provide a security guarantee for the newly added network node based on an invitation mechanism;
2) presetting, by the management center of the quantum key distribution network, shared quantum keys with all original network nodes in the quantum key distribution network for the newly added network node that has a security guarantee.
A newly joining node (i.e., a new network node) does not in fact have the capability of sharing quantum keys with any node in the quantum key distribution network, because it has not yet generated keys with other adjacent nodes. In this case, if the identity of the newly joining node needs to be verified, a federation mode can be adopted: this management measure ensures that each node of the quantum key distribution network comes from a trusted entity authority, and the entity authority provides security for the nodes of the quantum key distribution network. That is, before each newly joining node is connected to the quantum key distribution network, the holder and device information of the node must be strictly checked to ensure that the node is held and managed by a trusted authority; the key and account management center of the quantum key distribution network already in operation then only needs to preset shared keys between this node and other adjacent nodes (or all other nodes) for the newly joining node to access the network normally.
In addition, if the identity of the node needs to be verified, an inviter mechanism can be introduced; that is, the network access authentication process is performed jointly with network nodes already in the network. A new node needs to obtain the shared keys of a sufficient number of original network nodes (a corresponding security threshold can be set according to the network scale); the newly joining node is authenticated jointly by those network nodes, after which it can formally access the network and begin key generation.
The embodiment of the invention also provides another application scenario, which comprises a quantum key distribution network of at least 2 network nodes (namely a signature sending node and a signature receiving node) and at least 1 authentication server, wherein each authentication server and all network nodes in the network respectively and independently share a pair of quantum keys; the network nodes for sending the signature data in the quantum key distribution network are used as signature sending nodes, the network nodes for receiving the signature data are used as signature receiving nodes, and all the authentication servers perform signature authentication for all the signature sending nodes and the signature receiving nodes in the network.
Referring to fig. 3, the network nodes of the quantum key distribution network include network node A, network node D, network node X and network node Y; the authentication servers of the quantum key distribution network include authentication server 1, authentication server 2, ..., authentication server n, where n takes the values 1, 2, 3, 4, 5, ..., N and is a positive integer. Any network node can be used as a signature sending node, and any network node can also be used as a signature receiving node. Each network node in the quantum key distribution network has a unique pair of shared quantum keys with every authentication server. For example: network node A and authentication server 1 share the quantum key Key(1-A), network node A and authentication server 2 share the quantum key Key(2-A), ..., and network node A and authentication server n share the quantum key Key(n-A); network node D and authentication server 1 share the quantum key Key(1-D), network node D and authentication server 2 share the quantum key Key(2-D), ..., and network node D and authentication server n share the quantum key Key(n-D); network node X and authentication server 1 share the quantum key Key(1-X), network node X and authentication server 2 share the quantum key Key(2-X), ..., and network node X and authentication server n share the quantum key Key(n-X); network node Y and authentication server 1 share the quantum key Key(1-Y), network node Y and authentication server 2 share the quantum key Key(2-Y), ..., and network node Y and authentication server n share the quantum key Key(n-Y).
Referring to fig. 4A, a second exemplary authentication process of the decentralized digital authentication method is provided in the embodiment of the present invention, where the process describes how a signature receiving node performs identity authentication on a signature sending node, and determines whether an identity of the signature sending node is trusted, and specifically includes:
S401, the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also encrypts related information of the first original text data by using each verification shared key to form the respective first verification data, and sends each first verification data and the attribute information to the corresponding authentication server. The signature shared key is a quantum key shared by the signature sending node and the signature receiving node; the verification shared key is a quantum key which is independently shared by the signature sending node and each authentication server.
The related information of the first original text data may be a hash value of the first original text data, or a related value obtained by calculating the first original text data by any other algorithm. The attribute information corresponding to the first signature data comprises timestamp information of the signature sending node sending the first signature data, and information of a signature receiving node receiving the first signature data. When the number of the authentication servers is multiple, the signature sending node has multiple verification shared keys, and by analogy, multiple first verification data can be obtained after the multiple verification shared keys are encrypted.
For example: in the quantum key distribution network shown in fig. 3, network node A encrypts Data1 with the quantum key Key(AD) shared between network nodes A and D and sends the encrypted data to network node D. At the same time, network node A uses the quantum keys it shares with each authentication server in the whole network, namely Key(1-A), Key(2-A), ..., Key(n-A), to encrypt the Hash value of Data1 respectively, and then sends the results, together with the attribute information (including at least the timestamp information of sending the first signature data, the information of the signature sending node of the first signature data, and the information of the signature receiving node of the first signature data), to authentication server 1, authentication server 2, ..., authentication server n.
Wherein the time stamp information includes: a specific time at which the first signature data is transmitted; the information of the signature sending node comprises: the IP address of the signature sending node, the unique number of the signature sending node, the Hash value of the unique number of the signature sending node and the like; the information of the signature receiving node comprises: the IP address of the signature receiving node, the unique number of the signature receiving node, the Hash value of the unique number of the signature receiving node, and the like.
S402, each authentication server decrypts the received first verification data by using a verification shared key held by the authentication server, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node.
For example: after receiving the first verification data, each authentication server (authentication server 1, authentication server 2, ..., authentication server n) decrypts the first verification data with the same quantum key (Key(1-A), Key(2-A), ..., Key(n-A), respectively) as a means of verification, records the decrypted Hash value and the attribute information in its own database, and then sends feedback to network node A to indicate that the information is confirmed.
S403, the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption, together with the attribute information, to each authentication server.
For example: after receiving the ciphertext data (i.e., the first signature data) from network node A, network node D decrypts it with Key(AD) as a means of verification, and broadcasts the Hash value of Data1 obtained after decryption, together with the attribute information, to all authentication servers in the whole network (authentication server 1, authentication server 2, ..., authentication server n).
S404, each authentication server judges whether the related information of the first original text data it has received is consistent with the corresponding first verification information it has recorded; if so, it feeds back that the verification passed, and otherwise it feeds back that the verification failed.
Each authentication server receives each verification data and the attribute information from a signature sending node, and records the corresponding verification information obtained by decrypting each verification data together with the attribute information; each authentication server also records the related information and the attribute information of each original text data from the signature receiving node. Each time the authentication servers finish matching the related information of the original text data against the corresponding verification information according to the attribute information, the related information of the original text data that matches and is consistent with the corresponding verification information is stored in association with it. Specifically, after receiving the verification request information broadcast by a pair of signature sending node and signature receiving node and confirming the content, each authentication server can combine the two verification requests into one complete operation, formally form a block, and append the block to the chain stored by the authentication server for permanent storage.
For example: each authentication server (authentication server 1, authentication server 2, ..., authentication server n) verifies the content sent by network node D. If the content an authentication server receives from network node D is consistent with the corresponding content recorded in its own database, the verification passes; otherwise the verification fails. Content that passes verification is also recorded into a database of the network node D, and feedback that the verification passed is sent to network node D to indicate that the information is confirmed. If the verification fails, the information may either be recorded in the server's own database or not recorded, and feedback of the verification failure is sent to network node D, which also indicates that the information is confirmed.
S405, after the signature receiving node receives verification-passed feedback from a number of authentication servers reaching the first preset security threshold, the signature receiving node establishes trusted communication with the signature sending node. The first preset security threshold may be set according to the number of authentication servers in the whole quantum key distribution network. Even if one or several of the authentication servers are not trustworthy, the correctness of the verification results of the other authentication servers is not affected, so that decentralized verification is truly achieved.
For example: after receiving confirmation fed back by authentication servers reaching the security threshold (which can be set according to the number of authentication servers and can be set to 100% at most), network node D can confirm that the identity of network node A is trusted, and starts to establish trusted communication with network node A by using Key(AD).
The decentralized digital authentication method avoids the severe impact on the whole verification network that an untrustworthy trusted center would cause, and thus solves the problem of the trusted center being untrustworthy. Likewise, it can also solve the problem of repudiation by the signature sending node. For example: if network node A, after sending Data2, denies having sent it, network node D only needs to request a query of the operation in which network node A sent Data2; if authentication servers exceeding the security threshold feed back confirmation, this indicates that the operation of network node A sending Data2 did indeed occur and cannot be repudiated, as described in the following example.
Further, referring to fig. 4B, an embodiment of the present invention provides a second exemplary signature verification process of the decentralized digital authentication method. The process describes how a signature receiving node responds when a signature sending node repudiates sent data, by determining whether the signature sending node has sent certain data, and specifically includes:
S411, the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption, together with the attribute information corresponding to the second signature data, to each authentication server.
For example: after receiving the ciphertext data (i.e., the second signature data) from network node A, network node D decrypts it with Key(AD) as a means of verification, and broadcasts the Hash value of Data2 obtained after decryption, together with the attribute information corresponding to the second signature data, to all authentication servers in the whole network (authentication server 1, authentication server 2, ..., authentication server n). Before that, network node A encrypts Data2 with the quantum key Key(AD) shared between A and D and sends the encrypted data to network node D; at the same time it uses the quantum keys it shares with all authentication servers, namely Key(1-A), Key(2-A), ..., Key(n-A), to encrypt the Hash value of Data2 respectively (the Hash value can be obtained by performing a Hash operation on Data2), and then sends the results, together with the attribute information corresponding to the second signature data (at least including timestamp information for sending the second signature data, information of the signature sending node sending the second signature data, and information of the signature receiving node receiving the second signature data), to each authentication server (authentication server 1, authentication server 2, ..., authentication server n).
After receiving the second verification data, each authentication server (authentication server 1, authentication server 2, ..., authentication server n) decrypts the second verification data with its own quantum key (Key(1-A), Key(2-A), ..., Key(n-A), respectively) as a means of verification, records the decrypted Hash value and the attribute information (including at least timestamp information for sending the second signature data, information of the signature sending node sending the second signature data, and information of the signature receiving node receiving the second signature data) in its database, and then sends feedback to network node A to indicate that the information is confirmed. The information of the signature sending node comprises: the IP address of the signature sending node, the unique number of the signature sending node, or/and the Hash value of the unique number of the signature sending node. The information of the signature receiving node comprises: the IP address of the signature receiving node, the unique number of the signature receiving node, or/and the Hash value of the unique number of the signature receiving node.
S412, each authentication server judges whether the related information of the second original text data it has received is consistent with the corresponding second verification information it has recorded; if so, it feeds back that the verification passed, and otherwise it feeds back that the verification failed.
For example: each authentication server (authentication server 1, authentication server 2, ..., authentication server n) verifies the content sent by network node D. If the content an authentication server receives from network node D is consistent with the corresponding content recorded in its own database, the verification passes; otherwise the verification fails. Content that passes verification is also recorded into a database of the network node D, and feedback that the verification passed is sent to network node D to indicate that the information is confirmed. If the verification fails, the information may either be recorded in the server's own database or not recorded, and feedback of the verification failure is sent to network node D, which also indicates that the information is confirmed.
S413, after the signature receiving node receives verification-passed feedback from a number of authentication servers reaching the second preset security threshold, it can be proved that the second signature data was sent by the signature sending node, and the signature sending node cannot repudiate the second signature data.
For example: after network node D receives verification-passed confirmation fed back by authentication servers (authentication server 1, authentication server 2, ..., authentication server n) reaching the full-network security threshold (such as 70% of the total number of authentication servers; the security threshold can be set according to the number of authentication servers, and the second preset security threshold can be set to be less than or equal to the first preset security threshold according to the actual conditions of the authentication servers), it can be proved that the second signature data was sent by network node A and cannot be repudiated by network node A.
Further, the decentralized digital authentication method further comprises a network node expansion method of the quantum key distribution network, and the method comprises the following steps:
1) providing a security guarantee for the newly added network node by means of a trusted entity mechanism; or having an authentication server in the quantum key distribution network or/and the original network nodes jointly provide a security guarantee for the newly added network node based on an invitation mechanism;
2) presetting, by the management center of the quantum key distribution network, shared quantum keys with all original network nodes in the quantum key distribution network for the newly added network node that has a security guarantee.
It should be noted that, when there are both a signature verification node and an authentication server in the network, those skilled in the art will easily understand that the decentralized digital authentication method may be performed by only the signature verification node or only the authentication server, or may be performed by both of them, and the present invention is not limited to this.
Referring to fig. 5A, an embodiment of the present invention provides a third exemplary authentication process of the decentralized digital authentication method, where the process describes how a signature receiving node performs identity authentication on a signature sending node, and determines whether an identity of the signature sending node is trusted, and specifically includes:
S501, the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node; it also fragments the related information of the first original text data by using a first fragmentation method to obtain the fragment information, encrypts the corresponding fragment information with the corresponding verification shared key according to a first distribution strategy to form the respective first verification data, and sends each first verification data and the attribute information to the corresponding authentication server or/and signature verification node. The signature shared key is a quantum key shared by the signature sending node and the signature receiving node; the verification shared key is a quantum key which is independently shared by the signature sending node and each authentication server or/and signature verification node.
For example: the signature sending node fragments the relevant information of the first original text data by using a first fragmentation method to obtain fragmentation information 1, fragmentation information 2, fragmentation information 3 and fragmentation information 4; the signature sending node sends the encrypted fragment information 1 and the attribute information to the authentication server 1 according to the distribution strategy A, sends the encrypted fragment information 2 and the attribute information to the authentication server 2, sends the encrypted fragment information 3 and the attribute information to the authentication server 3, and sends the encrypted fragment information 4 and the attribute information to the authentication server 4.
Or the signature sending node sends the encrypted fragment information 1 and the attribute information to the authentication server 2 according to the distribution strategy B, sends the encrypted fragment information 2 and the attribute information to the authentication server 3, sends the encrypted fragment information 3 and the attribute information to the authentication server 4, and sends the encrypted fragment information 4 and the attribute information to the authentication server 1.
Or the signature sending node sends the encrypted fragmentation information 1 and 2 and the attribute information to the authentication server 1 according to the distribution strategy C, sends the encrypted fragmentation information 2 and 3 and the attribute information to the authentication server 2, sends the encrypted fragmentation information 3 and 4 and the attribute information to the authentication server 3, and sends the encrypted fragmentation information 4 and 1 and the attribute information to the authentication server 4.
The distribution strategy for distributing each piece of fragment information to each authentication server or/and signature verification node can be preset as required, and the protection scope of the invention is not limited to the algorithm or the content of any specific distribution strategy.
S502, each authentication server and/or signature verification node decrypts the received first verification data using the verification shared key held by itself, records the first verification information (i.e., the fragment information) and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node.
S503, the signature receiving node decrypts the first signature data by using the signature shared key, fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information to each authentication server or/and the signature verification node according to the first distribution strategy.
S504, each authentication server or/and signature verification node judges whether the fragment information it has received is consistent with the corresponding first verification information it has recorded; if so, it feeds back that the verification passed, and otherwise it feeds back that the verification failed.
S505, after the signature receiving node receives verification-passed feedback from a number of authentication servers or/and signature verification nodes reaching the first preset security threshold, it establishes trusted communication with the signature sending node.
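The flow of S401 to S405 and its fragmented variant S501 to S505 can be traced in the following Python simulation, which is an added example and not part of the patent. It assumes a one-time-pad XOR as the encryption under each shared key, SHA-256 as the "related information", equal slicing as the first fragmentation method, and four authentication servers; all function names, class names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

def otp(key: bytes, data: bytes) -> bytes:
    """XOR one-time pad: assumed stand-in for encryption under a shared quantum key."""
    if len(key) < len(data):
        raise ValueError("key material shorter than message")
    return bytes(k ^ d for k, d in zip(key, data))

def fragment(digest: bytes, n: int = 4) -> list:
    """Assumed 'first fragmentation method': cut the hash into n equal slices."""
    size = len(digest) // n
    return [digest[i * size:(i + 1) * size] for i in range(n)]

# Distribution strategies: authentication server index -> fragment indices (0-based).
STRATEGY_FULL = {i: [0, 1, 2, 3] for i in range(4)}  # S401: whole hash to every server
STRATEGY_A = {0: [0], 1: [1], 2: [2], 3: [3]}
STRATEGY_B = {1: [0], 2: [1], 3: [2], 0: [3]}
STRATEGY_C = {0: [0, 1], 1: [1, 2], 2: [2, 3], 3: [3, 0]}

class AuthServer:
    """One authentication server; forced_reply models an untrustworthy server."""
    def __init__(self, forced_reply=None):
        self.forced_reply = forced_reply
        self.records = {}  # attribute info -> decrypted verification information

    def record(self, key, verification_data, attrs):
        # S402/S502: decrypt with the verification shared key, record, confirm.
        self.records[attrs] = otp(key, verification_data)
        return True

    def verify(self, claimed, attrs):
        # S404/S504: compare the receiver's value with the record for these attributes.
        if self.forced_reply is not None:
            return self.forced_reply
        return hmac.compare_digest(self.records.get(attrs, b""), claimed)

def payload_for(data, idxs):
    """Hash the original text and join the fragments assigned to one server."""
    frags = fragment(hashlib.sha256(data).digest())
    return b"".join(frags[j] for j in idxs)

def sender_submit(data, key_ad, server_keys, servers, strategy, attrs):
    # S401/S501: send verification data to each server, signature data to the receiver.
    for i, idxs in strategy.items():
        verification_data = otp(server_keys[i], payload_for(data, idxs))
        servers[i].record(server_keys[i], verification_data, attrs)
    return otp(key_ad, data)

def receiver_check(signature_data, key_ad, servers, strategy, attrs, threshold):
    # S403-S405 / S503-S505: decrypt, re-derive each payload, count passes.
    data = otp(key_ad, signature_data)
    passes = sum(servers[i].verify(payload_for(data, idxs), attrs)
                 for i, idxs in strategy.items())
    return passes >= threshold * len(servers), passes

def run(strategy, tamper=False, forced=None, threshold=0.75, query_attrs=None):
    """Constructed scenario: node A sends Data1 to node D, four authentication servers."""
    data = b"Data1: constructed sample payload"
    attrs = ("2020-01-01T00:00:00Z", "node-A", "node-D")  # constructed attribute info
    key_ad = secrets.token_bytes(len(data))               # Key(AD), used once
    server_keys = [secrets.token_bytes(32) for _ in range(4)]  # Key(1-A)..Key(4-A)
    servers = [AuthServer((forced or {}).get(i)) for i in range(4)]
    sig = sender_submit(data, key_ad, server_keys, servers, strategy, attrs)
    if tamper:  # one bit flipped in transit changes the decrypted text and its hash
        sig = bytes([sig[0] ^ 1]) + sig[1:]
    return receiver_check(sig, key_ad, servers, strategy,
                          query_attrs or attrs, threshold)

if __name__ == "__main__":
    print("whole hash, all honest:      ", run(STRATEGY_FULL))
    print("strategy C, one server fails:", run(STRATEGY_C, forced={2: False}))
    print("strategy B, tampered, one server lies:",
          run(STRATEGY_B, tamper=True, forced={0: True}))
```
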
Further, referring to fig. 5B, an embodiment of the present invention provides a third exemplary signature verification process of the decentralized digital authentication method. The process describes how a signature receiving node responds when a signature sending node repudiates sent data, by determining whether the signature sending node has sent certain data, and specifically includes:
S511, the signature receiving node decrypts the received second signature data by using the signature shared key, fragments the related information of the second original text data obtained after decryption by using the first fragmentation method to obtain all the fragment information, and sends each piece of fragment information, together with the attribute information corresponding to the second signature data, to the corresponding authentication server or/and signature verification node according to a second distribution strategy; the second distribution strategy may be the same as or different from the first distribution strategy.
S512, each authentication server or/and signature verification node judges whether the fragment information it has received is consistent with the corresponding second verification information it has recorded; if so, it feeds back that the verification passed, and otherwise it feeds back that the verification failed.
S513, after the signature receiving node receives verification-passed feedback from a number of authentication servers or/and signature verification nodes reaching the second preset security threshold, it can be proved that the second signature data was sent by the signature sending node, and the signature sending node cannot repudiate the second signature data.
The protection scope of the decentralized digital authentication method according to the present invention is not limited to the execution sequence of the steps listed in this embodiment, and all the solutions implemented by adding, subtracting, and replacing steps according to the principles of the present invention are included in the protection scope of the present invention.
The present invention also provides a decentralized digital authentication system, which can implement the decentralized digital authentication method of the present invention, but the implementation apparatus of the decentralized digital authentication method of the present invention includes, but is not limited to, the structure of the decentralized digital authentication system as illustrated in this embodiment, and all structural modifications and substitutions in the prior art made according to the principle of the present invention are included in the protection scope of the present invention.
In the present invention, the network includes but is not limited to a quantum key distribution network, and the shared key includes but is not limited to a quantum key. The embodiments of the present invention are explained by taking a quantum key distribution network as an example, but the scope of protection of the present invention is not limited to the quantum key distribution network.
Referring to fig. 6A, an exemplary structure of the decentralized digital authentication system 600 comprises: a signature sending node 610, a signature receiving node 620 and a signature verification node 630. The signature sending node 610, the signature receiving node 620 and the signature verifying node 630 form a quantum key distribution network; correspondingly, all network nodes except the signature sending node 610 and the signature receiving node 620 in the quantum key distribution network may be signature verification nodes 630 of the signature sending node 610 and the signature receiving node 620.
The signature sending node 610 encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node 620, encrypts related information of the first original text data by using a corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to the corresponding signature verification node 630; the signature shared key is a quantum key shared by the signature sending node 610 and the signature receiving node 620; the verification shared key is a quantum key that the signature sending node 610 shares with each of the signature verification nodes 630 separately. Each of the corresponding signature verification nodes 630 decrypts the received first verification data using the verification shared key held by itself, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node 610. The signature receiving node 620 decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verifying nodes 630. The corresponding signature verification nodes 630 respectively determine whether the information related to the first original text data received by the corresponding signature verification nodes is consistent with the corresponding first verification information recorded by the corresponding signature verification nodes, if so, the feedback verification is passed, otherwise, the feedback verification fails. 
After the signature receiving node 620 receives verification-passed feedback from a number of signature verification nodes 630 reaching the first preset security threshold, it establishes trusted communication with the signature sending node 610.
Further, the signature receiving node 620 decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption, together with the attribute information corresponding to the second signature data, to all corresponding signature verification nodes 630. Each corresponding signature verification node 630 judges whether the related information of the second original text data it has received is consistent with the corresponding second verification information it has recorded; if so, it feeds back that the verification passed, and otherwise it feeds back that the verification failed. After the signature receiving node 620 receives verification-passed feedback from a number of signature verification nodes 630 reaching the second preset security threshold, it can be proved that the second signature data was sent by the signature sending node 610, and the signature sending node 610 cannot repudiate it.
Referring to fig. 6B, another exemplary structure of the decentralized digital authentication system 600 comprises: a signature sending node 610, a signature receiving node 620 and an authentication server 640 or/and a signature verification node 630. The signature sending node 610, the signature receiving node 620 and the authentication server 640 or/and the signature verification node 630 form a quantum key distribution network; a network node that sends signature data in the quantum key distribution network is used as a signature sending node 610, a network node that receives signature data is used as a signature receiving node 620, all network nodes except the signature sending node 610 and the signature receiving node 620 in the quantum key distribution network can be used as signature verification nodes 630 of the signature sending node 610 and the signature receiving node 620, and correspondingly, all authentication servers 640 in the quantum key distribution network can verify for the signature sending node 610 and the signature receiving node 620.
The signature sending node 610 encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, and sends the first signature data and the corresponding attribute information to the signature receiving node, and encrypts related information of the first original text data by using each verification shared key to form each first verification data (or the signature sending node 610 fragments the related information of the first original text data by using a first fragmentation method to obtain each fragmentation information, and encrypts the corresponding fragmentation information by using the corresponding verification shared key according to a first distribution strategy to form each first verification data), and sends each first verification data and the attribute information to each authentication server 640 or/and the signature verification node 630 correspondingly; the signature shared key is a quantum key shared by the signature sending node 610 and the signature receiving node 620; the verification shared key is a quantum key which is separately shared by the signature sending node 610 and each of the authentication servers 640 and/or the signature verification nodes 630. Each authentication server 640 or/and signature verification node 630 decrypts the received first verification data by using a verification shared key held by itself, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node 610. The signature receiving node 620 decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to each authentication server 640 or/and the signature verifying node 630 (or the signature receiving node 620 fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information to each authentication server 640 or/and the signature verifying node 630 according to the first distribution strategy). Each authentication server 640 or/and the signature verification node 630 respectively judges whether the relevant information of the first original text data received by itself is consistent with the corresponding first verification information recorded by itself; if so, the feedback verification is passed, otherwise, the feedback verification fails. After receiving verification-passed feedback from authentication servers 640 or/and signature verification nodes 630 reaching the first preset security threshold amount, the signature receiving node 620 establishes trusted communication with the signature sending node 610.
Further, the signature receiving node 620 decrypts the received second signature data by using the signature shared key, and sends the relevant information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to each authentication server 640 or/and signature verifying node 630 (or the signature receiving node 620 fragments the relevant information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information corresponding to the second signature data to each authentication server 640 or/and signature verifying node 630 according to a second distribution strategy); each authentication server 640 or/and signature verification node 630 respectively judges whether the information (hash value or fragmentation information) related to the second original text data received by itself is consistent with the corresponding second verification information recorded by itself, if so, the feedback verification is passed, otherwise, the feedback verification fails; after the signature receiving node 620 receives verification-passed feedback from authentication servers 640 or/and signature verification nodes 630 reaching the second preset security threshold amount, it can prove that the second signature data is sent by the signature sending node 610, and the signature sending node 610 cannot deny it.
The invention applies the decentralized idea: the nodes of the whole network jointly realize the identity authentication and digital signature verification functions of the whole network, without an authoritative trusted center (CA center). That is, the present invention does not require the participation of a CA center in the traditional sense, but relies on the authentication feedback of most nodes throughout the network. This solves the security problem that the whole identity authentication system faces when the CA center is attacked and is no longer credible.
The invention also discloses an implementation of the decentralized idea in which a plurality of authentication servers are established in the whole network to participate in the processes of identity authentication, digital signature and signature verification; this differs from the decentralized digital authentication method in which the nodes of the whole network cooperate under the safety threshold.
In this scheme, confirmation of identity authentication/signature verification depends on a set safety threshold, which is set based on the scale of the current network and is not a fixed value. Any verification operation comprises two parts, initiating verification and feedback verification, which together form a complete authentication block; any node or authentication server that participates in authentication needs to record the confirmed block and is responsible for maintaining the entire blockchain.
The hash value of the transaction data (Data) used for authentication and signature/signature verification can be fragmented by a certain algorithm according to the number of authentication servers. The fragmentation is a redundant storage mode: the complete hash value can be restored once most of the fragments are obtained, for example three of the 5 fragments. This guarantees that no authentication server holds the complete hash value, and enhances the protection level of the transaction data.
The invention is also realized in combination with quantum keys, which solves the problem that traditional digital authentication schemes based on a public-private key cryptosystem must keep increasing the length of the public-private key pair as computing capacity increases. The invention is realized based on a quantum key distribution network, and a pair of quantum keys exists between any two nodes in the quantum key distribution network.
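One way to fragment the hash so that any three of five fragments restore it, as an added example (not the patent's algorithm, which the page leaves unnamed). It assumes a deterministic polynomial-evaluation code over the prime field 2^127 - 1, so the sender and receiver derive identical fragments that each server can compare; each fragment is one linear equation in the hash chunks, so it withholds the complete hash but is not a secret-sharing scheme. Function names and sample data are constructed.

```python
import hashlib
from itertools import combinations

P = 2**127 - 1        # Mersenne prime used as the field modulus (assumption of this example)


def _coefficients(digest: bytes, k: int) -> list:
    """Split the digest into k equal-size chunks (zero padded) used as coefficients."""
    size = -(-len(digest) // k)                    # ceil(len / k) bytes per chunk
    if 256**size >= P:
        raise ValueError("chunks do not fit the field; use a larger k")
    padded = digest.ljust(size * k, b"\0")
    return [int.from_bytes(padded[i * size:(i + 1) * size], "big") for i in range(k)]


def fragment(digest: bytes, n: int = 5, k: int = 3) -> dict:
    """Server x (1..n) receives f(x) mod P, where the digest chunks are f's coefficients."""
    coeffs = _coefficients(digest, k)
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}


def _times_x_minus(poly: list, root: int) -> list:
    """Multiply a polynomial (lowest order first) by (X - root) mod P."""
    out = [0] * (len(poly) + 1)
    for i, c in enumerate(poly):
        out[i] = (out[i] - c * root) % P
        out[i + 1] = (out[i + 1] + c) % P
    return out


def restore(fragments: dict, k: int = 3, digest_len: int = 32) -> bytes:
    """Recover the digest from any k fragments by Lagrange interpolation of f."""
    if len(fragments) < k:
        raise ValueError(f"need {k} fragments, got {len(fragments)}")
    points = sorted(fragments.items())[:k]
    coeffs = [0] * k
    for xi, yi in points:
        basis, denom = [1], 1
        for xj, _ in points:
            if xj != xi:
                basis = _times_x_minus(basis, xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P         # modular inverse, Python 3.8+
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    size = -(-digest_len // k)
    if any(c >= 256**size for c in coeffs):
        raise ValueError("fragments are inconsistent")
    return b"".join(c.to_bytes(size, "big") for c in coeffs)[:digest_len]


def matching_servers(sender_digest: bytes, receiver_digest: bytes,
                     n: int = 5, k: int = 3) -> int:
    """Count servers whose fragment from the receiver equals the one from the sender."""
    sent, reported = fragment(sender_digest, n, k), fragment(receiver_digest, n, k)
    return sum(sent[x] == reported[x] for x in sent)


def every_subset_restores(digest: bytes, n: int = 5, k: int = 3) -> bool:
    """Check that each choice of k servers out of n can rebuild the digest."""
    frags = fragment(digest, n, k)
    return all(restore({x: frags[x] for x in subset}, k, len(digest)) == digest
               for subset in combinations(frags, k))


# Constructed sample inputs.
SAMPLE = hashlib.sha256(b"constructed transaction data").digest()
ALTERED = hashlib.sha256(b"constructed transaction data, altered").digest()

if __name__ == "__main__":
    print("any 3 of 5 restore the hash:", every_subset_restores(SAMPLE))
    print("servers passing, same hash:   ", matching_servers(SAMPLE, SAMPLE))
    print("servers passing, altered hash:", matching_servers(SAMPLE, ALTERED))
```

Two different hashes give degree-2 polynomials that agree in at most two points, so under this assumed code an altered hash can pass at most two of the five servers.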
The invention also improves the authentication mode, so that the network load and the quantum key consumption of the whole quantum key distribution network during high-frequency identity authentication, digital signature/signature verification can be greatly reduced, and the pressure of each quantum key distribution network node is reduced.
In conclusion, the present invention effectively overcomes various disadvantages of the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, all equivalent modifications or changes which may be made by those skilled in the art without departing from the spirit and scope of the present invention are intended to be covered by the appended claims.

Claims (21)

1. A decentralized digital authentication method is applied to a network comprising at least 3 network nodes, wherein the network node which sends signature data in the network is used as a signature sending node, the network node which receives the signature data is used as a signature receiving node, and the network nodes except the signature sending node and the signature receiving node in the network are used as signature verification nodes of the signature sending node and the signature receiving node; the decentralized digital authentication method comprises the following steps:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using corresponding verification shared keys to form first verification data, and sends the first verification data and the attribute information to corresponding signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each signature verification node;
each corresponding signature verification node decrypts the received first verification data by using a verification shared key held by the corresponding signature verification node, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verification nodes;
the corresponding signature verification nodes respectively judge whether the related information of the first original text data received by the corresponding signature verification nodes is consistent with the corresponding first verification information recorded by the corresponding signature verification nodes, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
2. The decentralized digital authentication method according to claim 1, wherein the decentralized digital authentication method further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to all corresponding signature verification nodes;
the corresponding signature verification nodes respectively judge whether the related information of the second original text data received by the corresponding signature verification nodes is consistent with the corresponding second verification information recorded by the corresponding signature verification nodes, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the second preset safety threshold amount, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot deny it.
3. The decentralized digital authentication method according to claim 1, wherein the decentralized digital authentication method further comprises:
each signature verification node receives each verification data and the attribute information from a signature sending node, and records corresponding verification information and the attribute information obtained by decrypting each verification data;
each signature verification node records the related information and the attribute information of each original text data from the signature receiving node;
and each time a signature verification node completes one verification in which the related information of original text data is matched against the corresponding verification information according to the attribute information, the related information of the original text data that is verified as consistent is stored in association with the corresponding verification information.
4. The decentralized digital authentication method according to claim 1, wherein: any two network nodes in the network are provided with a unique pair of shared keys.
5. The decentralized digital authentication method according to any one of claims 1 to 4, wherein:
the related information of the original text data comprises a hash value of the original text data or a related value obtained by calculating the original text data by any other algorithm;
the attribute information corresponding to the signature data comprises timestamp information of the signature sending node sending the signature data, and information of a signature receiving node receiving the signature data.
6. The decentralized digital authentication method according to claim 1, wherein said decentralized digital authentication method further comprises a network node expansion method of said network, comprising:
providing security guarantee for the newly added network node by utilizing a trusted entity mechanism; or the original network nodes in the network are combined to provide safety guarantee for the newly added network nodes based on an invitation mechanism;
and presetting shared keys with all original network nodes in the network for the newly added network nodes with safety guarantee by using the management center of the network.
7. The decentralized digital authentication method according to claim 5, wherein: the network also comprises an authentication server used for signature verification for the signature sending node and the signature receiving node.
8. The decentralized digital authentication method according to claim 7, wherein said decentralized digital authentication method further comprises:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using corresponding verification shared keys to form first verification data respectively, and sends the first verification data and the attribute information to corresponding authentication servers or/and signature verification nodes; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each authentication server or/and signature verification node;
each authentication server or/and signature verification node decrypts received first verification data by using a verification shared key held by the authentication server or/and the signature verification node, records first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to each authentication server or/and the signature verification node;
each authentication server or/and signature verification node respectively judges whether the relevant information of the first original text data received by the authentication server or/and the signature verification node is consistent with the corresponding first verification information recorded by the authentication server or/and the signature verification node, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers or/and signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
9. The decentralized digital authentication method according to claim 8, wherein said decentralized digital authentication method further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to each authentication server or/and signature verification node;
each authentication server or/and signature verification node respectively judges whether the related information of the second original text data received by the authentication server or/and the signature verification node is consistent with the corresponding second verification information recorded by the authentication server or/and the signature verification node, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers or/and signature verification nodes reaching the second preset safety threshold amount, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot deny it.
10. The decentralized digital authentication method according to claim 8, wherein said decentralized digital authentication method further comprises:
each authentication server or/and signature verification node receives each verification data and the attribute information from a signature sending node, and records corresponding verification information and the attribute information obtained by decrypting each verification data;
each authentication server or/and signature verification node records related information and the attribute information of each original text data from the signature receiving node;
and each time an authentication server or/and signature verification node completes one verification in which the related information of original text data is matched against the corresponding verification information according to the attribute information, the related information of the original text data that is verified as consistent is stored in association with the corresponding verification information.
11. The decentralized digital authentication method according to claim 7, wherein said decentralized digital authentication method further comprises:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, fragments related information of the first original text data by using a first fragmentation method to obtain fragmentation information, encrypts corresponding fragmentation information by using corresponding verification shared keys according to a first distribution strategy to form first verification data respectively, and sends the first verification data and the attribute information to corresponding authentication servers or/and signature verification nodes respectively; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each authentication server or/and signature verification node;
each authentication server or/and signature verification node decrypts received first verification data by using a verification shared key held by the authentication server or/and the signature verification node, records first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information to each authentication server or/and a signature verification node according to the first distribution strategy;
each authentication server or/and signature verification node respectively judges whether the fragment information received by the authentication server or/and the signature verification node is consistent with the corresponding first verification information recorded by the authentication server or/and the signature verification node, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers or/and signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
12. The decentralized digital authentication method according to claim 11, wherein said decentralized digital authentication method further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, fragments the related information of the second original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information corresponding to the second signature data to each authentication server or/and signature verification node according to a second distribution strategy;
each authentication server or/and signature verification node respectively judges whether the fragment information received by the authentication server or/and the signature verification node is consistent with the corresponding second verification information recorded by the authentication server or/and the signature verification node, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers or/and signature verification nodes reaching the second preset safety threshold amount, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot deny it.
13. The decentralized digital authentication method according to any one of claims 1 to 12, wherein: the network comprises a quantum key distribution network; the shared key comprises a quantum key.
14. A decentralized digital authentication system, comprising: a signature sending node, a signature receiving node and a signature verification node; the signature sending node, the signature receiving node and the signature verifying node form a network; a network node which sends signature data in the network is used as a signature sending node, a network node which receives the signature data is used as a signature receiving node, and correspondingly, network nodes except the signature sending node and the signature receiving node in the network are used as signature verification nodes of the signature sending node and the signature receiving node;
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using a corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to the corresponding signature verification node; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each signature verification node;
each corresponding signature verification node decrypts the received first verification data by using a verification shared key held by the corresponding signature verification node, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verification nodes;
the corresponding signature verification nodes respectively judge whether the related information of the first original text data received by the corresponding signature verification nodes is consistent with the corresponding first verification information recorded by the corresponding signature verification nodes, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
15. The decentralized digital authentication system according to claim 14, wherein said decentralized digital authentication system further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to all corresponding signature verification nodes;
the corresponding signature verification nodes respectively judge whether the related information of the second original text data received by the corresponding signature verification nodes is consistent with the corresponding second verification information recorded by the corresponding signature verification nodes, if so, the feedback verification is passed, otherwise, the feedback verification fails;
and after the signature receiving node receives verification-passed feedback from signature verification nodes reaching the second preset safety threshold amount, it is proven that the second signature data was sent by the signature sending node, and the signature sending node cannot deny it.
16. The decentralized digital authentication system according to claim 14, wherein said decentralized digital authentication system further comprises:
each signature verification node receives each verification data and the attribute information from a signature sending node, and records corresponding verification information and the attribute information obtained by decrypting each verification data;
each signature verification node records the related information and the attribute information of each original text data from the signature receiving node;
and each time a signature verification node completes one verification in which the related information of original text data is matched against the corresponding verification information according to the attribute information, the related information of the original text data that is verified as consistent is stored in association with the corresponding verification information.
17. A decentralized digital authentication system, comprising: a signature sending node, a signature receiving node and an authentication server; the signature sending node, the signature receiving node and the authentication server form a network; the network node which sends the signature data in the network is used as a signature sending node, the network node which receives the signature data is used as a signature receiving node, and the authentication server is used as a network node which performs signature verification for the signature sending node and the signature receiving node;
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using corresponding verification shared keys to form first verification data respectively, and sends the first verification data and the attribute information to corresponding authentication servers; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each authentication server;
each authentication server decrypts the received first verification data by using a verification shared key held by the authentication server, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to each authentication server;
each authentication server respectively judges whether the related information of the first original text data that it has received is consistent with the corresponding first verification information that it has recorded; if so, it feeds back that the verification is passed, otherwise it feeds back that the verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers in a number reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
18. The decentralized digital authentication system according to claim 17, wherein said decentralized digital authentication system further comprises:
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information, sends the first signature data and the corresponding attribute information to the signature receiving node, fragments related information of the first original text data by using a first fragmentation method to obtain fragmentation information, encrypts corresponding fragmentation information by using corresponding verification shared keys according to a first distribution strategy to form first verification data respectively, and sends the first verification data and the attribute information to corresponding authentication servers respectively; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each authentication server;
each authentication server decrypts the received first verification data by using a verification shared key held by the authentication server, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the first signature data by using the signature shared key, fragments the related information of the first original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information to each authentication server according to the first distribution strategy;
each authentication server respectively judges whether the fragment information that it has received is consistent with the corresponding first verification information that it has recorded; if so, it feeds back that the verification is passed, otherwise it feeds back that the verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers in a number reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
19. The decentralized digital authentication system according to claim 17, wherein said decentralized digital authentication system further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, and sends the related information of the second original text data obtained after decryption and the attribute information corresponding to the second signature data to each authentication server;
each authentication server respectively judges whether the related information of the second original text data that it has received is consistent with the corresponding second verification information that it has recorded; if so, it feeds back that the verification is passed, otherwise it feeds back that the verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers in a number reaching a second preset safety threshold amount, the signature receiving node proves that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
20. The decentralized digital authentication system according to claim 18, wherein said decentralized digital authentication system further comprises:
the signature receiving node decrypts the received second signature data by using the signature shared key, fragments the related information of the second original text data obtained after decryption by using the first fragmentation method to obtain all fragmentation information, and correspondingly sends each fragmentation information and the attribute information corresponding to the second signature data to each authentication server according to a second distribution strategy;
each authentication server respectively judges whether the fragment information that it has received is consistent with the corresponding second verification information that it has recorded; if so, it feeds back that the verification is passed, otherwise it feeds back that the verification fails;
and after the signature receiving node receives verification-passed feedback from authentication servers in a number reaching a second preset safety threshold amount, the signature receiving node proves that the second signature data was sent by the signature sending node, which the signature sending node cannot deny.
21. A decentralized digital authentication system, characterized in that the decentralized digital authentication system comprises: a signature sending node, a signature receiving node, and a signature verification node and/or an authentication server; the signature sending node, the signature receiving node, and the signature verification node and/or the authentication server form a network; a network node which sends signature data in the network serves as the signature sending node, a network node which receives the signature data serves as the signature receiving node, and correspondingly, network nodes in the network other than the signature sending node and the signature receiving node serve as signature verification nodes for the signature sending node and the signature receiving node; the signature verification node and/or the authentication server performs signature verification for the signature sending node and the signature receiving node;
the signature sending node encrypts first original text data by using a signature shared key to form first signature data and corresponding attribute information and sends the first signature data and the corresponding attribute information to the signature receiving node, encrypts related information of the first original text data by using a corresponding verification shared key to form first verification data, and sends the first verification data and the attribute information to a corresponding signature verification node and/or authentication server; the signature shared key is a key shared by the signature sending node and the signature receiving node; the verification shared key is a key which is independently shared by the signature sending node and each signature verification node and/or authentication server;
each corresponding signature verification node and/or authentication server decrypts the received first verification data by using the verification shared key that it holds, records the first verification information and the attribute information obtained after decryption, and feeds back verification confirmation information to the signature sending node;
the signature receiving node decrypts the received first signature data by using the signature shared key, and sends the related information of the first original text data obtained after decryption and the attribute information to all corresponding signature verification nodes and/or authentication servers;
the corresponding signature verification nodes and/or authentication servers respectively judge whether the related information of the first original text data that they have received is consistent with the corresponding first verification information that they have recorded; if so, they feed back that the verification is passed, otherwise they feed back that the verification fails;
and after the signature receiving node receives verification-passed feedback from signature verification nodes and/or authentication servers in a number reaching the first preset safety threshold amount, the signature receiving node establishes trusted communication with the signature sending node.
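The message flow of claim 17, as an added Python sketch that is not part of the patent text: it runs one exchange through five authentication servers with a threshold of three, then shows the outcome when one server has no record and when the signature data is altered in transit. Assumptions made here: the "related information" is a SHA-256 digest of the original text, the attribute information is a message identifier, and a SHAKE-256 keystream XOR stands in for the symmetric cipher the claim leaves unspecified, with every key used for a single message only.

```python
import hashlib, hmac, secrets

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHAKE-256 keystream XOR); the same call encrypts and decrypts."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def related_info(original: bytes) -> bytes:
    """Assumption: the 'related information' is a SHA-256 digest of the original text."""
    return hashlib.sha256(original).digest()

class AuthServer:
    def __init__(self, verify_key: bytes):
        self.verify_key = verify_key   # shared only with the signature sending node
        self.records = {}              # attribute info -> recorded verification info

    def record(self, attr: str, verification_data: bytes) -> bool:
        self.records[attr] = xor_cipher(self.verify_key, verification_data)
        return True                    # verification confirmation fed back to the sender

    def verify(self, attr: str, info: bytes) -> bool:
        stored = self.records.get(attr)
        return stored is not None and hmac.compare_digest(stored, info)

def send(original, attr, sig_key, servers):
    """Sending node: verification data to each server, signature data to the receiver."""
    for s in servers:
        s.record(attr, xor_cipher(s.verify_key, related_info(original)))
    return xor_cipher(sig_key, original), attr

def receive(signature_data, attr, sig_key, servers, threshold):
    """Receiving node: decrypt, query every server, count the 'passed' feedback."""
    info = related_info(xor_cipher(sig_key, signature_data))
    passed = sum(s.verify(attr, info) for s in servers)
    return passed >= threshold, passed

def demo():
    sig_key = secrets.token_bytes(32)
    servers = [AuthServer(secrets.token_bytes(32)) for _ in range(5)]
    sig, attr = send(b"constructed sample message", "msg-0001", sig_key, servers)
    ok = receive(sig, attr, sig_key, servers, threshold=3)
    servers[0].records.clear()                  # one server has lost its record
    degraded = receive(sig, attr, sig_key, servers, threshold=3)
    flipped = bytes([sig[0] ^ 1]) + sig[1:]     # signature data altered in transit
    tampered = receive(flipped, attr, sig_key, servers, threshold=3)
    return ok, degraded, tampered
```

The threshold is what lets the receiving node tolerate a minority of unavailable or inconsistent servers, while any change to the signature data changes the digest and is rejected by every server.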
CN201911421424.4A 2019-12-31 2019-12-31 Decentralized digital authentication method and system Active CN113132094B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911421424.4A CN113132094B (en) 2019-12-31 2019-12-31 Decentralized digital authentication method and system

Publications (2)

Publication Number Publication Date
CN113132094A CN113132094A (en) 2021-07-16
CN113132094B CN113132094B (en) 2022-08-26

Family

ID=76769738

Country Status (1)

Country Link
CN (1) CN113132094B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant