CN113179169B - Digital certificate management method and device - Google Patents

Digital certificate management method and device Download PDF

Info

Publication number
CN113179169B
CN113179169B CN202110474136.6A CN202110474136A CN113179169B CN 113179169 B CN113179169 B CN 113179169B CN 202110474136 A CN202110474136 A CN 202110474136A CN 113179169 B CN113179169 B CN 113179169B
Authority
CN
China
Prior art keywords
digital certificate
block chain
public key
threshold value
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110474136.6A
Other languages
Chinese (zh)
Other versions
CN113179169A (en
Inventor
霍云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Currency Institute of the Peoples Bank of China
Original Assignee
Digital Currency Institute of the Peoples Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Currency Institute of the Peoples Bank of China filed Critical Digital Currency Institute of the Peoples Bank of China
Priority to CN202110474136.6A priority Critical patent/CN113179169B/en
Publication of CN113179169A publication Critical patent/CN113179169A/en
Priority to PCT/CN2022/089242 priority patent/WO2022228423A1/en
Priority to EP22794893.2A priority patent/EP4333365A1/en
Application granted granted Critical
Publication of CN113179169B publication Critical patent/CN113179169B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a digital certificate management method and device, and relates to the technical field of computers. One embodiment of the method comprises: receiving a digital certificate generation request sent by a user; determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene; broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm; aggregating the first signature information to generate a digital certificate for the user. The implementation mode improves the safety of digital certificate management and the applicability of digital certificate signing and issuing in different application scenes.

Description

Digital certificate management method and device
Technical Field
The invention relates to the technical field of computers, in particular to a digital certificate management method and device.
Background
The CA (Certificate Authority), which is an important component in PKI (Public Key infrastructure), is responsible for issuing a digital Certificate that can identify the identity of a user. Once the CA private key used to issue a digital certificate is compromised, all digital certificates issued by the CA will be defeated, thus ensuring that the security of the CA private key is at the heart of the overall PKI security.
In order to improve the safety of the CA private key, a scheme for managing the CA by multiple parties is provided. However, in the current scenario of managing the CA by multiple parties, each management member can issue a digital certificate according to its own requirements, and because of lack of supervision or a unified coordinated supervision mechanism of other management members, any party may introduce an uncontrollable external risk to improper use of the CA private key. In addition, the control capability of the management member actually responsible for the operation and maintenance CA or the introduced third-party CA manager to the CA is relatively high, and the CA private key is easily leaked due to improper management, so that the whole CA is not trusted.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for managing a digital certificate, which can implement common management and control of a plurality of management members on a private key issued by the digital certificate, avoid the problem of leakage of the private key due to improper management of any one of the management members, determine a specific management member participating in the digital certificate according to an application scenario of the digital certificate, and further improve security of issuing the digital certificate.
To achieve the above object, according to one aspect of the present invention, there is provided a digital certificate management method including:
receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user;
determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all block chain nodes;
broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm;
aggregating the first signature information to generate a digital certificate for the user.
Optionally, the method further comprises:
and uploading the digital certificate to a block chain, so that a block chain node or an intelligent contract verifies the digital certificate according to the aggregation public key corresponding to the threshold value.
Optionally, the method further comprises:
receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information;
and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
Optionally, the method further comprises:
and uploading the revocation certificate to a block chain, so that block chain nodes or intelligent contracts verify the revocation certificate according to the aggregation public key corresponding to the threshold value.
Optionally, before receiving a digital certificate generation request sent by a user, the method further includes:
determining one or more block chain nodes participating in generating an aggregation public key corresponding to the threshold value from all the block chain nodes according to the threshold value;
aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node;
and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
Optionally, the method further comprises:
broadcasting preset root certificate information to a block chain under the condition that the aggregation public key passes verification, so that block chain link points participating in generation of the aggregation public key use private key components of the block chain nodes to sign the preset root certificate information to generate third signature information;
and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the founder block of the block chain.
To achieve the above object, according to another aspect of the present invention, there is provided a digital certificate management apparatus including: the system comprises a request receiving module, a threshold value determining module, an information broadcasting module and a signature aggregation module; wherein,
the request receiving module is used for receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user;
the threshold value determining module is configured to determine a preset threshold value corresponding to the digital certificate application scenario according to the digital certificate application scenario, where the threshold value indicates the number of blockchain nodes participating in generation of a digital certificate in all blockchain link points;
the information broadcasting module is configured to broadcast the first user information to a block chain, so that a block chain node of an aggregation public key corresponding to the threshold is known, and the first user information is signed by using a private key component of the block chain node to generate first signature information, where the aggregation public key corresponding to the threshold is generated by aggregating public key components of the block chain node based on a signature generation algorithm;
the signature aggregation module is used for aggregating the first signature information to generate a digital certificate for the user.
Optionally, the method further comprises: a digital certificate uploading module; wherein,
and the digital certificate uploading module is used for uploading the digital certificate to the block chain so that the block chain node or the intelligent contract can verify the digital certificate according to the aggregation public key corresponding to the threshold value.
Optionally, the method further comprises: a digital certificate revocation module; wherein,
the digital certificate revocation module is used for receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information;
and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
Optionally, the digital certificate revocation module is further configured to,
and uploading the revocation certificate to a block chain, so that block chain nodes or intelligent contracts verify the revocation certificate according to the aggregation public key corresponding to the threshold value.
Optionally, the method further comprises: an aggregation public key generation module; wherein,
the aggregation public key generation module is configured to determine, according to the threshold value, one or more block chain nodes participating in generation of an aggregation public key corresponding to the threshold value from all block chain nodes;
aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node;
and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
Optionally, the aggregate public key generating module is further configured to,
broadcasting preset root certificate information to a block chain under the condition that the aggregation public key passes verification, so that block chain link points participating in generation of the aggregation public key sign the preset root certificate information by using a private key component of a block chain node to generate third signature information;
and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the founder block of the block chain.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic device for digital certificate management, including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method as in any one of the digital certificate management methods described above.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements any one of the digital certificate management methods described above.
The invention has the following advantages or beneficial effects: receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user; determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all the block chain nodes; broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm; aggregating the first signature information to generate a digital certificate for the user. Therefore, the corresponding threshold value is determined through the application scene of the digital certificate, and then the block chain nodes participating in the digital certificate issuing are determined, so that the validity of the digital certificate issuing is ensured, and the safety of the digital certificate issuing process and the applicability of the digital certificate issuing method in different application scenes are improved.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram of a main flow of a digital certificate management method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a main flow of another digital certificate management method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a main flow of still another digital certificate management method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of main blocks of a digital certificate management apparatus according to an embodiment of the present invention;
fig. 5 is a schematic diagram of the main structure of a digital certificate management system according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a main flow of a digital certificate management method according to an embodiment of the present invention, in order to prevent a private key issued by a digital certificate from being leaked to improve security of the digital certificate, each management member in a scheme for performing multi-party common management based on a block chain in this embodiment corresponds to a block chain node. As shown in fig. 1, the digital certificate management method may specifically include the following steps:
step S101, receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user.
The digital certificate is a character string which is issued by a certification center and marks identity information of each communication party in internet communication, and is commonly used for business websites such as B2B, B2C, P2P, O2O and the like, information websites containing private information, service websites such as government organs, financial institutions and the like so as to improve the security of the network. According to different users, common digital certificates can be divided into: personal identification digital certificates, corporate or institutional identification digital certificates, payment gateway digital certificates, server digital certificates, secure email digital certificates, personal code signing digital certificates, and the like. The digital certificate indicates at least a digital certificate holder public key, digital certificate holder information, digital certificate issuer information, issuer signature information, and the like. Therefore, to generate the digital certificate corresponding to the user, the first user information at least includes information for identifying the holder of the digital certificate, such as a user public key, a user name, or a user identifier. In addition, the first user information may also include other information that the user needs to display in the digital certificate, and the like.
The application scenario refers to the actual application scenario of the issued digital certificate, including but not limited to: financial transactions, document signing, mailing, site security, etc. Specifically, for example, in a financial transaction, a corresponding relationship between a transaction amount and a threshold may be preset, and if the transaction amount is larger, the corresponding threshold is larger, that is, the number of points of the block link participating in generating the aggregation public key or in issuing the digital certificate is larger, and vice versa. Therefore, the method can meet the signing and issuing differences of the digital certificates in different application scenes, can ensure the signing and issuing safety and effectiveness of the digital certificates, and improves the applicability of the scheme for cooperatively managing the digital certificates.
It is understood that, before receiving the digital certificate generation request sent by the user, the method further includes: determining one or more block chain nodes participating in generating an aggregation public key corresponding to the threshold value from all the block chain nodes according to the threshold value; aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node; and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
The threshold value may be the number m of the block chain links participating in generating the aggregation public key, or a ratio p (p = m/n, p is greater than or equal to 0.5 and less than or equal to 1) of the number m of the block chain links participating in generating the aggregation public key and the total number n of the block chain links, and the like. If the total node number n on the block chain is 10, the threshold may be any one of values 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10, or any one of values 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, and 1. However, it should be noted that, in order to improve the security of the digital certificate bookmark and prevent the blockchain nodes from being attacked, the ratio of the number of the blockchain nodes participating in generating the aggregated public key or in issuing the digital certificate to the total number of the blockchain links should not be less than 0.5.
More specifically, taking the total number n of nodes in the block chain as 10 and the threshold corresponding to the application scenario as 7, 7 block chain nodes may be arbitrarily selected from 10 block chain nodes or 7 block chain nodes may be selected according to actual requirements, so that the block chain nodes aggregate public key components of the 7 block chain nodes by using a signature generation algorithm to generate an aggregation public key corresponding to the threshold 7.
In addition, it is noted that in the block chain initialization step, a pair of asymmetric key pairs is generated for each block chain node by using an encryption machine, and public key components in the asymmetric key pairs can be exchanged in an offline communication manner such as mails and letters agreed by management members, or can be written into an established block of the block chain. In this way, management members participating in digital certificate management or the block chain nodes corresponding to the management members can mutually know the public key components of each other, so that each block chain node can use a signature generation algorithm to aggregate a global public key. Usable signature generation algorithms include, but are not limited to: schnorr signature algorithm, BLS signature algorithm, etc.
And if and only if the verification of the aggregation public key is passed, namely the aggregation public key aggregated by the block link point per se is consistent with the aggregation public key in the founding block, all the block link nodes on the block chain acknowledge the validity of the aggregation public key, and the subsequent steps of generating the digital certificate and the like can be continued. Thus, the reliability of the aggregation public key stored in the founding block is improved. It can be understood that, in order to ensure the validity of the aggregated public key when one or a few nodes on the block chain are attacked, the verification rule of the aggregated public key may be determined according to actual requirements, and if 50% or 60% of the block chain nodes participating in generating the aggregated public key pass the verification of the aggregated public key, the aggregated public key in the created block is considered valid.
In addition, in order to further ensure the reliability of the aggregated public key, the method of issuing a root certificate and writing the root certificate into the founding block is adopted to ensure the real validity of the aggregated public key source. Specifically, under the condition that the aggregation public key passes verification, broadcasting preset root certificate information to a block chain, so that block chain link points participating in generation of the aggregation public key use private key components of block chain nodes to sign the preset root certificate information to generate third signature information; and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the created block of the block chain.
Step S102, according to the digital certificate application scene, determining a preset threshold value corresponding to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all block chain nodes.
It can be understood that, before issuing the digital certificate, the corresponding relationship between the application scenario and the threshold is preset according to actual requirements. Therefore, under the condition of receiving a digital certificate generation request, the threshold value can be determined according to the corresponding relation between the application scene and the threshold value, and then the number of the block chain nodes participating in issuing the digital certificate is determined from all the block chain nodes according to the threshold value, so that the corresponding block chain nodes issue the digital certificate. Specifically, to ensure that the issued digital certificate can be verified by using the aggregation public key corresponding to the threshold value stored in the founding block, the block chain nodes participating in issuing the digital certificate should be consistent with the block chain nodes participating in generating the aggregation public key corresponding to the threshold value.
Step S103, broadcasting the first user information to a block chain, so that a block chain node participating in generating an aggregation public key corresponding to the threshold value signs the first user information by using a private key component of the block chain node to generate first signature information, where the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm.
That is, when the aggregate public key is generated through aggregation, one or more block chain nodes are required to participate together, and when a digital certificate is issued, the one or more block chain nodes are also required to participate together to generate the first signature information. Specifically, it is described by taking an example that the first user information only indicates the user public key and the user name, after the first user information is broadcast to the blockchain, the blockchain node participating in generating the aggregation public key corresponding to the threshold value may calculate a hash value corresponding to the user public key and the user name through a hash algorithm, and encrypt the hash value by using its own private key component to generate the first signature information. On the basis, first signature information generated by each block chain node is collected, and all the first signature information is aggregated to generate signature information in the digital certificate, so that the digital certificate is generated. It can be understood that the aggregated signature information corresponds to the aggregated public key, that is, the aggregated public key can be used to verify the signature information in the digital certificate, so as to determine the validity and validity of the digital certificate.
If the threshold value corresponding to the application scenario is 3, taking four block chain nodes, namely node 1, node 2, node 3, and node 4, in the block chain as an example, the four block chain nodes share 3 block chain nodes to participate in issuing the digital certificate. Since the aggregation public key a corresponding to the threshold value 3 is generated by the node 1, the node 2, and the node 3 in the initialization stage, after the first user information is broadcast to the blockchain, the three blockchain nodes participating in the generation of the aggregation public key a, that is, the node 1, the node 2, and the node 3, encrypt the hash value of the first user information by using respective private key components to generate first signature information, and aggregate the first signature information generated by the node 1, the node 2, and the node 3 to generate a digital certificate corresponding to the threshold value 3, that is, a digital certificate applicable in the application scenario.
Step S104, aggregating the first signature information to generate a digital certificate for the user.
Usable signature generation algorithms include, but are not limited to: schnorr signature algorithm, BLS signature algorithm, etc.
And on the basis, uploading the digital certificate to a block chain, so that a block chain node or an intelligent contract verifies the digital certificate according to an aggregation public key corresponding to the threshold value. Specifically, the example of verifying the digital certificate by the smart contract is described as follows: firstly, the intelligent contract on the chain can acquire an aggregation public key or a root certificate corresponding to a threshold value from a created block of the block chain, and then decrypt signature information in a digital certificate by using the aggregation public key to acquire a hash value; secondly, carrying out hash operation on plaintext information except the signature information indicated in the digital certificate by using a hash algorithm to generate a new hash value; on the basis, whether the newly generated hash value is consistent with the hash value obtained after the aggregated public key is used for decrypting the signature information is judged, if so, the digital certificate is verified to be passed, namely the digital certificate is legal, and if not, the digital certificate is verified to be not passed, namely the digital certificate is illegal. Therefore, the security and the reliability of the digital certificate source are further ensured.
It is to be appreciated that after the generation of a digital certificate, revocation of the digital certificate is often involved during the full life cycle of the digital certificate. Based on this, the method also comprises the following steps: receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked; broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information; and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
Specifically, for example, the second user information only includes a user name and a user public key, after the second user information is broadcasted onto the block chain, one or more block chain nodes participating in generating the to-be-revoked digital certificate are notified, so that each block chain node performs hash operation on the user name and the user public key by using a hash algorithm to generate a hash value, and then encrypts the hash value by using its own private key component to generate the second signature information. On the basis of the first signature information, all the second signature information is collected and aggregated to generate signature information indicated in the revocation certificate, and the revocation certificate also indicates information such as a user name and a user public key. It can be understood that, according to actual requirements, a hash algorithm may be used to perform hash operation on information such as the user name, the user public key, and the to-be-revoked digital certificate number to generate a hash value, and generate the second signature information. Therefore, the common control on the digital certificate revocation is realized by the way that one or more block chain link points participating in generating the digital certificate to be revoked participate in the common participation, and the reliability of the digital certificate is improved.
And on the basis, uploading the revocation certificate to a block chain, so that a block chain node or an intelligent contract can verify the revocation certificate according to an aggregation public key corresponding to the threshold value. Specifically, the example of the uplink intelligent contract verifying the revocation certificate is described as follows: firstly, acquiring an aggregation public key corresponding to a threshold value or a root certificate indicating the aggregation public key from a block chain, and then decrypting signature information in a revocation certificate by using the aggregation public key to acquire a hash value; then, carrying out hash operation on plaintext information except the signature information indicated in the revocation certificate by using a hash algorithm to generate a new hash value; on the basis, whether the newly generated hash value is consistent with the hash value acquired after the aggregated public key is used for decrypting the signature information is judged, if so, the certificate revocation passes verification, namely the digital certificate corresponding to the certificate revocation is invalid, and if not, the certificate revocation fails verification, namely the certificate revocation source is unreliable, so that the certificate revocation cannot be used for determining whether the corresponding digital certificate is revoked.
Further, to determine whether the digital certificate is still valid to determine the validity of the identity of the holder of the digital certificate, the digital certificate verifier may query the blockchain whether the digital certificate has a corresponding revocation certificate, and if not, the digital certificate is not revoked, and if so, the digital certificate is revoked. Further, to further ensure the validity of the revocation credential stored on the blockchain, the verifier may verify the revocation credential validity as described above based on the knowledge of the aggregated public key.
Based on the embodiment, the corresponding relation between the application scene and the threshold value is preset, and the number of the node of the block chain to be issued in the application scene is determined according to the threshold value, so that the issuing difference of the digital certificate in different application scenes is met, and the applicability of the digital certificate management scheme is improved; meanwhile, the plurality of block chain nodes use the corresponding private key components to sign the first user information to generate first signature information, and the signature generation algorithm is adopted to aggregate the first signature information to generate a digital certificate, so that the private key for signing and issuing the digital certificate is dispersed into the private key components corresponding to the block chain nodes, the common control of the private key for signing and issuing the digital certificate by a plurality of management members is realized, and the problem of private key leakage is avoided; in addition, if and only under the condition that the first signature information generated by all block chain nodes participating in generating the aggregation public key is aggregated, a new digital certificate can be successfully generated, so that the problem of uncontrollable external risks caused by random issuance of the digital certificate by any management member according to the self requirement is solved. Correspondingly, the digital certificate can be successfully revoked if and only if the second signature information generated by all the block chain nodes participating in generating the aggregation public key is aggregated, and the validity and the reliability of the digital certificate are further ensured.
Referring to fig. 2, on the basis of the foregoing embodiment, an embodiment of the present invention provides another digital certificate management method, which may specifically include the following steps:
step S201, receiving a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information and a digital certificate application scenario of the user.
It can be understood that before receiving a digital certificate generation request sent by a user, an encryption engine is further required to generate a pair of asymmetric key pairs for each block chain node, public key components in the asymmetric key pairs can be exchanged in an offline communication manner such as a mail, a letter and the like agreed by management members, and respective public key components can be written into a creation block of the block chain, so that management members participating in digital certificate management or block chain link points corresponding to the management members can know the public key components of each other, and each block chain link point can aggregate an aggregated public key by using a signature generation algorithm.
Further, according to a corresponding relation between a preset application scene and a threshold value, selecting one or more block chain link points corresponding to the threshold value from the block chain link points, and aggregating public key components of the block chain nodes by adopting a signature generation algorithm to generate an aggregated public key corresponding to the one or more threshold values and writing the aggregated public key into the creature block.
Step S202, according to the digital certificate application scenario, determining a preset threshold corresponding to the digital certificate application scenario, where the threshold indicates the number of block chain nodes participating in generation of a digital certificate in all block chain nodes.
Step S203, broadcasting the first user information to a block chain, so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, where the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm.
Step S204, aggregating the first signature information to generate a digital certificate for the user.
On this basis, the digital certificate can be uploaded to the block chain, so that the block chain node or the intelligent contract obtains the aggregation public key or the root certificate corresponding to the threshold value from the founding block to verify the digital certificate, and the validity of the digital certificate is guaranteed.
Step S205 is to receive a digital certificate revocation request sent by a user, where the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked.
Step S206, according to the threshold value when the digital certificate to be revoked is generated, broadcasting the second user information to a block chain, so that a block chain node participating in generating the aggregation public key corresponding to the threshold value signs the second user information using the private key component of the block chain node, so as to generate second signature information.
Step S207, aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
On the basis, the revocation certificate can be uploaded to the block chain, so that the verifier of the digital certificate to be revoked can judge the validity of the digital certificate to be revoked according to the certificate to be revoked acquired from the block chain.
Referring to fig. 3, on the basis of the foregoing embodiment, another digital certificate management method is provided, which specifically includes the following steps:
step S301, determining, according to the threshold value, one or more block chain nodes participating in generating an aggregation public key corresponding to the threshold value from all block chain nodes.
Step S302, aggregating the public key components of the determined block link points based on a signature algorithm, so as to generate the same aggregated public key corresponding to the threshold value for each of the block link points.
Before generating the aggregation public key value, an asymmetric key pair generated by the encryption machine for each block of two nodes is adopted, and the asymmetric key pair comprises a public key component and a private key component.
Step S303, a block chain node is calculated from the determined block chain link points, so as to write the aggregation public key into the created block of the block chain, and verify the aggregation public key in the created block by using the block chain link points participating in generating the aggregation public key corresponding to the threshold value.
Specifically, a locking mechanism may be employed to select one blockchain node from the blockchain nodes that generate the aggregate public key to write the aggregate public key into the created block, so as to avoid repeated writing of different blockchain nodes. In addition, if and only if the block link pair participating in the generation of the aggregate public key passes the verification in the founder block, the node on the block link chain acknowledges the validity of the aggregate public key and performs the subsequent digital certificate issuing step.
Step S304, broadcasting preset root certificate information to a block chain when the aggregation public key passes verification, so that a block chain node participating in generation of the aggregation public key signs the preset root certificate information using a private key component of the block chain node to generate third signature information.
The preset root certificate information is any information agreed in advance by a management member participating in digital certificate management, and in the case that a plurality of aggregation public keys exist, one root certificate can be generated for each aggregation public key correspondingly.
Step S305, aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the founding block of the block chain.
Step S306, receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user.
Step S307, according to the digital certificate application scenario, determining a preset threshold corresponding to the digital certificate application scenario, where the threshold indicates the number of block chain nodes participating in generating a digital certificate in all block chain nodes.
Step S308, broadcasting the first user information to a block chain, so that a block chain node of an aggregation public key corresponding to the threshold is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, where the aggregation public key corresponding to the threshold is generated by aggregating public key components of the block chain nodes based on a signature generation algorithm.
Step S309, aggregating the first signature information to generate a digital certificate for the user.
On the basis, the digital certificate can be uploaded to the block chain, so that a digital certificate verifier can obtain the absolute aggregation public key or the root certificate corresponding to the application scene threshold value from the founding block and verify the validity of the digital certificate.
In addition, under the condition that a digital certificate revocation request is received, a revocation certificate can be generated for the digital certificate to be revoked and is uploaded to the block chain, so that a digital certificate verifier can inquire the validity of the digital certificate from the block chain.
Referring to fig. 4, on the basis of the foregoing embodiment, an embodiment of the present invention provides a digital certificate management apparatus 400, including: a request receiving module 402, a threshold value determining module 403, an information broadcasting module 404, and a signature aggregation module 405; wherein,
the request receiving module 402 is configured to receive a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information and a digital certificate application scenario of the user;
the threshold value determining module 403 is configured to determine, according to the digital certificate application scenario, a preset threshold value corresponding to the digital certificate application scenario, where the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all block chain nodes;
the information broadcasting module 404 is configured to broadcast the first user information to a block chain, so that a block chain node of an aggregation public key corresponding to the threshold is known, and a private key component of the block chain node is used to sign the first user information to generate first signature information, where the aggregation public key corresponding to the threshold is generated by aggregating public key components of the block chain nodes based on a signature generation algorithm;
the signature aggregation module 405 is configured to aggregate the first signature information to generate a digital certificate for the user.
In an optional embodiment, the method further comprises: a digital certificate upload module 406; wherein,
the digital certificate uploading module 406 is configured to upload the digital certificate to the block chain, so that the block chain node or the intelligent contract verifies the digital certificate according to the aggregation public key corresponding to the threshold value.
In an optional embodiment, the method further comprises: a digital certificate revocation module 407; wherein,
the digital certificate revocation module 407 is configured to receive a digital certificate revocation request sent by a user, where the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information;
and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
In an alternative embodiment, the digital certificate revocation module 407 is further configured to,
and uploading the revocation certificate to a block chain, so that block chain nodes or intelligent contracts verify the revocation certificate according to the aggregation public key corresponding to the threshold value.
In an optional embodiment, the method further comprises: an aggregation public key generation module 401; wherein,
the aggregation public key generation module 401 is configured to determine, according to the threshold value, one or more blockchain nodes participating in generation of an aggregation public key corresponding to the threshold value from all blockchain nodes;
aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node;
and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
In an optional implementation manner, the aggregate public key generation module 401 is further configured to,
broadcasting preset root certificate information to a block chain under the condition that the aggregation public key passes verification, so that block chain link points participating in generation of the aggregation public key use private key components of the block chain nodes to sign the preset root certificate information to generate third signature information;
and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the created block of the block chain.
Referring to fig. 5, on the basis of the foregoing embodiment, an embodiment of the present invention provides a digital certificate management system 500, including: digital certificate management apparatus 400, blockchain 501; wherein,
the digital certificate management apparatus 400 is configured to receive a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information and a digital certificate application scenario of the user; determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all the block chain nodes; broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm; aggregating the first signature information to generate a digital certificate for the user.
The block chain 501 is configured to store the aggregation public key, and the block chain link points participating in generating the aggregation public key on the block chain are configured to sign the first user information by using a private key component of the block chain node to generate first signature information.
Fig. 6 illustrates an exemplary system architecture 600 to which the digital certificate management method or apparatus of an embodiment of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves as a medium for providing communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with a server 605, via a network 604, to receive or send messages or the like. Various applications may be installed on the terminal devices 601, 602, 603.
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server that provides various services, such as a background management server that provides support for websites browsed by users using the terminal devices 601, 602, 603. The background management server may process the received digital certificate generation request and the like, and feed back a processing result (e.g., a digital certificate) to the terminal device.
It should be noted that the digital certificate management method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the digital certificate management apparatus is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing embodiments of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the use range of the embodiment of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the central processing unit (CP U) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprises a request receiving module, a threshold value determining module, an information broadcasting module and a signature aggregation module. Where the names of these modules do not in some cases constitute a limitation on the module itself, for example, the signature aggregation module may also be described as "a module for aggregating the first signature information to generate a digital certificate for the user".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not assembled into the device. The computer readable medium carries one or more programs which, when executed by a device, enable the device to include receiving a digital certificate generation request sent by a user, the digital certificate generation request indicating first user information and a digital certificate application scenario of the user; determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all the block chain nodes; broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm; aggregating the first signature information to generate a digital certificate for the user.
According to the technical scheme of the embodiment of the invention, the corresponding relation between the application scene and the threshold value is preset, and the number of the node of the block chain to be issued in the application scene is determined according to the threshold value, so that the issuing difference of the digital certificate in different application scenes is met, and the applicability of the digital certificate management scheme is improved; meanwhile, the plurality of block chain nodes use the corresponding private key components to sign the first user information to generate first signature information, and the signature generation algorithm is adopted to aggregate the first signature information to generate a digital certificate, so that the private key for signing and issuing the digital certificate is dispersed into the private key components corresponding to the block chain nodes, the common control of the private key for signing and issuing the digital certificate by a plurality of management members is realized, and the problem of private key leakage is avoided; in addition, if and only under the condition that the first signature information generated by all block chain nodes participating in generating the aggregation public key is aggregated, a new digital certificate can be successfully generated, so that the problem of uncontrollable external risks caused by random issuance of the digital certificate by any management member according to the self requirement is solved. Correspondingly, the digital certificate can be successfully revoked if and only if the second signature information generated by all the block chain nodes participating in generating the aggregation public key is aggregated, and the validity and the reliability of the digital certificate are further ensured.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A method for digital certificate management, comprising:
receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user;
determining a preset threshold value corresponding to the digital certificate application scene according to the digital certificate application scene, wherein the threshold value indicates the number of block chain nodes participating in generating a digital certificate in all block chain nodes;
broadcasting the first user information to a block chain so that a block chain node of an aggregation public key corresponding to the threshold value is known, and signing the first user information by using a private key component of the block chain node to generate first signature information, wherein the aggregation public key corresponding to the threshold value is generated by aggregating public key components of the block chain node based on a signature generation algorithm;
aggregating the first signature information to generate a digital certificate for the user.
2. The digital certificate management method according to claim 1, further comprising:
and uploading the digital certificate to a block chain, so that a block chain node or an intelligent contract verifies the digital certificate according to the aggregation public key corresponding to the threshold value.
3. The digital certificate management method according to claim 1, further comprising:
receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information;
and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
4. The digital certificate management method according to claim 3, further comprising:
and uploading the revocation certificate to a block chain, so that block chain nodes or intelligent contracts verify the revocation certificate according to the aggregation public key corresponding to the threshold value.
5. The method of claim 1, further comprising, prior to receiving a request for generating a digital certificate from a user:
determining one or more block chain nodes participating in generating an aggregation public key corresponding to the threshold value from all the block chain nodes according to the threshold value;
aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node;
and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
6. The digital certificate management method according to claim 5, further comprising:
broadcasting preset root certificate information to a block chain under the condition that the aggregation public key passes verification, so that block chain link points participating in generation of the aggregation public key sign the preset root certificate information by using a private key component of a block chain node to generate third signature information;
and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the founder block of the block chain.
7. A digital certificate management apparatus, comprising: the device comprises a request receiving module, a threshold value determining module, an information broadcasting module and a signature aggregation module; wherein,
the request receiving module is used for receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information and a digital certificate application scene of the user;
the threshold value determining module is configured to determine a preset threshold value corresponding to the digital certificate application scenario according to the digital certificate application scenario, where the threshold value indicates the number of blockchain nodes participating in generation of a digital certificate in all blockchain link points;
the information broadcasting module is configured to broadcast the first user information to a block chain, so that a block chain node of an aggregation public key corresponding to the threshold is known, and the first user information is signed by using a private key component of the block chain node to generate first signature information, where the aggregation public key corresponding to the threshold is generated by aggregating public key components of the block chain node based on a signature generation algorithm;
the signature aggregation module is used for aggregating the first signature information to generate a digital certificate for the user.
8. The digital certificate management apparatus according to claim 7, further comprising: a digital certificate uploading module; wherein,
and the digital certificate uploading module is used for uploading the digital certificate to the block chain so that the block chain node or the intelligent contract can verify the digital certificate according to the aggregation public key corresponding to the threshold value.
9. The digital certificate management apparatus according to claim 7, further comprising: a digital certificate revocation module; wherein,
the digital certificate revocation module is used for receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain according to a threshold value when the digital certificate to be revoked is generated, so that a block chain node participating in generation of an aggregation public key corresponding to the threshold value signs the second user information by using a private key component of the block chain node to generate second signature information;
and aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked.
10. The digital certificate management apparatus of claim 9, wherein the digital certificate revocation module is further configured to,
and uploading the revocation certificate to a block chain, so that block chain nodes or intelligent contracts verify the revocation certificate according to the aggregation public key corresponding to the threshold value.
11. The digital certificate management apparatus according to claim 7, further comprising: an aggregation public key generation module; wherein,
the aggregation public key generation module is configured to determine, according to the threshold value, one or more block chain nodes participating in generation of an aggregation public key corresponding to the threshold value from all block chain nodes;
aggregating the public key components of the determined block chain link points based on a signature algorithm to generate the same aggregated public key corresponding to the threshold value for each block chain node;
and calculating a block chain node from the determined block chain link points so as to write the aggregation public key into a created block of the block chain, and verifying the aggregation public key in the created block by other block chain link points participating in generating the aggregation public key corresponding to the threshold value.
12. The digital certificate management apparatus of claim 11, wherein the aggregate public key generation module is further configured to,
broadcasting preset root certificate information to a block chain under the condition that the aggregation public key passes verification, so that block chain link points participating in generation of the aggregation public key sign the preset root certificate information by using a private key component of a block chain node to generate third signature information;
and aggregating the third signature information to generate a root certificate corresponding to the aggregated public key, and writing the root certificate into the created block of the block chain.
13. An electronic device for digital certificate management, comprising:
one or more processors;
a storage device to store one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
14. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-6.
CN202110474136.6A 2021-04-29 2021-04-29 Digital certificate management method and device Active CN113179169B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202110474136.6A CN113179169B (en) 2021-04-29 2021-04-29 Digital certificate management method and device
PCT/CN2022/089242 WO2022228423A1 (en) 2021-04-29 2022-04-26 Digital certificate management method and apparatus
EP22794893.2A EP4333365A1 (en) 2021-04-29 2022-04-26 Digital certificate management method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110474136.6A CN113179169B (en) 2021-04-29 2021-04-29 Digital certificate management method and device

Publications (2)

Publication Number Publication Date
CN113179169A CN113179169A (en) 2021-07-27
CN113179169B true CN113179169B (en) 2022-12-09

Family

ID=76925358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110474136.6A Active CN113179169B (en) 2021-04-29 2021-04-29 Digital certificate management method and device

Country Status (1)

Country Link
CN (1) CN113179169B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022228423A1 (en) * 2021-04-29 2022-11-03 中国人民银行数字货币研究所 Digital certificate management method and apparatus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11556925B2 (en) * 2018-09-12 2023-01-17 International Business Machines Corporation Ensuring information fairness and input privacy using a blockchain in a competitive scenario governed by a smart contract
CN109992953A (en) * 2019-02-18 2019-07-09 深圳壹账通智能科技有限公司 Digital certificate on block chain signs and issues, verification method, equipment, system and medium
CN111047324B (en) * 2020-03-16 2020-08-04 支付宝(杭州)信息技术有限公司 Method and apparatus for updating a set of public keys at a blockchain node
CN112671541B (en) * 2020-12-17 2024-09-06 深圳前海微众银行股份有限公司 Method and device for managing nodes in block chain network

Also Published As

Publication number Publication date
CN113179169A (en) 2021-07-27

Similar Documents

Publication Publication Date Title
US20220318907A1 (en) Systems and methods for generating secure, encrypted communications across distributed computer networks for authorizing use of cryptography-based digital repositories in order to perform blockchain operations in decentralized applications
CN113193961B (en) Digital certificate management method and device
CN113162752B (en) Data processing method and device based on hybrid homomorphic encryption
US11716206B2 (en) Certificate based security using post quantum cryptography
US20210042829A1 (en) Computer implemented method and system for transferring control of a digital asset
TWI768403B (en) Methods and devices for cryptographic key management based on blockchain system
US10447467B2 (en) Revocable PKI signatures
CN110189184B (en) Electronic invoice storage method and device
US20220368539A1 (en) Computer implemented method and system for storing certified data on a blockchain
CN115203749B (en) Data transaction method and system based on block chain
CN113206746B (en) Digital certificate management method and device
WO2022247910A1 (en) Information verification method and apparatus
CN113468580B (en) Multi-party collaborative signature method and system
CN114760071A (en) Zero-knowledge proof based cross-domain digital certificate management method, system and medium
CN113179169B (en) Digital certificate management method and device
CN111865761B (en) Social chat information evidence storing method based on block chain intelligent contracts
CN114037447A (en) Method and device for off-line transaction
CN111552950B (en) Software authorization method and device and computer readable storage medium
CN118114222A (en) Authentication method, device, system, equipment and medium for data product
CN111010283B (en) Method and apparatus for generating information
CN113206745B (en) Digital certificate management method and device
CN113206738B (en) Digital certificate management method and device
CN113242132B (en) Digital certificate management method and device
CN113242133B (en) Digital certificate management method and device
EP4333365A1 (en) Digital certificate management method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant