CN113206746B - Digital certificate management method and device - Google Patents

Publication number
CN113206746B
Authority
CN
China
Prior art keywords
digital certificate
block chain
user
information
revocation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110474167.1A
Other languages
Chinese (zh)
Other versions
CN113206746A (en
Inventor
霍云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Currency Institute of the Peoples Bank of China
Original Assignee
Digital Currency Institute of the Peoples Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Currency Institute of the Peoples Bank of China filed Critical Digital Currency Institute of the Peoples Bank of China
Priority to CN202110474167.1A priority Critical patent/CN113206746B/en
Publication of CN113206746A publication Critical patent/CN113206746A/en
Priority to EP22794893.2A priority patent/EP4333365A1/en
Priority to PCT/CN2022/089242 priority patent/WO2022228423A1/en
Application granted granted Critical
Publication of CN113206746B publication Critical patent/CN113206746B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a digital certificate management method and device, and relates to the technical field of computers. One specific implementation of the method comprises: receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user; broadcasting the first user information onto a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using corresponding private key components to generate first signature information; and aggregating the first signature information to generate a digital certificate for the user, the digital certificate indicating identification information of the one or more blockchain nodes. This implementation places the private key used to issue digital certificates under the joint control of multiple management members and improves the security of the digital certificate.

Description

Digital certificate management method and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for managing digital certificates.
Background
The CA (Certificate Authority) is an important component of PKI (Public Key Infrastructure) and is responsible for issuing digital certificates that identify a user. Once the CA private key used to issue digital certificates is compromised, all digital certificates issued by that CA become invalid, so the security of the CA private key is at the heart of overall PKI security.
To improve the security of the CA private key, schemes in which multiple parties manage the CA have been proposed. However, in current multi-party CA management, each management member can issue digital certificates according to its own needs, and because the other management members provide no supervision or unified, coordinated supervision mechanism, improper use of the CA private key by any one party may introduce uncontrollable external risk. In addition, the management member that actually operates and maintains the CA, or a third-party CA manager brought in to do so, has a relatively high degree of control over the CA, and the CA private key is easily leaked through improper management, leaving the whole CA untrusted.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for managing digital certificates that place the private key used to issue digital certificates under the joint control of a plurality of management members, avoid private key disclosure caused by improper management by any single management member, and allow the members participating in issuance of a digital certificate to be selected arbitrarily, thereby further improving the security of the digital certificate.
To achieve the above object, according to an aspect of the present invention, there is provided a digital certificate management method including: receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user;
broadcasting the first user information onto a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using corresponding private key components to generate first signature information;
aggregating the first signature information to generate a digital certificate for the user, the digital certificate indicating identification information of the one or more blockchain nodes.
Optionally, before receiving a digital certificate generation request sent by a user, the method further includes:
writing one or more aggregation public keys into the genesis block of the blockchain, wherein the aggregation public keys are generated by aggregating private key components of any one or more blockchain nodes on the blockchain based on a signature generation algorithm.
Optionally, the method further comprises: uploading the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate by using the aggregation public key.
Optionally, the method further comprises:
receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain so that one or more block chain nodes corresponding to the identification information indicated by the digital certificate to be revoked on the block chain sign the second user information by using corresponding private key components to generate second signature information;
aggregating the second signature information to generate a revocation certificate corresponding to the to-be-revoked digital certificate, where the revocation certificate indicates identification information of the one or more blockchain nodes.
Optionally, the method further comprises:
uploading the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate by using the aggregation public key.
To achieve the above object, according to another aspect of the present invention, there is provided a digital certificate management apparatus including: a request receiving module, an information broadcasting module and a signature aggregation module; wherein
the request receiving module is used for receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user;
the information broadcasting module is configured to broadcast the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using a corresponding private key component to generate first signature information;
the signature aggregation module is configured to aggregate the first signature information to generate a digital certificate for the user, where the digital certificate indicates identification information of the one or more blockchain nodes.
Optionally, the apparatus further comprises: an aggregation public key writing module; wherein
the aggregation public key writing module is configured to write one or more aggregation public keys into the genesis block before a digital certificate generation request sent by a user is received, where the aggregation public keys are generated by aggregating private key components of any one or more blockchain nodes on the blockchain based on a signature generation algorithm.
Optionally, the apparatus further comprises: a digital certificate uploading module; wherein
the digital certificate uploading module is configured to upload the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate by using the aggregation public key.
Optionally, the apparatus further comprises: a digital certificate revocation module; wherein
the digital certificate revocation module is used for receiving a digital certificate revocation request of a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to a block chain, so that one or more block chain nodes corresponding to the identification information indicated by the digital certificate to be revoked on the block chain sign the second user information by using corresponding private key components to generate second signature information;
aggregating the second signature information to generate a revocation certificate corresponding to the to-be-revoked digital certificate, where the revocation certificate indicates identification information of the one or more blockchain nodes.
Optionally, the digital certificate revocation module is further configured to,
upload the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate by using the aggregation public key.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic device for digital certificate management, including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out any of the methods of digital certificate management as described above.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable medium on which is stored a computer program, which when executed by a processor, implements any one of the digital certificate management methods described above.
The invention has the following advantages or beneficial effects: all possible aggregation public keys are stored in the genesis block in advance, so that when a user's digital certificate generation request is received, any one or more blockchain nodes on the blockchain can participate in issuing the digital certificate, that is, sign the first user information with their corresponding private key components, and all of the first signature information is aggregated to generate the digital certificate. In this way, by dispersing the private key for issuing digital certificates into private key components held by a plurality of blockchain nodes, joint control of digital certificate issuance by a plurality of blockchain nodes is achieved; meanwhile, the random selection of the blockchain nodes that issue the digital certificate further improves their resistance to attack, thereby improving the security and reliability of the digital certificate.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
Fig. 1 is a schematic diagram of the main flow of a digital certificate management method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the main flow of another digital certificate management method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the main flow of still another digital certificate management method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the main modules of a digital certificate management apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the main structure of a digital certificate management system according to an embodiment of the present invention;
Fig. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
Fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a main flow of a digital certificate management method according to an embodiment of the present invention, and as shown in fig. 1, the digital certificate management method may specifically include the following steps:
Step S101, receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user.
The digital certificate is a character string which is issued by a certification center and marks identity information of each communication party in internet communication, and is commonly used for business websites such as B2B, B2C, P2P, O2O and the like, information websites containing private information, service websites such as government organs, financial institutions and the like so as to improve the security of the network. According to different users, common digital certificates can be divided into: personal identification digital certificates, corporate or institutional identification digital certificates, payment gateway digital certificates, server digital certificates, secure email digital certificates, personal code signing digital certificates, and the like. The digital certificate indicates at least a digital certificate holder public key, digital certificate holder information, digital certificate issuer information, issuer signature information, and the like. Therefore, to generate the digital certificate corresponding to the user, the first user information at least includes information for identifying the holder of the digital certificate, such as a user public key, a user name, or a user identifier. In addition, the first user information may also include other information that the user needs to display in the digital certificate, and the like.
Step S102, broadcasting the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain use corresponding private key components to sign the first user information, so as to generate first signature information.
That is to say, after the first user information is broadcast to the blockchain, any blockchain node on the blockchain that can obtain the first user information can generate first signature information based on it, and all of the first signature information is then aggregated to generate the digital certificate for the user. This ensures the randomness of the blockchain nodes participating in generating the digital certificate and improves the security of digital certificate issuance.
It can be understood that, to ensure that any one or more blockchain nodes on the blockchain can randomly participate in generating the digital certificate, and that the corresponding aggregation public key can be obtained from the genesis block to verify the validity of the digital certificate, before receiving a digital certificate generation request sent by a user, the method further includes: writing one or more aggregation public keys into the genesis block of the blockchain, wherein the aggregation public keys are generated by aggregating private key components of any one or more blockchain nodes on the blockchain based on a signature generation algorithm. The signature generation algorithm includes, but is not limited to, a Schnorr-based signature algorithm, the BLS signature algorithm, and the like.
Specifically, before receiving a digital certificate generation request sent by a user, an encryption engine is used to generate an asymmetric key pair for each blockchain node, where the asymmetric key pair indicates the public key component and the private key component corresponding to that blockchain node; the public key component may be written into the genesis block or made known to the nodes on the blockchain by means such as an agreed mail or offline exchange. On this basis, using a signature generation algorithm such as the Schnorr signature algorithm or the BLS signature algorithm, the public key components corresponding to any one or more blockchain nodes on the blockchain are aggregated to generate one or more aggregation public keys, and the aggregation public keys are written into the genesis block of the blockchain.
For example, if a blockchain has 5 blockchain nodes, namely node 1, node 2, node 3, node 4 and node 5, then in the step of generating aggregation public keys, the public key components corresponding to any several of the 5 nodes may be randomly aggregated to generate an aggregation public key, for example aggregating the public key components of node 1, node 2 and node 3 to generate one aggregation public key, or aggregating the public key components of node 1, node 2, node 3 and node 4 to generate another. In this manner, multiple aggregation public keys may be generated. More specifically, if in practice no fewer than 3 blockchain nodes are required to participate in generating an aggregation public key, so that digital certificates are issued or managed jointly by a plurality of blockchain nodes, 16 aggregation public keys can be generated in total (10 three-node, 5 four-node and 1 five-node combinations).
On this basis, the generated aggregation public keys can be written into the genesis block of the blockchain, so that a blockchain node, a smart contract or the like that has obtained a digital certificate can obtain the corresponding aggregation public key from the genesis block to verify the digital certificate, ensuring its validity and reliability. Specifically, to prevent the several blockchain nodes that participated in generating an aggregation public key from each writing it, a lock mechanism is used to determine one blockchain node among them, and that blockchain node writes the aggregation public key into the genesis block of the blockchain. Meanwhile, the other blockchain nodes that participated in generating the aggregation public key can verify whether the aggregation public key written into the genesis block is consistent with the one they generated themselves, ensuring that the aggregation public key written into the genesis block is correct. Only when the other blockchain nodes that participated in generating the aggregation public key have verified it do the blockchain nodes acknowledge the validity of the aggregation public key in the genesis block, after which subsequent generation, revocation and so on of digital certificates can proceed.
Step S103, aggregating the first signature information to generate a digital certificate for the user, where the digital certificate indicates the identification information of the one or more blockchain nodes.
The identification information of a blockchain node is information that can be used to distinguish the blockchain node, such as a blockchain node number, the public key component corresponding to the blockchain node, or a blockchain node name. The identification information of the one or more blockchain nodes indicated by the digital certificate is the information of the blockchain nodes that participated in generating the digital certificate. Thus, given that any blockchain node on the blockchain may or may not participate in generating a digital certificate, the verifier of a digital certificate can determine from the blockchain node identifiers indicated by the digital certificate which blockchain nodes actually participated in generating it, obtain the aggregation public key generated from the public key components of those blockchain nodes, and use the aggregation public key to verify the validity or source of the digital certificate.
In an optional embodiment, the method further comprises: uploading the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate by using the aggregation public key.
Taking as an example the case where the blockchain node information indicated by the digital certificate is blockchain node numbers 1, 2 and 3, it can be determined that the blockchain nodes that participated in generating the digital certificate are node 1, node 2 and node 3; the blockchain node or smart contract that needs to verify the digital certificate can therefore obtain from the genesis block the pre-written aggregation public key generated from the public key components of node 1, node 2 and node 3, and verify the digital certificate with it. Specifically, verification of the digital certificate by a smart contract proceeds as follows: first, after obtaining the aggregation public key from the genesis block of the blockchain, the on-chain smart contract decrypts the signature information in the digital certificate with the aggregation public key to obtain a hash value; second, it applies a hash algorithm to the plaintext information in the digital certificate other than the signature information to generate a new hash value; it then checks whether the newly generated hash value matches the hash value obtained by decrypting the signature information with the aggregation public key. If they match, the digital certificate passes verification, that is, the digital certificate is legitimate; if not, the digital certificate fails verification, that is, the digital certificate is not legitimate.
In an optional embodiment, the method further comprises: receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked; broadcasting the second user information to a block chain, so that one or more block chain nodes corresponding to the identification information indicated by the digital certificate to be revoked on the block chain sign the second user information by using corresponding private key components to generate second signature information; aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked, where the revocation certificate indicates identification information of the one or more blockchain nodes.
It is to be appreciated that revocation of a digital certificate often arises during its full life cycle after it has been generated. Specifically, when a digital certificate revocation request sent by a user is received, the second user information is broadcast to the blockchain, so that the blockchain nodes indicated by the digital certificate, namely the blockchain nodes that participated in generating it, each apply a hash algorithm to the second user information to generate a hash value and then encrypt the hash value with their private key components to generate second signature information; the second signature information is aggregated to generate the revocation certificate corresponding to the digital certificate. The revocation certificate likewise indicates the identification information of the blockchain nodes that participated in generating it, so that, given that any blockchain node on the blockchain may or may not take part in a revocation certificate, the specific blockchain nodes that did can be determined. Other nodes on the blockchain can thus obtain from the genesis block, according to the blockchain node identification information indicated by the revocation certificate, the aggregation public key generated from the public key components of the blockchain nodes that participated in generating the revocation certificate, and so verify the validity of the revocation certificate.
In an optional embodiment, the method further comprises: uploading the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregation public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate by using the aggregation public key.
Specifically, taking as an example the case where the blockchain node information indicated by the revocation certificate is blockchain node numbers 1, 2 and 3, it can be determined that the blockchain nodes that participated in generating the revocation certificate are node 1, node 2 and node 3; the blockchain node or smart contract that needs to verify the revocation certificate can therefore obtain from the genesis block the pre-written aggregation public key generated from the public key components of node 1, node 2 and node 3, and then verify the digital certificate using the aggregation public key. More specifically, verification of the revocation certificate by an on-chain smart contract proceeds as follows: first, the aggregation public key generated from the public key components of node 1, node 2 and node 3 is obtained from the blockchain, and the signature information in the revocation certificate is decrypted with it to obtain a hash value; then, a hash algorithm is applied to the plaintext information in the revocation certificate other than the signature information to generate a new hash value; it is then checked whether the newly generated hash value matches the hash value obtained by decrypting the signature information with the aggregation public key. If they match, the revocation certificate passes verification, that is, the digital certificate corresponding to the revocation certificate is invalid; if not, the revocation certificate fails verification, that is, the source of the revocation certificate is unreliable, and the revocation certificate cannot be used to determine whether the corresponding digital certificate has been revoked.
Based on the above embodiment, all possible aggregation public keys are stored in the founding block in advance, so that any one or more block chain nodes on the block chain can participate in issuing the digital certificate when a user digital certificate generation request is received, that is, the corresponding private key component is adopted to sign the first user information, and all the first signature messages are aggregated to generate the digital certificate. In this way, the mode of dispersing the private key for issuing the digital certificate into private key components of a plurality of block chain nodes is adopted, so that the common control of issuing the digital certificate by a plurality of block chain nodes is realized; meanwhile, the attack resistance of the block chain nodes for signing and issuing the digital certificate is further improved through the random selection of the block chain nodes for signing and issuing the digital certificate, so that the safety and the reliability of the digital certificate are improved.
Referring to fig. 2, on the basis of the foregoing embodiment, the present invention provides another digital certificate management method, which may specifically include the following steps:
Step S201, writing one or more aggregate public keys in the genesis block of the blockchain, where the aggregate public keys are generated by aggregating private key components of any one or more blockchain nodes on the blockchain based on a signature generation algorithm.
Specifically, before a digital certificate generation request sent by a user is received, an encryption engine needs to be used to generate an asymmetric key pair for each blockchain node, where the asymmetric key pair indicates the public key component and the private key component corresponding to that blockchain node. The public key components can be written into the genesis block, or the public key component of each blockchain node can be made known by means such as agreed e-mail or offline exchange. On this basis, using a signature generation algorithm such as the Schnorr signature algorithm or the BLS signature algorithm, the public key components corresponding to any one or more blockchain nodes on the blockchain are aggregated to generate one or more aggregate public keys, and the aggregate public keys are written into the genesis block of the blockchain. In this way, any blockchain node on the blockchain can participate in generating the digital certificate, and the aggregate public key generated from the public key components of the blockchain nodes that participated in generating the digital certificate can always be acquired from the genesis block in order to verify the digital certificate.
Step S202, receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user.
Step S203, broadcasting the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain use corresponding private key components to sign the first user information, so as to generate first signature information.
Step S204, aggregating the first signature information to generate a digital certificate for the user, where the digital certificate indicates the identification information of the one or more blockchain nodes.
Referring to fig. 3, on the basis of the foregoing embodiment, an embodiment of the present invention provides another digital certificate management method, which may specifically include the following steps:
Step S301, receiving a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information of the user.
It can be understood that, before a digital certificate generation request sent by a user is received, an encryption engine needs to be used to generate an asymmetric key pair for each blockchain node, where the asymmetric key pair indicates the public key component and the private key component corresponding to that blockchain node. The public key components can be written into the genesis block, or the public key component of each blockchain node can be made known by means such as agreed e-mail or offline exchange. On this basis, using a signature generation algorithm such as the Schnorr signature algorithm or the BLS signature algorithm, the public key components corresponding to any one or more blockchain nodes on the blockchain are aggregated to generate one or more aggregate public keys, and the aggregate public keys are written into the genesis block of the blockchain. In this way, any blockchain node on the blockchain can participate in generating the digital certificate, and the aggregate public key generated from the public key components of the blockchain nodes that participated in generating the digital certificate can always be acquired from the genesis block in order to verify the digital certificate.
Step S302, broadcasting the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain use corresponding private key components to sign the first user information, so as to generate first signature information.
Step S303, aggregating the first signature information to generate a digital certificate for the user, where the digital certificate indicates the identification information of the one or more blockchain nodes.
On this basis, the digital certificate may also be uploaded to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate using the aggregate public key.
Step S304, receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked.
Step S305, broadcasting the second user information to the blockchain, so that the one or more blockchain nodes on the blockchain that correspond to the identification information indicated by the to-be-revoked digital certificate sign the second user information using their corresponding private key components to generate second signature information.
Step S306, aggregating the second signature information to generate a revocation certificate corresponding to the to-be-revoked digital certificate, where the revocation certificate indicates the identification information of the one or more blockchain nodes.
On this basis, the revocation certificate can also be uploaded to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate using the aggregate public key.
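The issuance, verification and revocation flow of steps S301 to S306, as an added example that is not part of the patent text: a plain Schnorr-style multi-signature over a toy multiplicative group, chosen so that the block runs with the Python standard library only and not for its security. The names `Node`, `build_genesis`, `sign`, `verify`, the "issue"/"revoke" purpose tags and the binding of a revocation to a digest of the certificate are assumptions of this example.

```python
import hashlib
import secrets
from itertools import combinations

# Toy group, illustration only: Z_P^* with the prime P = 2^255 - 19.
# Exponents are reduced mod P - 1 (Fermat). A real deployment would use a
# standard prime-order group and a vetted Schnorr or BLS library.
P = 2**255 - 19
ORDER = P - 1
G = 2


def h_int(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")


class Node:
    """Blockchain node holding one private key component (hypothetical class)."""

    def __init__(self, node_id):
        self.node_id = node_id
        self._x = secrets.randbelow(ORDER - 1) + 1  # private key component
        self.pub = pow(G, self._x, P)               # public key component
        self._r = None

    def commit(self):
        self._r = secrets.randbelow(ORDER - 1) + 1  # fresh nonce per signature
        return pow(G, self._r, P)

    def respond(self, c):
        s = (self._r + c * self._x) % ORDER
        self._r = None                              # a nonce is never reused
        return s


def build_genesis(nodes):
    """Aggregate public key for every non-empty node subset, keyed by node ids.
    Plain product aggregation is only sound if each node proved possession of
    its private component when registering its public component (omitted)."""
    table = {}
    for k in range(1, len(nodes) + 1):
        for subset in combinations(nodes, k):
            agg = 1
            for node in subset:
                agg = agg * node.pub % P
            table[frozenset(n.node_id for n in subset)] = agg
    return table


def sign(purpose, info, signers, genesis):
    """Each signer signs with its own component; the parts are aggregated."""
    ids = sorted(n.node_id for n in signers)
    agg_pub = genesis[frozenset(ids)]
    big_r = 1
    for node in signers:
        big_r = big_r * node.commit() % P
    c = h_int(purpose, big_r, agg_pub, info)
    s = sum(node.respond(c) for node in signers) % ORDER
    return {"purpose": purpose, "info": info, "nodes": ids, "sig": (big_r, s)}


def verify(doc, purpose, genesis):
    """Look up the aggregate key by the node ids the document indicates."""
    agg_pub = genesis.get(frozenset(doc["nodes"]))
    if agg_pub is None or doc["purpose"] != purpose:
        return False
    big_r, s = doc["sig"]
    c = h_int(purpose, big_r, agg_pub, doc["info"])
    return pow(G, s, P) == big_r * pow(agg_pub, c, P) % P


def issue_certificate(user_info, nodes, genesis, k):
    signers = secrets.SystemRandom().sample(nodes, k)  # random node selection
    return sign("issue", user_info, signers, genesis)


def cert_digest(cert):
    return str(h_int("cert", cert["info"], cert["nodes"], *cert["sig"])).encode()


def revoke_certificate(cert, second_info, nodes, genesis):
    by_id = {n.node_id: n for n in nodes}
    signers = [by_id[i] for i in cert["nodes"]]  # nodes indicated by the cert
    return sign("revoke", second_info + b"|revokes:" + cert_digest(cert),
                signers, genesis)


def is_revoked(cert, revocation, genesis):
    return (verify(revocation, "revoke", genesis)
            and revocation["nodes"] == cert["nodes"]
            and revocation["info"].endswith(b"|revokes:" + cert_digest(cert)))


if __name__ == "__main__":
    nodes = [Node(i) for i in (1, 2, 3, 4)]        # constructed sample network
    genesis = build_genesis(nodes)
    cert = issue_certificate(b"CN=alice", nodes, genesis, k=3)
    rev = revoke_certificate(cert, b"CN=alice", nodes, genesis)
    print(cert["nodes"], verify(cert, "issue", genesis), is_revoked(cert, rev, genesis))
```

The genesis table grows as 2^n - 1 entries for n nodes, which is the storage cost of writing every possible aggregate public key in advance.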
Referring to fig. 4, on the basis of the above embodiment, the embodiment of the present invention provides a digital certificate management apparatus 400, which includes: a request receiving module 402, an information broadcasting module 403, and a signature aggregation module 404; wherein,
the request receiving module 402 is configured to receive a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information of the user;
the information broadcasting module 403 is configured to broadcast the first user information onto a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information using corresponding private key components to generate first signature information;
the signature aggregation module 404 is configured to aggregate the first signature information to generate a digital certificate for the user, where the digital certificate indicates the identification information of the one or more blockchain nodes.
In an optional embodiment, the apparatus further comprises: an aggregate public key writing module 401; wherein,
the aggregate public key writing module 401 is configured to write one or more aggregate public keys in the genesis block before receiving a digital certificate generation request sent by a user, where the aggregate public key is generated by aggregating private key components of any one or more blockchain nodes in the blockchain based on a signature generation algorithm.
In an optional embodiment, the apparatus further comprises: a digital certificate upload module 405; wherein,
the digital certificate uploading module 405 is configured to upload the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate using the aggregate public key.
In an optional embodiment, the apparatus further comprises: a digital certificate revocation module 406; wherein,
the digital certificate revocation module 406 is configured to receive a digital certificate revocation request of a user, where the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcast the second user information to the blockchain, so that the one or more blockchain nodes on the blockchain that correspond to the identification information indicated by the digital certificate to be revoked sign the second user information using their corresponding private key components to generate second signature information;
aggregate the second signature information to generate a revocation certificate corresponding to the to-be-revoked digital certificate, where the revocation certificate indicates identification information of the one or more blockchain nodes.
In an alternative embodiment, the digital certificate revocation module 406 is further configured to,
upload the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate using the aggregate public key.
Referring to fig. 5, on the basis of the above embodiment, an embodiment of the present invention provides a digital certificate management system 500, which includes a digital certificate management apparatus 400 and a blockchain 501; wherein,
the digital certificate management apparatus 400 is configured to receive a digital certificate generation request sent by a user, where the digital certificate generation request indicates first user information of the user; broadcasting the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using corresponding private key components to generate first signature information; aggregating the first signature information to generate a digital certificate for the user, the digital certificate indicating identification information of the one or more blockchain nodes.
The blockchain 501 is configured to store the aggregate public key, and the blockchain nodes on the blockchain that participate in generating the aggregate public key are configured to sign the first user information using their private key components, so as to generate first signature information.
Fig. 6 illustrates an exemplary system architecture 600 to which the digital certificate management method or apparatus of an embodiment of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wired or wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with a server 605, via a network 604, to receive or send messages or the like. Various applications may be installed on the terminal devices 601, 602, 603.
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server that provides various services, such as a background management server that provides support for websites browsed by users using the terminal devices 601, 602, 603. The background management server can analyze and process received data such as the digital certificate generation request, and feed back processing results such as the digital certificate and the revocation certificate to the terminal device.
It should be noted that the digital certificate management method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the digital certificate management apparatus is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, ROM 702, and RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that the computer program read out therefrom is mounted in the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the central processing unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a request receiving module, an information broadcasting module, and a signature aggregation module. Where the names of these modules do not constitute a limitation on the module itself under certain circumstances, for example, a signature aggregation module may be described as "a module for aggregating the first signature information to generate a digital certificate for the user".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user; broadcasting the first user information onto a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using corresponding private key components to generate first signature information; aggregating the first signature information to generate a digital certificate for the user, the digital certificate indicating identification information of the one or more blockchain nodes.
According to the technical scheme of the embodiment of the invention, all possible aggregate public keys are stored in the genesis block in advance, so that any one or more blockchain nodes in the blockchain can participate in issuing the digital certificate when a user's digital certificate generation request is received; that is, each participating node signs the first user information with its corresponding private key component, and all the first signature information is aggregated to generate the digital certificate. In this way, the private key used to issue the digital certificate is dispersed into the private key components of a plurality of blockchain nodes, so that issuance of the digital certificate is jointly controlled by a plurality of blockchain nodes; meanwhile, randomly selecting the blockchain nodes that issue the digital certificate further improves the attack resistance of those nodes, thereby improving the security and reliability of the digital certificate.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A digital certificate management method, comprising:
receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user;
broadcasting the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information by using corresponding private key components to generate first signature information;
aggregating the first signature information to generate a digital certificate for the user, the digital certificate indicating identification information of the one or more blockchain nodes.
2. The method of claim 1, further comprising, prior to receiving a request for generating a digital certificate from a user:
writing one or more aggregate public keys in a genesis block of the blockchain, wherein the aggregate public keys are generated by aggregating private key components of any one or more blockchain nodes on the blockchain based on a signature generation algorithm.
3. The digital certificate management method according to claim 2, further comprising: uploading the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate using the aggregate public key.
4. The digital certificate management method according to claim 2, further comprising:
receiving a digital certificate revocation request sent by a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to the blockchain, so that the one or more blockchain nodes on the blockchain that correspond to the identification information indicated by the digital certificate to be revoked sign the second user information using their corresponding private key components to generate second signature information;
aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked, where the revocation certificate indicates identification information of the one or more blockchain nodes.
5. The method of claim 4, further comprising:
uploading the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate using the aggregate public key.
6. A digital certificate management apparatus, comprising: a request receiving module, an information broadcasting module and a signature aggregation module; wherein,
the request receiving module is used for receiving a digital certificate generation request sent by a user, wherein the digital certificate generation request indicates first user information of the user;
the information broadcasting module is configured to broadcast the first user information to a blockchain, so that any one or more blockchain nodes on the blockchain sign the first user information using corresponding private key components to generate first signature information;
the signature aggregation module is configured to aggregate the first signature information to generate a digital certificate for the user, where the digital certificate indicates identification information of the one or more blockchain nodes.
7. The digital certificate management apparatus according to claim 6, further comprising: an aggregate public key writing module; wherein,
the aggregate public key writing module is configured to write one or more aggregate public keys in a genesis block of the blockchain before receiving a digital certificate generation request sent by a user, where the aggregate public key is generated by aggregating private key components of any one or more blockchain nodes in the blockchain based on a signature generation algorithm.
8. The digital certificate management apparatus according to claim 7, further comprising: a digital certificate uploading module; wherein,
the digital certificate uploading module is configured to upload the digital certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the digital certificate, and verifies the digital certificate using the aggregate public key.
9. The digital certificate management apparatus according to claim 7, further comprising: a digital certificate revocation module; wherein,
the digital certificate revocation module is used for receiving a digital certificate revocation request of a user, wherein the digital certificate revocation request indicates second user information of the user and a digital certificate to be revoked;
broadcasting the second user information to the blockchain, so that the one or more blockchain nodes on the blockchain that correspond to the identification information indicated by the digital certificate to be revoked sign the second user information using their corresponding private key components to generate second signature information;
aggregating the second signature information to generate a revocation certificate corresponding to the digital certificate to be revoked, where the revocation certificate indicates identification information of the one or more blockchain nodes.
10. The digital certificate management apparatus of claim 9, wherein the digital certificate revocation module is further configured to,
upload the revocation certificate to the blockchain, so that a blockchain node or a smart contract obtains the corresponding aggregate public key from the genesis block according to the identification information of the one or more blockchain nodes indicated by the revocation certificate, and verifies the revocation certificate using the aggregate public key.
11. An electronic device for digital certificate management, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, causing the one or more processors to implement the method of any one of claims 1-5.
12. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-5.
CN202110474167.1A 2021-04-29 2021-04-29 Digital certificate management method and device Active CN113206746B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202110474167.1A CN113206746B (en) 2021-04-29 2021-04-29 Digital certificate management method and device
EP22794893.2A EP4333365A1 (en) 2021-04-29 2022-04-26 Digital certificate management method and apparatus
PCT/CN2022/089242 WO2022228423A1 (en) 2021-04-29 2022-04-26 Digital certificate management method and apparatus

Publications (2)

Publication Number Publication Date
CN113206746A CN113206746A (en) 2021-08-03
CN113206746B true CN113206746B (en) 2022-12-13

Family

ID=77027767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110474167.1A Active CN113206746B (en) 2021-04-29 2021-04-29 Digital certificate management method and device

Country Status (1)

Country Link
CN (1) CN113206746B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022228423A1 (en) * 2021-04-29 2022-11-03 中国人民银行数字货币研究所 Digital certificate management method and apparatus
CN115277008B (en) * 2022-07-01 2024-04-12 浪潮软件股份有限公司 Method and system for managing document signature based on blockchain

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109992953A (en) * 2019-02-18 2019-07-09 深圳壹账通智能科技有限公司 Digital certificate on block chain signs and issues, verification method, equipment, system and medium
CN111047324B (en) * 2020-03-16 2020-08-04 支付宝(杭州)信息技术有限公司 Method and apparatus for updating a set of public keys at a blockchain node

Also Published As

Publication number Publication date
CN113206746A (en) 2021-08-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant