CN113507458B - Cross-domain identity authentication method based on block chain - Google Patents

Cross-domain identity authentication method based on blockchain

Info

Publication number
CN113507458B
CN113507458B (application CN202110718016.6A)
Authority
CN
China
Prior art keywords
domain
cross
block chain
layer block
identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110718016.6A
Other languages
Chinese (zh)
Other versions
CN113507458A (en
Inventor
夏琦
高建彬
周靖岚
胡垚
李莹珠
宋炜
孙钰山
尹紫荆
朱涵仪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Financial Dream Workshop Investment Management Co ltd
University of Electronic Science and Technology of China
Original Assignee
Chengdu Financial Dream Workshop Investment Management Co ltd
University of Electronic Science and Technology of China
Application filed by Chengdu Financial Dream Workshop Investment Management Co ltd and University of Electronic Science and Technology of China
Priority to CN202110718016.6A
Publication of CN113507458A
Application granted
Publication of CN113507458B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H04L 67/1042 Peer-to-peer [P2P] networks using topology management mechanisms
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a blockchain-based cross-domain identity authentication method built on a two-layer (main-layer and sub-layer) blockchain architecture. Each application domain maintains its own sub-layer blockchain for intra-domain identity authentication and authority management, and submits its intra-domain authentication results to the main-layer blockchain through its main-layer blockchain access node; the main-layer blockchain is maintained jointly by the access nodes of all application domains, and cross-domain identity authentication between application domains is then carried out by means of the main-layer blockchain. The method generates fine-grained cross-domain identity access credentials that let the user selectively disclose credential attributes while the verifier can still check the credential's integrity and validity, and it provides a lightweight, verifiable credential-validity mechanism that realizes decentralized verification of whether a cross-domain identity access credential is still valid.

Description

Cross-domain identity authentication method based on block chain
Technical Field
The invention belongs to the field of the Internet, relates to blockchain technology and identity authentication technology, and in particular to a blockchain-based cross-domain identity authentication method.
Background
With the rapid development of cloud computing, the number of application domains offering network resources on the Internet has grown quickly, and interaction between clients and application domains, and between application domains themselves, has become more frequent. If every client must authenticate and be authorized separately in each application domain, the burden on the user grows considerably, and the PKI authentication server of each domain spends large amounts of hardware resources on repeated authentication. To let users switch between domains and obtain resources conveniently, a cross-domain identity authentication technique is needed that implements access control and authority management between domains while revealing only part of the user's identity information, so that network resources are protected from illegal access.
Traditional unified identity authentication built on cookies and a redirection mechanism has the problem that all sites share one secret key, and because the scheme relies on a trusted third party, the centrally managed application account carries the risk of a single point of attack and of privacy disclosure. The blockchain's decentralization, high fault tolerance and distributed trust offer a way to address these problems of traditional cross-domain identity authentication.
Disclosure of Invention
Aiming at the problems of centralization, efficiency, security and difficult credential revocation in traditional cross-domain identity authentication, a blockchain-based cross-domain identity authentication method is provided. The method uses the blockchain both as the medium that conveys trust and as the storage medium; the blockchain is maintained jointly by all participating nodes, which realizes decentralized cross-domain identity authentication.
The blockchain-based cross-domain identity authentication method is implemented on a two-layer (main-layer and sub-layer) blockchain architecture: each application domain maintains its own sub-layer blockchain for intra-domain identity authentication and authority management, submits its intra-domain authentication results to the main-layer blockchain through its main-layer blockchain access node, the main-layer blockchain is maintained by the access nodes of all application domains, and cross-domain identity authentication is finally carried out by means of the main-layer blockchain.
The two-layer blockchain architecture comprises: the main-layer blockchain, the sub-layer blockchains, the CA nodes and the AS main-layer blockchain access nodes.
The blockchain-based cross-domain identity authentication method provided by the invention comprises the following steps:
Step 1: Each application domain first builds a sub-layer blockchain, as a consortium chain or a public chain, according to its own service requirements, and the local AS main-layer blockchain access node of each sub-layer blockchain joins the main-layer blockchain after authorization and authentication.
Step 2: Once the two-layer blockchain has been built, the application domains construct role-authority mapping tables between one another through the inter-domain authority negotiation method; each application domain then uses its role-authority mapping table to check whether a cross-domain access operation is legitimate.
Step 3: Before issuing a cross-domain request, a user must obtain a network-wide unique identity identifier through the intra-domain identity authentication method.
Step 4: Holding that identifier, the user runs the cross-domain identity login method: the user first obtains a cross-domain identity access credential from the local CA node of its application domain, then sends the credential identification number and the cross-domain operation information to the authorized domain; the authorized domain verifies the validity and legitimacy of the credential and of the operation information, executes the cross-domain request once verification passes, and returns the result to the user.
The inter-domain authority negotiation method comprises the following steps:
Step 1: The CA node of each application domain generates and locally stores the role table, the authority table and the role-authority mapping table of its own domain.
Step 2: The application domain requesting authorized access sends an authorization request carrying its own roles and domain information, and waits for the authorized domain's response. When the response arrives, the requesting domain broadcasts the authorization result to the main-layer blockchain through the AS main-layer blockchain access node of its sub-layer blockchain for synchronization.
The intra-domain identity authentication method comprises the following steps:
Step 1: The intra-domain CA node stores user information and performs identity authentication; an intra-domain user sends its identity authentication information to the CA server and waits for the CA node to authenticate it.
Step 2: The intra-domain CA node verifies the user's identity, allocates user identity identifier information to the user once verification passes, and broadcasts the allocation result to the main-layer and sub-layer blockchains for synchronization.
The cross-domain identity login method comprises the following steps:
Step 1: The intra-domain user submits a cross-domain access request to the intra-domain CA node; the request contains the identification number of the domain to be accessed, the validity period, the user identification number and the user's signature, and the user waits for the CA node to authorize the cross-domain access.
Step 2: On receiving the request, the intra-domain CA node verifies the signature, generates the cross-domain identity access credential once verification passes, signs the credential with its local private key, broadcasts the credential and the signature to the sub-layer blockchain of its application domain for synchronization and verification, issues the credential after that verification passes, and has the AS main-layer blockchain access node of its sub-layer blockchain synchronize a digest of the credential to the main-layer blockchain.
Step 3: The user signs the cross-domain operation information, submits the credential, the operation information and the signature to the authorized domain, and waits for the authorized domain's authentication and response.
Step 4: The authorized domain verifies the integrity of the credential against the credential digest on the main-layer blockchain, verifies the credential's validity from the attributes the user has disclosed, executes the requested operation once verification passes, and returns the result to the user.
The invention provides a cross-domain identity authentication model based on a main-layer and a sub-layer blockchain, which is highly general: each application domain can build its own in-domain blockchain system according to its service requirements and then join the main-layer blockchain system through its local AS main-layer blockchain access node. Cross-domain identity schemes based on cookies or redirection rely on a third-party trust mechanism and are exposed to single-point attack, which this model avoids. The invention also provides a lightweight, verifiable credential-validity mechanism that realizes decentralized verification of whether a cross-domain credential has been revoked.
Drawings
FIG. 1 is a schematic diagram of the two-layer (main-layer and sub-layer) blockchain architecture
FIG. 2 is a timing diagram of user registration
FIG. 3 is a timing diagram of a cross-domain identity access credential application
Detailed Description
The embodiments of the invention are described in more detail below with reference to the accompanying drawings and reference numerals so that those skilled in the art can implement them after studying the description. The embodiments described here serve only to illustrate the invention and are not to be construed as limiting it.
As shown in FIG. 1, the CA server, the AS server and the ordinary servers in each application domain build a sub-layer blockchain whose security requirements follow the domain's service requirements; the sub-layer blockchain of a domain may be a consortium chain, a public chain or a private chain. When the AS main-layer blockchain access node of a new application domain requests to join the main-layer blockchain, the access nodes already on the main-layer blockchain review the request and vote, and only after the vote passes is the new domain's access node admitted to the main-layer blockchain. The new application domain then broadcasts its domain public key to the main-layer blockchain through the AS main-layer blockchain access node of its sub-layer blockchain. The sub-layer blockchain of each application domain executes the domain's own services asynchronously and finally submits the execution results to the main-layer blockchain.
The blockchain-based cross-domain identity authentication method proceeds through the four steps listed under Disclosure of Invention above; each of its components is now described in detail.
Inter-domain authority negotiation is the foundation of the whole cross-domain identity authentication method: an application domain that has joined the main-layer blockchain may issue cross-domain access credentials for another domain to its own users only after it has completed authority negotiation with that domain in advance.
Inter-domain authority negotiation first requires each application domain to exchange its public key, which has already happened when the domain joined the main-layer blockchain. To protect the information, every cross-domain authorization request and response is transmitted encrypted under these keys. The cross-domain authorization request carries a mapping between the roles of the request domain (the application domain requesting authorized access) and the roles of the authorized domain; after the authorized domain has created the role mapping it builds a Merkle tree M1 over it and uploads the root hash of M1 to the main-layer blockchain for synchronization, which protects the integrity of the mapping while keeping its content off the chain.
Concretely, the request domain establishes the mapping between its local roles and the authorized domain's roles, signs the request-domain chain identifier and the role mapping table with its private key, encrypts the chain identifier, the mapping table and the signature with the authorized domain's public key, and sends the ciphertext to the authorized domain. The authorized domain decrypts the request and checks the signature; once it passes, the authorized domain creates the authorization information (the authorization validity period and, for each role, the list of interfaces it may request), inserts this authorization structure into its cross-domain authorization table (a locally maintained data structure, empty initially, to which one entry is added per authorization in this way), publishes a digest of the authorization information to the main-layer blockchain for synchronization, and returns the encrypted authorization result to the request domain. The request domain decrypts the result and compares it with the authorization digest on the main-layer blockchain: if authorization was granted and a matching digest exists, the authorization request has succeeded; otherwise it has failed. The role-authority mapping table stores the resulting role-authority mapping.
During intra-domain identity authentication the local domain's CA node, the main-layer blockchain and the sub-layer blockchain all take part in the review; once the main-layer blockchain's review completes, an IdCard is generated for the user from the registration information. The registration process is shown in FIG. 2:
The user holds a public/private key pair and a user number. The user generates a random number with a local random function, signs the random number, the user number and the public key with the private key, and sends the random number, user number, public key and signature to the CA node of the application domain for intra-domain identity authentication.
The CA node of the application domain receives the user's intra-domain authentication request and, after the signature verifies, generates the registration information RCardA for the user.
The CA node signs RCardA with its own private key and sends RCardA and the signature to its sub-layer blockchain, which triggers the sub-layer blockchain's smart contract to verify the signature and send the verification result to the AS main-layer blockchain access node of that sub-layer blockchain.
If verification passes, the AS main-layer blockchain access node of the user's sub-layer blockchain signs RCardA and the user's public key with its local private key and sends them to the main-layer blockchain for verification; this triggers the main-layer blockchain's smart contract to check the validity of the user identity information and of the domain identity information, a user identity certificate is created on the main-layer blockchain after the check passes, and the access node returns the user identity certificate number to the user.
A user in the application domain requests cross-domain access from the CA node of the application domain (i.e. sends a cross-domain credential application): the user sends the requested authorization validity period, the user identity certificate number, and the signature produced with the user's private key over the validity period and the certificate number, and waits for the CA node to issue the cross-domain identity access credential. The issuing process is shown in FIG. 3:
After receiving the credential application, the application domain's CA node verifies the signature, generates the cross-domain identity access credential from the user's role information once verification passes, and broadcasts the credential together with the CA node's signature over it to the user's sub-layer blockchain for synchronization. The CA node then builds a Merkle tree M2 whose leaves are the hash values of the individual fields of the credential (M1 is the Merkle tree built from the role mapping; M2 is the Merkle tree built from the hashes of the credential's fields; a Merkle tree is a structure whose root hash allows the integrity of the underlying data set to be verified), signs the root hash of M2, and sends the signature over the M2 root hash, the M2 root hash and the credential number (the credential is a set of data fields and carries a number) to the AS main-layer blockchain access node of the user's sub-layer blockchain.
When the AS main-layer blockchain access node of the user's sub-layer blockchain receives this message, it verifies the signature over the M2 root hash and synchronizes the M2 root hash and the cross-domain identity access credential to the main-layer blockchain.
The cross-domain identity access credential contains the attribute fields: user public key, credential number, user role, user identity number, authorization validity period, and other information.
The user can selectively disclose the attribute fields of the credential according to privacy requirements. For example, the user builds a time-validity proof circuit with a zero-knowledge proof system (zk-SNARK), calls the circuit's proof-generation algorithm with the authorization validity period as input to obtain a time-validity proof, replaces the authorization validity period in the credential with its hash value (so that the credential's integrity and validity can still be verified against M2), submits the time-validity proof and the credential to the authorized domain, requests the corresponding operation and waits for the result.
The authorized domain first checks whether it holds an inter-domain authority mapping table for the user's home domain (the table built by the inter-domain authority negotiation method, which stores the role-authority mapping between the two application domains and may be kept locally in memory or on disk) and verifies the integrity of that table against the root hash of Merkle tree M1 stored on the main-layer blockchain. After that passes, it verifies the user's identity through the main-layer blockchain's smart contract and verifies the legitimacy and integrity of the cross-domain identity access credential. If the user has sent a cross-domain access time-validity proof, the authorized domain takes the proof and the current time as input and calls the zero-knowledge verification algorithm to check it.
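The two Merkle trees of the description, as an added example that is not part of the patent: M1 commits to the inter-domain role-authority mapping table produced by the negotiation step above, and M2 commits to the fields of the cross-domain identity access credential, so that the user can replace hidden fields by their hashes while the authorized domain still verifies the presentation against the M2 root synchronized on the main-layer blockchain. Python with SHA-256; the field names, the `name=value` leaf encoding, the in-memory `MAIN_CHAIN` dictionary standing in for the main-layer blockchain, and the sample mapping table and credential are all this example's own assumptions. The zk-SNARK time-validity proof is not reproduced; the hidden validity period is only committed to by its hash here.

```python
"""Added example (not from the patent): Merkle trees M1 and M2 over SHA-256.

M1 commits to an inter-domain role-authority mapping table; only the root is
published on the main-layer chain and the authorized domain checks its local
copy against it.  M2 commits to the fields of a cross-domain identity access
credential; the user discloses some fields and replaces the others by their
leaf hashes, and the verifier recomputes the root and compares it with the
root synchronized on the main-layer chain.  The leaf encoding, field list and
MAIN_CHAIN dictionary are assumptions of this example.
"""
import hashlib
import json
from typing import Dict, List

# Assumed attribute order of the credential (the patent lists these fields).
FIELD_ORDER = ["user_public_key", "credential_number", "user_role",
               "user_identity_number", "authorization_validity_time"]


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(value: bytes) -> bytes:
    # 0x00 prefix separates leaves from inner nodes (second-preimage hardening).
    return h(b"\x00" + value)


def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)


def merkle_root(leaves: List[bytes]) -> bytes:
    """Root over already-hashed leaves; an odd level duplicates its last node."""
    if not leaves:
        return h(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def canonical(obj) -> bytes:
    # Deterministic JSON so both domains hash the same bytes for the same entry.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# ---- M1: role-authority mapping table between two domains ----
def m1_root(mapping_table: List[dict]) -> bytes:
    return merkle_root([leaf_hash(canonical(entry)) for entry in mapping_table])


def mapping_table_matches_chain(mapping_table: List[dict], chain_root: bytes) -> bool:
    """Authorized-domain check: local table vs. root stored on the main chain."""
    return m1_root(mapping_table) == chain_root


# ---- M2: cross-domain identity access credential ----
def field_leaf(name: str, value: str) -> bytes:
    return leaf_hash(name.encode() + b"=" + value.encode())


def m2_root(credential: Dict[str, str]) -> bytes:
    return merkle_root([field_leaf(n, credential[n]) for n in FIELD_ORDER])


def disclose(credential: Dict[str, str], hidden: List[str]) -> Dict[str, dict]:
    """User side: keep disclosed fields in clear, replace hidden ones by their leaf hash."""
    presented = {}
    for n in FIELD_ORDER:
        if n in hidden:
            presented[n] = {"hash": field_leaf(n, credential[n]).hex()}
        else:
            presented[n] = {"value": credential[n]}
    return presented


def verify_disclosure(presented: Dict[str, dict], chain_root: bytes) -> bool:
    """Authorized-domain side: rebuild M2 from clear and hashed fields, compare roots."""
    leaves = []
    for n in FIELD_ORDER:
        item = presented.get(n)
        if item is None:
            return False
        if "value" in item:
            leaves.append(field_leaf(n, item["value"]))
        elif "hash" in item:
            leaves.append(bytes.fromhex(item["hash"]))
        else:
            return False
    return merkle_root(leaves) == chain_root


# Constructed sample data (not from the patent).
MAPPING_TABLE = [
    {"request_role": "data_admin", "authorized_role": "data_admin",
     "interfaces": ["query_history_cases"]},
    {"request_role": "doctor", "authorized_role": "guest",
     "interfaces": ["query_case_summary"]},
]
CREDENTIAL = {
    "user_public_key": "pk_hex_placeholder",
    "credential_number": "CRED-0001",
    "user_role": "data_admin",
    "user_identity_number": "UID-42",
    "authorization_validity_time": "2021-07-01T00:00:00Z",
}
# Stand-in for the roots synchronized on the main-layer blockchain.
MAIN_CHAIN = {"m1_root": m1_root(MAPPING_TABLE), "m2_root": m2_root(CREDENTIAL)}


def demo():
    """Returns (table ok, honest presentation ok, forged role presentation ok)."""
    table_ok = mapping_table_matches_chain(MAPPING_TABLE, MAIN_CHAIN["m1_root"])
    presented = disclose(CREDENTIAL, hidden=["authorization_validity_time", "user_identity_number"])
    honest_ok = verify_disclosure(presented, MAIN_CHAIN["m2_root"])
    forged = dict(presented)
    forged["user_role"] = {"value": "superadmin"}  # tampered disclosed field
    return table_ok, honest_ok, verify_disclosure(forged, MAIN_CHAIN["m2_root"])
```

Hashing a field value directly, as the description does, hides it only if the value is hard to guess: a role name or a timestamp can be recovered from its leaf hash by enumeration, so a deployment would add a per-field random blinding value to each leaf before hashing and hand that value over together with any disclosed field. The verifier must also check the CA node's signature over the M2 root before trusting it, which this example omits.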
The invention uses a credential mechanism to realize cross-domain access between application domains. Because cross-domain identity access credentials are managed in a decentralized way, revoking one is not straightforward; the invention therefore provides a lightweight, verifiable credential-validity mechanism (a revoked credential is found to be invalid at the moment it is verified).
The intra-domain CA node maintains locally a number with initial value 1 and a table of distinct primes. When it issues a cross-domain identity access credential, it picks a prime at random from the table, binds that prime to the credential, removes the prime from the table, multiplies the locally maintained number by it, and broadcasts the product through the AS main-layer blockchain access node of its sub-layer blockchain to be stored on the main-layer blockchain.
To revoke a cross-domain identity access credential, the intra-domain CA node only needs to divide the number stored on the main-layer blockchain by the prime bound to that credential, update its local number directly with the quotient, and have the local domain's AS main-layer blockchain access node broadcast the quotient so that the number on the main-layer blockchain is updated as well. The prime bound to the revoked credential may or may not be returned to the prime table.
To verify the validity of a cross-domain identity access credential, the authorized domain only needs to test whether the number bound to the request domain on the main-layer blockchain is divisible by the prime bound to the credential: if it is, the credential has not been revoked; otherwise it has been revoked.
Example one
The block chain-based cross-domain identity authentication method is explained by taking the sharing of patient medical data between hospital A and hospital B as the application scenario.
Assume that a number of hospitals take part in this business, and that hospital A and hospital B need to share patient data.
Step 1: Each hospital first needs to protect its own service data, so it constructs an auxiliary layer block chain in its own application domain in consortium chain mode, and selects its own AS main layer block chain access node through that auxiliary layer block chain to join and form the main layer block chain.
Step 2: Both hospital A and hospital B have a patient data administrator role, which has the authority to query the historical case data of all patients. Hospitals A and B establish the role authority mapping relation between their data administrator roles through the inter-domain authority negotiation method.
A user in hospital A holds the data administrator role and needs to acquire the historical case data of one patient from hospital B.
Step 3: The data administrator user of hospital A obtains a globally unique identity ID through intra-domain identity authentication.
Step 4: The hospital A user sends the globally unique identity ID together with the request parameters for acquiring the patient case in hospital B to the local CA node to obtain a cross-domain identity access certificate, and then sends the certificate, the request parameters and a signature to the CA node of hospital B by the cross-domain login method. The CA node of hospital B verifies the legality of the certificate and of the operation, executes the query after both checks pass, and returns the patient case information.
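The following Go program is an added example (not code from the patent) of step 4 above: hospital A's CA issues a cross-domain identity access certificate and publishes its digest to a stand-in for the main layer block chain, and hospital B's side verifies integrity against that digest, the issuing CA's signature, the target domain and the exposed validity time. The certificate fields, the JSON encoding, the in-memory chain and the Ed25519 signatures are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CrossDomainCert: the S41 request fields; names and JSON encoding are assumptions of this example.
type CrossDomainCert struct {
	TargetDomain string `json:"target_domain"` // domain to be accessed
	UserCertNo   string `json:"user_cert_no"`  // user identity certificate number
	UserID       string `json:"user_id"`
	ValidUntil   int64  `json:"valid_until"` // unix seconds; an exposed attribute
}

// Digest is the certificate abstract that S42 synchronises to the main chain.
func (c CrossDomainCert) Digest() [32]byte {
	b, _ := json.Marshal(c) // struct encoding is deterministic
	return sha256.Sum256(b)
}

// MainChain stands in for the main layer block chain's set of published digests.
type MainChain struct{ digests map[[32]byte]bool }
func NewMainChain() *MainChain { return &MainChain{digests: map[[32]byte]bool{}} }

// IssueCert is the CA side of S42: sign with the CA key and publish the digest.
func IssueCert(caPriv ed25519.PrivateKey, chain *MainChain, c CrossDomainCert) []byte {
	b, _ := json.Marshal(c)
	chain.digests[c.Digest()] = true
	return ed25519.Sign(caPriv, b)
}

// VerifyCert is the authorized domain's S44: integrity from the on-chain digest,
// the issuing CA's signature, then the exposed attributes (now is unix seconds).
func VerifyCert(caPub ed25519.PublicKey, chain *MainChain, c CrossDomainCert,
	sig []byte, myDomain string, now int64) error {
	if !chain.digests[c.Digest()] {
		return errors.New("digest not on main layer chain: certificate altered or unknown")
	}
	if b, _ := json.Marshal(c); !ed25519.Verify(caPub, b, sig) {
		return errors.New("CA signature does not verify")
	}
	if c.TargetDomain != myDomain {
		return errors.New("certificate was issued for another domain")
	}
	if now > c.ValidUntil {
		return errors.New("certificate validity time has passed")
	}
	return nil
}

func main() { // stand-alone demo with a freshly generated CA key pair
	pub, priv, _ := ed25519.GenerateKey(nil)
	chain := NewMainChain()
	c := CrossDomainCert{"hospitalB", "UC-0001", "dataAdminA", 1700000000} // constructed
	fmt.Println(VerifyCert(pub, chain, c, IssueCert(priv, chain, c), "hospitalB", 1690000000))
}
```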
The embodiments described above are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Claims (4)

1. A cross-domain identity authentication method based on a block chain, characterized in that the method is realized by a main and auxiliary double-layer block chain structure and specifically comprises the following steps:
step S1: each application domain first constructs a sub-layer block chain based on a consortium chain or a public chain according to its own service requirements, and the local AS main layer block chain access node of each sub-layer block chain joins the main layer block chain after authorization and authentication;
step S2: after the main and auxiliary double-layer block chains are constructed, the application domains construct a role authority mapping table between one another through an inter-domain authority negotiation method, and each application domain can verify the legality of cross-domain access operations through the role authority mapping table;
step S3: before executing a cross-domain request, a user needs to establish his own network-wide unique identity identification information through an intra-domain identity authentication method;
step S4: after obtaining the network-wide unique identity identification information, the user uses a cross-domain identity login method: a cross-domain identity access certificate is first obtained from the intra-domain CA node of the user's application domain; the certificate and the cross-domain access operation information are then sent to the authorized domain; the authorized domain verifies the validity and legality of the cross-domain identity access certificate and of the cross-domain access operation information, executes the cross-domain request after the verification passes, and returns the result to the user;
the cross-domain identity login method in step S4 specifically comprises:
step S41: an intra-domain user submits a cross-domain access request to the intra-domain CA node, the request comprising the identification number of the domain to be accessed, the user identity certificate number, the validity time, the user identification number and a signature, and waits for the cross-domain access authorization of the intra-domain CA node;
step S42: after receiving the cross-domain access request, the intra-domain CA node verifies the validity of the signature, generates a cross-domain identity access certificate after the verification passes, signs the certificate with its local private key, broadcasts the certificate and its signature to the auxiliary layer block chain of the application domain for synchronization and verification, issues the certificate after that verification passes, and synchronizes the certificate digest to the main layer block chain through the AS main layer block chain access node of the auxiliary layer block chain;
step S43: the user signs the cross-domain access operation information, submits the cross-domain identity access certificate, the requested cross-domain access operation information and the signature of that information to the authorized domain, and waits for the authentication and response of the authorized domain;
step S44: the authorized domain verifies the integrity of the cross-domain identity access certificate through the certificate digest in the main layer block chain, verifies the validity of the certificate according to its exposed certificate attributes, executes the requested operation after the verification passes, and returns the operation result to the user.
2. The block chain-based cross-domain identity authentication method according to claim 1, wherein the inter-domain authority negotiation method in step S2 specifically comprises:
step S21: the CA node in each application domain generates and locally stores a role table, a permission table and a role permission mapping table of the application domain;
step S22: when the response is returned, the application domain that requested the authorized access broadcasts the authorization result to the main layer block chain for synchronization through the AS main layer block chain access node of its auxiliary layer block chain.
3. The block chain-based cross-domain identity authentication method according to claim 2, wherein the intra-domain identity authentication method in step S3 specifically comprises:
step S31: the intra-domain CA node stores user information and performs identity authentication; an intra-domain user sends his own identity authentication information to the CA server and waits for the intra-domain CA node to perform the identity authentication;
step S32: the intra-domain CA node verifies the user's intra-domain identity verification request, generates user registration information and a signature after the verification passes, sends them to the sub-layer block chain where the user is located, triggers the smart contract of that sub-layer block chain to verify the validity of the signature, and sends the verification result to the AS main layer block chain access node of that sub-layer block chain;
step S33: if the verification passes, the AS main layer block chain access node of the auxiliary layer block chain where the user is located signs the user registration information and the user public key with the private key of the current domain, sends them to the main layer block chain, and triggers the smart contract of the main layer block chain to check the validity of the user identity information and the domain identity information;
step S34: if the verification passes, a user identity certificate is established in the main layer block chain, and the AS main layer block chain access node of the auxiliary layer block chain where the user is located returns the user identity certificate number to the user.
4. The block chain-based cross-domain identity authentication method according to claim 3, wherein the revocation and verification of the cross-domain identity access certificate specifically comprises:
the intra-domain CA node locally maintains a number with initial value 1 and a table of non-repeated prime numbers; when a cross-domain identity access certificate is issued, it randomly selects a prime from the non-repeated prime table as the prime bound to that certificate, removes the selected prime from the table, multiplies the locally maintained number by the selected prime, and broadcasts the product to the main layer block chain through the AS main layer block chain access node of the auxiliary layer block chain, where it is stored;
when the intra-domain CA node revokes a cross-domain identity access certificate, it only needs to divide the number stored on the main layer block chain by the prime bound to that certificate to obtain the result, and then update the local data and the data on the main layer block chain, wherein the local data is updated directly with the result, the data on the main layer block chain is updated by a broadcast through the AS main layer block chain access node of the local domain, and the prime bound to the revoked certificate may or may not be put back into the non-repeated prime table;
when verifying the validity of a cross-domain identity access certificate, the authorized domain only needs to check whether the number bound to the requesting domain on the main layer block chain is divisible by the prime bound to the certificate: if it is, the certificate has not been revoked; otherwise the certificate has been revoked.
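The prime-number revocation mechanism of claim 4 (also given in the detailed description above), worked through as an added Go example that is not the patent's own code: the running product N is multiplied by a randomly chosen unused prime at issuance, divided by it at revocation, and a certificate is accepted only while its prime still divides the chain-published N. The table of three small primes is constructed for illustration, the example assumes the bound prime is carried inside the CA-signed certificate, and it does not return revoked primes to the table.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// CertRevocation is one domain's state from claim 4: the running product N
// (initially 1) stored on the main layer block chain, and the unused primes.
type CertRevocation struct {
	N      *big.Int   // the number stored on the main layer block chain
	primes []*big.Int // non-repeated prime table, unused entries only
}

func NewCertRevocation(primes []int64) *CertRevocation {
	r := &CertRevocation{N: big.NewInt(1)}
	for _, p := range primes {
		r.primes = append(r.primes, big.NewInt(p))
	}
	return r
}

// Issue picks an unused prime at random, binds it to the new certificate and
// multiplies it into N; the caller must carry p inside the CA-signed certificate.
func (r *CertRevocation) Issue() (*big.Int, error) {
	if len(r.primes) == 0 {
		return nil, errors.New("non-repeated prime table exhausted")
	}
	idx, _ := rand.Int(rand.Reader, big.NewInt(int64(len(r.primes)))) // uniform in [0, len)
	i := int(idx.Int64())
	p := r.primes[i]
	r.primes = append(r.primes[:i], r.primes[i+1:]...)
	r.N.Mul(r.N, p)
	return p, nil
}

// Revoke divides p back out of N after checking it really is a factor (dividing by a
// non-factor would corrupt N). The prime is deliberately not returned to the table.
func (r *CertRevocation) Revoke(p *big.Int) error {
	if !IsValid(r.N, p) {
		return errors.New("certificate already revoked or never issued")
	}
	r.N.Div(r.N, p)
	return nil
}

// IsValid is the authorized domain's check: unrevoked exactly when p divides N
// (values below 2 are rejected so a tampered certificate cannot break the check).
func IsValid(chainN, p *big.Int) bool {
	return p.Cmp(big.NewInt(2)) >= 0 && new(big.Int).Mod(chainN, p).Sign() == 0
}

func main() { // stand-alone demo with three constructed small primes
	r := NewCertRevocation([]int64{101, 103, 107})
	p, _ := r.Issue()
	fmt.Println(IsValid(r.N, p), r.Revoke(p), IsValid(r.N, p)) // true <nil> false
}
```

Reusing a revoked prime for a later certificate, which the claim leaves optional, would make the earlier revoked certificate divide N again, which is why the example keeps revoked primes out of the table.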
CN202110718016.6A 2021-06-28 2021-06-28 Cross-domain identity authentication method based on block chain Active CN113507458B (en)

Publications (2)

Publication Number Publication Date
CN113507458A CN113507458A (en) 2021-10-15
CN113507458B true CN113507458B (en) 2023-01-31





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant