CN113572617B - Distributed inter-node identity authentication method based on alliance chain - Google Patents

Distributed inter-node identity authentication method based on alliance chain Download PDF

Info

Publication number
CN113572617B
CN113572617B CN202110820114.0A CN202110820114A CN113572617B CN 113572617 B CN113572617 B CN 113572617B CN 202110820114 A CN202110820114 A CN 202110820114A CN 113572617 B CN113572617 B CN 113572617B
Authority
CN
China
Prior art keywords
node
public key
data signature
random number
identity authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110820114.0A
Other languages
Chinese (zh)
Other versions
CN113572617A (en
Inventor
李标
王俊
王太顺
冯月
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Chooseme Information Technology Co ltd
Original Assignee
Guangzhou Chooseme Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Chooseme Information Technology Co ltd filed Critical Guangzhou Chooseme Information Technology Co ltd
Priority to CN202110820114.0A priority Critical patent/CN113572617B/en
Publication of CN113572617A publication Critical patent/CN113572617A/en
Application granted granted Critical
Publication of CN113572617B publication Critical patent/CN113572617B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention relates to the technical field of blockchains, and provides a distributed inter-node identity authentication method based on a alliance chain. The method comprises the following steps: when a certain distributed node needs to communicate with other distributed nodes, the access domain name and the access port of the opposite party are queried from the alliance chain through the public key of the opposite party node, and then communication is established through the access domain name and the access port. When communication is established, the data signature of the opposite party is verified through the node public key of the opposite party, so that the identity authentication among the distributed nodes is realized. Can prevent masquerading attack and man-in-the-middle attack and realize decentralization addressing among distributed nodes.

Description

Distributed inter-node identity authentication method based on alliance chain
Technical Field
The invention relates to the technical field of blockchains, in particular to a distributed inter-node identity authentication method based on a alliance chain.
Background
Decentralized addressing of distributed nodes refers to the process of how the distributed nodes in the network find each other independent of the centralized server. The existing ED2K (electric donkey network) is implemented by constructing Kad (Kademlia, P2P overlay network transport protocol) based on a distributed hash table.
Kad is a decentralized P2P communication protocol, in which all users are connected to a network, and do not pass through a server, so that the operations of searching for resources and sources can be directly performed. The burden on the server can be reduced.
However, kad network consumes a lot of resources for distributed nodes, and when each node joins Kad network, it needs to make a connection with enough other nodes (this process is called initializing K bucket), otherwise, it cannot implement route forwarding communication.
In addition, the communication of the distributed nodes in the Kad network needs to rely on the route forwarding among the nodes, so that the efficiency problem and the intermediate link route failure problem exist, and meanwhile, no effective method is available among the distributed nodes for mutual identification and authentication.
Disclosure of Invention
The invention provides a distributed inter-node identity authentication method based on a alliance chain, which can prevent camouflage attacks and man-in-the-middle attacks and realize decentralization addressing among distributed nodes.
In order to solve the problems, the invention adopts the following technical scheme:
the invention provides a distributed inter-node identity authentication method based on a alliance chain, which comprises the following steps:
when a first node in the block chain network needs to communicate with a second node, inquiring from a alliance chain through a second node public key to obtain second node access information, establishing connection with the second node according to the second node access information, and sending the first node public key and a first random number to the second node;
after receiving the first node public key and the first random number, the second node inquires the alliance chain whether the first node public key is trusted, and when the first node public key is trusted, generates a second data signature according to the first random number, and sends the second data signature and the second random number to the first node;
after receiving the second data signature and the second random number, the first node performs identity authentication on the second node according to the second data signature, generates a first data signature according to the second random number after confirming that the identity authentication on the second node is successful, and sends the first data signature to the second node;
and the second node performs identity authentication on the first node according to the first data signature after receiving the first data signature.
In one embodiment, the first node public key refers to a node public key of the first node; the second node public key refers to a node public key of the second node; the second node access information refers to node access information of the second node; the node access information includes an access domain name and an access port.
In one embodiment, the second node generates a second data signature from the first random number, comprising:
the second node processes the first random number by using a hash algorithm to obtain a first hash digest;
and signing the first hash digest by using a second node private key to obtain a second data signature.
In one embodiment, the first node generates a first data signature from the second random number, comprising:
the first node processes the second random number by using a hash algorithm to obtain a second hash digest;
and signing the second hash digest by using the first node private key to obtain a first data signature.
In one embodiment, the first node performs identity authentication on the second node according to the second data signature, including:
the first node compares the data obtained by processing the first random number by using the hash algorithm with the data obtained by decrypting the second data signature by using the second node public key, and when the comparison is consistent, the identity authentication of the second node is judged to be successful.
In one embodiment, the second node performs identity authentication on the first node according to the first data signature, including:
and the second node compares the data obtained by processing the second random number by using a hash algorithm with the data obtained by decrypting the first data signature by using the first node public key, and when the comparison is consistent, the identity authentication of the first node is judged to be successful.
In one embodiment, the method further comprises:
when any node joins the blockchain network, generating a third node public key and a third node private key, storing the third node private key in the node, and submitting the third node public key and third node access information to the alliance chain;
any alliance member of the alliance chain verifies the third node public key, when the verification is successful, the third node public key is trusted, the third node public key is packaged to generate a new block, and block information of the new block is broadcasted to other alliance members;
after all other alliance members succeed in confirming the block information, the third node public key is judged to be trusted.
In one embodiment, the third node public key refers to the node public key generated by the any node, and the third node private key refers to the node private key generated by the first node.
The invention provides another distributed inter-node identity authentication method based on a alliance chain, which is applied to a first node in a blockchain network; the method comprises the following steps:
when the second node needs to communicate with the second node, inquiring from the alliance chain through the second node public key to obtain second node access information, establishing connection with the second node according to the second node access information, and sending the first node public key and the first random number to the second node;
after receiving the second data signature and the second random number sent by the second node, carrying out identity authentication on the second node according to the second data signature, generating a first data signature according to the second random number after confirming that the identity authentication on the second node is successful, and sending the first data signature to the second node so that the second node carries out identity authentication on the node according to the first data signature; the second data signature is generated from the first random number by the second node after confirming that the first node public key has been trusted in the federation chain.
The invention provides a distributed inter-node identity authentication method based on a alliance chain, which is applied to a second node in a blockchain network; the method comprises the following steps:
receiving a first node public key and a first random number sent by a first node; the first node public key and the first random number are sent by the first node after the first node establishes connection with the node according to second node access information obtained by inquiring the first node public key from the alliance chain through the second node public key;
inquiring whether the public key of the first node is trusted or not from the alliance chain, generating a second data signature according to the first random number when the public key of the first node is trusted, and sending the second data signature and the second random number to the first node so that the first node can carry out identity authentication on the node according to the second data signature;
receiving a first data signature sent by a first node, wherein the first data signature is generated by the first node according to a second random number after the first node confirms that the identity authentication of the node is successful according to the second data signature;
and authenticating the identity of the first node according to the first data signature.
Compared with the prior art, the technical scheme of the invention has at least the following advantages: the embodiment can realize the identity authentication among the distributed nodes, and further can prevent camouflage attacks and man-in-the-middle attacks. In addition, the embodiment can realize the decentralization addressing among the distributed nodes, namely, the distributed nodes can inquire the domain name and the port of the other party from the alliance chain without depending on a centralization server. Wherein, disguise attack means that an attacker disguises as a certain trusted distributed node to communicate with other distributed nodes; man-in-the-middle attack means that an attacker establishes communication with two distributed nodes respectively and exchanges data received by the attacker, thereby realizing data monitoring and even data tampering.
Drawings
FIG. 1 is a flow chart of one embodiment of a distributed inter-node identity authentication method based on a federated chain of the present invention;
FIG. 2 is a block flow diagram of on-chain trust in one embodiment of a distributed inter-node identity authentication method based on a federated chain of the present invention;
FIG. 3 is a block diagram illustrating a specific example of a distributed inter-node identity authentication method based on a federated chain in accordance with the present invention;
FIG. 4 is a block flow diagram of another embodiment of a distributed inter-node identity authentication method based on a federated chain of the present invention;
FIG. 5 is a block diagram illustrating one embodiment of an authentication device between distributed nodes based on a federated chain in accordance with the present invention;
FIG. 6 is a block flow diagram of another embodiment of a distributed inter-node identity authentication method based on a federated chain of the present invention;
FIG. 7 is a block diagram illustrating one embodiment of a distributed inter-node authentication device based on a federated chain in accordance with the present invention;
FIG. 8 is a block diagram of the internal architecture of a computing device in one embodiment of the invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
In order to enable those skilled in the art to better understand the present invention, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present invention with reference to the accompanying drawings.
In some of the flows described in the specification and claims of the present invention and in the foregoing figures, a plurality of operations appearing in a particular order are included, but it should be clearly understood that the operations may be performed in other than the order in which they appear herein or in parallel, the sequence numbers of the operations such as S11, S12, etc. are merely used to distinguish between the various operations, and the sequence numbers themselves do not represent any order of execution. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first" and "second" herein are used to distinguish different messages, devices, modules, etc., and do not represent a sequence, and are not limited to the "first" and the "second" being different types.
As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by one of ordinary skill in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein includes all or any element and all combination of one or more of the associated listed items.
It will be understood by those of ordinary skill in the art that unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
Before describing the present invention, some of the words that will appear below are explained in order to better understand the present invention.
1. Alliance chain: blockchains that are mutually trusted within a federation.
2. Alliance members: feasible members in the alliance chain are responsible for block packing.
3. Distributed node: the network node under the jurisdiction of a member of a federation, i.e. the member of the federation is its facilitator. The distributed node may query the federation chain for the node public key of other nodes.
4. Private key of distributed node: generated by the distributed nodes themselves, and cannot be known by others.
5. Public key of distributed node: the private key of the distributed node is generated, and the public key is placed on the alliance chain and is visible to other distributed nodes.
6. On-chain trust of distributed nodes: when a distributed node submits its own public key to the federation chain and is trusted by the affiliated federation member (server), the distributed node gets the trust of the federation chain. I.e. other distributed nodes can trust the public key of the distributed node.
7. Hash algorithm: and calculating any group of input data to obtain an output digest with a fixed length, and forming a hash digest. Common hash algorithms are MD5, SHA-1, SM3, etc.
8. Data signature: the distributed nodes carry out a hash algorithm on the data to generate a hash abstract, and then the self node private key encrypts the hash abstract to generate a data signature. Other distributed nodes can check the signature through the node public key of the distributed node.
9. And (5) checking labels: and firstly, carrying out a hash algorithm on the data to generate a hash abstract, then decrypting the data signature by using the node public key to obtain a new hash abstract, comparing the new hash abstract with the original hash abstract, and if the new hash abstract is consistent with the original hash abstract, successfully checking the signature. I.e. the data confirmation is signed by the private key corresponding to the node public key.
10. Identity authentication among distributed nodes: and a process that the distributed node confirms whether the identities of other distributed nodes are trusted.
11. Trusted connection: and establishing connection among the distributed nodes and completing node identity authentication.
12. Camouflage attack: an attacker masquerades as a trusted distributed node communicating with other distributed nodes.
13. Man-in-the-middle attack: the attacker establishes communication with the two distributed nodes respectively and exchanges the received data, thereby realizing data monitoring and even data tampering.
In one embodiment, as shown in fig. 1, the method for authenticating identity between distributed nodes based on a federation chain provided by the invention comprises the following steps:
and S11, when a first node in the blockchain network needs to communicate with a second node, inquiring the second node access information from the alliance chain through a second node public key, establishing connection with the second node according to the second node access information, and sending the first node public key and the first random number to the second node.
After the first node and the second node establish connection, information interaction is needed to be carried out through the established links to achieve authentication of identities of the opposite nodes, and meaningful communication is started after both sides confirm that the identity authentication is successful.
The first node refers to any distributed node in the blockchain network, which needs to communicate with other distributed nodes. The second node may be any distributed node in the blockchain network other than the first node. The federation chain holds node public keys and node access information for each node in the blockchain network.
The first node public key refers to a node public key of the first node; the second node public key refers to a node public key of the second node; the second node access information refers to node access information of the second node; the node access information for each node in the blockchain network includes an access domain name and an access port for that node.
Each distributed node in the blockchain network generates a node private key and a node public key by itself, wherein the node private key is only known by the distributed node, and the node public key is stored in the alliance chain, so that other distributed nodes in the blockchain network can be obtained.
In one embodiment, the method further comprises: when any node joins the blockchain network, generating a third node public key and a third node private key, storing the third node private key in the node, and submitting the third node public key and third node access information to the alliance chain; any alliance member of the alliance chain verifies the third node public key, when the verification is successful, the third node public key is trusted, the third node public key is packaged to generate a new block, and block information of the new block is broadcasted to other alliance members; after all other alliance members succeed in confirming the block information, the third node public key is judged to be trusted. The third node public key refers to a node public key generated by any node, and the third node private key refers to a node private key generated by any node.
Illustratively, when any one of the distributed nodes is to join a blockchain network, an on-chain trust flow as shown in FIG. 2 needs to be performed. Namely, the distributed node A1 submits a node public key A1, an access domain name A1 and an access port A1 thereof to the alliance chain; a certain alliance member A (a server to which the distributed node belongs) verifies the node public key A1, trusts the node public key A1 when the verification passes, packages data to generate a new block, and broadcasts block information to other alliance members; when the verification fails, indicating that the node public key does not belong to the alliance member A, and that trust fails; other alliance members perform data confirmation, and trust is completed when the confirmation passes; when the validation fails, trust fails. That is, when a distributed node joins the network, the distributed node submits a node public key, an access domain name, and an access port to the federation chain, and when any federation member trusts the node address, the node becomes a trusted node within the federation chain.
S12, after receiving the first node public key and the first random number, the second node inquires the alliance chain whether the first node public key is trusted, and when the first node public key is trusted, generates a second data signature according to the first random number, and sends the second data signature and the second random number to the first node.
In one embodiment, the second node generates a second data signature from the first random number, comprising: processing the first random number by using a hash algorithm to obtain a first hash digest; and signing the first hash digest by using a second node private key to obtain a second data signature. The second node private key refers to a node private key of the second node.
And S13, after receiving the second data signature and the second random number, the first node performs identity authentication on the second node according to the second data signature, and after confirming that the identity authentication on the second node is successful, generates the first data signature according to the second random number, and sends the first data signature to the second node.
After confirming that the identity authentication of the second node fails, the first node determines that the node cannot establish a trusted connection with the second node. The trusted connection means that the connection is established between the distributed nodes and the identity authentication of the nodes is completed.
In one embodiment, the first node generates a first data signature from the second random number, comprising: processing the second random number by using a hash algorithm to obtain a second hash digest; and signing the second hash digest by using the first node private key to obtain a first data signature. The first node private key refers to a node private key of the first node. The hash algorithm used by the first node and the second node is the same.
In one embodiment, the first node performs identity authentication on the second node according to the second data signature, including: the first node compares the data obtained by processing the first random number by using the hash algorithm with the data obtained by decrypting the second data signature by using the second node public key, and when the comparison is consistent, the identity authentication of the second node is judged to be successful. And when the comparison is inconsistent, judging that the identity authentication of the second node fails.
And S14, after the second node receives the first data signature, the second node performs identity authentication on the first node according to the first data signature.
If the second node confirms that the identity authentication of the first node is successful after the second node authenticates the first node according to the first data signature, the first node and the second node can be calculated to establish a trusted connection, and communication can be started at the moment. If the second node confirms that the identity authentication of the first node fails, then the node is determined to be unable to establish a trusted connection with the first node.
In one embodiment, the second node performs identity authentication on the first node according to the first data signature, including: and the second node compares the data obtained by processing the second random number by using a hash algorithm with the data obtained by decrypting the first data signature by using the first node public key, and when the comparison is consistent, the identity authentication of the first node is judged to be successful. And when the comparison is inconsistent, judging that the identity authentication of the first node fails.
For example, the passing of identity authentication between distributed nodes may be as shown in fig. 3, that is, the identity authentication between distributed node A1 and distributed node B1 is started;
the distributed node A1 queries an access domain name B1 and an access port B1 of the opposite party from the alliance chain according to a node public key B1 of the distributed node B1;
the distributed node A1 establishes connection with the distributed node B1 according to the access domain name B1 and the access port B1, and sends a node public key A1 and a random number A1 to the distributed node B1;
the distributed node B1 inquires from the alliance chain whether the public key of the distributed node A1 is trusted, if the public key of the distributed node A1 is trusted, a hash digest A1 of the random number A1 is generated by using a hash algorithm, a data signature B1 is generated by encrypting the hash digest A1 by using a node private key B1, and then the data signature B1 and a new random number B1 are sent to the distributed node A1; if the public key of the distributed node A1 is not trusted, a trusted connection cannot be established between the distributed node A1 and the distributed node B1;
the distributed node A1 generates a hash digest A1 of the random number A1 by using a hash algorithm, decrypts the data signature B1 by using the node public key B1 to generate a hash digest A11, and compares whether the hash digests A1 and A11 are equal; if the data signature is equal (indicating that signature verification is successful), a hash algorithm is used for generating a hash digest B1 of the random number B1, a node private key A1 is used for encrypting the hash digest B1 to generate a data signature A1, and then the data signature A1 is sent to the distributed node B1; if the distributed nodes A1 and B1 are not equal (indicating that the signature verification fails), a trusted connection cannot be established between the distributed nodes A1 and B1;
the distributed node B1 generates a hash digest B1 of the random number B1 by using a hash algorithm, decrypts the data signature A1 by using the node public key A1 to generate a hash digest B11, and compares whether the hash digests B1 and B11 are equal or not; if the two types of information are equal (indicating that the signature verification is successful), a trusted connection is established between the distributed node A1 and the distributed node B1; if not (indicating that the signature verification fails), a trusted connection cannot be established between the distributed node A1 and the distributed node B1.
In this embodiment, when a certain distributed node in the blockchain network needs to communicate with other distributed nodes, the access domain name and the access port of the opposite party are queried from the coalition chain through the public key of the opposite party node, and then communication is established through the access domain name and the access port. When the communication is actually carried out, the data signature of the opposite party is verified through the node public key of the opposite party, so that the identity authentication among the distributed nodes is realized. Because the public keys of all the trusted distributed nodes are trusted by the alliance chain, the node public keys, the access domain names and the access ports of the opposite sides which are inquired by the distributed nodes from the alliance chain are also trusted, and when the connection is established with the opposite sides, the opposite sides public keys are used for carrying out identity authentication on the data signature of the opposite sides, wherein if the identity authentication is successful, the identity of the opposite sides is proved to be true. The same method will be used by the peer to verify my identity.
The embodiment can realize the identity authentication among the distributed nodes, and further can prevent camouflage attacks and man-in-the-middle attacks. In addition, the embodiment can realize the decentralization addressing among the distributed nodes, namely, the distributed nodes can inquire the domain name and the port of the other party from the alliance chain without depending on a centralization server. Wherein, disguise attack means that an attacker disguises as a certain trusted distributed node to communicate with other distributed nodes; man-in-the-middle attack means that an attacker establishes communication with two distributed nodes respectively and exchanges data received by the attacker, thereby realizing data monitoring and even data tampering.
Based on the same inventive concept, in one embodiment, the present invention further provides another distributed inter-node identity authentication method based on a federation chain, where the method is applied to a first node in a blockchain network, as shown in fig. 4, and the method includes:
s21, inquiring from the alliance chain through a public key of the second node to obtain second node access information when the second node needs to communicate with the second node;
s22, establishing connection with the second node according to the second node access information;
s23, sending the first node public key and the first random number to the second node;
s24, after receiving the second data signature and the second random number sent by the second node, authenticating the identity of the second node according to the second data signature;
s25, after confirming that the identity authentication of the second node is successful, generating a first data signature according to the second random number, and sending the first data signature to the second node so that the second node can perform the identity authentication on the second node according to the first data signature; the second data signature is generated from the first random number by the second node after confirming that the first node public key has been trusted in the federation chain.
With respect to the distributed inter-node identity authentication method based on the federation chain in the present embodiment, the related operations performed by the second node have been described in detail in the first embodiment, and will not be described in detail herein.
In one embodiment, the present invention further provides a distributed inter-node identity authentication device based on a federation chain, as shown in fig. 5, where the device includes:
the information query module 21 is configured to query from the federation chain through the second node public key to obtain second node access information when communication with the second node is required;
a connection establishment module 22, configured to establish a connection with a second node according to the second node access information;
a first sending module 23, configured to send the first node public key and the first random number to the second node;
the identity authentication module 24 is configured to authenticate the second node according to the second data signature after receiving the second data signature and the second random number sent by the second node;
the second sending module 25 is configured to generate a first data signature according to the second random number after confirming that the identity authentication of the second node is successful, and send the first data signature to the second node, so that the second node performs identity authentication on the second node according to the first data signature; the second data signature is generated from the first random number by the second node after confirming that the first node public key has been trusted in the federation chain.
The specific manner in which the operations of the respective modules are performed in the apparatus provided in this embodiment has been described in detail in relation to the second method embodiment, and will not be described in detail here.
Based on the same inventive concept, in one embodiment, the invention also provides another distributed inter-node identity authentication method based on the alliance chain, which is applied to a second node in the blockchain network; as shown in fig. 6, the method includes:
s31, receiving a first node public key and a first random number sent by a first node; the first node public key and the first random number are sent by the first node after the first node establishes connection with the node according to second node access information obtained by inquiring the first node public key from the alliance chain through the second node public key;
s32, inquiring whether the public key of the first node is trusted or not from the alliance chain;
s33, when the public key of the first node is trusted, generating a second data signature according to the first random number, and sending the second data signature and the second random number to the first node so that the first node can carry out identity authentication on the node according to the second data signature;
s34, receiving a first data signature sent by the first node, wherein the first data signature is generated by the first node according to a second random number after the first node confirms that the identity authentication of the first node is successful according to the second data signature;
s35, carrying out identity authentication on the first node according to the first data signature.
With respect to the distributed inter-node identity authentication method based on the federation chain in the present embodiment, the related operations performed by the second node have been described in detail in the first embodiment, and will not be described in detail herein.
In one embodiment, the present invention further provides a distributed inter-node identity authentication device based on a federation chain, as shown in fig. 7, where the device includes:
a first receiving module 31, configured to receive a first node public key and a first random number sent by a first node; the first node public key and the first random number are sent by the first node after the first node establishes connection with the node according to second node access information obtained by inquiring the first node public key from the alliance chain through the second node public key;
a query module 32 for querying the federation chain whether the first node public key has been trusted;
a data processing module 33, configured to generate a second data signature according to the first random number when the public key of the first node is trusted, and send the second data signature and the second random number to the first node, so that the first node performs identity authentication on the node according to the second data signature;
a second receiving module 34, configured to receive a first data signature sent by the first node, where the first data signature is generated by the first node according to a second random number after confirming that the identity authentication of the first node is successful according to the second data signature;
an authentication module 35, configured to authenticate the identity of the first node according to the first data signature.
With respect to the distributed inter-node identity authentication method based on the federation chain in the present embodiment, the related operations performed by the second node have been described in detail in the first embodiment, and will not be described in detail herein.
The invention provides a computer device, which comprises a memory and a processor, wherein the memory stores computer readable instructions, and the computer readable instructions, when executed by the processor, cause the processor to execute the steps of the distributed inter-node identity authentication method based on a coalition chain.
In one embodiment, as shown in FIG. 8. The computer device described in this embodiment may be a server, a personal computer, a network device, or the like. The computer device comprises a processor 402, a memory 403, an input unit 404, a display unit 405 and the like. Those skilled in the art will appreciate that the device architecture shown in fig. 8 does not constitute a limitation of all devices, and may include more or fewer components than shown, or may combine certain components. For example, in most cases, the computer device need not be equipped with the display unit 405. The memory 403 may be used to store a computer program 401 and functional modules, and the processor 402 runs the computer program 401 stored in the memory 403 to execute various functional applications of the device and data processing. The memory may be internal memory or external memory, or include both internal memory and external memory. The internal memory may include read-only memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), flash memory, or random access memory. The external memory may include a hard disk, floppy disk, ZIP disk, U-disk, tape, etc. The disclosed memory includes, but is not limited to, these types of memory. The memory disclosed herein is by way of example only and not by way of limitation.
The input unit 404 is used for receiving input of a signal and receiving keywords input by a user. The input unit 404 may include a touch panel and other input devices. The touch panel may collect touch operations on or near the user (e.g., the user's operation on or near the touch panel using any suitable object or accessory such as a finger, stylus, etc.), and drive the corresponding connection device according to a preset program; other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., play control keys, switch keys, etc.), a trackball, mouse, joystick, etc. The display unit 405 may be used to display information entered by a user or provided to a user as well as various menus of a computer device. The display unit 405 may take the form of a liquid crystal display, an organic light emitting diode, or the like. The processor 402 is the control center of the computer device, connects the various parts of the overall computer using various interfaces and lines, performs various functions and processes data by running or executing software programs and/or modules stored in the memory 402, and invoking data stored in the memory.
As one embodiment, the computer device includes: one or more processors 402, a memory 403, one or more computer programs 401, wherein the one or more computer programs 401 are stored in the memory 403 and configured to be executed by the one or more processors 402, the one or more computer programs 401 configured to perform the federation chain based distributed inter-node identity authentication method according to the second or third embodiment.
In one embodiment, the present invention also proposes a storage medium storing computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the above-described federation chain-based distributed inter-node identity authentication method. For example, the storage medium may be ROM, random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Those skilled in the art will appreciate that implementing all or part of the above-described embodiment methods may be accomplished by a computer program stored in a storage medium, which when executed may include the steps of the distributed inter-node authentication method based on a federated chain as described in the second or third embodiments. The storage medium may be a nonvolatile storage medium such as a magnetic disk, an optical disk, a Read-only memory (ROM), or a random access memory (RandomAccessMemory, RAM).
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (10)

1. A distributed inter-node identity authentication method based on a federation chain, the method comprising:
when a first node in a block chain network needs to communicate with a second node, inquiring a second node access information from a alliance chain through a second node public key, establishing connection with the second node according to the second node access information, and sending the first node public key and a first random number to the second node;
the second node inquires whether the first node public key is trusted or not from a alliance chain after receiving the first node public key and the first random number, and generates a second data signature according to the first random number when the first node public key is trusted, and sends the second data signature and the second random number to the first node;
after receiving the second data signature and the second random number, the first node performs identity authentication on the second node according to the second data signature, generates a first data signature according to the second random number after confirming that the identity authentication on the second node is successful, and sends the first data signature to the second node;
and the second node performs identity authentication on the first node according to the first data signature after receiving the first data signature.
2. The method of claim 1, wherein,
the first node public key refers to a node public key of the first node; the second node public key refers to a node public key of the second node; the second node access information refers to node access information of the second node, and the node access information includes an access domain name and an access port.
3. The method of claim 1, wherein the second node generating a second data signature from the first random number comprises:
the second node processes the first random number by using a hash algorithm to obtain a first hash digest;
and signing the first hash digest by using a second node private key to obtain a second data signature.
4. The method of claim 1, wherein the first node generating a first data signature from the second random number comprises:
the first node processes the second random number by using a hash algorithm to obtain a second hash digest;
and signing the second hash digest by using the first node private key to obtain a first data signature.
5. The method of claim 1, wherein,
the first node performs identity authentication on the second node according to the second data signature, and the method comprises the following steps:
and the first node compares the data obtained by processing the first random number by using a hash algorithm with the data obtained by decrypting the second data signature by using the second node public key, and when the comparison is consistent, the identity authentication of the second node is judged to be successful.
6. The method of claim 1, wherein,
the second node performs identity authentication on the first node according to the first data signature, and the method comprises the following steps:
and the second node compares the data obtained by processing the second random number by using a hash algorithm with the data obtained by decrypting the first data signature by using the first node public key, and when the comparison is consistent, the identity authentication of the first node is judged to be successful.
7. The method of claim 1, wherein the method further comprises:
when any node joins the blockchain network, generating a third node public key and a third node private key, storing the third node private key in the node, and submitting the third node public key and third node access information to a alliance chain;
any one of the alliance members of the alliance chain verifies the third node public key, when the verification is successful, the third node public key is trusted, the third node public key is packaged to generate a new block, and block information of the new block is broadcast to other alliance members;
and after all other alliance members confirm the block information successfully, determining that the third node public key is trusted.
8. The method of claim 7, wherein,
the third node public key refers to a node public key generated by any node, and the third node private key refers to a node private key generated by any node.
9. A distributed inter-node identity authentication method based on a alliance chain is characterized in that the method is applied to a first node in a blockchain network; the method comprises the following steps:
when the second node needs to communicate with the second node, inquiring from the alliance chain through a second node public key to obtain second node access information, establishing connection with the second node according to the second node access information, and sending a first node public key and a first random number to the second node;
after receiving a second data signature and a second random number sent by the second node, authenticating the identity of the second node according to the second data signature, generating a first data signature according to the second random number after confirming that the identity authentication of the second node is successful, and sending the first data signature to the second node so that the second node authenticates the identity of the node according to the first data signature; the second data signature is generated from the first random number by the second node after confirming that the first node public key has been trusted in the federation chain.
10. The distributed inter-node identity authentication method based on the alliance chain is characterized by being applied to a second node in a blockchain network; the method comprises the following steps:
receiving a first node public key and a first random number sent by a first node; the first node public key and the first random number are sent after the first node establishes connection with the node according to second node access information obtained by inquiring the first node public key from the alliance chain through the second node public key;
inquiring whether the first node public key is trusted or not from a alliance chain, generating a second data signature according to the first random number when the first node public key is trusted, and sending the second data signature and the second random number to the first node so that the first node can carry out identity authentication on the first node according to the second data signature;
receiving a first data signature sent by the first node, wherein the first data signature is generated by the first node according to the second random number after the first node confirms that the identity authentication of the first node is successful according to the second data signature;
and authenticating the identity of the first node according to the first data signature.
CN202110820114.0A 2021-07-20 2021-07-20 Distributed inter-node identity authentication method based on alliance chain Active CN113572617B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110820114.0A CN113572617B (en) 2021-07-20 2021-07-20 Distributed inter-node identity authentication method based on alliance chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110820114.0A CN113572617B (en) 2021-07-20 2021-07-20 Distributed inter-node identity authentication method based on alliance chain

Publications (2)

Publication Number Publication Date
CN113572617A CN113572617A (en) 2021-10-29
CN113572617B true CN113572617B (en) 2023-05-26

Family

ID=78165750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110820114.0A Active CN113572617B (en) 2021-07-20 2021-07-20 Distributed inter-node identity authentication method based on alliance chain

Country Status (1)

Country Link
CN (1) CN113572617B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285861B (en) * 2021-12-21 2023-03-21 西安交通大学 Decentralized credible identity authentication method based on alliance chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108416589A (en) * 2018-03-08 2018-08-17 深圳前海微众银行股份有限公司 Connection method, system and the computer readable storage medium of block chain node
WO2019101240A2 (en) * 2019-03-15 2019-05-31 Alibaba Group Holding Limited Authentication based on a recoverd public key
WO2020108019A1 (en) * 2018-11-29 2020-06-04 苏宁云计算有限公司 Consortium blockchain-based data transfer method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108416589A (en) * 2018-03-08 2018-08-17 深圳前海微众银行股份有限公司 Connection method, system and the computer readable storage medium of block chain node
WO2020108019A1 (en) * 2018-11-29 2020-06-04 苏宁云计算有限公司 Consortium blockchain-based data transfer method and device
WO2019101240A2 (en) * 2019-03-15 2019-05-31 Alibaba Group Holding Limited Authentication based on a recoverd public key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张昊迪 ; 刘国荣 ; 汪来富 ; 王帅 ; .基于区块链技术的跨域身份认证机制研究.广东通信技术.2018,(07),全文. *

Also Published As

Publication number Publication date
CN113572617A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
Cui et al. A hybrid blockchain-based identity authentication scheme for multi-WSN
US11196573B2 (en) Secure de-centralized domain name system
CN109714168B (en) Trusted remote attestation method, device and system
Melki et al. Lightweight multi-factor mutual authentication protocol for IoT devices
CN109241087B (en) Data processing method and terminal of alliance chain
US8139588B2 (en) Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain
CN114982196A (en) Communication protocol utilizing blockchain transactions
KR101250295B1 (en) Peer to peer network
WO2011092500A1 (en) Digital identity authentication system and method
Benarous et al. Blockchain-based privacy-aware pseudonym management framework for vehicular networks
EP3598333B1 (en) Electronic device update management
Zhang et al. BTNC: A blockchain based trusted network connection protocol in IoT
CN113328997A (en) Alliance chain cross-chain system and method
CN115865418A (en) Cross-domain access control scheme based on block chain and Byzantine fault-tolerant algorithm
CN117335958A (en) Identity authentication method oriented to alliance chain crossing
CN101789939B (en) Effective realization method for credible OpenSSH
CN113572617B (en) Distributed inter-node identity authentication method based on alliance chain
Fan et al. Blockchain-enabled collaborative intrusion detection in software defined networks
Liu et al. A novel authentication management RFID protocol based on elliptic curve cryptography
CN114982195A (en) Request and response protocol with blockchain transactions
WO2023116027A1 (en) Cross-domain identity verification method in secure multi-party computation, and server
CN114401091B (en) Device cross-domain authentication management method and device based on block chain
CN110290113B (en) PoW algorithm-based device identification construction method and device and computer-readable storage medium
CN104486082A (en) Authentication method and router
Jarosz et al. Formal verification of security properties of the Lightweight Authentication and Key Exchange Protocol for Federated IoT devices

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant