CN113641986A - Method and system for realizing federation chain user private key escrow based on SoftHSM - Google Patents
Method and system for realizing federation chain user private key escrow based on SoftHSM Download PDFInfo
- Publication number
- CN113641986A CN113641986A CN202110994619.9A CN202110994619A CN113641986A CN 113641986 A CN113641986 A CN 113641986A CN 202110994619 A CN202110994619 A CN 202110994619A CN 113641986 A CN113641986 A CN 113641986A
- Authority
- CN
- China
- Prior art keywords
- private key
- softhsm
- module
- user
- token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 230000008676 import Effects 0.000 claims abstract description 19
- 238000012795 verification Methods 0.000 claims description 45
- 238000004806 packaging method and process Methods 0.000 claims description 18
- 230000008520 organization Effects 0.000 claims description 15
- 230000007246 mechanism Effects 0.000 claims description 7
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 claims 14
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 claims 14
- 230000000977 initiatory effect Effects 0.000 claims 1
- 230000006870 function Effects 0.000 description 24
- 238000005516 engineering process Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a method and a system for realizing federation chain user private key escrow based on SoftHSM, which realize the soft escrow of a user private key, increase the security of the private key and also increase the expandability of the system. The technical scheme is as follows: responding to a private key import request of a user node, and verifying user information and authority information; executing a command to create a token and a slot; verifying the result of executing the creation, and if the creation is successful, acquiring the return values of the created token and the slot; starting a softHSM private key escrow module, and importing a user node private key into the softHSM private key escrow module for escrowing; verifying the result of importing the user node private key into a SoftHSM private key escrow module; calling an interface for updating the k8s configuration to update the k8s configuration; the restart user node validates the updated k8s configuration.
Description
Technical Field
The invention relates to application of a block chain technology, in particular to a method and a system for realizing federation chain user private key escrow based on SoftHSM.
Background
A federation chain is an organization of blockchains, which is an organization between a public chain and a private chain, where a plurality of organizations or institutions participate in the management of blockchains, and each organization or institution manages one or more nodes, and its data only allows different institutions in the system to read, write, and transmit. The private key of the user in the federation chain is data which only proves the identity of the user, and the core asset of the user is controlled by the private key, namely the confirmation of the transaction can be realized only through the signature of the private key, so that the protection of the private key of the block chain is very important. On one hand, the private key is prevented from being leaked and stolen by hackers, on the other hand, the private key is also prevented from being lost, and the private key can be safely retrieved in case of being lost. The private key of the user can be stored in the electronic equipment, but once the private key is lost or the information is stolen, the private key is lost, and the property safety of the user is greatly influenced.
The existing private key escrow method is used for backing up the private key by using a platform escrow mode, and when a user key is lost, a core node is required to be entrusted to retrieve the private key, so that the core node is endowed with overlarge rights, and the requirements of customers cannot be met. Moreover, the method can ensure that the authorized party has complete control over the account and even can carry out operation against the intention of the authorized party.
And Public Key Cryptography Standards (PKCS) include a set of cryptographic standards that provide guidelines and Application Programming Interfaces (APIs) for using cryptographic methods. PKCS #11 is a cryptographic token interface standard that makes a set of APIs called Cryptoki. Using this API, an application can address the cryptographic devices as tokens and can perform the cryptographic functions implemented by these tokens. A Hardware Security Module (HSM) generally needs to be connected with software to provide safer and more efficient Hardware encryption Security for software services, so that application development of the SoftHSM is available. Secure storage of passwords can be achieved using SoftHSM without a hardware Security module, which is now developed as part of the opendnssec (open Domain Name System Security extensions) project. SoftHSM implements the encrypted storage access interface defined by PKCS # 1.
How to utilize SoftHSM to realize soft escrow of the private key of the user in the alliance chain so as to enhance the security of the private key of the user in the alliance chain is a problem to be solved urgently in the industry at present.
Disclosure of Invention
The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later.
The invention aims to solve the problems and provides a method and a system for realizing the escrow of the private key of the alliance chain user based on SoftHSM, so that the soft escrow of the private key of the user is realized, the security of the private key of the user is improved, and the expandability of the system can be improved.
The technical scheme of the invention is as follows: the invention discloses a method for realizing federation chain user private key escrow based on SoftHSM, which comprises the following steps:
step 1: responding to the user node private key import request, verifying user information and permission information corresponding to the user node, if the verification fails, returning error information to the client, and if the verification passes, continuing the next step;
step 2: executing a command to create a token and a slot;
and step 3: verifying the result of executing the creation, if the creation fails, returning error information to the client, if the creation succeeds, acquiring the return values of the created token and the slot, and entering the next step;
and 4, step 4: starting a softHSM private key escrow module, and importing a user node private key into the softHSM private key escrow module for escrowing;
and 5: verifying the result of importing the user node private key into the SoftHSM private key escrow module, if the import fails, returning error information to the client, and if the import succeeds, entering the next step;
step 6: calling an interface for updating the k8s configuration to update the k8s configuration;
and 7: the restart user node validates the updated k8s configuration.
According to an embodiment of the method for realizing federation chain user private key escrow based on SoftHSM, in step 1, verifying user information and permission information includes two steps of verification mechanisms: password authentication and authentication code authentication.
According to an embodiment of the method for realizing the escrow of the private key of the user in the alliance chain based on the SoftHSM, the step 2 further comprises the following steps:
checking whether the token and the slot exist or not, and if so, entering the next step;
if the token and the slot do not exist, acquiring preset values of the label and the pin, adding a random number to the label and the pin, and calling an initToken function of a PKCS #11 library to create the token and the slot.
According to an embodiment of the method for realizing the escrow of the private key of the user in the federation chain based on the SoftHSM, before the step of calling the initToken function of the PKCS #11 library to create the token and the slot, the method further comprises the following steps:
and packaging the interface of the initToken function of the PKCS #11 library.
According to an embodiment of the method for realizing the escrow of the private key of the user in the alliance chain based on the SoftHSM, the step 4 further comprises:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the SoftHSM private key escrow module through a key importing tool.
According to an embodiment of the method for realizing federation chain user private key escrow based on SoftHSM, before starting the SoftHSM private key escrow module, the method further includes: the method comprises the steps of installing and deploying SoftHSM in a certificate issuing organization, configuring a PKCS #11 interface in a block chain encryption service provider module of the certificate issuing organization, switching the configuration of a client into PKCS #11, and reconnecting the client and the certificate issuing organization.
According to an embodiment of the method for realizing federation chain user private key escrow based on SoftHSM, before importing, by a key import tool, a user node private key into a SoftHSM private key escrow module, the method further includes:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
The invention also discloses a system for realizing the private key escrow of the alliance chain users based on the SoftHSM, which comprises the following steps:
the user verification module is used for responding to a private key import request of the user node and verifying user information and authority information corresponding to the user node;
the initialization module is used for executing commands for creating the token and the slot, verifying the created result, and acquiring the return values of the created token and the slot if the creation is successful;
the SoftHSM private key escrow module is used for importing the user node private key into the SoftHSM private key escrow module for escrowing;
the execution verification module is used for verifying the result of importing the user node private key into the SoftHSM private key escrow module;
the configuration updating module is used for calling the interface updating k8s configuration for updating the k8s configuration;
and the node restarting module is used for restarting the user node to enable the updated k8s configuration to be effective.
According to an embodiment of the system for realizing the federation chain user private key escrow based on the SoftHSM, the user authentication module for authenticating the user information and the authority information comprises a two-step authentication mechanism: password authentication and authentication code authentication.
According to an embodiment of the system for implementing a federation chain user private key escrow based on SoftHSM of the present invention, the initialization module is further configured to:
and checking whether the token and the slot exist or not, if the token and the slot do not exist, acquiring preset values of label and pin, adding a random number to the values of label and pin, and calling an initToken function of a PKCS #11 library to create the token and the slot.
According to an embodiment of the system for implementing a federation chain user private key escrow based on SoftHSM of the present invention, the initialization module is further configured to:
before calling the initToken function of the PKCS #11 library to create the token and the slot, the method further comprises the following steps: and packaging the interface of the initToken function of the PKCS #11 library.
According to an embodiment of the invention, in which the federation chain user private key escrow system is implemented based on SoftHSM, the SoftHSM private key escrow module is further configured to:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the SoftHSM private key escrow module through a key importing tool.
According to an embodiment of the invention, in which the federation chain user private key escrow system is implemented based on SoftHSM, the SoftHSM private key escrow module is further configured to:
before starting the SoftHSM private key escrow module, the method further comprises: the method comprises the steps of installing and deploying SoftHSM in a certificate issuing organization, configuring a PKCS #11 interface in a block chain encryption service provider module of the certificate issuing organization, switching the configuration of a client into PKCS #11, and reconnecting the client and the certificate issuing organization.
According to an embodiment of the invention, in which the federation chain user private key escrow system is implemented based on SoftHSM, the SoftHSM private key escrow module is further configured to:
before importing, by a key import tool, a user node private key into the SoftHSM private key escrow module, the method further includes:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
Compared with the prior art, the invention has the following beneficial effects: the invention firstly provides a two-step verification mechanism to verify the user information and ensure that the user has the authority of the private key escrow; the core is that a softHSM private key escrow module is introduced to escrow the user private key in the softHSM, so that the soft escrow of the user private key is realized, and the security of the user private key is increased. In addition, the invention also encapsulates the initToken interface, the wrapkey interface and the unwrapkey interface of the PKCS #11 library, thereby increasing the expandability of the system.
Drawings
The above features and advantages of the present disclosure will be better understood upon reading the detailed description of embodiments of the disclosure in conjunction with the following drawings. In the drawings, components are not necessarily drawn to scale, and components having similar relative characteristics or features may have the same or similar reference numerals.
Fig. 1 shows a flowchart of an embodiment of the method for implementing federation chain user private key escrow based on SoftHSM of the present invention.
Fig. 2 shows a schematic diagram of an embodiment of the present invention for implementing a federation chain user private key escrow system based on SoftHSM.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. It is noted that the aspects described below in connection with the figures and the specific embodiments are only exemplary and should not be construed as imposing any limitation on the scope of the present invention.
Fig. 1 shows a flow of an embodiment of a method for implementing federation chain user private key escrow based on SoftHSM, please refer to fig. 1, and implementation steps of the method of this embodiment are detailed as follows.
Step 1: and the user verification module responds to the user node private key import request and verifies the user information and the authority information corresponding to the user node. If the verification is passed, continuing the next step, and if the verification is failed, returning error information to the client.
The authentication of the user information and the rights information comprises a two-step authentication mechanism: password verification and identifying code verification, the concrete steps include:
password verification: sending a login request to a server according to a user account and a password, and returning a corresponding token (token) by the server; signing the returned token by using a password; comparing the signed information with the signature information of the same account stored in the database, if the signed information is the same as the signature information of the same account, successfully verifying, and if the signed information is not the same as the signature information of the same account, failing to verify; returning the verification result to the client;
verification of the verification code: acquiring a mobile phone number and a verification code of a user, if the verification code is correct, sending a login request to a server according to the mobile phone number and the verification code, and returning a corresponding token by the server; storing the latest verification code into a database, and signing the token by using the password and the verification code; comparing the signed information with the signature information of the same mobile phone number stored in the database, if the signed information is the same as the signature information, successfully verifying, and if the signed information is not the same as the signature information, failing to verify; and returning the verification result to the client.
Step 2: the initialization module executes a command for creating a token and a slot, and specifically includes:
checking whether a token and a slot already exist, and if so, entering the next step;
if the token and the slot do not exist, acquiring preset values of the label and the pin, adding a random number to the label and the pin, wherein the random numbers can be different, and calling an initToken function of a PKCS #11 library to create the token and the slot.
The PKCS #11 standard is a set of specifications called Public-Key Cryptography Standards (Public-Key Cryptography Standards) that define A Programming Interface (API), called Cryptoki, which is an abbreviation for cryptographic token interface, for devices that store cryptographic information and perform cryptographic functions.
Token, Slot, Label, PIN, InitToken are all terms in the PKCS #11 standard,
token: token, the logical view of the password defined by Cryptoki, is a device that can store objects, perform cryptographic functions. As an open standard of a password token interface, Cryptoki defines an application program interface for user equipment which possesses password information (keys or certificates) and executes a cryptographic function, abstracts the details of the equipment, and refers to a universal model of the password equipment (such as USBKey and an encryption card) as a password token to be provided for an application program;
slot: a slot, possibly containing a logical reader of tokens;
label: a label;
PIN: representing a personal identification code;
initToken function: a token function is initialized.
In addition, before calling the initToken function of the PKCS #11 library to implement the creation of token and slot, the method further includes: and packaging an interface of the initToken function of the PKCS #11 library to realize the function of creating token and slot.
And step 3: and the execution verification module verifies the result of executing the creation, returns error information to the client if the creation fails, acquires the return values of the created token and slot if the creation succeeds, and enters the next step.
And 4, step 4: the node restarting module starts the softHSM private key escrow module and leads the user node private key into the softHSM private key escrow module.
The step 4 specifically comprises the following steps:
the softHSM private key escrow module is used for acquiring a file path of a user node private key, calling a return value for creating a token and a slot, and importing the user node private key into the softHSM private key escrow module through a key importing tool to process the escrow user private key.
In addition, before starting the SoftHSM private key escrow module, the method further comprises: installing and deploying SoftHSM in the CA, configuring a PKCS #11 interface in a BCCSP module of the CA, switching the configuration of the client to PKCS #11, and reconnecting the client and the CA.
Ca (certification authority) is a certificate issuing authority, which is an authority responsible for issuing certificates, authenticating certificates, and managing issued certificates.
BCCSP (Block chain Cryptographic Service Provider) block chain encryption Service Provider provides encryption standard and algorithm realization for Fabric, including Hash and signature, and BCCSP provides encryption algorithm related Service for core function and client SDK through MSP (Membership Service Provider).
In addition, before importing the user node private key into the SoftHSM private key escrow module by the key import tool, the method further includes:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
And 5: and the execution verification module verifies the result of importing the user node private key into the SoftHSM private key hosting module, if the import fails, error information is returned to the client, and if the import succeeds, the next step is carried out.
Step 6: the configuration update module calls the interface update k8s configuration that updates the k8s configuration.
k8s is called Kubernets completely, is a container cluster management system, and can realize the functions of automatic deployment, automatic capacity expansion, maintenance and the like of a container cluster.
And 7: the node restart module restarts the user node to validate the updated k8s configuration.
Fig. 2 shows the principle of an embodiment of the present invention, which implements a federation chain user private key escrow system based on SoftHSM, please refer to fig. 2, and the architecture and principle of the system of this embodiment are detailed as follows.
The system of the embodiment comprises: the system comprises a user verification module, an initialization module, a SoftHSM private key hosting module, an execution verification module, a configuration updating module and a node restarting module.
The data transmission relationship among the modules is as follows: the data of the user authentication module is output to the initialization module, the data of the initialization module is output to the SoftHSM private key hosting module, the data of the SoftHSM private key hosting module is output to the execution authentication module, the data of the execution authentication module is output to the configuration updating module, and the data of the configuration updating module is output to the node restarting module.
And the user verification module is used for responding to the private key import request of the user node and verifying the user information and the authority information corresponding to the user node.
The user authentication module for authenticating the user information and the authority information comprises two authentication mechanisms: password verification and verification code verification are specifically configured as follows:
password verification: sending a login request to a server according to a user account and a password, and returning a corresponding token (token) by the server; signing the returned token by using a password; comparing the signed information with the signature information of the same account stored in the database, if the signed information is the same as the signature information of the same account, successfully verifying, and if the signed information is not the same as the signature information of the same account, failing to verify; returning the verification result to the client;
verification of the verification code: acquiring a mobile phone number and a verification code of a user, if the verification code is correct, sending a login request to a server according to the mobile phone number and the verification code, and returning a corresponding token by the server; storing the latest verification code into a database, and signing the token by using the password and the verification code; comparing the signed information with the signature information of the same mobile phone number stored in the database, if the signed information is the same as the signature information, successfully verifying, and if the signed information is not the same as the signature information, failing to verify; and returning the verification result to the client.
The initialization module is used for executing commands for creating the token and the slot, verifying the created result, and acquiring the return values of the created token and the slot if the creation is successful.
The specific configuration of the initialization module is as follows:
checking whether the token and the slot exist or not, and if so, entering the next step;
if the token and the slot do not exist, preset label and pin values are obtained, a random number is added to both the label 1 and the pin values, and the initToken function of the PKCS #11 library is called to create the token and the slot.
In addition, before the initToken function of the PKCS #11 library is called to create the token and the slot, the method further comprises the following steps: and packaging the interface of the initToken function of the PKCS #11 library.
The SoftHSM private key escrow module is used for importing the user node private key into the SoftHSM private key escrow module for escrowing.
The specific configuration of the SoftHSM private key escrow module is as follows:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the SoftHSM private key escrow module through a key importing tool.
In addition, before starting the SoftHSM private key escrow module, the method further comprises: installing and deploying SoftHSM in the CA, configuring a PKCS #11 interface in a BCCSP module of the CA, switching the configuration of the client to PKCS #11, and reconnecting the client and the CA.
In addition, before importing the user node private key into the SoftHSM private key escrow module by the key import tool, the method further includes:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
And the execution verification module is used for verifying the result of importing the user node private key into the SoftHSM private key escrow module.
The configuration update module is used for calling the interface update k8s configuration for updating the k8s configuration.
The node restart module is used for restarting the user node to enable the updated k8s configuration to be effective.
While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of acts, it is to be understood and appreciated that the methodologies are not limited by the order of acts, as some acts may, in accordance with one or more embodiments, occur in different orders and/or concurrently with other acts from that shown and described herein or not shown and described herein, as would be understood by one skilled in the art.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a web site, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk (disk) and disc (disc), as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks (disks) usually reproduce data magnetically, while discs (discs) reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the spirit or scope of the disclosure. Thus, the disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (14)
1. A method for realizing federation chain user private key escrow based on SoftHSM is characterized by comprising the following steps:
step 1: responding to the user node private key import request, verifying user information and permission information corresponding to the user node, if the verification fails, returning error information to the client, and if the verification passes, continuing the next step;
step 2: executing a command to create a token and a slot;
and step 3: verifying the result of executing the creation, if the creation fails, returning error information to the client, if the creation succeeds, acquiring the return values of the created token and the slot, and entering the next step;
and 4, step 4: starting a softHSM private key escrow module, and importing a user node private key into the softHSM private key escrow module for escrowing;
and 5: verifying the result of importing the user node private key into the SoftHSM private key escrow module, if the import fails, returning error information to the client, and if the import succeeds, entering the next step;
step 6: calling an interface for updating the k8s configuration to update the k8s configuration;
and 7: the restart user node validates the updated k8s configuration.
2. The method for realizing federation chain user private key escrow based on SoftHSM according to claim 1, wherein in step 1, verifying user information and permission information includes a two-step verification mechanism: password authentication and authentication code authentication.
3. The method for realizing federation chain user private key escrow based on SoftHSM of claim 1, wherein step 2 further comprises:
checking whether the token and the slot exist or not, and if so, entering the next step;
if the token and the slot do not exist, acquiring preset values of the label and the pin, adding a random number to the label and the pin, and calling an initToken function of a PKCS #11 library to create the token and the slot.
4. The method for realizing federation chain user private key escrow based on SoftHSM of claim 3, wherein before invoking the initToken function of PKCS #11 library to create the token and the slot, further comprising:
and packaging the interface of the initToken function of the PKCS #11 library.
5. The method for realizing federation chain user private key escrow based on SoftHSM of claim 1, wherein step 4 further comprises:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the SoftHSM private key escrow module through a key importing tool.
6. The method of claim 5, further comprising, prior to initiating the SoftHSM private key escrow module: the method comprises the steps of installing and deploying SoftHSM in a certificate issuing organization, configuring a PKCS #11 interface in a block chain encryption service provider module of the certificate issuing organization, switching the configuration of a client into PKCS #11, and reconnecting the client and the certificate issuing organization.
7. The method of claim 6, further comprising, prior to importing the user node private key into the SoftHSM private key escrow module via the key import tool:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
8. A system for realizing federation chain user private key escrow based on SoftHSM is characterized in that the system comprises:
the user verification module is used for responding to a private key import request of the user node and verifying user information and authority information corresponding to the user node;
the initialization module is used for executing commands for creating the token and the slot, verifying the created result, and acquiring the return values of the created token and the slot if the creation is successful;
the SoftHSM private key escrow module is used for importing the user node private key into the SoftHSM private key escrow module for escrowing;
the execution verification module is used for verifying the result of importing the user node private key into the SoftHSM private key escrow module;
the configuration updating module is used for calling the interface updating k8s configuration for updating the k8s configuration;
and the node restarting module is used for restarting the user node to enable the updated k8s configuration to be effective.
9. The system of claim 8, in which the user authentication module to authenticate the user information and the permission information comprises a two-step authentication mechanism: password authentication and authentication code authentication.
10. The SofttHSM-based federated coalition user private key escrow system of claim 8, wherein the initialization module is further configured to:
and checking whether the token and the slot exist or not, if the token and the slot do not exist, acquiring preset values of label and pin, adding a random number to the values of label and pin, and calling an initToken function of a PKCS #11 library to create the token and the slot.
11. The SoftHSM-based federated coalition chain user private key escrow system of claim 10, wherein the initialization module is further configured to:
before calling the initToken function of the PKCS #11 library to create the token and the slot, the method further comprises the following steps: and packaging the interface of the initToken function of the PKCS #11 library.
12. The system of claim 8, wherein the SoftHSM-based implementation of federation chain user private key escrow module is further configured to:
and acquiring a file path of the private key of the user node, calling the created token and the return value of the slot, and importing the private key of the user node into the SoftHSM private key escrow module through a key importing tool.
13. The system of claim 12, wherein the SoftHSM-based implementation of federation chain user private key escrow module is further configured to:
before starting the SoftHSM private key escrow module, the method further comprises: the method comprises the steps of installing and deploying SoftHSM in a certificate issuing organization, configuring a PKCS #11 interface in a block chain encryption service provider module of the certificate issuing organization, switching the configuration of a client into PKCS #11, and reconnecting the client and the certificate issuing organization.
14. The system of claim 12, wherein the SoftHSM-based implementation of federation chain user private key escrow module is further configured to:
before importing, by a key import tool, a user node private key into the SoftHSM private key escrow module, the method further includes:
packaging the wrapkey interface of the PKCS #11 library to obtain a key importing tool, and realizing the guiding operation of the key;
and packaging the unwrapkey interface of the PKCS #11 library to obtain a key export tool, thereby realizing the export operation of the key.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110994619.9A CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110994619.9A CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113641986A true CN113641986A (en) | 2021-11-12 |
| CN113641986B CN113641986B (en) | 2024-04-02 |
Family
ID=78424138
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110994619.9A Active CN113641986B (en) | 2021-08-27 | 2021-08-27 | Method and system for realizing alliance chain user private key hosting based on SoftHSM |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113641986B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO1998054864A2 (en) * | 1997-05-28 | 1998-12-03 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems |
| US20160218879A1 (en) * | 2015-01-23 | 2016-07-28 | Daniel Robert Ferrin | Method and apparatus for the limitation of the mining of blocks on a block chain |
| US20180082076A1 (en) * | 2014-04-04 | 2018-03-22 | Zettaset, Inc. | Cloud Storage Encryption |
| US20180176013A1 (en) * | 2015-07-14 | 2018-06-21 | Fmr Llc | Firmware Extension For Secure Cryptocurrency Key Backup, Restore, and Transaction Signing Platform Apparatuses, Methods and Systems |
| US20180262341A1 (en) * | 2017-03-10 | 2018-09-13 | Fmr Llc | Secure Firmware Transaction Signing Platform Apparatuses, Methods and Systems |
| US20180367316A1 (en) * | 2015-07-14 | 2018-12-20 | Fmr Llc | Seed splitting and firmware extension for secure cryptocurrency key backup, restore, and transaction signing platform apparatuses, methods and systems |
| US10790976B1 (en) * | 2018-08-01 | 2020-09-29 | Bloomio Ag | System and method of blockchain wallet recovery |
| US20210056547A1 (en) * | 2019-08-19 | 2021-02-25 | Anchor Labs, Inc. | Cryptoasset custodial system with proof-of-stake blockchain support |
| US20210092108A1 (en) * | 2019-09-24 | 2021-03-25 | Magic Labs, Inc. | Non-custodial tool for building decentralized computer applications |
-
2021
- 2021-08-27 CN CN202110994619.9A patent/CN113641986B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO1998054864A2 (en) * | 1997-05-28 | 1998-12-03 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems |
| US20180082076A1 (en) * | 2014-04-04 | 2018-03-22 | Zettaset, Inc. | Cloud Storage Encryption |
| US20160218879A1 (en) * | 2015-01-23 | 2016-07-28 | Daniel Robert Ferrin | Method and apparatus for the limitation of the mining of blocks on a block chain |
| US20180176013A1 (en) * | 2015-07-14 | 2018-06-21 | Fmr Llc | Firmware Extension For Secure Cryptocurrency Key Backup, Restore, and Transaction Signing Platform Apparatuses, Methods and Systems |
| US20180367316A1 (en) * | 2015-07-14 | 2018-12-20 | Fmr Llc | Seed splitting and firmware extension for secure cryptocurrency key backup, restore, and transaction signing platform apparatuses, methods and systems |
| US20180262341A1 (en) * | 2017-03-10 | 2018-09-13 | Fmr Llc | Secure Firmware Transaction Signing Platform Apparatuses, Methods and Systems |
| US10790976B1 (en) * | 2018-08-01 | 2020-09-29 | Bloomio Ag | System and method of blockchain wallet recovery |
| US20210056547A1 (en) * | 2019-08-19 | 2021-02-25 | Anchor Labs, Inc. | Cryptoasset custodial system with proof-of-stake blockchain support |
| US20210092108A1 (en) * | 2019-09-24 | 2021-03-25 | Magic Labs, Inc. | Non-custodial tool for building decentralized computer applications |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113641986B (en) | 2024-04-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8943311B2 (en) | System and methods for online authentication | |
| CA2786271C (en) | Anytime validation for verification tokens | |
| JP4079200B2 (en) | External equipment | |
| US8756674B2 (en) | System and methods for online authentication | |
| US20130145455A1 (en) | Method for accessing a secure storage, secure storage and system comprising the secure storage | |
| CN111034120B (en) | Encryption key management based on identity information | |
| CN110933125A (en) | Block chain entity, down-link entity, authentication device and method for performing collaboration | |
| JP2005537559A (en) | Secure record of transactions | |
| US11811939B2 (en) | Advanced crypto token authentication | |
| CN112352410B (en) | Method and apparatus for using smart card as security token, readable storage medium | |
| KR101495448B1 (en) | Integrated circuit chip for user authentication and autentication method | |
| CN113641986B (en) | Method and system for realizing alliance chain user private key hosting based on SoftHSM | |
| JP2017079419A (en) | Server authentication system, terminal, server, server authentication method, program | |
| AU2015200701B2 (en) | Anytime validation for verification tokens | |
| JP2002132145A (en) | Authentication method, authentication system, recording medium and information processor | |
| CN115733611A (en) | Digital identity carrier device and digital identity verification method | |
| WO2022171263A1 (en) | Key attestation methods, computing devices having key attestation abilities, and their provisioning | |
| Hampiholi et al. | Trusted self-enrolment for attribute-based credentials on mobile phones |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |