CN113839905B - Certificate writing and certificate feedback method, accounting node and identity authentication system - Google Patents

Publication number
CN113839905B
Authority
CN
China
Prior art keywords
certificate
authentication server
blockchain
server
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010514097.3A
Other languages
Chinese (zh)
Other versions
CN113839905A (en)
Inventor
刘福文
杨波
王珂
阎军智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Zijin Jiangsu Innovation Research Institute Co ltd
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute
Priority to CN202010514097.3A
Publication of CN113839905A
Application granted
Publication of CN113839905B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention provides a certificate writing and feedback method, an accounting node and an identity authentication system, and relates to the technical field of alliance chains. The certificate writing method is applied to an accounting node and comprises the following steps: acquiring a blockchain certificate of at least one authentication server; and writing the blockchain certificate of the at least one authentication server into an alliance chain by using a consensus mechanism; wherein the state of the blockchain certificate of the authentication server is a valid state, and the blockchain certificates of the authentication servers do not use signatures to form a certificate chain. Because the blockchain certificate of the authentication server is written into the alliance chain by using the consensus mechanism, the verification server can acquire the blockchain certificate of the authentication server from the alliance chain, mutual trust among CAs is not needed, and the call delay can be reduced.

Description

Certificate writing and certificate feedback method, accounting node and identity authentication system
Technical Field
The invention relates to the technical field of alliance chains, in particular to a certificate writing and feedback method, an accounting node and an identity authentication system.
Background
In the process of implementing the present application, the inventors found that at least the following problems exist in the prior art:
The Secure Telephone Identity Revisited (STIR) scheme has major drawbacks:
1. The problem of mutual trust among multiple CAs (Certificate Authorities): in principle, one CA can issue certificates to all users around the world. In practice, however, certificate management and differing security-level requirements call for multiple CAs, whether at the national level, the industry level, or the enterprise level. The existence of multiple CAs brings about the problem of trust between CAs.
2. The delay problem: large networks are commonly managed hierarchically, and conventional certificate management is correspondingly also implemented hierarchically. The private key corresponding to the public key in the root certificate signs the subordinate certificate, generating the subordinate certificate. The private key corresponding to the public key in that subordinate certificate in turn signs its own subordinate certificate, and so on until the end certificate used for authenticating the user is generated, thereby forming a certificate chain from the root certificate to the user certificate. After the verification server receives the certificate chain, it verifies from the root certificate down to the user certificate. In general there are three levels of certificates, so the verification server needs to perform signature verification three times, which increases the call delay.
Disclosure of Invention
The embodiment of the invention provides a certificate writing and feedback method, an accounting node and an identity authentication system, which are used for solving the problems of mutual trust among CAs and increased call delay in the existing solution for false calls.
In order to solve the above technical problems, an embodiment of the present invention provides a certificate writing method, which is applied to an accounting node, and includes:
acquiring a blockchain certificate of at least one authentication server;
writing the blockchain certificate of the at least one authentication server into an alliance chain by using a consensus mechanism;
wherein the state of the blockchain certificate of the authentication server is a valid state; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
Optionally, the format of the blockchain certificate of the authentication server includes at least one of the following information:
the type of the authentication server, the blockchain certificate characteristic of the authentication server, the authentication server identifier, the public key of the blockchain certificate of the authentication server, the validity period of the blockchain certificate of the authentication server, reserved information, and the state of the blockchain certificate of the authentication server.
Further, the setting rule of the authentication server identifier adopts one of the following:
identifying the authentication server by utilizing the range of the telephone number;
identifying the authentication server by utilizing the hierarchy of authentication servers.
Optionally, after writing the blockchain certificate of the at least one authentication server into the alliance chain using a consensus mechanism, the method further comprises:
receiving a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and according to the certificate inquiry message, performing certificate inquiry and feeding back an inquiry result to the verification server.
Specifically, performing the certificate inquiry according to the certificate inquiry message and feeding back the inquiry result to the verification server includes one of the following:
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is not retrieved, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the retrieved blockchain certificate of the authentication server is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the blockchain certificate of the authentication server is a valid state but the certificate verification time is not within the validity period of the blockchain certificate of the authentication server, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the blockchain certificate of the authentication server is a valid state and the certificate verification time is within the validity period of the blockchain certificate of the authentication server, returning the blockchain certificate of the authentication server to the verification server.
The embodiment of the invention also provides a certificate feedback method which is applied to the accounting node and comprises the following steps:
receiving a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and according to the certificate inquiry message, performing certificate inquiry and feeding back an inquiry result to the verification server.
Specifically, performing the certificate inquiry according to the certificate inquiry message and feeding back the inquiry result to the verification server includes one of the following:
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is not retrieved, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the retrieved blockchain certificate of the authentication server is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the blockchain certificate of the authentication server is a valid state but the certificate verification time is not within the validity period of the blockchain certificate of the authentication server, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is retrieved, and the state of the blockchain certificate of the authentication server is a valid state and the certificate verification time is within the validity period of the blockchain certificate of the authentication server, returning the blockchain certificate of the authentication server to the verification server.
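The four query outcomes above, in the order the text gives them, as an added example (not code from the patent): a minimal in-memory accounting-node lookup that resolves a certificate either by calling number against a phone-number-range identifier or by authentication server name. The class, field and result names, the dictionary standing in for the alliance chain, the `set_state` helper and the sample certificates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum


class Result(Enum):
    CERT_NOT_FOUND = "certificate does not exist"
    CERT_INVALID = "certificate state is invalid"
    CERT_EXPIRED = "certificate has expired"
    OK = "certificate returned"


@dataclass(frozen=True)
class BlockchainCert:
    # Fields mirror the custom format listed on the page; the names are assumptions.
    server_type: str        # e.g. "primary"
    characteristic: str     # e.g. "signature certificate"
    identifier: str         # hierarchical name, or "low-high" phone number range
    public_key: bytes
    not_before: datetime
    not_after: datetime
    state: str = "valid"    # "valid" or "invalid"
    reserved: bytes = b""


def range_covers(identifier: str, calling_number: str) -> bool:
    """True if a 'low-high' range identifier contains the calling number."""
    low, sep, high = identifier.partition("-")
    if not sep or not (low.isdigit() and high.isdigit() and calling_number.isdigit()):
        return False            # hierarchical names and malformed input never match
    if not len(low) == len(high) == len(calling_number):
        return False            # equal length keeps string order equal to numeric order
    return low <= calling_number <= high


class AccountingNode:
    """In-memory stand-in for the certificates committed to the alliance chain."""

    def __init__(self):
        self._certs = {}        # identifier -> latest certificate record

    def write(self, cert: BlockchainCert) -> None:
        if cert.state != "valid":
            raise ValueError("certificates are written in the valid state")
        self._certs[cert.identifier] = cert

    def set_state(self, identifier: str, state: str) -> None:
        # Hypothetical helper: how a state changes on-chain is not modelled here.
        self._certs[identifier] = replace(self._certs[identifier], state=state)

    def _find(self, calling_number, server_name):
        if server_name is not None:
            return self._certs.get(server_name)
        if calling_number is None:
            raise ValueError("query needs a calling number or a server name")
        for cert in self._certs.values():
            if range_covers(cert.identifier, calling_number):
                return cert
        return None

    def query(self, *, calling_number=None, server_name=None, at=None):
        """Return (Result, certificate or None), checking in the page's order."""
        at = at or datetime.now(timezone.utc)
        cert = self._find(calling_number, server_name)
        if cert is None:
            return Result.CERT_NOT_FOUND, None
        if cert.state != "valid":
            return Result.CERT_INVALID, None
        if not (cert.not_before <= at <= cert.not_after):
            return Result.CERT_EXPIRED, None
        return Result.OK, cert


def build_demo_node() -> AccountingNode:
    """Constructed sample data: one range-named and one hierarchically named cert."""
    start = datetime(2021, 1, 1, tzinfo=timezone.utc)
    end = datetime(2026, 1, 1, tzinfo=timezone.utc)
    node = AccountingNode()
    node.write(BlockchainCert("primary", "signature certificate",
                              "008613910000000-008613959999999",
                              b"<constructed public key N>", start, end))
    node.write(BlockchainCert("primary", "signature certificate", "Z1.Y1",
                              b"<constructed public key Z1>", start, end))
    return node


if __name__ == "__main__":
    node = build_demo_node()
    when = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for kwargs in ({"calling_number": "008613912345678"},
                   {"calling_number": "008613960000000"},
                   {"server_name": "Z1.Y1"}):
        result, _ = node.query(at=when, **kwargs)
        print(kwargs, "->", result.value)
```

The state check runs before the validity-period check, so a certificate that is both invalid and out of date reports the invalid state, matching the order of the cases in the text.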
The embodiment of the invention also provides an accounting node, which comprises:
the acquisition module is used for acquiring the blockchain certificate of at least one authentication server;
the writing module is used for writing the blockchain certificate of the at least one authentication server into the alliance chain by using a consensus mechanism;
wherein the state of the blockchain certificate of the authentication server is a valid state; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
The embodiment of the invention also provides an accounting node, which comprises a transceiver and a processor;
the processor is configured to: acquiring a blockchain certificate of at least one authentication server;
writing the blockchain certificate of the at least one authentication server into an alliance chain by using a consensus mechanism;
wherein the state of the blockchain certificate of the authentication server is a valid state; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
The embodiment of the invention also provides an accounting node, which comprises:
the first receiving module is used for receiving a certificate inquiry message sent by the verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and the feedback module is used for inquiring the certificate according to the certificate inquiry message and feeding back the inquiry result to the verification server.
The embodiment of the invention also provides an accounting node, which comprises a transceiver and a processor;
the transceiver is used for receiving a certificate inquiry message sent by the verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and the processor is used for inquiring the certificate according to the certificate inquiry message and feeding back the inquiry result to the verification server.
The embodiment of the invention also provides an accounting node, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes the certificate writing method or the certificate feedback method when executing the program.
The embodiments of the present invention also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above-described certificate writing method or the steps of the above-described certificate feedback method.
The embodiment of the invention also provides an identity authentication system, which comprises:
an authentication server for digitally signing the Session Initiation Protocol (SIP) call using its private key corresponding to the public key on the blockchain certificate;
and the verification server is used for acquiring the blockchain certificate of the authentication server from the alliance chain, and verifying the digital signature of the authentication server by using the public key of the blockchain certificate of the authentication server.
The beneficial effects of the invention are as follows:
according to the scheme, the blockchain certificate of the authentication server is written into the alliance chain by using the consensus mechanism, so that the verification server can acquire the blockchain certificate of the authentication server from the alliance chain, mutual trust among CAs is not needed, and the call delay can be reduced.
Drawings
FIG. 1 shows a schematic diagram of an STIR architecture;
FIG. 2 is a schematic flow chart of a certificate writing method according to an embodiment of the present invention;
FIG. 3 illustrates an example of server certificate hierarchical naming;
FIG. 4 shows a schematic diagram of an embodiment of the invention;
FIG. 5 shows a first block diagram of the accounting node of an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a certificate feedback method according to an embodiment of the present invention;
FIG. 7 shows a second block diagram of the accounting node of an embodiment of the present invention.
Detailed Description
The prior art related to the embodiments of the present invention will be briefly described below.
The public switched telephone network (Public Switched Telephone Network, PSTN) is generally considered a closed, trusted network. Telephone companies rely on other operators to follow the rules to ensure proper operation of the network. When providing the caller's telephone number, the originating switch controls, on a call-by-call basis, which calling number (caller ID) is sent. In the PSTN, customizing the caller ID requires control over an SS7 switch, so forgery of caller identity is rare in the PSTN.
However, with the recent rise of IP access to the PSTN, inexpensive IP-based client protocols such as the Session Initiation Protocol (SIP) are replacing expensive traditional telephone services such as the Integrated Services Digital Network (ISDN). Inexpensive voice over IP (VoIP) telephony services are now commonplace, and the PSTN bearer network is also evolving towards IP. The following telephone call modalities currently exist: VoIP-to-VoIP calls, VoIP-PSTN-VoIP calls, PSTN-to-VoIP calls, VoIP-to-PSTN calls, PSTN-VoIP-PSTN calls, and PSTN-PSTN calls.
Interworking of VoIP with legacy telephone network systems has reduced the assurance that a calling number is authentic. In all of the above call modalities except PSTN-PSTN calls, an attacker can forge any calling number to make false calls using new and inexpensive tools, such as the Asterisk IP PBX, which can generate millions of calls, each with an individual, random or carefully selected calling number. Using a fake calling number, an attacker may initiate the following attacks:
A11, voice spam calls, e.g., telemarketing, surveys, debt collectors, etc. While some "legitimate" telemarketers use legitimate numbers, many numbers are counterfeit. Fake numbers are almost always used, unless the telemarketer wants the consumer or victim to be able to call back, in which case the real number is used.
A12, fraud: tax office fraud, technical support fraud, and other fraud. These calls almost always use spoofed phone numbers to impersonate legitimate organizations and fool victims.
A13, phishing: the call is intended to gather information about the victim. This includes attempting to trick the victim into saying "yes" or something else that can be recorded for future use.
A14, voicemail attacks: some voicemail systems use only the calling number for verification, so a caller who reaches these voicemail systems with a spoofed telephone number gains access immediately.
A15, telephony denial of service (Telephony Denial of Service, TDoS): a large number of calls intended to disrupt a target, typically a public-facing contact center such as 10086. When TDoS calls are made with forged numbers, it is much more difficult to distinguish them from legitimate calls. Alternatively, the attacker can forge the calling number of a specific victim to make a large number of calls, so that the victim's calling number is recorded in a blacklist and the victim's calls are blocked by the receiving side.
For false calls, there are mainly two solutions:
B11, blacklists: most operators use blacklists to solve the problem of false calls, i.e., they maintain a blacklist and prevent calls from numbers on this list from arriving. Operators update these lists based on their traffic monitoring functions and on user feedback. The biggest challenge for the blacklist approach is that it does not apply to new calls from numbers that are not on the list, nor to calls that use random spoofed calling numbers. Fraudsters know about the blacklist, and if they really want to make a call, they either know which numbers are on the blacklist or can easily test which numbers are on it. In addition, because there is currently no effective method for guaranteeing the authenticity of the calling number over VoIP, a blacklisted number is not necessarily a spoofed number.
B12, Secure Telephone Identity Revisited (STIR) / Signature-based Handling of Asserted information using toKENs (SHAKEN): organizations including the Internet Engineering Task Force (IETF), the Alliance for Telecommunications Industry Solutions (ATIS), the SIP Forum and service providers are working on the STIR IETF standards (RFCs) and the signature-based SHAKEN. These efforts attempt to provide caller number verification to the target user. SHAKEN has been a practice based on STIR for some time.
STIR includes the following IETF standards:
RFC 8224: Authenticated Identity Management in the Session Initiation Protocol (SIP);
RFC 8225: PASSporT: Personal Assertion Token;
RFC 8226: Secure Telephone Identity Credentials: Certificates.
RFC 8224 defines a security mechanism for identifying the originator of a SIP request, as shown in fig. 1; it does so by defining a SIP identity field (Identity) that carries the signature over the identity and the download address of the signer's certificate.
The specific flow is as follows:
S11, SIP client A sends a SIP invite message to the authentication server;
S12, the authentication server signs the DATE field, the FROM field and the TO field in the SIP invite message header. The FROM field contains the identity of the inviter (SIP URI or telephone number), the TO field contains the identity of the invitee (SIP URI or telephone number), and the DATE field contains the timestamp at which the SIP invite message was sent. The signature over the FROM field ensures the authenticity of the inviter's identity, the signature over the TO field ensures that the identity of the invitee has not been tampered with, and the signature over the DATE field prevents replay attacks. The authentication server places the signature and the address of the authentication server certificate in the newly defined identity field;
S13, the authentication server sends the signed invite message to the verification server;
S14, the verification server connects to the PKI according to the address of the authentication server certificate and obtains the authentication server certificate;
S15, the verification server uses the public key in the authentication server certificate to verify the signature, and after the verification succeeds, the verification server sends the SIP invite message to SIP client B.
Aiming at the problems of mutual trust among CAs and increased call delay in the existing solution for false calls, the invention provides a certificate writing and feedback method, an accounting node and an identity authentication system.
As shown in fig. 2, the certificate writing method of the embodiment of the present invention is applied to an accounting node, and includes:
step 21, obtaining a blockchain certificate of at least one authentication server;
it should be noted that the blockchain certificate of the authentication server is generated by the operator's management department, and the state of the blockchain certificate must be set to the valid state when it is generated. After generating the blockchain certificate of the authentication server, the operator's management department can input it to the accounting node, which ensures that the accounting node can acquire the blockchain certificate of the authentication server.
Step 22, writing the blockchain certificate of the at least one authentication server into an alliance chain by using a consensus mechanism;
the state of the blockchain certificates of the authentication servers written by the accounting node is a valid state. When writing certificates, the accounting node can write the blockchain certificates of all the authentication servers of an operator into the alliance chain at one time, or write them into the alliance chain in several batches by region; signatures are likewise not used to build a certificate chain between the blockchain certificates of the authentication servers written to the alliance chain.
It should be noted that, in the embodiments of the present invention, the alliance chain refers to a blockchain that several organizations jointly participate in and manage. The alliance chain internally designates a number of preselected nodes as accounting nodes, the generation of each block is decided jointly by all preselected nodes using a consensus mechanism, and other access nodes (i.e., other accounting nodes) can read the on-chain information but are not involved in the accounting process. The alliance chain uses distributed ledger and distributed consensus technology to form a distributed database whose data cannot be tampered with, which solves the multi-party trust problem.
It should be further noted that, in the embodiment of the present invention, the blockchain certificate of the authentication server may use the standard X.509 format, but the signature over the certificate information differs from that of a common X.509 certificate: because there is no trusted third party in the blockchain network, the certificate information is self-signed instead of being digitally signed by a third party.
The blockchain certificate of the authentication server in the embodiment of the invention can also use a custom format. The biggest difference between the custom format and the X.509 format is that the custom format contains no signature over the certificate information, because the authenticity and reliability of the blockchain certificate are ensured by the blockchain rather than by the digital signature of a third party, and no trusted third party exists in the blockchain network. The benefits of the custom blockchain certificate format are: compared with standard certificates, it omits information fields that are unnecessary in the blockchain system and so saves storage space on the blockchain, and because no self-signature is needed, it also saves the computation required to generate and verify the self-signature. The custom blockchain certificate format includes at least one of the following information:
A11, authenticating the type of the server;
the type is a flag for distinguishing between different authentication server types, such as primary server, secondary server, etc.
A12, the block chain certificate characteristic of the authentication server;
the blockchain certificate characteristic of the authentication server is used to describe certificate characteristics, such as an anonymous certificate, a real name certificate, a signature certificate, a key agreement certificate, and the like.
A13, identifying an authentication server;
the authentication server identifier is a name used by the authentication server to apply for the blockchain certificate.
It should be further noted that the setting rule of the authentication server identifier adopts one of the following:
A131, identifying the authentication server by a range of telephone numbers;
It should be noted that the authentication server uses the telephone number range it manages as the authentication server identifier of the certificate; for example, 00861391xxxxxxx-00861395xxxxxxx is the authentication server identifier of authentication server N, so that the verification server can easily find the blockchain certificate of the corresponding authentication server on the federation chain according to the calling number. This naming scheme is suitable for countries and regions where number portability is not available. Once number portability is available, a number managed by the authentication server of one operator can become managed by the authentication server of another operator, which can cause confusion in signing and verification.
A132, identifying the authentication server by the hierarchy of authentication servers;
In this way, authentication servers are named hierarchically within one operator. The grading rules may be formulated in terms of administrative territories. For example, as shown in fig. 3, set X = China Mobile, Y1 = Beijing, Y2 = Hebei, …, Ym = Tibet, Z1 = first authentication server, Zn = nth authentication server. Then Z1.Y1 = the first authentication server certificate of Beijing, and Zn.Y1 = the nth authentication server certificate of Beijing. Although the blockchain certificates of authentication servers are named hierarchically, the certificates are not chained together using signatures; they are only managed according to the hierarchical rules. It should also be noted that the naming and generation of all certificates are carried out centrally by a management authority of the operator.
Here, it should also be noted that, compared with A131, A132 has the following advantage: the calling number is not bound to the name of the authentication server, so the method is suitable for countries and regions where number portability is available. The authentication server only needs to add its name to the SIP message header and sign the relevant information in the SIP message header together with the authentication server name; the verification server then finds the certificate of the corresponding authentication server on the alliance chain according to the name of the authentication server.
A14, the public key of the blockchain certificate of the authentication server;
The public key is generated by the certificate applicant, and the corresponding private key is kept secret by the certificate applicant. In order to make the certificate as short as possible and save its storage space on the blockchain, it is proposed that the certificate applicant adopt an elliptic curve key algorithm (Elliptic Curve Cryptography, ECC) when generating the public-private key pair.
A15, the validity period of the blockchain certificate of the authentication server;
The validity period refers to the point in time from which the blockchain certificate of the authentication server can be used and the point in time after which the blockchain certificate is no longer valid.
A16, reserved information;
It should be noted that this content is a reserved field.
A17, the state of the blockchain certificate of the authentication server;
It should be noted that the blockchain certificate of the authentication server has two states, namely a valid state and an invalid state.
The basic idea of the invention is as follows: the blockchain certificate of the authentication server is written into the alliance chain through the consensus mechanism of the alliance chain, which solves the multi-CA trust problem, because a plurality of operators can trust the information written into the blockchain; the blockchain certificates of the authentication server do not use signatures to form a certificate chain, so the verification server has fewer certificate chain verification steps to perform, which reduces the call delay; the authentication server signs the relevant fields (including caller identity information and authentication server name) in the SIP invite message header, and the verification server reads the blockchain certificate of the authentication server on the alliance chain and uses the public key in that certificate to verify the signature, thereby judging whether the caller identity is legitimate. The architecture to which the present invention applies is shown in fig. 4. The architecture differs from the STIR architecture in that the present invention uses a blockchain system to manage the certificates of authentication servers instead of managing certificates based on conventional PKI. Due to the introduction of the blockchain system, the present invention overcomes two drawbacks of the STIR architecture: the multi-CA trust problem and the call latency problem.
Specifically, the main process of certificate verification by the verification server is as follows: the verification server sends a certificate inquiry message to an accounting node in an alliance chain, wherein the certificate inquiry message includes: calling number or authentication server name; and the accounting node performs a certificate query according to the certificate inquiry message and feeds back the query result to the verification server.
Specifically, the specific implementation manner of the accounting node performing certificate inquiry according to the certificate inquiry message and feeding back the inquiry result to the verification server includes one of the following:
B11, if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
B12, if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
B13, if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
B14, if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
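The lookup rules B11 to B14, combined with the two identifier schemes A131 and A132, can be sketched as follows. This is an added example, not code from the patent: the Go type and function names, the in-memory ledger standing in for the alliance chain, and all sample records are assumptions constructed for illustration (only the number range and the hierarchical name pattern Zn.Y1 come from the page).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Cert carries the custom-format fields A11-A17. There is no signature field:
// integrity comes from the alliance chain's consensus, not from a CA.
type Cert struct {
	ServerType          string    // A11, e.g. "primary"
	Feature             string    // A12, e.g. "signature"
	ID                  string    // A13, hierarchical name (A132) or range label
	RangeLo, RangeHi    string    // A131 only: managed calling-number range
	PublicKey           []byte    // A14, ECC public key
	NotBefore, NotAfter time.Time // A15, validity period
	Reserved            []byte    // A16
	Valid               bool      // A17, valid or invalid state
}

// Query is the certificate inquiry message: a calling number or a server name.
type Query struct {
	CallingNumber string
	ServerName    string
}

var (
	ErrNotFound = errors.New("certificate does not exist")   // B11
	ErrInvalid  = errors.New("certificate state is invalid") // B12
	ErrExpired  = errors.New("certificate has expired")      // B13
)

// Ledger stands in for the accounting node's view of the alliance chain.
type Ledger struct{ Certs []Cert }

// inRange compares equal-length digit strings, so "0086139..." numbers order
// correctly without integer parsing; anything else never matches.
func inRange(n, lo, hi string) bool {
	if n == "" || len(n) != len(lo) || len(n) != len(hi) {
		return false
	}
	for _, r := range n {
		if r < '0' || r > '9' {
			return false
		}
	}
	return lo <= n && n <= hi
}

func (l *Ledger) find(q Query) (Cert, bool) {
	for _, c := range l.Certs {
		if q.ServerName != "" { // A132: exact match on the hierarchical name
			if c.ID == q.ServerName {
				return c, true
			}
		} else if inRange(q.CallingNumber, c.RangeLo, c.RangeHi) { // A131
			return c, true
		}
	}
	return Cert{}, false
}

// Lookup applies B11-B14 in order. The page reports any verification time
// outside the validity period, including one before NotBefore, as "expired".
func (l *Ledger) Lookup(q Query, now time.Time) (Cert, error) {
	c, ok := l.find(q)
	switch {
	case !ok:
		return Cert{}, ErrNotFound
	case !c.Valid:
		return Cert{}, ErrInvalid
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return Cert{}, ErrExpired
	}
	return c, nil
}

// SampleLedger returns constructed records; only the number range and the
// Zn.Y1 naming pattern follow the page's examples.
func SampleLedger() *Ledger {
	d := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	return &Ledger{Certs: []Cert{
		{ID: "N", RangeLo: "008613910000000", RangeHi: "008613959999999",
			NotBefore: d(2024), NotAfter: d(2026), Valid: true},
		{ID: "Z1.Y1", NotBefore: d(2024), NotAfter: d(2026), Valid: true},
		{ID: "Z2.Y1", NotBefore: d(2024), NotAfter: d(2026), Valid: false},
		{ID: "Z3.Y1", NotBefore: d(2020), NotAfter: d(2021), Valid: true},
	}}
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, name := range []string{"Z1.Y1", "Z2.Y1", "Z3.Y1", "Z9.Y1"} {
		_, err := SampleLedger().Lookup(Query{ServerName: name}, now)
		fmt.Println(name, "->", err)
	}
}
```

The state check runs before the validity-period check, so a revoked certificate is reported as invalid even after it has also expired.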
In summary, the embodiment of the invention can overcome the defects of the STIR scheme: writing the blockchain certificate of the authentication server into the alliance chain through the consensus mechanism of the alliance chain solves the multi-CA trust problem, and because the authentication server certificates do not use signatures to form a certificate chain, the call delay is reduced.
As shown in fig. 5, the accounting node 50 of the embodiment of the present invention includes:
an acquisition module 51 for acquiring blockchain certificates of at least one authentication server;
a writing module 52, configured to write the blockchain certificate of the at least one authentication server into the federation chain using a consensus mechanism;
wherein the state of the blockchain certificate of the authentication server is a valid state; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
Optionally, the format of the blockchain certificate of the authentication server includes at least one of the following information:
the type of the authentication server, the blockchain certificate characteristic of the authentication server, the authentication server identifier, the public key of the blockchain certificate of the authentication server, the validity period of the blockchain certificate of the authentication server, reserved information, and the state of the blockchain certificate of the authentication server.
Specifically, the setting rule of the authentication server identifier adopts one of the following:
identifying the authentication server by utilizing the range of the telephone number;
identification of the authentication server is performed using a hierarchy of authentication servers.
Optionally, the accounting node further includes the following modules, which operate after the writing module 52 writes the blockchain certificate of the at least one authentication server into the federation chain using a consensus mechanism:
a second receiving module, configured to receive a certificate inquiry message sent by the verification server, where the certificate inquiry message includes: calling number or authentication server name;
a result feedback module, configured to perform a certificate query according to the certificate inquiry message and feed back the query result to the verification server.
Further, the result feedback module is configured to implement one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
It should be noted that, if the accounting node provided in the embodiment of the present invention is an accounting node capable of executing the certificate writing method, all the implementation manners in the embodiment of the certificate writing method are applicable to the accounting node, and the same or similar beneficial effects can be achieved.
The embodiment of the invention also provides an accounting node, which comprises a transceiver and a processor;
the processor is configured to: acquire a blockchain certificate of at least one authentication server;
write the blockchain certificate of the at least one authentication server into an alliance chain by using a consensus mechanism;
wherein the state of the blockchain certificate of the authentication server is a valid state; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
Optionally, the format of the blockchain certificate of the authentication server includes at least one of the following information:
the type of the authentication server, the blockchain certificate characteristic of the authentication server, the authentication server identifier, the public key of the blockchain certificate of the authentication server, the validity period of the blockchain certificate of the authentication server, reserved information, and the state of the blockchain certificate of the authentication server.
Specifically, the setting rule of the authentication server identifier adopts one of the following:
identifying the authentication server by utilizing the range of the telephone number;
identification of the authentication server is performed using a hierarchy of authentication servers.
Optionally, after the processor writes the blockchain certificate of the at least one authentication server into the federation chain using a consensus mechanism, the transceiver is further configured to:
receive a certificate inquiry message sent by a verification server, wherein the certificate inquiry message includes: calling number or authentication server name; the processor is further configured to: perform a certificate query according to the certificate inquiry message and feed back the query result to the verification server.
Further, when performing the certificate query according to the certificate inquiry message and feeding back the query result to the verification server, the processor is specifically configured to implement one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
The embodiment of the invention also provides an accounting node, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor, when executing the program, implements each process in the embodiment of the certificate writing method and can achieve the same technical effect; to avoid repetition, the description is omitted here.
The embodiment of the present invention also provides a computer readable storage medium, on which a computer program is stored, where the program when executed by a processor implements each process in the embodiment of the certificate writing method, and the same technical effects can be achieved, and for avoiding repetition, a detailed description is omitted herein. Wherein the computer readable storage medium is selected from Read-Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic disk or optical disk.
As shown in fig. 6, an embodiment of the present invention further provides a certificate feedback method, applied to an accounting node, including:
step 61, receiving a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and step 62, according to the certificate inquiry message, performing certificate inquiry, and feeding back an inquiry result to the verification server.
Further, the specific implementation of step 62 includes one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
It should be noted that, the specific implementation of the embodiment of the present invention is the same as the implementation process of performing certificate verification by the verification server in the above embodiment, and will not be described herein.
As shown in fig. 7, the accounting node 70 of the embodiment of the present invention includes:
a first receiving module 71, configured to receive a certificate inquiry message sent by a verification server, where the certificate inquiry message includes a calling number or an authentication server name;
and the feedback module 72 is configured to perform a certificate query according to the certificate query message, and feedback a query result to the verification server.
Further, the feedback module 72 specifically implements one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
It should be noted that, if the accounting node provided in the embodiment of the present invention is an accounting node capable of executing the above-mentioned certificate feedback method, all the implementation manners in the above-mentioned certificate feedback method embodiment are applicable to the accounting node, and the same or similar beneficial effects can be achieved.
The embodiment of the invention also provides an accounting node, which comprises a transceiver and a processor;
the transceiver is used for receiving a certificate inquiry message sent by the verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
and the processor is used for performing a certificate query according to the certificate inquiry message and feeding back the query result to the verification server.
Further, when performing the certificate query according to the certificate inquiry message and feeding back the query result to the verification server, the processor is specifically configured to implement one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
The embodiment of the invention also provides an accounting node, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor, when executing the program, implements each process in the certificate feedback method embodiment and can achieve the same technical effect; to avoid repetition, the description is omitted here.
The embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, where the program when executed by a processor implements each process in the above-mentioned certificate feedback method embodiment, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here. Wherein the computer readable storage medium is selected from Read-Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic disk or optical disk.
The embodiment of the invention also provides an identity authentication system, which comprises:
an authentication server for digitally signing a Session Initiation Protocol (SIP) call using its private key corresponding to the public key on the blockchain certificate;
and the verification server is used for acquiring the blockchain certificate of the authentication server from the alliance chain, and verifying the digital signature of the authentication server by using the public key of the blockchain certificate of the authentication server.
It should be noted that the process of the verification server obtaining the blockchain certificate of the authentication server from the federation chain specifically includes: the verification server sends a certificate inquiry message to an accounting node on an alliance chain, wherein the certificate inquiry message comprises a calling number or an authentication server name; and the accounting node performs a certificate query according to the certificate inquiry message and feeds back the query result to the verification server.
Specifically, the specific implementation of the accounting node feeding back the query result to the verification server includes one of the following:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
When the verification server acquires the blockchain certificate of the authentication server on the alliance chain fed back by the accounting node, the digital signature of the authentication server is verified by using a public key corresponding to the blockchain certificate of the authentication server (that is, the blockchain certificate of the authentication server on the alliance chain is used for telephone identity verification), and only after the verification is passed, the verification server sends the SIP invite message of the calling client to the called client.
It should be noted that, in the embodiment of the present invention, the verification server obtains the blockchain certificate of the authentication server from the federation chain, and under the condition of guaranteeing the authenticity of the identity of the calling client, compared with the traditional PKI system, the call delay can be reduced because of no verification process of the certificate chain.
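The signing and verification steps of the identity authentication system described above, as an added example that is not code from the patent. The use of ECDSA over P-256 with SHA-256, the length-prefixed encoding of the signed fields, the SubjectPublicKeyInfo encoding of the public key, and all names and sample values are assumptions; the page only specifies an ECC key pair and that the caller identity and the authentication server name are among the signed fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedFields are the SIP INVITE header values covered by the signature:
// the caller identity and the name of the signing authentication server.
type SignedFields struct {
	CallingNumber string
	ServerName    string
}

var ErrBadSignature = errors.New("signature verification failed")

// digest hashes each field behind a 4-byte length prefix, so shifting a
// character from one field to the other yields a different hash input
// (assumed encoding; the page does not define one).
func digest(f SignedFields) []byte {
	h := sha256.New()
	for _, s := range []string{f.CallingNumber, f.ServerName} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		h.Write(n[:])
		h.Write([]byte(s))
	}
	return h.Sum(nil)
}

// NewServerKey is run by the certificate applicant: the private key stays
// with the authentication server, the encoded public key goes into field A14.
func NewServerKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, pub, err
}

// Sign is the authentication server's step.
func Sign(priv *ecdsa.PrivateKey, f SignedFields) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(f))
}

// Verify is the verification server's step. chainKey is the A14 value read
// from the alliance chain; no certificate chain is walked. The INVITE is
// forwarded to the called client only when the result is nil.
func Verify(chainKey []byte, f SignedFields, sig []byte) error {
	k, err := x509.ParsePKIXPublicKey(chainKey)
	if err != nil {
		return err
	}
	pub, ok := k.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate key is not an ECDSA key")
	}
	if !ecdsa.VerifyASN1(pub, digest(f), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	priv, chainKey, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	f := SignedFields{CallingNumber: "008613912345678", ServerName: "Z1.Y1"} // constructed
	sig, err := Sign(priv, f)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine INVITE:", Verify(chainKey, f, sig))
	f.CallingNumber = "008613900000000" // caller identity altered in transit
	fmt.Println("altered caller:", Verify(chainKey, f, sig))
}
```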
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage and optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block or blocks.
These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and changes can be made without departing from the principles of the present invention, and such modifications and changes are intended to be within the scope of the present invention.

Claims (8)

1. A certificate feedback method applied to an accounting node, comprising:
receiving a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
according to the certificate inquiry message, performing a certificate query on an alliance chain, and feeding back a query result to the verification server, so that the verification server verifies the digital signature of the authentication server by using the public key of the blockchain certificate of the authentication server under the condition that the query result comprises the blockchain certificate of the authentication server;
wherein the blockchain certificate of at least one authentication server, written on the basis of a consensus mechanism, exists on the alliance chain; the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
2. The certificate feedback method according to claim 1, wherein the performing a certificate query according to the certificate query message and feeding back a query result to the verification server includes one of:
if no blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, returning error information that the certificate does not exist to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found and its state is invalid, returning error information that the certificate state is invalid to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is not within the validity period of the blockchain certificate, returning error information that the certificate has expired to the verification server;
if the blockchain certificate of the authentication server corresponding to the calling number or the authentication server name in the certificate inquiry message is found, its state is valid, and the certificate verification time is within the validity period of the blockchain certificate, returning the blockchain certificate of the authentication server to the verification server.
3. The certificate writing method according to claim 1, wherein the format of the blockchain certificate of the authentication server includes at least one of the following information:
the type of the authentication server, the blockchain certificate feature of the authentication server, the authentication server identifier, the public key of the blockchain certificate of the authentication server, the validity period of the blockchain certificate of the authentication server, reserved information, and the state of the blockchain certificate of the authentication server.
4. The certificate writing method according to claim 1, wherein the setting rule of the authentication server identifier adopts one of:
identifying the authentication server by using the range of telephone numbers;
identifying the authentication server by using the hierarchy of authentication servers.
5. An accounting node, comprising:
a first receiving module, configured to receive a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
a feedback module, configured to perform a certificate query on an alliance chain according to the certificate inquiry message and feed back a query result to the verification server, so that the verification server verifies the digital signature of the authentication server by using the public key of the blockchain certificate of the authentication server in the case that the query result comprises the blockchain certificate of the authentication server;
wherein at least one blockchain certificate of an authentication server, written based on a consensus mechanism, exists on the alliance chain; and the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
6. An accounting node, comprising a transceiver and a processor;
the transceiver is configured to receive a certificate inquiry message sent by a verification server, wherein the certificate inquiry message comprises a calling number or an authentication server name;
the processor is configured to perform a certificate query on an alliance chain according to the certificate inquiry message and feed back a query result to the verification server, so that the verification server verifies the digital signature of the authentication server by using the public key of the blockchain certificate of the authentication server in the case that the query result comprises the blockchain certificate of the authentication server;
wherein at least one blockchain certificate of an authentication server, written based on a consensus mechanism, exists on the alliance chain; and the blockchain certificates of the authentication server do not use signatures to form a certificate chain.
7. An accounting node, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the certificate feedback method of any one of claims 1-4 when executing the program.
8. A computer readable storage medium, on which a computer program is stored, which program, when being executed by a processor, implements the steps of the certificate feedback method as claimed in any one of claims 1-4.
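The query handling that claims 2 to 4 describe for the accounting node can be sketched as follows. This is an added example, not code from the patent: the field names, the error codes, the list-based ledger in which later entries supersede earlier ones, and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Field names, error codes and the list-based ledger are assumptions of this example.
@dataclass(frozen=True)
class BlockchainCert:
    server_id: str        # authentication server identifier (name)
    number_range: tuple   # (first, last) calling numbers served, as in claim 4
    public_key: bytes     # key the verification server uses to check signatures
    not_before: datetime
    not_after: datetime
    state: str            # "valid" or "invalid"

def find_cert(ledger, calling_number=None, server_name=None):
    for cert in reversed(ledger):   # assumed: later entries supersede earlier ones
        if server_name is not None and cert.server_id == server_name:
            return cert
        if calling_number is not None:
            first, last = cert.number_range
            if len(calling_number) == len(first) and first <= calling_number <= last:
                return cert
    return None

def query_certificate(ledger, verification_time, calling_number=None, server_name=None):
    """Return (error, cert): exactly one of the four outcomes listed in claim 2."""
    if calling_number is None and server_name is None:
        raise ValueError("query needs a calling number or a server name")
    cert = find_cert(ledger, calling_number, server_name)
    if cert is None:
        return ("CERT_NOT_FOUND", None)
    if cert.state != "valid":       # state is checked before the validity period
        return ("CERT_STATE_INVALID", None)
    if not (cert.not_before <= verification_time <= cert.not_after):
        return ("CERT_EXPIRED", None)
    return (None, cert)

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample ledger: one current entry, one revoked entry, one lapsed entry.
LEDGER = [
    BlockchainCert("as-east", ("13800000000", "13899999999"), b"pk-east", utc(2020, 1, 1), utc(2030, 1, 1), "valid"),
    BlockchainCert("as-west", ("13900000000", "13999999999"), b"pk-west", utc(2020, 1, 1), utc(2030, 1, 1), "invalid"),
    BlockchainCert("as-old", ("13700000000", "13799999999"), b"pk-old", utc(2018, 1, 1), utc(2019, 1, 1), "valid"),
]
```

Only the last outcome hands a public key to the verification server, so a certificate that is missing, marked invalid, or outside its validity period can never be used to accept a signature.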

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010514097.3A CN113839905B (en) 2020-06-08 2020-06-08 Certificate writing and certificate feedback method, accounting node and identity authentication system

Publications (2)

Publication Number Publication Date
CN113839905A CN113839905A (en) 2021-12-24
CN113839905B true CN113839905B (en) 2023-05-09

Family

ID=78963710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010514097.3A Active CN113839905B (en) 2020-06-08 2020-06-08 Certificate writing and certificate feedback method, accounting node and identity authentication system

Country Status (1)

Country Link
CN (1) CN113839905B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117156440B (en) * 2023-10-27 2024-01-30 中电科网络安全科技股份有限公司 Certificate authentication method, system, storage medium and electronic equipment
CN117978549B (en) * 2024-03-29 2024-06-07 北京力码科技有限公司 Electronic information authentication method and system for finance

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110061851A (en) * 2019-04-28 2019-07-26 广州大学 A kind of across trust domain authentication method and system of decentralization

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110990408B (en) * 2019-12-02 2023-09-19 中国银行股份有限公司 Business information collaboration method based on block chain, business system and alliance chain

Also Published As

Publication number Publication date
CN113839905A (en) 2021-12-24

Similar Documents

Publication Publication Date Title
EP2449744B1 (en) Restriction of communication in voip address discovery system
KR100932834B1 (en) SPI message processing method
US8135022B2 (en) Detection of SPIT on VoIP calls
US7676546B2 (en) Control and management of electronic messaging
US8756289B1 (en) Message authentication using signatures
JP5378502B2 (en) Method and system for verifying identity of communication partner
US7917757B2 (en) Method and system for authentication of electronic communications
US7904517B2 (en) Challenge response systems
US11722595B2 (en) Systems and methods for processing calls
Song et al. iVisher: Real‐time detection of caller ID spoofing
CN113839905B (en) Certificate writing and certificate feedback method, accounting node and identity authentication system
Peterson et al. Secure telephone identity problem statement and requirements
Marias et al. SIP vulnerabilities and anti-SPIT mechanisms assessment
US20090025062A1 (en) Verifying authenticity of conference call invitees
Du et al. {UCBlocker}: Unwanted call blocking using anonymous authentication
Bremler-Barr et al. Unregister attacks in SIP
Yu An analysis of applying stir/shaken to prevent robocalls
Chow et al. Authenticating displayed names in telephony
US20230120695A1 (en) Conveyance of stir/shaken attestation levels using carrier code
CN114630000A (en) Authentication information management and identity verification method, device and storage medium
Tschofenig Network Working Group J. Peterson Internet-Draft NeuStar, Inc. Intended status: Informational H. Schulzrinne Expires: April 07, 2014 Columbia University
Tas et al. Blockchain-Based Caller-ID Authentication (BBCA): A Novel Solution to Prevent Spoofing Attacks in VoIP/SIP Networks
Falk et al. Protecting Voice over IP Communication Using Electronic Identity Cards
Koushik et al. DETECTION OF E-MAIL SENDERS WITH SMTP EXTENSION
Palmieri Improving authentication in voice over IP infrastructures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231204

Address after: 32 Xuanwumen West Street, Xicheng District, Beijing 100053

Patentee after: CHINA MOBILE COMMUNICATION LTD., Research Institute

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Patentee after: China Mobile Zijin (Jiangsu) Innovation Research Institute Co.,Ltd.

Address before: 32 Xuanwumen West Street, Xicheng District, Beijing 100053

Patentee before: CHINA MOBILE COMMUNICATION LTD., Research Institute

Patentee before: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.
