CN113901432A - Block chain identity authentication method, equipment, storage medium and computer program product - Google Patents

Info

Publication number: CN113901432A
Authority: CN (China)
Prior art keywords: node, digital certificate, block chain, user, blockchain
Legal status: Pending
Application number: CN202111166889.7A
Other languages: Chinese (zh)
Inventors: 朱佩江, 郭立华, 杨金宝
Current assignee: Letter Interlink Beijing Technology Co ltd
Original assignee: Letter Interlink Beijing Technology Co ltd

Classifications

    • G06F 21/44 Program or device authentication (under G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F 16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor (under G06F 16/20 Information retrieval; database structures therefor; file system structures therefor, of structured data, e.g. relational data; G06F 16/00)
    • G06F 21/602 Providing cryptographic facilities or services (under G06F 21/60 Protecting data)
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F 21/62; G06F 21/60 Protecting data)
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F 21/60 Protecting data)
All of the above fall under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING.

Abstract

Embodiments of the invention provide a method, a device, a storage medium and a computer program product for blockchain identity authentication. An authentication server receives a call request for a target smart contract sent by any node in the blockchain network, the call request containing the blockchain address of the node; through the target smart contract it obtains a digital certificate associated in advance with the blockchain address of the node, authenticates the identity of the node's user according to the digital certificate, and verifies the user's permissions according to a preset permission policy; and if both identity authentication and permission verification pass, it authorizes the node to call the target smart contract of the blockchain according to the contract call request. By combining the authentication server with the smart contract, identity authentication and permission verification are performed on blockchain network node users on the basis of digital certificates and a preset permission policy, so that the identity and permissions of each node in the blockchain are effectively supervised and controlled, the supervisability of the blockchain is improved, and the legitimacy and security of data in the blockchain are ensured.

Description

Block chain identity authentication method, equipment, storage medium and computer program product
Technical Field
Embodiments of the present invention relate to the field of communications technologies, and in particular, to a method, an apparatus, a storage medium, and a computer program product for authenticating a blockchain identity.
Background
A blockchain is a novel application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. In a blockchain system, data blocks are linked sequentially in time order into a chain data structure, yielding a distributed ledger that is cryptographically guaranteed to be tamper-resistant and unforgeable. From its inception to the present, the blockchain has built a secure and trustworthy storage and transaction network by means of well-designed protocols and architecture.
However, a blockchain is usually unsupervised: information is merely stored through a data storage mechanism, and the blockchain's authentication mechanism only authenticates that information and has no function for verifying identity, permissions and the like. When blockchain technology is applied in organizations and enterprises, an effective mechanism for user identity authentication and permission management and control is therefore lacking, so that organizations and enterprises cannot effectively supervise and control the identity and permissions of each node in the blockchain.
Disclosure of Invention
Embodiments of the present invention provide a method, a device, a storage medium and a computer program product for blockchain identity authentication, so that identity authentication and permission control can be performed effectively while the blockchain is in use.
A first aspect of an embodiment of the present invention provides a blockchain identity authentication method, applied to an authentication server included in a blockchain network, the method comprising:
receiving a call request for a target smart contract sent by any node in the blockchain network, the call request containing the blockchain address of the node;
obtaining, through the target smart contract, a digital certificate associated in advance with the blockchain address of the node, authenticating the identity of the node's user according to the digital certificate, and verifying the user's permissions according to a preset permission policy;
and if the identity authentication and the permission verification pass, authorizing the node to call the target smart contract of the blockchain according to the contract call request.
Optionally, the call request further includes the identifier of a target digital certificate specified by the user of the node, where the target digital certificate is any one of at least one digital certificate associated with the blockchain address of the node;
and obtaining, through the target smart contract, a digital certificate associated in advance with the blockchain address of the node comprises:
obtaining, through the target smart contract and according to the identifier of the target digital certificate, the target digital certificate associated in advance with the blockchain address of the node.
Optionally, before receiving the call request for the target smart contract sent by any node in the blockchain network, the method further comprises:
receiving a digital certificate signing request sent by the node, the digital certificate signing request containing the user's basic information and the public key information of the node;
after the user's basic information and the public key information of the node have been verified, signing with the private key of the authentication server to generate a digital certificate, and sending the digital certificate to the node;
and obtaining the blockchain address of the node and associating the digital certificate with the blockchain address of the node.
Optionally, associating the digital certificate with the blockchain address of the node comprises:
obtaining the identifier of the digital certificate and associating the identifier of the digital certificate with the blockchain address of the node.
Optionally, the method further comprises:
receiving, through an authorization interface, permission policy description information on user target attributes sent by an administrator terminal;
and generating the preset permission policy according to the permission policy description information and storing the preset permission policy.
Optionally, the method further comprises:
receiving a digital certificate revocation request sent by the node, the digital certificate revocation request containing the blockchain address of the node and the identifier of the digital certificate to be revoked;
after authenticating the identity of the node's user, generating a revocation list according to the digital certificate revocation request;
and revoking the digital certificate to be revoked in the blockchain according to the revocation list.
A second aspect of an embodiment of the present invention provides an authentication server, comprising:
a receiving unit, configured to receive a call request for a target smart contract sent by any node in the blockchain network, the call request containing the blockchain address of the node;
an authentication unit, configured to obtain, through the target smart contract, a digital certificate associated in advance with the blockchain address of the node, authenticate the identity of the node's user according to the digital certificate, and verify the user's permissions according to a preset permission policy;
and an authorization unit, configured to authorize the node to call the target smart contract of the blockchain according to the contract call request if the identity authentication and the permission verification pass.
Optionally, the call request further includes the identifier of a target digital certificate specified by the user of the node, where the target digital certificate is any one of at least one digital certificate associated with the blockchain address of the node;
and the authentication unit, when obtaining through the target smart contract a digital certificate associated in advance with the blockchain address of the node, is configured to:
obtain, through the target smart contract and according to the identifier of the target digital certificate, the target digital certificate associated in advance with the blockchain address of the node.
Optionally, before the call request for the target smart contract sent by any node in the blockchain network is received, the authentication unit is further configured to:
receive a digital certificate signing request sent by the node, the digital certificate signing request containing the user's basic information and the public key information of the node;
after the user's basic information and the public key information of the node have been verified, sign with the private key of the authentication server to generate a digital certificate, and send the digital certificate to the node;
and obtain the blockchain address of the node and associate the digital certificate with the blockchain address of the node.
Optionally, when associating the digital certificate with the blockchain address of the node, the authentication unit is configured to:
obtain the identifier of the digital certificate and associate the identifier of the digital certificate with the blockchain address of the node.
Optionally, the authentication unit is further configured to:
receive, through an authorization interface, permission policy description information on user target attributes sent by an administrator terminal;
and generate the preset permission policy according to the permission policy description information and store the preset permission policy.
Optionally, the authentication unit is further configured to:
receive a digital certificate revocation request sent by the node, the digital certificate revocation request containing the blockchain address of the node and the identifier of the digital certificate to be revoked;
after authenticating the identity of the node's user, generate a revocation list according to the digital certificate revocation request;
and revoke the digital certificate to be revoked in the blockchain according to the revocation list.
A third aspect of the embodiments of the present invention provides an authentication server, comprising: at least one processor; and a memory;
the memory stores computer-executable instructions;
and executing the computer-executable instructions stored in the memory causes the at least one processor to perform the method of the first aspect.
A fourth aspect of the embodiments of the present invention provides a blockchain network comprising an authentication server according to the third aspect.
A fifth aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the first aspect.
A sixth aspect of the embodiments of the present invention provides a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect.
With the blockchain identity authentication method, device, storage medium and computer program product provided by the embodiment of the invention, an authentication server receives a call request for a target smart contract sent by any node in the blockchain network, the call request containing the blockchain address of the node; obtains, through the target smart contract, a digital certificate associated in advance with the blockchain address of the node, authenticates the identity of the node's user according to the digital certificate, and verifies the user's permissions according to a preset permission policy; and if the identity authentication and the permission verification pass, authorizes the node to call the target smart contract of the blockchain according to the contract call request. In the embodiment of the invention, identity authentication and permission verification are performed on blockchain network node users on the basis of digital certificates and a preset permission policy by combining the authentication server with the smart contract, so that the identity and permissions of each node in the blockchain are effectively supervised and controlled, the supervisability of the blockchain is improved, and the legitimacy and security of data in the blockchain are ensured.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings in the following description are obviously only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a blockchain network diagram for a blockchain identity authentication method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a blockchain identity authentication method according to an embodiment of the present invention;
Fig. 3 is a flowchart of a blockchain identity authentication method according to another embodiment of the present invention;
Fig. 4 is a flowchart of a blockchain identity authentication method according to another embodiment of the present invention;
Fig. 5 is a structural diagram of an authentication server according to an embodiment of the present invention;
Fig. 6 is a structural diagram of an authentication server according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention and not all of them. All other embodiments obtained by persons of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the embodiments of the present invention.
An existing blockchain is usually unsupervised: information is merely stored through a data storage mechanism, and the blockchain's authentication mechanism only authenticates that information and has no function for verifying identity, permissions and the like. When blockchain technology is applied in organizations and enterprises, an effective mechanism for user identity authentication and permission management and control is lacking, so that organizations and enterprises cannot effectively supervise and control the identity and permissions of each node in the blockchain.
In view of the above technical problems, in the embodiment of the present invention an authentication server, such as a CA (Certificate Authority) server or an intermediate certificate server, is added to the blockchain network. Any node in the blockchain network may send a digital certificate signing request to the authentication server, the request containing the user's basic information and the public key information of the node; after verifying the user's basic information and the public key information of the node, the authentication server signs with its private key to generate a digital certificate, sends the digital certificate to the node, and associates the digital certificate with the blockchain address of the node. In addition, a preset permission policy, including but not limited to an Attribute-Based Access Control (ABAC) policy, can be configured in advance on the authentication server. When a node needs to call a certain target smart contract in the blockchain, it sends a call request for the target smart contract to the authentication server, the call request containing the blockchain address of the node; the authentication server obtains the digital certificate associated with the blockchain address of the node through the target smart contract, authenticates the user's identity according to the digital certificate, verifies the user's permissions according to the preset permission policy, and, if both identity authentication and permission verification pass, allows the node to call the target smart contract of the blockchain according to the contract call request. Through this process the identity and permissions of each node in the blockchain can be effectively supervised and controlled, the supervisability of the blockchain is improved, and the legitimacy and security of data in the blockchain are ensured.
The blockchain identity authentication method provided by the embodiment of the invention can be applied to the blockchain network shown in Fig. 1. As shown in Fig. 1, the blockchain network may include an authentication server 10 (e.g. a CA server) and the other nodes 11 of the blockchain network. The authentication server may issue a digital certificate to a node in advance, put the digital certificate on the chain associated with the blockchain address of the node, and may also pre-configure a preset permission policy. Then, when any node in the blockchain network needs to call a smart contract, it may send a call request for the target smart contract to the authentication server; the authentication server obtains, through the target smart contract, the digital certificate associated in advance with the blockchain address of the node, authenticates the identity of the node's user according to the digital certificate, and verifies the user's permissions according to the preset permission policy; and if identity authentication and permission verification pass, it authorizes the node to call the target smart contract of the blockchain according to the contract call request. The authentication server may be a single server, a cluster of several servers, or a cloud computing service center.
The blockchain network system of the embodiment of the invention may comprise two parts, on-chain and off-chain. The off-chain part is responsible for user management, such as the authentication server administrator and personal digital identity users; the on-chain part may be responsible for data storage, identity management, contract management, interface management and the like. Interface management specifically comprises an authorization interface, a digital identity operation interface, a personal data transaction interface and a digital identity use interface, all of which can be called by way of contract invocation.
More specifically, interface management is as follows. The authorization interface comprises interfaces for adding, updating, deleting and querying authorizations; the digital identity operation interface comprises a digital certificate uplink (on-chain) interface, a digital certificate revocation interface and a digital certificate query interface; the personal data transaction interface comprises authorize, query, add, delete and update interfaces; and the digital identity use interface can be regarded as the contract invocation interface, in which the identifier of the digital certificate (cert) is filled in when the contract is invoked.
Contract management is as follows. The smart contracts in the embodiment of the invention comprise two system contracts: an authorization system contract and a digital identity operation system contract. The purpose of the authorization system contract is to add a permission policy for a user on the blockchain. The permission policy can be designed on the basis of attributes, such as transfer (if transfer is prohibited, this is equivalent to completely prohibiting the user from initiating transactions), contract installation, contract deployment, contract stop, contract invocation query, evidence storage (DataPayload) and account state information (accounts state), and different attributes can be given different control granularities. The digital identity operation system contract is responsible for binding blockchain addresses to digital certificates and for revoking users' digital certificates; it is also responsible for putting the certificate revocation list (CRL) on the chain.
Identity management specifically comprises an authorization module, an uplink module, a revocation module and an authentication module. The authorization module converts the user description language into the corresponding permission policy: the user describes, through the UI of the permission management system, the permissions to be granted to a certain class of users and calls the authorization system contract to send an authorization request; after the caller passes identity verification, the authorization module turns the permission description into a permission policy. The uplink module binds blockchain addresses to digital certificates. The revocation module stores the digital certificate revocation list on the blockchain. The authentication module verifies, according to the permission policy, whether a user has the permission to perform the corresponding operation whenever the user initiates an authorization, uplink or revocation operation.
The data store may specifically include the management permission list, digital certificate files, the digital certificate revocation list, PDC data, and all the transaction data corresponding to the generation of these data.
In the embodiment of the invention, the permissions of nodes and of user blockchain addresses can be controlled on the basis of certificates. A user without a digital certificate is regarded as an anonymous user, and a node without a digital certificate as an anonymous node. One address may hold multiple certificates; when initiating a transaction the user may specify which certificate to use, and if none is specified the first certificate is used. The description of the user's permissions is implemented by means of the authorization system contract.
The blockchain identity authentication process is described in detail below with reference to specific embodiments.
Fig. 2 is a flowchart of a blockchain identity authentication method according to an embodiment of the present invention. This embodiment provides a blockchain identity authentication method whose execution subject is an authentication server included in the blockchain network (it may of course also be another device in the blockchain network); the method specifically comprises the following steps:
S201: receiving a call request for a target smart contract sent by any node in the blockchain network, the call request containing the blockchain address of the node.
In this embodiment at least one smart contract is configured in the blockchain. When any node in the blockchain network needs to invoke a smart contract, it may send a call request for the target smart contract to the authentication server, or the authentication server may intercept the node's call request for the target smart contract, so as to carry out the subsequent identity authentication flow. The call request may carry the blockchain address of the node, or the authentication server may obtain the blockchain address of the node from the call request. The call request may of course also include other information, which is not limited here.
Optionally, in this embodiment one blockchain address may correspond to at least one digital certificate, for example to two or more, so that when a node sends a call request the user may specify which digital certificate to use; that is, the call request further includes the identifier of a target digital certificate specified by the user of the node, where the target digital certificate is any one of the at least one digital certificate associated with the blockchain address of the node. Accordingly, when obtaining through the target smart contract the digital certificate associated in advance with the blockchain address of the node, the target digital certificate can be obtained through the target smart contract according to the identifier of the target digital certificate.
S202: obtaining, through the target smart contract, a digital certificate associated in advance with the blockchain address of the node, authenticating the identity of the node's user according to the digital certificate, and verifying the user's permissions according to a preset permission policy.
In this embodiment the authentication server may associate a node's digital certificate with the node's blockchain address in advance, and may also configure each node's preset permission policy in advance. The preset permission policy includes, but is not limited to, an ABAC (Attribute-Based Access Control) policy, and may also be DAC (Discretionary Access Control), MAC (Mandatory Access Control) or RBAC (Role-Based Access Control). Then, after receiving a call request for the target smart contract sent by the node, the server obtains through the target smart contract the digital certificate associated in advance with the blockchain address of the node, authenticates the identity of the node's user according to the digital certificate, and verifies the user's permissions according to the preset permission policy.
More specifically, as shown in fig. 3, before receiving a call request for a target intelligent contract sent by any node in the blockchain network, the following steps may be included:
s301, receiving a digital certificate signature request sent by the node, wherein the digital signature request comprises user basic information and public key information of the node;
s302, after the basic information of the user and the public key information of the node are verified, a private key of an authentication server is adopted for signature to generate a digital certificate, and the digital certificate is sent to the node;
s303, obtaining the block chain address of the node, and associating the digital certificate with the block chain address of the node.
In this embodiment, the node may generate a digital Certificate Signing Request (CSR) first, where the digital Certificate Signing Request includes basic user information and public key information of the node, and the digital Certificate Signing Request may be generated by using an existing method, for example, by using a CSR online generation tool, or by using another method, which is not limited herein.
After the node obtains the digital certificate signing request, the digital certificate signing request can be sent to an authentication server, the authentication server verifies the basic user information and the public key information of the node and signs by using a private key of the authentication server, wherein the specific signing process can be realized by encrypting a hash value of the content of the digital certificate by using the private key of the authentication server to generate the digital certificate and sending the digital certificate to the node, so that the issuing process of the digital certificate is completed; in addition, the authentication server may further obtain a blockchain address of the node, where the blockchain address of the node may be carried in the digital certificate signature request, or the authentication server obtains the blockchain address of the node through other manners, which is not limited herein, and further, the authentication server associates the digital certificate with the blockchain address of the node, so that the digital certificate of the corresponding node may be queried after the blockchain address of the node is subsequently obtained, so as to perform identity authentication on the user of the node according to the digital certificate.
Optionally, when associating the digital certificate with the blockchain address of the node, an identifier (certid) of the digital certificate may be obtained and associated with the blockchain address of the node. The association may also be performed by the user of the node; for example, with the P256 elliptic-curve signature algorithm, the user may initiate the request to put the certificate on the chain himself.
In addition, the authentication server can also receive authority policy description information on the user target attribute, which is sent by the administrator terminal, through the authorization interface; and generating the preset authority strategy according to the authority strategy description information, and storing the preset authority strategy.
In this embodiment, the administrator terminal may or may not be a node in the blockchain network. The administrator terminal sends authority policy description information on the user target attribute, for example an authority policy description statement on the user target attribute, to the authentication server through the authorization interface of the authentication server; the authentication server converts the description information into a preset authority policy and stores it, so that authority verification of users can subsequently be performed according to the preset authority policy.
The authority management in this embodiment generally means that a user can access, and only access, authorized resources according to the security rules or security policies set by the system. From the viewpoint of control granularity, authority management can be divided into function-level and data-level authority management; from the viewpoint of control direction, it can be divided into the authority to acquire data from the system (for example, querying orders or querying customer data) and the authority to submit data to the system (for example, deleting orders or modifying customer data).
Further, in this embodiment, for the attribute-based permission verification policy, the authorization decision may be made by dynamically determining whether one attribute or a group of attributes satisfies a certain condition, where the attributes may include but are not limited to: user attributes (e.g., user age), environment attributes (e.g., current time), operation attributes (e.g., read), and object attributes, also known as resource attributes (e.g., an article).
And S203, if the identity authentication and the authority verification pass, authorizing the node to call the target intelligent contract of the block chain according to the contract calling request.
In this embodiment, if both the identity authentication and the permission verification pass, the node may be allowed to invoke the target intelligent contract of the blockchain.
In the method for authenticating a blockchain identity provided by this embodiment, a call request for a target intelligent contract sent by any node in a blockchain network is received through an authentication server, where the call request includes a blockchain address of the node; acquiring a digital certificate which is associated with the block chain address of the node in advance through the target intelligent contract, performing identity authentication on a user of the node according to the digital certificate, and performing authority verification on the user according to a preset authority strategy; and if the identity authentication and the authority verification pass, authorizing the node to call the target intelligent contract of the block chain according to the contract calling request. In the embodiment, by combining the authentication server and the intelligent contract and based on the digital certificate and the preset authority policy, identity authentication and authority authentication are performed on the network node users of the block chain, so that the identity and authority of each node in the block chain are effectively supervised and controlled, the supervision capability of the block chain is improved, and the legality and safety of data in the block chain are ensured.
On the basis of the foregoing embodiment, as shown in fig. 4, the block chain identity authentication method may further implement revoking of a digital certificate, and the specific process may include:
S401, receiving a revoke digital certificate request sent by the node, wherein the revoke digital certificate request comprises the blockchain address of the node and an identifier of the digital certificate to be revoked;
S402, after the identity of the user of the node is authenticated, generating a revocation list according to the revoke digital certificate request;
S403, revoking the digital certificate to be revoked in the blockchain according to the revocation list.
In this embodiment, when a node needs to revoke a digital certificate, it may send a revoke digital certificate request to the authentication server. The request may include, but is not limited to, the blockchain address of the node and the identifier of the digital certificate to be revoked. If only one digital certificate is bound to the blockchain address of the node, the request need not include the identifier, and the authentication server can determine the digital certificate to be revoked from the blockchain address alone; if a plurality of digital certificates are bound to the blockchain address of the node, the user must specify which digital certificate is to be revoked, and the request includes the identifier of that digital certificate.
Further, after receiving the revoke digital certificate request, the authentication server may perform identity authentication on the user, and may also perform authority verification. After the verification passes, it generates a revocation list according to the request, revokes the digital certificate to be revoked in the blockchain according to the revocation list, and may further unbind the digital certificate from the blockchain address of the node.
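The following Go program is an added illustration of the flow described in steps S301 to S303 (issuance and association), S201 to S203 (authentication and permission verification) and S401 to S403 (revocation); it is not code from the patent or its applicant. The authentication server issues an ECDSA P-256 certificate by signing a hash of the certificate content, binds it to the node's blockchain address, resolves a later call request by address (or by certid when several certificates are bound, as in claim 2), checks an attribute-based policy, and keeps a revocation list. All names are assumptions, the on-chain association is replaced by an in-memory registry, and the request signing format (Action|Op|Nonce signed by the node key) is assumed here because the page does not fix one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate: certid, CSR user info and node public key, plus the server's signature.
type Certificate struct {
	ID, UserInfo string
	PubKey       *ecdsa.PublicKey
	Sig          []byte
}
// contentHash is what the server signs: SHA-256 over certid, user info and public key.
func (c *Certificate) contentHash() []byte {
	h := sha256.Sum256([]byte(c.ID + "|" + c.UserInfo + "|" + c.PubKey.X.String() + "|" + c.PubKey.Y.String()))
	return h[:]
}

// Request: contract call (Action = target contract, Op = operation attribute) or revoke
// request; Sig is the node's ECDSA signature over digest(), a format this example assumes.
type Request struct {
	Addr, CertID, Action, Op string
	Nonce, Sig               []byte
}
func (r Request) digest() []byte {
	h := sha256.Sum256(append([]byte(r.Action+"|"+r.Op+"|"), r.Nonce...))
	return h[:]
}

// AuthServer: CA key, certificates bound per blockchain address, revocation list, and the
// preset attribute-based policies keyed by target contract (user attribute, operation).
type AuthServer struct {
	key      *ecdsa.PrivateKey
	byAddr   map[string][]*Certificate
	revoked  map[string]bool
	issued   int
	Policies map[string]func(user, op string) bool
}
func NewAuthServer() *AuthServer {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &AuthServer{k, map[string][]*Certificate{}, map[string]bool{}, 0, map[string]func(string, string) bool{}}
}

// Issue is S301-S303: check the CSR fields, sign with the server's private key and bind
// the certificate to the node's blockchain address (carried in the CSR in this example).
func (s *AuthServer) Issue(userInfo string, pub *ecdsa.PublicKey, addr string) (*Certificate, error) {
	if userInfo == "" || pub == nil || addr == "" {
		return nil, fmt.Errorf("csr verification failed")
	}
	s.issued++
	c := &Certificate{ID: fmt.Sprint("cert-", s.issued), UserInfo: userInfo, PubKey: pub}
	c.Sig, _ = ecdsa.SignASN1(rand.Reader, s.key, c.contentHash()) // fails only if rand.Reader does
	s.byAddr[addr] = append(s.byAddr[addr], c)
	return c, nil
}

// authenticate: pick the cert bound to the address (the only one, or the one named by certid),
// reject revoked or mis-signed certificates, then check the node's request signature.
func (s *AuthServer) authenticate(r Request) (*Certificate, error) {
	var c *Certificate
	for _, x := range s.byAddr[r.Addr] {
		if x.ID == r.CertID || (r.CertID == "" && len(s.byAddr[r.Addr]) == 1) {
			c = x
		}
	}
	if c == nil || s.revoked[c.ID] || !ecdsa.VerifyASN1(&s.key.PublicKey, c.contentHash(), c.Sig) {
		return nil, fmt.Errorf("no valid certificate bound to address (certid required?)")
	}
	if !ecdsa.VerifyASN1(c.PubKey, r.digest(), r.Sig) {
		return nil, fmt.Errorf("identity authentication failed")
	}
	return c, nil
}

// Authorize is S202-S203: identity authentication, then the policy check; the user
// attribute comes from the server-issued certificate, never from the caller.
func (s *AuthServer) Authorize(r Request) error {
	c, err := s.authenticate(r)
	if p, ok := s.Policies[r.Action]; err == nil && (!ok || !p(c.UserInfo, r.Op)) {
		err = fmt.Errorf("permission verification failed")
	}
	return err
}
// Revoke is S401-S403: authenticate, then list the certid as revoked (authenticate checks it).
func (s *AuthServer) Revoke(r Request) error {
	c, err := s.authenticate(r)
	if err == nil {
		s.revoked[c.ID] = true
	}
	return err
}
// SignRequest is the node side: fresh nonce, then ECDSA signature with the node's key.
func SignRequest(k *ecdsa.PrivateKey, r *Request) {
	r.Nonce = make([]byte, 16)
	rand.Read(r.Nonce)
	r.Sig, _ = ecdsa.SignASN1(rand.Reader, k, r.digest())
}
```

Two design choices worth noting: the user attribute fed to the policy is read from the certificate the server itself issued, so a caller cannot assert a more privileged identity in the request, and the operation attribute is covered by the node's signature, so a request cannot be re-submitted with a different operation. Environment attributes (such as the current time mentioned on the page) would be supplied by the server at evaluation time in the same way.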
Fig. 5 is a structural diagram of an authentication server according to an embodiment of the present invention. The authentication server 500 provided in this embodiment can execute the processing procedure provided in the embodiment of the blockchain identity authentication method, as shown in fig. 5, and includes a receiving unit 501, an authentication unit 502, and an authorization unit 503.
The receiving unit 501 is configured to receive a call request for a target intelligent contract, which is sent by any node in a blockchain network, where the call request includes a blockchain address of the node;
an authentication unit 502, configured to obtain, through the target intelligent contract, a digital certificate that is pre-associated with the blockchain address of the node, perform identity authentication on the user of the node according to the digital certificate, and perform permission verification on the user according to a preset permission policy;
And an authorizing unit 503, configured to authorize the node to invoke the target intelligent contract of the block chain according to the contract invoking request if the identity authentication and the permission verification pass.
On the basis of any of the above embodiments, the invocation request further includes an identification of a target digital certificate specified by a user of the node; wherein the target digital certificate is any one of at least one digital certificate associated with the blockchain address of the node;
the authentication unit 502, when acquiring the digital certificate associated with the blockchain address of the node in advance through the target intelligent contract, includes:
and acquiring a target digital certificate which is associated with the blockchain address of the node in advance according to the identification of the target digital certificate through the target intelligent contract.
On the basis of any of the foregoing embodiments, before receiving a call request for a target intelligent contract sent by any node in the blockchain network, the authentication unit 502 is further configured to:
receiving a digital certificate signature request sent by the node, wherein the digital certificate signature request comprises user basic information and public key information of the node;
after the basic user information and the public key information of the node are verified, a private key of an authentication server is adopted for signature to generate a digital certificate, and the digital certificate is sent to the node;
and acquiring the blockchain address of the node, and associating the digital certificate with the blockchain address of the node.
On the basis of any of the above embodiments, when associating the digital certificate with the blockchain address of the node, the authentication unit 502 is configured to:
and acquiring the identifier of the digital certificate, and associating the identifier of the digital certificate with the blockchain address of the node.
On the basis of any of the above embodiments, the authentication unit 502 is further configured to:
receiving authority policy description information on user target attributes sent by a manager terminal through an authorization interface;
and generating the preset authority strategy according to the authority strategy description information, and storing the preset authority strategy.
On the basis of any of the above embodiments, the authentication unit 502 is further configured to:
receiving a revoke digital certificate request sent by the node, wherein the revoke digital certificate request comprises the blockchain address of the node and an identifier of the digital certificate to be revoked;
after the identity authentication is carried out on the user of the node, generating a revocation list according to the revoke digital certificate request;
and revoking the digital certificate to be revoked in the blockchain according to the revocation list.
The authentication server provided in the embodiments of the present invention may be specifically configured to execute the embodiments of the block chain identity authentication method provided in fig. 2 to 4, and specific functions are not described herein again.
The authentication server side provided by the embodiment of the invention receives a call request for a target intelligent contract, which is sent by any node in a block chain network, through the authentication server side, wherein the call request comprises a block chain address of the node; acquiring a digital certificate which is associated with the block chain address of the node in advance through the target intelligent contract, performing identity authentication on a user of the node according to the digital certificate, and performing authority verification on the user according to a preset authority strategy; and if the identity authentication and the authority verification pass, authorizing the node to call the target intelligent contract of the block chain according to the contract calling request. In the embodiment, by combining the authentication server and the intelligent contract and based on the digital certificate and the preset authority policy, identity authentication and authority authentication are performed on the network node users of the block chain, so that the identity and authority of each node in the block chain are effectively supervised and controlled, the supervision capability of the block chain is improved, and the legality and safety of data in the block chain are ensured.
Fig. 6 is a schematic structural diagram of an authentication server according to an embodiment of the present invention. The authentication server provided in the embodiment of the present invention may execute the processing procedure provided in the embodiment of the blockchain identity authentication method, as shown in fig. 6, the authentication server 60 includes a memory 61, a processor 62, a computer program, and a communication interface 63; wherein a computer program is stored in the memory 61 and configured to execute the blockchain identity authentication method described in the above embodiments by the processor 62.
The authentication server in the embodiment shown in fig. 6 may be configured to execute the technical solution of the above method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
In addition, the present embodiment also provides a block chain network, which includes an authentication server shown in fig. 6.
In addition, the present embodiment also provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the blockchain identity authentication method described in the above embodiments.
In addition, the present embodiment further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the method for authenticating a blockchain identity according to the foregoing embodiment is implemented.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A method for authenticating a blockchain identity is applied to an authentication server included in a blockchain network, and comprises the following steps:
receiving a calling request for a target intelligent contract sent by any node in a block chain network, wherein the calling request comprises a block chain address of the node;
acquiring a digital certificate which is associated with the block chain address of the node in advance through the target intelligent contract, performing identity authentication on a user of the node according to the digital certificate, and performing authority verification on the user according to a preset authority strategy;
and if the identity authentication and the authority verification pass, authorizing the node to call the target intelligent contract of the block chain according to the contract calling request.
2. The method of claim 1, wherein the invocation request further includes an identification of a target digital certificate specified by a user of the node; wherein the target digital certificate is any one of at least one digital certificate associated with the blockchain address of the node;
the acquiring, by the target intelligent contract, a digital certificate associated in advance with the blockchain address of the node includes:
and acquiring a target digital certificate which is associated with the blockchain address of the node in advance according to the identification of the target digital certificate through the target intelligent contract.
3. The method according to claim 1 or 2, wherein before receiving the call request for the target intelligent contract sent by any node in the blockchain network, the method further comprises:
receiving a digital certificate signature request sent by the node, wherein the digital certificate signature request comprises user basic information and public key information of the node;
after the basic user information and the public key information of the node are verified, a private key of an authentication server is adopted for signature to generate a digital certificate, and the digital certificate is sent to the node;
and acquiring the blockchain address of the node, and associating the digital certificate with the blockchain address of the node.
4. The method of claim 3, wherein associating the digital certificate with the blockchain address of the node comprises:
and acquiring the identifier of the digital certificate, and associating the identifier of the digital certificate with the blockchain address of the node.
5. The method of claim 1 or 2, further comprising:
receiving authority policy description information on user target attributes sent by a manager terminal through an authorization interface;
and generating the preset authority strategy according to the authority strategy description information, and storing the preset authority strategy.
6. The method of claim 1 or 2, further comprising:
receiving a revoke digital certificate request sent by the node, wherein the revoke digital certificate request comprises the blockchain address of the node and an identifier of the digital certificate to be revoked;
after the identity authentication is carried out on the user of the node, generating a revocation list according to the revoke digital certificate request;
and revoking the digital certificate to be revoked in the blockchain according to the revocation list.
7. An authentication server, comprising:
the system comprises a receiving unit, a processing unit and a processing unit, wherein the receiving unit is used for receiving a calling request for a target intelligent contract sent by any node in a block chain network, and the calling request comprises a block chain address of the node;
an authentication unit, configured to obtain, through the target intelligent contract, a digital certificate that is pre-associated with the blockchain address of the node, perform identity authentication on a user of the node according to the digital certificate, and perform permission verification on the user according to a preset permission policy;
And the authorization unit is used for authorizing the node to call the target intelligent contract of the block chain according to the contract calling request if the identity authentication and the authority verification pass.
8. The authentication server of claim 7, wherein the invocation request further includes an identification of a target digital certificate specified by a user of the node; wherein the target digital certificate is any one of at least one digital certificate associated with the blockchain address of the node;
the authentication unit, when acquiring a digital certificate associated with the blockchain address of the node in advance through the target intelligent contract, includes:
and acquiring a target digital certificate which is associated with the blockchain address of the node in advance according to the identification of the target digital certificate through the target intelligent contract.
9. The authentication server according to claim 7 or 8, wherein the authentication unit, before receiving the call request for the target intelligent contract sent by any node in the blockchain network, is further configured to:
receiving a digital certificate signature request sent by the node, wherein the digital certificate signature request comprises user basic information and public key information of the node;
after the basic user information and the public key information of the node are verified, a private key of an authentication server is adopted for signature to generate a digital certificate, and the digital certificate is sent to the node;
and acquiring the blockchain address of the node, and associating the digital certificate with the blockchain address of the node.
10. The authentication server of claim 9, wherein the authentication unit, when associating the digital certificate with the blockchain address of the node, is configured to:
and acquiring the identifier of the digital certificate, and associating the identifier of the digital certificate with the blockchain address of the node.
11. The authentication server according to claim 7 or 8, wherein the authentication unit is further configured to:
receiving authority policy description information on user target attributes sent by a manager terminal through an authorization interface;
and generating the preset authority strategy according to the authority strategy description information, and storing the preset authority strategy.
12. The authentication server according to claim 7 or 8, wherein the authentication unit is further configured to:
receiving a revoke digital certificate request sent by the node, wherein the revoke digital certificate request comprises the blockchain address of the node and an identifier of the digital certificate to be revoked;
after the identity authentication is carried out on the user of the node, generating a revocation list according to the revoke digital certificate request;
and revoking the digital certificate to be revoked in the blockchain according to the revocation list.
13. An authentication server, comprising: at least one processor; and a memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of any one of claims 1-6.
14. A blockchain network comprising an authentication server according to claim 13.
15. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, implement the method of any one of claims 1-6.
16. A computer program product comprising a computer program, characterized in that the computer program realizes the method of any of claims 1-6 when executed by a processor.
CN202111166889.7A 2021-09-30 2021-09-30 Block chain identity authentication method, equipment, storage medium and computer program product Pending CN113901432A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111166889.7A CN113901432A (en) 2021-09-30 2021-09-30 Block chain identity authentication method, equipment, storage medium and computer program product

Publications (1)

Publication Number Publication Date
CN113901432A true CN113901432A (en) 2022-01-07

Family

ID=79190173

Country Status (1)

Country Link
CN (1) CN113901432A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978661A (en) * 2022-05-18 2022-08-30 保利长大工程有限公司 Data processing method and system based on block chain and big data
CN114978661B (en) * 2022-05-18 2023-03-10 保利长大工程有限公司 Data processing method and system based on block chain and big data
CN115396165A (en) * 2022-08-15 2022-11-25 中国联合网络通信集团有限公司 File management method and device, electronic equipment and storage medium
CN115470468A (en) * 2022-11-14 2022-12-13 安徽中科晶格技术有限公司 Identity chain construction method and device based on block chain preset contract and storage medium
CN115470468B (en) * 2022-11-14 2023-02-03 安徽中科晶格技术有限公司 Identity chain construction method and device based on block chain preset contract and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination