CN114051031A - Encryption communication method, system, equipment and storage medium based on distributed identity - Google Patents

Publication number
CN114051031A
Authority
CN
China
Prior art keywords
user
key
round
identity
distributed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111354506.9A
Other languages
Chinese (zh)
Other versions
CN114051031B (en)
Inventor
黎靖阳
王帅
余航
张昊迪
邓晓东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111354506.9A
Publication of CN114051031A
Application granted
Publication of CN114051031B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an encryption communication method, system, equipment and storage medium based on distributed identity, wherein the method comprises the following steps: the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identification; during each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity and a corresponding identity certificate; the first user and the second user exchange the distributed identity identifiers and the corresponding identity certificates of each round to obtain the identity of the other party and the public key of the current round, and the exchanged public key is used as the session key of the current round; and after the user plane information is encrypted with the session key, bidirectional communication is carried out. By establishing an end-to-end distributed identity identification channel, the invention ensures the confidentiality and privacy of data transmission, is suitable for scenarios that require shared key rotation records, and ensures the integrity of data transmission.

Description

Encryption communication method, system, equipment and storage medium based on distributed identity
Technical Field
The present invention relates to the field of network security, and in particular, to a method, system, device, and storage medium for encrypted communication based on distributed identities.
Background
Conventional key rotation infrastructure has two implementations. The first obtains the rotated key from a third-party authority; it relies on centralized storage and is vulnerable to a single point of failure. When a distributed ledger is used, a large number of or frequent remote queries can make the algorithm inefficient and affect the business.
The second is rooted in a distributed ledger, and a consensus mechanism ensures the credibility and non-repudiation of the keys after rotation.
Therefore, the invention provides a distributed identity-based encrypted communication method, system, device and storage medium that uses a distributed ledger (the second type).
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the invention and therefore may include information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
Aiming at the problems in the prior art, the invention aims to provide an encryption communication method, a system, equipment and a storage medium based on distributed identity, which overcome the difficulties in the prior art and ensure the confidentiality and privacy of data transmission by establishing an end-to-end distributed identity identification channel.
The embodiment of the invention provides an encryption communication method based on distributed identity, which comprises the following steps:
the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identification;
during each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity and a corresponding identity certificate;
the first user and the second user exchange the distributed identity identifiers and the corresponding identity certificates of each round to obtain the identity of the other party and the public key of the current round, and the exchanged public key is used as the session key of the current round; and
after the user plane information is encrypted with the session key, bidirectional communication is carried out.
Preferably, the first user and the second user establish an anonymous communication channel using a peer-to-peer network protocol based on distributed identity, further comprising:
selecting a main key rotation table to be stored in the wallet of the distributed identity corresponding to the first user or the second user, wherein the main key rotation table stores the session record of each round.
Preferably, the main key rotation table storing the session record of each round includes:
the main key rotation table records, in chronological order, the session key information, the digest information and the signature information of each session record.
Preferably, the generating the corresponding distributed identity and the corresponding identity credential includes:
the first user and the second user generate corresponding distributed identity identifiers and corresponding identity certificates according to the key pair of each round, wherein the identity certificates are verifiable claims corresponding to the distributed identity identifiers.
Preferably, the first user and the second user obtaining the identity of the other party and the public key of the current round by exchanging the distributed identity identifier and the corresponding identity certificate of each round, and using the exchanged public key as the session key of the current round, further comprises:
the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity identifiers, and share the same main key rotation table;
the digest information of each round's session record is a digest of the previous round's session record made using the private key of the current round's session record;
the signature information of each round's session record is a signature over the current round's record made using the private key of the previous round's session record;
and the first user and the second user each obtain the digest of the next round's public key at least according to the private key of the current round.
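The chained record layout described above (each round's record carries that round's public key, a digest of the previous record, and a signature made with the previous round's private key) can be verified mechanically by either party. The following is an added example, not code from the patent: it assumes an unkeyed SHA-256 digest (a simplification of the page's wording) and uses a Lamport one-time signature as a standard-library stand-in for the signature scheme the page leaves unspecified; all function and field names are hypothetical.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (stand-in; the page names no scheme) ---
def keygen():
    """Return (private key, public key): two secrets per digest bit and their hashes."""
    sk = [secrets.token_bytes(32) for _ in range(512)]
    pk = b"".join(H(s) for s in sk)
    return sk, pk


def _slots(msg: bytes):
    """For each of the 256 digest bits, the index of the secret that bit selects."""
    d = H(msg)
    return [2 * i + ((d[i // 8] >> (7 - i % 8)) & 1) for i in range(256)]


def sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[j] for j in _slots(msg))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 512 * 32 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[32 * j:32 * j + 32]
               for i, j in enumerate(_slots(msg)))


# --- Key rotation table (hypothetical record layout) ---
def body(rec) -> bytes:
    """The bytes covered by the record's signature."""
    return rec["round"].to_bytes(4, "big") + rec["public_key"] + rec["prev_digest"]


def record_digest(rec) -> bytes:
    return H(body(rec) + rec["signature"])


class RotationTable:
    def __init__(self):
        # Round 0 is the trust anchor: its public key is exchanged out of band.
        self._sk, pk = keygen()
        self.records = [{"round": 0, "public_key": pk,
                         "prev_digest": b"\x00" * 32, "signature": b""}]

    def rotate(self):
        """Append the next round, signed once with the outgoing private key."""
        new_sk, new_pk = keygen()
        prev = self.records[-1]
        rec = {"round": prev["round"] + 1, "public_key": new_pk,
               "prev_digest": record_digest(prev), "signature": b""}
        rec["signature"] = sign(self._sk, body(rec))
        self._sk = new_sk  # the old private key is discarded after one signature
        self.records.append(rec)
        return rec


def first_invalid_round(records, anchor_pk):
    """Return the index of the first record that breaks the chain, or None."""
    if not records or records[0]["public_key"] != anchor_pk:
        return 0
    for i in range(1, len(records)):
        prev, rec = records[i - 1], records[i]
        if (rec["round"] != prev["round"] + 1
                or rec["prev_digest"] != record_digest(prev)
                or not verify(prev["public_key"], body(rec), rec["signature"])):
            return i
    return None


def demo():
    """Constructed sample: three rotations, then a copy with round 2's key swapped."""
    table = RotationTable()
    anchor = table.records[0]["public_key"]
    for _ in range(3):
        table.rotate()
    forged = [dict(r) for r in table.records]
    forged[2]["public_key"] = keygen()[1]  # substituted key, no valid signature
    return first_invalid_round(table.records, anchor), first_invalid_round(forged, anchor)


if __name__ == "__main__":
    print(demo())
```

Because every private key signs exactly one record before it is discarded, a one-time signature scheme is sufficient here; a deployment would use whatever scheme its DID method specifies.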
Preferably, the method further comprises the following steps: one of the first user or the second user acts as the rotator, and the main key rotation table is placed in the wallet of the distributed identity of the rotator;
at least one supervising user is provided, a supervision key rotation table synchronized with the main key rotation table is placed in the wallet of the distributed identity of the supervising user, and each supervising user signs the session record with its own current private key to form a shadow record;
each round's shadow record in the supervision key rotation table is compared with the corresponding round's session record in the main key rotation table, and if they do not match, the session key has been fraudulently used and the communication is terminated.
Preferably, the method further comprises synchronizing the main key rotation table of the rotator to the supervision key rotation table of the supervising user in real time whenever the main key rotation table of the rotator is updated.
The embodiment of the present invention further provides an encryption communication system based on distributed identity, which is used for implementing the encryption communication method based on distributed identity, and the encryption communication system based on distributed identity includes:
the channel establishing module is used for establishing an anonymous communication channel by the first user and the second user by using a peer-to-peer network protocol based on distributed identity identification;
the key pair creating module is used for the first user and the second user to each create a key pair for the other party during each round of communication, the key pair comprising a public key and a private key, and to generate a corresponding distributed identity and a corresponding identity certificate;
the first user and the second user exchange the distributed identity identifiers and the corresponding identity certificates of each round to obtain the identity of the other party and the public key of the current round, and the exchanged public key is used as the session key of the current round; and
the bidirectional communication module is used for carrying out bidirectional communication after the user plane information is encrypted with the session key.
The embodiment of the invention also provides encryption communication equipment based on distributed identity, which comprises:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the above-described distributed identity based encrypted communication method via execution of the executable instructions.
Embodiments of the present invention also provide a computer-readable storage medium for storing a program, where the program implements the steps of the above-mentioned encryption communication method based on distributed identities when executed.
The invention aims to provide a distributed identity-based encrypted communication method, a distributed identity-based encrypted communication system, a distributed identity-based encrypted communication device and a distributed identity-based encrypted communication storage medium, which can ensure confidentiality and privacy of data transmission by establishing an end-to-end distributed identity identification channel, are suitable for scenes needing shared key rotation recording and ensure the integrity of data transmission.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
Fig. 1 is a flowchart of an embodiment of a distributed identity-based encrypted communication method according to the present invention.
Fig. 2 is a flowchart of another embodiment of the encrypted communication method based on distributed identities according to the present invention.
Fig. 3 is a schematic diagram of a usage scenario in the encryption communication method based on distributed identities according to the present invention.
Fig. 4 is a schematic diagram of a key rotation table in the encryption communication method based on distributed identities according to the present invention.
Fig. 5 is a schematic diagram of key information in a key rotation table in the encryption communication method based on distributed identities according to the present invention.
Fig. 6 is a schematic diagram of the main key rotation table synchronously updating the supervision key rotation table in the encryption communication method based on distributed identities according to the present invention.
Fig. 7 is a block diagram of an embodiment of a distributed identity based encryption communication system according to the present invention.
Fig. 8 is a block diagram of another embodiment of the distributed identity based encrypted communication system of the present invention.
Fig. 9 is a schematic diagram of the operation of the distributed identity based encrypted communication system of the present invention.
Detailed Description
The following description of the embodiments of the present application is provided by way of specific examples, and other advantages and effects of the present application will be readily apparent to those skilled in the art from the disclosure herein. The present application is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Embodiments of the present application will be described in detail below with reference to the accompanying drawings so that those skilled in the art to which the present application pertains can easily carry out the present application. The present application may be embodied in many different forms and is not limited to the embodiments described herein.
Reference throughout this specification to "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," or the like, means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Furthermore, the particular features, structures, materials, or characteristics shown may be combined in any suitable manner in any one or more embodiments or examples. Moreover, various embodiments or examples and features of different embodiments or examples presented in this application can be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the expressions of the present application, "plurality" means two or more unless specifically defined otherwise.
In order to clearly explain the present application, components that are not related to the description are omitted, and the same reference numerals are given to the same or similar components throughout the specification.
Throughout the specification, when a device is referred to as being "connected" to another device, this includes not only the case of being "directly connected" but also the case of being "indirectly connected" with another element interposed therebetween. In addition, when a device "includes" a certain component, unless otherwise stated, the device does not exclude other components, but may include other components.
When a device is said to be "on" another device, this may be directly on the other device, but may also be accompanied by other devices in between. When a device is said to be "directly on" another device, there are no other devices in between.
Although the terms first, second, etc. may be used herein to describe various elements in some instances, these elements should not be limited by these terms. These terms are only used to distinguish one element from another, for example a first interface and a second interface. Also, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes" and/or "including," when used in this specification, specify the presence of stated features, steps, operations, elements, components, items, species, and/or groups, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, items, species, and/or groups thereof. The terms "or" and "and/or" as used herein are to be construed as inclusive, meaning any one or any combination. Thus, "A, B or C" or "A, B and/or C" means "any of the following: A; B; C; A and B; A and C; B and C; A, B and C". An exception to this definition will occur only when a combination of elements, functions, steps or operations are inherently mutually exclusive in some way.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used herein, the singular forms "a", "an" and "the" include plural forms as long as the words do not expressly indicate a contrary meaning. The term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but does not exclude the presence or addition of other features, regions, integers, steps, operations, elements, and/or components.
Unless defined otherwise, all terms used herein, including technical and scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. Terms defined in commonly used dictionaries are to be additionally interpreted as having meanings consistent with the related art documents and the present disclosure, and must not be interpreted in an idealized or overly formal sense unless so defined.
Fig. 1 is a flowchart of an embodiment of a distributed identity-based encrypted communication method according to the present invention. As shown in fig. 1, the encryption communication method based on distributed identity of the present invention includes:
S110: the first user and the second user establish an anonymous communication channel by using a Peer-to-Peer network protocol (Peer) based on Distributed Identity (DID). To solve the problems of traditional centralized identity, the invention adopts distributed identity identifier (DID) technology. A distributed identity is a decentralized, verifiable digital identifier that is independent of centralized authorities and can autonomously perform registration, resolution, renewal, or revocation operations without centralized registration and authorization. Distributed identity technology combines Blockchain technology and a Byzantine Fault Tolerance (BFT) algorithm to establish a traceable, verifiable, tamper-resistant and autonomous trusted digital identity for a user in a decentralized manner. The distributed identity and Verifiable Credential (VC) specifications respectively define an identity identifier representing an entity and the attribute claims associated with it, and together they support the efficient operation of the basic model of distributed identity, the verifiable credential flow model. The corresponding identity can be found through the distributed identity identifier, the attributes of the identity can be determined through the verifiable credential, and by combining the two the identity can be assigned a corresponding role: the identity and its verifiable credential can be quickly retrieved on the blockchain through the distributed identity identifier; the verifiable credential contains the detailed attributes of the identity, such as the position or role within the organization of the user corresponding to the identity, the data requirements and the like; and once this information is determined, the data owner can assign the user a role with the corresponding permissions.
After a user initiates a service request to data on the cloud, a data owner can judge whether the user can access a corresponding data block according to the role owned by the user.
With distributed identity, data owners can provide data services to users in specific roles, but processing the data requires a secure and trusted environment to prevent data theft and tampering. Further, a data owner's data has particular value, and the owner is often unwilling to let a user acquire it directly; that is, the user is allowed to use the data without obtaining ownership of it. Therefore, homomorphic encryption can be adopted so that the data is processed in ciphertext form and the result is then decrypted, the decrypted result being consistent with the result of the same operation on the plaintext. The data is never presented to the user in the clear, which ensures that it is not visible to the user during processing.
The International Electrotechnical Commission defines "identity" as a "set of attributes associated with an entity". A digital identity is typically represented by an identity identifier and the attribute claims associated with it; a distributed digital identity includes a distributed digital identity identifier and a digital identity credential (a set of claims). A distributed digital identity identifier (DID) is an identifier consisting of a string of characters that represents a digital identity and can be globally unique without the need for a central registry. Typically, an entity may possess multiple identities, each assigned a unique DID value and an asymmetric key associated with it. There is no associated information between different identities, which effectively avoids the aggregation of the owner's identity information. Distributed identities (DIDs) are decentralized, verifiable digital identifiers that are distributed, autonomously controllable, and reusable across chains. The entity can autonomously complete the registration, resolution, update or revocation of a DID. A DID resolves to a DID Document that includes the unique id of the DID, a list of public keys with detailed information about each public key (holder, encryption algorithm, key status, etc.), and other attribute descriptions of the DID holder. One entity may correspond to a plurality of DIDs. "Claims" refers to attribute information associated with an identity; the term stems from claim-based digital identity, a way of asserting a digital identity that is independent of any particular system that needs to rely on it. Claim information generally includes, for example, name, email address, age, occupation, etc. A claim may be issued by the identity owner (e.g., an individual or organization) itself or by other claim issuers, and is referred to as a verifiable claim when issued by an issuer.
The user submits the claim to the relevant application, the application checks it, and the application service provider can trust a verifiable claim signed by an issuer just as it trusts that issuer. A collection of multiple claims is called a credential. The DID is associated with a DID Document. The data recorded in the DID document is decided by the user, and unnecessary information need not be recorded in the DID document at all. In the DID system there are three roles: identity issuer, identity holder and verifier. The holder applies to the issuer for an identity, and the verifier verifies the holder's identity when needed. DID data is stored on a blockchain, and private data is not stored on the chain. The three roles interact with each other directly and use cryptographic algorithms such as asymmetric encryption and zero-knowledge proofs.
A peer-to-peer (P2P) network is a distributed application architecture that distributes tasks and workloads among peers; it is the networking form that the peer-to-peer computing model takes at the application layer. Literally, P2P may be understood as peer-to-peer computing or a peer-to-peer network. Media in China translate P2P in more than one way, while the academic community commonly refers to it as peer-to-peer networking (peer-to-peer computing), which can be defined as follows: participants in the network share a portion of the hardware resources they own (processing power, storage capacity, network connectivity, printers, etc.); these shared resources provide services and content over the network and can be accessed directly by other peer nodes without going through intermediate entities. The participants in this network are both providers (servers) and acquirers (clients) of resources, services and content. In a P2P network environment, the interconnected computers are in a peer relationship: each computer has the same functionality, there is no master-slave relationship, and a computer can serve both as a server, offering shared resources for use by other computers in the network, and as a workstation. The network as a whole generally does not rely on a dedicated centralized server, nor does it have dedicated workstations. Each computer in the network can both act as a requester of network services and provide resources, services and content in response to requests from other computers. Typically these resources and services include: sharing and exchange of information, computing resources (e.g., CPU computing power sharing), storage sharing (e.g., use of cache and disk space), network sharing, printer sharing, and the like.
S120: during each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity and a corresponding identity certificate. A key pair is a technical term in computer science and generally comprises a public key and the corresponding private key.
S130: the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity and the corresponding identity certificate of each round, and the exchanged public key is used as the session key of the current round.
S140: after the user plane information is encrypted with the session key, bidirectional communication is carried out.
The DID-based key rotation method provided by the invention shares the key rotation table through the private link established by the DID Peer protocol, thereby greatly reducing the cost of querying the validity of a key during actual identity authentication, greatly improving privacy and security, and preventing the rotated private key from being stolen or damaged.
Fig. 2 is a flowchart of another embodiment of the encrypted communication method based on distributed identities according to the present invention. As shown in fig. 2, in the encryption communication method based on distributed identity, on the basis of steps S110, S120, S130, and S140 in the embodiment of fig. 1, step S110 is replaced by S111 and S112, step S120 is replaced by S121 and S122, step S130 is replaced by S131, S132, S133 and S134, and step S140 is replaced by S141, S142 and S143, and each step is described below:
S111, the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identifiers.
S112, a subject key rotation table is selected to be stored in the distributed-identity wallet of the first user or the second user, and the subject key rotation table stores the session record of each round.
S121, in each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key.
S122, the first user and the second user generate corresponding distributed identity identifiers and corresponding identity certificates from the key pair of each round, wherein the identity certificates are verifiable claims corresponding to the distributed identity identifiers.
S131, the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity identifiers, and share the same subject key rotation table.
S132, the digest information of each round's session record is a digest of the previous round's session record, made with the private key of the current round.
S133, the signature information of each round's session record is a signature over that round's record, made with the private key of the previous round.
S134, the first user and the second user each obtain the digest of the next round's public key, at least according to the private key of the current round.
S141, at least one supervising user is provided; a supervision key rotation table synchronized with the subject key rotation table is kept in the distributed-identity wallet of the supervising user, and each supervising user signs the session record with its own current private key to form a shadow record.
S142, each round's shadow record in the supervision key rotation table is compared with the corresponding round's session record in the subject key rotation table; if they do not match, the session key is deemed to have been used fraudulently and the communication is terminated.
S143, when the subject key rotation table of the rotator is updated, it is synchronized to the supervision key rotation table of the supervising user in real time.
The invention ensures the confidentiality and privacy of data transmission by establishing an end-to-end DID channel. The carefully designed key rotation table binds each record to the keys of the preceding and following rounds in different forms, so that consecutive records prove each other. Even if a private key is impersonated, it cannot pass the check, which guarantees the integrity of the data. Moreover, supervisor nodes and supervision key rotation tables strengthen trust in the subject key rotation table: even a forged subject is still checked by the other supervisors, which improves network security.
The following describes an implementation process of the encryption communication method based on distributed identity in detail with reference to fig. 3 to 6:
In practice, to prevent a key from being brute-forced or accidentally leaked, the asymmetric keys used to ensure security often need to be updated and rotated. The DID-based key rotation recording method can be used in scenarios that require a shared key rotation record. Fig. 3 is a schematic diagram of a usage scenario in the encryption communication method based on distributed identities according to the present invention. As shown in fig. 3, first, mobile terminal 1 (a mobile phone) of the first user and mobile terminal 2 (a computer) of the second user construct a DID anonymous encrypted channel 3 over which to share the key rotation table: after the two communicating parties complete a handshake through the DID:Peer protocol, an anonymous communication channel is established. Each party creates a new key pair for the session with the other and generates the corresponding DID and DID Document information. By exchanging DIDs, each party obtains the identity of the other, in particular its public key. The session key is exchanged via the public key, and finally the user plane information is encrypted with the session key and communication over the channel begins.
Fig. 4 is a schematic diagram of a key rotation table in the encryption communication method based on distributed identities according to the present invention. As shown in fig. 4, a key rotation table is then built on the agent and stored in the DID wallet to ensure confidentiality and privacy. The key rotation information of one of the parties can then be shared, and both parties can build a key rotation record table. The digest in the table is a digest of the previous record made with the new private key. The signature is a signature over the new record made with the previous private key. This ensures that consecutive records endorse each other.
Fig. 5 is a schematic diagram of key information in a key rotation table in the encryption communication method based on distributed identities according to the present invention. As shown in fig. 5, the key rotation table is then used as the key embedding point of the next round: in the present invention, the records not only endorse each other but also serve as the embedding point for the next round's key. The digest of the next round's public key is computed with the current round's private key, which provides a "forecast" of the next round's public key and binds it to the current round, without exposing its true value, so that it cannot be maliciously cracked.
Fig. 6 is a schematic diagram of synchronously updating a supervision key rotation table from the subject key rotation table in the encryption communication method based on distributed identities according to the present invention. As shown in fig. 6, supervisor nodes can provide further reliability throughout the process: a supervision key rotation table can be created and registered on each supervisor node. The supervisor establishes a DID:Peer anonymous encrypted channel with the rotator. The rotator can synchronize the rotation information to the supervisor in real time. After receiving a record, the supervisor signs it with its current private key. The more supervisors there are, the higher the trustworthiness of the subject key rotation table.
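The rotation table of figs. 4 to 6 can be exercised as the following added example, which is not code from the patent: each record forecasts the next public key by its digest, is linked to the previous record and is signed by the previous round's private key, and a supervisor's shadow copy catches a table that was regenerated from scratch. The patent names no algorithms, so everything here is an assumption: Lamport one-time signatures over SHA-256 stand in for the wallet's signature scheme, the digest is modeled as SHA-256 over the previous record bound to the new key's fingerprint, the shadow record is kept as a plain hash instead of a supervisor signature, and all names are hypothetical.

```python
import hashlib
import json
import secrets

def H(data):
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: an assumed stand-in for the wallet's real scheme.
# Each private key signs exactly once here (the record of the following round).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    return isinstance(sig, list) and len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def fingerprint(pk):
    return H(b"".join(a + b for a, b in pk)).hex()

FIELDS = ("round", "key", "prev_digest", "next_key_digest")

def body(rec):
    """Canonical bytes of the fields covered by the digest and the signature."""
    return json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True).encode()

def link(prev, key_fp):
    """Digest of the previous record, bound to the new round's key (assumed form)."""
    return "" if prev is None else H(body(prev) + key_fp.encode()).hex()

class Rotator:
    """Holds the current and the pre-generated next key and appends records."""
    def __init__(self):
        self.sk, self.pk = keygen()            # key of round 0
        self.next_sk, self.next_pk = keygen()  # key of round 1, generated early
        self.table = []
        self._append(signer=None)

    def _append(self, signer):
        prev = self.table[-1] if self.table else None
        key_fp = fingerprint(self.pk)
        rec = {"round": len(self.table), "key": key_fp,
               "prev_digest": link(prev, key_fp),
               "next_key_digest": fingerprint(self.next_pk),  # the "forecast"
               "pk": self.pk}
        # The previous round's private key endorses the new record.
        rec["sig"] = sign(signer, body(rec)) if signer else None
        self.table.append(rec)

    def rotate(self):
        old_sk = self.sk
        self.sk, self.pk = self.next_sk, self.next_pk
        self.next_sk, self.next_pk = keygen()
        self._append(signer=old_sk)

def verify_table(table):
    """Return the first round that fails a check, or None if the chain is sound."""
    for i, rec in enumerate(table):
        if rec["round"] != i or fingerprint(rec["pk"]) != rec["key"]:
            return i
        if i == 0:
            continue
        prev = table[i - 1]
        if rec["key"] != prev["next_key_digest"]:          # forecast not honored
            return i
        if rec["prev_digest"] != link(prev, rec["key"]):   # back link broken
            return i
        if not verify(prev["pk"], body(rec), rec["sig"]):  # old key did not endorse
            return i
    return None

def shadow(table):
    """Supervisor side: one hash per record, taken when the record was synced."""
    return [H(body(r)).hex() for r in table]

def first_mismatch(table, shadow_table):
    """Return the first round where table and shadow disagree, or None."""
    for i, (rec, h) in enumerate(zip(table, shadow_table)):
        if H(body(rec)).hex() != h:
            return i
    same = len(table) == len(shadow_table)
    return None if same else min(len(table), len(shadow_table))

if __name__ == "__main__":
    rotator = Rotator()
    for _ in range(3):
        rotator.rotate()
    print("chain check:", verify_table(rotator.table))
    print("shadow check:", first_mismatch(rotator.table, shadow(rotator.table)))
```

A table rebuilt end to end by someone holding none of the original keys still passes `verify_table`, because it is internally consistent; only the comparison against a supervisor's independent shadow copy exposes it, which is why the description adds supervisors on top of the chained records.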
Fig. 7 is a block diagram of an embodiment of a distributed identity based encryption communication system according to the present invention. The encryption communication system based on distributed identity of the present invention, as shown in fig. 7, includes but is not limited to:
The channel establishing module 51, by which the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identifiers.
The key pair creating module 52, by which, in each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity identifier and a corresponding identity certificate.
The identifier exchange module 53, by which, in each round, the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity identifier and the corresponding identity certificate, and the exchanged public key is used as the session key of the current round.
The bidirectional communication module 54, which performs bidirectional communication after the user plane information is encrypted with the session key.
The implementation principle of the above modules is described in the encryption communication method based on distributed identity, and will not be described herein again.
The encryption communication system based on the distributed identity can ensure the confidentiality and the privacy of data transmission by establishing an end-to-end distributed identity identification channel, is suitable for scenes needing the rotation recording of the shared secret key, and ensures the integrity of the data transmission.
Fig. 8 is a block diagram of another embodiment of the distributed identity based encrypted communication system of the present invention. As shown in fig. 8, on the basis of the embodiment of the apparatus shown in fig. 7, in the login authentication system based on hybrid encryption of the present invention, the channel establishing module 51 is replaced by the anonymous communication module 511 and the key rotation table module 512, the key pair creating module 52 is replaced by the key pair creating module 521 and the identity identifier module 522, the identifier exchange module 53 is replaced by the identity exchange module 531, the session digest module 532, the record signature module 533 and the public key digest module 534, and the bidirectional communication module 54 is replaced by the shadow recording module 541, the supervision judging module 542 and the synchronous updating module 543. Each module is described below:
The anonymous communication module 511, by which the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identifiers.
The key rotation table module 512, which selects a subject key rotation table to be stored in the distributed-identity wallet of the first user or the second user, the subject key rotation table storing the session record of each round.
The key pair creating module 521, by which, in each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key.
The identity identifier module 522, by which the first user and the second user generate corresponding distributed identity identifiers and corresponding identity certificates from the key pair of each round, the identity certificates being verifiable claims corresponding to the distributed identity identifiers.
The identity exchange module 531, by which the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity identifiers, and share the same subject key rotation table.
The session digest module 532, by which the digest information of each round's session record is formed as a digest of the previous round's session record, made with the private key of the current round.
The record signature module 533, by which the signature information of each round's session record is formed as a signature over that round's record, made with the private key of the previous round.
The public key digest module 534, by which the first user and the second user each obtain the digest of the next round's public key, at least according to the private key of the current round.
The shadow recording module 541, which provides at least one supervising user; a supervision key rotation table synchronized with the subject key rotation table is kept in the distributed-identity wallet of the supervising user, and each supervising user signs the session record with its own current private key to form a shadow record.
The supervision judging module 542, which compares each round's shadow record in the supervision key rotation table with the corresponding round's session record in the subject key rotation table; if they do not match, the session key is deemed to have been used fraudulently and the communication is terminated.
The synchronous updating module 543, which, when the subject key rotation table of the rotator is updated, synchronizes it to the supervision key rotation table of the supervising user in real time.
The above-mentioned implementation principle of the module is described in the encryption communication method based on the distributed identity, and is not described herein again.
The encryption communication system based on the distributed identity can ensure the confidentiality and the privacy of data transmission by establishing an end-to-end distributed identity identification channel, is suitable for scenes needing the rotation recording of the shared secret key, and ensures the integrity of the data transmission.
The embodiment of the invention also provides an encrypted communication device based on distributed identity, which comprises a processor and a memory storing executable instructions of the processor, wherein the processor is configured to perform the steps of the distributed identity based encrypted communication method via execution of the executable instructions.
As shown above, the encryption communication system based on distributed identities of the embodiment of the present invention can ensure confidentiality and privacy of data transmission by establishing an end-to-end distributed identity channel, and is suitable for a scenario requiring a shared key rotation record, thereby ensuring integrity of data transmission.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "platform."
Fig. 9 is a schematic structural diagram of the encrypted communication device based on distributed identity in the present invention. An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 9. The electronic device 600 shown in fig. 9 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 9, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including the memory unit 620 and the processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code executable by the processing unit 610 to cause the processing unit 610 to perform steps according to various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of the present specification. For example, processing unit 610 may perform the steps as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: a processing system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms, to name a few.
The embodiment of the invention also provides a computer readable storage medium for storing a program, and the steps of the encryption communication method based on the distributed identity are realized when the program is executed. In some possible embodiments, the aspects of the present invention may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of this specification, when the program product is run on the terminal device.
As shown above, the encryption communication system based on distributed identities of the embodiment of the present invention can ensure confidentiality and privacy of data transmission by establishing an end-to-end distributed identity channel, and is suitable for a scenario requiring a shared key rotation record, thereby ensuring integrity of data transmission.
The program product 800 for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out processes of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In summary, the present invention is directed to provide a method, a system, a device, and a storage medium for encrypted communication based on distributed identities, which can ensure confidentiality and privacy of data transmission by establishing an end-to-end distributed identity channel, and are suitable for a scenario requiring a shared key rotation record, thereby ensuring integrity of data transmission.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (10)

1. An encryption communication method based on distributed identity is characterized by comprising the following steps:
the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identification;
in each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity identifier and a corresponding identity certificate;
in each round, the first user and the second user exchange the distributed identity identifiers and the corresponding identity certificates to obtain the identity of the other party and the public key of the current round, and the exchanged public key is used as the session key of the current round; and
after the user plane information is encrypted with the session key, bidirectional communication is carried out.
2. The distributed identity based encrypted communication method according to claim 1, wherein the first user and the second user establish an anonymous communication channel using a peer-to-peer network protocol based on distributed identity, further comprising:
selecting a subject key rotation table to be stored in the distributed-identity wallet of the first user or the second user, wherein the subject key rotation table stores the session record of each round.
3. The method of claim 2, wherein the subject key rotation table stores the session record of each round, and comprises:
the subject key rotation table records, in chronological order, the session key information, the digest information and the signature information of each session record.
4. The method of claim 1, wherein the generating the corresponding distributed ids and corresponding credentials comprises:
the first user and the second user generate corresponding distributed identity identifiers and corresponding identity certificates from the key pair of each round, wherein the identity certificates are verifiable claims corresponding to the distributed identity identifiers.
5. The encryption communication method based on the distributed identity as claimed in claim 3, wherein the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity and the corresponding identity certificate in each round, and the exchanged public key is used as the session key of the current round, further comprising:
the first user and the second user obtain the identity of the other party and the public key of the current round by exchanging the distributed identity identifiers, and share the same subject key rotation table;
the digest information of each round's session record is a digest of the previous round's session record, made with the private key of the current round;
the signature information of each round's session record is a signature over that round's record, made with the private key of the previous round;
and the first user and the second user each obtain the digest of the next round's public key, at least according to the private key of the current round.
6. The encrypted communication method based on distributed identity according to claim 5, further comprising: one of the first user or the second user acts as a rotator, and the subject key rotation table is kept in the distributed-identity wallet of the rotator;
providing at least one supervising user, wherein a supervision key rotation table synchronized with the subject key rotation table is kept in the distributed-identity wallet of the supervising user, and each supervising user signs the session record with its own current private key to form a shadow record;
and comparing each round's shadow record in the supervision key rotation table with the corresponding round's session record in the subject key rotation table, wherein if the shadow record does not match the session record, the session key is deemed to have been used fraudulently and the communication is terminated.
7. The method of claim 6, further comprising:
when the subject key rotation table of the rotator is updated, the subject key rotation table of the rotator is synchronized to the supervision key rotation table of the supervising user in real time.
8. A distributed identity based encrypted communication system, comprising:
a channel establishing module, by which the first user and the second user establish an anonymous communication channel by using a peer-to-peer network protocol based on distributed identity identifiers;
a key pair creating module, by which, in each round of communication, the first user and the second user each create a key pair for the other party, the key pair comprising a public key and a private key, and generate a corresponding distributed identity identifier and a corresponding identity certificate;
an identifier exchange module, by which, in each round, the first user and the second user exchange the distributed identity identifiers and the corresponding identity certificates to obtain the identity of the other party and the public key of the current round, and the exchanged public key is used as the session key of the current round; and
a bidirectional communication module, which carries out bidirectional communication after the user plane information is encrypted with the session key.
9. An encrypted communication device based on distributed identity, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the distributed identity based cryptographic communication method of any of claims 1 to 7 via execution of the executable instructions.
10. A computer-readable storage medium storing a program which, when executed by a processor, performs the steps of the distributed identity based cryptographic communication method of any one of claims 1 to 7.
CN202111354506.9A 2021-11-16 2021-11-16 Encryption communication method, system, equipment and storage medium based on distributed identity Active CN114051031B (en)


Publications (2)

Publication Number Publication Date
CN114051031A true CN114051031A (en) 2022-02-15
CN114051031B CN114051031B (en) 2024-05-10

Family

ID=80209246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111354506.9A Active CN114051031B (en) 2021-11-16 2021-11-16 Encryption communication method, system, equipment and storage medium based on distributed identity

Country Status (1)

Country Link
CN (1) CN114051031B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174146A (en) * 2022-06-02 2022-10-11 浙江毫微米科技有限公司 Communication method and device based on distributed identity
CN117370459A (en) * 2023-10-08 2024-01-09 广州新赫信息科技有限公司 High-performance evidence-storing data storage method based on trusted chain
CN117560229A (en) * 2024-01-11 2024-02-13 吉林大学 Federal non-intrusive load monitoring user verification method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140075524A1 (en) * 2012-09-11 2014-03-13 Authenticade Llc System and method to establish and use credentials for a common lightweight identity through digital certificates
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN109983466A (en) * 2018-09-27 2019-07-05 区链通网络有限公司 A kind of account management system and management method, storage medium based on block chain
US20190280860A1 (en) * 2017-01-25 2019-09-12 saleforce.com.Inc. Secure user authentication based on multiple asymmetric cryptography key pairs
CN110581854A (en) * 2019-09-12 2019-12-17 北京笔新互联网科技有限公司 intelligent terminal safety communication method based on block chain
US20200067907A1 (en) * 2018-08-21 2020-02-27 HYPR Corp. Federated identity management with decentralized computing platforms
CN113256290A (en) * 2021-05-14 2021-08-13 杭州链网科技有限公司 Decentralized encrypted communication and transaction system
CN113438088A (en) * 2021-06-28 2021-09-24 湖南天河国云科技有限公司 Social network credit monitoring method and device based on block chain distributed identity

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174146A (en) * 2022-06-02 2022-10-11 浙江毫微米科技有限公司 Communication method and device based on distributed identity
CN115174146B (en) * 2022-06-02 2024-02-23 浙江毫微米科技有限公司 Communication method and device based on distributed identity
CN117370459A (en) * 2023-10-08 2024-01-09 广州新赫信息科技有限公司 High-performance evidence-storing data storage method based on trusted chain
CN117560229A (en) * 2024-01-11 2024-02-13 吉林大学 Federal non-intrusive load monitoring user verification method
CN117560229B (en) * 2024-01-11 2024-04-05 吉林大学 Federal non-intrusive load monitoring user verification method

Also Published As

Publication number Publication date
CN114051031B (en) 2024-05-10

Similar Documents

Publication Publication Date Title
US20220318907A1 (en) Systems and methods for generating secure, encrypted communications across distributed computer networks for authorizing use of cryptography-based digital repositories in order to perform blockchain operations in decentralized applications
EP3788523B1 (en) System and method for blockchain-based cross-entity authentication
Lim et al. Blockchain technology the identity management and authentication service disruptor: a survey
US11159307B2 (en) Ad-hoc trusted groups on a blockchain
Alvarenga et al. Securing configuration management and migration of virtual network functions using blockchain
JP6118778B2 (en) System and method for securing data in motion
JP6120895B2 (en) System and method for securing data in the cloud
JP5663083B2 (en) System and method for securing data in motion
Bao et al. IoTChain: A three-tier blockchain-based IoT security architecture
US20200021446A1 (en) Secure de-centralized domain name system
CN109327481B (en) Block chain-based unified online authentication method and system for whole network
CN111144881A (en) Selective access to asset transfer data
CN114051031B (en) Encryption communication method, system, equipment and storage medium based on distributed identity
US9160535B2 (en) Truly anonymous cloud key broker
JP2009534940A (en) Peer-to-peer contact information exchange
TW202131659A (en) Computer implemented method and system for storing certified data on a blockchain
Li et al. A Blockchain‐Based Public Auditing Protocol with Self‐Certified Public Keys for Cloud Data
US11893577B2 (en) Cryptographic key storage system and method
US20090185685A1 (en) Trust session management in host-based authentication
Wen et al. A Blockchain‐Based Privacy Preservation Scheme in Mobile Medical
US20230246822A1 (en) Systems and methods for providing secure, encrypted communications across distributed computer networks by coordinating cryptography-based digital repositories in order to perform blockchain operations in decentralized applications
Mershad et al. Lightweight blockchain solutions: Taxonomy, research progress, and comprehensive review
US11647020B2 (en) Satellite service for machine authentication in hybrid environments
Andersen Decentralized authorization with private delegation
US20230421540A1 (en) Systems and methods for generating secure, encrypted communications using multi-party computations in order to perform blockchain operations in decentralized applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant