CN114186288A - PKI certificate system model based on block chain and certificate management method - Google Patents


Publication number
CN114186288A
Authority
CN
China
Prior art keywords
certificate
digital certificate
block chain
service provider
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111482274.5A
Other languages
Chinese (zh)
Inventor
黄志清
黄明明
贾雨风
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN202111482274.5A priority Critical patent/CN114186288A/en
Publication of CN114186288A publication Critical patent/CN114186288A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a blockchain-based PKI certificate system model and certificate management method, which introduce RSA accumulator technology to mitigate the performance problems caused by bringing a blockchain into a PKI system. The blockchain-based PKI system model provides transparency and traceability in an insecure Internet environment: the CA's operations on digital certificates are uploaded, through the blockchain nodes coupled to the CA, to a blockchain jointly maintained by multiple parties, which gives the model decentralization and traceability of CA behavior. The RSA accumulator technology, together with a knowledge proof scheme, avoids storing a large number of digital certificates on the blockchain and so compresses the storage space. Based on the full life cycle of digital certificate management and the properties of the RSA accumulator, a digital certificate management method based on a blockchain and dual RSA accumulators is provided, in which every participant of the PKI system can verify the validity of a digital certificate locally, using the accumulator state published on the blockchain together with the digital certificate and its corresponding proof.

Description

PKI certificate system model based on block chain and certificate management method
Technical Field
The invention belongs to the field of blockchain technology applications, and mainly relates to blockchain technology, the cryptographic RSA accumulator, Public Key Infrastructure (PKI) and a digital certificate management method.
Background
With the development and popularization of the Internet, network activities occupy a greater and greater proportion of people's daily activities. The development of the mobile Internet lets people communicate through terminals at any time, and the development of e-commerce and mobile payment technology has shifted the center of gravity of economic activity online. Strengthening network security is therefore of crucial importance to the real economy.
The generation and distribution of security keys is the basis of secure Internet communication. The PKI system is currently the most popular solution in network communication. A PKI system includes a certificate authority (CA), a registration authority (RA), a certificate issuing system, a PKI policy and so on, and it provides a secure way of verifying identity on the Internet by generating, managing, distributing and revoking certificates based on public-key cryptography. As PKI technology has developed, PKI systems have come to be widely used in secure communication scenarios such as e-commerce, e-government, Internet banking and, increasingly, the electronic health industry.
However, the many security incidents at well-known CAs in recent years have exposed the vulnerabilities of the traditional PKI architecture. The cause is that the current PKI architecture, in binding a trusted entity to a digital identity, relies excessively on a centralized certificate authority, which gives it two fatal drawbacks. First, the certificate authority, as a third party, is not transparent enough for its trustworthiness to be guaranteed. Second, if the certificate authority suffers a single point of failure, a key leak or a similar problem, user identity information can be lost or even tampered with, and the whole trust system can collapse.
Blockchain technology is a decentralized distributed-ledger technology. Through a consensus mechanism it can build a trusted distributed environment within an untrusted public environment, embedding trust directly in the system without relying on a trusted third party, and all transaction records are transparently recorded and verified using cryptographic algorithms.
Blockchain technology has the potential to solve the problems of the traditional PKI architecture. In a blockchain system, the participants manage and maintain the operation of the system together with third-party institutions such as the certificate authority and the registration authority, and every process is transparent and traceable, which effectively removes the hidden danger of those third parties abusing their authority. In view of this, a blockchain-based PKI system model is designed using blockchain, RSA accumulator and related technologies, and a digital certificate management method is proposed on top of that model.
Disclosure of Invention
The main object of the invention is to provide a PKI certificate system model and a digital certificate management method based on a blockchain and RSA accumulators. They combine the traditional PKI digital certificate trust system with a blockchain to address the centralization problem of the traditional PKI system, and introduce RSA accumulator technology to mitigate the performance problems caused by bringing the blockchain into the PKI system. The system structure is shown in Fig. 1.
To achieve this object, the invention adopts the following technical scheme: a blockchain-based PKI digital certificate system model and digital certificate management method. The model, shown in Fig. 2, mainly includes the following roles:
1. CA node
The CA node is the organization that manages and maintains digital certificates in the PKI system, providing the operations of issuing, revoking and updating digital certificates.
2. Service provider
The service provider is the provider of a network service and the initiator of certificate requests; it obtains a certificate by submitting a certificate application to the CA node.
3. User
The user is the requester of a network service. Using the digital certificate and the proof provided by the service provider, together with the data stored on the blockchain, the user can check the authenticity and validity of the digital certificate.
4. Blockchain
The blockchain uses a consortium (alliance) chain as the underlying chain, and the blockchain network is built with Docker containers as the carrier. Several smart contracts are deployed to audit the CA's digital certificate operation records and to provide users with the RSA accumulator parameters for checking the validity of a digital certificate.
The digital certificate management method of the model mainly covers three aspects: certificate registration, certificate revocation and certificate verification.
Certificate registration. The service provider sends a certificate registration request to the CA node and submits identity proof information. The CA node checks the physical identity of the service provider offline, then generates and issues the corresponding digital certificate CertReg. The CA node then retrieves the latest accumulator state A_pub from the blockchain, adds the certificate CertReg to A_pub, which places the certificate in the certificate issuance set, and returns a registration proof. The information related to the certificate is uploaded to the blockchain in a transaction, as a data type formatted as CertControl. When the transaction is validated, the proof is returned to the service provider as evidence that the certificate was registered successfully. The flow is shown in Fig. 3.
Certificate revocation. When the service provider's information changes or its private key leaks, the service provider can ask the CA to revoke the digital certificate CertRev. The CA node retrieves the latest accumulator state A_rev from the blockchain and adds the revoked certificate CertRev to A_rev, which places the certificate in the certificate revocation set. The accumulator state A_rev on the blockchain and the CertControl are then updated in a transaction; when the transaction is verified, the certificate has been revoked successfully. The flow is shown in Fig. 4.
Certificate verification. Before a user establishes a secure connection with a service provider, the validity of the digital certificate provided by the service provider must be verified, which mainly involves the following steps. First, the user looks up the corresponding CertControl on the blockchain by the certificate serial number provided by the service provider. Second, the user looks up the latest accumulator states A_pub and A_rev on the blockchain. Third, using the service provider's registration proof together with the accumulator state A_pub, the user verifies whether the certificate is in the CA's issued-certificate set. Fourth, using the digital certificate provided by the service provider together with the latest accumulator state A_rev, the user verifies whether the certificate is in the CA's revoked-certificate set. Only after both verification phases have passed can the user establish a secure connection with the service provider using the digital certificate. The flow is shown in Fig. 5.
Compared with existing PKI system models and certificate management methods, the PKI system based on a blockchain and RSA accumulators, and its certificate management method, have the following benefits:
1. Compared with the traditional PKI system, the blockchain-based PKI system model provides transparency and traceability in an insecure Internet environment. The CA's operations on digital certificates are uploaded, through the blockchain nodes coupled to the CA, to a blockchain jointly maintained by multiple parties, so the model has the characteristics of decentralization and traceability of CA behavior.
2. On top of the blockchain-based PKI model, the invention introduces RSA accumulator technology and, through a knowledge proof scheme, avoids storing a large number of digital certificates on the blockchain and compresses the storage space.
3. For the digital certificate management process, based on the full life cycle of digital certificate management and the properties of the RSA accumulator, the invention provides a digital certificate management method based on a blockchain and dual RSA accumulators. Every participant of the PKI system can verify the validity of a digital certificate locally, using the accumulator state published on the blockchain together with the digital certificate and its corresponding proof.
Drawings
Fig. 1 is a system architecture diagram.
Fig. 2 is a system model diagram.
Fig. 3 is a flow chart of digital certificate issuance.
Fig. 4 is a flow chart of digital certificate revocation.
Fig. 5 is a flow chart of digital certificate validation.
Detailed Description
To make the objects, contents and advantages of the present invention clearer to those skilled in the art, the invention is described in further detail below with reference to the accompanying drawings. The specific steps of the embodiment are as follows:
Step 001: Initialization. A large number N of unknown factorization is generated with RSA-2048, and a generator g is selected as the base; g represents the empty accumulator. The accumulators A_pub and A_rev are thereby initialized, and the initial state of the accumulators is published on the blockchain.
Step 002: Certificate issuance. The service provider submits a certificate issuance application to the CA node. The CA node verifies the information material provided by the service provider, generates the corresponding digital certificate, and calculates the latest accumulator state A_pub representing the issuance set.
Step 003: Certificate registration. The CA node submits the certificate issuance information and the latest accumulator state A_pub to the blockchain through the submitting node.
Step 004: Existence proof update. After observing the registration of a new digital certificate, the service provider updates the registration proof it holds according to the newly issued digital certificate.
Step 005: Certificate revocation. When the digital certificate has expired or the service provider submits a certificate revocation application to the CA node, the CA node checks whether the service provider's identity matches the certificate to be revoked, and calculates the latest accumulator state A_rev representing the revocation set. The CA node submits the information and the latest accumulator state A_pub to the blockchain through the submitting node.
Step 006: Certificate verification. The user obtains the digital certificate and the corresponding registration proof from the service provider, queries the latest accumulator states A_pub and A_rev from the blockchain, and verifies the validity of the digital certificate by calculation. If the certificate combined with the registration proof yields the accumulator state A_pub, the digital certificate was issued by a legitimate CA; if the certificate combined with the accumulator state A_rev can produce a non-existence proof, the digital certificate is still within its validity period.
Step 007: Connection establishment. After the validity of the digital certificate has been verified, the user can establish secure communication with the service provider using the public key attached to the digital certificate.
Building on the transparency, immutability and traceability of blockchain technology, the invention provides a blockchain-based PKI system model and certificate management method without changing the traditional PKI system. It is recommended that the invention be built on a consortium blockchain, open only to a limited set of third parties (supervisors) and specific groups. Through the consortium blockchain's organization-based participation model, CAs of different organizations can be integrated into the same trust system, and users can query the corresponding accumulator state directly on the blockchain and combine it with the digital certificate and the service provider's proof to verify the digital certificate locally. The invention has great practical value, especially where cross-domain authentication is frequent.

Claims (3)

1. A blockchain-based PKI digital certificate system model and digital certificate management method, characterized in that: the method is realized by a model structure, and the model structure comprises the following roles:
1) a CA node;
the CA node is the organization that manages and maintains digital certificates in the PKI system and provides the operations of issuing, revoking and updating digital certificates;
2) a service provider;
the service provider is the provider of a network service and the initiator of certificate requests, and obtains a certificate by submitting a certificate application to the CA node;
3) a user;
the user is the requester of a network service, and, using the digital certificate and the proof provided by the service provider together with the data stored on the blockchain, the user can check the authenticity and validity of the digital certificate;
4) a blockchain;
the blockchain uses a consortium (alliance) chain as the underlying chain, the blockchain network is built with Docker containers as the carrier, several smart contracts are deployed to audit the CA's digital certificate operation records, and RSA accumulator parameters for checking the validity of a digital certificate are provided to the user.
2. The blockchain-based PKI digital certificate system model and digital certificate management method as claimed in claim 1, wherein: the digital certificate management method of the model structure mainly covers three aspects, namely certificate registration, certificate revocation and certificate verification:
certificate registration; the service provider sends a certificate registration request to the CA node and submits identity proof information, and the CA node checks the physical identity of the service provider offline and generates and issues the corresponding digital certificate CertReg; the CA node then retrieves the latest accumulator state A_pub from the blockchain, adds the certificate CertReg to A_pub, thereby adding the certificate to the certificate issuance set, and returns a registration proof; the information related to the certificate is uploaded to the blockchain in a transaction, as a data type formatted as CertControl; when the transaction is verified, the proof is returned to the service provider as evidence that the certificate registration succeeded;
certificate revocation; when the service provider's information changes or its private key leaks, the service provider requests the CA to revoke the digital certificate CertRev; the CA node retrieves the latest accumulator state A_rev from the blockchain and adds the revoked certificate CertRev to A_rev, thereby adding the certificate to the certificate failure set; the accumulator state A_rev on the blockchain and the corresponding CertControl are then updated in a transaction, and when the transaction is verified, the certificate has been revoked successfully;
certificate verification; before a user establishes a secure connection with a service provider, the validity of the digital certificate provided by the service provider must be verified, which mainly comprises the following steps; first, the user looks up the corresponding CertControl on the blockchain by the certificate serial number provided by the service provider; second, the user looks up the latest accumulator states A_pub and A_rev on the blockchain; third, using the service provider's registration proof together with the accumulator state A_pub, the user verifies whether the certificate is in the CA's issued-certificate set; fourth, using the digital certificate provided by the service provider together with the latest accumulator state A_rev, the user verifies whether the certificate is in the CA's revoked-certificate set; only after both verification phases have passed does the user establish a secure connection with the service provider using the digital certificate.
3. The blockchain-based PKI digital certificate system model and digital certificate management method as claimed in claim 1, wherein:
Step 001: initialization; a large number N of unknown factorization is generated with RSA-2048, and a generator g is selected as the base, which represents the empty accumulator; the accumulators A_pub and A_rev are thereby initialized, and the initial state of the accumulators is published on the blockchain;
Step 002: certificate issuance application; the service provider submits a certificate issuance application to the CA node, and the CA node verifies the information material provided by the service provider, generates the corresponding digital certificate, and calculates the latest accumulator state A_pub representing the issuance set;
Step 003: certificate registration; the CA node submits the certificate issuance information and the latest accumulator state A_pub to the blockchain through the submitting node;
Step 004: existence proof update; after observing the registration of a new digital certificate, the service provider updates the registration proof it holds according to the newly issued digital certificate;
Step 005: certificate revocation; when the digital certificate has expired or the service provider submits a certificate revocation application to the CA node, the CA node checks whether the service provider's identity matches the certificate to be revoked, and calculates the latest accumulator state A_rev representing the revocation set; the CA node submits the information and the latest accumulator state A_pub to the blockchain through the submitting node;
Step 006: certificate verification; the user obtains the digital certificate and the corresponding registration proof from the service provider, queries the latest accumulator states A_pub and A_rev from the blockchain, and verifies the validity of the digital certificate by calculation; if the certificate combined with the registration proof yields the accumulator state A_pub, the digital certificate was issued by a legitimate CA; if the certificate combined with the accumulator state A_rev can produce a non-existence proof, the digital certificate is still within its validity period;
Step 007: connection establishment; after the validity of the digital certificate has been verified, the user can establish secure communication with the service provider using the public key attached to the digital certificate.
CN202111482274.5A 2021-12-07 2021-12-07 PKI certificate system model based on block chain and certificate management method Pending CN114186288A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111482274.5A CN114186288A (en) 2021-12-07 2021-12-07 PKI certificate system model based on block chain and certificate management method

Publications (1)

Publication Number Publication Date
CN114186288A (en) 2022-03-15

Family

ID=80542514

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination