CN114189341A - Digital certificate hierarchical processing method and device based on block chain identification - Google Patents


Info

Publication number
CN114189341A
Authority
CN
China
Prior art keywords
certificate
node
blockchain
super
issuer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111506912.2A
Other languages
Chinese (zh)
Inventor
李慧玲
张发振
李龙
柳京晖
武莹
杨树梅
胡键伟
马晨光
曾西平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Taier Yingfu Technology Co ltd
Original Assignee
Beijing Taier Yingfu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265: using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3268: using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a digital certificate hierarchical processing method and a device based on blockchain identification, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node connected with each super node and a plurality of common nodes form at least one sub-blockchain, wherein the method comprises the following steps: the root certificate authority node issues a super node certificate for each super node according to the root certificate, and the super node certificates are stored on a main chain; each super node issues a backbone node certificate for the backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; and each backbone node issues a common node certificate for the common nodes on the sub-block chain according to the backbone node certificate, and the common node certificate is stored on the sub-block chain. The invention adopts the blockchain based on the main sub-chain structure to perform digital certificate identity processing, can reduce the burden of a single chain, improves the performance of certificate issuance and subsequent verification, and realizes the high-efficiency and safe hierarchical processing of the digital certificate.

Description

Digital certificate hierarchical processing method and device based on block chain identification
Technical Field
The invention relates to the technical field of block chains, in particular to a digital certificate hierarchical processing method and device based on block chain identification.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Internet e-commerce technology lets online shoppers obtain merchant and enterprise information easily and conveniently, but it also increases the risk that sensitive or valuable data is abused. To ensure the security and confidentiality of electronic transactions and payments on the Internet, and to prevent fraud during transaction and payment, a trust mechanism must be established on the Internet. This requires that both the buyer and the seller participating in electronic commerce have legitimate identities that can be authenticated on the network without error.
Definitions regarding identity and digital identity:
1. Identity: an entity represented by one or more attributes that allow the entity to be sufficiently differentiated in context.
An identity is a set of attribute descriptions of a subject object, with distinctiveness and provenance. Distinctiveness means that the subject object can be uniquely determined by part or all of the attribute information of the identity; provenance means that the identity of the subject object can be certified by part or all of that attribute information.
2. Digital identity: a digital identity is a digital representation of an entity in a digital environment such that individuals are sufficiently distinguishable in the digital environment.
The digital identity inherits various characteristics of the identity, is widely applied to the digital society, and can be mapped to the real society for application. Most digital identities have an ID attribute for uniquely identifying the digital identity, and the ID attribute may be a string of codes generated according to a certain rule definition, or a string of codes generated through a hash operation, and has uniqueness within a certain digital region.
As shown in fig. 1, a digital identity is generally defined as a set of attributes associated with an identity, or as a single identifier that uniquely distinguishes the entity it represents within the environment.
A digital certificate is an authoritative electronic document and one type of digital identity. It provides a way to verify identity over the Internet, much as a driver's license or identity card does in everyday life. It is issued by a certificate authority (CA), and people can use it in Internet transactions to identify the other party. In the digital certificate authentication process, the role of the certificate authority as an authoritative, fair and trusted third party is therefore crucial.
The current types of digital certificates mainly include personal digital certificates, unit employee digital certificates, server certificates, VPN certificates, WAP certificates, code signing certificates and form signing certificates. Traditional digital certificate issuance and verification rely on a centralized CA (certificate authority); identity data is easily tampered with, and the processing efficiency and security of digital certificates are low.
Disclosure of Invention
The embodiment of the invention provides a digital certificate hierarchical processing method based on blockchain identifiers, used to carry out the hierarchical processing of digital certificates efficiently and securely, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node connected to each super node together with a plurality of common nodes forms at least one sub-blockchain, and the method comprises the following steps:
a root certificate authority node on the master blockchain issues a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain;
each super node issues a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
and each backbone node issues a common node certificate for the common node on the corresponding sub-block chain according to the backbone node certificate, wherein the common node certificate is stored on the sub-block chain.
The embodiment of the present invention further provides a device for hierarchical processing of digital certificates based on blockchain identifiers, used to perform the hierarchical processing of digital certificates efficiently and securely, wherein a root certificate authority node and a plurality of super nodes form a main blockchain, and a backbone node connected to each super node together with a plurality of common nodes forms at least one sub-blockchain, and the device includes:
the root certificate authority node on the master blockchain is used for issuing a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain;
each super node is used for issuing a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
each backbone node is used for issuing a common node certificate to a common node on a corresponding sub-block chain according to the backbone node certificate, and the common node certificate is stored on the sub-block chain.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the block chain identifier-based digital certificate hierarchical processing method is implemented.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for processing digital certificates based on blockchain identifiers in a hierarchical manner is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when executed by a processor, the computer program implements the above hierarchical processing method for digital certificates based on blockchain identifiers.
In the embodiment of the invention, the hierarchical processing scheme for digital certificates based on blockchain identifiers has a root certificate authority node and a plurality of super nodes forming a main blockchain, and a backbone node connected to each super node together with a plurality of common nodes forming at least one sub-blockchain. In the prior art, the issuance and verification of traditional digital certificates depend on a centralized CA (certificate authority), identity data is easily tampered with, and processing efficiency and security are low. By contrast, the scheme proceeds as follows: a root certificate authority node on the master blockchain issues a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain; each super node issues a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; and each backbone node issues a common node certificate for the common nodes on the corresponding sub-blockchain according to the backbone node certificate, and the common node certificates are stored on the sub-blockchain. Because certificate identity processing uses a blockchain with a main-chain/sub-chain structure, the load on any single chain is reduced, certificate issuance and subsequent verification perform better, and digital certificates are processed hierarchically in an efficient and secure manner.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
FIG. 1 is a schematic diagram of a digital identity structure according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating block chain identification based user certificate application and usage in the prior art;
FIG. 3 is a flowchart illustrating a hierarchical processing method for digital certificates based on blockchain identifiers according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a block chain identifier-based digital certificate hierarchical issuance processing apparatus according to an embodiment of the present invention;
FIG. 5 is a diagram of hierarchical verification processing of digital certificates based on blockchain identifiers according to an embodiment of the present invention;
FIG. 6 is a diagram of the overall hierarchical processing of digital certificates based on blockchain identifiers according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating an enterprise and user certificate issuance process in accordance with an embodiment of the present invention;
FIG. 8 is a diagram illustrating an overall process of certificate issuance and verification for enterprises and users according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Before describing the embodiments of the present invention, first, terms related to the present invention will be described.
eID: electronic identity of the national network.
uPort: an open identity system designed for distributed networks.
WAP: Wireless Application Protocol.
VPN: Virtual Private Network.
BID: Blockchain-based Identifier (blockchain identification).
The following describes the technical problems of the conventional digital certificate processing discovered by the inventor and the idea of the present invention.
The traditional approach employs a centralized identity management approach. The digital certificate issuance process is generally: the user first generates its own key pair and transmits the public key and part of the individual identification information to the Certificate Authority (CA). After verifying the identity, the certificate authority performs the necessary steps to make sure that the request was indeed sent by the user, and then the certificate authority issues to the user a digital certificate containing the user's personal information and his public key information, together with the certificate authority's signature information. The user can use his/her digital certificate to perform various related activities. The digital certificate is issued by a separate certificate issuing authority. Digital certificates vary, each certificate providing a different level of trustworthiness.
The traditional mode thus uses centralized identity management: traditional digital certificate issuance and verification depend on a centralized CA, identity data is easily tampered with, and security problems exist.
Identity authentication based on blockchain identifiers, such as eID and uPort, is shown in fig. 2. Taking user certificate application and use as an example, the process is as follows:
1. The user registers an identity through the client or browser, for which a client or browser plug-in is generated.
2. The user activates the identity onto the chain.
3. The user uploads identity information and applies for an identity credential.
4. The trust anchor generates the identity credential and stores it on the chain.
5. A third-party user requests verification of the identity credential.
6. The user provides the identity credential and generates verifiable data via black-box processing.
7. The third-party user performs on-chain verification to determine whether the identity has expired.
8. The data provided by the user is compared with the data on the chain, and identity verification is performed.
9. The chain returns the verification result to the user and the third-party user.
Thus, in blockchain-identifier-based authentication, digital certificate issuance still relies on a centralized CA, while verification relies on the decentralized blockchain ledger.
Existing identity authentication based on blockchain identifiers mostly uses a flat authentication model in which all users authenticate on a single chain. This places high demands on the chain's performance; for a given chain throughput the chain is easily congested, so authentication latency becomes large.
In view of the above technical problem, the present invention provides a hierarchical processing scheme for digital certificates based on blockchain identifiers, which comprises:
1. Identity management uses a blockchain with a main-chain/sub-chain structure, which reduces the load on any single chain and improves certificate issuance and verification performance.
2. A multi-level certificate verification mode is used, which reduces the burden on the root CA without reducing reliability.
3. A decentralized root CA is combined with the centralized system: the root CA of the centralized system is placed on the blockchain, which reduces the risk of the root CA being tampered with.
The block chain identifier based digital certificate hierarchical processing scheme is described in detail below.
Fig. 3 is a schematic flow chart of a hierarchical processing method for a digital certificate based on a blockchain identifier according to an embodiment of the present invention, where a root certificate authority node and a plurality of super nodes form a master blockchain, and a backbone node connected to each of the super nodes and a plurality of common nodes form at least one sub-blockchain, as shown in fig. 3, the method includes the following steps:
step 101: a root certificate authority node on the master blockchain issues a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain;
step 102: each super node issues a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
step 103: and each backbone node issues a common node certificate for the common node on the corresponding sub-block chain according to the backbone node certificate, wherein the common node certificate is stored on the sub-block chain.
In specific implementation, a blockchain with a main-chain/sub-chain structure is used for certificate management. The chain includes super nodes, backbone nodes, common nodes and users; the subjects granted certificates are the chain nodes. The certificate issuing process is as shown in fig. 3 and mainly includes:
0. Preconditions: both the certificate issuer and the certificate grantee have a user identifier (BID), and the certificate issuer holds its own certificate.
1. A root CA (root certificate authority) node on the main chain (see the main chain in fig. 4, i.e. the main blockchain) issues a super node certificate to a super node on the main chain, and the super node certificate is stored on the main chain; this is step 101 above and corresponds to ① in fig. 4.
2. The super node issues a next-level certificate (backbone node certificate) for the backbone node, and the backbone node certificate is stored on the backbone node; this is step 102 above and corresponds to ② in fig. 4.
3. The backbone node issues a next-level certificate (common node certificate) for a node on the sub-chain, and the common node certificate is stored on the sub-chain (see the sub-chain in fig. 4, i.e. the sub-blockchain); this is step 103 above and corresponds to ③ in fig. 4.
In addition, embodiments of the present invention may extend to more levels of nodes in both the lateral and the longitudinal direction: vertically, more chains can be interfaced, and horizontally (within each chain), more node types can be added.
In specific implementation, the types of the digital certificate in the embodiment of the present invention may include: personal digital certificates, unit employee digital certificates, server certificates, VPN certificates, WAP certificates, code signing certificates, form signing certificates, and the like.
The digital certificate hierarchical processing method based on the block chain identifier provided by the embodiment of the invention adopts the block chain based on the main sub-chain framework as identity management, the certificate can be issued on the main chain and also can be issued on the sub-chain, the load of the main chain is reduced, the certificate issuing and subsequent verification performances are improved, and the efficient and safe hierarchical processing of the digital certificate is realized. The block chain identifier based digital certificate hierarchical processing method is described in detail below.
In one embodiment, the hierarchical processing method for digital certificates based on blockchain identifiers may further include:
receiving a verification request of a current digital certificate;
verifying a signature of the current digital certificate issuer;
if, according to the signature verification result for the current digital certificate issuer, that issuer has an upper-level issuer, verifying the signature of the upper-level issuer, and so on until the initial certificate issuer is found, the initial certificate issuer being the root certificate authority node;
if the current digital certificate issuer's digital certificate verification on the chain to the original certificate issuer is trusted, determining that the current digital certificate is trusted.
In specific implementation, as shown in fig. 5, the verification process is described taking the current digital certificate to be an ordinary (common) node certificate. A verification request for the current digital certificate is received: whenever identity must be authenticated against the digital certificate, for example when a user logs in to a system through a common node or shops on the Internet, a verification request is initiated. The signature of the current digital certificate's issuer is verified (for a common node, the corresponding backbone node). If the signature verification result shows that this issuer itself has a superior issuer (the super node), the signature of the superior issuer is verified, and so on until the initial certificate issuer, the root certificate authority node, is found. If the chain of digital certificate verifications from the current issuer up to the original certificate issuer is trusted, the current digital certificate (the ordinary node certificate) is determined to be trusted. The verification flow of fig. 5 is the reverse of the issuance flow of fig. 4; see the circled numbers in fig. 5.
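The three issuance steps (101 to 103) and the upward verification walk just described, as an added example that is not part of the patent or of any implementation by the assignee; it also covers the issuance and verification steps of Example 1 below. It uses Go's standard-library Ed25519 signatures; the certificate field names, the BIDs, the three in-memory stores standing in for the main chain, the backbone node's own store and the sub-chain, and the fixed clock are all constructed assumptions. The verifier fetches each issuer from the store one level above the certificate being checked, so a common node certificate can never act as an issuer, and it accepts only when the signing chain ends at the pinned root certificate authority node.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert holds the content the patent lists: id, type, issuer id, owner id, issuance
// time, expiry, purpose, public key and issuer signature (field names are this example's).
type Cert struct {
	ID, Type, IssuerID, OwnerID, Purpose string
	IssuedAt, ExpiresAt                  int64
	PubKey                               ed25519.PublicKey
	Signature                            []byte
}

// tbs is the to-be-signed body: every field except the signature itself.
func (c Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s|%d|%d|%x",
		c.ID, c.Type, c.IssuerID, c.OwnerID, c.Purpose, c.IssuedAt, c.ExpiresAt, c.PubKey))
}

// Node is a chain participant identified by its BID, holding a key pair and its own cert.
type Node struct {
	BID  string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
	Cert Cert
}

func NewNode(bid string) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{BID: bid, Pub: pub, Priv: priv}
}

// Now is a fixed, constructed clock; parentLevel is the only level allowed to issue each type.
var (
	Now         int64 = 1_700_000_000
	parentLevel       = map[string]string{"super": "root", "backbone": "super", "common": "backbone"}
)

// Issue has issuer sign a certType certificate for owner (precondition from the patent:
// both sides hold a BID and the issuer already holds its own certificate).
func Issue(issuer, owner *Node, certType, purpose string, lifetime int64) Cert {
	c := Cert{ID: fmt.Sprintf("cert:%s->%s", issuer.BID, owner.BID), Type: certType,
		IssuerID: issuer.BID, OwnerID: owner.BID, Purpose: purpose,
		IssuedAt: Now, ExpiresAt: Now + lifetime, PubKey: owner.Pub}
	c.Signature = ed25519.Sign(issuer.Priv, c.tbs())
	return c
}

// Hierarchy holds the patent's stores indexed by the certificate level they hold: the main
// chain (root and super certs), the backbone node's own store, and the sub-chain (common certs).
type Hierarchy struct {
	Root, Backbone, Common *Node
	Stores                 map[string]map[string]Cert // level -> owner BID -> cert
}

// BuildHierarchy runs steps 101-103: root -> super (main chain), super -> backbone
// (stored on the backbone node), backbone -> common (stored on the sub-chain).
func BuildHierarchy() *Hierarchy {
	root, sup, bb, com := NewNode("bid:root"), NewNode("bid:super1"), NewNode("bid:backbone1"), NewNode("bid:common1")
	root.Cert = Issue(root, root, "root", "trust anchor", 10*365*86400) // self-signed anchor
	sup.Cert = Issue(root, sup, "super", "issue backbone certs", 5*365*86400)
	bb.Cert = Issue(sup, bb, "backbone", "issue common certs", 2*365*86400)
	com.Cert = Issue(bb, com, "common", "user login", 365*86400)
	mainChain := map[string]Cert{root.BID: root.Cert, sup.BID: sup.Cert}
	return &Hierarchy{Root: root, Backbone: bb, Common: com, Stores: map[string]map[string]Cert{
		"root": mainChain, "super": mainChain,
		"backbone": {bb.BID: bb.Cert}, "common": {com.BID: com.Cert}}}
}

// Verify is the patent's upward walk: check expiry, fetch the issuer's certificate from the
// store one level up, verify the signature with the issuer's public key, then repeat for
// the issuer's own certificate until the root certificate authority node is reached.
func (h *Hierarchy) Verify(c Cert) error {
	for hops := 0; hops <= 8; hops++ {
		issuer, ok := h.Stores[parentLevel[c.Type]][c.IssuerID]
		switch {
		case Now > c.ExpiresAt:
			return fmt.Errorf("%s expired", c.ID)
		case !ok || issuer.Type != parentLevel[c.Type]:
			return fmt.Errorf("no %s-level issuer %s found for %s", parentLevel[c.Type], c.IssuerID, c.ID)
		case !ed25519.Verify(issuer.PubKey, c.tbs(), c.Signature):
			return fmt.Errorf("signature on %s does not verify", c.ID)
		case c.IssuerID == h.Root.BID:
			return nil // chain ends at the root certificate authority node: trusted
		}
		c = issuer // step up one level and verify the issuer's own certificate
	}
	return fmt.Errorf("issuer chain of %s too long", c.ID)
}

func main() {
	h := BuildHierarchy()
	fmt.Println("common node certificate verifies:", h.Verify(h.Common.Cert) == nil)
}
```

The hop limit bounds the walk even if two stored certificates were made to name each other as issuer, and the level check is what stops a leaf certificate placed in a store from being used as a signing authority.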
In specific implementation, the overall flow of hierarchical processing, i.e., issuing and verifying, of a digital certificate based on a blockchain identifier is shown in fig. 6.
In particular implementation, the user to which the certificate is granted may be an individual user, an enterprise user, or a node user, where:
1. the node user may issue credentials for the node user, for enterprise users, or for individual users.
2. Enterprise users may issue certificates for individual users.
3. The type of certificate issued is determined by the type of CA.
In particular, the process of issuing the enterprise and user certificates may be as shown in fig. 7, and the overall process of issuing and verifying the enterprise and user certificates may be as shown in fig. 8.
In particular, the CA selection process may include:
Scheme 1-1: a single CA, centralized mode, built-in CA, no selection needed;
Scheme 1-2: multiple CAs issue certificates to users by consensus, and CA selection may reuse the trust-anchor selection mechanism.
In specific implementation, the process by which a CA obtains its own certificate is:
1. If only one CA exists, the certificate can be signed by the user;
2. If there are multiple CAs, the other CAs issue a certificate to the CA:
1) the issuing CA may be selected at random among the other valid CAs;
2) or N of the M valid CAs are selected as the CAs issuing the certificate.
In specific implementation, the certificate content: the CA issues certificates to other users, the contents of which include: certificate id, certificate type, certificate issuer id, issuance time, owner id, expiration date of public key, signing date, certificate issuance purpose, public key identification, digital signature of issuing authority. Certificate content may also include fields for the geographic location, name, etc. of the certifier as desired. One example is shown in table 1 below:
TABLE 1 (example certificate content; the table image was not extracted)
Further preferred steps of embodiments of the present invention, namely certificate update and deregistration steps, are described below.
1. Certificate updating
After a certificate at one level is updated, the next-level certificate in the chain is updated. That is, in an embodiment, the blockchain-identifier-based digital certificate hierarchical processing method may further include: when an update of any one of the root certificate, a super node certificate, a backbone node certificate or a common node certificate is detected, the certificate at the next level below the updated certificate is updated. The subject performing the detection may be the root certificate authority node, a super node, a backbone node or a common node. When such a node detects an update of a certificate at any of these levels, it may send an update notification to the node at the next level below the current node (for example, the backbone node), and that next-level node (for example, the common node) updates its common node certificate, i.e. the certificate one level below the updated one. The executing subjects and detailed procedures for certificate re-application and revocation described below follow the same pattern as this description of certificate update.
If a certificate expires and must be applied for again, the user at the previous level may reissue it. That is, in an embodiment, the hierarchical processing method for digital certificates based on blockchain identifiers may further include: when it is detected that a certificate at any level (root certificate, super node certificate, backbone node certificate or common node certificate) has expired, the digital certificate is re-applied for from the issuer of the expired certificate.
2. Certificate revocation
A user can revoke their own certificate by themselves;
After a certificate at one level is revoked, the next-level certificate in the chain is revoked and must be applied for again. That is, in an embodiment, the blockchain-identifier-based digital certificate hierarchical processing method may further include: after an upper-level user certificate is detected to be revoked, all lower-level user certificates on the current certificate chain are revoked and must be re-applied for.
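The update and revocation rules above (an update at one level re-issues the next level down; a revocation at one level revokes every lower-level certificate on that chain, each of which must then be re-applied for from an issuer that is itself valid), as an added example that is not part of the patent or of any implementation by the assignee. Signatures are left out so that the propagation logic stands on its own; the registry structure, field names and BIDs are constructed assumptions.

```go
package main

import "fmt"

// Entry is one certificate in the hierarchy, tracked by its owner's BID.
// Fields are this example's own; the patent fixes only the behaviour.
type Entry struct {
	Owner, Issuer string
	Version       int  // bumped on every (re)issue
	Revoked       bool
	NeedsReapply  bool // set when an upper-level revocation cascaded down
}

// Registry keeps the issuance tree (who issued whom) so that an update or a
// revocation at one level can be propagated to the next level and below.
type Registry struct {
	entries  map[string]*Entry
	children map[string][]string
}

func NewRegistry(root string) *Registry {
	r := &Registry{entries: map[string]*Entry{}, children: map[string][]string{}}
	r.entries[root] = &Entry{Owner: root, Issuer: root, Version: 1} // self-issued root CA
	return r
}

// Issue records that issuer granted a certificate to owner; only a valid issuer may issue.
func (r *Registry) Issue(issuer, owner string) error {
	if !r.Valid(issuer) {
		return fmt.Errorf("issuer %s holds no valid certificate", issuer)
	}
	r.entries[owner] = &Entry{Owner: owner, Issuer: issuer, Version: 1}
	r.children[issuer] = append(r.children[issuer], owner)
	return nil
}

// Valid reports whether owner's certificate and every certificate above it are unrevoked.
func (r *Registry) Valid(owner string) bool {
	e, ok := r.entries[owner]
	for ; ok && !e.Revoked; e, ok = r.entries[e.Issuer] {
		if e.Issuer == e.Owner {
			return true // reached the root CA with no revoked link on the way
		}
	}
	return false
}

// descendants lists every certificate below owner, level by level.
func (r *Registry) descendants(owner string) []string {
	var out []string
	for queue := []string{owner}; len(queue) > 0; queue = queue[1:] {
		out = append(out, r.children[queue[0]]...)
		queue = append(queue, r.children[queue[0]]...)
	}
	return out
}

// Update re-issues owner's certificate and, per the patent's update rule, every
// next-level certificate below it. Revoke revokes owner's certificate and marks every
// lower-level certificate on that chain as revoked and needing a fresh application.
func (r *Registry) Update(owner string) ([]string, error) { return r.cascade(owner, false) }
func (r *Registry) Revoke(owner string) ([]string, error) { return r.cascade(owner, true) }

func (r *Registry) cascade(owner string, revoke bool) ([]string, error) {
	if _, ok := r.entries[owner]; !ok {
		return nil, fmt.Errorf("unknown certificate %s", owner)
	}
	below := r.descendants(owner)
	for _, o := range append([]string{owner}, below...) {
		if !revoke {
			r.entries[o].Version++ // re-issued by its freshly updated issuer
		} else {
			r.entries[o].Revoked, r.entries[o].NeedsReapply = true, o != owner
		}
	}
	return below, nil
}

// Reapply re-issues owner's certificate from its existing issuer, which must itself be valid.
func (r *Registry) Reapply(owner string) error {
	e, ok := r.entries[owner]
	if !ok {
		return fmt.Errorf("unknown certificate %s", owner)
	}
	if !r.Valid(e.Issuer) {
		return fmt.Errorf("issuer %s is not valid: reapply higher up the chain first", e.Issuer)
	}
	e.Revoked, e.NeedsReapply = false, false
	e.Version++
	return nil
}

func main() {
	r := NewRegistry("bid:root")
	_ = r.Issue("bid:root", "bid:super1") // every issuer in this sample is valid, so Issue cannot fail
	_ = r.Issue("bid:super1", "bid:backbone1")
	_ = r.Issue("bid:backbone1", "bid:common1")
	below, _ := r.Revoke("bid:backbone1")
	fmt.Println("revoking backbone1 also revokes", below, "; common1 valid:", r.Valid("bid:common1"))
}
```

Valid walks up to the root on every check, so a certificate low in the chain is rejected as soon as any ancestor is revoked, even before its own entry has been flagged; Reapply enforces the patent's ordering by refusing to re-issue a lower-level certificate until the level above it has been restored.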
To facilitate an understanding of how the present invention may be implemented, the overall process of hierarchical processing of digital certificates (issuance, validation, updating, and revocation of certificates) based on blockchain identification is described below by way of two examples.
Example 1:
First, certificate issuance (the root CA certificate is built in).
Step 1: the root CA issues a super node certificate for the super node; the super node certificate is stored on the super node.
Step 2: the super node issues a backbone node certificate for the backbone node. Its fields are the same as those of the super node certificate, namely issuer BID (blockchain identifier), recipient BID, node type, creator public key and signature, but their values differ; the backbone node certificate is stored on the backbone node.
Step 3: the backbone node issues a common node certificate for the common node. Its fields are again issuer BID, recipient BID, node type, creator public key and signature, with values specific to the common node; the common node certificate is stored on the common node.
Second, certificate verification.
Step 1: from the content of the certificate under verification, the verifier locates the issuer's public key and the certificate's digital signature value and verifies the signature. If it passes, the verifier checks whether a superior certificate exists; if none exists, verification ends; if one exists, step 2 is performed. Here the common node has a superior node, the backbone node, so the validity of the backbone node certificate must be verified.
Step 2: from the content of the backbone node certificate, locate the issuer's public key and digital signature value and verify the signature. Once it passes, the superior node is the super node, so the validity of the super node certificate must be verified.
Step 3: from the content of the super node certificate, locate the issuer's public key and digital signature value and verify the signature. Once it passes, verify the validity of the root CA certificate.
Step 4: once the root CA certificate passes verification, verification of the common node certificate is complete.
Third, certificate update.
After the certificate of an upper-level node is updated, the certificates of every node below it on the chain must be updated; for example, after the super node certificate is updated, the backbone node certificate and the common node certificate on that chain must be updated.
Fourth, certificate revocation.
After the certificate of an upper-level node is revoked, the certificates of every node below it on the chain are revoked automatically; for example, after the super node certificate is revoked, the backbone node certificate and the common node certificate on that chain are revoked.
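The following Go program is an added example written for this page; it is not code from the patent or from the applicant. It models example 1 as a whole (issuance from the built-in root down to the common node, the four verification steps, and the update and revocation cascades) and generalizes the verification walk to an issuer chain of any depth. Everything the patent leaves open is an assumption of the example: Ed25519 as the signature scheme, the byte encoding of the signed fields, the placeholder BIDs ("root", "super1", "backbone1", "common1"), and an in-memory Registry that stands in for the main-chain, backbone-node and sub-chain stores and, for a single-process demo only, also holds each node's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert: the fields the patent lists per level (issuer BID, recipient BID, node type, creator public key, signature) plus a local revocation flag; field names are this example's own.
type Cert struct {
	IssuerBID, RecipientBID, NodeType string
	PubKey                            ed25519.PublicKey
	Signature                         []byte
	Revoked                           bool
}

// tbs is the to-be-signed encoding; NUL separators keep the fields from running together.
func (c *Cert) tbs() []byte {
	return append([]byte(c.IssuerBID+"\x00"+c.RecipientBID+"\x00"+c.NodeType+"\x00"), c.PubKey...)
}

// Registry stands in for the patent's certificate stores (main chain, backbone node, sub-chain), keyed by BID,
// with the built-in root BID as trust anchor. Only this single-process demo also holds every node's private key.
type Registry struct {
	Root  string
	Certs map[string]*Cert
	keys  map[string]ed25519.PrivateKey
}

func genKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Issue has issuer sign a certificate for subject and stores it (root issuing to itself = self-signed root).
func (r *Registry) Issue(issuer, subject, nodeType string) {
	c := &Cert{IssuerBID: issuer, RecipientBID: subject, NodeType: nodeType,
		PubKey: r.keys[subject].Public().(ed25519.PublicKey)}
	c.Signature = ed25519.Sign(r.keys[issuer], c.tbs())
	r.Certs[subject] = c
}

// VerifyChain is the patent's upward walk generalized to any depth: check the issuer's signature on the current
// cert, move to the issuer's cert, stop once the built-in root's self-signature checks. A self-signed non-root loops to the hop bound and fails.
func (r *Registry) VerifyChain(bid string) error {
	for hops := 0; hops <= len(r.Certs); hops++ {
		c := r.Certs[bid]
		if c == nil || c.Revoked {
			return fmt.Errorf("%s: certificate missing or revoked", bid)
		}
		issuer := r.Certs[c.IssuerBID]
		if issuer == nil || !ed25519.Verify(issuer.PubKey, c.tbs(), c.Signature) {
			return fmt.Errorf("%s: issuer %s unknown or signature invalid", bid, c.IssuerBID)
		}
		if bid == r.Root {
			return nil // root CA certificate verified: the whole chain is trusted
		}
		bid = c.IssuerBID
	}
	return fmt.Errorf("%s: issuer chain never reaches the built-in root", bid)
}

// Revoke marks bid revoked and cascades to everything it issued, as in the patent's revocation example.
func (r *Registry) Revoke(bid string) []string {
	c := r.Certs[bid]
	if c == nil || c.Revoked {
		return nil
	}
	c.Revoked = true
	out := []string{bid}
	for child, cc := range r.Certs {
		if cc.IssuerBID == bid && child != bid {
			out = append(out, r.Revoke(child)...)
		}
	}
	return out
}

// BuildDemo wires up the topology of the patent's example 1; the BIDs are placeholders.
func BuildDemo() *Registry {
	r := &Registry{Root: "root", Certs: map[string]*Cert{}, keys: map[string]ed25519.PrivateKey{}}
	for _, bid := range []string{"root", "super1", "backbone1", "common1"} {
		r.keys[bid] = genKey()
	}
	r.Issue("root", "root", "root") // self-signed root, built in as the trust anchor
	r.Issue("root", "super1", "super")
	r.Issue("super1", "backbone1", "backbone")
	r.Issue("backbone1", "common1", "common")
	return r
}

func main() {
	r := BuildDemo()
	fmt.Println("common1 chain:", r.VerifyChain("common1"), "| revoke super1:", r.Revoke("super1"), "| now:", r.VerifyChain("common1"))
}
```

Two behaviours the text asserts can be checked directly with this code. Rotating the super node's key (replace r.keys["super1"] and call r.Issue("root", "super1", "super")) leaves backbone1's certificate signed with the old key, so VerifyChain("common1") fails until backbone1 is re-issued; that is the reason the next-level certificate must be updated after an upper-level update. Revoke("super1") marks backbone1 and common1 revoked as well, while "root" still verifies, and a second call is a no-op. A production verifier would also check validity periods and consult the on-chain revocation state at each level rather than a local flag.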
Example 2: the issuance, verification and update of identity certificates follow example 1 above; the only difference is that the certificate type is "identity certificate".
In summary, the blockchain-identifier-based digital certificate hierarchical processing method provided by the embodiment of the present invention has the following beneficial technical effects:
1. Identity management uses a blockchain built on the main-chain/sub-chain framework, which reduces the load on any single chain and improves certificate issuing and verification performance.
2. A multi-level certificate verification scheme is adopted, which reduces the burden on the root CA without reducing reliability.
3. A decentralized root CA is combined with a centralized system: the root CA of the centralized system is placed on the blockchain, which reduces the risk of the root CA being tampered with.
The embodiment of the present invention further provides a device for hierarchical processing of a digital certificate based on a blockchain identifier, as described in the following embodiments. Because the principle by which the device solves the problem is similar to that of the blockchain-identifier-based digital certificate hierarchical processing method, the implementation of the device may refer to the implementation of that method, and repeated parts are not described again.
A schematic structural diagram of the blockchain-identifier-based digital certificate hierarchical processing device according to an embodiment of the present invention may be as shown in fig. 4. A root certificate authority node (CA in fig. 4) and a plurality of super nodes form the master blockchain, and the backbone node connected to each super node together with a plurality of common nodes ("nodes" in the sub-chain of fig. 4) form at least one sub-blockchain. As shown in fig. 4, the device includes:
the root certificate authority node on the master blockchain, which issues a super node certificate for each super node on the master blockchain on the basis of the root certificate, the super node certificates being stored on the master blockchain;
each super node, which issues a backbone node certificate for its corresponding backbone node on the basis of the super node certificate, the backbone node certificate being stored on the corresponding backbone node;
each backbone node, which issues a common node certificate for the common nodes on its corresponding sub-blockchain on the basis of the backbone node certificate, the common node certificates being stored on the sub-blockchain.
In one embodiment, the root certificate authority node, the super node, the backbone node or the common node may be further configured to:
receive a verification request for a current digital certificate;
verify the signature of the issuer of the current digital certificate;
if, from the result of verifying the issuer's signature, it is determined that the issuer of the current digital certificate itself has an upper-level issuer, verify the signature of that upper-level issuer, and so on, until the initial certificate issuer is reached, the initial certificate issuer being the root certificate authority node;
if every digital certificate on the chain from the issuer of the current digital certificate up to the initial certificate issuer verifies as trusted, determine that the current digital certificate is trusted.
In the technical solution of the present application, the acquisition, storage, use and processing of data comply with the relevant provisions of national laws and regulations.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the block chain identifier-based digital certificate hierarchical processing method is implemented.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for processing digital certificates based on blockchain identifiers in a hierarchical manner is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when executed by a processor, the computer program implements the above hierarchical processing method for digital certificates based on blockchain identifiers.
In the embodiment of the invention, in the blockchain-identifier-based digital certificate hierarchical processing scheme, a root certificate authority node and a plurality of super nodes form a main blockchain, and the backbone node connected to each super node together with a plurality of common nodes form at least one sub-blockchain. In the prior art, the issuance and verification of traditional digital certificates depend on a centralized CA (certificate authority), identity data is easily tampered with, and the processing efficiency and security of digital certificates are low. By contrast, in the present scheme a root certificate authority node on the master blockchain issues a super node certificate for each super node on the master blockchain on the basis of the root certificate, and the super node certificates are stored on the master blockchain; each super node issues a backbone node certificate for its corresponding backbone node on the basis of the super node certificate, and the backbone node certificate is stored on the corresponding backbone node; and each backbone node issues a common node certificate for the common nodes on its corresponding sub-blockchain on the basis of the backbone node certificate, and the common node certificates are stored on the sub-blockchain. Because digital certificate identity processing uses a blockchain built on the main-chain/sub-chain framework, the load on any single chain is reduced, certificate issuance and subsequent verification performance is improved, and digital certificates are processed hierarchically in an efficient and secure manner.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A hierarchical processing method of a digital certificate based on blockchain identification is characterized in that a root certificate authority node and a plurality of super nodes form a main blockchain, a backbone node connected with each super node and a plurality of common nodes form at least one sub-blockchain, and the hierarchical processing method of the digital certificate based on blockchain identification comprises the following steps:
a root certificate authority node on the master blockchain issues a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain;
each super node issues a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
each backbone node issues a common node certificate for the common nodes on the corresponding sub-blockchain according to the backbone node certificate, wherein the common node certificate is stored on the sub-blockchain.
2. The hierarchical processing method of digital certificates based on blockchain identifiers according to claim 1, further comprising:
receiving a verification request of a current digital certificate;
verifying a signature of the current digital certificate issuer;
if, from the result of verifying the signature of the issuer of the current digital certificate, it is determined that the issuer itself has an upper-level issuer, verifying the signature of the upper-level issuer, and so on, until the initial certificate issuer is reached, the initial certificate issuer being a root certificate authority node;
if every digital certificate on the chain from the issuer of the current digital certificate up to the initial certificate issuer verifies as trusted, determining that the current digital certificate is trusted.
3. The hierarchical processing method of digital certificates based on blockchain identifiers according to claim 1, further comprising: when any level certificate update of the root certificate, the super node certificate, the backbone node certificate and the common node certificate is detected, the next level certificate of the current updated certificate is updated.
4. The hierarchical processing method of digital certificates based on blockchain identifiers according to claim 1, further comprising: when it is detected that the root certificate, the super node certificate, the backbone node certificate or the common node certificate has expired, re-applying for the digital certificate from the issuer of the expired certificate.
5. The hierarchical processing method of digital certificates based on blockchain identifiers according to claim 1, further comprising: after it is detected that the upper-level certificate has been revoked, revoking all lower-level certificates on the current certificate chain, which must then be applied for again.
6. A hierarchical processing apparatus of digital certificate based on blockchain id, wherein a root certificate authority node and a plurality of super nodes form a master blockchain, and a backbone node and a plurality of common nodes connected to each of the super nodes form at least one sub-blockchain, the hierarchical processing apparatus of digital certificate based on blockchain id comprises:
the root certificate authority node on the master blockchain is used for issuing a super node certificate for each super node on the master blockchain according to the root certificate, and the super node certificates are stored on the master blockchain;
each super node is used for issuing a backbone node certificate for the corresponding backbone node according to the super node certificate, and the backbone node certificate is stored on the corresponding backbone node;
each backbone node is used for issuing a common node certificate to a common node on a corresponding sub-block chain according to the backbone node certificate, and the common node certificate is stored on the sub-block chain.
7. The blockchain identification based digital certificate hierarchical processing apparatus according to claim 6, wherein the root certificate authority node, the super node, the backbone node or the common node is further configured to:
receiving a verification request of a current digital certificate;
verifying a signature of the current digital certificate issuer;
if, from the result of verifying the signature of the issuer of the current digital certificate, it is determined that the issuer itself has an upper-level issuer, verify the signature of the upper-level issuer, and so on, until the initial certificate issuer is reached, the initial certificate issuer being a root certificate authority node;
if every digital certificate on the chain from the issuer of the current digital certificate up to the initial certificate issuer verifies as trusted, determine that the current digital certificate is trusted.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111506912.2A CN114189341A (en) 2021-12-10 2021-12-10 Digital certificate hierarchical processing method and device based on block chain identification

Publications (1)

Publication Number Publication Date
CN114189341A true CN114189341A (en) 2022-03-15

Family

ID=80604374

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1783848A (en) * 2004-12-02 2006-06-07 北京航空航天大学 Mail transmission agent primary anti-deny method based on domain hierarchy identifying mechanism
CN106533691A (en) * 2016-10-18 2017-03-22 北京信安世纪科技有限公司 Method and device for verifying validity of digital certificate
US20190036712A1 (en) * 2017-07-26 2019-01-31 Alibaba Group Holding Limited Digital certificate management method, apparatus, and system
WO2019161412A1 (en) * 2018-02-16 2019-08-22 Verimatrix, Inc. Systems and methods for decentralized certificate hierarchy using a distributed ledger to determine a level of trust
US10547457B1 (en) * 2016-10-21 2020-01-28 Wells Fargo Bank N.A. Systems and methods for notary agent for public key infrastructure names
CN111934870A (en) * 2020-09-22 2020-11-13 腾讯科技(深圳)有限公司 Method, apparatus, device and medium for updating root certificate in block chain network
CN112884476A (en) * 2021-01-29 2021-06-01 西南林业大学 CA cross-domain authentication method and system based on block chain
CN113256297A (en) * 2021-07-02 2021-08-13 腾讯科技(深圳)有限公司 Data processing method, device and equipment based on block chain and readable storage medium
US20210328814A1 (en) * 2020-07-08 2021-10-21 Alipay (Hangzhou) Information Technology Co., Ltd. Blockchain integrated stations and automatic blockchain construction methods and apparatuses
WO2021218334A1 (en) * 2020-04-27 2021-11-04 深圳壹账通智能科技有限公司 Method, system, and apparatus for managing expired digital certificate, and storage medium
CN113746630A (en) * 2020-05-28 2021-12-03 顺丰科技有限公司 Block chain certificate management method and device, alliance chain and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liu Yaxue et al.: "一种基于区块链的多应用证书系统模型" (A blockchain-based multi-application certificate system model), 计算机工程 (Computer Engineering), vol. 46, no. 9, pages 2 *
Yan Junzhi, Peng Jin, Zuo Min, Wang Ke: "基于区块链的PKI数字证书系统" (Blockchain-based PKI digital certificate system), 电信工程技术与标准化 (Telecom Engineering Technics and Standardization), no. 11 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination