CN114499883A - Cross-organization identity authentication method and system based on block chain and SM9 algorithm - Google Patents

Cross-organization identity authentication method and system based on block chain and SM9 algorithm Download PDF

Info

Publication number
CN114499883A
CN114499883A CN202210121174.8A CN202210121174A CN114499883A CN 114499883 A CN114499883 A CN 114499883A CN 202210121174 A CN202210121174 A CN 202210121174A CN 114499883 A CN114499883 A CN 114499883A
Authority
CN
China
Prior art keywords
signature
enterprise
organization
message
master
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210121174.8A
Other languages
Chinese (zh)
Inventor
宋明明
王伟兵
魏金雷
杨海勇
张岚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Cloud Information Technology Co Ltd filed Critical Inspur Cloud Information Technology Co Ltd
Priority to CN202210121174.8A priority Critical patent/CN114499883A/en
Publication of CN114499883A publication Critical patent/CN114499883A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72Signcrypting, i.e. digital signing and encrypting simultaneously

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a trans-organization identity authentication method and a trans-organization identity authentication system based on a block chain and an SM9 algorithm, belongs to the technical field of digital signatures, and aims to solve the technical problem of how to realize mutual authentication between enterprise key centers for users who sign KGC. Each enterprise organization generates a master key pair through KGC, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key; each enterprise organization privately stores the main private key, uploads and registers the main public key to the alliance chain, and discloses the main public key to other enterprise organizations in the alliance chain; after each enterprise organization receives the signature messages sent by the users of other enterprise organizations in the alliance chain, for other enterprise organizations trusted by the enterprise organizations, the main public keys of the other enterprise organizations are obtained from the alliance chain, and the received signature messages are verified.

Description

Cross-organization identity authentication method and system based on block chain and SM9 algorithm
Technical Field
The invention relates to the technical field of digital signatures, in particular to a trans-organization identity authentication method and a trans-organization identity authentication system based on a block chain and an SM9 algorithm.
Background
Identification-based cryptographic algorithms are an emerging branch of public key cryptographic algorithms. The identification cipher algorithm takes effective identification (such as mail address, mobile phone number, ID card code, etc.) of an entity as a public key, and a user does not need to apply and exchange certificates, thereby greatly reducing the complexity of the system. It is assumed that there is a trusted KGC (key generation center) as the center of the system based on the identified password, which generates a private key to the user when the user first joins the system. This center, also called the key generation center, acts like an issuer of identification cards in real life.
The key of the SM9 algorithm is generated by KGC (key generation center), and mainly includes a master key pair of the enterprise KGC and a private key of a user, and the private key of the user is generated by the enterprise KGC using the master private key and a user identifier. In the SM9 signing/signing process, the signature uses the enterprise master public key and the user private key, and the signature uses the enterprise master public key and the user identification.
Because the certificate is not relied on, the CA organization without authority signs the master public key and the user identification, the private key of each signer is generated by the KGC of the enterprise, the signature and signature verification process needs to rely on the master public key generated by the KGC of the enterprise, and the user between the enterprises can not verify the signature and identify the identification.
How to realize mutual authentication of users issued by KGC between enterprise key centers is a technical problem to be solved.
Disclosure of Invention
The technical task of the invention is to provide a method and a system for cross-organization identity authentication based on a block chain and an SM9 algorithm to solve the problem of how to mutually authenticate users issued by a partner KGC between enterprise key centers.
In a first aspect, the invention provides a cross-organization identity authentication method based on a block chain and an SM9 algorithm, which is characterized by comprising the following steps:
each enterprise organization generates a master key pair through KGC, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key;
each enterprise organization privately stores the main private key, uploads and registers the main public key to a alliance chain, and discloses the main public key to other enterprise organizations in the alliance chain;
after each enterprise organization receives the signature messages sent by the users of other enterprise organizations in the alliance chain, for other enterprise organizations trusted by the enterprise organizations, the main public keys of the other enterprise organizations are obtained from the alliance chain, and the received signature messages are verified.
Preferably, after uploading and registering the master public key of each enterprise organization to the federation chain, establishing a trust list, and recording the master public keys of other enterprise organizations trusted by the enterprise organizations in the federation chain through the trust list;
after each enterprise organization receives the signature messages sent by other enterprise organization users in the alliance chain, if the other enterprise organizations are located in the trust list, the main public keys of the other enterprise organizations are obtained from the trust list, and the signature of the received signature messages is verified.
Preferably, a user private key is generated through the KGC based on the master private key and the user identity, and the message to be signed is digitally signed through the user private key to obtain a signature message.
Preferably, while the users of other enterprise organizations send signature messages to the enterprise organizations, the users also send master public keys corresponding to the enterprise organizations, user identifications corresponding to the users, and messages to be signed corresponding to the signature messages;
and the enterprise organization takes the main public key, the user identification, the message to be signed and the signature message as input, acquires the main public keys of other enterprise organizations from the alliance chain, and verifies the signature of the received signature message so as to verify the identity of the user.
In a second aspect, the invention provides a block chain and SM9 algorithm-based cross-organization identity authentication system, for authenticating a user identity of a cross-organization through the block chain and SM9 algorithm-based cross-organization identity authentication method according to any one of the first aspects, the system comprising:
a federation chain including a plurality of enterprise organizations, each enterprise organization forming a federation chain by registering with a blockchain through its digital identity;
each enterprise organization generates a master key pair based on KGC through the master key management module, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key;
each enterprise organization privates a main private key through the main key management module, uploads and registers a main public key of the enterprise organization to a alliance chain through the main key management module, and discloses the main public key of the enterprise organization to other enterprise organizations in the alliance chain;
the system comprises a signature module, a signature module and a signature module, wherein a user of an enterprise organization of a signing party digitally signs a message to be signed through the signature module to obtain a signature message and sends the signature message to other enterprise organizations in a alliance chain;
and the signature checking module is used for judging whether the enterprise organization serving as the signature party is trusted or not after the enterprise organization serving as the signature party receives the signature message, if so, acquiring the main public key corresponding to the enterprise organization serving as the signature party from the alliance chain, and checking the signature of the received signature message.
Preferably, the method further comprises the following steps:
the trust list building module is used for building a trust list for each enterprise organization through the trust list building module, and recording the main public keys of other enterprise organizations trusted by the enterprise organizations in the alliance chain through the trust list;
and if the enterprise organization as the signature party is positioned in the trust list, acquiring a main public key corresponding to the enterprise organization as the signature party from the trust list, and carrying out signature verification on the received signature message through the signature verification module.
Preferably, the signature module is configured to generate a user private key through the KGC based on the master private key and the user identity, and digitally sign the message to be signed through the user private key to obtain the signed message.
Preferably, the signature module sends the signature message and simultaneously sends a master public key corresponding to an enterprise organization as a signature verifier, a user identifier corresponding to a user and a message to be signed corresponding to the signature message;
the signature verification module is used for taking the main public key, the user identification, the message to be signed and the signature message as input, acquiring the main public key corresponding to the enterprise organization as the signature party from the alliance chain, and verifying the signature of the received signature message so as to verify the identity of the user.
The trans-organization identity authentication method and system based on the block chain and the SM9 algorithm have the following advantages:
(1) the enterprise organization generates a master key pair through KGC, registers the master public key to the alliance chain, and calls the master public key from the alliance chain to verify the signature of the signature message for the trusted enterprise organization after receiving the signature message sent by other enterprise organization users, thereby realizing cross-combination user identity authentication;
(2) each enterprise organization is responsible for the master public key uploaded to the block chain by the enterprise organization, on one hand, the master public key of the enterprise organization can be prevented from being maliciously registered by other enterprise organizations which are not audited by the alliance, and on the other hand, the enterprise organization of the user issued by the KGC of the enterprise organization can not deny the master public key;
(3) each enterprise organization maintains a trust list of the enterprise organization trusted by the enterprise organization on the alliance chain, only the enterprise organization trusted by the enterprise organization is maintained in the trust list of the enterprise organization, and the enterprise organizations can be independently selected to be trusted, so that the information safety is ensured, and the signature verification process is accelerated.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed for the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a cross-organization identity authentication method based on a blockchain and an SM9 algorithm according to embodiment 1.
FIG. 2 is a block diagram illustrating the operation of digital signatures in the cross-organization identity authentication method based on the blockchain and SM9 algorithm in embodiment 1;
fig. 3 is a functional block diagram of the signature verification in the cross-organization identity authentication method based on the blockchain and SM9 algorithm in embodiment 1.
Detailed Description
The present invention is further described in the following with reference to the drawings and the specific embodiments so that those skilled in the art can better understand the present invention and can implement the present invention, but the embodiments are not to be construed as limiting the present invention, and the embodiments and the technical features of the embodiments can be combined with each other without conflict.
The embodiment of the invention provides a block chain and SM9 algorithm-based cross-organization identity authentication method and system, which are used for solving the technical problem of how to realize mutual authentication of users issued by KGC (trusted cryptography client) between enterprise key centers
Example 1:
the invention discloses a trans-organization identity authentication method based on a block chain and an SM9 algorithm, which comprises the following steps:
s100, each enterprise organization generates a master key pair through KGC, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key;
s200, each enterprise organization privately stores the main private key, uploads and registers the main public key to a alliance chain, and discloses the main public key to other enterprise organizations in the alliance chain;
s300, after each enterprise organization receives the signature messages sent by the users of other enterprise organizations in the alliance chain, for other enterprise organizations trusted by the enterprise organizations, the main public keys of the other enterprise organizations are obtained from the alliance chain, and the received signature messages are verified.
In this embodiment, the master private key is only used to compute the user private key. The user private key is generated by the user identification after being acted with the main private key. Specifically, the user uses the effective identifier of the entity (such as a mail address, a mobile phone number, an identification card code, etc.) as the user public key, and the user private key is issued by a KGC (key generation center) of an enterprise based on the effective identifier of the entity used by the user using the enterprise private key.
The inputs of the digital signature process are a master public key, a user private key and a message to be signed. As shown in fig. 2, assuming that the message to be signed is a bit string M, in order to obtain the digital signature (h, S) of the message M, the user a as the signer performs the following operation steps:
a1 calculation of group GTWherein the element g ═ e (P)1,Ppub-s);
A2, generating a random number r belongs to [1, N-1 ];
a3 calculation of group GTWherein w is grConverting the data type of w into a bit string;
a4 calculating the integer H ═ H2(M||w,N);
A5: calculating an integer l ═ (r-h) mod N, and if l ═ 0, returning to A2;
a6: computing group GTMiddle element
Figure BDA0003498525880000061
A7, the signature of the message M is (h, S).
Wherein, M: a message original text to be signed;
GT: group T;
g: an element g of group T;
P1: the generator P1 of group 1;
Ppub-s: signing the master public key;
r: a random number in the range of [1, N-1 ];
n: a random number value range;
w: calculating an element w in the group T through g and r;
h, calculating an integer through the message original text M to be signed, the element w and the random number range N;
l: calculating an integer by r, h and N;
Figure BDA0003498525880000062
a private signature key (private user key);
(h, S) digital signature of message M.
The users of other enterprise organizations send signature messages to the enterprise organizations, and simultaneously send the master public keys corresponding to the enterprise organizations, the user identifications corresponding to the users and the messages to be signed corresponding to the signature messages; the enterprise organization takes the master public key, the user identification, the message to be signed and the signature message as input, obtains the master public keys of other enterprise organizations from the alliance chain, and verifies the signature of the received signature message so as to verify the user identity.
As shown in fig. 3, the inputs of the digital signature verification process are the master public key, the user id, the message M and its digital signature M', and the user B as the verifier performs the following verification steps:
b1: checking whether h' is formed by the element [1, N-1], if not, verifying that the element does not pass;
b2: converting the data type of S 'to a point on an elliptic curve, and checking that S' belongs to G1If the verification is not successful, the verification is not passed;
b3: computing group GTMedium element g ═ e (P)1,Ppub-s);
B4: computing group GTMedium element t ═ gh′
B5 calculating the integer h1=H1(IDA||hid,N);
B6 computing group G2Wherein the element P ═ h1]P2+Ppub-s
B7: computing group GTMedium element u ═ e (S', P);
b8 computing group GTConverting the type of w' into a bit string;
B9:h2=H2(M '| w', N), test h2If h' is true, the verification is passed.
Wherein, M': the digital signature of message M, i.e. (h ', S');
GT: group T;
P1: group 1 generator P1
Ppub-s: signing the master public key;
g: an element g of group T;
t: calculating an element T in the group T through g and h';
IDAa user identity identifier;
hid, user private key type identification;
n: a random number value range;
h1: by IDAThe integers calculated from hid and N;
G2: group 2;
P2: the generator P2 of group 2;
u: an element u in the group T;
w': calculating an element w' in the group T through u and T;
h2: the digital signature M 'of the message M, the element w' and the random number range N.
The main public key of the enterprise organization is needed in the process that the user uses the user private key to digitally sign the message, and the main public key of the enterprise organization is also needed in the process of verifying the signature of the digital signature of the user. And verifying the digital signature of the user in a certain enterprise organization, and only by trusting the KGC and acquiring the master public key of the enterprise organization from the KGC, the digital signature can be verified separately in an off-line manner, so that the user in the enterprise organization is authenticated.
However, for the cross-organization user identity authentication, because there is no authority like CA, the main public key published by KGC of other organizations cannot be trusted, and the cross-organization digital signature cannot be verified, that is, the cross-organization user identity authentication cannot be performed.
In this embodiment, a federation chain is formed among enterprise organizations, and each enterprise organization creates its own enterprise identity in the federation chain. The enterprise organization uses the KGC to generate a main key pair (a main public key and a main private key) of the enterprise, and the main private key is independently stored by the enterprise organization and is not published to the outside. The main public key of the enterprise organization is registered to the alliance chain by using the digital identity on the alliance chain of the enterprise organization, and the main public key is disclosed to all members of the alliance chain, so that other enterprise organizations in the alliance chain can verify the user issued by the enterprise organization.
As an improvement, in this embodiment, after uploading and registering a master public key of each enterprise organization to a federation chain, a trust list is established, and master public keys of other enterprise organizations trusted by the enterprise organizations in the federation chain are recorded through the trust list; after each enterprise organization receives the signature messages sent by other enterprise organization users in the alliance chain, if other enterprise organizations are located in the trust list, the main public keys of other enterprise organizations are obtained from the trust list, and the signature of the received signature messages is verified.
A large number of enterprise organization participants are registered in the federation chain, and each enterprise organization participant can publish its own master public key in the federation chain. All joined enterprise organizations in the federation chain are approved by other members of the federation, and all master public keys up to the blockchain are signed and linked using the private keys of the enterprise organizations in the federation chain. On one hand, the method can prevent other enterprise organizations which are not audited by the alliance from maliciously registering the own master public key, and ensure that the master public key is issued by the credible enterprise organizations; on the other hand, the user issued by the KGC of the federation member cannot deny the user because the identity private key of the enterprise organization on the federation chain, which is used by all the public keys of the enterprise organization on the uplink, is signed, and the users authenticated by other users using the public keys on the chain are all trusted by all the enterprise organization.
In practice, a certain enterprise organization may not trust some enterprise organizations uplinked on the federation chain, only choose to trust the enterprise organization that the enterprise organization believes to be trusted, maintain a trust list belonging to the enterprise organization in the federation chain, and only trust the enterprise organization in the trust list. The user authenticates the identity of other users according to the trust list of the enterprise organization to which the user belongs.
Different enterprise organizations call enterprise trust lists maintained on own blockchains from blockchains, for example, enterprise a includes enterprise B in the trust list on the blockchain, and enterprise a can call the master public key of enterprise B from the blockchain. When a user-signed message issued by the B enterprise organization requests authentication to the A enterprise, the A enterprise can use the main public key of the B enterprise called from the trust list on the block chain for authentication. Because the main public key of the enterprise B called by the enterprise A is uploaded to the blockchain by the enterprise B by using the digital identity of the enterprise B on the alliance chain, the enterprise A can be used at ease, and the main public key of the enterprise B is not worried about being maliciously tampered.
Example 2:
the invention relates to a trans-organization identity authentication system based on a block chain and an SM9 algorithm, which comprises a alliance chain, a master key generation module, a master key management module, a signature module and a signature verification module, wherein the alliance chain comprises a plurality of enterprise organizations, and each enterprise organization is registered to the block chain through the digital identity of the enterprise organization to form the alliance chain; each enterprise organization generates a master key pair based on KGC through the master key management module, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key; each enterprise organization privates the main private key of the enterprise organization through the main key management module, uploads and registers the main public key of the enterprise organization to the alliance chain through the main key management module, and discloses the main public key of the enterprise organization to other enterprise organizations in the alliance chain; a user of an enterprise organization as a signing party digitally signs a message to be signed through the signing module to obtain a signature message, and sends the signature message to other enterprise organizations in a alliance chain; after receiving the signature message, the enterprise organization serving as the signature party judges whether the enterprise organization serving as the signature party is trusted or not through the signature verification module, if so, the main public key corresponding to the enterprise organization serving as the signature party is obtained from the alliance chain, and the signature of the received signature message is verified.
In this embodiment, the signature module is configured to generate a user private key through the KGC based on the master private key and the user identity, and digitally sign the message to be signed through the user private key to obtain a signed message.
And when the signature message is sent through the signature module, a master public key corresponding to an enterprise organization as a signature verifier, a user identifier corresponding to the user and a message to be signed corresponding to the signature message are also sent. The signature verification module is used for taking the main public key, the user identification, the message to be signed and the signature message as input, acquiring the main public key corresponding to the enterprise organization as the signature party from the alliance chain, and verifying the signature of the received signature message so as to verify the identity of the user.
For the digital signature process, a message to be signed is set as a bit string M, and for acquiring a digital signature (h, S) of the message M, a user a as a signer performs the following operation steps:
a1 calculation of group GTWherein the element g ═ e (P)1,Ppub-s);
A2, generating a random number r belongs to [1, N-1 ];
a3 calculation of group GTWherein w is grConverting the data type of w into a bit string;
a4 calculating the integer H ═ H2(M||w,N);
A5: calculating an integer l ═ (r-h) mod N, and if l ═ 0, returning to A2;
a6: computing group GTMiddle element
Figure BDA0003498525880000111
A7, the signature of the message M is (h, S).
For the digital signature verification process, the steps are as follows:
b1: checking whether h' is formed by the element [1, N-1], if not, verifying that the element does not pass;
b2: converting the data type of S 'to a point on an elliptic curve, and checking that S' belongs to G1If the verification is not successful, the verification is not passed;
b3: computing group GTMedium element g ═ e (P)1,Ppub-s);
B4: computing group GTMedium element t ═ gh′
B5 calculating the integer h1=H1(IDA||hid,N);
B6 computing group G2Wherein the element P ═ h1]P2+Ppub-s
B7: computing group GTMedium element u ═ e (S', P);
b8 computing group GTConverting the type of w' into a bit string;
B9:h2=H2(M '| w', N), test h2If h' is true, the verification is passed.
The method disclosed by the embodiment can be executed through the system, a federation chain is formed among enterprise organizations, and each enterprise organization creates an own enterprise identity in the federation chain. The enterprise organization uses the KGC to generate a main key pair (a main public key and a main private key) of the enterprise, and the main private key is independently stored by the enterprise organization and is not published to the outside. The main public key of the enterprise organization is registered to the alliance chain by using the digital identity on the alliance chain of the enterprise organization, and the main public key is disclosed to all members of the alliance chain, so that other enterprise organizations in the alliance chain can verify the user issued by the enterprise organization.
As an improvement of the system of this embodiment, the system further includes a trust list construction module, each enterprise organization establishes a trust list through the trust list construction module, and records the master public keys of other enterprise organizations trusted by the enterprise organization in the federation chain through the trust list; and if the enterprise organization as the signature party is positioned in the trust list, acquiring a main public key corresponding to the enterprise organization as the signature party from the trust list, and carrying out signature verification on the received signature message through the signature verification module.
In practice, a certain enterprise organization may not trust some enterprise organizations uplinked on the federation chain, only choose to trust the enterprise organization that the enterprise organization believes to be trusted, maintain a trust list belonging to the enterprise organization in the federation chain, and only trust the enterprise organization in the trust list. The user authenticates the identity of other users according to the trust list of the enterprise organization to which the user belongs.
Different enterprise organizations retrieve enterprise trust lists maintained on their blockchains from the blockchain, for example, enterprise a includes enterprise B in the trust list on the blockchain, and enterprise a can retrieve the master public key of enterprise B from the blockchain. When a user-signed message issued by the B enterprise organization requests authentication to the A enterprise, the A enterprise can use the main public key of the B enterprise called from the trust list on the block chain for authentication. Because the main public key of the enterprise B called by the enterprise A is uploaded to the blockchain by the enterprise B by using the digital identity of the enterprise B on the alliance chain, the enterprise A can be used at ease, and the main public key of the enterprise B is not worried about being maliciously tampered.
While the invention has been shown and described in detail in the drawings and in the preferred embodiments, it is not intended to limit the invention to the embodiments disclosed, and it will be apparent to those skilled in the art that many more embodiments of the invention are possible that combine the features of the different embodiments described above and still fall within the scope of the invention.

Claims (8)

1. The cross-organization identity authentication method based on the block chain and the SM9 algorithm is characterized by comprising the following steps of:
each enterprise organization generates a master key pair through KGC, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key;
each enterprise organization privately stores the main private key, uploads and registers the main public key to the alliance chain, and discloses the main public key to other enterprise organizations in the alliance chain;
after each enterprise organization receives the signature messages sent by the users of other enterprise organizations in the alliance chain, for other enterprise organizations trusted by the enterprise organizations, the main public keys of the other enterprise organizations are obtained from the alliance chain, and the received signature messages are verified.
2. The trans-organization identity authentication method based on the block chain and SM9 algorithm as claimed in claim 1, wherein each enterprise organization uploads and registers its master public key to a federation chain, establishes a trust list, and records the master public keys of other enterprise organizations trusted by the enterprise organization in the federation chain through the trust list;
after each enterprise organization receives the signature messages sent by other enterprise organization users in the alliance chain, if the other enterprise organizations are located in the trust list, the main public keys of the other enterprise organizations are obtained from the trust list, and the signature of the received signature messages is verified.
3. The method for cross-organization identity authentication based on the blockchain and SM9 algorithm according to claim 1 or 2, wherein the method comprises generating a user private key through KGC based on a master private key and a user identity, and digitally signing a message to be signed through the user private key to obtain a signed message.
4. The trans-organization identity authentication method based on the block chain and SM9 algorithm according to claim 3, wherein a user of another enterprise organization sends a signature message to the enterprise organization, and also sends a master public key corresponding to the enterprise organization, a user identifier corresponding to the user, and a message to be signed corresponding to the signature message;
and the enterprise organization takes the main public key, the user identification, the message to be signed and the signature message as input, acquires the main public keys of other enterprise organizations from the alliance chain, and checks the signature of the received signature message so as to verify the identity of the user.
5. A block chain and SM9 algorithm based cross-organization identity authentication system for authenticating a user identity of a cross-organization through the block chain and SM9 algorithm based cross-organization identity authentication method according to any one of claims 1 to 4, the system comprising:
a federation chain including a plurality of enterprise organizations, each enterprise organization forming a federation chain by registering with a blockchain through its digital identity;
each enterprise organization generates a master key pair based on KGC through the master key management module, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key;
each enterprise organization privates a main private key through the main key management module, uploads and registers a main public key of the enterprise organization to a alliance chain through the main key management module, and discloses the main public key of the enterprise organization to other enterprise organizations in the alliance chain;
the system comprises a signature module, a signature module and a client, wherein the signature module is used for carrying out digital signature on a message to be signed by a user of an enterprise organization as a signature party through the signature module to obtain a signature message and sending the signature message to other enterprise organizations in a alliance chain;
and the signature checking module is used for judging whether the enterprise organization serving as the signature party is trusted or not after the enterprise organization serving as the signature party receives the signature message, if so, acquiring the main public key corresponding to the enterprise organization serving as the signature party from the alliance chain, and checking the signature of the received signature message.
6. The cross-organization identity authentication system based on blockchain and SM9 algorithm according to claim 5, further comprising:
the trust list building module is used for building a trust list for each enterprise organization through the trust list building module, and recording the main public keys of other enterprise organizations trusted by the enterprise organizations in the alliance chain through the trust list;
and if the enterprise organization as the signature party is positioned in the trust list, acquiring a main public key corresponding to the enterprise organization as the signature party from the trust list, and carrying out signature verification on the received signature message through the signature verification module.
7. The trans-organization identity authentication system based on the blockchain and SM9 algorithm according to claim 5 or 6, wherein the signature module is configured to generate a user private key through KGC based on a master private key and a user identity, and digitally sign a message to be signed through the user private key to obtain a signed message.
8. The trans-organization identity authentication system based on the block chain and SM9 algorithm according to claim 7, wherein the signature module sends the signature message, and at the same time, sends a master public key corresponding to an enterprise organization as a signer, a user identifier corresponding to a user, and a message to be signed corresponding to the signature message;
the signature verification module is used for taking the main public key, the user identification, the message to be signed and the signature message as input, acquiring the main public key corresponding to the enterprise organization as the signature party from the alliance chain, and verifying the signature of the received signature message so as to verify the identity of the user.
CN202210121174.8A 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on block chain and SM9 algorithm Pending CN114499883A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210121174.8A CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on block chain and SM9 algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210121174.8A CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on block chain and SM9 algorithm

Publications (1)

Publication Number Publication Date
CN114499883A true CN114499883A (en) 2022-05-13

Family

ID=81478382

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210121174.8A Pending CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on block chain and SM9 algorithm

Country Status (1)

Country Link
CN (1) CN114499883A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277009A (en) * 2022-07-01 2022-11-01 浪潮软件股份有限公司 Signature method and system based on block chain and SM9 algorithm
CN115589303A (en) * 2022-07-11 2023-01-10 昆明理工大学 Data sharing and privacy protection method based on SM9 algorithm and cross-chain technology

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138560A (en) * 2019-06-04 2019-08-16 北京理工大学 A kind of dual-proxy cross-domain authentication method based on id password and alliance's chain
CN111010272A (en) * 2019-12-20 2020-04-14 武汉理工大学 Identification private key generation and digital signature method, system and device
CN111262691A (en) * 2020-01-07 2020-06-09 武汉理工大学 Identification private key generation and use method, system and device based on hybrid master key
WO2020140931A1 (en) * 2019-01-03 2020-07-09 菜鸟智能物流控股有限公司 Blockchain access control method and apparatus, and electronic device
WO2020237751A1 (en) * 2019-05-27 2020-12-03 国家电网有限公司 Method and device employing smart contract to realize identity-based key management
CN112069547A (en) * 2020-07-29 2020-12-11 北京农业信息技术研究中心 Supply chain responsibility main body identity authentication method and system
CN113987546A (en) * 2021-11-05 2022-01-28 浪潮云信息技术股份公司 Alliance chain system based on identification password system
CN114006708A (en) * 2020-07-13 2022-02-01 山东爱城市网信息技术有限公司 Key center authentication method and device based on block chain

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020140931A1 (en) * 2019-01-03 2020-07-09 菜鸟智能物流控股有限公司 Blockchain access control method and apparatus, and electronic device
WO2020237751A1 (en) * 2019-05-27 2020-12-03 国家电网有限公司 Method and device employing smart contract to realize identity-based key management
CN110138560A (en) * 2019-06-04 2019-08-16 北京理工大学 A kind of dual-proxy cross-domain authentication method based on id password and alliance's chain
CN111010272A (en) * 2019-12-20 2020-04-14 武汉理工大学 Identification private key generation and digital signature method, system and device
CN111262691A (en) * 2020-01-07 2020-06-09 武汉理工大学 Identification private key generation and use method, system and device based on hybrid master key
CN114006708A (en) * 2020-07-13 2022-02-01 山东爱城市网信息技术有限公司 Key center authentication method and device based on block chain
CN112069547A (en) * 2020-07-29 2020-12-11 北京农业信息技术研究中心 Supply chain responsibility main body identity authentication method and system
CN113987546A (en) * 2021-11-05 2022-01-28 浪潮云信息技术股份公司 Alliance chain system based on identification password system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277009A (en) * 2022-07-01 2022-11-01 浪潮软件股份有限公司 Signature method and system based on block chain and SM9 algorithm
CN115589303A (en) * 2022-07-11 2023-01-10 昆明理工大学 Data sharing and privacy protection method based on SM9 algorithm and cross-chain technology
CN115589303B (en) * 2022-07-11 2024-02-27 昆明理工大学 SM9 algorithm and cross-link technology based data sharing and privacy protection method

Similar Documents

Publication Publication Date Title
Horn et al. Authentication protocols for mobile network environment value-added services
JP3982848B2 (en) Security level control device and network communication system
US7020778B1 (en) Method for issuing an electronic identity
US6996716B1 (en) Dual-tier security architecture for inter-domain environments
CN112039872A (en) Cross-domain anonymous authentication method and system based on block chain
CN109687976A (en) Fleet's establishment and management method and system based on block chain and PKI authentication mechanism
US20040073801A1 (en) Methods and systems for flexible delegation
US20030163700A1 (en) Method and system for user generated keys and certificates
US10742426B2 (en) Public key infrastructure and method of distribution
Toorani et al. LPKI-a lightweight public key infrastructure for the mobile environments
CA2457493A1 (en) Data certification method and apparatus
JP2001524777A (en) Data connection security
JP2002534701A (en) Auto-recoverable, auto-encryptable cryptosystem using escrowed signature-only keys
CN114499883A (en) Cross-organization identity authentication method and system based on block chain and SM9 algorithm
CN115001721B (en) Safety certification method and system for smart power grid based on block chain
CN112565294A (en) Identity authentication method based on block chain electronic signature
US20040221158A1 (en) Digital signature and verification system for conversational messages
US8452966B1 (en) Methods and apparatus for verifying a purported user identity
NL1043779B1 (en) Method for electronic signing and authenticaton strongly linked to the authenticator factors possession and knowledge
Lin et al. Authentication protocols with nonrepudiation services in personal communication systems
WO2024049352A1 (en) Methods and systems of using quantum key distribution for secure user and data authentication
US7480801B2 (en) Method for securing data traffic in a mobile network environment
Zaw et al. User authentication in SSL handshake protocol with zero-knowledge proof
CN109981289A (en) Batch authentication method of elliptic curve digital signature algorithm under implicit certificate
CN114726645B (en) Linkable ring signature method based on user information security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination