CN114499883A - Cross-organization identity authentication method and system based on blockchain and SM9 algorithm - Google Patents

Cross-organization identity authentication method and system based on blockchain and SM9 algorithm Download PDF

Info

Publication number
CN114499883A
CN114499883A CN202210121174.8A CN202210121174A CN114499883A CN 114499883 A CN114499883 A CN 114499883A CN 202210121174 A CN202210121174 A CN 202210121174A CN 114499883 A CN114499883 A CN 114499883A
Authority
CN
China
Prior art keywords
master
enterprise
organization
signature
enterprise organization
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210121174.8A
Other languages
Chinese (zh)
Inventor
宋明明
王伟兵
魏金雷
杨海勇
张岚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Cloud Information Technology Co Ltd filed Critical Inspur Cloud Information Technology Co Ltd
Priority to CN202210121174.8A priority Critical patent/CN114499883A/en
Publication of CN114499883A publication Critical patent/CN114499883A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72Signcrypting, i.e. digital signing and encrypting simultaneously

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a trans-organization identity authentication method and a trans-organization identity authentication system based on a block chain and an SM9 algorithm, belongs to the technical field of digital signatures, and aims to solve the technical problem of how to realize mutual authentication between enterprise key centers for users who sign KGC. Each enterprise organization generates a master key pair through KGC, wherein the master key pair is a signature master key pair used for signature and signature verification and comprises a master public key and a master private key; each enterprise organization privately stores the main private key, uploads and registers the main public key to the alliance chain, and discloses the main public key to other enterprise organizations in the alliance chain; after each enterprise organization receives the signature messages sent by the users of other enterprise organizations in the alliance chain, for other enterprise organizations trusted by the enterprise organizations, the main public keys of the other enterprise organizations are obtained from the alliance chain, and the received signature messages are verified.

Description

基于区块链和SM9算法的跨组织身份认证方法及系统Cross-organization identity authentication method and system based on blockchain and SM9 algorithm

技术领域technical field

本发明涉及数字签名技术领域,具体地说是基于区块链和SM9算法的跨组织身份认证方法及系统。The invention relates to the technical field of digital signatures, in particular to a cross-organization identity authentication method and system based on block chain and SM9 algorithm.

背景技术Background technique

基于标识的密码算法是一门新兴的公钥密码算法分支。标识密码算法是以实体的有效标识(如邮件地址、手机号码、身份证码等)作为公钥,用户无需申请和交换证书,从而大大降低系统的复杂性。基于标识的密码假设存在一个可信的KGC(密钥生成中心)作为系统的中心,当用户第一次加入到系统时,该中心会给用户生成一个私钥。该中心也被称为密钥生成中心,作用类似现实生活中的身份识别卡的发卡机构。Identity-based cryptography is a new branch of public-key cryptography. The identification password algorithm uses the effective identification of the entity (such as email address, mobile phone number, ID code, etc.) as the public key, and users do not need to apply for and exchange certificates, thus greatly reducing the complexity of the system. Identity-based passwords assume the existence of a trusted KGC (Key Generation Center) as the center of the system. When a user joins the system for the first time, the center will generate a private key for the user. The center, also known as a key generation center, acts like a real-life ID card issuer.

SM9算法的密钥由KGC(密钥生成中心)产生,主要包括企业KGC的主密钥对和用户的私钥,用户私钥由企业KGC使用主私钥和用户标识生成。在SM9签名/验签过程中,签名使用企业主公钥和用户私钥,验签使用企业主公钥和用户标识。The key of the SM9 algorithm is generated by KGC (Key Generation Center), which mainly includes the master key pair of the enterprise KGC and the user's private key. The user private key is generated by the enterprise KGC using the master private key and the user ID. In the SM9 signature/verification process, the enterprise owner public key and user private key are used for signature, and the enterprise owner public key and user ID are used for signature verification.

因为没有依赖于证书,没有权威的CA机构签发主公钥和用户标识,每个签名者的私钥都是由所属企业的KGC产生,签名和验签过程都需要依赖企业KGC生成的主公钥,企业之间用户无法进行验签和标识认证。Because there is no reliance on the certificate, there is no authoritative CA agency to issue the master public key and user ID. The private key of each signer is generated by the KGC of the enterprise to which it belongs, and the signature and verification processes need to rely on the master public key generated by the enterprise KGC. , users between enterprises cannot perform signature verification and identity authentication.

如何实现企业密钥中心之间互认对方KGC签发的用户,是需要解决的技术问题。How to realize mutual recognition of users issued by the other party's KGC between enterprise key centers is a technical problem that needs to be solved.

发明内容SUMMARY OF THE INVENTION

本发明的技术任务是针对以上不足,提供基于区块链和SM9算法的跨组织身份认证方法及系统,来解决如何实现企业密钥中心之间互认对方KGC签发的用户的问题。The technical task of the present invention is to provide a cross-organization identity authentication method and system based on the blockchain and SM9 algorithm to solve the problem of how to realize the mutual recognition of users issued by each other's KGC between enterprise key centers.

第一方面,本发明的基于区块链和SM9算法的跨组织身份认证方法,其特征在于包括如下步骤:In the first aspect, the cross-organization identity authentication method based on the blockchain and the SM9 algorithm of the present invention is characterized by comprising the following steps:

每个企业组织通过KGC生成主密钥对,所述主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;Each enterprise organization generates a master key pair through KGC, and the master key pair is a signature master key pair used for signature and verification, including a master public key and a master private key;

每个企业组织将其主私钥私有保存,将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;Each enterprise organization keeps its master private key privately, uploads and registers its master public key to the alliance chain, and discloses its master public key to other enterprise organizations in the alliance chain;

每个企业组织接收到联盟链中其它企业组织的用户发送的签名消息后,对于被所述企业组织信任的其它企业组织,从联盟链中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签。After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, for other enterprise organization trusted by the enterprise organization, obtain the master public key of the other enterprise organization from the alliance chain, and receive The signed message is verified.

作为优选,每个企业组织将其主公钥上传并注册至联盟链后,建立一个信任清单,通过所述信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;Preferably, after each enterprise organization uploads and registers its master public key to the consortium chain, a trust list is established, and the trust list records the master public keys of other enterprise organizations trusted by the enterprise organization in the consortium chain;

每个企业组织接收到联盟链中其它企业组织用户发送的签名消息后,如果所述其它企业组织位于信任清单中,从信任清单中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签。After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, if the other enterprise organization is in the trust list, obtains the master public key of the other enterprise organization from the trust list, and signs the received The message is checked.

作为优选,基于主私钥和用户身份标识、通过KGC生成用户私钥,通过所述用户私钥对待签名的消息进行数字签名的,得到签名消息。Preferably, the user's private key is generated by KGC based on the master private key and the user identity, and the signed message is obtained by digitally signing the message to be signed by the user's private key.

更优的,其它企业组织的用户发送向企业组织发送签名消息的同时,还发送有所述企业组织对应的主公钥、所述用户对应的用户标识、以及所述签名消息对应的待签名消息;More preferably, when the user of other enterprise organization sends the signed message to the enterprise organization, it also sends the master public key corresponding to the enterprise organization, the user ID corresponding to the user, and the to-be-signed message corresponding to the signed message. ;

所述企业组织以所述主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签,以验证用户身份。The enterprise organization takes the master public key, the user ID, the message to be signed, and the signed message as input, obtains the master public key of the other enterprise organization from the alliance chain, and verifies the received signed message to verify user ID.

第二方面,本发明的基于区块链和SM9算法的跨组织身份认证系统,其特征在于用于通过如第一方面任一项所述的基于区块链和SM9算法的跨组织身份认证方法对跨组织的用户身份进行认证,所述系统包括:In the second aspect, the cross-organization identity authentication system based on the blockchain and the SM9 algorithm of the present invention is characterized in that it is used to pass the cross-organization identity authentication method based on the blockchain and the SM9 algorithm according to any one of the first aspects. Authenticating user identities across organizations, the system includes:

联盟链,所述联盟链中包括多个企业组织,每个企业组织均通过其数字身份注册至区块链组成联盟链;Consortium chain, the consortium chain includes multiple enterprise organizations, and each enterprise organization registers to the blockchain through its digital identity to form a consortium chain;

主密钥生成模块,每个企业组织通过所述主密钥管理模块基于KGC生成主密钥对,所述主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;Master key generation module, each enterprise organization generates a master key pair based on KGC through the master key management module, and the master key pair is a signature master key pair used for signature and verification, including the master public key and the master private key;

主密钥管理模块,每个企业组织通过所述主密钥管理模块私有其主私钥,并通过所述主密钥管理模块将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;Master key management module, each enterprise organization privately owns its master private key through the master key management module, and uploads and registers its master public key to the consortium chain through the master key management module, and transfers it to other organizations in the consortium chain. The enterprise organization discloses its master public key;

签名模块,签名方的企业组织的用户通过所述签名模块对待签名消息进行数字签名得到签名消息,并将签名消息发送至联盟链中其它企业组织;The signature module, the user of the enterprise organization of the signer obtains the signature message by digitally signing the message to be signed through the signature module, and sends the signature message to other enterprise organizations in the alliance chain;

验签模块,作为验签方的企业组织接收到签名消息后,通过所述验签模块判断作为签名方的企业组织是否被信任,如果是,从联盟链中获取所述作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签。The signature verification module, after the enterprise organization as the signature verification party receives the signed message, judges whether the enterprise organization as the signature party is trusted through the signature verification module, and if so, obtains the enterprise organization as the signature party from the alliance chain. The corresponding master public key, and verify the signature of the received signed message.

更优的,还包括:Even better, it also includes:

信任清单构建模块,每个企业组织通过所述信任清单构建模块建立一个信任清单,通过所述信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;a trust list building module, each enterprise organization establishes a trust list through the trust list building module, and records the master public keys of other enterprise organizations trusted by the enterprise organization in the alliance chain through the trust list;

作为验签方的企业组织通过所述验签模块读取其信任清单,并验证作为签名方的企业组织是否被信任,如果作为签名方的企业组织位于信任清单中,从信任清单中获取作为签名方的企业组织对应的主公钥,并通过所述验签模块对接收的签名消息进行验签。The enterprise organization as the signer reads its trust list through the signature verification module, and verifies whether the enterprise organization as the signer is trusted. If the enterprise organization as the signer is in the trust list, obtain the signature from the trust list as a signature The main public key corresponding to the party's enterprise organization is verified, and the received signature message is verified by the signature verification module.

作为优选,所述签名模块用于基于主私钥和用户身份标识、通过KGC生成用户私钥,通过所述用户私钥对待签名的消息进行数字签名的,得到签名消息。Preferably, the signature module is configured to generate the user's private key through KGC based on the master private key and the user's identity, and obtain the signed message by digitally signing the message to be signed by the user's private key.

作为优选,通过签名模块发送签名消息的同时,还发送有作为验签方的企业组织对应的主公钥、用户对应的用户标识、以及签名消息对应的待签名消息;Preferably, when the signed message is sent through the signature module, the master public key corresponding to the enterprise organization serving as the signature verification party, the user ID corresponding to the user, and the to-be-signed message corresponding to the signed message are also sent;

所述验签模块用于以主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签,以验证用户身份。The signature verification module is used to take the main public key, the user ID, the message to be signed and the signed message as input, obtain the main public key corresponding to the enterprise organization as the signer from the alliance chain, and verify the signature of the received signed message. , to authenticate the user.

本发明的基于区块链和SM9算法的跨组织身份认证方法及系统具有以下优点:The cross-organization identity authentication method and system based on blockchain and SM9 algorithm of the present invention have the following advantages:

(1)企业组织通过KGC生成主密钥对,将主公钥注册到联盟链上,当接收到其它企业组织用户发送的签名消息后,对于其信任的企业组织,从联盟链中调用主公钥对签名消息进行验签,从而实现了跨组合的用户身份认证;(1) The enterprise organization generates the master key pair through KGC, and registers the master public key on the alliance chain. After receiving the signed message sent by the user of other enterprise organization, for the enterprise organization it trusts, call the master from the alliance chain. The key pair is used to verify the signature of the signed message, thereby realizing cross-combination user identity authentication;

(2)每个企业组织对自己上传到区块链上的主公钥负责,一方面可以防止其他未经联盟审核的企业组织恶意注册自己的主公钥,另外一方面,只要是企业组织的KGC所签发的用户企业组织也无法进行否认;(2) Each enterprise organization is responsible for the master public key uploaded to the blockchain. On the one hand, it can prevent other enterprise organizations that have not been audited by the alliance from maliciously registering their own master public key. The user enterprise organization issued by KGC cannot deny it either;

(3)每个企业组织在联盟链上维护自己信任的企业组织的信任清单,只将自己所信任的企业组织维护到自己的信任清单中,可以自主选择信任哪些企业组织,确保了信息安全,并加快了验签过程。(3) Each enterprise organization maintains the trust list of the enterprise organizations it trusts on the alliance chain, and only maintains the enterprise organizations that it trusts in its own trust list, and can independently choose which enterprise organizations to trust, ensuring information security, And speed up the verification process.

附图说明Description of drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are only for the present invention. In some embodiments, for those of ordinary skill in the art, other drawings can also be obtained according to these drawings without any creative effort.

下面结合附图对本发明进一步说明。The present invention will be further described below with reference to the accompanying drawings.

图1为实施例1基于区块链和SM9算法的跨组织身份认证方法的流程框图。FIG. 1 is a flowchart of the cross-organization identity authentication method based on the blockchain and the SM9 algorithm in Embodiment 1.

图2为实施例1基于区块链和SM9算法的跨组织身份认证方法中数字签名的工作原理框图;Fig. 2 is the working principle block diagram of digital signature in the cross-organization identity authentication method based on blockchain and SM9 algorithm in Embodiment 1;

图3为实施例1基于区块链和SM9算法的跨组织身份认证方法中验签的工作原理框图。3 is a block diagram of the working principle of signature verification in the cross-organization identity authentication method based on the blockchain and SM9 algorithm in Embodiment 1.

具体实施方式Detailed ways

下面结合附图和具体实施例对本发明作进一步说明,以使本领域的技术人员可以更好地理解本发明并能予以实施,但所举实施例不作为对本发明的限定,在不冲突的情况下,本发明实施例以及实施例中的技术特征可以相互结合。The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments, so that those skilled in the art can better understand the present invention and implement it, but the embodiments are not intended to limit the present invention, and in the case of no conflict Hereinafter, the embodiments of the present invention and the technical features in the embodiments may be combined with each other.

本发明实施例提供基于区块链和SM9算法的跨组织身份认证方法及系统,用于解决如何实现企业密钥中心之间互认对方KGC签发的用户的技术问题Embodiments of the present invention provide a method and system for cross-organization identity authentication based on blockchain and SM9 algorithm, which are used to solve the technical problem of how to realize mutual recognition between enterprise key centers of users issued by each other's KGC

实施例1:Example 1:

本发明基于区块链和SM9算法的跨组织身份认证方法,包括如下步骤:The cross-organization identity authentication method based on the block chain and the SM9 algorithm of the present invention includes the following steps:

S100、每个企业组织通过KGC生成主密钥对,主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;S100. Each enterprise organization generates a master key pair through KGC, and the master key pair is a signature master key pair used for signature and signature verification, including a master public key and a master private key;

S200、每个企业组织将其主私钥私有保存,将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;S200. Each enterprise organization keeps its master private key privately, uploads and registers its master public key to the alliance chain, and discloses its master public key to other enterprise organizations in the alliance chain;

S300、每个企业组织接收到联盟链中其它企业组织的用户发送的签名消息后,对于被企业组织信任的其它企业组织,从联盟链中获取其它企业组织的主公钥,并对接收的签名消息进行验签。S300. After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, for other enterprise organization trusted by the enterprise organization, obtain the master public key of other enterprise organization from the alliance chain, and sign the received The message is checked.

本实施例中,主私钥仅用于计算用户私钥。用户私钥是由用户标识与主私钥作用后生成的。具体的,用户使用实体的有效标识(如邮件地址、手机号码、身份证码等)作为用户公钥,用户私钥由企业的KGC(密钥生成中心)使用企业签名主私钥基于用户使用实体的有效标识签发。In this embodiment, the master private key is only used to calculate the user's private key. The user private key is generated by the interaction between the user ID and the master private key. Specifically, the user uses the entity's valid identifier (such as email address, mobile phone number, ID code, etc.) as the user's public key, and the user's private key is signed by the enterprise's KGC (Key Generation Center) using the enterprise's master private key based on the user's use of the entity. issued with a valid ID.

数字签名过程的输入是主公钥、用户私钥、待签名的消息。如图2所示,设待签名的消息为比特串M,为获取消息M的数字签名(h,S),作为签名者的用户A进行如下运算步骤:The inputs to the digital signature process are the master public key, the user's private key, and the message to be signed. As shown in Figure 2, suppose the message to be signed is a bit string M, in order to obtain the digital signature (h, S) of the message M, the user A as the signer performs the following operation steps:

A1:计算群GT中的元素g=e(P1,Ppub-s);A1: Calculate the element g=e(P 1 , P pub-s ) in the group GT ;

A2:产生随机数r∈[1,N-1];A2: Generate random numbers r∈[1,N-1];

A3:计算群GT中的元素w=gr,再将w的数据类型转换为比特串;A3: Calculate the element w=g r in the group GT , and then convert the data type of w into a bit string;

A4:计算整数h=H2(M||w,N);A4: Calculate the integer h=H 2 (M||w,N);

A5:计算整数l=(r-h)mod N,若l=0则返回A2;A5: Calculate the integer l=(r-h)mod N, if l=0, return to A2;

A6:计算群GT中元素

Figure BDA0003498525880000061
A6: Calculate the elements in the group G T
Figure BDA0003498525880000061

A7:消息M的签名为(h,S)。A7: The signature of message M is (h, S).

其中,M:待签名消息原文;Among them, M: the original text of the message to be signed;

GT:群T;G T : group T;

g:群T中的一个元素g;g: an element g in the group T;

P1:群1的生成元P1;P 1 : generator P1 of group 1;

Ppub-s:签名主公钥;P pub-s : signature master public key;

r:[1,N-1]范围内的一个随机数;r: a random number in the range of [1,N-1];

N:随机数取值范围;N: random number value range;

w:通过g、r计算得到的群T中的一个元素w;w: an element w in the group T calculated by g and r;

h:通过待签名消息原文M、元素w和随机数范围N计算所得的整数;h: an integer calculated from the original text M of the message to be signed, the element w and the random number range N;

l:通过r、h、N计算所得到的一个整数;l: an integer obtained by calculating r, h, and N;

Figure BDA0003498525880000062
签名私钥(用户私钥);
Figure BDA0003498525880000062
Signature private key (user private key);

(h,S):消息M的数字签名。(h, S): digital signature of message M.

其它企业组织的用户发送向企业组织发送签名消息的同时,还发送有企业组织对应的主公钥、用户对应的用户标识、以及签名消息对应的待签名消息;企业组织以主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取其它企业组织的主公钥,并对接收的签名消息进行验签,以验证用户身份。When users of other enterprise organizations send signed messages to the enterprise organization, they also send the master public key corresponding to the enterprise organization, the user ID corresponding to the user, and the message to be signed corresponding to the signed message; , the message to be signed and the signed message as input, obtain the master public key of other enterprise organizations from the alliance chain, and verify the signature of the received signed message to verify the identity of the user.

如图3所示,数字签名验签过程的输入是主公钥、用户标识、消息M及其数字签名M′,作为验证者的用户B进行如下验签步骤:As shown in Figure 3, the input of the digital signature verification process is the master public key, the user ID, the message M and its digital signature M', and the user B as the verifier performs the following signature verification steps:

B1:检验h′∈[1,N-1]是否成立,不成立则验证不通过;B1: Check whether h′∈[1,N-1] holds, if not, the verification fails;

B2:将S′的数据类型转换成椭圆曲线上的点,检验S′∈G1,若不成立,验证不通过;B2: Convert the data type of S' to a point on the elliptic curve, and check S'∈G 1 , if it does not hold, the verification fails;

B3:计算群GT中元素g=e(P1,Ppub-s);B3: Calculate the element g=e(P 1 , P pub-s ) in the group GT ;

B4:计算群GT中元素t=gh′B4: Calculate the element t =g h′ in the group GT;

B5:计算整数h1=H1(IDA||hid,N);B5: Calculate the integer h 1 =H 1 (ID A ||hid,N);

B6:计算群G2中的元素P=[h1]P2+Ppub-sB6: Calculate the element P=[h 1 ]P 2 +P pub-s in the group G 2 ;

B7:计算群GT中元素u=e(S′,P);B7: Calculate the element u=e(S′,P) in the group GT ;

B8:计算群GT中元素w′=ut,并将w′类型转换为比特串;B8: Calculate the element w'=ut in the group GT , and convert the w' type into a bit string;

B9:h2=H2(M′||w′,N),检验h2=h′是否成立,成立,则验证通过。B9: h 2 =H 2 (M'||w',N), check whether h 2 =h' holds, and if it holds, the verification is passed.

其中,M′:消息M的数字签名,即(h′,S′);Among them, M': the digital signature of the message M, namely (h', S');

GT:群T;G T : group T;

P1:群1的生成元P1P 1 : generator P 1 of group 1 ;

Ppub-s:签名主公钥;P pub-s : signature master public key;

g:群T中的一个元素g;g: an element g in the group T;

t:通过g、h′计算得到的群T中的一个元素t;t: an element t in the group T calculated by g, h';

IDA:用户身份标识符;ID A : User identity identifier;

hid:用户私钥类型标识;hid: User private key type identifier;

N:随机数取值范围;N: random number value range;

h1:通过IDA、hid和N计算得到的整数;h 1 : an integer calculated from ID A , hid and N;

G2:群2;G 2 : group 2;

P2:群2的生成元P2;P 2 : generator P2 of group 2;

u:群T中的一个元素u;u: an element u in the group T;

w′:通过u、t计算得到的群T中的一个元素w′;w': an element w' in the group T calculated by u, t;

h2:消息M的数字签名M′、元素w′和随机数范围N计算所得的整数。h 2 : an integer calculated from the digital signature M' of the message M, the element w' and the random number range N.

用户使用用户私钥对消息进行数字签名过程需要用到企业组织的主公钥,对用户的数字签名进行验签的过程中同样需要用到企业组织的主公钥。验证某个企业组织内用户的数字签名,只需要信任此KGC,并从KGC获得该企业组织的主公钥,就可以离线单独验证数字签名,从而对企业组织内的用户进行认证。The process of digitally signing a message with the user's private key requires the master public key of the enterprise organization, and the process of verifying the user's digital signature also requires the master public key of the enterprise organization. To verify the digital signature of a user in an enterprise organization, it is only necessary to trust the KGC and obtain the master public key of the enterprise organization from the KGC, and then the digital signature can be independently verified offline, thereby authenticating users in the enterprise organization.

但是对于跨组织的用户身份认证,因为没有像CA这种权威的机构,无法信任其他组织的KGC公布出来的主公钥,也就无法对跨组织的数字签名进行验签,也就是无法进行跨组织的用户身份认证。However, for cross-organization user identity authentication, because there is no authoritative organization like CA, it is impossible to trust the master public key published by the KGC of other organizations, so it is impossible to verify the cross-organization digital signature, that is, it is impossible to perform cross-organizational digital signature verification. User authentication for the organization.

本实施例中通过企业组织之间组成一个联盟链,每个企业组织都在联盟链中创建自己的企业身份。企业组织使用自己的KGC生成自己企业的主密钥对(主公钥和主私钥),主私钥由企业组织独立保存,不对外公布。而把企业组织的主公钥使用自己联盟链上的数字身份注册到联盟链上,对联盟链的所有成员公开此主公钥,目的是让联盟链中其他企业组织也能验证自己签发的用户。In this embodiment, a consortium chain is formed between enterprise organizations, and each enterprise organization creates its own enterprise identity in the consortium chain. The enterprise organization uses its own KGC to generate the master key pair (master public key and master private key) of its own enterprise, and the master private key is independently stored by the enterprise organization and will not be released to the public. The main public key of the enterprise organization is registered on the alliance chain using the digital identity on its own alliance chain, and the main public key is disclosed to all members of the alliance chain. The purpose is to allow other enterprise organizations in the alliance chain to verify the users issued by themselves .

作为改进,本实施例中每个企业组织将其主公钥上传并注册至联盟链后,建立一个信任清单,通过所述信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;每个企业组织接收到联盟链中其它企业组织用户发送的签名消息后,如果其它企业组织位于信任清单中,从信任清单中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签。As an improvement, in this embodiment, after each enterprise organization uploads and registers its master public key to the alliance chain, it establishes a trust list, and records the masters of other enterprise organizations trusted by the enterprise organization in the alliance chain through the trust list. After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, if the other enterprise organization is in the trust list, it obtains the master public key of the other enterprise organization from the trust list, and signs the received The message is checked.

联盟链中注册了由大量的企业组织参与方,每一个企业组织参与方都可以在联盟链中发布自己的主公钥。联盟链中所有加入的企业组织都是要经过联盟其他成员同意,并且所有上到区块链上的主公钥都使用联盟链中的企业组织的私钥进行签名上链的。一方面可以防止其他未经联盟审核的企业组织恶意注册自己的主公钥,保证是可信的企业组织发布的主公钥;另外一方面,只要是联盟成员的KGC所签发的用户也无法进行否认,因为企业组织的主公钥上链都使用的企业组织在联盟链上的身份私钥进行签名的,别的用户使用其链上的主公钥认证的用户都是基于都这个企业组织的信任。A large number of enterprise organization participants are registered in the alliance chain, and each enterprise organization participant can publish its own master public key in the alliance chain. All the enterprise organizations that join the alliance chain are subject to the consent of other members of the alliance, and all the master public keys on the blockchain are signed on the chain with the private key of the enterprise organization in the alliance chain. On the one hand, it can prevent other enterprise organizations that have not been audited by the alliance from maliciously registering their own master public key, and ensure that the master public key issued by a trusted enterprise organization; Deny, because the main public key of the enterprise organization on the chain is signed by the identity private key of the enterprise organization on the alliance chain, and the users authenticated by other users using the main public key on the chain are all based on the enterprise organization. trust.

实际中,某个企业组织可以不信任联盟链上上链的某些企业组织,只选择信任自己认为可信的企业组织,在联盟链中维护属于自己的一个信任清单,只信任自己信任清单中企业组织。用户按照自己所属企业组织的信任清单来认证其他用户的身份。In practice, an enterprise organization may not trust some of the enterprise organizations on the consortium chain, but only choose to trust the enterprise organization that it believes to be credible, maintain a trust list of its own in the consortium chain, and only trust its own trust list. business organization. Users authenticate the identities of other users according to the trust list of their own enterprise organization.

不同企业组织从区块链上调取自己区块链上维护的企业信任清单,例如A企业在区块链上的信任清单中包含B企业,A企业就可以从区块链上调取B企业的主公钥。当B企业组织签发的用户签名的消息到A企业处请求认证时,A企业就可以使用从区块链上信任清单中调取的B企业的主公钥进行认证。因为A企业所调取的B企业的主公公钥是由B企业使用自己在联盟链上的数字身份上传到区块链上的,A企业可以放心的使用,不用担心B企业的主公钥被恶意篡改。Different enterprise organizations retrieve the enterprise trust list maintained on their own blockchain from the blockchain. For example, if company A includes company B in the trust list on the blockchain, company A can retrieve company B from the blockchain. 's primary public key. When the message signed by the user signed by the B company organization requests the authentication from the A company, the A company can use the B company's master public key retrieved from the trust list on the blockchain for authentication. Because the public key of company B's public key transferred by company A is uploaded to the blockchain by company B using its digital identity on the alliance chain, company A can use it with confidence without worrying about the public key of company B being used by company B. Malicious tampering.

实施例2:Example 2:

本发明基于区块链和SM9算法的跨组织身份认证系统,包括联盟链、主密钥生成模块、主密钥管理模块、签名模块以及验签模块,联盟链中包括多个企业组织,每个企业组织均通过其数字身份注册至区块链组成联盟链;每个企业组织通过所述主密钥管理模块基于KGC生成主密钥对,所述主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;每个企业组织通过所述主密钥管理模块私有其主私钥,并通过所述主密钥管理模块将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;作为签名方的企业组织的用户通过所述签名模块对待签名消息进行数字签名得到签名消息,并将签名消息发送至联盟链中其它企业组织;作为验签方的企业组织接收到签名消息后,通过所述验签模块判断作为签名方的企业组织是否被信任,如果是,从联盟链中获取所述作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签。The cross-organization identity authentication system based on the blockchain and SM9 algorithm of the present invention includes a consortium chain, a master key generation module, a master key management module, a signature module and a signature verification module. The alliance chain includes a plurality of enterprise organizations, each All enterprise organizations register to the blockchain through their digital identities to form a consortium chain; each enterprise organization generates a master key pair based on KGC through the master key management module, and the master key pair is used for signature and verification. Signature master key pair, including master public key and master private key; each enterprise organization privatizes its master private key through the master key management module, and uploads and registers its master public key through the master key management module Go to the alliance chain, and disclose its master public key to other enterprise organizations in the alliance chain; the user of the enterprise organization as the signer obtains the signed message by digitally signing the message to be signed through the signature module, and sends the signed message to other organizations in the alliance chain. Enterprise organization; after the enterprise organization as the signer receives the signed message, it judges whether the enterprise organization as the signer is trusted through the signature verification module, and if so, obtains the correspondence of the enterprise organization as the signer from the alliance chain , and verify the received signed message.

本实施例中,签名模块用于基于主私钥和用户身份标识、通过KGC生成用户私钥,通过所述用户私钥对待签名的消息进行数字签名的,得到签名消息。In this embodiment, the signature module is configured to generate a user's private key through KGC based on the master private key and the user's identity, and obtain a signed message by digitally signing the message to be signed by the user's private key.

通过签名模块发送签名消息的同时,还发送有作为验签方的企业组织对应的主公钥、用户对应的用户标识、以及签名消息对应的待签名消息。验签模块用于以主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签,以验证用户身份。When the signed message is sent through the signature module, the master public key corresponding to the enterprise organization serving as the signature verification party, the user ID corresponding to the user, and the to-be-signed message corresponding to the signed message are also sent. The signature verification module is used to take the main public key, user ID, message to be signed and signed message as input, obtain the main public key corresponding to the enterprise organization as the signer from the alliance chain, and verify the signature of the received signed message to obtain Authenticate the user.

对于数字签名过程,设待签名的消息为比特串M,为获取消息M的数字签名(h,S),作为签名者的用户A进行如下运算步骤:For the digital signature process, let the message to be signed be a bit string M, in order to obtain the digital signature (h, S) of the message M, the user A as the signer performs the following operation steps:

A1:计算群GT中的元素g=e(P1,Ppub-s);A1: Calculate the element g=e(P 1 , P pub-s ) in the group GT ;

A2:产生随机数r∈[1,N-1];A2: Generate random numbers r∈[1,N-1];

A3:计算群GT中的元素w=gr,再将w的数据类型转换为比特串;A3: Calculate the element w=g r in the group GT , and then convert the data type of w into a bit string;

A4:计算整数h=H2(M||w,N);A4: Calculate the integer h=H 2 (M||w,N);

A5:计算整数l=(r-h)mod N,若l=0则返回A2;A5: Calculate the integer l=(r-h)mod N, if l=0, return to A2;

A6:计算群GT中元素

Figure BDA0003498525880000111
A6: Calculate the elements in the group G T
Figure BDA0003498525880000111

A7:消息M的签名为(h,S)。A7: The signature of message M is (h, S).

对于数字签名验签过程,步骤如下:For the digital signature verification process, the steps are as follows:

B1:检验h′∈[1,N-1]是否成立,不成立则验证不通过;B1: Check whether h′∈[1,N-1] holds, if not, the verification fails;

B2:将S′的数据类型转换成椭圆曲线上的点,检验S′∈G1,若不成立,验证不通过;B2: Convert the data type of S' to a point on the elliptic curve, and check S'∈G 1 , if it does not hold, the verification fails;

B3:计算群GT中元素g=e(P1,Ppub-s);B3: Calculate the element g=e(P 1 , P pub-s ) in the group GT ;

B4:计算群GT中元素t=gh′B4: Calculate the element t =g h′ in the group GT;

B5:计算整数h1=H1(IDA||hid,N);B5: Calculate the integer h 1 =H 1 (ID A ||hid,N);

B6:计算群G2中的元素P=[h1]P2+Ppub-sB6: Calculate the element P=[h 1 ]P 2 +P pub-s in the group G 2 ;

B7:计算群GT中元素u=e(S′,P);B7: Calculate the element u=e(S′,P) in the group GT ;

B8:计算群GT中元素w′=ut,并将w′类型转换为比特串;B8: Calculate the element w'=ut in the group GT , and convert the w' type into a bit string;

B9:h2=H2(M′||w′,N),检验h2=h′是否成立,成立,则验证通过。B9: h 2 =H 2 (M'||w',N), check whether h 2 =h' holds, and if it holds, the verification is passed.

通过该系统可执行实施例公开的方法,通过企业组织之间组成一个联盟链,每个企业组织都在联盟链中创建自己的企业身份。企业组织使用自己的KGC生成自己企业的主密钥对(主公钥和主私钥),主私钥由企业组织独立保存,不对外公布。而把企业组织的主公钥使用自己联盟链上的数字身份注册到联盟链上,对联盟链的所有成员公开此主公钥,目的是让联盟链中其他企业组织也能验证自己签发的用户。The method disclosed in the embodiments can be executed through the system, and a consortium chain is formed between enterprise organizations, and each enterprise organization creates its own enterprise identity in the consortium chain. The enterprise organization uses its own KGC to generate the master key pair (master public key and master private key) of its own enterprise, and the master private key is independently stored by the enterprise organization and will not be released to the public. The main public key of the enterprise organization is registered on the alliance chain using the digital identity on its own alliance chain, and the main public key is disclosed to all members of the alliance chain. The purpose is to allow other enterprise organizations in the alliance chain to verify the users issued by themselves .

作为该本实施例系统的改进,该系统还包括信任清单构建模块,每个企业组织通过信任清单构建模块建立一个信任清单,通过信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;作为验签方的企业组织通过所述验签模块读取其信任清单,并验证作为签名方的企业组织是否被信任,如果作为签名方的企业组织位于信任清单中,从信任清单中获取作为签名方的企业组织对应的主公钥,并通过所述验签模块对接收的签名消息进行验签。As an improvement of the system in this embodiment, the system further includes a trust list building module, each enterprise organization establishes a trust list through the trust list building module, and records the masters of other enterprise organizations trusted by the enterprise organization in the alliance chain through the trust list. Public key; the enterprise organization as the signer reads its trust list through the signature verification module, and verifies whether the enterprise organization as the signer is trusted, if the enterprise organization as the signer is in the trust list, from the trust list The master public key corresponding to the enterprise organization serving as the signer is obtained, and the received signature message is verified by the signature verification module.

在实际中,某个企业组织可以不信任联盟链上上链的某些企业组织,只选择信任自己认为可信的企业组织,在联盟链中维护属于自己的一个信任清单,只信任自己信任清单中企业组织。用户按照自己所属企业组织的信任清单来认证其他用户的身份。In practice, an enterprise organization may not trust some enterprise organizations on the consortium chain, but only choose to trust the enterprise organization that it believes to be credible, maintain a trust list of its own in the consortium chain, and only trust its own trust list. medium enterprise organization. Users authenticate the identities of other users according to the trust list of their own enterprise organization.

不同企业组织从区块链上调取自己区块链上维护的企业信任清单,例如A企业在区块链上的信任清单中包含B企业,A企业就可以从区块链上调取B企业的主公钥。当B企业组织签发的用户签名的消息到A企业处请求认证时,A企业就可以使用从区块链上信任清单中调取的B企业的主公钥进行认证。因为A企业所调取的B企业的主公公钥是由B企业使用自己在联盟链上的数字身份上传到区块链上的,A企业可以放心的使用,不用担心B企业的主公钥被恶意篡改。Different enterprise organizations retrieve the enterprise trust list maintained on their own blockchain from the blockchain. For example, if company A includes company B in the trust list on the blockchain, company A can retrieve company B from the blockchain. 's primary public key. When the message signed by the user signed by the B company organization requests the authentication from the A company, the A company can use the B company's master public key retrieved from the trust list on the blockchain for authentication. Because the public key of company B transferred by company A is uploaded to the blockchain by company B using its digital identity on the alliance chain, company A can use it with confidence, without worrying about the public key of company B being used by company B. Malicious tampering.

上文通过附图和优选实施例对本发明进行了详细展示和说明,然而本发明不限于这些已揭示的实施例,基与上述多个实施例本领域技术人员可以知晓,可以组合上述不同实施例中的手段得到本发明更多的实施例,这些实施例也在本发明的保护范围之内。The present invention is shown and described in detail above through the accompanying drawings and preferred embodiments. However, the present invention is not limited to these disclosed embodiments. Those skilled in the art can know that the above-mentioned different embodiments can be combined based on the above-mentioned multiple embodiments. More embodiments of the present invention can be obtained by the means in the present invention, and these embodiments are also within the protection scope of the present invention.

Claims (8)

1.基于区块链和SM9算法的跨组织身份认证方法,其特征在于包括如下步骤:1. The cross-organization identity authentication method based on blockchain and SM9 algorithm is characterized by comprising the following steps: 每个企业组织通过KGC生成主密钥对,所述主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;Each enterprise organization generates a master key pair through KGC, and the master key pair is a signature master key pair used for signature and verification, including a master public key and a master private key; 每个企业组织将其主私钥私有保存,将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;Each enterprise organization keeps its master private key privately, uploads and registers its master public key to the alliance chain, and discloses its master public key to other enterprise organizations in the alliance chain; 每个企业组织接收到联盟链中其它企业组织的用户发送的签名消息后,对于被所述企业组织信任的其它企业组织,从联盟链中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签。After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, for other enterprise organization trusted by the enterprise organization, obtain the master public key of the other enterprise organization from the alliance chain, and receive The signed message is verified. 2.根据权利要求1所述的基于区块链和SM9算法的跨组织身份认证方法,其特征在于每个企业组织将其主公钥上传并注册至联盟链后,建立一个信任清单,通过所述信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;2. The cross-organization identity authentication method based on blockchain and SM9 algorithm according to claim 1, characterized in that after each enterprise organization uploads and registers its master public key to the consortium chain, establishes a trust list, The trust list records the master public keys of other enterprise organizations trusted by the enterprise organization in the alliance chain; 每个企业组织接收到联盟链中其它企业组织用户发送的签名消息后,如果所述其它企业组织位于信任清单中,从信任清单中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签。After each enterprise organization receives the signed message sent by the user of other enterprise organization in the alliance chain, if the other enterprise organization is in the trust list, obtains the master public key of the other enterprise organization from the trust list, and signs the received The message is checked. 3.根据权利要求1或2所述的基于区块链和SM9算法的跨组织身份认证方法,其特征在于基于主私钥和用户身份标识、通过KGC生成用户私钥,通过所述用户私钥对待签名的消息进行数字签名的,得到签名消息。3. the cross-organization identity authentication method based on block chain and SM9 algorithm according to claim 1 and 2, it is characterized in that based on master private key and user identity, generate user private key by KGC, by described user private key If the message to be signed is digitally signed, a signed message is obtained. 4.根据权利要求3所述的基于区块链和SM9算法的跨组织身份认证方法,其特征在于其它企业组织的用户发送向企业组织发送签名消息的同时,还发送有所述企业组织对应的主公钥、所述用户对应的用户标识、以及所述签名消息对应的待签名消息;4. The cross-organization identity authentication method based on block chain and SM9 algorithm according to claim 3, it is characterized in that when the user of other enterprise organization sends a signed message to the enterprise organization, it also sends the corresponding information of the enterprise organization. the master public key, the user ID corresponding to the user, and the message to be signed corresponding to the signed message; 所述企业组织以所述主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取所述其它企业组织的主公钥,并对接收的签名消息进行验签,以验证用户身份。The enterprise organization takes the master public key, the user ID, the message to be signed, and the signed message as input, obtains the master public key of the other enterprise organization from the alliance chain, and verifies the received signed message to verify user ID. 5.基于区块链和SM9算法的跨组织身份认证系统,其特征在于用于通过如权利要求1-4任一项所述的基于区块链和SM9算法的跨组织身份认证方法对跨组织的用户身份进行认证,所述系统包括:5. The cross-organizational identity authentication system based on blockchain and SM9 algorithm is characterized in that it is used for cross-organizational identity authentication method based on blockchain and SM9 algorithm as described in any one of claims 1-4. The user identity is authenticated, and the system includes: 联盟链,所述联盟链中包括多个企业组织,每个企业组织均通过其数字身份注册至区块链组成联盟链;Consortium chain, the consortium chain includes multiple enterprise organizations, and each enterprise organization registers to the blockchain through its digital identity to form a consortium chain; 主密钥生成模块,每个企业组织通过所述主密钥管理模块基于KGC生成主密钥对,所述主密钥对为用于签名和验签的签名主密钥对,包括主公钥和主私钥;Master key generation module, each enterprise organization generates a master key pair based on KGC through the master key management module, and the master key pair is a signature master key pair used for signature and verification, including the master public key and the master private key; 主密钥管理模块,每个企业组织通过所述主密钥管理模块私有其主私钥,并通过所述主密钥管理模块将其主公钥上传并注册至联盟链,向联盟链中其它企业组织公开其主公钥;Master key management module, each enterprise organization privately owns its master private key through the master key management module, and uploads and registers its master public key to the consortium chain through the master key management module, and transfers it to other organizations in the consortium chain. The enterprise organization discloses its master public key; 签名模块,作为签名方的企业组织的用户通过所述签名模块对待签名消息进行数字签名得到签名消息,并将签名消息发送至联盟链中其它企业组织;The signature module, the user of the enterprise organization as the signer obtains the signature message by digitally signing the message to be signed through the signature module, and sends the signature message to other enterprise organizations in the alliance chain; 验签模块,作为验签方的企业组织接收到签名消息后,通过所述验签模块判断作为签名方的企业组织是否被信任,如果是,从联盟链中获取所述作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签。The signature verification module, after the enterprise organization as the signature verification party receives the signed message, judges whether the enterprise organization as the signature party is trusted through the signature verification module, and if so, obtains the enterprise organization as the signature party from the alliance chain. The corresponding master public key, and verify the received signed message. 6.根据权利要求5基于区块链和SM9算法的跨组织身份认证系统,其特征在于还包括:6. according to claim 5 based on block chain and the cross-organizational identity authentication system of SM9 algorithm, it is characterized in that also comprising: 信任清单构建模块,每个企业组织通过所述信任清单构建模块建立一个信任清单,通过所述信任清单记录联盟链中所述企业组织信任的其他企业组织的主公钥;a trust list building module, each enterprise organization establishes a trust list through the trust list building module, and records the master public keys of other enterprise organizations trusted by the enterprise organization in the alliance chain through the trust list; 作为验签方的企业组织通过所述验签模块读取其信任清单,并验证作为签名方的企业组织是否被信任,如果作为签名方的企业组织位于信任清单中,从信任清单中获取作为签名方的企业组织对应的主公钥,并通过所述验签模块对接收的签名消息进行验签。The enterprise organization as the signer reads its trust list through the signature verification module, and verifies whether the enterprise organization as the signer is trusted. If the enterprise organization as the signer is in the trust list, obtain the signature from the trust list as the signature The main public key corresponding to the party's enterprise organization is verified, and the received signature message is verified by the signature verification module. 7.根据权利要求5或6所述的基于区块链和SM9算法的跨组织身份认证系统,其特征在于所述签名模块用于基于主私钥和用户身份标识、通过KGC生成用户私钥,通过所述用户私钥对待签名的消息进行数字签名的,得到签名消息。7. the cross-organization identity authentication system based on block chain and SM9 algorithm according to claim 5 or 6, it is characterized in that described signature module is used to generate user private key by KGC based on master private key and user identity, A signed message is obtained by digitally signing the message to be signed by the user's private key. 8.根据权利要求7所述的基于区块链和SM9算法的跨组织身份认证系统,其特征在于通过签名模块发送签名消息的同时,还发送有作为验签方的企业组织对应的主公钥、用户对应的用户标识、以及签名消息对应的待签名消息;8. The cross-organization identity authentication system based on block chain and SM9 algorithm according to claim 7, is characterized in that while sending the signed message through the signature module, also send the master public key corresponding to the enterprise organization as the signature verification party , the user ID corresponding to the user, and the message to be signed corresponding to the signed message; 所述验签模块用于以主公钥、用户标识、待签名消息以及签名消息作为输入,从联盟链中获取作为签名方的企业组织对应的主公钥,并对接收的签名消息进行验签,以验证用户身份。The signature verification module is used to take the main public key, the user ID, the message to be signed and the signed message as input, obtain the main public key corresponding to the enterprise organization as the signer from the alliance chain, and verify the signature of the received signed message. , to authenticate the user.
CN202210121174.8A 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on blockchain and SM9 algorithm Pending CN114499883A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210121174.8A CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on blockchain and SM9 algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210121174.8A CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on blockchain and SM9 algorithm

Publications (1)

Publication Number Publication Date
CN114499883A true CN114499883A (en) 2022-05-13

Family

ID=81478382

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210121174.8A Pending CN114499883A (en) 2022-02-09 2022-02-09 Cross-organization identity authentication method and system based on blockchain and SM9 algorithm

Country Status (1)

Country Link
CN (1) CN114499883A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277009A (en) * 2022-07-01 2022-11-01 浪潮软件股份有限公司 Signature method and system based on block chain and SM9 algorithm
CN115589303A (en) * 2022-07-11 2023-01-10 昆明理工大学 Data sharing and privacy protection method based on SM9 algorithm and cross-chain technology
CN115834085A (en) * 2022-12-05 2023-03-21 中电科大数据研究院有限公司 Method and device for generating signature and method and device for security authentication
CN116170148A (en) * 2022-10-28 2023-05-26 成都国泰网信科技有限公司 A Fast Signature Verification Method Based on SM9

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138560A (en) * 2019-06-04 2019-08-16 北京理工大学 A kind of dual-proxy cross-domain authentication method based on id password and alliance's chain
CN111010272A (en) * 2019-12-20 2020-04-14 武汉理工大学 A kind of identification private key generation and digital signature method, system and device
CN111262691A (en) * 2020-01-07 2020-06-09 武汉理工大学 Identification private key generation and use method, system and device based on hybrid master key
WO2020140931A1 (en) * 2019-01-03 2020-07-09 菜鸟智能物流控股有限公司 Blockchain access control method and apparatus, and electronic device
WO2020237751A1 (en) * 2019-05-27 2020-12-03 国家电网有限公司 Method and device employing smart contract to realize identity-based key management
CN112069547A (en) * 2020-07-29 2020-12-11 北京农业信息技术研究中心 Supply chain responsibility main body identity authentication method and system
CN113987546A (en) * 2021-11-05 2022-01-28 浪潮云信息技术股份公司 Alliance chain system based on identification password system
CN114006708A (en) * 2020-07-13 2022-02-01 山东爱城市网信息技术有限公司 Key center authentication method and device based on block chain

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020140931A1 (en) * 2019-01-03 2020-07-09 菜鸟智能物流控股有限公司 Blockchain access control method and apparatus, and electronic device
WO2020237751A1 (en) * 2019-05-27 2020-12-03 国家电网有限公司 Method and device employing smart contract to realize identity-based key management
CN110138560A (en) * 2019-06-04 2019-08-16 北京理工大学 A kind of dual-proxy cross-domain authentication method based on id password and alliance's chain
CN111010272A (en) * 2019-12-20 2020-04-14 武汉理工大学 A kind of identification private key generation and digital signature method, system and device
CN111262691A (en) * 2020-01-07 2020-06-09 武汉理工大学 Identification private key generation and use method, system and device based on hybrid master key
CN114006708A (en) * 2020-07-13 2022-02-01 山东爱城市网信息技术有限公司 Key center authentication method and device based on block chain
CN112069547A (en) * 2020-07-29 2020-12-11 北京农业信息技术研究中心 Supply chain responsibility main body identity authentication method and system
CN113987546A (en) * 2021-11-05 2022-01-28 浪潮云信息技术股份公司 Alliance chain system based on identification password system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277009A (en) * 2022-07-01 2022-11-01 浪潮软件股份有限公司 Signature method and system based on block chain and SM9 algorithm
CN115589303A (en) * 2022-07-11 2023-01-10 昆明理工大学 Data sharing and privacy protection method based on SM9 algorithm and cross-chain technology
CN115589303B (en) * 2022-07-11 2024-02-27 昆明理工大学 SM9 algorithm and cross-link technology based data sharing and privacy protection method
CN116170148A (en) * 2022-10-28 2023-05-26 成都国泰网信科技有限公司 A Fast Signature Verification Method Based on SM9
CN115834085A (en) * 2022-12-05 2023-03-21 中电科大数据研究院有限公司 Method and device for generating signature and method and device for security authentication

Similar Documents

Publication Publication Date Title
CN113014392B (en) Block chain-based digital certificate management method, system, equipment and storage medium
CN101674304B (en) Network identity authentication system and method
CN110581768B (en) Registration login system based on block chain zero-knowledge proof and application
CN114499883A (en) Cross-organization identity authentication method and system based on blockchain and SM9 algorithm
CN112039872A (en) Cross-domain anonymous authentication method and system based on block chain
CN108768988A (en) Block chain access control method, equipment and computer readable storage medium
US20090240936A1 (en) System and method for storing client-side certificate credentials
CN108270571A (en) Internet of Things identity authorization system and its method based on block chain
US20070081667A1 (en) User authentication based on asymmetric cryptography utilizing RSA with personalized secret
US10742426B2 (en) Public key infrastructure and method of distribution
Toorani et al. LPKI-a lightweight public key infrastructure for the mobile environments
CN113301022A (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
Chalaemwongwan et al. A practical national digital ID framework on blockchain (NIDBC)
CN108900309B (en) Authentication method and authentication system
JP2023503607A (en) Method and device for automatic digital certificate verification
CN109327309A (en) A kind of domain traversal key management method based on IBC Yu PKI mixed system
CN109981287A (en) A kind of code signature method and its storage medium
CN108494559B (en) Electronic contract signing method based on semi-trusted third party
CN115174091A (en) Homomorphic encryption privacy protection method for distributed digital identity
Gulati et al. Self-sovereign dynamic digital identities based on blockchain technology
NL1043779B1 (en) Method for electronic signing and authenticaton strongly linked to the authenticator factors possession and knowledge
CN110851859B (en) Authentication method of distributed authority node block chain system with (n, t) threshold
CN114584323B (en) Lattice-based proxy signature and verification method, device, equipment and storage medium
US7366911B2 (en) Methods and apparatus for computationally-efficient generation of secure digital signatures
CN116366239A (en) Cloud auditing method and system for anonymous data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220513

RJ01 Rejection of invention patent application after publication