CN114785515A - Edge calculation identity authentication method and system based on block chain - Google Patents

Info

Publication number: CN114785515A
Authority: CN (China)
Prior art keywords: certificate, identity, node, serial number, request
Legal status: Granted, Active
Application number: CN202210320479.1A
Other languages: Chinese (zh)
Other versions: CN114785515B (en)
Inventors: 张锐, 高碧柔
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202210320479.1A
Publication of CN114785515A
Application granted
Publication of CN114785515B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses an edge computing identity authentication method and system based on a blockchain, in which an edge node in the blockchain serves as an authentication server to register, authenticate, revoke and update the identities of Internet of Things device nodes. This solves the single point of failure and multi-CA mutual trust problems of traditional PKI and achieves low-latency, high-reliability identity authentication.

Description

Edge calculation identity authentication method and system based on block chain
Technical Field
The invention belongs to the technical field of communication, and relates to an edge computing identity authentication method and system based on a block chain.
Background
With the rapid development of Internet of Things technology, edge computing is gradually emerging. Edge computing is mainly deployed on terminal devices: data analysis, processing and decision control are performed at the edge of the network without uploading data to the cloud, which shares the load of cloud computing and addresses problems such as limited energy, limited bandwidth and data security. However, Internet of Things devices deployed at large scale are managed by separate dedicated systems and business departments, with differences in authentication modes, certificate formats and so on, so that multiple distinct trust domains are formed. Unified management and cross-domain interaction of Internet of Things devices are urgently needed.
Traditional Internet of Things identity authentication is mainly based on Public Key Infrastructure (PKI): each Internet of Things device uses a digital certificate as proof of the validity of its identity to achieve mutual authentication. For devices that are not in the same trust domain, cross-domain authentication can be achieved only by bridging certificates, or by registering in several trust domains and holding several certificates.
The advent of blockchain technology offers new possibilities for solving the edge computing authentication problem. As a distributed trust environment, a blockchain ensures that mutually untrusting nodes in a peer-to-peer network architecture eventually reach an agreed state, addressing identity authority, data security and privacy protection under decentralized conditions. Blockchain technology builds a chained block structure; nodes in the network generate, update and verify data based on a consensus algorithm and maintain identical copies of a distributed ledger, which is hard to tamper with, traceable and so on.
To achieve efficient and reliable edge computing identity authentication, the invention uses blockchain technology to build a distributed public key infrastructure. By adding the certificate authorities (CAs) of multiple trust domains to the blockchain, it solves identity authentication across different trust domains and supports functions such as identity registration and identity revocation for Internet of Things devices.
To keep network information security independently controllable and to improve encryption and decryption efficiency, the invention designs a digital certificate based on the Chinese national cryptographic algorithms. SM3 is a hash algorithm whose security is equivalent to SHA256; SM2 is an asymmetric cryptographic algorithm that uses elliptic curve cryptography and, compared with the RSA algorithm of traditional certificates, offers higher security and faster computation.
With blockchain technology at its core, the method and system solve cross-domain identity authentication in edge computing: Internet of Things devices can be added and withdrawn dynamically, the issuance and revocation of digital certificates are traceable on chain, multiple certificate authorities are integrated, the cross-domain authentication path is shortened, and autonomy is improved by adopting the national cryptographic algorithms, achieving low-latency, high-reliability cross-domain authentication of Internet of Things devices.
Disclosure of Invention
The invention aims to solve problems such as the long response time and low security of identity authentication in existing Internet of Things scenarios, and provides a blockchain-based edge computing identity authentication method and system.
To achieve this purpose, the invention adopts the following technical scheme:
An edge computing identity registration method based on a blockchain, applied to an edge node enode, wherein the blockchain is generated from blocks created by each edge node, the method comprising the following steps:
receiving an identity registration request from a first Internet of Things device node, wherein the first Internet of Things device node is in the trust domain of the edge node, and the identity registration request comprises: the number tid, the public key tpk and the identity proof material of the first Internet of Things device node;
for identity proof material that passes review, setting the validity start time and validity end time of a digital certificate, and generating the certificate serial number of the digital certificate;
generating a signature tsig based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and the number of the edge node enode, the validity start time and the validity end time;
and generating a digital certificate based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and the number of the edge node, the validity start time, the validity end time and the signature tsig, and returning it to the first Internet of Things device node.
Further, the first Internet of Things device node generates the identity registration request by:
randomly generating an integer $d_t \leftarrow Z_q$, where $Z_q$ is the residue class set $\{0, 1, \ldots, q-1\}$ and $q$ is the size of the finite field $F_q$;
calculating the point $P_t = d_t \cdot G$ on the elliptic curve $E(F_q)$, where $G$ is a base point on $E(F_q)$;
obtaining the private key $tsk = d_t$ and the public key $tpk = P_t$;
and generating the identity registration request based on the number tid, the public key tpk and the identity proof material of the first Internet of Things device node.
Further, generating the signature tsig based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and the number of the edge node, the validity start time and the validity end time includes:
calculating, using the SM3 algorithm, the hash value $h_t$ of the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and the number of the edge node, the validity start time and the validity end time;
randomly choosing an integer $k_t \leftarrow Z_q$, where $Z_q$ is the residue class set $\{0, 1, \ldots, q-1\}$ and $q$ is the size of the finite field $F_q$;
calculating the point $(x_2, y_2) = k_t \cdot G$ on the elliptic curve $E(F_q)$, where $G$ is a base point on $E(F_q)$;
calculating the parameter $r_t = (h_t + x_2) \bmod q$;
calculating the parameter $s_t = (1 + d_e)^{-1}(k_e - r_t \cdot d_e)$, where $d_e$ is the private key of the edge node and the integer $k_e \leftarrow Z_q$;
obtaining the signature $tsig = (r_t, s_t)$.
An edge computing identity authentication method based on a blockchain, applied to an edge node enode, comprising the following steps:
receiving an identity authentication request from a second Internet of Things device node together with a digital certificate generated by any one of the methods of claims 1-3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity authentication request comprises: the authentication request initiation time and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity authentication request and the certificate revocation list;
and if the digital certificate is valid, judging that the second Internet of Things device node is legitimate.
Further, verifying the validity of the digital certificate based on the identity authentication request and the certificate revocation list includes:
extracting the number and the public key of the second Internet of Things device node from the digital certificate, and comparing them with the number tid' and the public key tpk' of the second Internet of Things device node in the identity authentication request;
and,
extracting the validity start time and validity end time from the digital certificate, and judging whether the authentication request initiation time is within the validity period;
and,
extracting the certificate serial number from the digital certificate, and judging, with the certificate revocation list, whether the certificate has been revoked;
and,
extracting the name and the number of the edge node enode' from the digital certificate, and comparing them with the name and the number of the edge node enode:
if they are consistent, judging that the certificate issuer is valid;
and if they are inconsistent, downloading the self-signed certificate of the edge node enode' from the blockchain to judge whether the certificate issuer is valid.
Further, determining whether the certificate issuer is valid by downloading the self-signed certificate of the edge node from the blockchain includes:
extracting the public key epk of the edge node enode' from the self-signed certificate;
based on the public key epk of the edge node enode', calculating, using the SM3 algorithm, the hash value $h_t'$ of the digital certificate serial number, the number tid', the public key tpk', the name and number of the edge node enode', the validity start time and the validity end time;
extracting the signature $tsig = (r_t, s_t)$ from the digital certificate;
calculating the point $(x_2', y_2') = s_t \cdot G + (r_t + s_t) \cdot epk$ on the elliptic curve $E(F_q)$, where $F_q$ is a finite field and $G$ is a base point on $E(F_q)$;
determining whether the certificate issuer is valid by verifying whether $r_t = (h_t' + x_2') \bmod q$ holds, where $q$ is the size of the finite field $F_q$.
An edge computing identity revocation method based on a blockchain, applied to an edge node enode, comprising the following steps:
receiving an identity revocation request from a second Internet of Things device node together with a digital certificate generated by the method of any of claims 1 to 3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity revocation request comprises: the identity revocation request initiation time, a revocation request identifier, and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity revocation request and the certificate revocation list;
and if the digital certificate is valid, updating and uploading the certificate revocation list.
An edge computing identity updating method based on a blockchain, applied to an edge node enode, comprising the following steps:
receiving an identity update request from a second Internet of Things device node together with a digital certificate generated by any of the methods of claims 1-3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity update request comprises: the identity update request initiation time, an update request identifier, and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity update request and the certificate revocation list;
and if the digital certificate is valid, updating the digital certificate and returning it.
A storage medium having a computer program stored therein, wherein the computer program is arranged to perform any of the above methods when executed.
An edge computing identity authentication system based on a blockchain, comprising:
an Internet of Things device node, configured to: generate an identity registration request comprising the number tid, the public key tpk and the identity proof material of the Internet of Things device node; generate an identity authentication request comprising the authentication request initiation time and the number tid and the public key tpk of the Internet of Things device node; generate an identity revocation request comprising the identity revocation request initiation time, a revocation request identifier, and the number tid and the public key tpk of the Internet of Things device node; and generate an identity update request comprising the identity update request initiation time, an update request identifier, and the number tid and the public key tpk of the Internet of Things device node;
an edge node, configured to create blocks to generate the blockchain; and,
receive an identity registration request from an Internet of Things device node in its trust domain;
for identity proof material that passes review, set the validity start time and validity end time of a digital certificate, and generate the certificate serial number of the digital certificate;
generate a signature tsig based on the certificate serial number, the number tid and the public key tpk of the Internet of Things device node, the name and the number of the edge node, the validity start time and the validity end time;
generate a digital certificate based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and the number of the edge node, the validity start time, the validity end time and the signature tsig, and return it to the Internet of Things device node;
and,
receive an identity authentication request and a digital certificate from an Internet of Things device node in any trust domain, and download a certificate revocation list from the blockchain;
verify the validity of the digital certificate based on the identity authentication request and the certificate revocation list;
if the digital certificate is valid, judge that the Internet of Things device node is legitimate;
and,
receive an identity revocation request and a digital certificate from an Internet of Things device node in any trust domain, and download a certificate revocation list from the blockchain;
verify the validity of the digital certificate based on the identity revocation request and the certificate revocation list;
if the digital certificate is valid, update and upload the certificate revocation list;
and,
receive an identity update request and a digital certificate from an Internet of Things device node in any trust domain, and download a certificate revocation list from the blockchain;
verify the validity of the digital certificate based on the identity update request and the certificate revocation list;
and if the digital certificate is valid, update the digital certificate and return it.
Compared with the prior art, the invention has the following advantages:
(1) a distributed authentication mechanism is built on blockchain technology and is suited to edge computing scenarios; edge nodes and Internet of Things device nodes can be adjusted dynamically, and the single point of failure and multi-CA mutual trust problems of traditional PKI are solved;
(2) in the identity registration, authentication, revocation and update methods for Internet of Things devices, the digital certificates and the certificate revocation list are stored on chain and maintained jointly by all nodes of the blockchain network; blocks on the chain cannot be modified or deleted, so certificate transparency and revocation transparency are achieved;
(3) a digital certificate compatible with the national cryptographic algorithms is designed: the hash algorithm of the traditional digital certificate is replaced by the SM3 algorithm and the asymmetric cryptographic algorithm by the SM2 algorithm, realizing domestic adaptation of the digital certificate and ensuring that the technology is independently controllable.
Drawings
Fig. 1 is a block chain-based edge computing identity authentication system architecture diagram.
Fig. 2 is a system initialization flow diagram.
Fig. 3 is a device identity registration flow diagram.
Fig. 4 is a flow chart of device identity authentication.
Fig. 5 is a device identity revocation flow diagram.
Fig. 6 is a device identity update flow chart.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to specific embodiments thereof and with reference to the accompanying drawings.
This embodiment discloses an edge computing identity authentication system based on a blockchain, comprising a blockchain network composed of edge nodes and Internet of Things device nodes, as shown in fig. 1. Suppose there are n edge nodes and m Internet of Things device nodes. The Internet of Things device nodes are the applicants, owners and users of digital certificates. Each is embedded with a blockchain chip that provides functions such as putting data on chain and querying and downloading on-chain data; the nodes are responsible for data acquisition, transmission and intelligent processing, and can send identity registration, authentication, revocation and update requests to the edge nodes. The edge nodes are the managers of the Internet of Things device node certificates. Each is embedded with a blockchain chip that runs a consensus algorithm and provides functions such as block generation, block verification, putting data on chain, and querying and downloading on-chain data; the edge nodes are responsible for issuing digital certificates to Internet of Things device nodes, authenticating, revoking or updating their identities, and analyzing and processing the sensing data they upload.
The embodiment also discloses an edge computing identity authentication method based on the block chain, which is realized based on the system and comprises the following steps:
Step 1: System initialization;
The specific implementation is shown in fig. 2 and includes the following sub-steps:
Step 1.1: The edge node enode selects the elliptic curve system parameters, comprising the size $q$ of the finite field $F_q$, the parameters $a, b \in F_q$ of the equation $y^2 = x^3 + ax + b$ of the elliptic curve $E(F_q)$, the base point $G = (x_G, y_G)$ on $E(F_q)$, and the order $n$ of $G$;
Step 1.2: The edge node enode randomly generates an integer $d_e \leftarrow Z_q$, where $Z_q$ is the residue class set $\{0, 1, \ldots, q-1\}$, calculates the point $P_e = (x_{P_e}, y_{P_e}) = d_e \cdot G$, and obtains the private key $esk = d_e$ and the public key $epk = P_e$;
Step 1.3: The edge node enode has number eid and public key epk. It calculates the hash value $h_e$ of (eid, epk) using the SM3 algorithm, randomly chooses an integer $k_e \leftarrow Z_q$, calculates the point $(x_1, y_1) = k_e \cdot G$, calculates $r_e = (h_e + x_1) \bmod q$ and $s_e = (1 + d_e)^{-1}(k_e - r_e \cdot d_e)$, and obtains the signature $esig = (r_e, s_e)$;
Step 1.4: The edge node enode issues itself a self-signed certificate eCert = (eid, epk, esig), which includes the number eid of the edge node, the public key epk, and the signature esig over (eid, epk);
Step 1.5: The edge node enode creates the genesis block and synchronizes it to the other edge nodes in the blockchain network;
Step 1.6: The edge node enode uploads the self-signed certificate eCert to the blockchain for storage.
Step 2: Device identity registration;
The specific implementation is shown in fig. 3 and includes the following sub-steps:
Step 2.1: The Internet of Things device node tnode randomly generates an integer $d_t \leftarrow Z_q$, calculates the point $P_t = (x_{P_t}, y_{P_t}) = d_t \cdot G$, and obtains the private key $tsk = d_t$ and the public key $tpk = P_t$;
Step 2.2: The Internet of Things device node tnode sends an identity registration request reg = (tid, tpk, cond) to the edge node enode in its trust domain, where the request includes the number tid and the public key tpk of the Internet of Things device node tnode and auxiliary information cond such as identity proof material;
Step 2.3: After receiving the request reg, the edge node enode reviews the identity proof material cond submitted by the Internet of Things device node;
Step 2.4: After the review passes, the edge node enode sets the validity start time notBefore and the validity end time notAfter of the digital certificate, generates the certificate serial number cnum, calculates the hash value $h_t$ of (cnum, tid, tpk, (enode, eid), (notBefore, notAfter)) using the SM3 algorithm, randomly chooses an integer $k_t \leftarrow Z_q$, calculates the point $(x_2, y_2) = k_t \cdot G$, calculates $r_t = (h_t + x_2) \bmod q$ and $s_t = (1 + d_e)^{-1}(k_e - r_t \cdot d_e)$, and obtains the signature $tsig = (r_t, s_t)$;
Step 2.5: The edge node enode issues the digital certificate tCert = (cnum, tid, tpk, (enode, eid), (notBefore, notAfter), tsig) to the Internet of Things device node tnode. It includes the certificate serial number cnum, the number tid and the public key tpk of the Internet of Things device node tnode, the name and number (enode, eid) of the certificate issuer, the certificate validity period (notBefore, notAfter), and the signature tsig of the edge node enode;
Step 2.6: The edge node enode calls the data upload interface through its embedded blockchain chip, publishes the certificate tCert to the blockchain, and sends the on-chain location addr of the certificate tCert to the Internet of Things device node tnode;
Step 2.7: The Internet of Things device node tnode calls the blockchain data download interface through its embedded blockchain chip to download the certificate tCert.
Step 3: device identity authentication;
The specific implementation is shown in Fig. 4 and includes the following sub-steps:
Step 3.1: the Internet of Things device node tnode sends an identity authentication request log = (tid, tpk, date) together with the certificate tCert to an edge node enode', wherein the request comprises the number tid of the Internet of Things device node tnode, its public key tpk and the request initiation time date, and enode' and enode may not be in the same trust domain;
Step 3.2: the edge node enode' extracts the identity information (tid, tpk) from the identity authentication request log and from the certificate tCert respectively, and compares the two to determine whether they are consistent;
Step 3.3: if the identity information is consistent, the edge node enode' extracts the validity period (notBefore, notAfter) from the certificate tCert, extracts the initiation time date from the request log, and verifies whether the request initiation time is within the validity period;
Step 3.4: if the certificate has not expired, the edge node enode' downloads the certificate revocation list crl from the blockchain, extracts the certificate serial number cnum from the certificate tCert, and checks whether crl contains cnum; if it does, the certificate has been revoked;
Step 3.5: if the certificate has not been revoked, the edge node enode' extracts the certificate issuer information (enode, eid) from the certificate tCert; if enode ≠ enode' and eid ≠ eid', the edge node enode' downloads the self-signed certificate eCert corresponding to (enode, eid) from the blockchain and extracts the public key epk from eCert; it then uses the SM3 algorithm to compute the hash value $h_t'$ of (cnum, tid, tpk, (enode, eid), (notBefore, notAfter)), extracts the signature $tsig = (r_t, s_t)$ from the certificate tCert, computes $(x_2', y_2') = s_t \cdot G + (r_t + s_t) \cdot epk$, and verifies whether $r_t = (h_t' + x_2') \bmod q$ holds; if it holds, the identity authentication is valid;
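The issuance in steps 2.4-2.5 and the checks in steps 3.2-3.5, as an added Python example (not code from the patent). Its assumptions: the SM2 recommended curve, one nonce k used for both (x2, y2) and s_t, a repr()-based field encoding, an in-memory set for the CRL and a dict of issuer public keys in place of the blockchain lookups, and SHA-256 as a stand-in where the local hashlib has no SM3.

```python
import hashlib, secrets

# SM2 recommended curve (GB/T 32918.5), a = p - 3; b is not needed by the formulas below.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # order of G
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add, illustrative only (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(cert):
    """h_t over (cnum, tid, tpk, issuer, validity); the repr() encoding is an assumption."""
    body = repr(tuple(cert[f] for f in ("cnum", "tid", "tpk", "issuer", "validity"))).encode()
    try:
        h = hashlib.new("sm3", body).digest()   # SM3 if this OpenSSL build provides it
    except ValueError:
        h = hashlib.sha256(body).digest()       # labelled stand-in otherwise
    return int.from_bytes(h, "big")

def sign(d_e, h):
    """Step 2.4, using the same nonce k for (x2, y2) = kG and for s (assumption)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (h + mul(k, G)[0]) % N
        s = pow(1 + d_e, -1, N) * (k - r * d_e) % N
        if r and s and (r + k) % N:
            return r, s

def verify(epk, h, sig):
    """Step 3.5: sG + (r+s)*epk = (s(1+d_e) + r*d_e)G = kG, so x2' equals x2."""
    r, s = sig
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0:
        return False
    pt = add(mul(s, G), mul((r + s) % N, epk))
    return pt is not None and (h + pt[0]) % N == r

def issue(d_e, issuer, cnum, tid, tpk, validity):  # step 2.5: assemble tCert, attach tsig
    cert = dict(cnum=cnum, tid=tid, tpk=tpk, issuer=issuer, validity=validity)
    cert["tsig"] = sign(d_e, digest(cert))
    return cert

def authenticate(log, cert, crl, issuer_keys):
    """Steps 3.2-3.5 in order; returns (ok, reason)."""
    tid, tpk, date = log
    if (tid, tpk) != (cert["tid"], cert["tpk"]):
        return False, "identity mismatch"
    if not cert["validity"][0] <= date <= cert["validity"][1]:
        return False, "outside validity period"
    if cert["cnum"] in crl:
        return False, "revoked"
    epk = issuer_keys.get(cert["issuer"])  # stands in for the on-chain eCert lookup
    if epk is None or not verify(epk, digest(cert), cert["tsig"]):
        return False, "bad issuer signature"
    return True, "ok"
```

Because the signature covers every certificate field, altering the validity period or the public key after issuance makes the last check fail even when the earlier checks pass.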
Step 4: device identity revocation;
The specific implementation is shown in Fig. 5 and includes the following sub-steps:
Step 4.1: the Internet of Things device node tnode sends an identity revocation request rev = (tid, tpk, date, "revoke") together with the certificate tCert to the edge node enode', wherein "revoke" is the revocation request identifier;
Step 4.2: the edge node enode' performs step 3 to authenticate the identity of the Internet of Things device node tnode; if the authentication passes, it extracts the certificate serial number cnum from the certificate tCert, downloads the latest certificate revocation list crl = (seq, ersig) from the blockchain, which comprises the list seq of revoked certificate serial numbers and its signature ersig, and checks whether seq contains the certificate serial number cnum;
Step 4.3: if cnum is not included, the edge node enode' appends the certificate serial number cnum to the revoked certificate serial number list seq to obtain seq' = seq || cnum, generates a signature ersig' for seq', calls the data upload interface, and uploads the updated certificate revocation list crl' = (seq', ersig') to the blockchain.
Step 5: device identity update;
The specific implementation is shown in Fig. 6 and includes the following sub-steps:
Step 5.1: the Internet of Things device node tnode sends an identity update request up = (tid, tpk, date, notBefore', notAfter', tpk', "update") together with the certificate tCert, wherein "update" is the update request identifier; if only the public key in the certificate is updated, (notBefore', notAfter') = (notBefore, notAfter) and tpk' ≠ tpk; if only the certificate validity period is updated, (notBefore', notAfter') ≠ (notBefore, notAfter) and tpk' = tpk;
Step 5.2: the edge node enode' performs step 3 to authenticate the identity of the Internet of Things device node tnode; if the authentication passes, it signs the certificate contents (cnum, tid, tpk', (enode, eid), (notBefore', notAfter')) and obtains the updated certificate tCert' = (cnum, tid, tpk', (enode, eid), (notBefore', notAfter'), tsig');
Step 5.3: the edge node enode' calls the data upload interface through its embedded blockchain chip, publishes the certificate tCert' to the blockchain, and sends the on-chain location addr' of the certificate tCert' to the Internet of Things device node tnode;
Step 5.4: the Internet of Things device node tnode calls the blockchain data download interface through its embedded blockchain chip and downloads the updated certificate tCert'.
Although the present invention has been described with reference to the above embodiments, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. An edge computing identity registration method based on a blockchain, applied to an edge node enode, wherein the blockchain is generated from blocks created by each edge node, the method comprising:
receiving an identity registration request of a first Internet of Things device node, wherein the first Internet of Things device node is in the trust domain of the edge node enode, and the identity registration request comprises: the number tid, the public key tpk and the identity certification material of the first Internet of Things device node;
setting a validity start time and a validity end time of a digital certificate for identity certification material that passes review, and generating a certificate serial number of the digital certificate;
generating a signature tsig based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and number of the edge node enode, the validity start time and the validity end time;
and generating and returning a digital certificate to the first Internet of Things device node based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and number of the edge node enode, the validity start time, the validity end time and the signature tsig.
2. The method of claim 1, wherein the first Internet of Things device node generates the identity registration request by:
randomly generating an integer $d_t \leftarrow Z_q$, wherein $Z_q$ is the residue set {0, 1, …, q-1} and q is the size of the finite field $F_q$;
computing a point $P_t = d_t G$ on the elliptic curve $E(F_q)$, wherein G is a base point on the elliptic curve $E(F_q)$;
obtaining the private key $tsk = d_t$ and the public key $tpk = P_t$;
and generating the identity registration request based on the number tid, the public key tpk and the identity certification material of the first Internet of Things device node.
3. The method of claim 1, wherein generating a signature tsig based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and number of the edge node enode, the validity start time and the validity end time comprises:
using the SM3 algorithm to compute the hash value $h_t$ of the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and number of the edge node enode, the validity start time and the validity end time;
randomly selecting an integer $k_t \leftarrow Z_q$, wherein $Z_q$ is the residue set {0, 1, …, q-1} and q is the size of the finite field $F_q$;
computing a point $(x_2, y_2) = k_t G$ on the elliptic curve $E(F_q)$, wherein G is a base point on the elliptic curve $E(F_q)$;
computing the parameter $r_t = (h_t + x_2) \bmod q$;
computing the parameter $s_t = (1 + d_e)^{-1}(k_e - r_t \cdot d_e)$, wherein $d_e$ is the private key of the edge node enode and the integer $k_e \leftarrow Z_q$;
obtaining the signature $tsig = (r_t, s_t)$.
4. An edge computing identity authentication method based on a blockchain, applied to an edge node enode, the method comprising:
receiving an identity authentication request of a second Internet of Things device node and a digital certificate generated by the method of any one of claims 1-3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity authentication request comprises: the authentication request initiation time and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity authentication request and the certificate revocation list;
and if the digital certificate is valid, judging that the second Internet of Things device node is legitimate.
5. The method of claim 4, wherein verifying the validity of the digital certificate based on the identity authentication request and the certificate revocation list comprises:
extracting the number and the public key of the second Internet of Things device node from the digital certificate, and comparing them with the number tid' and the public key tpk' of the second Internet of Things device node in the identity authentication request;
and,
extracting the validity start time and the validity end time from the digital certificate, and judging whether the authentication request initiation time is within the validity period;
and,
extracting the certificate serial number from the digital certificate, and judging whether the certificate has been revoked by checking it against the certificate revocation list;
and,
extracting the name and number of the edge node enode' from the digital certificate, and comparing them with the edge node enode:
if they are consistent, judging that the certificate issuer is valid;
and if not, downloading the self-signed certificate of the edge node enode' from the blockchain to judge whether the certificate issuer is valid.
6. The method of claim 5, wherein judging whether the certificate issuer is valid by downloading the self-signed certificate of the edge node enode' from the blockchain comprises:
extracting the public key epk of the edge node enode' from the self-signed certificate;
based on the public key epk of the edge node enode' and using the SM3 algorithm, computing the hash value $h_t'$ of the certificate serial number of the digital certificate, the number tid', the public key tpk', the name and number of the edge node enode', the validity start time and the validity end time;
extracting the signature $tsig = (r_t, s_t)$ from the digital certificate;
computing a point $(x_2', y_2') = s_t \cdot G + (r_t + s_t) \cdot epk$ on the elliptic curve $E(F_q)$, wherein $F_q$ is a finite field and G is a base point on the elliptic curve $E(F_q)$;
determining whether the certificate issuer is valid by verifying whether $r_t = (h_t' + x_2') \bmod q$ holds, wherein q is the size of the finite field $F_q$.
7. An edge computing identity revocation method based on a blockchain, applied to an edge node enode, the method comprising:
receiving an identity revocation request of a second Internet of Things device node and a digital certificate generated by the method of any one of claims 1-3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity revocation request comprises: the identity revocation request initiation time, the revocation request identifier, and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity revocation request and the certificate revocation list;
and if the digital certificate is valid, updating and uploading the certificate revocation list.
8. An edge computing identity update method based on a blockchain, applied to an edge node enode, the method comprising:
receiving an identity update request of a second Internet of Things device node and a digital certificate generated by the method of any one of claims 1-3, and downloading a certificate revocation list from the blockchain, wherein the second Internet of Things device node is in any trust domain of the blockchain, and the identity update request comprises: the identity update request initiation time, the update request identifier, and the number tid' and the public key tpk' of the second Internet of Things device node;
verifying the validity of the digital certificate based on the identity update request and the certificate revocation list;
and if the digital certificate is valid, updating and returning the digital certificate.
9. A storage medium having a computer program stored thereon, wherein the computer program is arranged to, when executed, perform the method of any of claims 1-8.
10. An edge computing identity authentication system based on a blockchain, comprising:
an Internet of Things device node, configured to generate an identity registration request, the identity registration request comprising: the number tid, the public key tpk and the identity certification material of the Internet of Things device node; to generate an identity authentication request, the identity authentication request comprising: the authentication request initiation time and the number tid and the public key tpk of the Internet of Things device node; to generate an identity revocation request, the identity revocation request comprising: the identity revocation request initiation time, the revocation request identifier, and the number tid and the public key tpk of the Internet of Things device node; and to generate an identity update request, the identity update request comprising: the identity update request initiation time, the update request identifier, and the number tid and the public key tpk of the Internet of Things device node;
an edge node, configured to create blocks to generate the blockchain; and,
receiving an identity registration request of an Internet of Things device node in its trust domain;
setting a validity start time and a validity end time of a digital certificate for identity certification material that passes review, and generating a certificate serial number of the digital certificate;
generating a signature tsig based on the certificate serial number, the number tid and the public key tpk of the Internet of Things device node, the name and number of the edge node, the validity start time and the validity end time;
generating and returning a digital certificate to the Internet of Things device node based on the certificate serial number, the number tid and the public key tpk of the first Internet of Things device node, the name and number of the edge node, the validity start time, the validity end time and the signature tsig;
and,
receiving an identity authentication request and a digital certificate of an Internet of Things device node in any trust domain, and downloading a certificate revocation list from the blockchain;
verifying the validity of the digital certificate based on the identity authentication request and the certificate revocation list;
if the digital certificate is valid, judging that the Internet of Things device node is legitimate;
and,
receiving an identity revocation request and a digital certificate of an Internet of Things device node in any trust domain, and downloading a certificate revocation list from the blockchain;
verifying the validity of the digital certificate based on the identity revocation request and the certificate revocation list;
if the digital certificate is valid, updating and uploading the certificate revocation list;
and,
receiving an identity update request and a digital certificate of an Internet of Things device node in any trust domain, and downloading a certificate revocation list from the blockchain;
verifying the validity of the digital certificate based on the identity update request and the certificate revocation list;
and if the digital certificate is valid, updating and returning the digital certificate.
CN202210320479.1A 2022-03-29 2022-03-29 Edge computing identity authentication method and system based on block chain Active CN114785515B (en)

Publications (2)

Publication Number Publication Date
CN114785515A true CN114785515A (en) 2022-07-22
CN114785515B CN114785515B (en) 2024-04-23
