CN114826618B - Certificate distribution and access control integrated system - Google Patents


Info

Publication number: CN114826618B
Application number: CN202210484499.2A
Authority: CN (China)
Prior art keywords: layer, user, blockchain, attribute, contract
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114826618A
Inventors: 阚海斌, 袁和昕, 刘百祥
Current assignee: Zhuhai Fudan Innovation Research Institute
Original assignee: Zhuhai Fudan Innovation Research Institute
Application filed by Zhuhai Fudan Innovation Research Institute
Priority to CN202210484499.2A
Publication of CN114826618A
Application granted
Publication of CN114826618B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention belongs to the technical field of cryptography, and in particular relates to a certificate distribution and access control integrated system. The invention comprises 4 layers and 1 SDK, specifically: an application layer, a service layer, a contract layer, a storage layer and an access control SDK, where the layers interact through a public API. Based on the ABS-DPKI scheme, the invention is expected to provide a digital certificate that uses different identity attributes to give a user fine-grained identity endorsement; the certificate also offers a degree of fault tolerance and guarantees security properties of the identity information such as non-repudiation and unforgeability. The invention can also provide the functions and interfaces of an identity recognition system for access control to users such as enterprises and universities, making it convenient for them to quickly build identity recognition applications on the ABS-DPKI scheme.

Description

Certificate distribution and access control integrated system
Technical Field
The invention belongs to the technical field of cryptography, and in particular relates to a certificate distribution and access control integrated system.
Background
Document [1] devised a distributed public key infrastructure scheme (hereinafter the ABS-DPKI scheme, Distributed Public Key Infrastructure based on Attribute-Based Signature) based on blockchain and decentralized non-repudiable attribute-based signatures. The scheme studies cryptographic fields such as attribute-based signatures and zero-knowledge proofs in depth and combines these techniques and theories. The application scenario of the ABS-DPKI scheme is the same as that of today's public key infrastructure: giving different entities on the Internet the ability to authenticate each other's identity through certificates.
The blockchain is the underlying architecture of the ABS-DPKI scheme, and users of the scheme are also users of the blockchain it depends on. However, most mainstream blockchains today require a command line (or a call to a public API; a command line is in essence also an API) to complete operations on the chain, such as bitcoin-cli for Bitcoin or geth for Ethereum, so even the user registration step sets a high threshold and is a poor experience for non-professional users. Some third-party software (for example the various blockchain wallets) provides a graphical interface so that blockchain users can register and initiate transactions, but this causes problems for the ABS-DPKI scheme. First, introducing third-party software may introduce security problems, which runs counter to a scheme whose core requirement is identity authentication. Second, third-party software adds more complicated processes and breaks the integrity of the scheme. Third, third-party software lacks many operations unique to the ABS-DPKI scheme, such as applying to an attribute authority for an attribute, which would still depend on the command line and so falls back to the threshold problem described at the start. A design is therefore needed that packages the related command line operations so that an average user also has a good interactive experience.
The digital certificate is the credential for identity recognition on the Internet. In its most widely used scenario, HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) adds a certificate handshake on top of HTTP (Hyper Text Transfer Protocol) to negotiate the encryption key for the communication, and the certificate gives users convenient and secure identity recognition. Compared with identification between ordinary users, the greatest demand on the Internet for identification comes from users such as enterprises, universities and governments; examples are the popular WeChat quick login and the unified identity system of Fudan University. WeChat quick login lets third-party software use a WeChat login in place of its own user login; this is convenient for the user, and at the same time the third-party software can quickly obtain information such as the user's name and mobile phone number, so the user can be looked up in the software by that information. The ZTO Express WeChat mini program, for example, obtains the WeChat user's information to link it to the user's record in ZTO Express, making it convenient for the user to query express orders and the like. In the same way, a system can be designed that lets enterprise users quickly identify users by means of the ABS-DPKI scheme.
The invention therefore designs and implements a novel certificate distribution and access control integrated system based on the ABS-DPKI scheme. The system is expected to provide a digital certificate that uses different identity attributes to give a user fine-grained identity endorsement; the certificate also offers a degree of fault tolerance and guarantees security properties of the identity information such as non-repudiation and unforgeability. The system can also provide the functions and interfaces of an identity recognition system for access control to users such as enterprises and universities, making it convenient for them to quickly put identity recognition applications based on the ABS-DPKI scheme into practice.
Reference:
[1] Yuan He, Liu Baixiang, et al. A distributed public key infrastructure scheme based on blockchain and decentralized non-repudiable attribute signatures [J]. Scientia Sinica Informationis, 2021.
Disclosure of Invention
The invention aims to design and implement a novel certificate distribution and access control integrated system based on the ABS-DPKI scheme.
The invention packages the complicated operations that require command line interaction, such as blockchain registration and attribute application, so that an ordinary user has a good interactive experience and the threshold for using the ABS-DPKI scheme is lowered. At the same time, the functions and interfaces of an identity system for access control are provided to users with authentication needs, such as enterprises and universities; this extends the application range of the ABS-DPKI scheme, demonstrates the feasibility and practicality of the scheme once more, and highlights its unique advantages.
The invention provides a certificate distribution and access control integrated system (hereinafter the system), which is based on a cryptographic algorithm. The system is divided into 4 layers and 1 SDK (Software Development Kit), specifically: an application layer, a service layer, a contract layer, a storage layer and an access control SDK. The layers interact through the exposed API, as follows:
(1) Application layer: the application layer is the front end of the system, the part that provides the Web interface for the user. It comprises a user login and registration page, a user attribute management page, a certificate management page and an information viewing page; through these Web pages the user can perform most functions of the system, such as user registration and attribute application. The front end sends the corresponding request to the network module of the back-end service layer, receives the response of the back-end network module and displays it on the page. The front end is developed in the Web languages JavaScript, HTML and CSS, with Vue.js as the JavaScript framework; the reactive data binding mechanism of the framework keeps page data synchronized, and Vue.js also provides a scaffold for developers;
(2) Service layer: the service layer is the back end of the system; it interfaces upward with the front-end application layer and downward with the contract layer. The service layer comprises several business modules: a user management module, a user attribute management module, a certificate management module, an attribute authority management module, a registration authority management module, a zero-knowledge proof management module, a network module, a blockchain interfacing module and a Redis database. The network module of the service layer receives a request sent by the front-end application layer and routes it to the corresponding business module for processing; if the business module needs to interact with the ABS-DPKI, it also constructs a blockchain transaction that invokes the smart contract, and finally the processing result is returned to the front-end application layer. The service layer is implemented in Golang; its network module uses the net/http library, and the Redis database connected to the service layer mainly stores user data. Redis is a Key-Value in-memory database with a mature interface, but because the data is held entirely in memory it has certain limitations, and in a formal production environment a disk database such as MySQL can be used for the database part.
The smart contract interaction part depends on the blockchain. Most blockchains provide SDKs for developers; taking Hyperledger Fabric as an example, the logic for interacting with the smart contracts on the blockchain is implemented through the Fabric-Go-SDK;
(3) Contract layer: the contract layer is the blockchain smart contract part of the system and the main body of the ABS-DPKI. The main components and functions of the ABS-DPKI are as described in document [1], with a zero-knowledge proof node added to generate zero-knowledge proofs. Hyperledger Fabric smart contracts can be developed in Golang, so complex business logic can be supported; the cryptographic operations are developed with the Golang crypto library, and the zero-knowledge proof part is developed with ZoKrates;
(4) Storage layer: the storage layer is the part of the system where the smart contracts store data, namely the Hyperledger Fabric blockchain. The data that needs to be stored is primarily the users' attribute public keys, the attribute signature initial parameters, certificates, CRLs, the zero-knowledge proof initial parameters, and all related blockchain transactions. In Hyperledger Fabric each peer node maintains 4 databases: an idStore for quickly finding which channel the node belongs to, a blockIndex that stores the block file index, a stateDB that stores the blockchain state data, and a historyDB that stores the version changes of keys in the stateDB. In the system all 4 databases use the Key-Value disk database LevelDB;
(5) Access control SDK: the system is expected to provide an access control function similar to WeChat quick login, that is, a third party (such as a website or mini program) can perform login through the identity of the system, which is convenient for users. The system therefore provides a JavaScript SDK for third-party developers to download. Through the SDK the third-party developer adds a login icon (hereinafter the icon) of the system to the website; when the user clicks the icon they are automatically redirected to the user login of the system, and after a successful login the third-party developer receives the user's information from the system, which means the identity authentication has succeeded. The logic is shown in figure 2.
For the user, the system provides a Web front-end interface to operate, is responsible for packaging the related operations into blockchain transactions, initiates them to the ABS-DPKI on the blockchain and collects the related information, and completes all interactions over secure and reliable HTTPS. The system needs the following functions:
1. Ordinary user registration/login/cancellation: the registered user is a user of the system, different from a user of the ABS-DPKI; after registering and logging in successfully, the user can further apply to become a user of the ABS-DPKI, otherwise functions such as attribute application and certificate application cannot be used. The back end of the system acts as a trusted third party and stores the user's ABS-DPKI information, such as attribute private keys and certificates, so that the user can conveniently apply for certificates and the like. The user can choose to cancel the account, and the system is then responsible for executing the set of transactions such as attribute private key revocation and certificate revocation;
2. Enterprise user registration/login/cancellation: registration and cancellation require submitting an application form to the system back office for manual verification. After registration and login succeed, the functions of an ordinary user such as attribute application and certificate application can be used, and the interfaces of the identity recognition system for access control provided by the system can be accessed, so that the enterprise user can act as a certificate verifier and verify the identity information of other users;
3. User attribute application/view/revocation: both kinds of user can see the information of the attribute authorities online on the blockchain in the relevant interface, choose an attribute authority and apply for its attribute themselves, and submit the application according to the requirements of the authority; after a successful application the public and private key pair of the attribute is returned and stored at the back end of the system. The user can view the attributes they own at any time and can apply to revoke a given attribute; after the application the system is responsible for executing the attribute private key revocation transaction and initiating it on the blockchain;
4. Certificate application/view/verification/revocation: both kinds of user can apply for certificates. The application form sets a threshold (t, n): n designated attributes form the attribute set and at least t of them must be included in the application (if the form exceeds t attributes, t are designated). A successful application returns the certificate information and stores it at the back end, and the user can download the certificate and the corresponding zero-knowledge proof. A user can hold several certificates, distinguished by threshold and attribute set, can view their own certificates at any time and can look up any certificate by its serial number. The user can request verification of a given certificate and can also apply to revoke a certificate they own;
5. Attribute authority management: this function mainly targets an attribute authority CA. A user submits a request form to apply to become an attribute authority, which requires manual back-office review; at the same time the user uses the ABS-DPKI API and SDK to build the CA node on the blockchain, and once the review passes the CA can go online as an attribute authority. The system also provides attribute management functions for CAs that have joined the system, including approving attribute applications and actively revoking a given user's attribute;
6. Registration authority management: this function mainly targets a registration authority RA; as with a CA, the RA node must be built and an application form submitted. The system also provides registration functions for RAs that have joined the system, including approving certificate applications and cancellations;
7. Information query: the user can view various information in real time, including the state of the RA and CA nodes of the blockchain, and can also query transactions on the blockchain (attribute applications, certificate applications and so on) and the state of a given certificate.
The beneficial effects of the invention are as follows: the invention acts as an intermediary between the ABS-DPKI scheme and the user; it not only provides functions such as user registration, application to become a new attribute authority and user attribute application for different users, but also provides the functions and interfaces of an identity recognition system for access control. To simplify the system flow, the system does not consider the transaction cost problem in the blockchain.
Drawings
Fig. 1 is a system architecture diagram.
Fig. 2 is an illustration of access control SDK logic.
FIG. 3 is a diagram of a login and registration page.
Fig. 4 is a certificate query page illustration.
Fig. 5 is a diagram of an attribute application and certificate application page.
Fig. 6 is a certificate detail information diagram.
Detailed Description
The invention will be further described with reference to specific examples so that those skilled in the art can better understand its technical and functional features, but the scope of the invention is not limited to the following examples.
This embodiment describes how to use the invention, including how to deploy and build the environment of each layer.
Example 1:
As shown in fig. 1, the system architecture is divided into 4 layers, and the layers interact through the exposed API. The application layer is the front-end layer of the system: the layout of the web pages is written in HTML and CSS, the interactive logic of the pages is written with the Vue.js framework, data is obtained by calling the API of the service layer back end, and a UI (User Interface) library is called to display the data on the page. The service layer is the back end of the system, developed in Golang, and is divided into a user management module, a user attribute management module, a certificate management module, a zero-knowledge proof management module, an attribute authority management module, a registration authority management module and other modules; if deployed in a formal production environment it needs an Nginx reverse proxy and load balancing. The contract layer and the storage layer together form the ABS-DPKI with a blockchain (Hyperledger Fabric) as the underlying architecture; the ABS-DPKI is divided into three parts: the attribute authority CA, the registration authority RA and the zero-knowledge proof service (developed in Lua). All 4 databases of the storage layer use the Key-Value disk database LevelDB.
As shown in fig. 2, the access control SDK mainly sends requests to the relevant API of the system; the system maintains a token for the third party, and the third party uses it to obtain the user's information. The specific flow is as follows: the third-party developer adds a login icon (hereinafter the icon) of the system to the website through the SDK; when the user clicks the icon they are automatically redirected to the user login of the system, and after a successful login the third-party back end receives the user's information from the system, which means the identity authentication has succeeded.
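The token hand-off in this flow, as an added example that is not part of the patent or its code: a Go sketch (the language of the service layer) of the server-side token store that sits behind the redirect. `TokenStore`, `Issue`, `Redeem` and the `UserInfo` fields are assumed names; the patent describes the flow but not the token's format, lifetime or storage, so the single-use and expiry rules here are the author's own defensive choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// UserInfo is the account data the system returns to a third-party site after
// a successful login (field set constructed for this example).
type UserInfo struct {
	Username string
	Channel  string // Hyperledger Fabric channel the user registered on
	Phone    string // optional, only if the user consented to share it
}

type tokenRecord struct {
	user    UserInfo
	site    string // third-party site the token was issued for
	expires time.Time
	used    bool
}

// TokenStore maps one-time login tokens to user info. An in-memory map stands
// in for the Redis store the system's back end uses (assumption).
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]*tokenRecord
	ttl    time.Duration
	Now    func() time.Time // injectable clock so expiry can be tested
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{tokens: map[string]*tokenRecord{}, ttl: ttl, Now: time.Now}
}

var (
	ErrUnknownToken = errors.New("unknown token")
	ErrExpiredToken = errors.New("token expired")
	ErrUsedToken    = errors.New("token already redeemed")
	ErrWrongSite    = errors.New("token issued for a different site")
)

// Issue is called by the system after the user who arrived via the icon on
// site has logged in. It returns a 256-bit random token that the system
// hands back to the site; nothing about the user is encoded in it.
func (s *TokenStore) Issue(site string, u UserInfo) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = &tokenRecord{user: u, site: site, expires: s.Now().Add(s.ttl)}
	return tok, nil
}

// Redeem is called once by the third-party back end to exchange the token
// for user info. Single use, expiry and site binding are enforced, so a token
// that leaks through the browser or a log cannot be replayed later.
func (s *TokenStore) Redeem(site, tok string) (UserInfo, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[tok]
	if !ok {
		return UserInfo{}, ErrUnknownToken
	}
	if rec.used {
		return UserInfo{}, ErrUsedToken
	}
	if rec.site != site {
		return UserInfo{}, ErrWrongSite
	}
	if s.Now().After(rec.expires) {
		delete(s.tokens, tok)
		return UserInfo{}, ErrExpiredToken
	}
	rec.used = true
	return rec.user, nil
}

func main() {
	store := NewTokenStore(time.Minute)
	tok, _ := store.Issue("shop.example", UserInfo{Username: "alice", Channel: "mychannel"})
	u, err := store.Redeem("shop.example", tok) // first exchange succeeds
	fmt.Println(u.Username, err)
	_, err = store.Redeem("shop.example", tok) // replay is rejected
	fmt.Println(err)
}
```

The site name passed to Redeem has to come from an authenticated channel (for example a per-site secret the third party presents over HTTPS), which the example leaves out; without that, the site-binding check only prevents accidental mix-ups between sites, not a hostile caller claiming another site's name.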
As shown in fig. 3, the registration form on the login and registration page requires a user name, a password and a channel on Hyperledger Fabric; the additional user information is an optional mobile phone number, and more fields can be added in future. The user also has to agree whether the system may obtain private information.
As shown in fig. 4, the certificate query page shows the certificates currently in the online certificate library on the blockchain, with the user name and serial number corresponding to each certificate; clicking a certificate shows its detailed information.
As shown in fig. 5, on the attribute application and certificate application page the user can choose to apply for an attribute by entering the attribute name and the public key of the attribute authority CA and filling in the fields the attribute authority requires. Once the user holds attributes, a certificate for a given attribute set can be applied for in the format (t: attribute 1, attribute 2, ...), and the back end formats the input information according to this format.
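Applying the threshold rule from function 4 above to the (t: attribute 1, attribute 2, ...) format the application page uses, as an added example not taken from the patent: Go code (the language of the service layer) that parses the form and decides whether a set of held attributes, some of which may be revoked, still reaches the threshold. `ParsePolicy`, `Satisfies`, the `Attribute` fields and the sample attribute names are assumptions; the real ABS-DPKI check is a cryptographic attribute signature verification on chain, for which this structural check stands in.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Policy is the (t, n) threshold an applicant sets on a certificate request:
// the n named attributes form the attribute set, and a holder must present
// at least t of them.
type Policy struct {
	Threshold  int
	Attributes []string
}

// ParsePolicy reads the "(t: attribute 1, attribute 2, ...)" form the
// application page uses and checks 1 <= t <= n and that no name repeats.
func ParsePolicy(s string) (Policy, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "(") || !strings.HasSuffix(s, ")") {
		return Policy{}, errors.New("policy must be wrapped in parentheses")
	}
	parts := strings.SplitN(s[1:len(s)-1], ":", 2)
	if len(parts) != 2 {
		return Policy{}, errors.New("missing ':' after threshold")
	}
	t, err := strconv.Atoi(strings.TrimSpace(parts[0]))
	if err != nil {
		return Policy{}, fmt.Errorf("bad threshold %q: %w", parts[0], err)
	}
	var attrs []string
	seen := map[string]bool{}
	for _, a := range strings.Split(parts[1], ",") {
		a = strings.TrimSpace(a)
		if a == "" {
			return Policy{}, errors.New("empty attribute name")
		}
		if seen[a] {
			return Policy{}, fmt.Errorf("duplicate attribute %q", a)
		}
		seen[a] = true
		attrs = append(attrs, a)
	}
	if t < 1 || t > len(attrs) {
		return Policy{}, fmt.Errorf("threshold %d out of range for %d attributes", t, len(attrs))
	}
	return Policy{Threshold: t, Attributes: attrs}, nil
}

// Attribute is one attribute a user holds, as issued by an attribute
// authority CA (fields constructed for this example; the real scheme keeps
// the attribute public key and signature on the blockchain).
type Attribute struct {
	Name    string
	Issuer  string // attribute authority that issued it
	Revoked bool   // set once the attribute private key revocation is on chain
}

// Satisfies reports whether the held attributes meet the policy and lists the
// names that counted. Revoked attributes are ignored, and a name counts at
// most once however many CAs issued it. This is the fault tolerance the
// threshold gives: losing up to n-t attributes still leaves the certificate valid.
func Satisfies(p Policy, held []Attribute) (bool, []string) {
	valid := map[string]bool{}
	for _, a := range held {
		if !a.Revoked {
			valid[a.Name] = true
		}
	}
	var matched []string
	for _, name := range p.Attributes {
		if valid[name] {
			matched = append(matched, name)
		}
	}
	return len(matched) >= p.Threshold, matched
}

func main() {
	// Constructed sample: a (2, 3) policy and a holder whose library card
	// attribute has been revoked.
	p, err := ParsePolicy("(2: student, staff, library_card)")
	if err != nil {
		panic(err)
	}
	held := []Attribute{
		{Name: "student", Issuer: "ca-01"},
		{Name: "library_card", Issuer: "ca-17", Revoked: true},
		{Name: "staff", Issuer: "ca-03"},
	}
	ok, matched := Satisfies(p, held)
	fmt.Println(ok, matched) // true [student staff]
}
```

The parser rejects a threshold above n up front, since such a certificate could never be satisfied, and the matcher deliberately counts names rather than issuances, so two CAs issuing the same attribute name to one user do not let that user reach t with fewer distinct attributes than the policy demands.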
As shown in fig. 6, clicking a certificate shows its detailed information: version number, serial number, issuer, signature content and so on, where the signature content is a JSON string. It can be seen that in the demonstration environment the certificate is indeed issued jointly by 100 authorities.
Application layer and business layer:
These two parts are built and configured together. The front-end application layer can be built with npm for a test environment, or compiled into static files and placed together with the service layer back end. The system website needs HTTPS with TLS verification enabled, so the back end must be configured with the relevant root certificates. The back-end service listens for requests on ports 80 and 443 and at the same time needs a connection to the blockchain service. The blockchain service IP is currently hard-coded in this part; in a real production environment it should be resolved flexibly through service discovery such as Redis or L5.
The invention was built on an Alibaba Cloud server running CentOS 8.2 with a 2-core vCPU and 1 GB of memory; a better configured server gives better system performance. Since no domain name had been applied for yet, there was no need to configure an Nginx reverse proxy, and users log on to the website through IP:port.
Enter the front-end folder in the command line and run the npm build command to generate the static files of the front-end application layer, then copy the files to the /templates folder of the back-end service layer:
$ npm run build
Building the back end requires a Golang environment configured in advance. The back-end system is first compiled into an executable, then configured with parameters and started; at start-up it reads a local blockchain information file to connect to the blockchain. The author has written a script for this part; some of its commands are as follows:
$ go build -o server_dpki main.go define.go router.go blockchain.go chaincode.go utils.go
$ nohup ./server_dpki -port=80 -en=dev -v=1.0 -blk=blk.txt -tls=1 &
Note that the certificates must be placed in advance under the /tls folder of the back-end service layer. In addition, the system depends on a number of third-party libraries, which are best managed with go mod.
Contract layer and storage layer:
This part mainly builds the Hyperledger Fabric blockchain and runs the individual ABS-DPKI service nodes on it. The underlying blockchain is built with 3 peer nodes and 1 orderer node; messages are passed through Kafka, and configuration is managed through ZooKeeper. Since the blockchain in the system of the invention is mainly the carrier of the smart contracts and the distributed storage, only the minimum configuration required for operation is made. This part uses 3 Alibaba Cloud machines with the same configuration as the application layer and service layer.
For the nodes of the ABS-DPKI, the demonstration of the invention uses 2 virtual machines, each running 50 CAs bound to 1 RA node on different ports, because of the distributed mechanism to be achieved. In addition a zero-knowledge proof service must be configured, which requires the ZoKrates environment to be set up in advance.
First the smart contracts are installed; the following operations are executed on each of the 3 blockchain nodes:
$ peer chaincode install -n cer -v 1.0 -p ./ABS-DPKI/chaincode/certificate/
$ peer chaincode install -n cer -v 1.0 -p ./ABS-DPKI/chaincode/userkey/
$ peer chaincode install -n cer -v 1.0 -p ./ABS-DPKI/chaincode/params/
In addition, the CA and RA services on the blockchain need to be compiled and built; the service IPs and ports of the CA and RA are hard-coded in the demonstration environment of the invention. In a real production environment this part should use a service discovery mechanism. The related commands are as follows:
$ go build -o abs_server_ca ca.go lagRange.go abs.go define.go
$ go build -o abs_server_ra ra.go define.go
$ nohup ./CA/abs_server_ca -port=9001 -en=dev -v=1.0 -blk=blk.txt &
$ nohup ./RA/abs_server_ra -port=8001 -en=dev -v=1.0 -blk=blk.txt &
The zero-knowledge proof service also needs to be configured. Since the form of proof in the ABS-DPKI is unique, the original circuit is hard-coded in abs.zok, and then a series of initialization operations is performed with the following commands:
$ zokrates compile -i abs.zok
$ zokrates setup
$ zokrates compute-witness -a {all parameters}
$ zokrates generate-proof
$ zokrates verify
The zero-knowledge proof service also needs to be compiled and built; the related commands are as follows:
$ go build -o server_zk main.go define.go
$ nohup ./zk/server_zk -port=7001 -en=dev -v=1.0 -blk=blk.txt &

Claims (2)

1. a certificate distribution and access control integrated system, which is based on a cryptography algorithm and is divided into 4 layers and 1 SDK, and specifically comprises: the system is characterized by comprising an application layer, a service layer, a contract layer, a storage layer and an access control SDK, and is specifically characterized by comprising the following steps:
(1) Application layer: the application layer is the front end of the system and provides a Web interface for the user, comprising a user login and registration page, a user attribute management page, a certificate management page and an information viewing page; the user can perform user registration and attribute application through Web page interaction, while the front end sends the corresponding request to the network module of the back-end service layer, obtains the response of the back-end network module and displays it on the page; the front-end part is developed with the Web programming languages JavaScript, HTML and CSS, with Vue.js as the JavaScript framework, whose responsive data binding mechanism keeps page data synchronized, and Vue.js also provides a scaffold for developers;
(2) Service layer: the service layer is the back end of the system, which interfaces upward with the front-end application layer and downward with the contract layer; the service layer comprises several service modules, namely a user management module, a user attribute management module, a certificate management module, an attribute authority management module, a registration authority management module, a zero-knowledge proof management module, a network module, a blockchain docking module and a Redis database; the network management module in the service layer receives the relevant requests sent by the front-end application layer and routes them to the corresponding service module for processing; if interaction with the contract layer ABS-DPKI is needed, the smart contract call is constructed and a blockchain transaction is initiated through the blockchain docking module to invoke the contract layer, and finally the processing result is returned to the front-end application layer; the service layer is implemented in the Golang language, its network management module uses the net/http library, and the database connected to the service layer mainly stores user data; the database is a Redis database or a MySQL database: Redis, a Key-Value in-memory database with a developed interface, is used for storage, and in a formal production environment the Redis database part uses the MySQL database instead; the smart contract interaction part of the contract layer relates to the blockchain, which provides related SDKs for developers, and the related logic interacts with the smart contracts on the blockchain;
(3) Contract layer: the contract layer refers to the blockchain smart contract part of the system and is also the main body of the ABS-DPKI, in which the ABS-DPKI has attribute authority (CA) related smart contracts, registration authority (RA) related smart contracts, and a zero-knowledge proof node responsible for zero-knowledge proofs; Hyperledger Fabric smart contracts support development in the Golang language, so complex business logic can be supported; the cryptographic operation part is developed with the crypto library of Golang, and the zero-knowledge proof part is developed with ZoKrates;
(4) Storage layer: the storage layer refers to the part of the system in which the smart contracts store data, namely the Hyperledger Fabric blockchain; the data to be stored mainly comprises the attribute public keys of users, attribute signature initial parameters, certificates, CRLs, zero-knowledge proof initial parameters, certificates and all related blockchain transactions; in Hyperledger Fabric each peer node, i.e. the base node, maintains 4 databases, namely an idStore for quickly querying which channel the node belongs to, a blockIndex for storing the blockchain index, a stateDB for storing blockchain state data, and a historyDB for storing the version changes of Keys in the stateDB; in this system all 4 databases use the Key-Value disk database LevelDB;
(5) Access control SDK: the system provides a quick login function, namely a third party can log in through the identity of this system; for this purpose the system provides a JavaScript SDK for third-party developers to download; the third-party developer adds the login icon of this system to a website through the SDK, a user who clicks the icon is automatically redirected to this system's user login, and after successful login the third-party developer can obtain the user-related information sent by this system, which means that identity authentication has succeeded.
2. The certificate distribution and access control integrated system according to claim 1, wherein the blockchain uses the Fabric-Go-SDK of Hyperledger Fabric to enable the related logic to interact with the smart contracts on the blockchain.
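The certificate and CRL handling that the contract layer and storage layer describe, as an added example in Go that is not the patent's own code: the contract logic is written against a hypothetical Ledger interface standing in for the stateDB GetState/PutState calls a Fabric chaincode stub provides, with a constructed in-memory ledger so it runs offline.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"time"
)

// Ledger abstracts the stateDB calls the contract logic needs (hypothetical interface).
type Ledger interface {
	GetState(key string) ([]byte, error)
	PutState(key string, value []byte) error
}

// MemLedger is a constructed in-memory stand-in so the example runs offline.
type MemLedger struct{ kv map[string][]byte }
func NewMemLedger() *MemLedger                          { return &MemLedger{kv: map[string][]byte{}} }
func (m *MemLedger) GetState(k string) ([]byte, error) { return m.kv[k], nil }
func (m *MemLedger) PutState(k string, v []byte) error { m.kv[k] = v; return nil }
// Key prefixes keep certificates and CRL entries apart in one Key-Value store.
func certKey(id string) string { return "cert:" + id }
func crlKey(id string) string  { return "crl:" + id }
// IssueCertificate stores the certificate bytes and refuses to overwrite an
// existing entry, so a later transaction cannot silently replace a certificate.
func IssueCertificate(l Ledger, id string, der []byte) error {
	if existing, _ := l.GetState(certKey(id)); existing != nil {
		return errors.New("certificate already exists: " + id)
	}
	return l.PutState(certKey(id), der)
}
// Revoke adds the certificate to the CRL, recording the revocation time.
func Revoke(l Ledger, id string, at time.Time) error {
	if c, _ := l.GetState(certKey(id)); c == nil {
		return errors.New("unknown certificate: " + id)
	}
	return l.PutState(crlKey(id), []byte(at.UTC().Format(time.RFC3339)))
}
// Verify accepts only a certificate that is on the ledger, identical to the
// presented bytes (compared by SHA-256 digest), and absent from the CRL.
func Verify(l Ledger, id string, der []byte) (bool, error) {
	stored, _ := l.GetState(certKey(id))
	if stored == nil {
		return false, errors.New("unknown certificate: " + id)
	}
	if sha256.Sum256(stored) != sha256.Sum256(der) {
		return false, nil
	}
	revoked, _ := l.GetState(crlKey(id))
	return revoked == nil, nil
}
```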
CN202210484499.2A 2022-05-06 2022-05-06 Certificate distribution and access control integrated system Active CN114826618B (en)

Publications (2)

Publication Number Publication Date
CN114826618A CN114826618A (en) 2022-07-29
CN114826618B true CN114826618B (en) 2023-07-21

Family

ID=82510848

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant