CN114844700A - Identity authentication method, system, equipment and storage medium based on trusted storage in distributed environment - Google Patents


Info

Publication number
CN114844700A
Authority
CN
China
Prior art keywords
block
information
digital certificate
certificate
block chain
Prior art date
Legal status
Pending
Application number
CN202210470140.XA
Other languages
Chinese (zh)
Inventor
陈寒冰
Current Assignee
Three Gorges Star Future Data Technology Yichang Co ltd
Original Assignee
Three Gorges Star Future Data Technology Yichang Co ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses an identity authentication method, system, device and storage medium based on trusted storage in a distributed environment. A user enters digital certificate application information at a client; the application information comprises identity information and a CA center address. The client signs the application information with its private key to produce a CSR file, builds a transaction request from the CSR file, the application time and the public key, and broadcasts the transaction request to the blockchain. The transaction request is parsed and verified, and once it passes verification it is forwarded to the CA center at the given address. The CA center generates a digital certificate and assembles the certificate and the application information into a first block. The first block is stored in distributed storage and broadcast to the blockchain, and the storage address of the first block is recorded on the blockchain. Because the application process and the certificate issuing process are carried out on the blockchain as transactions, and each block is confirmed by consensus of all nodes in the network, every user with access to the blockchain can share the certificates.

Description

Identity authentication method, system, equipment and storage medium based on trusted storage in distributed environment
Technical Field
The invention relates to the technical field of blockchains, in particular to an identity authentication method, system, device and storage medium based on trusted storage in a distributed environment.
Background
As society becomes more information-driven, more and more users depend on information systems, and the digital certificate, as a user's digital identity credential, grows in importance. Today the issuing, management and authentication of digital certificates rest on a PKI system: a key management platform that follows an agreed standard provides cryptographic services such as encryption and digital signature, together with the key and certificate management that network applications need. In short, PKI is an infrastructure built on public key theory and technology that provides security services. A PKI system can provide a complete set of secure identity authentication services for internet communication and transactions, but in a distributed environment it has the following drawbacks:
1) Centralization of authority
A traditional PKI system has several centralized service organizations, such as the KMC (key management center), CA (certificate authority), OCSP (online certificate status service) and RA (registration authority). So many centralized services add complexity to the whole system; each of them must contend with attacks, single points of failure, traffic and response time; and the multiplicity of central organizations inevitably raises the cost to users and complicates software design.
2) Timeliness of certificate revocation and freezing
Querying the status of a digital certificate is a necessary step in verifying it, and there are currently two ways to do so: the CRL (certificate revocation list) and OCSP (online certificate status protocol). With a CRL the verifier must download the latest revocation list file, and many steps lie between initiating a revocation and a user holding the updated CRL, so timeliness is poor. OCSP is a real-time query, but OCSP processing time and network latency remain, so its timeliness is still limited, and it is seldom used in ordinary applications.
3) Transparency of information within the system
Under a traditional PKI system the generation of a digital certificate is relatively opaque: the key service organizations of the PKI can see a user's certificate and public key information, but it is almost impossible for an ordinary user to learn other people's certificate information or to obtain the full set of certificates in the system. In a distributed internet model, by contrast, public keys and certificates are entirely public information.
Disclosure of Invention
To address the above defects, the invention provides an identity authentication method, system, device and storage medium based on trusted storage in a distributed environment.
To this end, the invention provides an identity authentication method based on trusted storage in a distributed environment, comprising:
a user entering digital certificate application information at a client, the application information comprising identity information and a CA center address;
signing the application information with a private key to generate a CSR file, creating a transaction request from the CSR file, the application time and a public key, and broadcasting the transaction request to a blockchain;
parsing and verifying the transaction request, and forwarding it to the CA center at the CA center address once it passes verification;
the CA center generating a digital certificate and assembling the digital certificate and the application information into a first block;
storing the first block in distributed storage, broadcasting the first block to the blockchain, and recording the storage address of the first block on the blockchain.
Preferably, after the storage address of the first block is recorded on the blockchain, the method further comprises:
the blockchain receiving a verification request carrying certificate information of the digital certificate;
obtaining, according to the verification request, the corresponding storage address on the blockchain and downloading the digital certificate from that address;
and obtaining the status information of the digital certificate.
Preferably, obtaining the status information of the digital certificate comprises:
querying a status database for the status information of the digital certificate, the status database holding the latest status information for every item of certificate information.
Preferably, when the digital certificate is determined to satisfy a freeze condition, a second block is generated comprising the user information, the certificate information of the digital certificate and frozen status information;
and the blockchain broadcasts the second block.
Preferably, after the blockchain broadcasts the second block, the method further comprises:
when the digital certificate is determined to satisfy an unfreeze condition, generating a third block comprising the user information, the certificate information of the digital certificate and normal status information;
and the blockchain broadcasting the third block.
Preferably, when the digital certificate is determined to satisfy a revocation condition, a fourth block is generated comprising the user information, the certificate information of the digital certificate and revoked status information;
and the blockchain broadcasts the fourth block.
Preferably, when the digital certificate is determined to satisfy an update condition, a fifth block is generated comprising the user information, the certificate information of the digital certificate and update status information;
and the blockchain broadcasts the fifth block.
The invention also provides a system for the above identity authentication method based on trusted storage in a distributed environment, comprising:
an application module, through which a user enters digital certificate application information at a client, the application information comprising identity information and a CA center address;
a request module, which signs the application information with a private key to generate a CSR file, creates a transaction request from the CSR file, the application time and the public key, and broadcasts the transaction request to the blockchain;
a verification module, which parses and verifies the transaction request and forwards it to the CA center at the CA center address once it passes verification;
a generation module, by which the CA center generates a digital certificate and assembles the digital certificate and the application information into a first block;
a storage module, which stores the first block in distributed storage, broadcasts the first block to the blockchain, and records the storage address of the first block on the blockchain.
The invention also provides a computer device comprising a processor and a memory, the memory storing at least one program code which, when loaded and executed by the processor, performs the operations of the above identity authentication method based on trusted storage in a distributed environment.
The invention also provides a computer-readable storage medium storing at least one program code which, when loaded and executed by a processor, performs the operations of the above identity authentication method based on trusted storage in a distributed environment.
Compared with the prior art, the invention has the following beneficial effects:
the application process and the certificate issuing process are carried out on the blockchain as transactions, and each block is confirmed by consensus of all nodes in the network, so that every user with access to the blockchain can share the certificates.
Drawings
FIG. 1 is a flow chart of the identity authentication method based on trusted storage in a distributed environment of the invention;
FIG. 2 is a flow chart of the certificate application procedure of the method;
FIG. 3 is a flow chart of the certificate generation procedure of the method;
FIG. 4 shows how a certificate object is stored on the blockchain in the method.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to FIG. 1.
Some terms used in this embodiment are defined first:
Blockchain: a new application pattern of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a sequence of data blocks linked by cryptography, each block holding a batch of network transactions, being used to verify the validity (authenticity) of that information and to generate the next block, and containing a timestamp and a link to the previous block. In the narrow sense, a blockchain is a distributed ledger in which data blocks are assembled chronologically into a chain data structure that is cryptographically protected against tampering and forgery, so that data, once recorded, cannot be altered.
Public key and private key: a key pair produced by a key generation algorithm, of which the public key is the published part and the private key is the secret part. The public key is typically used to encrypt data and to verify digital signatures; the private key is used to decrypt data and to produce signatures. The two keys are bound together: data encrypted under the public key can only be decrypted with the matching private key, and a signature produced with the private key can only be verified with the matching public key. Signing is sometimes described as "encrypting with the private key"; that shorthand fits textbook RSA only and does not hold for signature schemes in general.
Consensus mechanism: the mathematical algorithm by which the nodes of a blockchain system establish trust and acquire rights. In a blockchain system, transactions are verified and confirmed within a short time through the votes of designated node devices; if a number of nodes with no shared interest reach agreement, all node devices in the system can be taken to have reached agreement.
Referring to FIG. 1, the invention provides an identity authentication method based on trusted storage in a distributed environment, comprising:
Step 1: a user enters digital certificate application information at a client, the application information comprising identity information and a CA center address.
The application information consists of the parameters the user enters, such as organization, address, identity information and the CA organization; in other words, the address of the target CA organization must be specified when the application is made.
The user information represents the identity of the user, who may be an individual, a business or another organization. In one possible implementation the user information includes a user identifier: for an individual this can be a user name, an ID number or similar; for a business it can be the business name, organization code or other identifying information. The user information may also include gender, age, contact details and the like.
Step 2: the client signs the application information with its private key to generate a CSR file, creates a transaction request from the CSR file, the application time and the public key, and broadcasts the transaction request to the blockchain, as shown in FIG. 2.
These steps are all completed at the client, the device the user uses to apply for a digital certificate, which may be a portable, pocket or handheld terminal such as a mobile phone, computer or tablet. The client is connected directly to a blockchain node: the user enters the application details, the client formats them into transaction parameters, the node generates a blockchain transaction of type "certificate application", and the transaction is broadcast to the blockchain.
Step 3: the transaction request is parsed and verified, and after it passes verification it is forwarded to the CA center at the CA center address.
After receiving a transaction request from a client, the blockchain must verify the user information it carries; only once that information is verified is a unique digital certificate generated for it.
The client holds a public key and a private key that form a key pair. The public key is the public part and can be obtained by any node device in the blockchain system; the private key is the secret part and is held only by the client. The node device verifies the user information and then signs the user information and the public key with the organization information of the issuing authority it belongs to, obtaining the digital certificate. The issuing authority may be a CA organization or another organization, and the organization information identifies it. The issuing authority's signature attests that it has confirmed the authenticity of the certificate. In practice, the CA center monitors transactions on the chain and processes those of the certificate-application type. There may be several subordinate CA centers for different scenarios, each handling only the application transactions addressed to it; once the application information is approved the CA issues the certificate, writes the certificate and its own signature into a transaction of type "certificate issue", and broadcasts it to the blockchain network. Because every node holds the full certificate ledger of the system, the nodes can reach consensus on whether the issuer is legitimate. Each node parses the block transactions and writes the parsed certificate into its local certificate ledger; the flow is shown in FIG. 3.
Step 4: the CA center generates the digital certificate and assembles the digital certificate and the application information into a first block.
When the digital certificate is generated, a first block is generated with it. The first block contains the user information and the certificate information of the digital certificate. The certificate information describes the digital certificate, corresponds to it one-to-one, and may include the certificate serial number, validity period, client public key, organization information and so on.
In one possible implementation the first block is generated as follows. The last block already on the chain is the previous block. The node device obtains the previous block's information from the chain and computes its block header characteristic value (hash); it then computes a characteristic value over the data to be stored in the first block, such as the user information and certificate information, giving the block body characteristic value of the first block. The node stores the previous block's header hash and the first block's body hash in the header of the first block, and the user information, certificate information and so on in the body of the first block. The previous block and the first block are thus linked through the previous block's header hash, which is how blocks are chained and how each block can be used to check the one before it. This is only one example of block generation; the embodiment does not limit which method is used.
A digital certificate also has several states, such as normal, frozen and revoked, and carries status information indicating its current state, which tells whether the certificate may be used. While the certificate is in use, its usability is judged from this status information: with normal status it may be used; with frozen or revoked status it may not.
Accordingly, when the node device generates the digital certificate it sets the status information to normal, and when the first block is generated the normal status information may be included in it to show that the certificate is in the normal state and may be used.
Step 5: the first block is stored in distributed storage and broadcast to the blockchain, and the storage address of the first block is recorded on the blockchain.
The first block is confirmed by consensus among the nodes of the blockchain and is appended to the chain once it passes. In reaching consensus each node checks whether the information in the first block is accurate, that is, verifies its contents. The consensus process may be implemented with any consensus mechanism; the above is only an example and the embodiment does not limit it. Once the first block has passed consensus, any node in the blockchain system can store the digital certificate, and the certificates held by all node devices are consistent, so the certificates are stored in a distributed way and their authenticity and transparency are assured.
The certificate ledger is the list of all digital certificates issued on the blockchain. Because the full set of certificate entities takes up a great deal of space, the entities themselves are not placed inside blockchain transactions but in a trusted distributed storage service, and the certificate object in the ledger holds only the mapping to its address in that service. The on-chain certificate object is shown in FIG. 4.
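The following is an added model of steps 1 to 5, written for this page; it is not code from the patent or its assignee. It shows the client signing the application information into a CSR, the node rejecting a transaction whose CSR does not verify under the public key it carries, the CA signing the certificate and placing the entity in distributed storage, the first block holding only the storage address keyed by the hash of the public key, and the header link between blocks from step 4. It also includes the verifier-side lookup (public-key hash to on-chain address to downloaded entity) used by the verification method described later. Assumptions: a toy textbook RSA with small hard-coded primes stands in for the real key pair so that the signature checks run offline (it is not secure and is only there to make the checks executable); the distributed storage service is modelled as content-addressed, so an entity's address is the SHA-256 of its bytes; certificates are JSON records, not X.509; and the identity and CA address values are constructed.

```python
"""Added model of steps 1-5 (CSR signing, node check, CA issue, block linkage,
off-chain entity storage). Toy RSA with small hard-coded primes stands in for
the real key pair so the signature checks run offline; it is NOT secure."""
import hashlib
import json

def toy_keypair(p, q):
    """Textbook RSA from two small primes (constructed, insecure). Returns (private, public)."""
    n, e = p * q, 65537
    return (n, pow(e, -1, (p - 1) * (q - 1))), (n, e)

USER_PRIVATE_KEY, USER_PUBLIC_KEY = toy_keypair(1000003, 1000033)
CA_PRIVATE_KEY, CA_PUBLIC_KEY = toy_keypair(1000037, 1000039)

def canonical(obj) -> bytes:
    """Deterministic JSON so every node hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def build_transaction(private_key, public_key, application: dict, application_time: int) -> dict:
    """Steps 1-2 (client): CSR = application info + self-signature; wrap it with the
    application time and public key into a 'certificate application' transaction."""
    csr = {"application": application, "signature": sign(private_key, canonical(application))}
    return {"type": "certificate_application", "csr": csr,
            "application_time": application_time, "public_key": list(public_key)}

def verify_transaction(tx: dict) -> bool:
    """Step 3 (node): accept only if the CSR verifies under the public key carried in the
    transaction (proof of possession) and the application names a CA to route to."""
    csr = tx["csr"]
    return (tx["type"] == "certificate_application" and "ca_address" in csr["application"]
            and verify(tuple(tx["public_key"]), canonical(csr["application"]), csr["signature"]))

class DistributedStore:
    """Content-addressed stand-in for the trusted distributed storage service: an
    entity's address is the hash of its bytes, so a replaced entity no longer matches
    the address recorded on the chain."""
    def __init__(self):
        self._objects = {}
    def put(self, data: bytes) -> str:
        addr = sha256_hex(data)
        self._objects[addr] = data
        return addr
    def get(self, addr: str) -> bytes:
        data = self._objects[addr]
        if sha256_hex(data) != addr:
            raise ValueError("entity does not match its on-chain address")
        return data

def make_block(prev_block, body: dict) -> dict:
    """Header holds the previous header's hash and this body's hash, as in step 4."""
    prev_hash = sha256_hex(canonical(prev_block["header"])) if prev_block else "0" * 64
    return {"header": {"prev_hash": prev_hash, "body_hash": sha256_hex(canonical(body))}, "body": body}

def verify_chain(chain: list) -> bool:
    """What each node checks at consensus time: every link and every body hash."""
    prev_hash = "0" * 64
    for block in chain:
        header = block["header"]
        if header["prev_hash"] != prev_hash or header["body_hash"] != sha256_hex(canonical(block["body"])):
            return False
        prev_hash = sha256_hex(canonical(header))
    return True

def issue(tx: dict, ca_private_key, chain: list, store: DistributedStore, ledger: dict, serial: int) -> dict:
    """Steps 4-5 (CA, then nodes): sign the certificate, put the entity in distributed
    storage, and record only its address (keyed by public-key hash) plus the
    application info in the first block."""
    if not verify_transaction(tx):
        raise ValueError("application rejected")
    app, pubkey_hash = tx["csr"]["application"], sha256_hex(canonical(tx["public_key"]))
    cert = {"serial": serial, "subject": app["identity"], "public_key": tx["public_key"],
            "not_before": tx["application_time"], "not_after": tx["application_time"] + 365 * 86400,
            "issuer": app["ca_address"]}
    cert["issuer_signature"] = sign(ca_private_key, canonical(cert))
    address = store.put(canonical(cert))
    body = {"type": "certificate_issue", "application": app,
            "certificate": {"serial": serial, "pubkey_hash": pubkey_hash,
                            "storage_address": address, "status": "normal"}}
    chain.append(make_block(chain[-1] if chain else None, body))
    ledger[pubkey_hash] = address
    return cert

def fetch_and_check(ledger: dict, store: DistributedStore, ca_public_key, public_key) -> dict:
    """Verifier: public-key hash -> on-chain address -> entity; check integrity and CA signature."""
    cert = json.loads(store.get(ledger[sha256_hex(canonical(list(public_key)))]))
    signature = cert.pop("issuer_signature")
    if not verify(ca_public_key, canonical(cert), signature):
        raise ValueError("issuer signature does not verify")
    return cert
```

The two checks worth noting are the ones the description only implies: a node must verify the CSR under the public key inside the same transaction, otherwise anyone could request a certificate for a key they do not control; and the verifier must re-hash the downloaded entity against the on-chain address before trusting it, since the storage service, not the chain, holds the bytes.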
The invention also provides a digital certificate verification method, which can locally complete the validity check of other certificates, and when the storage address of the first block is stored in the block chain, the method comprises the following steps:
the block chain receives an authentication request, and the authentication request carries certificate information of a digital certificate;
the authentication request can be a device of any organization, and the device can be a terminal or a server, for example, the device can be various types of terminals such as a portable terminal, a pocket terminal, a handheld terminal and the like, such as a mobile phone, a computer, a tablet computer and the like, or a server cluster composed of a plurality of servers, or a cloud computing service center. The digital certificate in the block chain is subjected to state change or entity replacement by revoking, freezing, unfreezing and updating operations of the digital certificate existing in the certificate book, the initiator is a directly superior certificate owner of the target certificate and generally a corresponding CA center, target information and operation parameters are written into transactions and attached with an initiator signature, the transaction information and the operation parameters are broadcasted to the block chain network, the rationality is verified by nodes of the whole network, and the related transaction types comprise 'certificate revoking', 'certificate freezing', 'certificate unfreezing' and 'certificate updating'. Each node is analyzed through block transaction and written into different local lists according to different transaction types.
According to the verification request, obtaining a storage address on a block chain corresponding to the verification request, and downloading the digital certificate according to the storage address;
specifically, a link storage location mapping is found in a certificate book of a node according to public key hashing of a digital certificate, and then the target certificate is downloaded from a distributed storage service, so that a trusted certificate entity is obtained. The validity period can be directly judged according to the downloaded trusted certificate entity, the revocation status and the frozen status of the target certificate are inquired and judged by utilizing a revocation list and a frozen list on a chain, all certificates from the target certificate to the Root certificate are found by utilizing a core Merkel tree used for certificate verification on the chain to form a verification Bundle, and the Bundle is used for Root certificate verification on the certificates.
And acquiring state information corresponding to the digital certificate, and determining whether the digital certificate is valid according to the state information so as to determine the verification result of the digital certificate.
Acquiring the state information corresponding to the digital certificate comprises:
querying the state information corresponding to the digital certificate in a state database, where the state database stores the latest state information corresponding to each certificate.
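The verification walk described above, from the storage-address lookup through the status check and the verification bundle, as an added example in Python using only the standard library (this is not code from the patent). It assumes, hypothetically, that certificate entities are JSON objects, that the distributed storage service is content-addressed (the on-chain storage address is the SHA-256 of the stored entity), that the certificate book is keyed by the SHA-256 of the public key, and that the status lists are sets of public-key hashes. The on-chain Merkle-tree lookup is replaced by following issuer links through the certificate book, and signature verification of each link is not modelled here; it would be run over the returned bundle with ordinary X.509 tooling. Beyond the description, the example also applies the validity and status checks to every CA certificate in the bundle.

```python
import hashlib
import json
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serialize(cert: dict) -> bytes:
    """Canonical JSON, so an entity always hashes to the same storage address."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def pubkey_hash(cert: dict) -> str:
    """Key of the certificate book: hash of the certificate's public key (assumption)."""
    return sha256_hex(cert["public_key"].encode())


class VerifierNode:
    """One node's view: a content-addressed stand-in for the distributed storage,
    the certificate book, the on-chain status lists, and the pinned root."""

    def __init__(self, root_cert, revoked=(), frozen=()):
        self.store = {}               # storage address (content hash) -> serialized entity
        self.cert_book = {}           # public-key hash -> storage address
        self.revoked = set(revoked)   # on-chain revocation list (public-key hashes)
        self.frozen = set(frozen)     # on-chain frozen list (public-key hashes)
        self.root_addr = self.publish(root_cert)   # trust anchor, pinned by content hash

    def publish(self, cert):
        blob = serialize(cert)
        addr = sha256_hex(blob)
        self.store[addr] = blob
        self.cert_book[pubkey_hash(cert)] = addr
        return addr

    def fetch(self, addr):
        """Download an entity and check it against its on-chain address; this is the
        step that lets an untrusted storage node return a trusted certificate entity."""
        blob = self.store[addr]
        if sha256_hex(blob) != addr:
            raise ValueError("entity does not match its on-chain storage address")
        return json.loads(blob)

    def build_bundle(self, cert):
        """Follow issuer links from the target certificate up to a self-issued root."""
        bundle, seen = [cert], {pubkey_hash(cert)}
        while cert["issuer_key_hash"] != pubkey_hash(cert):
            addr = self.cert_book.get(cert["issuer_key_hash"])
            if addr is None:
                raise ValueError("issuer certificate not in certificate book")
            cert = self.fetch(addr)
            if pubkey_hash(cert) in seen:
                raise ValueError("issuer loop in certificate chain")
            seen.add(pubkey_hash(cert))
            bundle.append(cert)
        return bundle

    def _status(self, cert, today):
        h = pubkey_hash(cert)
        if not (date.fromisoformat(cert["not_before"]) <= today <= date.fromisoformat(cert["not_after"])):
            return "outside validity period"
        if h in self.revoked:
            return "revoked"
        if h in self.frozen:
            return "frozen"
        return None

    def verify(self, target_pubkey_hash, today):
        """Returns (ok, reason, bundle) following the order of the description:
        address lookup, download, validity period, revocation, freeze, bundle, root."""
        today = date.fromisoformat(today) if isinstance(today, str) else today
        addr = self.cert_book.get(target_pubkey_hash)
        if addr is None:
            return False, "unknown certificate", []
        try:
            cert = self.fetch(addr)
            problem = self._status(cert, today)
            if problem:
                return False, problem, []
            bundle = self.build_bundle(cert)
        except ValueError as exc:
            return False, f"integrity failure: {exc}", []
        for ca in bundle[1:]:                      # beyond the text: check every CA too
            problem = self._status(ca, today)
            if problem:
                return False, f"issuer {ca['subject']} {problem}", bundle
        if sha256_hex(serialize(bundle[-1])) != self.root_addr:
            return False, "chain does not end at the pinned root", bundle
        return True, "valid", bundle


def make_sample_node():
    """Constructed sample PKI (hypothetical data): root -> issuing CA -> two leaves."""
    def cert(subject, key, issuer_key, not_before, not_after):
        return {"subject": subject, "public_key": key, "issuer_key_hash": sha256_hex(issuer_key.encode()),
                "not_before": not_before, "not_after": not_after}
    node = VerifierNode(cert("Root CA", "ROOT-PUB", "ROOT-PUB", "2022-01-01", "2032-01-01"),
                        revoked={sha256_hex(b"BOB-PUB")})
    node.publish(cert("Issuing CA", "CA-PUB", "ROOT-PUB", "2022-01-01", "2027-01-01"))
    node.publish(cert("alice", "ALICE-PUB", "CA-PUB", "2022-05-01", "2023-05-01"))
    node.publish(cert("bob", "BOB-PUB", "CA-PUB", "2022-05-01", "2023-05-01"))
    return node


def tampered_storage_result(node, pkh, today):
    """Simulate a storage node altering an entity after its address was put on chain."""
    addr = node.cert_book[pkh]
    node.store[addr] = node.store[addr].replace(b"2023-05-01", b"2033-05-01")
    return node.verify(pkh, today)
```

The content-hash check in fetch is what turns an untrusted storage service into "trusted storage" in the sense of the description: a node that extends the validity period of a stored certificate cannot do so without changing the address recorded on the chain.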
In this embodiment, the 'revocation list' and the 'frozen list' need not be two independent entities; they may be combined into a single 'certificate status list'. The operations on the list are addition, deletion and modification. The list carries a status hash that changes with every operation: after each operation a new status hash StateHash-new is derived from the previous status hash StateHash-pre as follows:
StateHash-new = Base64(HASH256(StateHash-pre + StateOP))
where Base64 denotes Base64 encoding of the hash output into a serialized string, HASH256 is a 256-bit hash algorithm, StateOP is the serialized list operation, and '+' denotes concatenation.
When the digital certificate is determined to meet the freezing condition, a second block is generated, which comprises the user information, the certificate information of the digital certificate and the freezing state information;
the block chain broadcasts the second block.
When the digital certificate is determined to meet the unfreezing condition, a third block is generated, which comprises the user information, the certificate information of the digital certificate and the normal state information;
the block chain broadcasts the third block.
In one possible implementation, the unfreezing condition includes the user applying to unfreeze a certificate that was frozen at the user's request. When the user retrieves and repairs the terminal corresponding to the digital certificate, the user triggers an unfreezing request for the digital certificate on the terminal, and the request carries the certificate information of the digital certificate. The terminal sends the unfreezing request to the block chain, and when the request is received the digital certificate is determined to meet the unfreezing condition.
It should be noted that only a digital certificate that was frozen at the user's own request can be unfrozen once the unfreezing condition is met. A digital certificate that was frozen because it expired or because its usage rules were violated cannot be unfrozen; the user must apply for a new digital certificate.
In another possible implementation, the logout condition (logout meaning cancellation of the certificate, that is, its revocation) includes the user applying for logout. When the user no longer needs the digital certificate, the user can trigger a logout request for the digital certificate on the terminal, and the request carries the certificate information of the digital certificate. The terminal sends the logout request to the block chain, and when the request is received the digital certificate is determined to meet the logout condition.
Alternatively, the logout condition may include a node device configured by a regulatory agency or an auditing agency applying for logout: when the regulatory agency or auditing agency determines that the digital certificate does not satisfy the usage rules, a logout request for the digital certificate can be triggered through the configured node device, and the request carries the certificate information of the digital certificate. When the node device receives the logout request, the digital certificate is determined to meet the logout condition.
When the digital certificate is determined to meet the logout condition, a fourth block is generated, which comprises the user information, the certificate information of the digital certificate and the logout state information; the block chain broadcasts the fourth block.
In another possible implementation, when the digital certificate is determined to meet the update condition, a fifth block is generated, which comprises the user information, the certificate information of the digital certificate and the update state information;
the block chain broadcasts the fifth block.
It should be noted that the processing procedures in the foregoing embodiments may be combined in any form: they may be performed independently, simultaneously or one after another, and the embodiments of the present application do not limit the timing relationship between them. For example, the user may apply for a digital certificate with the certificate application method of the above embodiment, and when the user later uses the digital certificate, the authentication apparatus may verify it with the certificate verification method of the above embodiment. When the freezing condition, the unfreezing condition or the logout condition of the digital certificate in the above embodiments is satisfied, the state information of the digital certificate is updated accordingly.
The invention also relates to a system implementing the identity authentication method based on trusted storage in a distributed environment, which comprises the following modules:
an application module, through which a user inputs digital certificate application information at a client, the application information comprising identity information and a CA center address;
a request module, which signs the application information with the private key to generate a CSR file, creates a transaction request from the CSR file, the application time and the public key, and broadcasts the transaction request to the block chain;
a verification module, which parses and verifies the transaction request and, after the transaction request passes verification, sends it to the CA center corresponding to the CA center address;
a generation module, through which the CA center generates the digital certificate and generates a first block from the digital certificate and the application information;
a storage module, which stores the first block in the distributed storage, broadcasts the first block to the block chain, and stores the storage address of the first block on the block chain.
The invention also provides a computer device, which comprises a processor and a memory, wherein at least one program code is stored in the memory, and the at least one program code is loaded and executed by the processor, so as to realize the operation executed by the identity authentication method based on the trusted storage in the distributed environment.
The present invention also provides a computer-readable storage medium having at least one program code stored therein, where the at least one program code is loaded and executed by a processor to implement the operations performed by the identity authentication method based on trusted storage in the distributed environment.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An identity authentication method based on trusted storage in a distributed environment is characterized by comprising the following steps:
a user inputs digital certificate application information at a client, wherein the application information comprises identity information and a CA center address;
signing the application information by using a private key to generate a CSR file, creating a transaction request by using the CSR file, the application time and a public key, and broadcasting the transaction request to a block chain;
analyzing and verifying the transaction request, and sending the transaction request to a CA center corresponding to the CA center address after the transaction request passes the verification;
the CA center generates a digital certificate, and generates a first block by the digital certificate and the application information;
storing the first block in distributed memory, broadcasting the first block to the block chain, and storing a storage address of the first block on the block chain.
2. A method for trusted storage based authentication in a distributed environment as claimed in claim 1, wherein after said first block's storage address is stored on said block chain, said method further comprises:
the block chain receives an authentication request, wherein the authentication request carries certificate information of the digital certificate;
according to the verification request, obtaining a storage address on the block chain corresponding to the verification request, and downloading the digital certificate according to the storage address;
and acquiring the state information corresponding to the digital certificate.
3. The identity authentication method based on the trusted storage in the distributed environment according to claim 2, wherein the state information corresponding to the digital certificate comprises:
and inquiring the state information corresponding to the digital certificate in a state database, wherein the state database is used for storing the latest state information corresponding to any certificate information.
4. The identity authentication method based on trusted storage in a distributed environment according to claim 3, wherein, when it is determined that the digital certificate satisfies a freeze condition, a second block is generated, the second block comprising the user information, certificate information of the digital certificate and freeze status information;
the block chain broadcasts the second block.
5. A method of trusted storage based authentication in a distributed environment according to claim 4, wherein after said block chain broadcasts said second block, said method further comprises:
when the digital certificate is determined to meet the unfreezing condition, generating a third block, wherein the third block comprises the user information, the certificate information of the digital certificate and the normal state information;
the block chain broadcasts the third block.
6. The method of identity authentication based on trusted storage in distributed environment according to claim 3, wherein when it is determined that said digital certificate satisfies a logout condition, a fourth block is generated, said fourth block comprising said user information, certificate information of said digital certificate and logout status information;
the block chain broadcasts the fourth block.
7. The identity authentication method based on the trusted storage in the distributed environment according to claim 3, wherein when determining that the digital certificate satisfies the update condition, generating a fifth block, the fifth block comprising the user information, the certificate information of the digital certificate, and update status information;
the block chain broadcasts the fifth block.
8. A system implementing the trusted storage based authentication method in a distributed environment according to any one of claims 1 to 7, comprising:
an application module, used by a user to input digital certificate application information at a client, wherein the application information comprises identity information and a CA center address;
the request module is used for signing the application information by using a private key to generate a CSR file, creating a transaction request by using the CSR file, the application time and the public key, and broadcasting the transaction request to the block chain for transaction;
the verification module is used for analyzing and verifying the transaction request and sending the transaction request to a CA center corresponding to the CA center address after the transaction request passes the verification;
the generation module is used for generating a digital certificate by the CA center and generating a first block by the digital certificate and the application information;
a storage module to store the first block in a distributed memory, and to broadcast the first block to the block chain and to store a storage address of the first block on the block chain.
9. A computer device comprising a processor and a memory, the memory having stored therein at least one program code, the at least one program code loaded into and executed by the processor to perform operations performed by a trusted storage based authentication method in a distributed environment as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium having at least one program code stored therein, the at least one program code being loaded and executed by a processor to perform operations performed by the method for trusted storage based authentication in a distributed environment as claimed in any one of claims 1 to 7.
CN202210470140.XA 2022-04-28 2022-04-28 Identity authentication method, system, equipment and storage medium based on trusted storage in distributed environment Pending CN114844700A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210470140.XA CN114844700A (en) 2022-04-28 2022-04-28 Identity authentication method, system, equipment and storage medium based on trusted storage in distributed environment

Publications (1)

Publication Number Publication Date
CN114844700A true CN114844700A (en) 2022-08-02

Family

ID=82567915

Country Status (1)

Country Link
CN (1) CN114844700A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107181765A (en) * 2017-07-25 2017-09-19 光载无限(北京)科技有限公司 Network digital identity identifying method based on block chain technology
CN108111314A (en) * 2018-01-19 2018-06-01 中链科技有限公司 The generation of digital certificate and method of calibration and equipment
CN109962890A (en) * 2017-12-25 2019-07-02 中国科学院信息工程研究所 A kind of the authentication service device and node access, user authen method of block chain
CN109992953A (en) * 2019-02-18 2019-07-09 深圳壹账通智能科技有限公司 Digital certificate on block chain signs and issues, verification method, equipment, system and medium
CN110598482A (en) * 2019-09-30 2019-12-20 腾讯科技(深圳)有限公司 Block chain-based digital certificate management method, device, equipment and storage medium
US10547457B1 (en) * 2016-10-21 2020-01-28 Wells Fargo Bank N.A. Systems and methods for notary agent for public key infrastructure names
CN111478769A (en) * 2020-03-18 2020-07-31 西安电子科技大学 Distributed credible identity authentication method, system, storage medium and terminal
CN112202558A (en) * 2020-12-02 2021-01-08 江苏通付盾区块链科技有限公司 Credible digital signature method and device based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination