CN115208642A - Identity authentication method, device and system based on block chain - Google Patents


Info

Publication number: CN115208642A
Authority: CN (China)
Prior art keywords: identity authentication, user, node, identity, block chain
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202210743161.4A
Other languages: Chinese (zh)
Inventors: 裴磊, 苏恒, 罗伟彬, 马爱莲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention provides a blockchain-based identity authentication method, device and system, which can be used in the technical field of blockchains. For the identity authentication initiating node, the method comprises: obtaining a node with user identity information in a blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain; receiving an encrypted identity authentication result sent by the node with user identity information; and decrypting the identity authentication result and feeding it back to the user. For the node performing identity authentication, the method comprises: receiving an encrypted user cross-node identity authentication request sent by a node in the blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain; when the user passes identity authentication, generating an identity authentication result for the user's cross-node identity authentication request; and encrypting the identity authentication result and sending it to the node. The invention achieves secure transfer and authentication of identity attribute information across institutions and strengthens the security trust mechanism of cross-institution identity authentication.

Description

Identity authentication method, device and system based on block chain
Technical Field
The present invention relates to the field of computer data processing technologies, in particular to blockchain technology, and more particularly to a blockchain-based identity authentication method, apparatus and system.
Background
More and more business systems must, for their own security requirements, verify the identity attribute information of users who want to transact business, and provide the corresponding services only after verification passes. When a business process involves the business systems of several organizations, the user needs to authorize cross-organization identity authentication through the open authorization (OAuth) protocol. For example, the user information is stored in system A; when the user performs identity authentication on system B, which has an interaction channel with system A, the user authorizes system B to perform identity authentication through system A, and system A transmits the related user information to system B.
Third-party authorized login through the open authorization (OAuth) protocol is the leading cross-organization identity authentication method in the prior art. It relies on authorization and user-information interface interactions between organizations; the authenticity and accuracy of the user information depend entirely on the credibility of the organization that stores it; the user identity information interaction flow is not transparent to users; and how the user identity information is actually used likewise depends entirely on the organization's credibility. Where organizations cannot establish a channel, for system or other reasons, cooperating organizations cannot authenticate each other's identity information. In addition, because the range of information actually transmitted is larger than the information required to authenticate the user, there is a security risk of user information leakage.
Disclosure of Invention
The blockchain-based identity authentication method, device and system provided by the invention achieve secure transfer and authentication of identity attribute information across organizations: the identity provider issues a blank certificate for user identity authentication, the identity attribute information is classified and stored, verifiable fingerprints are put on the chain to guarantee the authenticity of the data, and full-process on-chain endorsement guarantees that the user information transfer flow is open, transparent and traceable, which strengthens the security trust mechanism of cross-organization identity authentication.
In order to achieve the above object, in one aspect, the present invention discloses an identity authentication method based on a block chain, which is applicable to an identity authentication initiating node, and includes:
in response to a received user cross-node identity authentication request, encrypting the request and forwarding it to a node in the blockchain that has the user identity information, wherein a smart contract for user identity authentication is deployed in the blockchain;
receiving an encrypted identity authentication result sent by the node with the user identity information;
and decrypting the identity authentication result and feeding back the identity authentication result to the user.
Preferably, the identity authentication method based on the blockchain further includes:
forwarding the encrypted user cross-node identity authentication request to other nodes in the block chain;
receiving a consensus result of the other nodes for the user cross-node identity authentication request;
and when the consensus results of the other nodes are consistent, the identity authentication result is persisted on the block chain.
Preferably, the decrypting the identity authentication result includes:
persisting the user's public key and the user identification information on the blockchain to generate a unique identifier;
and decrypting the identity authentication result according to the unique identifier.
On the other hand, the invention also provides an identity authentication method based on the block chain, which is suitable for the identity authentication node, and the method comprises the following steps:
receiving an encrypted user cross-node identity authentication request sent by a node in the blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain;
when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user;
and encrypting the identity authentication result and sending the identity authentication result to the node.
The generating an authentication result for the user cross-node authentication request comprises:
calling the node to perform blank certificate registration in the block chain;
and filling the blank certificate according to the cross-node identity authentication request of the user to generate the identity authentication result.
Preferably, before generating an authentication result for the user cross-node authentication request when the user passes authentication, the method includes:
and decrypting the user cross-node identity authentication request according to the unique identifier corresponding to the user in the block chain to determine the identity of the user.
Correspondingly, the invention also discloses an identity authentication device based on the block chain and suitable for the identity authentication initiating node, which comprises:
a first request forwarding module, configured to forward, in response to a received user cross-node identity authentication request, an encrypted user cross-node identity authentication request to a node in the blockchain that has the user identity information, wherein a smart contract for user identity authentication is deployed in the blockchain;
the authentication result receiving module is used for receiving the encrypted identity authentication result sent by the node with the user identity information;
and the authentication result decryption module is used for decrypting the identity authentication result and feeding back the identity authentication result to the user.
Preferably, the block chain-based identity authentication apparatus adapted to the identity authentication initiating node further includes:
a second request forwarding module, configured to forward the encrypted user cross-node identity authentication request to other nodes in the blockchain;
a consensus result receiving module, configured to receive a consensus result of the user cross-node identity authentication request from the other node;
and the authentication result persistence module is used for persisting the identity authentication result on the block chain when the consensus results of the other nodes are consistent.
Preferably, the authentication result decryption module includes:
the identifier generating unit is used for persisting the user's public key and the user identification information on the blockchain so as to generate a unique identifier;
and the authentication result generating unit is used for decrypting the identity authentication result according to the unique identifier.
The invention also discloses an identity authentication device based on the block chain, which is suitable for the identity authentication node, and the device comprises:
the authentication request receiving module is used for receiving an encrypted user cross-node identity authentication request sent by a node in the blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain;
the authentication result generation module is used for generating an identity authentication result aiming at the cross-node identity authentication request of the user when the user passes the identity authentication;
and the authentication result encryption module is used for encrypting the identity authentication result and sending the identity authentication result to the node.
Preferably, the authentication result generating module includes:
a blank certificate registration unit, configured to invoke the node to perform blank certificate registration in the block chain;
and the authentication result generating unit is used for filling the blank certificate according to the cross-node identity authentication request of the user so as to generate the identity authentication result.
Preferably, the block chain-based identity authentication apparatus adapted to perform identity authentication on a node further includes:
and the user identity determining module is used for decrypting the user cross-node identity authentication request according to the unique identifier corresponding to the user in the block chain so as to determine the user identity.
The invention also discloses a blockchain node, which is configured to: in response to a received user cross-node identity authentication request, forward the encrypted user cross-node identity authentication request to a node in the blockchain that has the user identity information; receive an encrypted identity authentication result sent by the node with the user identity information; and decrypt the identity authentication result and feed it back to the user, wherein a smart contract for user identity authentication is deployed in the blockchain; and
to receive an encrypted user cross-node identity authentication request sent by a node in the blockchain; when the user passes identity authentication, generate an identity authentication result for the user's cross-node identity authentication request; and encrypt the identity authentication result and send it to the node, wherein a smart contract for user identity authentication is deployed in the blockchain.
The invention also discloses an identity authentication system based on the block chain, which comprises an identity authentication request node, an identity authentication node and the block chain;
the identity authentication request node is used for responding to the received user cross-node identity authentication request and forwarding the encrypted user cross-node identity authentication request to a node with user identity information in the block chain; receiving an encrypted identity authentication result sent by the node with the user identity information; decrypting the identity authentication result and feeding the identity authentication result back to the user;
the identity authentication node is used for receiving an encrypted user cross-node identity authentication request sent by a node in the block chain; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; encrypting the identity authentication result and sending the identity authentication result to the node;
and a smart contract for user identity authentication is deployed in the blockchain.
The invention also discloses an electronic device, which comprises a memory, a processor and a computer program that is stored in the memory and can run on the processor, wherein the processor, when executing the program, implements the steps of the blockchain-based identity authentication method.
The invention also discloses a computer-readable medium, on which a computer program is stored which, when executed by a processor, implements a method as described above.
As can be seen from the above description, first, an embodiment of the present invention provides a blockchain-based identity authentication method for an identity authentication initiating node, which includes: in response to a received user cross-node identity authentication request, forwarding an encrypted user cross-node identity authentication request to a node in the blockchain that has the user identity information, wherein a smart contract for user identity authentication is deployed in the blockchain; receiving an encrypted identity authentication result sent by the node with the user identity information; and decrypting the identity authentication result and feeding it back to the user.
Next, an embodiment of the present invention further provides a blockchain-based identity authentication method for a node that performs identity authentication, including: receiving an encrypted user cross-node identity authentication request sent by a node in the blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain; when the user passes identity authentication, generating an identity authentication result for the user's cross-node identity authentication request; and encrypting the identity authentication result and sending it to the node.
Based on DPKI, verifiable certificates, data fingerprints and other technologies, the invention achieves secure transfer and authentication of identity attribute information across institutions. First, an identity provider issues blank certificates for user identity authentication; then the identity attribute information is stored by category and verifiable fingerprints are put on the chain to guarantee the authenticity of the data; finally, the user freely selects the information to disclose and signs for precise authorization. Full-process on-chain endorsement guarantees that the user information transfer flow is open, transparent and traceable, and strengthens the security trust mechanism of cross-institution identity authentication.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of the blockchain-based identity authentication method in an embodiment of the present invention (suitable for an identity authentication initiating node);
Fig. 2 is a second flowchart of the blockchain-based identity authentication method in an embodiment of the present invention (suitable for an identity authentication initiating node);
Fig. 3 is a flowchart of step 300 of the blockchain-based file transfer method in an embodiment of the present invention;
Fig. 4 is a first flowchart of the blockchain-based identity authentication method in an embodiment of the present invention (suitable for a node performing identity authentication);
Fig. 5 is a flowchart of step B of the blockchain-based file transmission method in an embodiment of the present invention;
Fig. 6 is a second flowchart of the blockchain-based identity authentication method in an embodiment of the present invention (suitable for a node performing identity authentication);
Fig. 7 is a block diagram of the blockchain-based identity authentication system in an embodiment of the present invention;
Fig. 8 is a block diagram of blockchain node 2 in an embodiment of the present invention;
Fig. 9 is a flowchart of the blockchain-based identity authentication method in an embodiment of the present invention;
Fig. 10 is a schematic diagram of the identity credential verification process of blockchain node 2 in an embodiment of the present invention;
Fig. 11 is a first diagram of the blockchain-based identity authentication device in an embodiment of the present invention (suitable for a file sender);
Fig. 12 is a second diagram of the blockchain-based identity authentication device in an embodiment of the present invention (suitable for a file sender);
Fig. 13 is a block diagram of the authentication result decryption module 30 of the blockchain-based identity authentication device in an embodiment of the present invention;
Fig. 14 is a first diagram of the blockchain-based identity authentication device in an embodiment of the present invention (suitable for a node performing identity authentication);
Fig. 15 is a block diagram of the authentication result generation module B of the blockchain-based identity authentication device in an embodiment of the present invention;
Fig. 16 is a second diagram of the blockchain-based identity authentication device in an embodiment of the present invention (suitable for a node performing identity authentication);
Fig. 17 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
It should be noted that the identity authentication method, device and system based on the blockchain disclosed in the present application can be used in the technical field of artificial intelligence, and can also be used in any field except the technical field of artificial intelligence.
To facilitate understanding of the technical solutions provided in the present application, the relevant background is described first. The blockchain-based identity authentication method provided by the embodiment of the invention builds on the existing technology of storing data in the chained structure of a blockchain and, further, on DPKI, verifiable certificates, data fingerprints and other technologies, to achieve secure transfer and authentication of identity attribute information across organizations: the identity provider issues a blank certificate for user identity authentication, the identity attribute information is stored by category, verifiable fingerprints are put on the chain to guarantee the authenticity of the data, and the user freely selects the information to disclose and signs for precise authorization.
In this technical solution, the acquisition, storage, use and processing of data comply with the relevant provisions of national laws and regulations.
According to an aspect of the present invention, the present embodiment discloses an identity authentication method based on a block chain, which is applicable to an identity authentication initiating node. As shown in fig. 1, in this embodiment, the method includes:
Step 100: in response to a received user cross-node identity authentication request, encrypting the request and forwarding it to a node in the blockchain that has the user identity information, wherein a smart contract for user identity authentication is deployed in the blockchain;
Specifically, a consortium chain is established between the identity authentication initiating node (which receives the user's cross-institution identity authentication request) and the verification institution that has the user identity information, and the identity authentication initiating node encrypts the cross-institution identity authentication request and sends it to the verification institution node that has the user identity information.
Step 200: receiving an encrypted identity authentication result sent by the node with the user identity information;
Each consortium member (blockchain node) generates its own public/private key pair for user identity information interaction, registers the public key information on the chain and records the on-chain addressing information. After the user uploads the identity attribute information from the identity information provider institution and the identity attribute information is authenticated by the provider institution, the public and private key pair information of the user is recorded on the downlink and the on-chain addressing information is returned to the user.
Step 300: decrypting the identity authentication result and feeding it back to the user.
When the user performs identity verification at the verification institution, the information to be disclosed is authorized and encrypted by the provider institution and is then transmitted to the verification institution, completing the user's cross-institution identity authentication process.
In a preferred embodiment, as shown in fig. 2, a block chain-based identity authentication method applied to an identity authentication initiating node further includes:
Step 400: forwarding the encrypted user cross-node identity authentication request to other nodes in the blockchain;
Step 500: receiving a consensus result of the other nodes for the user cross-node identity authentication request;
Blockchain nodes are assigned to different business systems. All nodes have the same structure and have the identity authentication service smart contract deployed. For example, the total number of blockchain nodes in a service chain is 3f + 1, where f is the number of faulty nodes that can be tolerated and has a minimum value of 1. Smart contract transaction requests reach consensus using the PBFT Byzantine fault-tolerant algorithm: after each blockchain node in the service chain receives at least 2f + 1 consistent confirmation messages from other blockchain nodes, the transaction completes consensus, and the execution result can be used as valid data to generate a new block and be persisted.
Step 600: when the consensus results of the other nodes are consistent, persisting the identity authentication result on the blockchain.
In addition, the user cross-node identity authentication request may be replaced by another business transaction request, such as public key registration, digital certificate issuance or data directory registration. All blockchain nodes have the same internal structure. A node checks a transaction for permission, repeated submission and parameter validity, and after the checks pass broadcasts it to all other blockchain nodes in service chain 1. A node that receives a consensus transaction request broadcast from another blockchain node checks the parameter validity of that transaction and enters consensus after the check passes. Each blockchain node completes consensus after receiving consensus confirmation messages from 2f + 1 other blockchain nodes, then generates new block data from the data produced by the logic processing in the contract and updates the world state.
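The quorum rule described above (3f + 1 nodes, 2f + 1 consistent confirmations from other nodes), as an added Python example that is not part of the patent. The function names, node IDs and the use of a SHA-256 digest over canonical JSON to compare execution results are assumptions; only the confirmation-counting step of PBFT is shown.

```python
import hashlib
import json
from collections import Counter


def max_faulty(n: int) -> int:
    """Largest f such that n >= 3f + 1. The text requires f >= 1, so n >= 4."""
    if n < 4:
        raise ValueError("a service chain needs at least 3f + 1 = 4 nodes")
    return (n - 1) // 3


def result_digest(result: dict) -> str:
    """Digest of an execution result; canonical JSON so equal results hash equally."""
    canonical = json.dumps(result, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def committed_digest(members, self_id, confirmations):
    """Tally confirmation messages for one transaction on one node.

    members:       IDs of all nodes in the service chain (n = 3f + 1)
    self_id:       this node's ID; its own message is not counted, because the
                   text counts confirmations "from other blockchain nodes"
                   (classic PBFT would also count the node's own message)
    confirmations: iterable of (node_id, digest) pairs as received

    Returns (digest, equivocators): digest is the result confirmed by at least
    2f + 1 distinct other members, or None if no result has reached the quorum.
    """
    members = set(members)
    quorum = 2 * max_faulty(len(members)) + 1
    first_vote = {}
    equivocators = set()
    for node_id, digest in confirmations:
        # Ignore our own message and anything from outside the consortium.
        if node_id == self_id or node_id not in members:
            continue
        # One vote per node: a replayed message must not be counted twice.
        previous = first_vote.setdefault(node_id, digest)
        if previous != digest:
            # The same node confirmed two different results: drop it entirely.
            equivocators.add(node_id)
    counts = Counter(d for node, d in first_vote.items() if node not in equivocators)
    for digest, votes in counts.items():
        if votes >= quorum:
            return digest, sorted(equivocators)
    return None, sorted(equivocators)


if __name__ == "__main__":
    # Constructed sample: four nodes (f = 1), node A tallies the others' votes.
    ok = result_digest({"request": "constructed-req-1", "passed": True})
    votes = [("B", ok), ("C", ok), ("D", ok)]
    print(committed_digest(["A", "B", "C", "D"], "A", votes))
```

With n = 4 the rule as worded in the text needs all three other nodes to agree, so a single silent or conflicting node delays persistence rather than corrupting the result.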
In a preferred embodiment, as shown in fig. 3, step 300 specifically includes:
Step 301: persisting the user's public key and the user identification information on the blockchain to generate a unique identifier;
The public key information of institutions and users is registered on the chain, and a unique PubID identifier is generated on the chain to serve as the unique identifier for addressing that institution's or user's public key information on the chain.
Step 302: decrypting the identity authentication result according to the unique identifier.
In a preferred embodiment, after receiving the authentication result, the user further needs to sign the authentication result and select the information that needs to be authorized, so as to achieve precise authorization.
According to an aspect of the present invention, the present embodiment discloses an identity authentication method based on a block chain, which is suitable for performing an identity authentication node. As shown in fig. 4, in this embodiment, the method includes:
Step A: receiving an encrypted user cross-node identity authentication request sent by a node in the blockchain, wherein a smart contract for user identity authentication is deployed in the blockchain;
Specifically, the identity authentication node calls the identity authentication request initiating node to register the institution's public key information. The identity authentication request initiating node verifies the validity of the identity authentication node and, after the verification passes, generates a public key addressing index PubID for the institution and, using the PubID as the key, updates on the chain the public key information, the institution identification information and other custom attribute information such as the institution description. The private key is kept by the identity authentication node.
Step B: when the user passes identity authentication, generating an identity authentication result for the user's cross-node identity authentication request;
Specifically, the nodes agree on an identity information interaction standard according to their requirements for using identity attribute information. The identity authentication node classifies the user identity information by attribute, extracts fingerprints and issues an identity information interaction blank certificate. When the identity authentication node needs to obtain the user identity information, the user signs to authorize the correspondingly classified identity attribute information; the identity authentication node then fills in and encrypts the blank certificate and sends it to the identity authentication request initiating node; and the identity authentication node obtains the user attribute information after decryption, signature verification, fingerprint verification and other processes.
Step C: encrypting the identity authentication result and sending it to the node.
The user selects, by category, the identity information to disclose at the identity authentication node, confirms it, and signs with the user's private key to generate an identity authentication certificate. The identity certificate is either transmitted by the identity provider institution or submitted directly to the identity verification institution by the user; when it is transmitted by the identity provider institution, it can be encrypted with the on-chain public key of the identity verification institution. The identity verification institution decrypts the identity certificate, then completes certificate verification against the public key information and data fingerprint information on the chain, obtains the real user's identity attribute information, and completes user identity authentication.
In one embodiment, as shown in fig. 5, step B includes:
step B1: calling the node to perform blank certificate registration in the block chain;
step B2: filling in the blank certificate according to the user's cross-node identity authentication request to generate the identity authentication result.
In steps B1 and B2, the identity authentication node invokes the area identity authentication request initiating node to register the blank certificate information. After the area identity authentication request initiating node verifies the validity of the identity authentication node, it generates a unique index VCid for the blank certificate and updates the certificate fingerprint information, the organization information and the like on the chain, keyed by the VCid and the organization PubID.
In an embodiment, as shown in fig. 6, the block chain-based identity authentication method for the node performing identity authentication further includes:
step D: decrypting the user cross-node identity authentication request according to the unique identifier corresponding to the user in the block chain, so as to determine the user identity.
The identity authentication node decrypts the identity certificate using the private key that matches the public key corresponding to the pubID on the chain.
The invention realizes the secure transfer and authentication of identity attribute information across institutions based on DPKI, verifiable certificates, data fingerprints and related technologies. Each organization and each user has its own public/private key pair, stores the public key information on the block chain, and is returned the on-chain addressing information for that public key information. The organizations agree on an identity information interaction standard according to the use requirements of the identity attribute information. The organization providing the user identity information classifies it by attribute, extracts fingerprints, and issues a blank identity information interaction certificate. When the authentication organization needs to obtain user identity information, the user signs and authorizes the identity attribute information of the corresponding class, the providing organization fills in the blank certificate, encrypts it and sends it to the authentication organization, and the authentication organization obtains the user attribute information after decryption, signature verification, fingerprint verification and similar steps. On-chain endorsement of the full flow ensures an accurate user authorization scope, verification of identity information and traceability of the exchanged information, and strengthens the security trust mechanism of cross-organization authentication.
The present invention further provides a specific embodiment of the block chain-based identity authentication method, which includes the following contents.
Brief description of terms:
Federation chain: a block chain alliance network built among cooperating service organizations according to service requirements; service rules are extracted into service intelligent contracts (smart contracts), which are deployed to the block chain alliance network to endorse specific service data.
Verifiable digital certificates: a certificate is an attribute description of an entity, and a verifiable certificate is a tamper-proof certificate cryptographically signed by its issuer, with the properties of cryptographic security and privacy protection. It is generally composed of at least two sets of information: the first is the verifiable certificate itself, which contains certificate metadata and statements; the second is the digital signature by which the certificate can be verified.
DPKI: a decentralized public key infrastructure that associates public keys with entity identifiers and stores and retrieves public key information on decentralized nodes.
Data fingerprint: the original data is compressed with a hash function and the resulting unique hash value is extracted; different original data produce different hash values, so the fingerprint can serve as a basis for judging whether the original data has been modified.
Referring to fig. 7, the embodiment of the present invention first provides an identity authentication system based on a block chain, where the system includes: a service chain 1, a block chain node 2 and a service system 3.
Service chain 1: established according to the identity authentication requirements among the service systems of different external organizations. A block chain node 2 is allocated to each service system, all block chain nodes have the same structure, and the identity authentication service intelligent contract is deployed on them. The total number of block chain nodes in the service chain is 3f+1, where f is the number of faulty nodes that can be tolerated and has a minimum value of 1. Intelligent contract transaction requests reach consensus using the PBFT Byzantine fault-tolerant algorithm: once each block chain node in the service chain has received at least 2f+1 consistent confirmation messages from other block chain nodes, the transaction completes consensus, and the execution result can be used as legal data to generate a new block and be persisted.
Block chain node 2: handles identity-authentication-related transaction requests initiated by the service system 3, including service transaction requests such as public key registration, digital certificate issuance and data directory registration. All block chain nodes have the same internal structure. A node performs authority verification on the transaction, checks for repeated submission and validates the parameters, and after these checks pass it broadcasts the transaction to all other block chain nodes 2 in the service chain 1. It also receives the consensus transaction request broadcasts of other block chain nodes 2, validates the parameters of the transaction under consensus, and takes part in consensus once validation passes. Each block chain node 2 completes consensus after receiving consistent confirmation messages from 2f+1 other block chain nodes 2, generates new block data from the data produced by the contract logic, and updates the world state.
Service system 3: the system that initiates service transaction requests. It integrates cryptographic components such as public/private key pairs and data fingerprint extraction, submits identity authentication intelligent contract transaction requests to the block chain node 2 of the service chain 1 according to the user's identity authentication operation requests, receives the processing results returned by the block chain node 2, and closes the loop on the related service logic.
In a more specific embodiment, the block chain nodes are responsible for the following operations:
1. Public key registration: the public key information of organizations and users is registered on the chain, and a unique pubID is generated on the chain to serve as the identifier for addressing that public key information on the chain.
2. Issuing a digital certificate: the organization implements the identity verification business process and generates a blank certificate, which contains the signature information of the inter-enterprise mutual authentication information and the template for the user identity information. When the user needs to transmit identity information, the identity information is filled in according to the blank certificate and an identity authentication certificate is generated.
3. Data directory registration: the cooperating organizations negotiate and agree on the classification of user identity attribute information, such as basic strong verification information (including user name and identity card information), basic weak verification information (including user name and year and month of birth), academic record certification (graduating institution, certificate number), interests and hobbies (adding association information) and the like. The identity providing organization stores the user information by the agreed classes and records the fingerprint information of the classified metadata on the chain. Is numbered by a structure blank certificate,
It is understood that the blank voucher can be designed with attribute fields according to mutual authentication of the authorities and mutual authentication of user identities required to be revealed among the alliances, see table 1:
TABLE 1 (an image in the original publication; its contents are not reproduced here)
The identity certificate is formed by superimposing the user identity information on a blank certificate, and is decrypted using the pubID of the verification organization on the chain during sending; the specific structure is shown in table 2:
TABLE 2 (an image in the original publication; its contents are not reproduced here)
Further, referring to fig. 8, the block chain node 2 includes a transaction checking and routing device 11, an authentication service device 12 and a transaction consensus and processing device 13.
The transaction checking and routing device 11 initializes the block chain node: when the block chain node 2 starts, it instantiates the authentication intelligent contract, starts the authentication service device, and establishes a trusted communication connection with all other block chain nodes 2 in the block chain 1. After the block chain nodes 2 have networked successfully, it can receive transaction requests initiated by the service system 3, authenticate the transaction certificate of the service system 3, and route authenticated legal transactions to the identity verification service device 12.
The authentication service device 12 receives requests for registration and query of user public keys, application and verification of certificates, registration and query of data directories, and the like from within the organization to which the block chain node 2 belongs. Specifically, it comprises a public key registration and query module 121, a certificate application and query module 122, and a directory registration and query module 123.
The public key registration and query module 121 is configured to receive organization and user public key registration requests initiated by the service system 3. During registration, the public key information of the organization and the user, their identification information and any additional custom attributes are persisted on the chain, and a unique index key PubID is generated and returned to the service system 3. During query, the public key and attribute information stored at registration are returned according to the PubID, including the public key information, the identification information and the additional custom attribute information of the organization and the user.
The certificate application and query module 122 is configured to receive blank certificate applications and verification requests initiated by the service system 3. On application, a globally unique certificate number VCid is generated for the certificate, and key elements such as the certificate fingerprint information and the issuing organization information are persisted on the chain. On verification, a query is made by certificate number, and the certificate attribute information registered on the chain is returned, including the certificate fingerprint information, the issuing organization and other key elements.
The directory registration and query module 123 is configured to register and query the directory of user information on requests initiated by the service system 3. During registration, the organization pubID, the user pubID and the data classification serial number are used as index keys; registration is carried out on the chain by user information class, and the user identity information directory and the fingerprint information of the specific identity information are persisted on the chain.
The transaction consensus and processing device 14 is the core module that completes consensus and persistence for update-type service transactions. It performs three-stage consensus processing on the transaction using a Byzantine consensus algorithm: the first stage is pre-prepare consensus, the second is prepare consensus, and the third is commit consensus. The three stages are executed in sequence; once consistent confirmation messages from 2f+1 other transaction consensus nodes have been cumulatively received in the current stage, that stage's consensus is complete and the next stage begins, and once all three stages have completed consensus the service request is legal. After consensus succeeds, the intelligent contract transaction logic is executed and the service data is persisted into the world state. This specifically includes the public key information of organizations and users, blank certificate and identity certificate information, the user information directory and the like.
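The three-stage quorum rule described above, as an added Go example that is not part of the patent: one node tracks one transaction and advances a stage only after 2f+1 distinct, consistent confirmations. Tracker, Sizes, Run, the node names and the digest string are hypothetical; CountSelf switches between counting only other nodes' messages, as the text words it, and also counting the node's own message, as the original PBFT protocol does.

```go
package main

import "fmt"

// Phase is the consensus stage a transaction has reached on this node.
type Phase int

const (
	PrePrepare Phase = iota
	Prepare
	Commit
	Committed // all three stages reached quorum; the contract logic may execute
)

// Sizes returns the chain size 3f+1 and the per-stage quorum 2f+1.
func Sizes(f int) (nodes, quorum int) { return 3*f + 1, 2*f + 1 }

// Tracker follows one transaction on one node (hypothetical type).
type Tracker struct {
	Self, Digest string
	F            int
	CountSelf    bool // false: only other nodes' confirmations count
	phase        Phase
	seen         map[string]bool // senders counted in the current stage
}

// reset starts a new stage, pre-counting this node's own message if configured.
func (t *Tracker) reset() {
	t.seen = map[string]bool{}
	if t.CountSelf {
		t.seen[t.Self] = true
	}
}

// Confirm feeds in one confirmation message and returns the stage afterwards.
func (t *Tracker) Confirm(from string, p Phase, digest string) Phase {
	if t.seen == nil {
		t.reset()
	}
	// Not counted: finished transaction, wrong stage, conflicting digest,
	// the node's own message, or a sender already counted in this stage.
	if t.phase == Committed || p != t.phase || digest != t.Digest ||
		from == t.Self || t.seen[from] {
		return t.phase
	}
	t.seen[from] = true
	if _, quorum := Sizes(t.F); len(t.seen) >= quorum {
		t.phase++
		t.reset()
	}
	return t.phase
}

// Run replays confirmations from the given peers for each stage in order.
func Run(f int, countSelf bool, peers []string) Phase {
	t := &Tracker{Self: "node-1", Digest: "tx-digest", F: f, CountSelf: countSelf}
	for p := PrePrepare; p <= Commit; p++ {
		for _, peer := range peers {
			t.Confirm(peer, p, t.Digest)
		}
	}
	return t.phase
}

func main() {
	all := []string{"node-2", "node-3", "node-4"} // constructed 4-node chain, f = 1
	fmt.Println("all peers answer:", Run(1, false, all))
	fmt.Println("one peer silent, own message not counted:", Run(1, false, all[:2]))
	fmt.Println("one peer silent, own message counted:", Run(1, true, all[:2]))
}
```

With f = 1 the chain has four nodes, so 2f+1 confirmations from other nodes means all three peers must answer; a single silent peer stalls the transaction unless the node's own message counts toward the quorum.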
Referring to fig. 9, based on the identity authentication system based on the block chain, the identity authentication method based on the block chain provided by the specific application example of the present invention includes the following steps:
Step S201: the alliance's cooperating organizations that need to participate in joint identity authentication form the alliance service chain 1 and complete initialization.
Each organization deploys a block chain node 2 and connects the service system 3 that needs cross-organization identity authentication to its own block chain node 2. The service chain 1 is initialized and started, node authentication is completed among the block chain nodes 2 of all organizations, the secure connections for consensus communication are recorded, and a client identity certificate is registered for each service system client. The service system integrates components for the public/private key pair cryptographic algorithm and the data fingerprint extraction algorithm, and the client identity certificate issued by the service chain 1 is configured in the system.
Step S202: the service system 3 calls the block chain node 2 to register the public key information of the organization.
The block chain node 2 verifies the validity of the service system 3, generates a public key addressing index PubID for the organization after the verification is passed, and updates the public key information, the organization identification information and other additional self-defined attribute information such as organization description and the like on the chain by taking the PubID as a key. The private key is stored by the business system 3 itself.
Step S203: the service system 3 calls the blockchain node 2 to register blank certificate information.
After verifying the validity of the service system 3, the block chain node 2 generates a unique index VCid for the blank certificate, and updates the certificate fingerprint information, the organization information and the like on the chain, keyed by the VCid and the organization PubID. The verification organization queries, on the chain, the public key corresponding to the providing organization's orgPubID, the public key corresponding to the user's userPubID, the blank certificate data fingerprint corresponding to the VCid, and the data fingerprint corresponding to the userPubID under the data classification in userLabe.
Step S204: the service system 3 registers a public key for the user according to the user cross-organization identity authentication and authorization protocol.
After the service system 3 performs identity authentication on the user, a public key and identity information are registered for the user according to the cross-organization identity authentication and identity information disclosure authorization protocol of the user. And the block chain node 2 generates a public key addressing index PubID for the user according to the public key request, and updates the public key information of the user, the identification information of the organization and the other additional self-defined attribute information such as user description and the like on the chain by taking the PubID as a key. The user private key is stored by the user himself.
Step S205: the service system 3 registers the identity information directory for the user according to the user cross-organization identity information disclosing authorization protocol.
The service system classifies the identity information according to the scope the user has authorized for disclosure and the standard agreed among the alliance members, generates a copy, and registers the information classes and the fingerprint information of the identity information on the chain, thereby providing the data resource directory of the user's disclosed identity information. On the service system's request, the block chain node 2 persists the fingerprint information of the user identity information under each class on the chain, keyed by the organization pubID, the user pubID and the data classification serial number.
Step S206: the user requests the service system 3 of the identity providing organization to generate an identity certificate for the user and performs cross-organization identity authentication.
The user selects, by class, the identity information to disclose in the service system 3, confirms it, and signs with the user private key to generate an identity authentication certificate. The identity certificate is either transmitted by the identity providing organization or submitted directly to the identity verification organization by the user; when the identity providing organization transmits it, the on-chain public key of the identity verification organization can be used for encryption. The identity authentication organization decrypts the identity certificate and then completes certificate verification against the on-chain public key information and data fingerprint information, obtaining the real user's identity attribute information and completing user identity authentication. The verification organization decrypts the identity certificate using the private key that matches the public key corresponding to its on-chain PubID, and verifies the orgsinginfo information using the public key of the providing organization, proving that it is an enterprise endorsement.
In addition, referring to fig. 10, the verification process of the block chain node 2 for the identity certificate includes the following steps:
S100: certificate decryption verification.
The verification organization decrypts the identity certificate using the private key that matches the public key corresponding to its on-chain PubID.
S200: querying information on the chain.
The verification organization queries, on the chain, the public key corresponding to the providing organization's orgPubID, the public key corresponding to the user's userPubID, the blank certificate data fingerprint corresponding to the VCid, and the data fingerprint corresponding to the userPubID under the data classification in userlabe.
S300: verifying the certificate information.
The orgsinginfo information is verified with the public key of the providing organization, proving that it is an enterprise endorsement; the usersigninfo information is verified with the public key of the user, proving that it is information verified by the user; the data integrity of the blank certificate is verified with the blank certificate fingerprint; and the integrity of the user identity information is verified with the digital fingerprint of the user data.
S400: verifying the user attribute information.
The user identity is verified using the information the user disclosed, and service is provided according to the verification result.
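Steps S200 and S300 above as an added Go example (not code from the patent), starting from a certificate that has already been decrypted in S100. Ed25519 signatures and SHA-256 fingerprints are assumptions, since the text names no algorithms; the struct layout, the "|"-joined directory key and all sample values are constructed, and OrgSignInfo and UserSignInfo stand for the text's orgsinginfo and usersigninfo fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Ledger stands in for the on-chain world state, indexed as the text describes.
type Ledger struct {
	PubKeys map[string]ed25519.PublicKey // PubID -> registered public key
	BlankFP map[string][32]byte          // VCid -> blank-certificate fingerprint
	DataFP  map[string][32]byte          // org PubID|user PubID|class -> data fingerprint
}

// Credential is an identity certificate after S100 decryption (layout assumed).
type Credential struct {
	VCid, OrgPubID, UserPubID, UserLabel string
	Blank, Attrs                         []byte // blank template, disclosed attributes
	OrgSignInfo, UserSignInfo            []byte // provider and user signatures
}

var (
	ErrNotRegistered = errors.New("PubID, VCid or data class not found on chain")
	ErrOrgSig        = errors.New("provider signature does not verify")
	ErrUserSig       = errors.New("user signature does not verify")
	ErrBlankFP       = errors.New("blank certificate differs from on-chain fingerprint")
	ErrDataFP        = errors.New("attributes differ from on-chain fingerprint")
)

func dataKey(org, user, class string) string { return org + "|" + user + "|" + class }

// userMsg is what the user signs: the attributes bound to one certificate and class.
func userMsg(c *Credential) []byte {
	return append([]byte(c.VCid+"\x00"+c.UserLabel+"\x00"), c.Attrs...)
}

// Issue adds the provider's endorsement of the template and the user's authorisation.
func Issue(orgKey, userKey ed25519.PrivateKey, c Credential) Credential {
	c.OrgSignInfo = ed25519.Sign(orgKey, c.Blank)
	c.UserSignInfo = ed25519.Sign(userKey, userMsg(&c))
	return c
}

// Verify runs S200 (on-chain lookups) and S300 (signature and fingerprint checks).
func Verify(l *Ledger, c *Credential) error {
	orgPK, ok1 := l.PubKeys[c.OrgPubID]
	userPK, ok2 := l.PubKeys[c.UserPubID]
	blankFP, ok3 := l.BlankFP[c.VCid]
	dataFP, ok4 := l.DataFP[dataKey(c.OrgPubID, c.UserPubID, c.UserLabel)]
	if !(ok1 && ok2 && ok3 && ok4) {
		return ErrNotRegistered
	}
	switch {
	case !ed25519.Verify(orgPK, c.Blank, c.OrgSignInfo):
		return ErrOrgSig
	case !ed25519.Verify(userPK, userMsg(c), c.UserSignInfo):
		return ErrUserSig
	case sha256.Sum256(c.Blank) != blankFP:
		return ErrBlankFP
	case sha256.Sum256(c.Attrs) != dataFP:
		return ErrDataFP
	}
	return nil // S400: the caller may now rely on c.Attrs
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sample builds a ledger and an issued certificate from constructed values.
func Sample() (*Ledger, ed25519.PrivateKey, ed25519.PrivateKey, Credential) {
	orgPub, orgKey := newKey()
	userPub, userKey := newKey()
	c := Credential{VCid: "vc-0001", OrgPubID: "pub-org-a", UserPubID: "pub-user-1",
		UserLabel: "basic-weak", Blank: []byte(`{"fields":["name","birthYearMonth"]}`),
		Attrs: []byte(`{"name":"Example User","birthYearMonth":"1990-01"}`)}
	l := &Ledger{
		PubKeys: map[string]ed25519.PublicKey{c.OrgPubID: orgPub, c.UserPubID: userPub},
		BlankFP: map[string][32]byte{c.VCid: sha256.Sum256(c.Blank)},
		DataFP:  map[string][32]byte{dataKey(c.OrgPubID, c.UserPubID, c.UserLabel): sha256.Sum256(c.Attrs)},
	}
	return l, orgKey, userKey, Issue(orgKey, userKey, c)
}

func main() {
	l, orgKey, userKey, c := Sample()
	fmt.Println("genuine certificate:", Verify(l, &c))
	alt := c // the user signs attributes the provider never registered
	alt.Attrs = []byte(`{"name":"Example User","birthYearMonth":"1985-01"}`)
	alt = Issue(orgKey, userKey, alt)
	fmt.Println("self-asserted attributes:", Verify(l, &alt))
}
```

The second case in main shows why the fingerprint check is separate from the signature checks: attributes that the user signs but the provider never registered pass both signatures and are rejected only by the on-chain data fingerprint.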
As can be seen from the foregoing description, first, an embodiment of the present invention provides a block chain-based identity authentication method for an identity authentication initiating node, where the method includes responding to a received user cross-node identity authentication request, and forwarding an encrypted user cross-node identity authentication request to a node having user identity information in a block chain, where an intelligent contract for user identity authentication is deployed in the block chain; receiving an encrypted identity authentication result sent by a node with user identity information; and decrypting the identity authentication result and feeding back the identity authentication result to the user.
Next, an embodiment of the present invention further provides a block chain-based identity authentication method for an identity authentication node, including: receiving an encrypted user cross-node identity authentication request sent by a node in a block chain; the block chain is provided with an intelligent contract for user identity authentication; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; and encrypting the identity authentication result and sending the identity authentication result to the node.
Specifically, the invention has the following beneficial effects:
1. Stronger guarantee of the authenticity of identity information: the identity providing organization records the fingerprint information of the identity metadata on the chain, and after receiving the data the verification organization can verify it against the on-chain fingerprint information to ensure its authenticity and integrity.
2. Reduced risk of user identity information leakage: the user identity attribute information is managed by class according to the identity information interaction standard agreed between the providing organization and the verification organization, and the user grants precise authorization according to the verification organization's actual needs, so that the user identity information is disclosed within a minimal scope.
3. Improved trust mechanism for the whole process: the authorization and usage information for user information is permanently stored on the chain and is open to the organizations and users on the chain; supervision by an authority organization can additionally be layered on top of the on-chain information, which improves the trust mechanism of the whole verification process.
Based on the same principle, the embodiment also discloses an identity authentication method based on the block chain. The execution subject of the method is a block chain node, and the method comprises the following steps:
responding to a received user cross-node identity authentication request, and forwarding an encrypted user cross-node identity authentication request to a node with user identity information in a block chain; receiving an encrypted identity authentication result sent by the node with the user identity information; decrypting the identity authentication result and feeding back the identity authentication result to the user, wherein an intelligent contract for user identity authentication is deployed in the blockchain, and
receiving an encrypted user cross-node identity authentication request sent by a node in a block chain; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; and encrypting the identity authentication result and sending the identity authentication result to the node, wherein an intelligent contract used for user identity authentication is deployed in the block chain.
Because the principle of solving the problems by the method is similar to that of the method, the implementation of the method can be referred to the implementation of the method, and details are not repeated herein.
Based on the same principle, referring to fig. 11, this embodiment further discloses an identity authentication apparatus based on a block chain and applicable to an identity authentication initiating node, where the apparatus includes:
a request forwarding first module 10, configured to forward, in response to a received user cross-node authentication request, an encrypted user cross-node authentication request to a node having user identity information in a block chain; the block chain is provided with intelligent contracts used for user identity authentication;
an authentication result receiving module 20, configured to receive an encrypted identity authentication result sent by the node with the user identity information;
and the authentication result decryption module 30 is configured to decrypt the identity authentication result and feed the identity authentication result back to the user.
Preferably, referring to fig. 12, the block chain-based identity authentication apparatus adapted for an identity authentication initiating node further includes:
a request forwarding second module 40, configured to forward the encrypted user cross-node identity authentication request to other nodes in the block chain;
a consensus result receiving module 50, configured to receive a consensus result of the other node for the user cross-node identity authentication request;
and an authentication result persistence module 60, configured to persist the identity authentication result on the block chain when the consensus results of the other nodes are consistent.
Preferably, referring to fig. 13, the authentication result decryption module 30 includes:
an identifier generating unit 301, configured to persist the public key of the user and the user identification information on the block chain to generate a unique identifier;
an authentication result generating unit 302, configured to decrypt the identity authentication result according to the unique identifier.
In an embodiment, referring to fig. 14, the present invention further discloses a block chain-based identity authentication apparatus adapted for the node performing identity authentication, where the apparatus includes:
the authentication request receiving module A is used for receiving an encrypted user cross-node identity authentication request sent by a node in a block chain; the intelligent contract used for user identity authentication is deployed in the block chain;
the authentication result generation module B is used for generating an identity authentication result aiming at the cross-node identity authentication request of the user when the user passes the identity authentication;
and the authentication result encryption module C is used for encrypting the identity authentication result and sending the identity authentication result to the node.
Preferably, referring to fig. 15, the authentication result generating module B includes:
a blank voucher registering unit B1, configured to invoke the node to perform blank voucher registration in the block chain;
and the authentication result generating unit B2 is used for filling the blank certificate according to the cross-node identity authentication request of the user so as to generate the identity authentication result.
Preferably, referring to fig. 16, the block chain-based identity authentication apparatus adapted for the node performing identity authentication further includes:
and the user identity determining module D is used for decrypting the user cross-node identity authentication request according to the unique identifier corresponding to the user in the block chain so as to determine the user identity.
Since the principle of the device for solving the problems is similar to the method, the implementation of the device can refer to the implementation of the method, and the detailed description is omitted here.
Based on the same principle, the embodiment also discloses a block chain node. The block chain node is configured to forward an encrypted user cross-node authentication request to a node in the block chain having user identity information in response to the received user cross-node authentication request; receiving an encrypted identity authentication result sent by the node with the user identity information; decrypting the identity authentication result and feeding back the identity authentication result to the user, wherein an intelligent contract for user identity authentication is deployed in the block chain, and
receiving an encrypted user cross-node identity authentication request sent by a node in a block chain; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; and encrypting the identity authentication result and sending the identity authentication result to the node, wherein an intelligent contract used for user identity authentication is deployed in the block chain.
Because the principle of the node for solving the problem is similar to the method, the implementation of the node can refer to the implementation of the method, and details are not described herein.
Based on the same principle, the embodiment also discloses an identity authentication system based on the block chain. The identity authentication system based on the block chain comprises an identity authentication request node, an identity authentication node and the block chain;
the identity authentication request node is used for responding to the received user cross-node identity authentication request and forwarding an encrypted user cross-node identity authentication request to a node with user identity information in a block chain; receiving an encrypted identity authentication result sent by the node with the user identity information; decrypting the identity authentication result and feeding the identity authentication result back to the user;
the identity authentication node is used for receiving an encrypted user cross-node identity authentication request sent by a node in the block chain; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; encrypting the identity authentication result and sending the identity authentication result to the node;
and intelligent contracts used for user identity authentication are deployed in the blockchain.
Since the principle of solving the problem of the system is similar to the above method, the implementation of the system can refer to the implementation of the method, and details are not described herein.
The systems, apparatuses, modules or units described in the above embodiments may be specifically implemented by a computer chip or an entity, or implemented by a product with certain functions. A typical implementation device is a computer device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
In a typical example, the computer device specifically comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method performed by the client as described above when executing the program, or the processor implementing the method performed by the server as described above when executing the program.
Reference is now made to fig. 17, which illustrates a block diagram of a computer device suitable for use in implementing embodiments of the present application.
As shown in fig. 17, the computer apparatus includes a Central Processing Unit (CPU) 601, which can perform various appropriate jobs and processes in accordance with a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The RAM 603 also stores various programs and data necessary for system operation. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, and the like; an output section 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, as well as a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 610 as necessary, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art to which the present application pertains. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. An identity authentication method based on a block chain is characterized by comprising the following steps:
responding to a received user cross-node identity authentication request, forwarding and encrypting the user cross-node identity authentication request to a node with user identity information in a block chain, wherein an intelligent contract for user identity authentication is deployed in the block chain;
receiving an encrypted identity authentication result sent by the node with the user identity information;
and decrypting the identity authentication result and feeding back the identity authentication result to the user.
2. The identity authentication method based on the blockchain according to claim 1, further comprising:
forwarding the encrypted user cross-node identity authentication request to other nodes in the block chain;
receiving a consensus result of the other nodes for the user cross-node identity authentication request;
and when the consensus results of the other nodes are consistent, the identity authentication result is persisted on the block chain.
3. The blockchain-based identity authentication method of claim 1, wherein the decrypting the identity authentication result comprises:
persisting on the block chain according to the public key of the user and the user identification information to generate a unique identifier;
and decrypting the identity authentication result according to the unique identifier.
4. An identity authentication method based on a block chain is characterized by comprising the following steps:
receiving an encrypted user cross-node identity authentication request sent by a node in a block chain; the block chain is provided with intelligent contracts used for user identity authentication;
when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user;
and encrypting the identity authentication result and sending the identity authentication result to the node.
5. The blockchain-based identity authentication method according to claim 4, wherein the generating an identity authentication result for the user cross-node identity authentication request includes:
calling the node to perform blank certificate registration in the block chain;
and filling the blank certificate according to the cross-node identity authentication request of the user to generate the identity authentication result.
6. The blockchain-based identity authentication method according to claim 4, before generating an identity authentication result for the user cross-node identity authentication request when the user passes identity authentication, comprising:
and decrypting the user cross-node identity authentication request according to the unique identifier corresponding to the user in the block chain so as to determine the user identity.
7. An identity authentication device based on a block chain, comprising:
a request forwarding first module, configured to forward, in response to a received user cross-node authentication request, an encrypted user cross-node authentication request to a node having user identity information in a block chain; the intelligent contract used for user identity authentication is deployed in the block chain;
the authentication result receiving module is used for receiving the encrypted identity authentication result sent by the node with the user identity information;
and the authentication result decryption module is used for decrypting the identity authentication result and feeding back the identity authentication result to the user.
8. An identity authentication device based on a blockchain, comprising:
the authentication request receiving module is used for receiving an encrypted user cross-node identity authentication request sent by a node in the block chain; the intelligent contract used for user identity authentication is deployed in the block chain;
the authentication request generation module is used for generating an identity authentication result aiming at the cross-node identity authentication request of the user when the user passes the identity authentication;
and the authentication request encryption module is used for encrypting the identity authentication result and sending the identity authentication result to the node.
9. An identity authentication system based on a block chain is characterized by comprising an identity authentication request node, an identity authentication node and the block chain;
the identity authentication request node is used for responding to the received user cross-node identity authentication request and forwarding the encrypted user cross-node identity authentication request to a node with user identity information in the block chain; receiving an encrypted identity authentication result sent by the node with the user identity information; decrypting the identity authentication result and feeding the identity authentication result back to the user;
the identity authentication node is used for receiving an encrypted user cross-node identity authentication request sent by a node in the block chain; when the user passes the identity authentication, generating an identity authentication result aiming at the cross-node identity authentication request of the user; encrypting the identity authentication result and sending the identity authentication result to the node;
and intelligent contracts used for user identity authentication are deployed in the blockchain.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the block chain based identity authentication method of any one of claims 1 to 6.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the blockchain-based identity authentication method of any one of claims 1 to 6.
CN202210743161.4A 2022-06-28 2022-06-28 Identity authentication method, device and system based on block chain Pending CN115208642A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210743161.4A CN115208642A (en) 2022-06-28 2022-06-28 Identity authentication method, device and system based on block chain


Publications (1)

Publication Number Publication Date
CN115208642A true CN115208642A (en) 2022-10-18

Family

ID=83577899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210743161.4A Pending CN115208642A (en) 2022-06-28 2022-06-28 Identity authentication method, device and system based on block chain

Country Status (1)

Country Link
CN (1) CN115208642A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI838145B (en) 2023-03-01 2024-04-01 金壹金融科技有限公司 Data exchange system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110225017A (en) * 2019-05-30 2019-09-10 全链通有限公司 Auth method, equipment and storage medium based on alliance's block chain
CN110581860A (en) * 2019-09-19 2019-12-17 腾讯科技(深圳)有限公司 identity authentication method, device, storage medium and equipment based on block chain
CN111539030A (en) * 2020-04-29 2020-08-14 中国银行股份有限公司 Information verification method and node
CN111666554A (en) * 2020-06-03 2020-09-15 泰康保险集团股份有限公司 Certificate authentication method, device, equipment and storage medium
CN113836573A (en) * 2021-08-11 2021-12-24 中国银行股份有限公司 User information processing method and device based on distributed storage



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination