CN115277168B - Method, device and system for accessing server - Google Patents
Publication number: CN115277168B (application CN202210875708.6A)
Authority: CN (China)
Prior art keywords: client, access, credential, server, controller
Legal status: Active
Classifications
- H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/08: for authentication of entities
    - H04L63/0876: based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
  - H04L63/10: for controlling access to devices or network resources
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
  - H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3236: using cryptographic hash functions
    - H04L9/3247: involving digital signatures
Abstract
The application relates to a method and a device for accessing a server. The client sends a request message to the credential issuing end, the request message requesting an access credential and carrying the identity information of the client; the access credential is used by the client to apply for the right to access the server. The client then receives the access credential sent by the credential issuing end and forwards it to the controller, where the access credential is generated by a smart contract of the blockchain and the client, the credential issuing end and the controller are all nodes of the blockchain network. The client receives authorization information from the controller indicating whether the client may access the server, and if so, the client sends an access request to the server. The method avoids the leakage risk that arises when the identity information of clients is concentrated in the controller, and improves the security of server access.
Description
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, and a system for accessing a server.
Background
A software-defined perimeter (SDP) is a network security technology. SDP can be used to create a security boundary around a server, isolating it from untrusted networks and hiding data resources, thereby achieving network security.
An SDP network comprises an SDP controller, an SDP initiating host and an SDP receiving host. The SDP controller stores information such as the identities of the SDP initiating host and the SDP receiving host. An SDP initiating host that has access rights to an SDP receiving host may access it. When the SDP initiating host accesses the SDP receiving host, the SDP controller verifies the identity of the SDP initiating host; if the verification passes, the SDP controller authorizes the SDP initiating host to access the SDP receiving host, and the access proceeds.
However, the SDP controller in the SDP architecture centrally manages information such as the identities of the SDP initiating host and the SDP receiving host, so the stored information may be leaked once the SDP controller is attacked. In addition, the data exchanged while the SDP controller verifies the identity of the SDP initiating host can be tampered with, so security is low.
Disclosure of Invention
The application provides a method for accessing a server, which improves the security of server access.
In a first aspect, the present application provides a method for accessing a server. The method may be used in a network comprising a client, a credential issuing end and a controller, where authorization is obtained through the network and a connection to the server is established after the authorization is obtained. Taking the client as an example, the method specifically includes:
the client sends a request message to the credential issuing end, the request message requesting an access credential and carrying the identity information of the client; the access credential is used by the client to apply for the right to access the server. The client receives the access credential sent by the credential issuing end and sends it to the controller, where the access credential is generated by a smart contract of the blockchain and the client, the credential issuing end and the controller are all nodes of the blockchain network. The client then receives authorization information from the controller indicating whether the client may access the server. If the authorization information indicates that the client may access the server, the client sends an access request to the server. In the embodiment of the application, the client, the credential issuing end and the controller form the blockchain network and information is carried over it, so that even if the controller is attacked an attacker cannot obtain the identity information of the client or tamper with the data exchanged in the blockchain network, and the access process has high security.
Optionally, before the client sends the request message to the credential issuing end, the method further includes: the client registers identity information on the blockchain through a smart contract of the blockchain to obtain the identity identifier of the client. When the client generates the identity identifier, the blockchain automatically computes its hash and stores the hash value on the blockchain. Because the identity information is generated by a smart contract, the client can register and manage its own identity identifier independently; because of the tamper-proof property of the blockchain, the identifier cannot be tampered with, so it is guaranteed to be genuine and reliable in the subsequent authentication of the identifier.
Optionally, after the client receives the access credential sent by the credential issuing end, the method further includes: the client adds a signature to the received access credential using its private key, the signature being used by the controller to verify the identity of the client. The private key is obtained when the client registers its identity information, and the access credential sent by the client to the controller is the signed access credential. Because the client signs the access credential with its private key, the signature can be checked when the access credential is later verified, which further improves the security and reliability of the information exchange.
Optionally, before the client sends the access request to the server, the method further includes: the client generates a random number, generates an access message from the random number and the authorization information, and sends the access message to the server. The access message comprises the random number and an SPA key, where the SPA key is generated from the random number and the authorization information, so the access message can be used by the client to request SPA authorization from the server.
In a second aspect, the present application provides a method for accessing a server, applicable to a network comprising a client, a credential issuing end and a controller, where the client, the controller and the credential issuing end are nodes of a blockchain network. Authorization is obtained through the network, and a connection to the server is established after the authorization is obtained. Taking the controller as an example, the method specifically includes:
the controller receives an access credential sent by the client, the access credential being used by the client to apply for access rights to the server and generated by a smart contract of the blockchain. The controller verifies the received access credential through the smart contract of the blockchain. If the access credential passes verification, the controller sends authorization information to the client and authorization synchronization information to the server. The authorization information indicates that the client has the right to access the server, and the authorization synchronization information is used by the server to verify the identity of the client. Because the client, the credential issuing end and the controller form the blockchain network and information is carried over it, even if the controller is attacked an attacker cannot obtain the identity information of the client or tamper with the data exchanged in the blockchain network, so the verification process has high security.
Optionally, before the controller receives the access credential sent by the client, the method further includes: the controller registers identity information on the blockchain through a smart contract of the blockchain and obtains the identity identifier of the controller. When the controller generates the identity identifier, the blockchain automatically computes its hash and stores the hash value on the blockchain. By registering identity information through the blockchain network, the controller becomes a node of the blockchain network and performs verification and authorization through it, which improves the security of server access.
Optionally, the access credential includes a signature encrypted by the client with its private key, and the controller verifying the access credential through the smart contract of the blockchain includes: the controller obtains the public key of the client from the blockchain and, through the smart contract of the blockchain, decrypts the signature of the client with the public key; if the signature can be decrypted, the access credential passes verification.
Optionally, after the controller verifies the access credential, the method further includes: if the access credential fails verification, the controller sends indication information to the client and records that this is the Nth presentation of the access credential by the client. The indication information indicates that the client does not have the right to access the server.
Optionally, after the controller sends the indication information to the client, the method further includes: the controller obtains record information indicating that the client has presented the access credential for the Nth time, and when N is greater than a preset threshold, the controller deletes the client from the blockchain. By setting the preset threshold, the controller can remove from the blockchain network a client that repeatedly presents invalid access credentials, thereby preventing malicious attacks by illegitimate clients and further improving network security.
In a third aspect, the present application provides a client, where the client, the credential issuing end and the controller are nodes of a blockchain network. The client comprises a credential acquisition module, a credential presentation module and a server access module. The credential acquisition module is configured to send a request message to the credential issuing end, the request message requesting an access credential and carrying the identity information of the client; the access credential is used by the client to apply for the right to access the server.
The credential presentation module is configured to receive the access credential sent by the credential issuing end and to send it to the controller, where the access credential is generated by a smart contract of the blockchain.
The server access module is configured to receive authorization information from the controller indicating whether the client may access the server. If the authorization information indicates that the client may access the server, the server access module is further configured to send an access request to the server.
Optionally, before the credential acquisition module sends the request message to the credential issuing end, it is further configured to register identity information on the blockchain through a smart contract of the blockchain, so as to obtain the identity identifier of the client. When the client generates the identity identifier, the blockchain automatically computes its hash and stores the hash value on the blockchain.
Optionally, after receiving the access credential sent by the credential issuing end, the credential presentation module is further configured to add a signature to the received access credential using a private key, the signature being used by the controller to verify the identity of the client. The private key is obtained when the client registers its identity information, and the access credential sent to the controller by the credential presentation module is the signed access credential.
Optionally, before sending the access request to the server, the server access module is further configured to generate a random number, generate an access message from the random number and the authorization information, and send the access message to the server. The access message comprises the random number and an SPA key generated from the random number and the authorization information, and is used by the client to request SPA authorization from the server.
In a fourth aspect, the present application provides a controller, where the controller, the client and the credential issuing end are all nodes of a blockchain network. The controller comprises a credential receiving module, a credential verification module and an authorized access module. The credential receiving module is configured to receive an access credential sent by the client, the access credential being used by the client to apply for the right to access the server and generated by a smart contract of the blockchain. The credential verification module is configured to verify the access credential through the smart contract of the blockchain. The authorized access module is configured to send authorization information to the client and authorization synchronization information to the server if the access credential passes verification. The authorization information indicates that the client has the right to access the server, and the authorization synchronization information is used by the server to verify the identity of the client.
Optionally, before the credential receiving module receives the access credential sent by the client, it is further configured to register identity information on the blockchain through a smart contract of the blockchain, so as to obtain the identity identifier of the controller. When the controller generates the identity identifier, the blockchain automatically computes its hash and stores the hash value on the blockchain.
Optionally, the access credential includes a signature encrypted by the client with its private key, and the credential verification module is further configured to obtain the public key of the client from the blockchain and to decrypt the signature of the client with the public key through the smart contract of the blockchain. If the signature can be decrypted, the access credential passes verification.
Optionally, after verifying the access credential, the credential verification module is further configured to: if the access credential fails verification, send indication information to the client and record that this is the Nth presentation of the access credential by the client. The indication information indicates that the client does not have the right to access the server.
Optionally, after sending the indication information to the client, the credential verification module is further configured to obtain record information indicating that the client has presented the access credential for the Nth time. When N is greater than a preset threshold, the credential verification module deletes the client from the blockchain.
In a fifth aspect, an embodiment of the present application provides a communication system, including a client as in the third aspect, a controller as in the fourth aspect, a credential issuing end, and a server.
In a sixth aspect, embodiments of the present application provide a computer storage medium storing a computer program comprising program instructions that, when executed by a computer, cause the computer to perform the steps of the foregoing first or second aspects.
In a seventh aspect, the present application provides a computer program product comprising computer program code which, when executed, causes the method of any of the first and second aspects to be performed, and a storage medium storing a computer program comprising program instructions which, when executed by a computer, cause the computer to perform the steps of the first or second aspects.
For the advantageous effects of the third to seventh aspects and their implementations, reference may be made to the description of the advantageous effects of the first and second aspects and their implementations.
Drawings
Fig. 1 is a schematic diagram of a conventional SDP network architecture;
Fig. 2 is a schematic diagram of an SDP network architecture provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of an identity identifier provided in an embodiment of the present application;
Fig. 4 is a flowchart of a method for accessing a server according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an access credential according to an embodiment of the present application;
Fig. 6 is a schematic diagram of an access message according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a client according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a controller according to an embodiment of the present application.
Detailed Description
In order to better understand the solutions provided by the embodiments of the present application, some technical concepts related to the embodiments of the present application are first described.
1) A blockchain is a chain of blocks, each of which can store information. The chain is maintained on all servers in the blockchain network, i.e. each server stores all of the information of the blockchain. The entire blockchain remains safe as long as one server in the network can work, and the blockchain can be considered to have the property of decentralization. These servers are referred to as nodes of the blockchain system, and each node can query blockchain information. Although every node stores the blockchain information, modifying information in the blockchain requires the agreement of more than half of the nodes and the modification of the blockchain information on all nodes. Because the nodes are usually controlled by different parties, for example some nodes at clients and some in the cloud, the information in the blockchain is difficult to tamper with and therefore safer.
2) A smart contract is an automatically executable computer contract and may be regarded as a digital version of a traditional contract. A blockchain smart contract is a contract written into the blockchain as code. Because of the neutral, tamper-resistant nature of blockchains, blockchain smart contracts allow users to conduct transactions and agreements anonymously without central authorization.
3) The public key and the private key are a key pair obtained by an algorithm. The public key is disclosed externally, while the private key is kept by the user. Asymmetric encryption can be achieved with the key pair. The public key is typically used to encrypt a session key, verify a digital signature, or encrypt data that can be decrypted with the corresponding private key. A key pair obtained by this algorithm is guaranteed to be unique. When the key pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption fails.
4) A distributed digital identity (decentralized identifier, DID) is an identifier consisting of a string and represents a digital identity that does not need to be registered with a central registration authority. When each DID identifier is generated, the public/private key pair associated with it is generated. A DID identifier is a decentralized, verifiable digital identifier, and a blockchain-based DID identifier is autonomous and controllable: the user of a DID identifier can independently register, resolve, update or revoke it.
5) Single packet access (SPA) authorization is an access mechanism. SPA authorization means that before the client and the server connect, a data packet is sent for authorization authentication; only if the authentication passes is the connection allowed, which improves the protection of the server.
Having introduced the technical concepts, the technical solutions of the embodiments are introduced below. Referring to fig. 1, an architecture of an SDP network is shown. As shown in fig. 1, the SDP network includes an SDP controller (also referred to as an authentication end), an SDP initiating host (i.e. a client) and an SDP receiving host (which may be regarded as a gateway); the SDP receiving host may obtain data from a data center, which may be a physically deployed data center or a cloud data center.
Based on the architecture shown in fig. 1, when a user needs to access a resource, the SDP initiating host initiates an access request to the SDP controller and, before a secure connection is established with the SDP receiving host, submits an authentication application to the SDP controller, which authenticates the identity of the SDP initiating host according to its request. After verifying the identity of the SDP initiating host, the SDP controller feeds the verification result back to it. If the verification result indicates that the identity verification of the SDP initiating host has passed, the SDP controller also sends synchronization data to the SDP receiving host to inform it that the SDP initiating host has been authenticated. After receiving the verification result from the SDP controller, the SDP initiating host sends an access request carrying an SPA to the SDP receiving host to request access. The SDP receiving host receives the access request and establishes a bidirectional encrypted connection with the SDP initiating host.
The SDP receiving host does not respond to connection attempts by default; it establishes a connection with an SDP initiating host only after that host has been authenticated and authorized by the SDP controller. This gives a potential attacker no information about whether a port is being listened on, reducing the risk of the server being attacked. In addition, when the SDP initiating host establishes a connection with the SDP receiving host, SPA authorization is used, and the two hosts establish a bidirectional TLS (Transport Layer Security) tunnel through the SPA authorization, so that secure access to data resources is achieved. Even if a user carries malicious code, the attack scope of that code is narrow, because only an access tunnel with the server has been established.
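The SPA step from the first aspect above (an access message carrying a random number and an SPA key derived from it and the authorization information), checked by a receiving server that stays silent unless the controller has synchronized the authorization, as an added Go example that is not the patent's code: HMAC-SHA256 keyed by the authorization information is an assumed derivation, since the text does not specify one, and the random-number replay check is added here as a defender's caveat.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AccessMessage is the single packet of fig. 6: the client's random number plus the
// SPA key derived from it and the authorization information.
type AccessMessage struct {
	ClientID string
	Nonce    []byte
	SPAKey   []byte
}

// deriveSPAKey: the text only says the SPA key is generated from the random number and
// the authorization information; HMAC-SHA256 keyed by the authorization information is assumed.
func deriveSPAKey(authInfo, nonce []byte) []byte {
	m := hmac.New(sha256.New, authInfo)
	m.Write(nonce)
	return m.Sum(nil)
}

// BuildAccessMessage is the client step: draw a fresh random number and derive the SPA key
// from it and the authorization information received from the controller.
func BuildAccessMessage(clientID string, authInfo []byte) (AccessMessage, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return AccessMessage{}, err
	}
	return AccessMessage{ClientID: clientID, Nonce: nonce, SPAKey: deriveSPAKey(authInfo, nonce)}, nil
}

// Server holds the authorization synchronization information pushed by the controller
// and the random numbers it has already accepted. The replay check is an addition not in the text.
type Server struct {
	Synced     map[string][]byte // client -> authorization information from the controller
	SeenNonces map[string]bool
}

func NewServer() *Server {
	return &Server{Synced: map[string][]byte{}, SeenNonces: map[string]bool{}}
}

// SyncAuthorization is the effect of the controller's authorization synchronization message.
func (s *Server) SyncAuthorization(clientID string, authInfo []byte) {
	s.Synced[clientID] = authInfo
}

// CheckSPA decides whether the server answers at all. On any failure it returns false and
// the caller sends nothing, keeping the default "no response to connection attempts" behaviour.
func (s *Server) CheckSPA(msg AccessMessage) (bool, error) {
	authInfo, ok := s.Synced[msg.ClientID]
	if !ok {
		return false, errors.New("no authorization synchronized for this client")
	}
	nonceKey := hex.EncodeToString(msg.Nonce)
	if s.SeenNonces[nonceKey] {
		return false, errors.New("random number already used")
	}
	if !hmac.Equal(msg.SPAKey, deriveSPAKey(authInfo, msg.Nonce)) {
		return false, errors.New("SPA key mismatch")
	}
	s.SeenNonces[nonceKey] = true
	return true, nil // only now does the server proceed to the encrypted connection
}

func main() {
	authInfo := []byte("constructed-authorization-info-for-client-A") // as issued by the controller
	srv := NewServer()
	srv.SyncAuthorization("client-A", authInfo) // authorization synchronization information
	msg, _ := BuildAccessMessage("client-A", authInfo)
	fmt.Println(srv.CheckSPA(msg)) // true <nil>
	fmt.Println(srv.CheckSPA(msg)) // false random number already used
	stranger, _ := BuildAccessMessage("client-B", authInfo)
	fmt.Println(srv.CheckSPA(stranger)) // false no authorization synchronized for this client
}
```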
However, in the SDP architecture shown in fig. 1, information such as the identity of the SDP initiating host and information about the SDP receiving host are centrally managed by the SDP controller. If the SDP controller is maliciously attacked, this information may be disclosed, the data in the authentication and authorization process is easy to tamper with, and security is low.
Therefore, the embodiments of the present application provide a blockchain-based distributed identity access method, in which the client is verified through the blockchain to obtain the authorization of the controller. This avoids the information leakage risk caused by concentrating the identity information of clients in the controller, and makes user identity information and gateway information safer under the new network architecture.
Referring to fig. 2, the SDP architecture provided in an embodiment of the present application includes a client, a credential issuing end, a controller and a server. Compared with the SDP architecture of fig. 1, it adds a credential issuing end, which may issue access credentials that the client uses to apply for access to the server. The credential issuing end is a third-party digital credential issuing platform; because it issues the credentials, servers of different operators can trust each other and complete identity authentication. Specifically, when the client accesses the server, it first obtains an access credential from the credential issuing end and then sends it to the controller; the controller verifies the access credential in order to verify the identity of the client and determine whether to grant the client the right to access the server. The controller grants the client access to the server after determining that the client's authentication has passed, and the client can establish a connection with the server only after this authentication.
In the architecture shown in fig. 2, the client, the credential issuing end and the controller can serve as nodes of the blockchain network, so that all three can store all information on the blockchain, achieving decentralized management and making the information in the identity verification process difficult to tamper with.
The client may register identity information on the blockchain and obtain an identity identifier, such as a DID identifier of the client. The DID identifier of the client is generated by the smart contract on the blockchain. In an embodiment of the present application, the smart contract implements the following functions: digital identity creation, identity reading and identity verification, digital credential creation, and credential reading and verification. Accordingly, the smart contract includes the following functions: CreateDid for digital identity creation, VerifyDocument for identity reading and verification, CreateCredential for digital credential creation, and VerifyCredential for credential reading and verification. The embodiment of the application does not limit the specific implementation of CreateDid, VerifyDocument, CreateCredential and VerifyCredential, as long as the corresponding functions can be implemented.
The client calls the CreateDid function of the smart contract to create its identity, generating the identity identifier, i.e. the DID identifier. Referring to fig. 3, the DID identity consists of a DID identifier and a DID document. The DID identifier includes the fields method_name and specific_string, which together form the identification key: method_name indicates the domain in which the client identity is located, and specific_string indicates a unique address. The DID document includes the fields @context, id, created, publicKey and authentication: @context describes the structure of the DID document, id is the DID identifier and serves as the document's self-description, created records the creation time of the DID document, publicKey is the set of public key information of the client, and authentication is the set of authentication information of the client.
In addition, when the client calls the CreateDid function of the smart contract to generate the identity identifier, the blockchain automatically computes the hash of the identifier and stores the hash value on the blockchain, so that any node in the blockchain network can obtain the hash value of the client's identity identifier. Because of the decentralized property of the blockchain, the client can register and manage its identity identifier independently, and because of the tamper-proof property of the blockchain, the identity identifier is genuine and reliable when the client uses it.
In order to implement the above-described functions of the smart contract, the developer designs the smart contract by dividing it into three levels, namely, a data contract, a rights contract, and a logic contract. The data contract is used for defining a data structure, storing data and standardizing an interface protocol. The permission contracts are used for judging the identity of the nodes and giving different operation permissions to the nodes. The logic contract is responsible for logic processing of the data and returns the processing results to the data contract. According to the functions of the functions generated by the three levels, the intelligent contract has the characteristics of clear logic, complete structure, decoupling of the modules and high safety, and can be convenient for subsequent updating of the contract. Therefore, in the implementation of the application, functions with different functions are conveniently generated according to the hierarchical design of the intelligent contract, the functions endow different operation authorities to the client, the controller and the certificate issuing end, endow the controller with the manager authority of the blockchain, have the authority to reject illegal clients which do not pass verification, endow the authenticated clients with access authorities, enable the controller to realize the access control function, and improve the security of the access control mechanism.
The client registers identity information on the blockchain similarly, and the controller and the credential issuer can register identity information on the blockchain. Specifically, the method for registering the identity information on the blockchain by the controller and the credential issuing terminal may refer to the method for registering the identity information on the blockchain by the client terminal, which is not described herein. It will be appreciated that the controller and the credential issuer will also broadcast the hash value of the respective identity to the blockchain. So that the client, the controller and the credential issuer can all obtain each other's identity information from the blockchain.
Based on the SDP architecture shown in fig. 2, the embodiment of the present application provides a method for accessing a server. Referring to fig. 4, a flowchart of a method for accessing a server according to an embodiment of the present application is shown, and a specific flowchart is described below.
S401: the client sends a request message to the credential issuing end, and the credential issuing end receives the request message, wherein the request message includes identity information of the client.
When accessing the server, the client may send a request message to the credential issuing end, the request message being used to request the access credential. For example, the request message includes identity information of the client, such as the DID of the client. The credential issuing end receives the request message, obtains the identity information of the client from it, and calls the identity verification function of the smart contract to verify the public key set publicKey in the identity information sent by the client against the identity registered on the blockchain. It should be understood that the identity information of the client registered on the blockchain is authentic and valid, so if the public key set publicKey in the identity information sent by the client passes verification, the credential issuing end determines that the identity of the client has passed verification.
S402: the credential issuing end sends the access credential to the client, and correspondingly the client receives the access credential sent by the credential issuing end.
If the identity information of the client passes verification at the credential issuing end, the credential issuing end calls the digital credential creation function CreateCredential in the smart contract to create an access credential for the client and sends the access credential to the client.
Specifically, the access credential may include a DID identifier and a Verifiable Claim (VC). For example, fig. 5 shows a specific format of an access credential. The DID identifier is defined as above, and the VC includes the following fields: @context, id, issuer, issued, claim and proof. @context describes the structure information of the access credential, id is the DID identifier of the client, issuer contains the DID identifier of the credential issuing end, issued records the creation time of the access credential, claim contains the set of attribute declarations about the client, and proof contains the set of signatures over the access credential.
After the client obtains the access credential from the credential issuing end, the client may add its own signature to the access credential. When the client generates its identity, a key pair is generated based on the smart contract. Thus, the client can sign the access credential with the private key of this key pair, which allows the controller to verify the identity of the client. The signature may be stored in the proof field of the VC of the access credential. Signing the access credential further improves the security and reliability of the information exchange.
S403: the client sends the access credential to the controller, and correspondingly the controller receives the access credential sent by the client.
The access credential is used to obtain access rights to the server from the controller. Upon receiving the access credential, the controller may verify it. Because the access credential carries a signature generated with the private key of the client, the controller, when verifying the access credential, can query the public key of the client from the blockchain and check the signature in the proof field of the access credential with that public key based on the smart contract of the blockchain (in the terminology of this application, "decrypting" the signature with the public key; in cryptographic terms this is signature verification, not decryption of data). If the signature in the access credential verifies under the public key of the client, the access credential passes verification; if it does not, the access credential fails verification.
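The following is an added worked example, not code from the patent or from any implementation it describes, of the identity and credential steps described above: CreateDid builds a DID document with the fields of fig. 3 and registers it on a ledger, the credential issuing end creates a VC with the fields of fig. 5 (CreateCredential), the client adds its own signature to the proof set (S402), and the controller looks up the public key on the ledger and verifies the signatures (S403). Assumptions not in the text: Ed25519 as the signature scheme, an in-memory map standing in for the blockchain registry, the JSON encoding of the credential without its proof set as the signed bytes, and the W3C context URLs. What the description calls "decrypting" the signature with the public key is signature verification; the controller checks the signature, it does not recover any plaintext from it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// DIDDocument holds the fields the description lists for the DID document (fig. 3).
type DIDDocument struct {
	Context        string   `json:"@context"`
	ID             string   `json:"id"`
	Created        string   `json:"created"`
	PublicKey      []string `json:"publicKey"` // base64 Ed25519 public keys
	Authentication []string `json:"authentication"`
}

// VerifiableClaim holds the VC fields listed for the access credential (fig. 5).
// Proof maps signer DID -> base64 signature, so the issuer's and the client's signatures coexist.
type VerifiableClaim struct {
	Context string            `json:"@context"`
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`
	Issued  string            `json:"issued"`
	Claim   map[string]string `json:"claim"`
	Proof   map[string]string `json:"proof,omitempty"`
}

// Ledger stands in for the blockchain's DID registry (assumption: an in-memory map).
type Ledger map[string]DIDDocument

// CreateDid registers "did:" + method_name + ":" + specific_string with a fresh Ed25519 key pair.
// Only the public key is written to the ledger; the private key stays with the caller.
func CreateDid(ledger Ledger, method, specific string, now time.Time) (string, ed25519.PrivateKey, error) {
	did := "did:" + method + ":" + specific
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	ledger[did] = DIDDocument{Context: "https://www.w3.org/ns/did/v1", ID: did,
		Created:   now.UTC().Format(time.RFC3339),
		PublicKey: []string{base64.StdEncoding.EncodeToString(pub)}, Authentication: []string{did + "#key-1"}}
	return did, priv, nil
}

// NewCredential builds the unsigned VC the issuing end creates for a registered client (CreateCredential).
func NewCredential(ledger Ledger, issuerDID, clientDID string, claim map[string]string, now time.Time) (VerifiableClaim, error) {
	if _, ok := ledger[clientDID]; !ok {
		return VerifiableClaim{}, errors.New("client DID not registered on ledger")
	}
	return VerifiableClaim{Context: "https://www.w3.org/2018/credentials/v1", ID: clientDID,
		Issuer: issuerDID, Issued: now.UTC().Format(time.RFC3339), Claim: claim}, nil
}

// signingBytes is the canonical input every signature covers: the VC with the proof set removed.
// json.Marshal keeps struct field order and sorts map keys, so the bytes are reproducible.
func signingBytes(vc VerifiableClaim) []byte {
	vc.Proof = nil
	b, _ := json.Marshal(vc) // only strings and string maps: cannot fail
	return b
}

// AddProof appends signerDID's Ed25519 signature to the proof set (issuer at issuance, client at S402).
func AddProof(vc *VerifiableClaim, signerDID string, key ed25519.PrivateKey) {
	if vc.Proof == nil {
		vc.Proof = map[string]string{}
	}
	vc.Proof[signerDID] = base64.StdEncoding.EncodeToString(ed25519.Sign(key, signingBytes(*vc)))
}

// VerifyProof fetches signerDID's document from the ledger and verifies its signature in the proof
// set under the registered public key(s). This is signature verification with the public key,
// which the description refers to as "decrypting" the signature.
func VerifyProof(ledger Ledger, vc VerifiableClaim, signerDID string) error {
	doc, ok := ledger[signerDID]
	sig, err := base64.StdEncoding.DecodeString(vc.Proof[signerDID])
	if !ok || err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New(signerDID + ": unknown DID or missing/malformed proof")
	}
	msg := signingBytes(vc)
	for _, pkB64 := range doc.PublicKey {
		pub, err := base64.StdEncoding.DecodeString(pkB64)
		if err == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
			return nil
		}
	}
	return errors.New(signerDID + ": signature does not verify under any registered key")
}

// ControllerCheck is the controller's S403 verification: the credential must name the presenting
// client as its subject and carry valid signatures from both the issuer and that client.
func ControllerCheck(ledger Ledger, vc VerifiableClaim, presenterDID string) error {
	if vc.ID != presenterDID {
		return errors.New("credential subject does not match presenting client")
	}
	if err := VerifyProof(ledger, vc, vc.Issuer); err != nil {
		return err
	}
	return VerifyProof(ledger, vc, presenterDID)
}
```

ControllerCheck deliberately verifies the issuer's proof as well as the client's: a credential whose client signature is valid but whose issuer signature is missing or forged would otherwise let any registered node grant itself a claim set. Checking that the credential's id equals the presenting DID stops a node from replaying another client's credential with its own signature added.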
S404: the controller sends authorization information to the client, and correspondingly the client receives the authorization information.
S405: when the controller determines that the access credential passes verification, the controller sends authorization synchronization information to the server, and correspondingly the server receives the authorization synchronization information.
If the controller determines that the access credential passes verification, it sends authorization information to the client indicating that the client has the right to access the server. If the controller determines that the access credential fails verification, it sends authorization information to the client indicating that the client does not have the right to access the server.
If the authorization information indicates that the client has the right to access the server, the authorization information may include a token, a shared key and gateway information of the server. The token carries the result of the credential verification. The shared key is used by the server to verify the identity of the client. The gateway information includes the IP address and port of the server gateway that the client is to access.
If the controller determines that the access credential passes verification, the controller also needs to send authorization synchronization information to the server. Similarly to the authorization information, the authorization synchronization information may include the token, the identity information of the client, the same shared key as in the authorization information, a list of services the user may access, and the like, for authentication between the server and the client.
After receiving the authorization information, if the client determines from it that the server can be accessed, the client sends an access request to the server. Specifically, after receiving the authorization information, the client generates a random number (Nonce) and derives an SPA (single packet authorization) key from the shared key in the authorization information and the Nonce. The SPA key and the Nonce are used for the client's SPA access, and the server verifies the identity of the client from them. The client assembles an access message from the SPA key, the Nonce, the identity information of the client, the token, the server gateway information and a timestamp of the client, and sends the access message to the server gateway in order to obtain SPA authorization for the server. Referring to fig. 6, the server gateway information consists of the target IP and port: the controller carries the IP address of the server gateway in the authorization information it sends, so that the client learns the address of the gateway, which is otherwise in a "stealth" state, and gains access by obtaining SPA authorization.
After receiving the access message sent by the client, the server extracts the SPA key and the Nonce from the access message. Since the server has already received the authorization synchronization information from the controller, it holds the shared key contained in that information. The server then derives an SPA key from the shared key and the Nonce in the access message and compares it with the SPA key in the message; if the two are the same, this proves that the client has obtained the access right granted by the controller. After the server has verified the identity of the client in this way, it opens the service port and establishes a bidirectional (mutual) TLS tunnel with the client.
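The SPA exchange of the two paragraphs above, as an added example that is not part of the patent or of any product implementing it: the client derives the SPA key from the shared key and a fresh Nonce and builds the access message; the gateway, holding the authorization synchronization information from the controller, recomputes the key and compares. The text does not specify the key derivation, so HMAC-SHA256 is assumed. Going beyond the text, the HMAC also covers the timestamp, client identity and token that the message already carries (so none of them can be swapped in transit), the comparison is constant-time, and the gateway enforces a timestamp window and remembers accepted Nonces, so that a captured access message cannot be replayed to reopen the port. The type and field names (Authorization, AuthSync, AccessMessage, Gateway) are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Authorization is what the controller returns to the client at S404 on success.
type Authorization struct {
	Token       string
	SharedKey   []byte
	GatewayIP   string
	GatewayPort int
}

// AuthSync is the matching authorization synchronization record pushed to the server at S405.
type AuthSync struct {
	Token     string
	ClientDID string
	SharedKey []byte
	Services  []string
}

// AccessMessage is the SPA knock sent to the gateway (fig. 6); target IP/port are the packet's destination.
type AccessMessage struct {
	ClientDID string
	Token     string
	Nonce     string // hex, 128 bits of randomness
	Timestamp int64  // Unix seconds from the client's clock
	SPAKey    string // hex HMAC-SHA256
}

// spaKey derives the SPA key from the shared key and the Nonce (HMAC-SHA256 is an assumption;
// the text names no KDF). Beyond the text it also binds timestamp, client DID and token.
func spaKey(shared []byte, m AccessMessage) string {
	mac := hmac.New(sha256.New, shared)
	fmt.Fprintf(mac, "%s|%d|%s|%s", m.Nonce, m.Timestamp, m.ClientDID, m.Token)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildAccessMessage is the client side: fresh Nonce, current time, SPA key over the message fields.
func BuildAccessMessage(auth Authorization, clientDID string, now time.Time) (AccessMessage, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return AccessMessage{}, err
	}
	m := AccessMessage{ClientDID: clientDID, Token: auth.Token, Nonce: hex.EncodeToString(nonce), Timestamp: now.Unix()}
	m.SPAKey = spaKey(auth.SharedKey, m)
	return m, nil
}

// Gateway is the server gateway: synced authorizations by token, accepted Nonces, tolerated clock skew.
type Gateway struct {
	synced map[string]AuthSync
	seen   map[string]bool // replay cache (assumption; not described in the text)
	window time.Duration
}

func NewGateway(window time.Duration) *Gateway {
	return &Gateway{synced: map[string]AuthSync{}, seen: map[string]bool{}, window: window}
}

// Sync stores authorization synchronization information received from the controller (S405).
func (g *Gateway) Sync(s AuthSync) { g.synced[s.Token] = s }

// Verify is the server-side check: recompute the SPA key from the synced shared key and the message's
// Nonce and compare in constant time. On any error the gateway stays silent and sends nothing back.
func (g *Gateway) Verify(m AccessMessage, now time.Time) error {
	s, ok := g.synced[m.Token]
	if !ok {
		return errors.New("no authorization synced for this token")
	}
	if s.ClientDID != m.ClientDID {
		return errors.New("token was issued to a different client")
	}
	w := int64(g.window.Seconds())
	if skew := now.Unix() - m.Timestamp; skew > w || skew < -w {
		return errors.New("timestamp outside accepted window")
	}
	if g.seen[m.Nonce] {
		return errors.New("nonce already accepted: replay")
	}
	if !hmac.Equal([]byte(spaKey(s.SharedKey, m)), []byte(m.SPAKey)) {
		return errors.New("SPA key mismatch")
	}
	g.seen[m.Nonce] = true // remember only successful knocks; the service port may now be opened
	return nil
}
```

A gateway that follows the description drops every packet that fails Verify without answering; the error strings here are for the operator's log only and must never be echoed to the sender, or the gateway would no longer be invisible to a scanner.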
In the embodiment of the application, the server gateway does not open any TCP port by default, rejects all external TCP connections and does not respond to any packet, so that an attacker who has not been authorized cannot learn the IP address of the server gateway and cannot scan it, which improves security. To the outside, the server gateway is in a stealth state, so the resources of the server are effectively protected.
If the controller determines that the access credential sent by the client fails verification, the controller may send indication information to the client indicating that the client does not have permission to access the server. In embodiments of the present application, the controller may also record how many times the client has presented an access credential, e.g. record that this is the Nth presentation. When the controller determines that the access credential sent by the client fails verification, it obtains the record information and determines the number of times the client has presented an access credential, such as N. When N is greater than a preset threshold, the controller may delete the client from the blockchain. That is, if a client presents access credentials that fail verification multiple times, the client is treated as an illegitimate client, and in this case the controller may delete the client from the blockchain network according to the administrator authority granted by the smart contract. Setting the preset threshold further improves the security of the access control mechanism and effectively prevents network attacks.
In the embodiment of the application, the client, the controller and the credential issuing end serve as nodes in the blockchain network, and the identity information and the like of the client, the controller and the credential issuing end can be stored on the blockchain. Therefore, even if the controller is attacked, the identity information of the client and the like is not lost, because it is stored on the blockchain. In addition, the data in the authentication and authorization process is protected from tampering, so the security is high.
Based on the above embodiments, the embodiments of the present application further provide corresponding devices, and various devices provided by the embodiments of the present application are described below with reference to the accompanying drawings.
Referring to fig. 7, based on the same inventive concept, an embodiment of the present application provides a client 700, where the client 700, the credential issuing end and the controller are all nodes in a blockchain network. The client 700 includes a credential acquisition module 701, a credential presentation module 702 and a server access module 703. The credential acquisition module 701 is configured to send a request message to the credential issuing end, where the request message is used to request acquisition of an access credential and includes identity information of the client 700, and the access credential is used by the client 700 to apply for access rights to the server. The credential presentation module 702 is configured to receive the access credential sent by the credential issuing end and send it to the controller, where the access credential is generated based on a smart contract of the blockchain. The server access module 703 is configured to receive authorization information of the controller, where the authorization information indicates whether the client 700 can access the server. If the authorization information indicates that the client 700 can access the server, the server access module 703 sends an access request to the server for accessing the server.
Optionally, before the credential acquisition module 701 sends the request message to the credential issuing end, it is further configured to register identity information on the blockchain based on the smart contract of the blockchain and obtain the identity of the client 700. It can be appreciated that when the client 700 generates the identity, the blockchain automatically performs a hash operation to obtain a hash value of the identity and stores the hash value on the blockchain.
Optionally, after receiving the access credential sent by the credential issuing end, the credential presentation module 702 is further configured to add a signature to the received access credential according to the private key, where the signature is used by the controller to verify the identity of the client 700. The private key is obtained when the client 700 registers its identity information. The access credential sent by the credential presentation module 702 to the controller is the access credential to which the signature has been added.
Optionally, before sending an access request for accessing the server to the server, the server access module 703 is further configured to generate a random number, generate an access message according to the random number and the authorization information, and then send the access message to the server. The access message is used by the client 700 to request SPA authorization of the server. The access message comprises the random number and an SPA key, and the SPA key is generated according to the random number and the authorization information.
Referring to fig. 8, based on the same inventive concept, an embodiment of the present application provides a controller 800, where the controller 800, the client and the credential issuing end are all nodes in a blockchain network. The controller 800 includes a credential receiving module 801, a credential verification module 802 and an authorized access module 803. The credential receiving module 801 is configured to receive an access credential sent by a client, where the access credential is used by the client to apply for access rights to the server and is generated based on a smart contract of the blockchain. The credential verification module 802 is configured to verify the access credential based on the smart contract of the blockchain. The authorized access module 803 is configured to send authorization information to the client and authorization synchronization information to the server if the access credential passes verification. The authorization information indicates that the client has the right to access the server. The authorization synchronization information is used by the server to verify the identity of the client.
Optionally, before the credential receiving module 801 receives the access credential sent by the client, the credential receiving module 801 is further configured to register identity information on the blockchain based on the smart contract of the blockchain to obtain an identity of the controller 800. It is understood that when the controller 800 generates the identity, the blockchain automatically performs a hash operation to obtain a hash value of the identity and stores the hash value on the blockchain.
Optionally, the access credential includes a signature generated by the client with its private key, and the credential verification module 802 is further configured to obtain the public key of the client from the blockchain and verify (in the terminology of this application, decrypt) the signature of the client with that public key based on the smart contract of the blockchain. If the signature verifies, the access credential passes verification.
Optionally, after the credential verification module 802 verifies the access credential, it is further configured to send indication information to the client and record that the client has presented the access credential for the Nth time if the access credential fails verification. The indication information indicates that the client does not have the right to access the server.
Optionally, after sending the indication information to the client, the credential verification module 802 is further configured to obtain record information, where the record information indicates that the client has presented the access credential for the Nth time. When N is greater than a preset threshold, the credential verification module 802 deletes the client from the blockchain.
Based on the same inventive concept, the embodiment of the present application also provides a communication system, which includes the client 700, the controller 800, the credential issuing end and the server.
The present application also provides a computer storage medium storing a computer program comprising program instructions which, when executed by a computer, cause the computer to perform the steps of the method of accessing a server as provided in the above embodiments.
The present application also provides a computer program code storage medium which, when run on a computer, causes the computer to perform the steps of the method of accessing a server as provided in the above embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.
Claims (19)
1. A method of accessing a server, comprising:
the client sends a request message to a credential issuing end, wherein the request message is used to request acquisition of an access credential, the request message comprises identity information of the client, and the access credential is used by the client to apply for access rights to a server;
the client receives the access credential sent by the credential issuing end and sends the access credential to a controller, wherein the access credential is generated based on a smart contract of a blockchain, and the client, the credential issuing end and the controller are all nodes in the blockchain network;
the client receives authorization information of the controller, wherein the authorization information is used to indicate whether the client can access the server;
and if the authorization information indicates that the client can access the server, the client sends an access request for accessing the server to the server.
2. The method of claim 1, wherein before the client sends the request message to the credential issuing end, the method further comprises:
the client registers identity information on the blockchain based on the smart contract of the blockchain to obtain the identity of the client.
3. The method of claim 2, wherein after the client receives the access credential sent by the credential issuing end, the method further comprises:
the client adds a signature to the received access credential according to a private key, wherein the signature is used by the controller to verify the identity of the client; the private key is obtained when the client registers identity information, and the access credential sent by the client to the controller is the access credential to which the signature has been added.
4. The method of claim 3, wherein before the client sends the access request for accessing the server to the server, the method further comprises:
the client generates a random number and generates an access message according to the random number and the authorization information, wherein the access message comprises the random number and an SPA key, the SPA key is generated according to the random number and the authorization information, and the access message is used by the client to request SPA authorization of the server;
and the client sends the access message to the server.
5. A method of accessing a server, comprising:
a controller receives an access credential sent by a client, wherein the access credential is used by the client to apply for access authority to a server, the access credential is generated based on a smart contract of a blockchain, and the client and the controller are nodes in the blockchain network;
the controller verifies the access credential based on the smart contract of the blockchain;
if the access credential passes verification, the controller sends authorization information to the client and sends authorization synchronization information to the server, wherein the authorization information is used to indicate that the client has the access right to the server, and the authorization synchronization information is used by the server to check the identity of the client.
6. The method of claim 5, wherein before the controller receives the access credential sent by the client, the method further comprises:
the controller registers identity information on the blockchain based on the smart contract of the blockchain to obtain the identity of the controller.
7. The method of claim 6, wherein the access credential comprises a signature encrypted by the client with a private key, and the controller verifying the access credential based on the smart contract of the blockchain comprises:
the controller obtains a public key of the client from the blockchain and decrypts the signature of the client based on the smart contract of the blockchain according to the public key, wherein if decryption succeeds, the access credential passes verification.
8. The method of claim 7, wherein after the controller verifies the access credential, the method further comprises:
if the access credential fails verification, the controller sends indication information to the client and records that the client has presented the access credential for the Nth time, wherein the indication information indicates that the client does not have the authority to access the server.
9. The method of claim 8, wherein after the controller sends the indication information to the client, the method further comprises:
the controller acquires record information, wherein the record information indicates that the client has presented the access credential for the Nth time;
and when N is greater than a preset threshold, the controller deletes the client from the blockchain.
10. A client, comprising:
a credential acquisition module, configured to send a request message to a credential issuing end, wherein the request message is used to request acquisition of an access credential, the request message comprises identity information of the client, and the access credential is used by the client to apply for access rights to a server;
a credential presentation module, configured to receive the access credential sent by the credential issuing end and send the access credential to a controller, wherein the access credential is generated based on a smart contract of a blockchain, and the client, the credential issuing end and the controller are all nodes in the blockchain network;
a server access module, configured to receive authorization information of the controller, wherein the authorization information is used to indicate whether the client can access the server;
and if the authorization information indicates that the client can access the server, the server access module is further configured to send an access request for accessing the server to the server.
11. The client of claim 10, wherein the credential acquisition module is further configured to:
register identity information on the blockchain based on the smart contract of the blockchain to obtain the identity of the client.
12. The client of claim 11, wherein the credential presentation module, after receiving the access credential sent by the credential issuing end, is further configured to:
add a signature to the received access credential according to a private key, the signature being used by the controller to verify the identity of the client; the private key is obtained when the client registers identity information, and the access credential sent to the controller by the credential presentation module is the access credential to which the signature has been added.
13. The client of claim 12, wherein the server access module is further configured to, before sending the access request for accessing the server to the server:
generate a random number and generate an access message according to the random number and the authorization information, wherein the access message comprises the random number and an SPA key, the SPA key is generated according to the random number and the authorization information, and the access message is used by the client to request SPA authorization of the server;
and send the access message to the server.
14. A controller, comprising:
a credential receiving module, configured to receive an access credential sent by a client, wherein the access credential is used by the client to apply for access permission to a server, the access credential is generated based on a smart contract of a blockchain, and the client and the controller are nodes in the blockchain network;
a credential verification module, configured to verify the access credential based on the smart contract of the blockchain;
and an authorization access module, configured to send authorization information to the client and send authorization synchronization information to the server when the access credential passes verification, wherein the authorization information indicates that the client has access permission to the server, and the authorization synchronization information is used by the server to check the identity of the client.
15. The controller of claim 14, wherein, prior to the credential receiving module receiving the access credential sent by the client, the credential receiving module is further configured to:
register identity information on the blockchain based on the smart contract of the blockchain to obtain the identity of the controller.
16. The controller of claim 15, wherein the access credential includes a signature encrypted by the client with a private key, and the credential verification module is further configured to:
obtain a public key of the client from the blockchain, and decrypt the signature of the client according to the public key based on the smart contract of the blockchain, wherein if decryption succeeds, the access credential passes verification.
17. The controller of claim 16, wherein, after verifying the access credential, the credential verification module is further configured to:
if the access credential fails verification, send indication information to the client and record that the client has presented the access credential for the Nth time, wherein the indication information indicates that the client does not have permission to access the server.
18. The controller of claim 17, wherein, after sending the indication information to the client, the credential verification module is further configured to:
acquire record information, wherein the record information indicates that the client has presented the access credential for the Nth time;
and when N is greater than a preset threshold, delete the client from the blockchain.
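The controller-side flow of claims 16 to 18, as an added example rather than the patent's own implementation: look up the presenting client's registered key, verify the credential, count failed presentations per client, and delete the client from the registry once the count exceeds the preset threshold. The in-memory registry standing in for the blockchain, the injected verifier, and the keyed-MAC stand-in for public-key signature verification (so the block runs on the standard library alone) are all assumptions of this example.

```python
import hmac
import hashlib
from typing import Callable, Dict

# A verifier takes (credential, signature) and reports whether the signature checks out.
Verifier = Callable[[bytes, bytes], bool]


class Controller:
    """Controller handling of a presented credential (claims 14 to 18).
    The blockchain is modelled as a dict from client identity to verifier."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.registry: Dict[str, Verifier] = {}   # client id -> verifier from its public key
        self.failures: Dict[str, int] = {}        # client id -> N failed presentations

    def register(self, client_id: str, verifier: Verifier) -> None:
        self.registry[client_id] = verifier       # identity registration (claim 15)

    def present(self, client_id: str, credential: bytes, signature: bytes) -> str:
        verifier = self.registry.get(client_id)
        if verifier is None:
            return "unknown-client"
        if verifier(credential, signature):
            return "authorized"                   # claim 14: authorization + sync info
        n = self.failures.get(client_id, 0) + 1   # claim 17: record the Nth failure
        self.failures[client_id] = n
        if n > self.threshold:                    # claim 18: delete the client
            del self.registry[client_id]
            del self.failures[client_id]
            return "deleted"
        return "denied"                           # claim 17: indication information


def mac_sign(secret: bytes, credential: bytes) -> bytes:
    """Stand-in for the client's private-key signature (assumption)."""
    return hmac.new(secret, credential, hashlib.sha256).digest()


def mac_verifier(secret: bytes) -> Verifier:
    """Stand-in for public-key verification on the controller (assumption)."""
    def verify(credential: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(mac_sign(secret, credential), signature)
    return verify
```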
19. A communication system, comprising: a client according to any of claims 10-13, a controller according to any of claims 14-18, and a credential issuing side and a server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210875708.6A CN115277168B (en) | 2022-07-25 | 2022-07-25 | Method, device and system for accessing server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115277168A CN115277168A (en) | 2022-11-01 |
CN115277168B true CN115277168B (en) | 2023-05-26 |
Family
ID=83770052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210875708.6A Active CN115277168B (en) | 2022-07-25 | 2022-07-25 | Method, device and system for accessing server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115277168B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115834253B (en) * | 2023-02-15 | 2023-04-14 | 布比(北京)网络技术有限公司 | Identity verification method, identity verification system, client and server |
CN116318912B (en) * | 2023-03-01 | 2024-09-13 | 华能信息技术有限公司 | Dynamic network interface hiding method |
CN116455645B (en) * | 2023-04-24 | 2024-02-02 | 中国工程物理研究院计算机应用研究所 | Fine granularity isolation protection method and system for network target range data |
CN117216789A (en) * | 2023-08-31 | 2023-12-12 | 中移互联网有限公司 | Sensitive data protection method, device and system based on block chain |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109344647A (en) * | 2018-09-12 | 2019-02-15 | 上海点融信息科技有限责任公司 | Access credential generation method, data access method, storage medium and computing device for a blockchain network |
CN109617896A (en) * | 2018-12-28 | 2019-04-12 | 浙江省公众信息产业有限公司 | Internet of Things access control method and system based on smart contracts |
CN109617977A (en) * | 2018-12-24 | 2019-04-12 | 北京神州绿盟信息安全科技股份有限公司 | Web page request processing method and device |
CN109992976A (en) * | 2019-02-27 | 2019-07-09 | 平安科技(深圳)有限公司 | Access credentials verification method, device, computer equipment and storage medium |
CN110050474A (en) * | 2016-12-30 | 2019-07-23 | 英特尔公司 | Type names of sub-objects for composite objects in Internet of Things networks and blockchains |
CN111835528A (en) * | 2020-07-16 | 2020-10-27 | 广州大学 | Decentralized Internet of things cross-domain access authorization method and system |
CN112035810A (en) * | 2020-08-19 | 2020-12-04 | 绿盟科技集团股份有限公司 | Access control method, device, medium and equipment |
WO2021136290A1 (en) * | 2019-12-31 | 2021-07-08 | 华为技术有限公司 | Identity authentication method and apparatus, and related device |
CN114239046A (en) * | 2021-11-02 | 2022-03-25 | 广东电网有限责任公司 | Data sharing method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106911641A (en) * | 2015-12-23 | 2017-06-30 | 索尼公司 | Client device, server device and access control system for authorizing access |
US11657176B2 (en) * | 2016-08-23 | 2023-05-23 | Health Blockchain Convergence, Inc. | Blockchain-based mechanisms for secure health information resource exchange |
CN107079036A (en) * | 2016-12-23 | 2017-08-18 | 深圳前海达闼云端智能科技有限公司 | Registration and authorization method, apparatus and system |
CN107980216B (en) * | 2017-05-26 | 2020-05-08 | 深圳前海达闼云端智能科技有限公司 | Communication method, device, system, electronic equipment and computer readable storage medium |
US11621959B2 (en) * | 2017-11-03 | 2023-04-04 | Lenovo (Singapore) Pte. Ltd. | User authentication using connection information provided by a blockchain network |
2022
- 2022-07-25 CN CN202210875708.6A patent/CN115277168B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN115277168A (en) | 2022-11-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114553568B (en) | Resource access control method based on zero-trust single-package authentication and authorization | |
US11849029B2 (en) | Method of data transfer, a method of controlling use of data and cryptographic device | |
US9847882B2 (en) | Multiple factor authentication in an identity certificate service | |
CN111416807B (en) | Data acquisition method, device and storage medium | |
CN115277168B (en) | Method, device and system for accessing server | |
CN108701094B (en) | Securely storing and distributing sensitive data in cloud-based applications | |
JP5860815B2 (en) | System and method for enforcing computer policy | |
AU2019236667A1 (en) | System and method for decentralized identity management, authentication and authorization of applications | |
US20220247576A1 (en) | Establishing provenance of applications in an offline environment | |
KR20200080441A (en) | Distributed device authentication protocol in internet of things blockchain environment | |
KR101817152B1 (en) | Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential | |
EP3674938A2 (en) | Identifying computing processes on automation servers | |
KR101631635B1 (en) | Method, device, and system for identity authentication | |
CN114091009A (en) | Method for establishing secure link by using distributed identity | |
KR20170111809A (en) | Bidirectional authentication method using security token based on symmetric key | |
Sciancalepore et al. | Multi-Domain Access Rights Composition in Federated IoT Platforms. | |
US20240121083A1 (en) | Secure restoration of private key | |
US20240012933A1 (en) | Integration of identity access management infrastructure with zero-knowledge services | |
CN117728958A (en) | Communication method, device and system | |
CN114996770A (en) | Identity recognition method based on host management system | |
CN116886374A (en) | Identity authentication method and cloud computing service platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||