CN115632787A - Management method and device for node authority in alliance chain and electronic equipment - Google Patents


Info

Publication number: CN115632787A
Authority: CN (China)
Prior art keywords: node, authentication, trusted, application program, nodes
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211234400.XA
Other languages: Chinese (zh)
Inventors: 王佳帅, 阮安邦, 魏明, 姜国仁
Current assignee: Beijing Octa Innovations Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Octa Innovations Information Technology Co Ltd
Priority application: CN202211234400.XA
Publication: CN115632787A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L 9/3239: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L 9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method and an apparatus for managing node authority in an alliance chain, and an electronic device. One trusted node is selected from the trusted nodes to serve as the authority authentication node responsible for node authority allocation; the key pairs and node identity information of the other nodes in the alliance chain are stored on the authority authentication node so that subject validity authentication can be performed on the corresponding node; in response to an identity assignment request from a node that has passed subject validity authentication, the public key encapsulated on the authority authentication node is retrieved and bound to a digital certificate; and the digital certificate is issued to that node, so that when it initiates a data transaction request the digital certificate carried in the request is verified (its signature checked) to decide whether the node has permission for the data transaction request. This avoids the potential security hazard of impersonated blockchain nodes.

Description

Management method and device for node authority in alliance chain and electronic equipment
Technical Field
The present application relates to the field of alliance chain (consortium blockchain) technology, and in particular to a method and an apparatus for managing node authority in an alliance chain, and an electronic device.
Background
Alliance chain technology has no authoritative central node that manages the data in the system uniformly. The data in the alliance chain is stored as a copy on the disk of each alliance chain node, so a mechanism is needed to keep the data of every node consistent: the nodes of the alliance chain coordinate their actions and agree on each block through a consensus process.
However, the alliance chain is built on Internet technology, so during data processing a blockchain node may be impersonated, which is a potential security hazard.
Disclosure of Invention
To address the above problem, embodiments of the present application provide a method and an apparatus for managing node authority in an alliance chain, and an electronic device.
The embodiments of the application disclose the following technical solution:
According to a first aspect of the embodiments of the present application, a method for managing node authority in an alliance chain is provided, including:
determining the trusted nodes in the alliance chain based on a trusted authentication algorithm, and selecting one of the trusted nodes to serve as the authority authentication node responsible for node authority allocation;
storing the key pairs and node identity information of the other nodes in the alliance chain on the authority authentication node, so that subject validity authentication can be performed on the corresponding node;
in response to an identity assignment request from a node that has passed subject validity authentication, retrieving the public key encapsulated on the authority authentication node and binding it to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information;
and issuing the digital certificate to the node that passed subject validity authentication, so that when that node initiates a data transaction request, the digital certificate carried in the request is verified (its signature checked) to decide whether the node has permission for the data transaction request.
Optionally, determining the trusted nodes in the alliance chain based on a trusted authentication algorithm includes: determining, according to the trust value of each application program in the application program whitelist of the alliance chain, multiple items of trusted behavior data of the blockchain nodes of the alliance chain that run each application program, so as to form a trusted behavior data rule base; collecting in real time the real-time behavior data of any application program running on a blockchain node; and determining the degree to which the real-time behavior data matches the trusted behavior data, so as to determine the trusted nodes in the alliance chain.
Optionally, determining, according to the trust value of each application program in the application program whitelist of the alliance chain, the multiple items of trusted behavior data of the blockchain nodes that run each application program so as to form the trusted behavior data rule base includes: generating a trust metric log from the calculated trust value of each application program in the whitelist, where the trust metric log records the files called during the start-up of each application program together with the corresponding trust value.
Optionally, determining, according to the trust value of each application program in the application program whitelist of the alliance chain, the multiple items of trusted behavior data of the blockchain nodes that run each application program so as to form the trusted behavior data rule base includes: parsing the trust metric log to obtain the files called during the start-up of each application program and the corresponding trust values.
Optionally, generating the trust metric log from the calculated trust value of each application program in the whitelist includes: after the blockchain node running each whitelisted application program has booted, and before the application program starts, performing a hash operation on the integrity data of each whitelisted application program to obtain a hash value, and calculating from that hash value the trust value of each whitelisted application program when it runs on the corresponding blockchain node.
Optionally, determining the trusted nodes in the alliance chain based on a trusted authentication algorithm includes: determining a second blockchain node that initiates communication to a first blockchain node in the alliance chain, and establishing an authenticated connection between the first and second blockchain nodes to obtain a neighbor trust certificate in the first blockchain node; judging, from the neighbor trust certificate, whether the first blockchain node has trust-authenticated the second blockchain node; if not, determining a trust propagation path between the first and second blockchain nodes; determining the other blockchain nodes located on the trust propagation path that are adjacent to the first and second blockchain nodes respectively; and propagating the neighbor trust certificates of those other blockchain nodes to the first blockchain node along the trust propagation path, so that all blockchain nodes traversed by the trust propagation path are determined to be trusted nodes.
Optionally, obtaining the neighbor trust certificate in the first blockchain node includes: acquiring a trusted authentication kernel and parsing it to obtain the neighbor trust certificate.
Optionally, selecting one of the trusted nodes as the authority authentication node responsible for node authority allocation includes: quantifying the trust of the trusted nodes to obtain corresponding trust values, and, based on comparing the trust values with a set trust threshold, selecting the trusted node with the largest trust value among all trusted nodes as the authority authentication node.
Optionally, verifying the digital certificate carried in the data transaction request includes: parsing the digital certificate to obtain the public key bound in it, and judging whether that public key is the one having the mapping relationship with the key pair and the node identity information; if so, the digital certificate passes verification and the node that passed subject validity authentication is judged to have permission for the data transaction request.
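The issuance and verification flow of the first aspect (a registry of node identities and keys on the authority authentication node, a certificate binding the registered public key to the identity, and a signature check on the certificate carried in a data transaction request), as an added Go example; it is not code from the patent or its assignee. The certificate layout, the ECDSA P-256 keys, the SHA-256 digest over identity and key, and the rule that the request itself must be signed by the certified key are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Certificate binds a node identity to the public key the authority node holds
// for it; Signature is the authority's ECDSA signature over both fields.
type Certificate struct {
	NodeID    string
	PublicKey []byte // PKIX (DER) encoding of the node's public key
	Signature []byte
}

// TxRequest: a data transaction request with certificate and requester's signature.
type TxRequest struct {
	Cert    Certificate
	Payload []byte
	Sig     []byte
}

// AuthorityNode is the trusted node elected to allocate node authority; it holds
// the registered public key of every other node, keyed by node identity.
type AuthorityNode struct {
	key      *ecdsa.PrivateKey
	registry map[string]*ecdsa.PublicKey
}

// GenerateNodeKey creates a P-256 key pair (assumed curve) for a node.
func GenerateNodeKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	return k
}

func NewAuthorityNode() *AuthorityNode {
	return &AuthorityNode{key: GenerateNodeKey(), registry: map[string]*ecdsa.PublicKey{}}
}

// Register stores a node's identity and public key on the authority node.
func (a *AuthorityNode) Register(nodeID string, pub *ecdsa.PublicKey) { a.registry[nodeID] = pub }

// certDigest is the value the authority signs: SHA-256 over identity, separator, key.
func certDigest(nodeID string, pub []byte) []byte {
	d := sha256.Sum256(append([]byte(nodeID+"\x00"), pub...))
	return d[:]
}

// Issue answers an identity assignment request. Subject validity authentication is
// modelled as "the identity is registered"; the key bound into the certificate is
// the stored one, never a key supplied by the requester.
func (a *AuthorityNode) Issue(nodeID string) (*Certificate, error) {
	pub, ok := a.registry[nodeID]
	if !ok {
		return nil, errors.New("subject validity authentication failed: unregistered node")
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, certDigest(nodeID, der))
	if err != nil {
		return nil, err
	}
	return &Certificate{NodeID: nodeID, PublicKey: der, Signature: sig}, nil
}

// SignRequest is what a node does when it initiates a data transaction.
func SignRequest(priv *ecdsa.PrivateKey, cert *Certificate, payload []byte) (*TxRequest, error) {
	d := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	return &TxRequest{Cert: *cert, Payload: payload, Sig: sig}, nil
}

// Authorize verifies the certificate carried in a request: (1) the authority
// signed it, (2) the bound key is the one mapped to the claimed identity, and
// (3) the request is signed by that key, so a copied certificate without the
// matching private key is rejected.
func (a *AuthorityNode) Authorize(req *TxRequest) error {
	c := req.Cert
	if !ecdsa.VerifyASN1(&a.key.PublicKey, certDigest(c.NodeID, c.PublicKey), c.Signature) {
		return errors.New("certificate signature invalid")
	}
	reg, ok := a.registry[c.NodeID]
	if !ok {
		return errors.New("certificate names an unregistered identity")
	}
	der, err := x509.MarshalPKIXPublicKey(reg)
	if err != nil {
		return err
	}
	if !bytes.Equal(der, c.PublicKey) {
		return errors.New("bound public key does not map to the registered identity")
	}
	d := sha256.Sum256(req.Payload)
	if !ecdsa.VerifyASN1(reg, d[:], req.Sig) {
		return errors.New("request signature does not match the certified key")
	}
	return nil
}
```

The third check is the one that actually stops impersonation: verifying only that the certificate is genuine would let any node that copies another node's certificate pass, so the request signature ties the certificate to possession of the matching private key.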
According to a second aspect of the embodiments of the present application, an apparatus for managing node authority in an alliance chain is provided, including:
a first program unit, configured to determine the trusted nodes in the alliance chain based on a trusted authentication algorithm and to select one of the trusted nodes to serve as the authority authentication node responsible for node authority allocation;
a second program unit, configured to store the key pairs and node identity information of the other nodes in the alliance chain on the authority authentication node, so that subject validity authentication can be performed on the corresponding node;
a third program unit, configured to, in response to an identity assignment request from a node that has passed subject validity authentication, retrieve the public key encapsulated on the authority authentication node and bind it to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information;
and a fourth program unit, configured to issue the digital certificate to the node that passed subject validity authentication, so that when that node initiates a data transaction request, the digital certificate carried in the request is verified (its signature checked) to decide whether the node has permission for the data transaction request.
Optionally, the first program unit is further configured to: determine, according to the trust value of each application program in the application program whitelist of the alliance chain, multiple items of trusted behavior data of the blockchain nodes of the alliance chain that run each application program, so as to form a trusted behavior data rule base; collect in real time the real-time behavior data of any application program running on a blockchain node; and determine the degree to which the real-time behavior data matches the trusted behavior data, so as to determine the trusted nodes in the alliance chain.
Optionally, the first program unit is further configured to: generate a trust metric log from the calculated trust value of each application program in the whitelist, where the trust metric log records the files called during the start-up of each application program together with the corresponding trust value.
Optionally, the first program unit is further configured to: parse the trust metric log to obtain the files called during the start-up of each application program and the corresponding trust values.
Optionally, the first program unit is further configured to: after the blockchain node running each whitelisted application program has been powered on and booted, and before the application program starts, perform a hash operation on the integrity data of each whitelisted application program to obtain a hash value, and calculate from that hash value the trust value of each whitelisted application program when it runs on the corresponding blockchain node.
Optionally, the first program unit is further configured to: determine a second blockchain node that initiates communication to a first blockchain node in the alliance chain, and establish an authenticated connection between the first and second blockchain nodes to obtain a neighbor trust certificate in the first blockchain node; judge, from the neighbor trust certificate, whether the first blockchain node has trust-authenticated the second blockchain node; if not, determine a trust propagation path between the first and second blockchain nodes; determine the other blockchain nodes located on the trust propagation path that are adjacent to the first and second blockchain nodes respectively; and propagate the neighbor trust certificates of those other blockchain nodes to the first blockchain node along the trust propagation path, so that all blockchain nodes traversed by the trust propagation path are determined to be trusted nodes.
Optionally, the first program unit is further configured to: acquire a trusted authentication kernel and parse it to obtain the neighbor trust certificate.
Optionally, the first program unit is further configured to: quantify the trust of the trusted nodes to obtain corresponding trust values, and, based on comparing the trust values with a set trust threshold, select the trusted node with the largest trust value among all trusted nodes as the authority authentication node.
Optionally, the fourth program unit is further configured to: parse the digital certificate to obtain the public key bound in it, and judge whether that public key is the one having the mapping relationship with the key pair and the node identity information; if so, the digital certificate passes verification and the node that passed subject validity authentication is judged to have permission for the data transaction request.
According to a third aspect of the embodiments of the present application, an electronic device is provided, including a memory and a processor, where the memory stores an executable program and the processor executes the executable program to perform the following steps:
determining the trusted nodes in the alliance chain based on a trusted authentication algorithm, and selecting one of the trusted nodes to serve as the authority authentication node responsible for node authority allocation;
storing the key pairs and node identity information of the other nodes in the alliance chain on the authority authentication node, so that subject validity authentication can be performed on the corresponding node;
in response to an identity assignment request from a node that has passed subject validity authentication, retrieving the public key encapsulated on the authority authentication node and binding it to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information;
and issuing the digital certificate to the node that passed subject validity authentication, so that when that node initiates a data transaction request, the digital certificate carried in the request is verified (its signature checked) to decide whether the node has permission for the data transaction request.
In the technical solution of the embodiments of the application, the trusted nodes in the alliance chain are determined based on a trusted authentication algorithm, and one of them is selected to serve as the authority authentication node responsible for node authority allocation; the key pairs and node identity information of the other nodes in the alliance chain are stored on the authority authentication node so that subject validity authentication can be performed on the corresponding node; in response to an identity assignment request from a node that has passed subject validity authentication, the public key encapsulated on the authority authentication node is retrieved and bound to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information; and the digital certificate is issued to that node, so that when it initiates a data transaction request the digital certificate carried in the request is verified (its signature checked) to decide whether the node has permission for the data transaction request. This avoids the potential security hazard of impersonated blockchain nodes.
Drawings
In order to describe the embodiments of the present application or the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously the drawings below show only some embodiments of the present application; those skilled in the art may derive other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for managing node authority in an alliance chain according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an apparatus for managing node authority in an alliance chain according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device in an embodiment of the present application;
Fig. 4 is a schematic hardware structure diagram of an electronic device in an embodiment of the present application.
Detailed Description
It is not necessary for any particular embodiment of the invention to achieve all of the above advantages at the same time.
In order to help those skilled in the art understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
In the technical solution of the embodiments of the application, the trusted nodes in the alliance chain are determined based on a trusted authentication algorithm, and one of them is selected to serve as the authority authentication node responsible for node authority allocation; the key pairs and node identity information of the other nodes in the alliance chain are stored on the authority authentication node so that subject validity authentication can be performed on the corresponding node; in response to an identity assignment request from a node that has passed subject validity authentication, the public key encapsulated on the authority authentication node is retrieved and bound to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information; and the digital certificate is issued to that node, so that when it initiates a data transaction request the digital certificate carried in the request is verified to decide whether the node has permission for the data transaction request. This avoids the potential security hazard of impersonated blockchain nodes.
Fig. 1 is a schematic flowchart of a method for managing node authority in an alliance chain according to an embodiment of the present application; as shown in Fig. 1, it includes:
S101, determining the trusted nodes in the alliance chain based on a trusted authentication algorithm, and selecting one of the trusted nodes to serve as the authority authentication node responsible for node authority allocation;
S102, storing the key pairs and node identity information of the other nodes in the alliance chain on the authority authentication node, so that subject validity authentication can be performed on the corresponding node;
S103, in response to an identity assignment request from a node that has passed subject validity authentication, retrieving the public key encapsulated on the authority authentication node and binding it to a digital certificate, where the public key has a one-to-one mapping relationship with the key pair and the node identity information;
S104, issuing the digital certificate to the node that passed subject validity authentication, so that when that node initiates a data transaction request, the digital certificate carried in the request is verified and it is judged whether the node has permission for the data transaction request.
Optionally, determining the trusted nodes in the alliance chain based on a trusted authentication algorithm includes: determining, according to the trust value of each application program in the application program whitelist of the alliance chain, multiple items of trusted behavior data of the blockchain nodes of the alliance chain that run each application program, so as to form a trusted behavior data rule base; collecting in real time the real-time behavior data of any application program running on the blockchain node; and determining the degree to which the real-time behavior data matches the trusted behavior data, so as to determine the trusted nodes in the alliance chain. The trusted nodes determined in this way are highly reliable.
Optionally, determining, according to the trust value of each application program in the application program whitelist of the alliance chain, the multiple items of trusted behavior data of the blockchain nodes that run each application program so as to form the trusted behavior data rule base includes: generating a trust metric log from the calculated trust value of each application program in the whitelist, where the trust metric log records the files called during the start-up of each application program together with the corresponding trust value. This makes the generated trust values more accurate while reducing the amount of data the algorithm processes, which improves the execution efficiency of the algorithm.
Optionally, determining, according to the trust value of each application program in the application program whitelist of the alliance chain, the multiple items of trusted behavior data of the blockchain nodes that run each application program so as to form the trusted behavior data rule base includes: parsing the trust metric log to obtain the files called during the start-up of each application program and the corresponding trust values, thereby improving the accuracy of the trust assessment.
Optionally, generating the trust metric log from the calculated trust value of each application program in the whitelist includes: after the blockchain node running each whitelisted application program has booted, and before the application program starts, performing a hash operation on the integrity data of each whitelisted application program to obtain a hash value, and calculating from that hash value the trust value of each whitelisted application program when it runs on the corresponding blockchain node. The trust value is thus computed dynamically, which effectively ensures its accuracy.
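The measurement procedure of the four optional steps above (hash the integrity data of each whitelisted application after boot and before it starts, derive a trust value, record a trust metric log, parse the log into a trusted behavior rule base, and match real-time behavior against it to decide whether the node is trusted), carried through as an added Go example; it is not the patent's code. The log line format, the trust value as the share of whitelisted files whose digest matches, the rule of keeping only fully trusted (1.00) applications in the rule base, and the 0.9 match threshold are assumptions made here; the file contents are constructed sample data standing in for files on disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// FileSet maps a file path to the hex SHA-256 digest of its contents.
type FileSet map[string]string

// Whitelist: application name -> files it loads at start-up, with the digests
// recorded when the whitelist was built (its "integrity data").
type Whitelist map[string]FileSet

func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// MeasureFiles hashes the files of one application as found on the node after
// boot and before the application starts.
func MeasureFiles(contents map[string][]byte) FileSet {
	fs := FileSet{}
	for path, b := range contents {
		fs[path] = Digest(b)
	}
	return fs
}

// TrustValue quantifies one application as the share of its whitelisted files
// whose measured digest matches (assumed quantification).
func TrustValue(expected, measured FileSet) float64 {
	if len(expected) == 0 {
		return 0
	}
	match := 0
	for path, want := range expected {
		if measured[path] == want {
			match++
		}
	}
	return float64(match) / float64(len(expected))
}

// WriteTrustLog produces the trust metric log: one line per whitelisted file,
// recording the file, its measured digest and the application's trust value.
func WriteTrustLog(wl Whitelist, measured map[string]FileSet) []string {
	var lines []string
	for app, expected := range wl {
		tv := TrustValue(expected, measured[app])
		for path := range expected {
			lines = append(lines, fmt.Sprintf("app=%s file=%s digest=%s trust=%.2f",
				app, path, measured[app][path], tv))
		}
	}
	sort.Strings(lines) // deterministic log order
	return lines
}

// ParseTrustLog builds the trusted behavior rule base from the log. Assumed
// rule: only files of applications measured with full trust (1.00) are kept.
func ParseTrustLog(lines []string) Whitelist {
	rules := Whitelist{}
	for _, ln := range lines {
		kv := map[string]string{}
		for _, f := range strings.Fields(ln) {
			if p := strings.SplitN(f, "=", 2); len(p) == 2 {
				kv[p[0]] = p[1]
			}
		}
		if kv["trust"] != "1.00" {
			continue
		}
		if rules[kv["app"]] == nil {
			rules[kv["app"]] = FileSet{}
		}
		rules[kv["app"]][kv["file"]] = kv["digest"]
	}
	return rules
}

// MatchDegree compares real-time behavior (files each application actually
// loaded, with their digests) against the rule base: the share of observed
// (app, file, digest) triples the rule base contains. An unknown file or a
// changed digest counts as a mismatch.
func MatchDegree(rules Whitelist, runtime map[string]FileSet) float64 {
	total, hit := 0, 0
	for app, files := range runtime {
		for path, d := range files {
			total++
			if rules[app][path] == d {
				hit++
			}
		}
	}
	if total == 0 {
		return 0
	}
	return float64(hit) / float64(total)
}

// NodeTrusted is the decision for a blockchain node (0.9 is an assumed threshold).
func NodeTrusted(degree, threshold float64) bool { return degree >= threshold }

// SampleContents is constructed sample data standing in for files on disk.
var SampleContents = map[string]map[string][]byte{
	"ledger":    {"/opt/ledger/bin": []byte("ledger v1"), "/opt/ledger/conf": []byte("peers=3")},
	"consensus": {"/opt/consensus/bin": []byte("pbft v2")},
}

// Demo builds the rule base from a clean boot measurement, then scores a
// runtime snapshot in which the ledger configuration has been altered.
func Demo() float64 {
	wl, measured := Whitelist{}, map[string]FileSet{}
	for app, c := range SampleContents {
		wl[app], measured[app] = MeasureFiles(c), MeasureFiles(c) // clean boot
	}
	rules := ParseTrustLog(WriteTrustLog(wl, measured))
	runtime := map[string]FileSet{
		"ledger":    {"/opt/ledger/bin": Digest([]byte("ledger v1")), "/opt/ledger/conf": Digest([]byte("peers=99"))},
		"consensus": {"/opt/consensus/bin": Digest([]byte("pbft v2"))},
	}
	return MatchDegree(rules, runtime) // 2 of 3 observations match
}

func main() {
	d := Demo()
	fmt.Printf("match degree %.2f, node trusted: %v\n", d, NodeTrusted(d, 0.9))
}
```

Because the rule base is derived from the boot-time log rather than from the live node, an application whose files were already altered at boot never contributes rules, and a file altered later shows up as a drop in the match degree; both cases lead to the node not being deemed trusted.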
Optionally, the determining trusted nodes in the federation chain based on a trusted authentication algorithm includes: determining a second blockchain node that initiates communication with a first blockchain node in the federation chain, and establishing an authentication connection between the first and second blockchain nodes to obtain a neighbor credibility certificate held by the first blockchain node; judging, according to the neighbor credibility certificate, whether the first blockchain node has performed trust authentication on the second blockchain node; if not, determining a trust propagation path between the first and second blockchain nodes; determining the other blockchain nodes that lie on the trust propagation path and are adjacent to the first blockchain node and to the second blockchain node respectively; and propagating the neighbor credibility certificates of those other blockchain nodes along the trust propagation path to the first blockchain node, so that all blockchain nodes traversed by the trust propagation path are determined to be trusted nodes.
In this embodiment, mutual trust authentication is effectively achieved through the trust propagation path, which ensures that the determined trusted nodes have higher reliability.
Optionally, the obtaining the neighbor credibility certificate held by the first blockchain node includes: acquiring a trusted authentication kernel and parsing it to obtain the neighbor credibility certificate. Using the trusted authentication kernel prevents leakage of the data involved in trusted authentication, which in turn guarantees the reliability of the trusted nodes.
Optionally, the screening a trusted node from the trusted nodes as the authority authentication node responsible for node authority allocation includes: quantifying the credibility of the trusted nodes to obtain corresponding trust values, and, based on comparing those trust values with a set trust threshold, selecting the trusted node with the largest trust value among all trusted nodes as the authority authentication node, which improves the efficiency of algorithm execution.
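The trust propagation step and the authority node selection above, as an added Go example that is not part of the patent and not the applicant's code. It models the neighbor credibility certificates as a directed adjacency structure (node a holds a certificate for neighbor b), finds the trust propagation path from the first node to a second node it has not directly authenticated by breadth-first search over those certificates, treats every node on that path as trusted, and then picks the trusted node with the largest trust value that reaches the threshold. The adjacency representation, the breadth-first search, the node names and the trust values are all assumptions of the example; the patent only states that a path exists and that its nodes become trusted.

```go
package main

import "fmt"

// Certs records the neighbor credibility certificates each node holds:
// certs[a][b] is true when node a has already performed trust authentication
// on its neighbor b. Certificates are directional in this model.
type Certs map[string]map[string]bool

// TrustPath returns the trust propagation path from first to second: the direct
// edge if first already holds a certificate for second, otherwise the shortest
// chain of neighbor certificates found by breadth-first search, or nil if none.
func TrustPath(certs Certs, first, second string) []string {
	if certs[first][second] {
		return []string{first, second}
	}
	prev := map[string]string{first: ""} // node -> node it was reached from
	queue := []string{first}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for next := range certs[cur] {
			if _, seen := prev[next]; seen {
				continue
			}
			prev[next] = cur
			if next == second {
				// walk back through prev to rebuild the path in forward order
				path := []string{second}
				for n := cur; n != ""; n = prev[n] {
					path = append([]string{n}, path...)
				}
				return path
			}
			queue = append(queue, next)
		}
	}
	return nil
}

// SelectAuthority quantifies the credibility of the trusted nodes with the supplied
// trust values and returns the one with the largest value, provided it reaches the
// threshold; ok is false when no trusted node qualifies. Nodes that are not on the
// trust propagation path are never candidates, however high their value.
func SelectAuthority(trusted []string, values map[string]float64, threshold float64) (string, bool) {
	best, bestVal, ok := "", 0.0, false
	for _, n := range trusted {
		v := values[n]
		if v >= threshold && (!ok || v > bestVal) {
			best, bestVal, ok = n, v, true
		}
	}
	return best, ok
}

// SampleNetwork is constructed input: a chain of certificates A->B->C->D and a
// node E that nobody has authenticated, with made-up trust values.
func SampleNetwork() (Certs, map[string]float64) {
	certs := Certs{"A": {"B": true}, "B": {"C": true}, "C": {"D": true}, "D": {}}
	values := map[string]float64{"A": 0.90, "B": 0.70, "C": 0.95, "D": 0.80, "E": 0.99}
	return certs, values
}

func main() {
	certs, values := SampleNetwork()
	path := TrustPath(certs, "A", "D")
	fmt.Println("trust propagation path A->D:", path)
	if node, ok := SelectAuthority(path, values, 0.75); ok {
		fmt.Println("authority authentication node:", node)
	}
	fmt.Println("path A->E:", TrustPath(certs, "A", "E")) // nil: E is not trusted
}
```

Node E carries the highest trust value in the sample but is never selected because no certificate chain reaches it; the threshold check also means that a path made only of low-valued nodes yields no authority node at all, which is the safer outcome for an allocation role.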
Optionally, the verifying the signature of the digital certificate carried in the data transaction request includes: parsing the digital certificate to obtain the public key bound in it, judging whether that public key is the one having the mapping relation with the key pair and the node identity information, and if so, verifying the signature of the digital certificate and judging that the node that has passed subject legitimacy authentication has the data transaction request authority.
The mapping relation among the public key, the key pair and the node identity information improves the isolation between data during algorithm execution and ensures data security.
FIG. 2 is a schematic structural diagram of an apparatus for managing node authority in a federation chain according to an embodiment of the present application; as shown in FIG. 2, it includes:
a first program unit 201, configured to determine trusted nodes in the federation chain based on a trusted authentication algorithm, so as to screen one trusted node from the trusted nodes as an authority authentication node responsible for node authority allocation;
a second program unit 202, configured to store the key pairs of other nodes in the federation chain and their node identity information on the authority authentication node, so as to perform subject legitimacy authentication on the corresponding node;
a third program unit 203, configured to, in response to an identity assignment request from a node that has passed subject legitimacy authentication, invoke a public key encapsulated on the authority authentication node and bind the public key to a digital certificate, where the public key has a one-to-one mapping relation with the key pair and the node identity information;
a fourth program unit 204, configured to issue the digital certificate to the node that has passed subject legitimacy authentication, so that when that node initiates a data transaction request, the signature of the digital certificate carried in the request is verified to judge whether the node has the data transaction request authority.
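The certificate issuance and verification described for the second, third and fourth program units, and the signature check spelled out earlier for the data transaction request, as an added Go example; this is illustrative code written for this page, not the patent's or the applicant's implementation. The authority authentication node keeps a registry mapping each node identity one-to-one to the public key of that node's key pair, answers an identity assignment request by binding that key into a certificate it signs, and, on a data transaction request, parses the certificate, checks that the bound public key is the one mapped to the claimed identity, verifies the authority's signature on the certificate and then the requester's signature on the payload. Ed25519 from the Go standard library, the JSON encoding, the registry holding only public keys, and the node identity "org1.peer0" are all assumptions of the example; the patent does not fix the signature scheme or the certificate format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry is the state kept on the authority authentication node: its own signing
// key pair and, for every node that passed subject legitimacy authentication, the
// node identity mapped one-to-one to the public key of that node's key pair.
type Registry struct {
	authPriv ed25519.PrivateKey
	AuthPub  ed25519.PublicKey
	pubs     map[string]ed25519.PublicKey // node identity -> public key
}

// Certificate binds a node identity to its public key under the authority's signature.
type Certificate struct {
	NodeID    string `json:"node_id"`
	PublicKey []byte `json:"public_key"`
	Signature []byte `json:"signature"` // authority signature over node_id || 0x00 || public_key
}

// TxRequest is a data transaction request: the certificate plus the requester's
// signature over the payload, made with the private half of the bound key pair.
type TxRequest struct {
	Cert    Certificate `json:"cert"`
	Payload []byte      `json:"payload"`
	Sig     []byte      `json:"sig"`
}

func NewRegistry() (*Registry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Registry{authPriv: priv, AuthPub: pub, pubs: map[string]ed25519.PublicKey{}}, nil
}

// Register stores a node's public key under its identity; the identity must be new,
// so the mapping stays one-to-one.
func (r *Registry) Register(nodeID string, pub ed25519.PublicKey) error {
	if _, dup := r.pubs[nodeID]; dup {
		return errors.New("node identity already registered")
	}
	r.pubs[nodeID] = pub
	return nil
}

// certBytes is the message the authority signs; the NUL separator keeps identity
// and key from being re-split ambiguously.
func certBytes(nodeID string, pub []byte) []byte {
	return append([]byte(nodeID+"\x00"), pub...)
}

// Issue answers an identity assignment request from a registered node by binding
// the public key mapped to that identity into a signed certificate.
func (r *Registry) Issue(nodeID string) (Certificate, error) {
	pub, ok := r.pubs[nodeID]
	if !ok {
		return Certificate{}, errors.New("unknown node identity")
	}
	return Certificate{NodeID: nodeID, PublicKey: pub, Signature: ed25519.Sign(r.authPriv, certBytes(nodeID, pub))}, nil
}

// BuildRequest is what a node does when it initiates a data transaction.
func BuildRequest(cert Certificate, priv ed25519.PrivateKey, payload []byte) ([]byte, error) {
	return json.Marshal(TxRequest{Cert: cert, Payload: payload, Sig: ed25519.Sign(priv, payload)})
}

// Verify is the check run on an incoming request: parse the certificate, confirm the
// public key in it is the one mapped to the claimed identity, verify the authority's
// signature on the certificate, then verify the requester's signature on the payload.
// It returns the authenticated node identity on success.
func (r *Registry) Verify(raw []byte) (string, error) {
	var req TxRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return "", err
	}
	c := req.Cert
	if len(c.PublicKey) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key in certificate")
	}
	registered, ok := r.pubs[c.NodeID]
	if !ok || !bytes.Equal(registered, c.PublicKey) {
		return "", errors.New("public key is not mapped to the claimed node identity")
	}
	if !ed25519.Verify(r.AuthPub, certBytes(c.NodeID, c.PublicKey), c.Signature) {
		return "", errors.New("certificate signature invalid")
	}
	if !ed25519.Verify(ed25519.PublicKey(c.PublicKey), req.Payload, req.Sig) {
		return "", errors.New("request signature invalid")
	}
	return c.NodeID, nil
}

func main() {
	reg, _ := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_ = reg.Register("org1.peer0", pub) // constructed node identity
	cert, _ := reg.Issue("org1.peer0")
	raw, _ := BuildRequest(cert, priv, []byte("put k1=v1"))
	id, err := reg.Verify(raw)
	fmt.Println("authenticated node:", id, "err:", err)
}
```

The order of checks in Verify matters: the registry lookup comes before any signature verification, so a certificate presenting a key that is not mapped to the claimed identity is rejected without ever being trusted, and the key length is checked first because the standard library's verifier panics on a malformed key rather than returning false.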
Optionally, the first program unit 201 is further configured to: determine, according to the trust value of each application in the application whitelist of the federation chain, a plurality of trusted behavior data of the blockchain nodes of the federation chain running each application, to form a trusted behavior data rule base; acquire in real time the real-time behavior data of any application running on the blockchain node; and determine the matching degree between the real-time behavior data and the trusted behavior data, so as to determine the trusted nodes in the federation chain.
Optionally, the first program unit 201 is further configured to: generate a trust measurement log according to the calculated trust value of each application in the application whitelist, where the trust measurement log records the files called during the startup of each application and their corresponding trust values.
Optionally, the first program unit 201 is further configured to: parse the trust measurement log to obtain the files called during the startup of each application and their corresponding trust values.
Optionally, the first program unit 201 is further configured to: after the blockchain node running each application in the application whitelist has been started, and before the application itself is started, perform a hash operation on the integrity data of each application in the application whitelist to obtain a hash value, and calculate from that hash value the trust value of each application when it runs on the corresponding blockchain node.
Optionally, the first program unit 201 is further configured to: determine a second blockchain node that initiates communication with a first blockchain node in the federation chain, and establish an authentication connection between the first and second blockchain nodes to obtain a neighbor credibility certificate held by the first blockchain node; judge, according to the neighbor credibility certificate, whether the first blockchain node has performed trust authentication on the second blockchain node; if not, determine a trust propagation path between the first and second blockchain nodes; determine the other blockchain nodes that lie on the trust propagation path and are adjacent to the first blockchain node and to the second blockchain node respectively; and propagate the neighbor credibility certificates of those other blockchain nodes along the trust propagation path to the first blockchain node, so that all blockchain nodes traversed by the trust propagation path are determined to be trusted nodes.
Optionally, the first program unit 201 is further configured to: acquire a trusted authentication kernel and parse it to obtain the neighbor credibility certificate.
Optionally, the first program unit 201 is further configured to: quantify the credibility of the trusted nodes to obtain corresponding trust values, and, based on comparing those trust values with a set trust threshold, select the trusted node with the largest trust value among all trusted nodes as the authority authentication node.
Optionally, the fourth program unit 204 is further configured to: parse the digital certificate to obtain the public key bound in it, judge whether that public key is the one having the mapping relation with the key pair and the node identity information, and if so, verify the signature of the digital certificate and judge that the node that has passed subject legitimacy authentication has the data transaction request authority.
FIG. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application; as shown in FIG. 3, it includes a memory 301 and a processor 302, where the memory stores an executable program and the processor executes the executable program to perform the following steps:
determining trusted nodes in the federation chain based on a trusted authentication algorithm, and screening one trusted node from the trusted nodes to serve as an authority authentication node responsible for node authority allocation;
storing the key pairs of other nodes in the federation chain and their node identity information on the authority authentication node, so as to perform subject legitimacy authentication on the corresponding node;
in response to an identity assignment request from a node that has passed subject legitimacy authentication, invoking a public key encapsulated on the authority authentication node and binding the public key to a digital certificate, where the public key has a one-to-one mapping relation with the key pair and the node identity information; and
issuing the digital certificate to the node that has passed subject legitimacy authentication, so that when that node initiates a data transaction request, the signature of the digital certificate carried in the data transaction request is verified to judge whether the node has the data transaction request authority.
FIG. 4 is a schematic diagram of the hardware structure of an electronic device in an embodiment of the present application; as shown in FIG. 4, the hardware structure of the electronic device may be as follows: the electronic device 400 includes a computing unit 401 that can perform various appropriate actions and processes according to a computer program stored in a read-only memory (ROM) 402 or a computer program loaded from a storage unit 406 into a random access memory (RAM) 403. The RAM 403 can also store various programs and data required for the operation of the device 400. The computing unit 401, the ROM 402 and the RAM 403 are connected to one another via a bus 404. An input/output (I/O) interface 405 is also connected to the bus 404.
A number of components in the electronic device 400 are connected to the I/O interface 405, including an input unit 406, an output unit 407, a storage unit 408 and a communication unit 409. The input unit 406 may be any type of device capable of inputting information to the electronic device 400; it may receive input numeric or character information and generate key signal inputs related to user settings and/or function control of the electronic device. The output unit 407 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator and/or a printer. The storage unit 404 may include, but is not limited to, a magnetic disk or an optical disk. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network such as the Internet and/or various telecommunication networks, and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication transceivers and/or chipsets such as Bluetooth(TM) devices, WiFi devices, WiMax devices, cellular communication devices and the like.
The computing unit 401 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various computing units running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller and so forth. The computing unit 401 executes the methods and processes described above. For example, in some embodiments the above steps may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 40. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. In some embodiments, the computing unit 401 may be configured to perform the above steps in any other suitable manner (e.g., by means of firmware).
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily intended to provide voice and data communication. Such terminals include smartphones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers, which are similar in architecture to general-purpose computers but, because they must provide highly reliable services, have higher requirements for processing capability, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another. In particular, the apparatus and system embodiments are described relatively briefly because they are substantially similar to the method embodiments, and reference may be made to the relevant description of the method embodiments. The apparatus and system embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. Those of ordinary skill in the art can understand and implement this without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto; any change or substitution that can be readily conceived by those skilled in the art within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.

Claims (19)

1. A method for managing node authority in a federation chain, characterized by comprising the following steps:
determining trusted nodes in the federation chain based on a trusted authentication algorithm, and screening one trusted node from the trusted nodes to serve as an authority authentication node responsible for node authority allocation;
storing the key pairs of other nodes in the federation chain and their node identity information on the authority authentication node, so as to perform subject legitimacy authentication on the corresponding node;
in response to an identity assignment request from a node that has passed subject legitimacy authentication, invoking a public key encapsulated on the authority authentication node and binding the public key to a digital certificate, wherein the public key has a one-to-one mapping relation with the key pair and the node identity information; and
issuing the digital certificate to the node that has passed subject legitimacy authentication, so that when that node initiates a data transaction request, the signature of the digital certificate carried in the data transaction request is verified to judge whether the node has the data transaction request authority.
2. The method for managing node authority in a federation chain according to claim 1, wherein the determining trusted nodes in the federation chain based on a trusted authentication algorithm comprises: determining, according to the trust value of each application in the application whitelist of the federation chain, a plurality of trusted behavior data of the blockchain nodes of the federation chain running each application, to form a trusted behavior data rule base; acquiring in real time the real-time behavior data of any application running on the blockchain node; and determining the matching degree between the real-time behavior data and the trusted behavior data, so as to determine the trusted nodes in the federation chain.
3. The method for managing node authority in a federation chain according to claim 1, wherein, before the determining, according to the trust value of each application in the application whitelist of the federation chain, a plurality of trusted behavior data of the blockchain nodes of the federation chain running each application to form a trusted behavior data rule base, the method further comprises: generating a trust measurement log according to the calculated trust value of each application in the application whitelist, wherein the trust measurement log records the files called during the startup of each application and their corresponding trust values.
4. The method for managing node authority in a federation chain according to claim 3, wherein the determining, according to the trust value of each application in the application whitelist of the federation chain, a plurality of trusted behavior data of the blockchain nodes of the federation chain running each application to form a trusted behavior data rule base comprises: parsing the trust measurement log to obtain the files called during the startup of each application and their corresponding trust values.
5. The method for managing node authority in a federation chain according to claim 3, wherein the generating a trust measurement log according to the calculated trust value of each application in the application whitelist comprises: after the blockchain node running each application in the application whitelist has been started, and before the application itself is started, performing a hash operation on the integrity data of each application in the application whitelist to obtain a hash value, and calculating from that hash value the trust value of each application when it runs on the corresponding blockchain node.
6. The method for managing node authority in a federation chain according to claim 1, wherein the determining trusted nodes in the federation chain based on a trusted authentication algorithm comprises: determining a second blockchain node that initiates communication with a first blockchain node in the federation chain, and establishing an authentication connection between the first and second blockchain nodes to obtain a neighbor credibility certificate held by the first blockchain node; judging, according to the neighbor credibility certificate, whether the first blockchain node has performed trust authentication on the second blockchain node; if not, determining a trust propagation path between the first and second blockchain nodes; determining the other blockchain nodes that lie on the trust propagation path and are adjacent to the first blockchain node and to the second blockchain node respectively; and propagating the neighbor credibility certificates of those other blockchain nodes along the trust propagation path to the first blockchain node, so that all blockchain nodes traversed by the trust propagation path are determined to be the trusted nodes.
7. The method for managing node authority in a federation chain according to claim 6, wherein the obtaining the neighbor credibility certificate held by the first blockchain node comprises: acquiring a trusted authentication kernel and parsing the trusted authentication kernel to obtain the neighbor credibility certificate.
8. The method for managing node authority in a federation chain according to claim 1, wherein the screening one trusted node from the trusted nodes as the authority authentication node responsible for node authority allocation comprises: quantifying the credibility of the trusted nodes to obtain corresponding trust values, and, based on comparing those trust values with a set trust threshold, selecting the trusted node with the largest trust value among all trusted nodes as the authority authentication node.
9. The method for managing node authority in a federation chain according to claim 1, wherein the verifying the signature of the digital certificate carried in the data transaction request comprises: parsing the digital certificate to obtain the public key bound in it, judging whether that public key is the one having the mapping relation with the key pair and the node identity information, and if so, verifying the signature of the digital certificate and judging that the node that has passed subject legitimacy authentication has the data transaction request authority.
10. An apparatus for managing node authority in a federation chain, comprising:
a first program unit, configured to determine trusted nodes in the federation chain based on a trusted authentication algorithm, so as to screen one trusted node from the trusted nodes as an authority authentication node responsible for node authority allocation;
a second program unit, configured to store the key pairs of other nodes in the federation chain and their node identity information on the authority authentication node, so as to perform subject legitimacy authentication on the corresponding node;
a third program unit, configured to, in response to an identity assignment request from a node that has passed subject legitimacy authentication, invoke a public key encapsulated on the authority authentication node and bind the public key to a digital certificate, wherein the public key has a one-to-one mapping relation with the key pair and the node identity information; and
a fourth program unit, configured to issue the digital certificate to the node that has passed subject legitimacy authentication, so that when that node initiates a data transaction request, the signature of the digital certificate carried in the data transaction request is verified to judge whether the node has the data transaction request authority.
11. The apparatus for managing node authority in a federation chain according to claim 10, wherein the first program unit is further configured to: determine, according to the trust value of each application in the application whitelist of the federation chain, a plurality of trusted behavior data of the blockchain nodes of the federation chain running each application, to form a trusted behavior data rule base; acquire in real time the real-time behavior data of any application running on the blockchain node; and determine the matching degree between the real-time behavior data and the trusted behavior data, so as to determine the trusted nodes in the federation chain.
12. The apparatus for managing node authority in a federation chain according to claim 10, wherein the first program unit is further configured to: generate a trust measurement log according to the calculated trust value of each application in the application whitelist, wherein the trust measurement log records the files called during the startup of each application and their corresponding trust values.
13. The apparatus for managing node authority in a federation chain according to claim 12, wherein the first program unit is further configured to: parse the trust measurement log to obtain the files called during the startup of each application and their corresponding trust values.
14. The apparatus for managing node authority in a federation chain according to claim 12, wherein the first program unit is further configured to: after the blockchain node running each application in the application whitelist has been started, and before the application itself is started, perform a hash operation on the integrity data of each application in the application whitelist to obtain a hash value, and calculate from that hash value the trust value of each application when it runs on the corresponding blockchain node.
15. The apparatus for managing node authority in a federation chain according to claim 10, wherein the first program unit is further configured to: determine a second blockchain node that initiates communication with a first blockchain node in the federation chain, and establish an authentication connection between the first and second blockchain nodes to obtain a neighbor credibility certificate held by the first blockchain node; judge, according to the neighbor credibility certificate, whether the first blockchain node has performed trust authentication on the second blockchain node; if not, determine a trust propagation path between the first and second blockchain nodes; determine the other blockchain nodes that lie on the trust propagation path and are adjacent to the first blockchain node and to the second blockchain node respectively; and propagate the neighbor credibility certificates of those other blockchain nodes along the trust propagation path to the first blockchain node, so that all blockchain nodes traversed by the trust propagation path are determined to be the trusted nodes.
16. The apparatus for managing node authority in a federation chain according to claim 15, wherein the first program unit is further configured to: acquire a trusted authentication kernel and parse the trusted authentication kernel to obtain the neighbor credibility certificate.
17. The apparatus for managing node authority in a federation chain according to claim 10, wherein the first program unit is further configured to: quantify the credibility of the trusted nodes to obtain corresponding trust values, and, based on comparing those trust values with a set trust threshold, select the trusted node with the largest trust value among all trusted nodes as the authority authentication node.
18. The apparatus for managing node authority in a federation chain according to claim 10, wherein the fourth program unit is further configured to: parse the digital certificate to obtain the public key bound in it, judge whether that public key is the one having the mapping relation with the key pair and the node identity information, and if so, verify the signature of the digital certificate and judge that the node that has passed subject legitimacy authentication has the data transaction request authority.
19. An electronic device, comprising a memory and a processor, wherein the memory stores an executable program, and the processor executes the executable program to perform the following steps:
determining trusted nodes in the federation chain based on a trusted authentication algorithm, and screening one trusted node from the trusted nodes to serve as an authority authentication node responsible for node authority allocation;
storing the key pairs of other nodes in the federation chain and their node identity information on the authority authentication node, so as to perform subject legitimacy authentication on the corresponding node;
in response to an identity assignment request from a node that has passed subject legitimacy authentication, invoking a public key encapsulated on the authority authentication node and binding the public key to a digital certificate, wherein the public key has a one-to-one mapping relation with the key pair and the node identity information; and
issuing the digital certificate to the node that has passed subject legitimacy authentication, so that when that node initiates a data transaction request, the signature of the digital certificate carried in the data transaction request is verified to judge whether the node has the data transaction request authority.
CN202211234400.XA 2022-10-10 2022-10-10 Management method and device for node authority in alliance chain and electronic equipment Pending CN115632787A (en)


Publications (1)

Publication Number Publication Date
CN115632787A true CN115632787A (en) 2023-01-20



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination