CN115865320A - Block chain-based security service management method and system
- Publication number: CN115865320A
- Application number: CN202211418921.0A
- Authority: CN (China)
- Legal status: Pending
Abstract
The invention discloses a blockchain-based security service management method and system, relating to the technical field of blockchains. S1: the KDC encrypts the participants' AES keys. S2: the KDC sends a registration request, sets the participant information mapping and stores it. S3: the user sends AS_REQ, which the smart contract checks; the KDC authentication server obtains the authentication request message. S4: the KDC authentication server generates Kc,tgs, constructs the ticket-granting ticket (TGT) and sends AS_REP to the blockchain. S5: the user sends TGS_REQ, which the smart contract checks. S6: the KDC ticket server generates Kc,v, constructs ST, and sends TGS_REP to the blockchain. S7: the user generates Ksession and sends an application request transaction, which the smart contract checks; the server obtains AP_REQ. S8: the server sends AP_REP to the blockchain, and the user decrypts it to obtain Ksession and then opens the service session. The invention protects the user's information security by authenticating identity information multiple times, prevents user privacy from being disclosed by using AES keys as the cryptographic scheme, and improves security.
Description
Technical Field
The present invention relates to the field of blockchain technologies, and in particular to a blockchain-based security service management method and system.
Background
With the rise of big data technology, data security has become one of the most widely discussed topics among researchers and security experts. Big data is developing ever more rapidly in distributed environments, where some workstations may be installed in insecure locations and users are not completely trusted. Clients therefore need to be authenticated at login: the user must obtain a ticket issued by the authentication server in order to use a service on the target server.
Kerberos is widely used in the big data ecosystem as an identity authentication protocol and handles intra-domain security service management. Big data systems such as Apache Hadoop rely on the Kerberos protocol for user identification and authentication. Although Kerberos plays an important role in identity authentication, it has some problems that are not well addressed, such as single points of failure caused by centralization, replay attacks, offline password guessing attacks and DDoS. In addition, the authentication and authorization protocols that are currently popular are centralized, which raises further security issues such as personal data leakage, unauthorized access and identity theft.
Many studies propose improvements to the Kerberos protocol. Wang et al. made improvements based on dynamic passwords and Diffie-Hellman secure key exchange; Du et al. improved traditional Kerberos, originally based on AES keys, using dynamic cryptography and one-time public keys. However, most of these require a Trusted Third Party (TTP) to provide the service, which introduces a degree of centralization.
To address the centralization problem caused by the TTP, some scholars have attempted solutions using blockchain techniques. Blockchain technology emerged in 2008, when Satoshi Nakamoto proposed Bitcoin. As a revolutionary technique, a blockchain is a distributed shared ledger that combines blocks of data into a particular data structure (the blockchain) in chronological, chained order. Each node holds a copy of the ledger.
Hena et al. propose a three-tier authentication framework based on the secure remote password protocol (SRP), one-time passwords (OTP) and threshold passwords, aiming to eliminate password guessing attacks and single-point-of-failure problems in Hadoop clusters. To do so, the authors replace the local database of the KDC with blockchain storage. However, this approach of simply using the blockchain as a database does not take full advantage of blockchain technology: for example, no smart contracts are deployed and run, and the degree of decentralization is not high.
Smart contracts are programs deployed on a chain that can store data or perform functions; certain functions are triggered to run when predetermined conditions are met. Ethereum was the first smart contract development platform to allow developers to design and run open smart contracts. The automatic triggering mechanism of smart contracts gives the blockchain the ability to host decentralized applications. Decentralizing Kerberos using blockchain smart contracts is therefore an urgent problem to be solved.
The prior art discloses a security management system and method for blockchain big data, the method comprising the following steps: S1, establishing a big data node, applying through the big data node to join an information asset network, and uploading identity authentication data; S2, applying security encryption to the identity authentication data and transaction information uploaded by the big data node; S3, performing credibility authentication on the encrypted identity authentication data; S4, if the authentication passes, judging the big data node to be a trusted big data node and adding it, with a timestamp, to the big data blockchain; S5, performing security management on the transaction information of each trusted big data node in the big data blockchain; and S6, carrying out information exchange and sharing among the trusted big data nodes. However, this prior art does not deploy smart contracts, has a low degree of decentralization, does not verify and confirm identity information multiple times, and has low security.
Disclosure of Invention
The invention provides a blockchain-based security service management method and system to solve the problems that no smart contract is deployed, the degree of decentralization is low, identity information is not verified and confirmed multiple times, and security is not high.
In order to solve these technical problems, the invention adopts the following technical scheme:
A blockchain-based security service management method, applied to the blockchain-based security service management system, is characterized by comprising the following steps:
S1: A participant enters a string password to generate an AES key and sends the ID / blockchain account address / key mapping to the key distribution center KDC; the KDC encrypts the participant's AES key with the KDC's AES key, producing an AES key encrypted under the CP-ABE encryption algorithm. The participants comprise a user C, a key distribution center KDC and a server V.
S2: The KDC sends a registration request to the blockchain, sets the information mapping of all participants and stores it on the blockchain, thereby hosting the KDC's database on the blockchain.
S3: The user C sends an authentication request transaction AS_REQ, and the smart contract checks the identity identifier ID and the random number Nonce of the authentication request message; the KDC authentication server obtains the authentication request message from the blockchain, and if decryption succeeds and the timestamp is within a certain range, the authentication request passes.
S4: The KDC authentication server randomly generates the session key Kc,tgs, constructs the ticket-granting ticket (TGT) and sends the authentication response message AS_REP to the blockchain.
S5: The user C sends a ticket request transaction TGS_REQ, and the smart contract checks the identity identifier ID and the random number Nonce of the ticket request message; the KDC ticket server obtains TGS_REQ from the blockchain, and if the ticket-granting ticket obtained by decryption is valid and the permission check passes, the ticket request passes.
S6: The KDC ticket server randomly generates the session key Kc,v for communication between the user C and the server V, constructs the service ticket ST, and sends the ticket response message TGS_REP to the blockchain.
S7: The user C randomly generates the session key Ksession for communication between the user C and the server V and sends an application request transaction, and the smart contract checks the identity identifier ID and the random number Nonce of the application request message; the server V obtains the application request message AP_REQ from the blockchain, and if the decrypted message passes the permission check, the application request passes.
S8: The server V sends the service response message AP_REP to the blockchain; the user C retrieves AP_REP, decrypts it to obtain the Kservice, and then starts the service session.
A blockchain-based security service management system comprises a user C, a server V and a key distribution center KDC.
The key distribution center KDC comprises an authentication server AS, a ticket server TGS and a database DB.
The user C is the service applicant and applies for the security service by sending an authentication request AS_REQ, a ticket request TGS_REQ and an application request AP_REQ.
The server V is the service provider and provides the secure service by sending a service response AP_REP.
The key distribution center KDC provides the authentication service AS_Service, the ticket service TGS_Service and the service security intermediary service AP_Service for the user C and the server V by managing the participants' AES keys and distributing session keys and tickets.
The system is based on AES key authentication, and in practice the number of exchange participants is not limited. The smart contract records the public information and associated messages of the exchange participants.
The working principle of the invention is as follows:
The participants' identities are authenticated multiple times through a smart contract on the Ethereum blockchain, which achieves decentralization and improves security; a cryptographic scheme is added to further protect the participants' information privacy and information security.
Preferably, the AES key is generated using the PBKDF2 algorithm, whose expression is:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
where PRF is a pseudo-random function, here HMAC-SHA256; Password is a string password defined by the user C; Salt is a 64-bit random string: combining a set of random characters with the user's original password to form a new string increases the difficulty of cracking the hash; c is the number of iterations, and repeated hash iteration further increases the difficulty of cracking the hash; dkLen is the length of the final output key, 256 bits; DK is the resulting 256-bit AES key.
Further, the CP-ABE encryption algorithm comprises the following calculation steps:
D1: Initialization: generate the public parameters, the system public key PK and the system master key.
D2: Encryption: encrypt the message M, construct an access tree from the access policy that the data owner defines for the ciphertext, and generate the node secret values; only users who satisfy a certain number of node secret value combinations can decrypt to obtain the message M.
D3: Key generation: generate the private key corresponding to the user from the user's attribute set and the master private key.
D4: Decryption: the user supplies the private key to decrypt and obtain the corresponding message M.
Further, the verification of the random number Nonce and of the timestamp in S3 uses a challenge-response mechanism.
The challenge-response mechanism comprises a timestamp verification algorithm and a random number verification algorithm.
The timestamp verification algorithm is as follows: whenever a message is put on chain, the timestamp of the block is taken as the timestamp of the message; after the user retrieves the message, this timestamp is compared with the user's local time. If the time difference is within the time threshold, the message is considered valid and is allowed on chain; if the time difference exceeds the time threshold, the message is considered invalid.
The random number verification algorithm is as follows: during registration, each user sets a random number Nonce, which is derived by the smart contract according to block height block.
Before the user sends a message to the blockchain, the get_nonce function of the smart contract is executed to obtain the random number, and the random number Nonce is put on chain together with the message. During the upload to the blockchain, the smart contract executes the random number check algorithm check_nonce: if the random number Nonce is the same as the stored Nonce corresponding to the participant's blockchain account address, the stored Nonce is automatically incremented by 1 and the message is put on chain successfully; if not, the Nonce is wrong and the message is not allowed on chain.
Furthermore, the smart contract comprises a user structure User and a message structure Packet.
The user structure User comprises the identity identifier ID as a string variable, the blockchain account address Address, the AES key, the permission list Permission List, the valid time Life Time, the login state is_login as a boolean variable, the random number nonce as a uint256 variable, the user registration timestamp, and several mapping(string => Packet) variables of string type that bind the messages AS_REQ, AS_REP, TGS_REQ, TGS_REP, AP_REQ and AP_REP to the message sender.
The message structure Packet comprises the message content as a string variable and the message timestamp as a uint256 variable.
Furthermore, the message structure Packet is bound to the identity identifier ID through several mapping(string => Packet) variables.
Initialization of the smart contract's stored content, resistance to replay attacks and message access are handled by setup, get_nonce, check_nonce, AS_EX, TGS_EX and AP_EX.
Furthermore, the participant information mapping includes the identity identifier ID, the blockchain account address Address, the AES key, the permission list Permission List and the valid time Life Time.
The format of the ID is: user nickname@domain name. The permission list Permission List is also encrypted with the KDC key. The Permission List is the list of services the user may access, and the user is automatically taken offline after the specified valid time. All user information is stored in the user structure User of the smart contract.
More specifically, AS_REQ is sent from C to AS, and its contents are: { IDc, IDtgs, Nonce, Kc{TimeStamp} };
AS_REP is sent from AS to C, and its contents are: Kc{ Kc,tgs, IDc, IDtgs, Nonce, TimeStamp, TGT }, where TGT = Ktgs{ IDc, IDtgs, Kc,tgs, Lifetime };
TGS_REQ is sent from C to TGS, and its contents are: IDc, IDv, TimeStamp, Nonce, TGT, Authenticator1, where Authenticator1 = Kc,tgs{ IDc, CheckSum, TimeStamp };
TGS_REP is sent from TGS to C, and its contents are: Kc,tgs{ Kc,v, IDc, IDv, ST, Nonce, TimeStamp };
AP_REQ is sent from C to S, and its contents are: IDc, IDv, TimeStamp, ST, Authenticator2, where Authenticator2 = Kc,v{ IDc, CheckSum, Ksession, TimeStamp };
AP_REP is sent from S to C, and its contents are: Kc,v{ IDc, IDv, TimeStamp }.
Kx{ } denotes encryption under the key named by the subscript; in all labels, the subscripts kdc and tgs denote the same entity. Kc is the user key, used to encrypt the AS_REQ timestamp and the AS_REP message; Ktgs is the KDC key, used to encrypt the TGT; Kv is the server key, used to encrypt ST; Kc,tgs is the session key between the client and the KDC, which encrypts Authenticator1 in the TGS_REQ message; Kc,v is the session key between the client and the server, which encrypts Authenticator2 in the AP_REQ message; Ksession is the temporary session key between the client and the server, which encrypts their service session. The key type of Kc, Ktgs, Kv, Kc,v and Ksession is AES-256.
More specifically, the ABE keys comprise the system public key PK, the system master private key MSK and the KDC private key SK.
The system public key PK is used to encrypt the KDC AES key.
The system master private key MSK is used to decrypt the KDC AES key.
The KDC private key SK is used to decrypt the KDC AES key.
Compared with the prior art, the invention has the following beneficial effects:
1. The cryptographic scheme CP-ABE is added to achieve on-chain data privacy, protecting the user's private key and the user's information security and privacy.
2. A smart contract is deployed, decentralization is achieved, identity information is verified and confirmed multiple times, and security is improved.
3. Since conventional Kerberos does not provide authorization services, the invention simplifies the authorization process to a participant reading the Permission List to confirm permissions. Compared with traditional security service management, the invention adds characteristics such as decentralization, traceability, privacy protection and transparency, and realizes the 3AS principle, namely the three functions of access control, authorization and audit.
Drawings
Fig. 1 is a schematic flowchart of the blockchain-based security service management method according to the present invention.
Fig. 2 is a schematic structural diagram of the blockchain-based security service management system according to the present invention.
Fig. 3 is a schematic diagram of the challenge-response mechanism described in the embodiment.
Fig. 4 is a diagram illustrating the decentralized authentication and authorization mechanism according to an embodiment.
Detailed Description
The invention is described in detail below with reference to the drawings and the detailed description.
Example 1
A blockchain-based security service management method, as shown in Fig. 1, applied to the blockchain-based security service management system, is characterized by comprising the following steps:
S1: A participant enters a string password to generate an AES key and sends the ID / blockchain account address / key mapping to the key distribution center KDC; the KDC encrypts the participant's AES key with the KDC's AES key, producing an AES key encrypted under the CP-ABE encryption algorithm. The participants comprise a user C, a key distribution center KDC and a server V.
S2: The KDC sends a registration request to the blockchain, sets the information mapping of all participants and stores it on the blockchain, thereby hosting the KDC's database on the blockchain.
S3: The user C sends an authentication request transaction AS_REQ, and the smart contract checks the identity identifier ID and the random number Nonce of the authentication request message; the KDC authentication server obtains the authentication request message from the blockchain, and if decryption succeeds and the timestamp is within a certain range, the authentication request passes.
S4: The KDC authentication server randomly generates the session key Kc,tgs, constructs the ticket-granting ticket (TGT) and sends the authentication response message AS_REP to the blockchain.
S5: The user C sends a ticket request transaction TGS_REQ, and the smart contract checks the identity identifier ID and the random number Nonce of the ticket request message; the KDC ticket server obtains TGS_REQ from the blockchain, and if the ticket-granting ticket obtained by decryption is valid and the permission check passes, the ticket request passes.
S6: The KDC ticket server randomly generates the session key Kc,v for communication between the user C and the server V, constructs the service ticket ST, and sends the ticket response message TGS_REP to the blockchain.
S7: The user C randomly generates the session key Ksession for communication between the user C and the server V and sends an application request transaction, and the smart contract checks the identity identifier ID and the random number Nonce of the application request message; the server V obtains the application request message AP_REQ from the blockchain, and if the decrypted message passes the permission check, the application request passes.
S8: The server V sends the service response message AP_REP to the blockchain; the user C retrieves AP_REP, decrypts it to obtain the Kservice, and then starts the service session.
A blockchain-based security service management system, as shown in Fig. 2, includes a user C, a server V, a key distribution center KDC, a smart contract and a blockchain.
The key distribution center KDC comprises an authentication server AS, a ticket server TGS and a database DB.
The user C is the service applicant and applies for the security service by sending an authentication request AS_REQ, a ticket request TGS_REQ and an application request AP_REQ.
The server V is the service provider and provides the secure service by sending a service response AP_REP.
The key distribution center KDC provides the authentication transaction, the ticket transaction and the application transaction for the user C and the server V by managing the participants' AES keys and distributing session keys and tickets.
The working principle of the invention is as follows:
The participants' identities are authenticated multiple times through a smart contract on the Ethereum blockchain, which achieves decentralization and improves security; a cryptographic scheme is added to further protect the participants' information privacy and information security.
In this embodiment, the AES key is generated using the PBKDF2 algorithm, which derives a key by hashing a password phrase together with a salt.
The PBKDF2 algorithm expression is as follows:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
where PRF is a pseudo-random function, which can be understood as a hash function, here HMAC-SHA256; Password is a string password defined by the user C; Salt is a 64-bit random string: combining a set of random characters with the user's original password to form a new string increases the difficulty of cracking the hash; c is the number of iterations, and repeated hash iteration further increases the difficulty of cracking the hash; dkLen is the length of the final output key, 256 bits; DK is the resulting 256-bit AES key.
The initial password and salt are passed through the PRF to produce an initial key; that key is then used as the next input and passed through the PRF again together with the password to produce the next key; this is repeated until the number of iterations defined above is reached, and the generated keys are XORed together to produce the final AES key.
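The derivation described above, written out as an added example (it is not code from the patent). `pbkdf2_by_hand` makes the PRF chain and the XOR step visible and is checked against the standard-library implementation; the iteration count is an assumption, since the text leaves c unspecified, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PRF_HASH = "sha256"     # PRF = HMAC-SHA256, as stated in the text
SALT_BYTES = 8          # 64-bit salt, as stated in the text
DK_LEN = 32             # dkLen = 256 bits, as stated in the text
ITERATIONS = 100_000    # assumption: the text does not give a value for c


def pbkdf2_by_hand(password: bytes, salt: bytes, c: int, dk_len: int = DK_LEN) -> bytes:
    """PBKDF2 spelled out: chain the PRF c times per block and XOR the outputs."""
    h_len = hashlib.new(PRF_HASH).digest_size
    out = b""
    for i in range(1, -(-dk_len // h_len) + 1):          # ceil(dk_len / h_len) blocks
        # First PRF call: the password keys the HMAC, salt plus block index is the input.
        u = hmac.new(password, salt + i.to_bytes(4, "big"), PRF_HASH).digest()
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):
            # Each output is fed back in as the next input, still keyed by the password.
            u = hmac.new(password, u, PRF_HASH).digest()
            t ^= int.from_bytes(u, "big")                # XOR of all intermediate keys
        out += t.to_bytes(h_len, "big")
    return out[:dk_len]


def derive_aes_key(password: str, salt: Optional[bytes] = None,
                   c: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, 256-bit key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF_HASH, password.encode(), salt, c, DK_LEN)
    return salt, dk


def verify_password(password: str, salt: bytes, expected_key: bytes,
                    c: int = ITERATIONS) -> bool:
    """Re-derive the key and compare in constant time."""
    _, dk = derive_aes_key(password, salt, c)
    return hmac.compare_digest(dk, expected_key)


if __name__ == "__main__":
    salt, key = derive_aes_key("constructed example password")
    print("salt:", salt.hex(), "key bits:", len(key) * 8)
```

The salt has to be stored alongside the participant record so that the same key can be re-derived at login.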
Example 2
In this embodiment, the CP-ABE encryption algorithm comprises the following calculation steps:
D1: Initialization: generate the public parameters, the system public key PK and the system master key.
D2: Encryption: encrypt the message M, construct an access tree from the access policy that the data owner defines for the ciphertext, and generate the node secret values; only users who satisfy a certain number of node secret value combinations can decrypt to obtain the message M.
D3: Key generation: generate the private key corresponding to the user from the user's attribute set and the master private key.
D4: Decryption: the user supplies the private key to decrypt and obtain the corresponding message M.
In S3, a challenge-response mechanism is used to verify the random number Nonce and the timestamp.
More specifically, the challenge-response mechanism comprises a timestamp verification algorithm and a random number verification algorithm.
The timestamp verification algorithm is as follows: whenever a message is put on chain, the timestamp of the block is taken as the timestamp of the message; after the user retrieves the message, this timestamp is compared with the user's local time. If the time difference is within the time threshold, the message is considered valid and is allowed on chain; if the time difference exceeds the time threshold, the message is considered invalid.
The random number verification algorithm is as follows: during registration, each user sets a random number Nonce, which is derived by the smart contract according to block height block.
Before the user sends a message to the blockchain, the get_nonce function of the smart contract is executed to obtain the random number, and the random number is put on chain together with the message. During the upload to the blockchain, the smart contract executes the random number check algorithm check_nonce: if the random number Nonce is the same as the stored Nonce corresponding to the participant's blockchain account address, the stored Nonce is automatically incremented by 1 and the message is put on chain successfully; if it differs, the Nonce is wrong and the message is not allowed on chain.
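The nonce and timestamp checks described above, modelled in memory as an added example (this is not the patent's contract code). The names setup, get_nonce and check_nonce follow the text; the upload method, the time threshold value, the initial nonce and the account address are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict

TIME_THRESHOLD = 300  # seconds; assumption, the text does not state the threshold


@dataclass
class Packet:
    content: str
    timestamp: int            # block timestamp recorded when the message went on chain


@dataclass
class User:
    id: str                   # "nickname@domain"
    address: str              # blockchain account address
    nonce: int
    packets: Dict[str, Packet] = field(default_factory=dict)  # message type -> Packet


class ContractModel:
    """In-memory stand-in for the contract's per-account nonce bookkeeping."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def setup(self, user_id: str, address: str, initial_nonce: int) -> None:
        # The text derives the initial nonce on chain; here it is passed in (constructed).
        self.users[address] = User(user_id, address, initial_nonce)

    def get_nonce(self, address: str) -> int:
        return self.users[address].nonce

    def check_nonce(self, address: str, nonce: int) -> bool:
        user = self.users.get(address)
        if user is None or nonce != user.nonce:
            return False      # stale or guessed nonce: reject, stored value unchanged
        user.nonce += 1       # accepted: the same value can never be used again
        return True

    def upload(self, address: str, user_id: str, msg_type: str,
               content: str, nonce: int, block_timestamp: int) -> bool:
        """Hypothetical entry point: ID check, then nonce check, then store."""
        user = self.users.get(address)
        if user is None or user.id != user_id:
            return False      # ID is not bound to the sending account
        if not self.check_nonce(address, nonce):
            return False      # replayed transaction
        user.packets[msg_type] = Packet(content, block_timestamp)
        return True


def timestamp_valid(packet: Packet, local_time: int,
                    threshold: int = TIME_THRESHOLD) -> bool:
    """Reader-side check: block timestamp against the reader's local clock."""
    return abs(local_time - packet.timestamp) <= threshold


if __name__ == "__main__":
    c = ContractModel()
    c.setup("alice@example.test", "0xA11CE", 41)          # constructed sample values
    n = c.get_nonce("0xA11CE")
    print(c.upload("0xA11CE", "alice@example.test", "AS_REQ", "payload", n, 1000))
    print(c.upload("0xA11CE", "alice@example.test", "AS_REQ", "payload", n, 1001))
```

The ID check runs before check_nonce so that a rejected sender does not advance the stored nonce of the account.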
Example 3
In this embodiment, the smart contract includes a user structure User and a message structure Packet.
The user structure User comprises the identity identifier ID as a string variable, the blockchain account address Address, the AES key, the permission list Permission List, the valid time Life Time, the login state is_login as a boolean variable, the random number nonce as a uint256 variable, the user registration timestamp, and several mapping(string => Packet) variables of string type that bind the messages AS_REQ, AS_REP, TGS_REQ, TGS_REP, AP_REQ and AP_REP to the message sender.
The message structure Packet comprises the message content as a string variable and the message timestamp as a uint256 variable.
More specifically, the message structure Packet is bound to the ID through several mapping(string => Packet) variables.
Initialization of the smart contract's stored content, resistance to replay attacks and message access are handled by setup, get_nonce, check_nonce, AS_EX, TGS_EX and AP_EX.
In this embodiment, as shown in Fig. 4, the decentralized authentication and authorization mechanism is as follows:
The smart contract binds the user identifier to the blockchain account address, so each transaction a user sends through the decentralized application proves the user's identity. An authentication transaction is defined, covering storage and retrieval of the authentication request AS_REQ and authentication response AS_REP messages. A ticket transaction is defined, covering storage and retrieval of the ticket request TGS_REQ and ticket response TGS_REP messages, and is used to obtain the access credential ST for accessing a specific server's service. An application transaction is defined, covering storage and retrieval of the application request AP_REQ and application response AP_REP messages, to realize the secure service session.
The participant information mapping comprises the identity identifier ID, the blockchain account address Address, the AES key, the permission list Permission List and the valid time Life Time.
The format of the ID is: user nickname@domain name. The permission list Permission List is also encrypted with the KDC key. The Permission List is the list of services the user may access, and the user is automatically taken offline after the specified valid time. All user information is stored in the user structure User of the smart contract.
More specifically, AS_REQ is sent from C to AS, and its contents are: { IDc, IDtgs, Nonce, Kc{TimeStamp} };
AS_REP is sent from AS to C, and its contents are: Kc{ Kc,tgs, IDc, IDtgs, Nonce, TimeStamp, TGT }, where TGT = Ktgs{ IDc, IDtgs, Kc,tgs, Lifetime };
TGS_REQ is sent from C to TGS, and its contents are: IDc, IDv, TimeStamp, Nonce, TGT, Authenticator1, where Authenticator1 = Kc,tgs{ IDc, CheckSum, TimeStamp };
TGS_REP is sent from TGS to C, and its contents are: Kc,tgs{ Kc,v, IDc, IDv, ST, Nonce, TimeStamp };
AP_REQ is sent from C to S, and its contents are: IDc, IDv, TimeStamp, ST, Authenticator2, where Authenticator2 = Kc,v{ IDc, CheckSum, Ksession, TimeStamp };
AP_REP is sent from S to C, and its contents are: Kc,v{ IDc, IDv, TimeStamp }.
Kx{ } denotes encryption under the key named by the subscript; in all labels, the subscripts kdc and tgs denote the same entity. Kc is the user key, used to encrypt the AS_REQ timestamp and the AS_REP message; Ktgs is the KDC key, used to encrypt the TGT; Kv is the server key, used to encrypt ST; Kc,tgs is the session key between the client and the KDC, which encrypts Authenticator1 in the TGS_REQ message; Kc,v is the session key between the client and the server, which encrypts Authenticator2 in the AP_REQ message; Ksession is the temporary session key between the client and the server, which encrypts their service session. The key type of Kc, Ktgs, Kv, Kc,v and Ksession is AES-256.
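The AS_REQ / AS_REP pair from the list above, with both sides of the exchange, as an added example (not code from the patent). The field layout follows the message contents given in the text; `seal`/`unseal` are a standard-library stand-in for Kx{ } built from HMAC-SHA256 and are not AES-256, and the function names, MAX_SKEW and the lifetime default are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300  # seconds; assumption, the text only says "within a certain range"


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    blocks = (hmac.new(enc_key, iv + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _tag(key: bytes, iv: bytes, ct: bytes) -> bytes:
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    return hmac.new(mac_key, iv + ct, "sha256").digest()


def seal(key: bytes, fields: dict) -> str:
    """Stand-in for Kx{...}: encrypt-then-MAC over a JSON body (NOT AES-256)."""
    iv = secrets.token_bytes(16)
    plain = json.dumps(fields).encode()
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, iv, len(plain))))
    return (iv + _tag(key, iv, ct) + ct).hex()


def unseal(key: bytes, blob_hex: str) -> dict:
    blob = bytes.fromhex(blob_hex)
    iv, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, iv, ct)):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct)))))


def build_as_req(id_c: str, id_tgs: str, nonce: int, kc: bytes, now: int) -> dict:
    """C -> AS: { IDc, IDtgs, Nonce, Kc{TimeStamp} }"""
    return {"IDc": id_c, "IDtgs": id_tgs, "Nonce": nonce,
            "EncTimeStamp": seal(kc, {"TimeStamp": now})}


def as_issue(as_req: dict, user_keys: dict, k_tgs: bytes, now: int,
             lifetime: int = 3600) -> str:
    """AS -> C: Kc{ Kc,tgs, IDc, IDtgs, Nonce, TimeStamp, TGT }"""
    kc = user_keys[as_req["IDc"]]
    ts = unseal(kc, as_req["EncTimeStamp"])["TimeStamp"]  # fails unless sender holds Kc
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("timestamp outside the accepted range")
    kc_tgs = secrets.token_bytes(32).hex()                # fresh 256-bit session key
    ids = {"IDc": as_req["IDc"], "IDtgs": as_req["IDtgs"]}
    tgt = seal(k_tgs, {**ids, "Kc,tgs": kc_tgs, "Lifetime": lifetime})
    return seal(kc, {"Kc,tgs": kc_tgs, **ids, "Nonce": as_req["Nonce"],
                     "TimeStamp": now, "TGT": tgt})


def client_read_as_rep(as_rep: str, kc: bytes, expected_nonce: int):
    """Client side: decrypt with Kc and confirm the reply echoes our Nonce."""
    body = unseal(kc, as_rep)
    if body["Nonce"] != expected_nonce:
        raise ValueError("reply does not match the outstanding request")
    return bytes.fromhex(body["Kc,tgs"]), body["TGT"]     # TGT stays opaque to C


if __name__ == "__main__":
    # Constructed sample values: password, salt, identities and clock readings.
    kc = hashlib.pbkdf2_hmac("sha256", b"constructed password", b"8bytesal", 10_000, 32)
    k_tgs = secrets.token_bytes(32)
    req = build_as_req("alice@example.test", "tgs@example.test", 7, kc, 1000)
    rep = as_issue(req, {"alice@example.test": kc}, k_tgs, 1010)
    session_key, tgt = client_read_as_rep(rep, kc, 7)
    print("Kc,tgs bits:", len(session_key) * 8, "TGT bytes:", len(tgt) // 2)
```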
More specifically, the ABE key comprises a system public key PK, a system master private key MSK and a KDC private key SK;
the system public key PK is used for encrypting a KDC AES key;
the system master private key MSK is used for decrypting a KDC AES key;
and the KDC private key SK is used for decrypting the KDC AES key.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.
Claims (10)
1. A blockchain-based security service management method, characterized by comprising the following steps:
S1: each participant inputs a string password to generate an AES key and sends the ID-blockchain account address-key mapping to the key distribution center KDC; the KDC encrypts the participant's AES key with the KDC's own AES key, and generates an AES key encrypted by the CP-ABE encryption algorithm; the participants comprise a user C, the key distribution center KDC and a server V;
S2: the KDC sends a registration request to the blockchain, sets up the information mappings of all participants and stores them on the blockchain, thereby entrusting the KDC database to the blockchain;
S3: the user C sends an authentication request transaction AS_REQ, and the smart contract checks the identity ID and the random number Nonce of the authentication request message; the KDC authentication server obtains the authentication request message from the blockchain, and if decryption succeeds and the timestamp is within a certain range, the authentication request passes;
S4: the KDC authentication server randomly generates the session key Kc,tgs, constructs the ticket-granting ticket TGT, and sends the authentication response message AS_REP to the blockchain;
S5: the user C sends a ticket request transaction TGS_REQ, and the smart contract checks the identity ID and the random number Nonce of the ticket request message; the KDC ticket server obtains the TGS_REQ from the blockchain, and if the ticket-granting ticket obtained by decryption is valid and the permission check passes, the ticket request passes;
S6: the KDC ticket server randomly generates the session key Kc,v for communication between the user C and the server V, constructs the service ticket ST, and sends the ticket response message TGS_REP to the blockchain;
S7: the user C randomly generates the session key Ksession for communication between the user C and the server V and sends an application request transaction, and the smart contract checks the identity ID and the random number Nonce of the application request message; the server V obtains the application request message AP_REQ from the blockchain, and if the decrypted message passes the permission check, the application request passes;
S8: the server V sends the service response message AP_REP to the blockchain; the user C obtains the AP_REP, decrypts it to obtain Kservice, and then starts the service session.
2. The blockchain-based security service management method of claim 1, wherein the AES key is generated using the PBKDF2 algorithm, which is expressed as:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
where PRF is a pseudo-random function, here HMAC-SHA256; Password is the string password defined by the user C; Salt is a 64-bit random string, and combining these random characters with the user's original password forms a new string, which increases the difficulty of cracking the hash; c is the number of iterations, and repeated hash iteration further increases the difficulty of cracking the hash; dkLen is the length of the final output key, which is 256 bits; DK is the resulting 256-bit AES key.
3. The method as claimed in claim 1, wherein the CP-ABE encryption algorithm comprises the following steps:
D1: initialization: generate the public parameters, the system public key PK and the system master key;
D2: encryption: encrypt the message M, constructing an access tree from the access policy that the data owner defines for the ciphertext, and generating the node secret values; only users who satisfy a certain number of node secret value combinations can decrypt and obtain the message M;
D3: key generation: generate the private key corresponding to the user from the user's attribute set and the master private key;
D4: decryption: the user supplies the private key to decrypt and obtain the corresponding message M.
4. The blockchain-based security service management method according to claim 1, wherein a challenge-response mechanism is used in S3 to verify the random number Nonce and the timestamp;
the challenge-response mechanism comprises a timestamp verification algorithm and a random number verification algorithm;
the timestamp verification algorithm is as follows: whenever a message is put on chain, the timestamp of the block is taken as the timestamp of the message; after the user retrieves the message, this timestamp is compared with the user's local time; if the time difference is within the time threshold, the message is considered valid and is allowed on chain; if the time difference exceeds the time threshold, the message is considered invalid;
the random number verification algorithm is as follows: during registration, each user is assigned a random number Nonce, which is derived by the smart contract according to block height block.
The user sends a message to the blockchain: before the message is sent, the get_nonce function of the smart contract is executed to obtain the random number, which is put on chain together with the message; while the message is being put on chain, the smart contract executes the random number checking algorithm check_nonce: if the random number Nonce is the same as the Nonce stored for the participant's blockchain account address, the stored Nonce is automatically incremented by 1 and the message is put on chain successfully; if they differ, the Nonce is wrong and the message is not allowed on chain.
5. The blockchain-based security service management method according to claim 1, wherein the smart contract comprises a user structure User and a message structure Packet;
the User structure comprises the identity ID as a string variable, the blockchain account Address, the AES key, the Permission List, the valid time Life Time, the login state is_login as a boolean variable, the random number Nonce as a uint256 variable, the user registration timestamp, and a plurality of mapping(string => Packet) entries that bind the string-typed message sender to the messages AS_REQ, AS_REP, TGS_REQ, TGS_REP, AP_REQ and AP_REP;
the Packet structure comprises the message content as a string variable and the message timestamp as a uint256 variable.
6. The blockchain-based security service management method according to claim 5, wherein the message structure Packet is bound to the ID by a plurality of mapping(string => Packet);
initialization of the content stored in the smart contract, resistance to replay attacks and message access are accomplished through setup, get_nonce, check_nonce, AS_EX, TGS_EX and AP_EX.
7. The method of claim 6, wherein the participant information mapping comprises the identity ID, the blockchain account Address, the AES key, the Permission List and the valid time Life Time;
the format of the ID is: the user's nickname@domain name; the Permission List is also encrypted with the KDC key; the Permission List is the list of services the user is allowed to access, and the user is automatically taken offline once the specified valid time has elapsed; all user information is stored in the User structure of the smart contract.
8. The method of claim 7, wherein the AS_REQ is sent from C to AS, and its content is: { IDc, IDtgs, Nonce, Kc{ TimeStamp } };
the AS_REP is sent from AS to C, and its content is: Kc{ Kc,tgs, IDc, IDtgs, Nonce, TimeStamp, TGT }, where TGT = Ktgs{ IDc, IDtgs, Kc,tgs, Lifetime };
the TGS_REQ is sent from C to TGS, and its content is: IDc, IDv, TimeStamp, Nonce, TGT, Authenticator1, where Authenticator1 = Kc,tgs{ IDc, CheckSum, TimeStamp };
the TGS_REP is sent from TGS to C, and its content is: Kc,tgs{ Kc,v, IDc, IDv, ST, Nonce, TimeStamp };
the AP_REQ is sent from C to S, and its content is: IDc, IDv, TimeStamp, ST, Authenticator2, where Authenticator2 = Kc,v{ IDc, CheckSum, Ksession, TimeStamp };
the AP_REP is sent from S to C, and its content is: Kc,v{ IDc, IDv, TimeStamp };
Kx{ } denotes encryption with the key named by the subscript x, and in all labels the subscripts kdc and tgs denote the same entity; Kc denotes the user key, used to encrypt the AS_REQ timestamp and the AS_REP message; Ktgs denotes the KDC key, used to encrypt the TGT; Kv denotes the server key, used to encrypt the ST; Kc,tgs denotes the session key between the client and the KDC, used to encrypt Authenticator1 in the TGS_REQ message; Kc,v denotes the session key between the client and the server, used to encrypt Authenticator2 in the AP_REQ message; Ksession denotes the temporary session key between the client and the server, used to encrypt the service session between them; the keys Kc, Ktgs, Kv, Kc,v and Ksession are all of type AES-256.
9. The block chain-based security service management method of claim 1, wherein the ABE key comprises a system public key PK, a system master private key MSK, a KDC private key SK;
the system public key PK is used for encrypting a KDC AES key;
the system master private key MSK is used for decrypting a KDC AES key;
and the KDC private key SK is used for decrypting the KDC AES key.
10. A blockchain-based security service management system, applied to the blockchain-based security service management method according to claim 1, comprising a user C, a server V, a key distribution center KDC, a smart contract and a blockchain;
the key distribution center KDC comprises an authentication server AS, a ticket server TGS and a database DB;
the user C is the service applicant, and applies for the security service by sending the authentication request AS_REQ, the ticket request TGS_REQ and the application request AP_REQ;
the server V is the service provider, and provides the security service by sending the service response AP_REP;
and the key distribution center KDC provides authentication transactions, ticket transactions and application transactions for the user C and the server V by managing the participants' AES keys and distributing session keys and tickets.
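The key derivation of claim 2, written out as an added example that is not part of the patent text: PBKDF2 with HMAC-SHA256, a 64-bit salt and a 256-bit output, computed block by block and checked against Python's built-in implementation. The iteration count and all function names are assumptions, since the claim gives no value for c.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

SALT_BYTES = 8          # 64-bit salt, as stated in claim 2
DK_LEN = 32             # dkLen = 256 bits, used as the AES-256 key
ITERATIONS = 600_000    # assumption: claim 2 does not give a value for c


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 spelled out block by block (RFC 8018, section 5.2)."""
    h_len = hashlib.sha256().digest_size
    blocks = -(-dk_len // h_len)                     # ceil(dkLen / hLen)
    dk = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(Password, Salt || INT(i)); U_j = PRF(Password, U_{j-1})
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")            # T_i = U_1 xor ... xor U_c
        dk += t.to_bytes(h_len, "big")
    return dk[:dk_len]


def derive_participant_key(password: str, salt: bytes | None = None,
                           c: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Return (salt, DK). The salt is not secret but must be stored,
    otherwise the same DK cannot be re-derived from the password later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, c, dklen=DK_LEN)
    return salt, dk
```

The 64-bit salt follows the claim; NIST SP 800-132 recommends at least 128 bits for new designs.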
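The replay protection of claim 4, as an added off-chain model in Python (not the patent's contract code): check_nonce accepts a message only when its Nonce matches the value stored for the sender's account address and then increments it, and the reader compares the block timestamp with local time. The threshold value, the seed value, the sample address and the submit and timestamp_valid helpers are assumptions.

```python
from dataclasses import dataclass, field

TIME_THRESHOLD = 300  # seconds; assumed value, claim 4 names a threshold without giving one


@dataclass
class Packet:                      # claim 5: message content plus message timestamp
    content: str
    timestamp: int


@dataclass
class User:
    nonce: int
    packets: dict = field(default_factory=dict)   # message name -> Packet


class ContractModel:
    """Off-chain model of the contract's setup / get_nonce / check_nonce."""

    def __init__(self):
        self.users = {}            # blockchain account address -> User

    def setup(self, address, seed_nonce):
        # Assumption: the seed is passed in, because the page's description of
        # how the contract derives it from the block height is cut off.
        self.users[address] = User(nonce=seed_nonce)

    def get_nonce(self, address):
        return self.users[address].nonce

    def check_nonce(self, address, nonce):
        user = self.users.get(address)
        if user is None or nonce != user.nonce:
            return False           # wrong or already-used Nonce: not put on chain
        user.nonce += 1            # "automatically +1" on success
        return True

    def submit(self, address, name, content, nonce, block_time):
        if not self.check_nonce(address, nonce):
            return False
        self.users[address].packets[name] = Packet(content, block_time)
        return True


def timestamp_valid(packet, local_time, threshold=TIME_THRESHOLD):
    """Reader-side check: block timestamp versus the reader's local clock."""
    return abs(local_time - packet.timestamp) <= threshold


def replay_demo():
    chain = ContractModel()
    chain.setup("0xC", seed_nonce=41)              # constructed address and seed
    n = chain.get_nonce("0xC")
    first = chain.submit("0xC", "AS_REQ", "<ciphertext>", n, block_time=1_000)
    replay = chain.submit("0xC", "AS_REQ", "<ciphertext>", n, block_time=1_012)
    pkt = chain.users["0xC"].packets["AS_REQ"]
    return first, replay, timestamp_valid(pkt, 1_030), timestamp_valid(pkt, 2_000)
```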
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211418921.0A CN115865320A (en) | 2022-11-14 | 2022-11-14 | Block chain-based security service management method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115865320A (en) | 2023-03-28 |
Family
ID=85663331
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211418921.0A Pending CN115865320A (en) | 2022-11-14 | 2022-11-14 | Block chain-based security service management method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115865320A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117155649A (en) * | 2023-08-31 | 2023-12-01 | 金锐软件技术(杭州)有限公司 | System and method for security protection of third party system accessing JAVA gateway |
CN117155649B (en) * | 2023-08-31 | 2024-03-22 | 金锐软件技术(杭州)有限公司 | System and method for security protection of third party system accessing JAVA gateway |
CN117590873A (en) * | 2024-01-18 | 2024-02-23 | 广东永浩信息技术有限公司 | Intelligent monitoring system based on artificial intelligence and photovoltaic energy supply |
CN117590873B (en) * | 2024-01-18 | 2024-04-19 | 广东永浩信息技术有限公司 | Intelligent monitoring system based on artificial intelligence and photovoltaic energy supply |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109918878B (en) | Industrial Internet of things equipment identity authentication and safe interaction method based on block chain | |
Zhang et al. | SMAKA: Secure many-to-many authentication and key agreement scheme for vehicular networks | |
US7334255B2 (en) | System and method for controlling access to multiple public networks and for controlling access to multiple private networks | |
US7231526B2 (en) | System and method for validating a network session | |
US5497421A (en) | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system | |
US7688975B2 (en) | Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure | |
Yu et al. | A view about cloud data security from data life cycle | |
KR102179497B1 (en) | System for Data Storing and Managing based on Multi-cloud and Driving method thereof | |
CN113553574A (en) | Internet of things trusted data management method based on block chain technology | |
JP2004180310A (en) | Method for setting and managing confidence model between chip card and radio terminal | |
CN108173827B (en) | Block chain thinking-based distributed SDN control plane security authentication method | |
CN115865320A (en) | Block chain-based security service management method and system | |
CN112653553A (en) | Internet of things equipment identity management system | |
CN105471901A (en) | Industrial information security authentication system | |
CN113572765B (en) | Lightweight identity authentication key negotiation method for resource-limited terminal | |
Lu et al. | Research on trusted DNP3-BAE protocol based on hash chain | |
Sammy et al. | An Efficient Blockchain Based Data Access with Modified Hierarchical Attribute Access Structure with CP‐ABE Using ECC Scheme for Patient Health Record | |
US9485229B2 (en) | Object level encryption system including encryption key management system | |
US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
CN110602083B (en) | Secure transmission and storage method of digital identity authentication data | |
CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card | |
Krishnamoorthy et al. | Proposal of HMAC based Protocol for Message Authenication in Kerberos Authentication Protocol | |
CN109981662A (en) | A kind of safe communication system and method | |
Wang et al. | READ: Resource efficient authentication scheme for digital twin edge networks | |
Saleem et al. | A Cost-Efficient Anonymous Authenticated and Key Agreement Scheme for V2I-Based Vehicular Ad-Hoc Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||