CN116055055A - Cross-domain authentication method and system - Google Patents


Info

Publication number
CN116055055A
Authority
CN (China)
Application number
CN202211517101.7A
Legal status
Pending
Other languages
Chinese (zh)
Inventors
杨文韬
张宇
刘晶磊
樊家合
陈昌
Current assignee
Beijing Bixin Internet Technology Co ltd
Original assignee
Beijing Bixin Internet Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 (under H04L9/32) involving a third party or a trusted authority
    • H04L9/3247 (under H04L9/32) involving digital signatures
    • H04L9/3263 (under H04L9/32) involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the field of cross-domain authentication and provides a cross-domain authentication method and system. The method comprises the following steps: downloading and authenticating information of a first trust domain from the blockchain; issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain; receiving information to be processed sent by the first trust domain; and verifying the information to be processed using the information of the first trust domain and the information of a second trust domain. When two domains belonging to different cryptographic systems exchange information, the cross-domain authentication method and system provided by the embodiments of the application can store the private information produced during the interaction in a decentralized manner, ensure the security of the exchanged information, and achieve trusted cross-domain authentication.

Description

Cross-domain authentication method and system
Technical Field
The application relates to the technical field of cross-domain authentication, in particular to a cross-domain authentication method and a system.
Background
At present, a large number of systems are built on public key infrastructure (PKI) or on identity-based cryptography (IBC). When a domain based on IBC needs to interact with a domain based on PKI, the degree of trust between them cannot be guaranteed, because PKI and IBC have independent trust systems. At the same time, data sharing and collaboration in a distributed environment place high requirements on security, privacy protection and efficiency. As a result, direct cross-domain mutual recognition cannot be achieved when the two systems do not trust each other.
Disclosure of Invention
The embodiments of the application provide a cross-domain authentication method and a cross-domain authentication system, which are used to solve the technical problem that direct cross-domain mutual authentication cannot be achieved when two systems do not trust each other.
In a first aspect, an embodiment of the present application provides a cross-domain authentication method, applied to a second trust domain, including:
downloading and authenticating information of the first trust domain from the blockchain;
issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain;
receiving information to be processed sent by the first trust domain;
and verifying the information to be processed by utilizing the information of the first trust domain and the information of the second trust domain.
In one embodiment, if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information of the first trust domain includes the system root certificate of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information of the first trust domain includes the system master public key of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system, the information of the first trust domain includes the system master public key of the first trust domain.
In one embodiment, if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information to be processed includes a signature value and the trust credential;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information to be processed includes a signature value and the identity of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system, the information to be processed includes a signature value and the trust credential;
the signature value is generated by the first trust domain signing the information to be sent.
In one embodiment, if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, before verifying the information to be processed using the information of the first trust domain and the information of the second trust domain, the method includes:
querying the trust credential using the identity of the first trust domain.
In one embodiment, verifying the information to be processed using the information of the first trust domain and the information of the second trust domain includes:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the system root certificate;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the IBC signature verification mechanism and the system master public key;
if the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the system master public key.
In a second aspect, an embodiment of the present application provides a cross-domain authentication method, applied to a first trust domain, including:
uploading information of the first trust domain to the blockchain;
downloading trust credentials issued by a second trust domain for the information of the first trust domain from the blockchain;
and generating and sending information to be processed to the second trust domain, so that the second trust domain can carry out cross-domain authentication.
In one embodiment, if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information of the first trust domain includes the system root certificate of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information of the first trust domain includes the system master public key of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system, the information of the first trust domain includes the system master public key of the first trust domain.
In one embodiment, if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, after downloading the trust credential issued by the second trust domain for the information of the first trust domain from the blockchain, the method includes:
issuing the trust credential.
In one embodiment, generating and sending the information to be processed to the second trust domain includes:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, signing the information to be sent to generate a signature value, and sending the signature value and the trust credential to the second trust domain as the information to be processed;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, signing the information to be sent to generate a signature value, and sending the signature value and the identity of the first trust domain to the second trust domain as the information to be processed;
if the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system, signing the information to be sent to generate a signature value, and sending the signature value and the trust credential to the second trust domain as the information to be processed.
In a third aspect, embodiments of the present application provide a cross-domain authentication system, including:
a first trust domain and a second trust domain;
the first trust domain is for:
uploading information of the first trust domain to the blockchain;
downloading trust credentials issued by a second trust domain for the information of the first trust domain from the blockchain;
generating and sending information to be processed to the second trust domain for cross-domain authentication by the second trust domain;
the second trust domain is for:
downloading and authenticating information of the first trust domain from the blockchain;
issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain;
receiving information to be processed sent by the first trust domain;
and verifying the information to be processed by utilizing the information of the first trust domain and the information of the second trust domain.
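The three cases of the first, second and third aspects above (PKI first domain with IBC second domain, IBC with PKI, IBC with IBC) as an added, runnable simulation; this is not code from the patent or its assignee. The blockchain is an in-memory list, PKI is modelled as textbook RSA over SHA-256 digests with the domain root key standing in for the system root certificate, and IBC uses Shamir's RSA-based identity-based signature so that, as the description requires, an IBC signature value is verified from the system master public key and the signer's identity alone; the record layouts, field names, the use of one domain-level signing key per domain (no per-node certificates) and the 256-bit demo primes are all assumptions.

```python
# Added example, not code from the patent or its assignee: a simulation of the
# ledger-mediated cross-domain authentication flow of CN116055055A. Record layouts,
# field and class names are assumptions. PKI = textbook RSA over SHA-256 digests (root
# key = "system root certificate"); IBC = Shamir's RSA-based identity-based signature.
import hashlib
import secrets

def _h(*parts):  # SHA-256 of the joined parts as an int; always below a 512-bit n
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
enc = lambda obj: repr(sorted(obj.items())).encode()  # deterministic encoding of signed dicts

def _is_probable_prime(n, rounds=16):  # Miller-Rabin for odd n > 3 (demo-only key sizes)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):  # some x^(2^i), i < r, must equal n - 1
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True
def _rand_prime(bits):  # random odd candidates with the top bit set, until one passes
    return next(p for p in iter(lambda: secrets.randbits(bits) | (1 << (bits - 1)) | 1, None)
                if _is_probable_prime(p))
def rsa_keygen(bits=256, e=65537):  # -> public (n, e), private (n, d)
    p, q = _rand_prime(bits), _rand_prime(bits)
    phi = (p - 1) * (q - 1)
    return ((p * q, e), (p * q, pow(e, -1, phi))) if phi % e else rsa_keygen(bits, e)

def ibs_sign(master_pub, user_key, msg):  # Shamir IBS; user_key = H(identity)^d mod n
    n, e = master_pub
    t = pow((r := secrets.randbelow(n - 2) + 2), e, n)
    return t, user_key * pow(r, _h(t.to_bytes(64, "big"), msg), n) % n
def ibs_verify(master_pub, identity, msg, sig):  # s^e == H(identity) * t^H(t||msg) mod n
    (n, e), (t, s) = master_pub, sig
    return pow(s, e, n) == _h(identity.encode()) * pow(t, _h(t.to_bytes(64, "big"), msg), n) % n

class PkiDomain:
    def __init__(self, domain_id):
        self.id, (self.root_pub, self._root_priv) = domain_id, rsa_keygen()
    def info(self):  # uploaded to the ledger: identity + system root certificate
        return {"kind": "PKI", "id": self.id, "root_pub": self.root_pub}
    def sign(self, msg):
        return pow(_h(msg), self._root_priv[1], self._root_priv[0])
    @staticmethod
    def verify(info, msg, sig):  # check a signature value against the root certificate
        return pow(sig, info["root_pub"][1], info["root_pub"][0]) == _h(msg)

class IbcDomain:
    def __init__(self, domain_id):
        self.id, (self.master_pub, master_priv) = domain_id, rsa_keygen()
        self._key = pow(_h(domain_id.encode()), master_priv[1], master_priv[0])  # KGC extract
    def info(self):  # uploaded to the ledger: identity + system master public key
        return {"kind": "IBC", "id": self.id, "master_pub": self.master_pub}
    def sign(self, msg):
        return ibs_sign(self.master_pub, self._key, msg)
    @staticmethod
    def verify(info, msg, sig):  # IBC mechanism: master public key + identity, no per-user key
        return ibs_verify(info["master_pub"], info["id"], msg, sig)
SCHEMES = {"PKI": PkiDomain, "IBC": IbcDomain}

def register(ledger, first):  # step 501: upload self-signed domain information
    info = first.info()
    ledger.append({"type": "info", "domain": first.id, "info": info, "sig": first.sign(enc(info))})

def issue_credential(ledger, issuer, first_id):  # steps 101-102, run by the second domain
    rec = next(r for r in ledger if r["type"] == "info" and r["domain"] == first_id)
    if not SCHEMES[rec["info"]["kind"]].verify(rec["info"], enc(rec["info"]), rec["sig"]):
        raise ValueError("first-domain information failed authentication")
    body = {"issuer": issuer.id, "subject": first_id, "info": rec["info"]}
    ledger.append({"type": "credential", **body, "sig": issuer.sign(enc(body))})

def build_pdu(ledger, first, msg, second_kind):  # steps 502-503; "sig" is the signature value
    if first.info()["kind"] == "IBC" and second_kind == "PKI":  # case 2: identity, no credential
        return {"msg": msg, "sig": first.sign(msg), "identity": first.id}
    cred = next(r for r in ledger if r["type"] == "credential" and r["subject"] == first.id)
    return {"msg": msg, "sig": first.sign(msg), "credential": cred}  # cases 1 and 3

def verify_pdu(ledger, second, pdu):  # steps 103-104
    cred = pdu.get("credential") or next((r for r in ledger if r["type"] == "credential"  # case 2:
        and r["subject"] == pdu["identity"] and r["issuer"] == second.id), None)  # query by identity
    if cred is None or cred["issuer"] != second.id or not second.verify(
            second.info(), enc({k: cred[k] for k in ("issuer", "subject", "info")}), cred["sig"]):
        return False  # no trust credential validly issued by this (second) domain
    return SCHEMES[cred["info"]["kind"]].verify(cred["info"], pdu["msg"], pdu["sig"])

def run_case(first, second, issuer=None, tamper=b""):
    ledger = []  # in-memory stand-in for the blockchain
    register(ledger, first)
    issue_credential(ledger, issuer or second, first.id)  # foreign issuer models a bogus credential
    pdu = build_pdu(ledger, first, b"constructed cross-domain request", second.info()["kind"])
    pdu["msg"] += tamper  # non-empty tamper models modification in transit
    return verify_pdu(ledger, second, pdu)
```

`run_case` returns True only when the credential carried in (or, for case 2, looked up for) the message was issued by the verifying domain itself and the signature value checks out under the first domain's registered root certificate or master public key.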
According to the cross-domain authentication method and system, the second trust domain downloads and authenticates the information of the first trust domain from the blockchain, then issues a trust credential for the information of the first trust domain, uploads the trust credential to the blockchain, receives the information to be processed sent by the first trust domain, and verifies the information to be processed using the information of the first trust domain and the information of the second trust domain. When the first trust domain and the second trust domain belong to different cryptographic systems, the high requirements that data sharing and collaboration in a distributed environment place on security, privacy protection and efficiency mean that two domains belonging to different systems would otherwise need to introduce a third-party identity/certificate management system for their information exchange, store a large amount of private identity information from both systems in a decentralized manner, and place strong trust in that third-party system.
Drawings
For a clearer description of the present application or of the prior art, the drawings that are used in the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a first flow diagram of a cross-domain authentication method provided in an embodiment of the present application;
fig. 2 is a schematic diagram of an IBC system trusting a PKI system in a cross-domain authentication method provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a PKI system trusting an IBC system in a cross-domain authentication method provided in an embodiment of the present application;
fig. 4 is a schematic diagram of trust within an IBC system in the cross-domain authentication method provided in an embodiment of the present application;
fig. 5 is a second flow diagram of a cross-domain authentication method according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 is a first flow diagram of a cross-domain authentication method provided in an embodiment of the present application. Referring to fig. 1, an embodiment of the present application provides a cross-domain authentication method, applied to a second trust domain, which may include:
101. downloading and authenticating information of the first trust domain from the blockchain;
102. issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain;
103. receiving information to be processed sent by a first trust domain;
104. and verifying the information to be processed by using the information of the first trust domain and the information of the second trust domain.
In step 102, a trust credential may be issued for information of the first trust domain using a signature private key of the second trust domain.
It should be noted that the first trust domain and the second trust domain may belong to the same cryptographic system or to different cryptographic systems, which is not limited here; in this embodiment, the first trust domain and the second trust domain may fall into the following three cases:
first case: the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system;
second case: the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system;
third case: the first trust domain belongs to an IBC system and the second trust domain belongs to an IBC system.
A PKI system generally uses multi-level certificates for identity management and is widely used in mainstream service systems; an IBC system performs encryption and decryption based on the user's identity information, so the user can complete cryptographic authentication without additionally storing the corresponding public and private keys.
When the first trust domain and the second trust domain both belong to the IBC system, their information exchange stays within the IBC system and therefore has a higher degree of trust; however, data sharing and collaboration in a distributed environment place higher requirements on security, privacy protection and efficiency, so by introducing a blockchain this embodiment can store the private information produced during the interaction in a decentralized manner when two different domains exchange information, further improving the security of the exchanged information and achieving more credible cross-domain authentication.
According to the cross-domain authentication method provided by this embodiment, the second trust domain downloads and authenticates the information of the first trust domain from the blockchain, then issues a trust credential for the information of the first trust domain, uploads the trust credential to the blockchain, receives the information to be processed sent by the first trust domain, and verifies the information to be processed using the information of the first trust domain and the information of the second trust domain. When the first trust domain and the second trust domain belong to different cryptographic systems, the high requirements that data sharing and collaboration in a distributed environment place on security, privacy protection and efficiency mean that two domains belonging to different systems would otherwise need to introduce a third-party identity/certificate management system for their information exchange, store a large amount of private identity information from both systems in a decentralized manner, and place strong trust in that third-party system. This embodiment instead introduces a blockchain, so that when two domains belonging to different systems exchange information, the private information produced during the interaction is stored in a decentralized manner, the security of the exchanged information is ensured, and trusted cross-domain authentication is achieved.
Fig. 2 is a schematic diagram of an IBC system trusting a PKI system in a cross-domain authentication method provided in an embodiment of the present application.
The first trust domain uploads its identity and system root certificate to the blockchain; the second trust domain downloads the identity and system root certificate, issues a trust credential for them and uploads the trust credential to the blockchain; the first trust domain downloads the trust credential from the blockchain, signs the information to be sent to generate a signature value, and sends the signature value and the trust credential to the second trust domain for cross-domain authentication by the second trust domain.
Fig. 3 is a schematic diagram of a PKI system trusting an IBC system in a cross-domain authentication method provided in an embodiment of the present application.
The first trust domain uploads its identity and system master public key to the blockchain; the second trust domain downloads the identity and system master public key, issues a trust credential for them and uploads the trust credential to the blockchain; the first trust domain downloads the trust credential from the blockchain and issues it, signs the information to be sent to generate a signature value, and sends the signature value and the identity of the second trust domain to the second trust domain for cross-domain authentication.
Fig. 4 is a schematic diagram of trust within an IBC system in the cross-domain authentication method provided in an embodiment of the present application.
The first trust domain uploads its identity and system master public key to the blockchain; the second trust domain downloads the identity and system master public key, issues a trust credential for them and uploads the trust credential to the blockchain; the first trust domain downloads the trust credential from the blockchain, signs the information to be sent to generate a signature value, and sends the signature value and the trust credential to the second trust domain for cross-domain authentication by the second trust domain.
Referring to figs. 1-4, in one embodiment, if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information of the first trust domain includes the system root certificate of the first trust domain;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, the information of the first trust domain includes the system master public key of the first trust domain;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the IBC system, the information of the first trust domain includes the system master public key of the first trust domain.
It should be noted that, in the above three cases, the information of the first trust domain may further include an identity of the first trust domain.
In this embodiment, the content of the information of the first trust domain is defined according to the systems to which the first trust domain and the second trust domain respectively belong, so that cross-domain authentication can make targeted use of different information of the first trust domain in each case.
Referring to figs. 1-4, in one embodiment, if the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, the information to be processed includes a signature value and the trust credential; in this case, a specific node in the second trust domain may receive the signature value and the trust credential sent by a specific node in the first trust domain, where the signature value is generated by the specific node in the first trust domain signing the information to be sent;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, the information to be processed includes a signature value and the identity of the first trust domain; in this case, the specific node of the second trust domain may receive the signature value and the identity of the first trust domain sent by the specific node in the first trust domain, where the signature value is generated by the specific node in the first trust domain signing the information to be sent;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the IBC system, the information to be processed includes a signature value and the trust credential; in this case, a specific node of the second trust domain may receive the signature value and the trust credential sent by the specific node in the first trust domain, where the signature value is generated by the specific node in the first trust domain signing the information to be sent.
It should be noted that when the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, or when both the first trust domain and the second trust domain belong to the IBC system, the second trust domain may also accept a query request sent by the first trust domain, query the trust state of the first trust domain within the second trust domain, and verify the validity of that trust state using the identity of the second trust domain, instead of receiving the trust credential sent by the first trust domain.
In this embodiment, the content of the information to be processed is defined according to the systems to which the first trust domain and the second trust domain belong, so that cross-domain authentication can make targeted use of different information to be processed in each case, while at the same time enabling information exchange between the nodes of the two domains.
Referring to figs. 1 and 3, in one embodiment, if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, before verifying the information to be processed using the information of the first trust domain and the information of the second trust domain, the method may include:
querying the trust credential using the identity of the first trust domain.
This may be done by a specific node of the second trust domain, which queries the trust credential using the identity of the first trust domain.
In this embodiment, the identity of the first trust domain is used to query the corresponding trust credential, which facilitates the subsequent verification of the trust credential.
Referring to figs. 1-4, in one embodiment, verifying the information to be processed using the information of the first trust domain and the information of the second trust domain may include:
if the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the system root certificate; in this case, a specific node of the second trust domain may verify the validity of the trust credential using the identity of the second trust domain, that is, verify whether the trust credential was issued by the second trust domain, and may verify the validity of the signature value using the system root certificate, that is, verify whether the system root certificate matches the signature value;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the IBC signature verification mechanism and the system master public key; in this case, a specific node of the second trust domain may verify the validity of the trust credential using the identity of the second trust domain, that is, verify whether the trust credential was issued by the second trust domain, and may verify the validity of the signature value using the IBC signature verification mechanism and the system master public key, that is, verify whether the system master public key matches the signature value;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the IBC system, verifying the validity of the trust credential using the identity of the second trust domain, and verifying the validity of the signature value using the system master public key; in this case, a specific node of the second trust domain may verify the validity of the trust credential using the identity of the second trust domain, that is, verify whether the trust credential was issued by the second trust domain, and may verify the validity of the signature value using the system master public key, that is, verify whether the system master public key matches the signature value.
In this embodiment, the way the information to be processed is verified is defined according to the systems to which the first trust domain and the second trust domain belong, so that information verification can be carried out in a targeted manner for each combination of systems, while at the same time enabling information authentication between the nodes of the two domains.
Fig. 5 is a second flow diagram of a cross-domain authentication method according to an embodiment of the present application. Referring to figs. 2-5, an embodiment of the present application provides a cross-domain authentication method, applied to a first trust domain, which may include:
501. uploading information of the first trust domain to the blockchain;
502. downloading a trust credential issued by the second trust domain for the information of the first trust domain from the blockchain;
503. and generating and sending the information to be processed to the second trust domain for cross-domain authentication by the second trust domain.
In step 502, the trust credential may have been issued by the second trust domain for the information of the first trust domain using the second trust domain's own signature private key.
It should be noted that the first trust domain and the second trust domain may belong to the same cryptographic system or to different cryptographic systems; this is not limited here. In this embodiment, the first trust domain and the second trust domain may be in one of the following three cases:
first case: the first trust domain belongs to a PKI system, and the second trust domain belongs to an IBC system;
second case: the first trust domain belongs to an IBC system, and the second trust domain belongs to a PKI system;
third case: the first trust domain belongs to an IBC system, and the second trust domain belongs to an IBC system.
When both the first trust domain and the second trust domain belong to the IBC system, the information interaction between them takes place within the IBC system, so the interaction between the two trust domains already has a high degree of trust. However, data sharing and collaboration in a distributed environment place higher requirements on security, privacy protection and efficiency; by introducing a blockchain, this embodiment can store the privacy information generated during the interaction between two different domains in a decentralized manner, further improving the security of the interaction information and achieving more trustworthy cross-domain authentication.
According to the cross-domain authentication method provided by this embodiment, the information of the first trust domain is uploaded to the blockchain, the trust credential issued by the second trust domain for the information of the first trust domain is downloaded from the blockchain, and the information to be processed is then generated and sent to the second trust domain so that the second trust domain performs cross-domain authentication. When the first trust domain and the second trust domain belong to different cryptographic systems, data sharing and collaboration in a distributed environment place higher requirements on security, privacy protection and efficiency: two domains belonging to different systems need to introduce a third-party identity/certificate management system for their information interaction, a large amount of private identity information from the two systems is stored in a decentralized manner, and the two systems must place strong trust in that third-party identity/certificate management system. This embodiment introduces a blockchain, so that the privacy information generated during the interaction between two domains belonging to different systems can be stored in a decentralized manner, ensuring the security of the interaction information and achieving trusted cross-domain authentication.
Referring to FIGS. 2-5, in one embodiment, if the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, the information of the first trust domain includes the system root certificate of the first trust domain;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, the information of the first trust domain includes the system master public key of the first trust domain;
if the first trust domain belongs to the IBC system and the second trust domain belongs to the IBC system, the information of the first trust domain includes the system master public key of the first trust domain.
It should be noted that in all three cases above, the information of the first trust domain may further include the identity of the first trust domain.
In this embodiment, the content of the information of the first trust domain is determined by the systems to which the first trust domain and the second trust domain respectively belong, so that cross-domain authentication can be carried out in a targeted manner using different information of the first trust domain in each case.
Referring to FIGS. 3 and 5, in one embodiment, if the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, downloading the trust credential issued by the second trust domain for the information of the first trust domain from the blockchain may include:
issuing (publishing) the trust credential.
After the first trust domain has downloaded the trust credential, it may issue (publish) the trust credential through its own credential issuing system.
By issuing the trust credential in this way, this embodiment makes it easier for the second trust domain to query the trust credential afterwards.
Referring to FIGS. 2-5, in one embodiment, generating the information to be processed and sending it to the second trust domain may include:
if the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, signing the information to be sent to generate a signature value, and sending the signature value and the trust credential to the second trust domain as the information to be processed. In this case, the specific node of the first trust domain signs the information to be sent to generate the signature value, and may send the signature value and the trust credential as the information to be processed to the specific node of the second trust domain, so that the specific node of the second trust domain performs cross-domain authentication.
If the first trust domain belongs to the IBC system and the second trust domain belongs to the PKI system, signing the information to be sent to generate a signature value, and sending the signature value and the identity of the first trust domain to the second trust domain as the information to be processed. In this case, the specific node of the first trust domain signs the information to be sent to generate the signature value, and may send the signature value and the identity of the first trust domain as the information to be processed to the specific node of the second trust domain, so that the specific node of the second trust domain performs cross-domain authentication.
If the first trust domain belongs to the IBC system and the second trust domain belongs to the IBC system, signing the information to be sent to generate a signature value, and sending the signature value and the trust credential to the second trust domain as the information to be processed. In this case, the specific node of the first trust domain signs the information to be sent to generate the signature value, and may send the signature value and the trust credential as the information to be processed to the specific node of the second trust domain, so that the specific node of the second trust domain performs cross-domain authentication.
It should be noted that when the first trust domain belongs to the PKI system and the second trust domain belongs to the IBC system, or when both the first trust domain and the second trust domain belong to the IBC system, the first trust domain may instead send a query request to the second trust domain, asking the second trust domain to query the trust state of the first trust domain within the second trust domain's own trust domain, so that the second trust domain verifies the validity of that trust state using the identity of the second trust domain; in that case no trust credential needs to be sent to the second trust domain.
In this embodiment, the content of the information to be processed is determined by the systems to which the first trust domain and the second trust domain belong, so that cross-domain authentication can be carried out in a targeted manner using different information to be processed in each case, while information interaction between the nodes of the two domains is achieved at the same time.
Referring to FIGS. 1-5, an embodiment of the present application provides a cross-domain authentication system, which may include a first trust domain and a second trust domain;
the first trust domain is configured to:
upload information of the first trust domain to the blockchain;
download, from the blockchain, the trust credential issued by the second trust domain for the information of the first trust domain;
the trust credential may have been issued by the second trust domain for the information of the first trust domain using the second trust domain's own signature private key;
generate the information to be processed and send it to the second trust domain, so that the second trust domain performs cross-domain authentication;
the second trust domain is configured to:
download the information of the first trust domain from the blockchain and authenticate it;
issue a trust credential for the information of the first trust domain and upload the trust credential to the blockchain;
the trust credential may be issued for the information of the first trust domain using the signature private key of the second trust domain;
receive the information to be processed sent by the first trust domain;
and verify the information to be processed using the information of the first trust domain and the information of the second trust domain.
It should be noted that the first trust domain and the second trust domain may belong to the same cryptographic system or to different cryptographic systems; this is not limited here. In this embodiment, the first trust domain and the second trust domain may be in one of the following three cases:
first case: the first trust domain belongs to a PKI system, and the second trust domain belongs to an IBC system;
second case: the first trust domain belongs to an IBC system, and the second trust domain belongs to a PKI system;
third case: the first trust domain belongs to an IBC system, and the second trust domain belongs to an IBC system.
When both the first trust domain and the second trust domain belong to the IBC system, the information interaction between them takes place within the IBC system, so the interaction between the two trust domains already has a high degree of trust. However, data sharing and collaboration in a distributed environment place higher requirements on security, privacy protection and efficiency; by introducing a blockchain, this embodiment can store the privacy information generated during the interaction between two different domains in a decentralized manner, further improving the security of the interaction information and achieving more trustworthy cross-domain authentication.
According to the cross-domain authentication system provided by this embodiment, when the first trust domain and the second trust domain belong to different cryptographic systems, data sharing and collaboration in a distributed environment place higher requirements on security, privacy protection and efficiency: a third-party identity/certificate management system has to be introduced for the information interaction between two domains belonging to different systems, a large amount of private identity information from the two systems is stored in a decentralized manner, and the two systems must place strong trust in that third-party identity/certificate management system. This embodiment introduces a blockchain, so that the privacy information generated during the interaction between two domains belonging to different systems can be stored in a decentralized manner, ensuring the security of the interaction information and achieving trusted cross-domain authentication.
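The following is an added example, not code from the patent or its applicant, that plays the exchange described above end to end for all three cases: the first trust domain uploads its information (step 501), the second trust domain authenticates it, issues a trust credential with its own signature private key and uploads it, the first trust domain downloads the credential (step 502) and sends the information to be processed (step 503), and the second trust domain verifies first the credential and then the signature value. The blockchain is modelled as an in-memory map, and, because the patent fixes neither the PKI algorithm nor the IBC signing mechanism, Ed25519 is used as a stand-in for both: each domain's public key plays the role of its system root certificate (PKI) or system master public key (IBC), whereas a real IBC domain would derive the verification key from the identity itself. The domain names, ledger keys, message and credential layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// System is the cryptographic system a trust domain belongs to.
type System int

const (
	PKI System = iota
	IBC
)

// Ledger is a constructed key/value store standing in for the blockchain.
type Ledger map[string][]byte

func infoKey(id string) string            { return "info:" + id }
func credKey(first, second string) string { return "cred:" + first + "@" + second }

// Domain is a trust domain: identity, system and signature key pair. Ed25519 is an assumption standing in for
// the PKI algorithm and the IBC signing mechanism; pub is the system root certificate (PKI) / master public key (IBC).
type Domain struct {
	ID   string
	Sys  System
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey // the domain's signature private key
}

func NewDomain(id string, sys System) *Domain {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Domain{ID: id, Sys: sys, pub: pub, priv: priv}
}

// Info is the first domain's information for step 501: root certificate / master public key, then identity.
func (d *Domain) Info() []byte { return append(append([]byte{}, d.pub...), d.ID...) }

// Issue (second domain): download and authenticate the first domain's information (a length check here), sign it and upload the credential.
func (d *Domain) Issue(l Ledger, firstID string) error {
	info, ok := l[infoKey(firstID)]
	if !ok || len(info) != ed25519.PublicKeySize+len(firstID) {
		return errors.New("first domain information missing or malformed")
	}
	l[credKey(firstID, d.ID)] = append(append([]byte{}, info...), ed25519.Sign(d.priv, info)...)
	return nil
}

// Pending is the information to be processed (step 503): signature value plus credential (cases 1 and 3) or identity (case 2).
type Pending struct {
	Msg, Sig, Cred []byte
	ID             string
}

func (d *Domain) BuildPending(l Ledger, second *Domain, msg []byte) Pending {
	p := Pending{Msg: msg, Sig: ed25519.Sign(d.priv, msg)}
	if d.Sys == IBC && second.Sys == PKI {
		p.ID = d.ID // case 2: the second domain queries the trust credential by this identity itself
	} else {
		p.Cred = l[credKey(d.ID, second.ID)] // step 502: download the trust credential
	}
	return p
}

// Verify (second domain): check the credential against its own key, then the signature value against the first domain's key.
func (d *Domain) Verify(l Ledger, p Pending) error {
	cred := p.Cred
	if cred == nil { // case 2: query the trust credential by the first domain's identity
		cred = l[credKey(p.ID, d.ID)]
	}
	n := len(cred) - ed25519.SignatureSize // credential = info || second domain's signature over info
	if n < ed25519.PublicKeySize || !ed25519.Verify(d.pub, cred[:n], cred[n:]) {
		return errors.New("trust credential missing, malformed or not issued by this domain")
	}
	if !ed25519.Verify(ed25519.PublicKey(cred[:ed25519.PublicKeySize]), p.Msg, p.Sig) {
		return errors.New("signature value does not match the root certificate / master public key")
	}
	return nil
}

// RunCase plays the whole exchange for one pairing and returns whether a tampered signature value was rejected plus the genuine result.
func RunCase(firstSys, secondSys System) (bool, error) {
	l := Ledger{}
	first, second := NewDomain("domainA", firstSys), NewDomain("domainB", secondSys)
	l[infoKey(first.ID)] = first.Info() // step 501: upload the first domain's information
	if err := second.Issue(l, first.ID); err != nil {
		return false, err
	}
	p := first.BuildPending(l, second, []byte("constructed cross-domain request"))
	genuine := second.Verify(l, p)
	p.Sig[0] ^= 1 // tamper with the signature value
	return second.Verify(l, p) != nil, genuine
}

func main() { // case 1 shown; RunCase(IBC, PKI) and RunCase(IBC, IBC) exercise the other two pairings
	fmt.Println(RunCase(PKI, IBC)) // true <nil>
}
```

Running the three pairings shows the difference that the patent draws between the cases on the wire only: in cases 1 and 3 the credential travels with the signature value, in case 2 only the identity does and the verifier looks the credential up itself, but the checks the verifier performs are the same, and a credential issued by any domain other than the verifier, or a modified signature value, is rejected.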
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A cross-domain authentication method, applied to a second trust domain, comprising:
downloading and authenticating information of the first trust domain from the blockchain;
issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain;
receiving information to be processed sent by the first trust domain;
and verifying the information to be processed by utilizing the information of the first trust domain and the information of the second trust domain.
2. The cross-domain authentication method of claim 1, wherein:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information of the first trust domain comprises a system root certificate of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information of the first trust domain comprises a system main public key of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to the IBC system, the information of the first trust domain comprises a system main public key of the first trust domain.
3. The cross-domain authentication method of claim 2, wherein:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information to be processed comprises a signature value and the trust certificate;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information to be processed comprises a signature value and an identity of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to the IBC system, the information to be processed comprises a signature value and the trust certificate;
the signature value is generated after the first trust domain signs the information to be sent.
4. A cross-domain authentication method according to claim 3, characterized in that:
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, before verifying the information to be processed by using the information of the first trust domain and the information of the second trust domain, the method includes:
and querying the trust credential by using the identity of the first trust domain.
5. The cross-domain authentication method of claim 4, wherein verifying the information to be processed using the information of the first trust domain and the information of the second trust domain comprises:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, verifying the validity of the trust credentials by using the identity of the second trust domain, and verifying the validity of the signature value by using the system root certificate;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, verifying the validity of the trust credentials by using the identity of the second trust domain, and verifying the validity of the signature value by using an IBC signature verification mechanism and the system main public key;
if the first trust domain belongs to an IBC system and the second trust domain belongs to the IBC system, verifying the validity of the trust credentials by using the identity of the second trust domain, and verifying the validity of the signature value by using the system main public key.
6. A cross-domain authentication method, applied to a first trust domain, comprising:
uploading information of the first trust domain to the blockchain;
downloading trust credentials issued by a second trust domain for the information of the first trust domain from the blockchain;
and generating the information to be processed and sending it to the second trust domain, so that the second trust domain performs cross-domain authentication.
7. The cross-domain authentication method of claim 6, wherein:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, the information of the first trust domain comprises a system root certificate of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the information of the first trust domain comprises a system main public key of the first trust domain;
if the first trust domain belongs to an IBC system and the second trust domain belongs to the IBC system, the information of the first trust domain comprises a system main public key of the first trust domain.
8. The cross-domain authentication method of claim 7, wherein:
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, the downloading of the trust credential issued by the second trust domain for the information of the first trust domain from the blockchain includes:
issuing the trust credential.
9. The cross-domain authentication method of claim 8, wherein the generating and sending the information to be processed to the second trust domain comprises:
if the first trust domain belongs to a PKI system and the second trust domain belongs to an IBC system, signing information to be sent to generate a signature value, and sending the signature value and the trust certificate to the second trust domain as information to be processed;
if the first trust domain belongs to an IBC system and the second trust domain belongs to a PKI system, signing information to be sent to generate a signature value, and sending the signature value and the identity of the first trust domain to the second trust domain as information to be processed;
if the first trust domain belongs to an IBC system and the second trust domain belongs to the IBC system, signing the information to be sent, generating a signature value, and sending the signature value and the trust certificate to the second trust domain as the information to be processed.
10. A cross-domain authentication system, comprising: a first trust domain and a second trust domain;
the first trust domain is for:
uploading information of the first trust domain to the blockchain;
downloading trust credentials issued by a second trust domain for the information of the first trust domain from the blockchain;
generating and sending information to be processed to the second trust domain for cross-domain authentication by the second trust domain;
the second trust domain is for:
downloading and authenticating information of the first trust domain from the blockchain;
issuing a trust credential for the information of the first trust domain and uploading the trust credential to the blockchain;
receiving information to be processed sent by the first trust domain;
and verifying the information to be processed by utilizing the information of the first trust domain and the information of the second trust domain.
CN202211517101.7A 2022-11-29 2022-11-29 Cross-domain authentication method and system Pending CN116055055A (en)

Publications (1)

Publication Number Publication Date
CN116055055A 2023-05-02

Family

ID=86124454

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453476A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Cross domain authentication method and system
CN108737436A (en) * 2018-05-31 2018-11-02 西安电子科技大学 Based on the cross-domain services device identity identifying method for trusting alliance's block chain
WO2019093963A1 (en) * 2017-11-10 2019-05-16 华为国际有限公司 Heterogeneous identity-based interactive system and method
CN111835528A (en) * 2020-07-16 2020-10-27 广州大学 Decentralized Internet of things cross-domain access authorization method and system
US20210218740A1 (en) * 2019-04-29 2021-07-15 Tsinghua University Method and device for cross-domain strong logical isolation and secure access control in the internet of things
CN113824563A (en) * 2021-09-07 2021-12-21 电子科技大学 Cross-domain identity authentication method based on block chain certificate

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination