CN116707799A - Key management method, terminal and service system based on block chain - Google Patents


Info

Publication number
CN116707799A
Authority
CN
China
Prior art keywords
public
user
sub
private key
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310876026.1A
Other languages
Chinese (zh)
Inventor
岑健明
裴磊
黄剑
吴业骏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310876026.1A
Publication of CN116707799A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a blockchain-based key management method, a terminal and a service system, which can be used in the technical field of blockchains. The method comprises the following steps: generating a main public-private key based on a specified encryption algorithm, and generating a user identifier according to the main public-private key; generating a corresponding sub public-private key according to the main public-private key and each of a plurality of different prime numbers, and determining the prime number corresponding to each sub public-private key; and multiplying the prime numbers corresponding to the plurality of sub public-private keys of the user to obtain a prime number product, and storing the user identifier of the user and the corresponding prime number product in association on a blockchain. By setting a prime number for each sub public-private key and recording the sub public-private keys through the prime number product, the application improves the security of the user's sub public-private keys and allows any sub public-private key to be recovered.

Description

Key management method, terminal and service system based on block chain
Technical Field
The present application relates to the field of information security technologies, and in particular, to the field of blockchain technologies, and in particular, to a blockchain-based key management method, a terminal, and a service system.
Background
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Distributed digital identity refers to a digital identity wallet that is managed autonomously by the user. The user keeps his or her keys and identity-related information in the digital identity wallet, and a plurality of identities of one user can be associated with a plurality of keys. Unlike the traditional centralized management mode, this decentralized, user-managed mode has serious consequences once the user's private key is compromised and lost.
Current hierarchical deterministic wallets allow users to create a massive number of sub-keys from one master (root) key. This means that once the master key is controlled, all the sub-keys, which form a tree structure, can be generated. Thus, by backing up only the one master (root) key when creating the wallet, all sub-keys can be recreated from the master key, which realizes recovery of the sub-keys. Consequently, in a prior-art digital identity wallet, anyone who acquires the master key can obtain all the sub-keys, so the user's keys are easily leaked. Moreover, sub-keys can only be recovered all together; one or more specific sub-keys cannot be recovered on their own.
Disclosure of Invention
The application aims to provide a blockchain-based key management method in which a prime number is set for each sub public-private key and the sub public-private keys are recorded through a prime number product, improving the security of the user's sub public-private keys and allowing any sub public-private key to be recovered. Another object of the present application is to provide a terminal. It is yet another object of the present application to provide a blockchain-based business system. It is a further object of the application to provide a computer device. It is a further object of the application to provide a readable medium.
To achieve the above object, an aspect of the present application discloses a blockchain-based key management method, including:
generating a main public and private key based on a specified encryption algorithm, and generating a user identifier according to the main public and private key;
generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers respectively, and determining the prime numbers corresponding to the sub public private keys;
and multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a block chain in a correlated manner.
Preferably, the method further comprises:
transmitting a sub public and private key invalidation request to the blockchain, wherein the sub public and private key invalidation request comprises a user identifier to be invalidated and a target prime number corresponding to the sub public and private key to be invalidated;
and the blockchain divides the prime number product corresponding to the user identifier to be invalidated by the target prime number, so as to update the prime number product corresponding to the user identifier to be invalidated.
Preferably, the generating the corresponding sub public private keys according to the main public private key and the plurality of different prime numbers, and determining the prime numbers corresponding to each sub public private key includes:
determining prime numbers corresponding to a plurality of sub public private keys of a user respectively, wherein the prime numbers corresponding to the sub public private keys are different;
generating corresponding sub public private keys based on the main public private key of the user and each prime number respectively to obtain a plurality of sub public private keys of the user;
and associating each sub public-private key of the user with its corresponding prime number.
Preferably, the method further comprises:
sending a sub public and private key recovery request to the blockchain;
the blockchain determines a user identifier to be recovered according to the sub public and private key recovery request, and determines a corresponding prime number product according to the user identifier to be recovered;
and determining the prime numbers to be recovered corresponding to the user identifiers to be recovered according to the prime number product, and respectively generating corresponding sub public private keys according to each prime number to be recovered and the main public private key of the user identifier to be recovered.
The application also discloses a terminal, which comprises:
the identification generation module is used for generating a main public and private key based on a specified encryption algorithm and generating a user identification according to the main public and private key;
the key generation module is used for respectively generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers and determining the prime numbers corresponding to the sub public private keys;
and the data uplink module is used for multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a block chain in a correlated way.
The application also discloses a service system based on the block chain, which comprises a terminal, a service server and the block chain;
the terminal is used for generating a main public and private key based on a specified encryption algorithm and generating a user identifier according to the main public and private key; generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers respectively, and determining the prime numbers corresponding to the sub public private keys; and multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a correlation manner to the block chain.
Preferably, the method further comprises a service server;
the terminal transmits an authentication request to a service server, wherein the authentication request comprises user information;
the service server acquires a user identifier and a sub public key corresponding to the user information from the blockchain according to the user information;
the terminal receives the user identification transmitted by the service server, and determines a corresponding sub-private key according to the user identification; signing the login request according to the sub private key and transmitting the signed login request to the service server;
and the service server performs signature verification on the signed login request according to the sub public key, and if the signature verification is successful, the user authentication is passed.
Preferably, the method further comprises a service server;
the terminal is used for determining user information and signature information of the sub private key signature when the user registers; transmitting the user information and the signature information to a service server;
and the service server acquires a corresponding sub-public key from the blockchain according to the user identifier, performs signature verification on the signature information according to the sub-public key, and correspondingly associates the user information with the user identifier if the signature verification passes.
The embodiment of the application also provides computer equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method when executing the computer program.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above-described method.
The blockchain-based key management method generates a main public-private key based on a specified encryption algorithm, and generates a user identifier according to the main public-private key; generates a corresponding sub public-private key according to the main public-private key and each of a plurality of different prime numbers, and determines the prime number corresponding to each sub public-private key; and multiplies the prime numbers corresponding to the plurality of sub public-private keys of the user to obtain a prime number product, and stores the user identifier of the user and the corresponding prime number product in association on a blockchain. The application thus generates a plurality of sub public-private keys from the main public-private key and the prime numbers, where each sub public-private key has its own corresponding prime number; the prime numbers of all sub public-private keys are multiplied to obtain the prime number product, and the prime number product can be stored on the blockchain in correspondence with the sub public-private keys. Therefore, in the application, a party who obtains only the main public-private key cannot derive all the sub public-private keys from it; a sub public-private key can be recovered only by obtaining both the main public-private key and the prime number corresponding to that sub public-private key. This improves the security of the user's sub public-private keys and protects the user's digital identity.
Because each sub public-private key is computed from the main public-private key and a prime number, the required sub public-private key can be recovered directly from the main public-private key and its prime number, and there is no need to regenerate all sub public-private keys.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. In the drawings:
FIG. 1 is a flow chart of an embodiment of a blockchain-based key management method of the present application;
FIG. 2 is a flowchart of a blockchain-based key management method embodiment S200 of the present application;
FIG. 3 is a flowchart of a blockchain-based key management method embodiment S400 of the present application;
FIG. 4 is a flowchart of a blockchain-based key management method embodiment S500 of the present application;
FIG. 5 is a block diagram of a specific embodiment of a terminal of the present application;
FIG. 6 is a block diagram of a particular embodiment of a business system of the present application;
FIG. 7 shows a schematic diagram of a computer device suitable for use in implementing embodiments of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present application and their descriptions herein are for the purpose of explaining the present application, but are not to be construed as limiting the application.
It should be noted that, the key management method, terminal and service system based on blockchain disclosed in the present application can be used in the blockchain technical field, and also can be used in any field other than the blockchain technical field, and the application field of the key management method, terminal and service system based on blockchain disclosed in the present application is not limited.
It should be noted that, in one or more embodiments of the present application, a blockchain refers to a distributed shared database built on cryptography; in essence, it is a technical solution for collectively maintaining a reliable database in a decentralized manner. The multiple nodes participating in the scheme form a peer-to-peer network and establish trust on a mathematical basis, yielding a distributed system that can operate without the nodes trusting each other and without relying on a single centralized institution. Such a system can ensure the authenticity of data, transfers trust and value reliably at very low cost, and is more open and shared, transparent and reliable, and auditable and traceable.
It should be noted that in one or more embodiments of the present application, the digital wallet is comprised of software (and optionally hardware) that enables the wallet controller to generate, store, manage and protect keys, confidential and other sensitive private data.
It should be noted that in one or more embodiments of the present application, the digital wallet is a digital wallet mainly applied to the authentication service scenario.
It should be noted that in one or more embodiments of the present application, the concept of hierarchical determinism in a hierarchical deterministic wallet (Hierarchical Deterministic Wallets, HD Wallets) was proposed in the BIP32 proposal, where a master private key is generated from a seed, and a huge number of child private keys and addresses are then derived from it.
In one or more embodiments of the present application, a prime number is a natural number larger than 1 that is not divisible by any natural number other than 1 and itself (1 is not prime).
According to one aspect of the present application, this embodiment discloses a blockchain-based key management method. As shown in fig. 1, in this embodiment, the method includes:
S100: Generating a main public-private key based on a specified encryption algorithm, and generating a user identifier according to the main public-private key.
It can be understood that the user can interact with the service system through the terminal, so that the APP corresponding to the digital identity wallet can be set on the terminal, and the main public and private keys and the sub public and private keys of the user are generated through the APP of the digital identity wallet on the terminal. Of course, in practical application, the main public and private keys and the sub public and private keys may be generated by other execution bodies, and the functions of information interaction with the service system may be implemented, which is not limited in the present application.
Specifically, a unique primary public-private key may first be generated by a predetermined specified encryption algorithm. The primary public-private key is a key pair consisting of a primary public key and a primary private key, and serves as the primary public-private key of the user's digital identity. A unique user identifier can then be generated from the generated primary public-private key and used to uniquely identify the user.
For example, in a specific example, a unique primary public-private key may be generated by a specified encryption algorithm, such as a cryptographic algorithm, to serve as the digital identity of the user, and a unique user identifier is then generated based on the primary public key. Preferably, the user identifier may be generated by the algorithm base58(ripemd160(sha256([primary public key]))); since the primary public key is unique, the generated user identifier is naturally unique as well. Of course, in practical applications, those skilled in the art may select the specified encryption algorithm and the generation algorithm for the user identifier according to the actual situation, which is not limited in the present application.
S200: Generating a corresponding sub public-private key according to the main public-private key and each of a plurality of different prime numbers, and determining the prime number corresponding to each sub public-private key.
S300: Multiplying the prime numbers corresponding to the plurality of sub public-private keys of the user to obtain a prime number product, and storing the user identifier of the user and the corresponding prime number product in association on a blockchain.
Optionally, the terminal may communicate with the blockchain, and store the generated user identifier in association with the corresponding prime number product to the blockchain by invoking an intelligent contract of the blockchain.
Optionally, when storing the user identifier of the user and the corresponding prime number product in association with the blockchain, the prime number product may be encrypted by using a master public key in a master public private key, and then the user identifier of the user and the corresponding encrypted prime number product may be stored in association with the blockchain. Therefore, only the user with the main private key corresponding to the main public private key can decrypt the encrypted prime number product acquired on the chain to obtain a plaintext, so that only the user can decrypt the plaintext to obtain the prime number product, the prime number product of the sub public private key is prevented from being revealed, and the safety of key storage is improved.
In an alternative embodiment, as shown in fig. 2, the step S200 of generating the corresponding sub-public-private keys according to the main public-private key and the plurality of different prime numbers, and determining the prime numbers corresponding to the sub-public-private keys includes:
S210: Determining the prime numbers corresponding to the plurality of sub public-private keys of the user respectively, wherein the prime numbers corresponding to the plurality of sub public-private keys are different.
S220: Generating a corresponding sub public-private key based on the main public-private key of the user and each prime number respectively, to obtain the plurality of sub public-private keys of the user.
S230: Associating each sub public-private key of the user with its corresponding prime number.
It can be understood that, to ensure that all the sub public-private keys cannot be obtained by operating on the user's main public-private key even if that main public-private key is leaked, the application first determines a plurality of prime numbers to be used for generating the sub public-private keys. The prime numbers can be selected in ascending order, which ensures that the selected prime numbers are mutually different, and in turn that the sub public-private keys generated from them are mutually different, guaranteeing the uniqueness of each sub public-private key. For example, the prime numbers in ascending order are 2, 3, 5, …, and when 3 sub public-private keys need to be generated, the 3 prime numbers 2, 3 and 5 can be selected. If more sub public-private keys need to be generated, successively larger prime numbers can be selected in order, starting from the smallest prime number 2, according to the number of sub public-private keys generated. Of course, in practical applications, those skilled in the art may also determine a specific manner of selecting different prime numbers according to actual needs, and the present application is not limited thereto.
Further, corresponding sub-public and private keys can be generated according to the main public and private key and each prime number, wherein the sub-public and private keys comprise a pair of sub-public keys and sub-private keys, and each sub-public and private key can be used as a digital identity of a user. Therefore, in the process of generating the sub public and private keys according to the main public and private key, the prime numbers corresponding to the sub public and private keys and the main public and private key are operated together to generate the sub public and private keys corresponding to the prime numbers, and the sub public and private keys of the user cannot be obtained through calculation on the basis of only mastering the main public and private key, so that the safety of the user key is ensured, and the safety of the digital identity of the user is improved.
In a specific example, if 3 sub public private keys need to be generated, 3 prime numbers of 2,3 and 5 can be selected, and the sub public private keys are generated through a preset key generation algorithm after specific operation is performed on the main public private key and the prime numbers. Therefore, each generated sub public private key corresponds to the prime number participating in operation during generation, and the prime number corresponding to the sub public private key can uniquely identify one sub public private key.
It should be noted that the preset key generation algorithm may be the same as or different from the specified encryption algorithm. In practical applications, the key generation algorithm can be predetermined by those skilled in the art according to practical requirements, and the key generation algorithm existing in the art can be adopted, which is not limited in the present application.
It should be noted that, the specific operation performed by the primary public key and the prime number may be splicing the primary public key and the prime number together, or may be other specific operations such as multiplication or addition, which may be flexibly determined by a person skilled in the art according to the actual situation, and the present application is not limited to this.
After a plurality of sub public-private keys are generated, the product of their prime numbers can only be factored back into those same prime numbers; that is, each prime number product corresponds to a unique combination of prime numbers. For example, when the prime numbers corresponding to the 3 sub public-private keys are 2, 3 and 5, the user's digital identity may be associated with the user identifier using the product 30 of 2, 3 and 5. When the prime number product corresponding to the user identifier is 30, the user's unique prime number combination is determined to be 2, 3 and 5. Because both the number of primes in the combination and the primes themselves are uniquely determined, all the sub public-private keys of the user can be recovered accurately and leakage of the user's sub public-private keys is avoided: the user can accurately recover all of his or her sub public-private keys using the main public-private key together with the prime number product. After determining all the prime numbers from the prime number product corresponding to the user identifier, the user can also select one or more of them as needed and recover only the corresponding sub public-private keys, which realizes independent recovery of specific sub public-private keys.
Optionally, when a sub public-private key is generated, the prime number used to generate it can be recorded, so that a prime number already used for an earlier sub public-private key is not reused when later sub public-private keys are generated, which avoids generating the same sub public-private key twice. When recording the used prime numbers, all prime numbers can be arranged in ascending order and a sub public-private key counter can be set to record the rank, in that ordering, of the prime numbers already used. For example, with the prime numbers arranged as 2, 3, 5, 7, …, the prime numbers used in generating 3 sub public-private keys are 2, 3 and 5, and the current counter value is 3. The purpose of this counter is as follows: if the 3rd sub private key is invalidated, the prime number product changes from 30 to 6; because the counter records that the prime number 5 has already been used, the next sub public-private key to be generated skips the 3rd prime number 5 and uses the 4th prime number 7.
In an alternative embodiment, as shown in fig. 3, the method further includes S400:
S410: Transmitting a sub public-private key invalidation request to the blockchain, wherein the sub public-private key invalidation request comprises the user identifier to be invalidated and the target prime number corresponding to the sub public-private key to be invalidated.
S420: The blockchain divides the prime number product corresponding to the user identifier to be invalidated by the target prime number, so as to update the prime number product corresponding to the user identifier to be invalidated.
It can be appreciated that the user can disable one or more of the plurality of sub-public-private keys corresponding to the user identification according to the need, i.e., delete one or more sub-public-private keys from all sub-public-private keys of the user. Wherein in this alternative embodiment, one or more of all the sub-public-private keys corresponding to the user identity are invalidated by transmitting a sub-public-private key invalidation request to the blockchain in a manner that updates the prime number product corresponding to the user identity.
Specifically, the user may transmit a sub public-private key invalidation request to the blockchain through the user terminal. The invalidation request includes the user identifier and the prime corresponding to the sub public-private key to be invalidated, namely the target prime. After receiving the invalidation request transmitted by the user terminal, the blockchain parses the request to obtain the user identifier, looks up the prime product for that identifier in the correspondence between user identifiers and prime products stored on the blockchain, and directly divides the prime product by the target prime parsed from the request, thereby updating the prime product corresponding to the user identifier. The updated prime product no longer contains the target prime, which achieves the purpose of deleting the sub public-private key corresponding to the target prime.
In an alternative embodiment, as shown in fig. 4, the method further includes S500:
S510: Send a sub public-private key recovery request to the blockchain.
S520: The blockchain determines the user identifier to be recovered from the recovery request, and determines the corresponding prime product from that user identifier.
S530: Determine the primes to be recovered for the user identifier from the prime product, and generate the corresponding sub public-private key from each prime to be recovered and the main public-private key of the user identifier to be recovered.
It is understood that when a user's sub public-private key is lost or needs to be regenerated, the user can recover specific sub public-private keys as desired. Specifically, the user may send a sub public-private key recovery request to the blockchain through the terminal. The recovery request can include the user identifier; after receiving the request, the blockchain parses it to obtain the user identifier whose sub public-private keys are to be recovered, and then determines the prime product corresponding to that identifier from the information stored on the blockchain. A plurality of primes to be recovered is then obtained from the prime product, such that the product of these primes equals the prime product. Furthermore, the corresponding main public-private key can be determined from the user identifier, and the corresponding sub public-private keys are then generated from one or more of the primes to be recovered and the main public-private key, so that at least some of the sub public-private keys are recovered.
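The prime-product bookkeeping described above (issuing with a counter, invalidation by division in S420, recovery by factoring in S530) can be sketched as follows. This is an added example, not code from the patent: the `Record` type, the HMAC-SHA256 derivation in `deriveSeed` and the master secret are assumptions, since the text does not specify how a sub-key is computed from the main key and a prime.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Record is the per-user ledger entry in this sketch (hypothetical type).
type Record struct {
	Product *big.Int // product of the primes of all currently valid sub-keys
	Counter int      // rank of the last prime ever issued (2 has rank 1)
}

func NewRecord() *Record { return &Record{Product: big.NewInt(1)} }

// nthPrime returns the n-th prime (1-based); ProbablyPrime is exact below 2^64.
func nthPrime(n int) int64 {
	for c, seen := int64(2), 0; ; c++ {
		if big.NewInt(c).ProbablyPrime(0) {
			seen++
			if seen == n {
				return c
			}
		}
	}
}

// deriveSeed is an ASSUMED derivation: HMAC-SHA256 over the prime, keyed with
// the master secret. The patent does not name the function it uses.
func deriveSeed(master []byte, prime int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(prime))
	mac := hmac.New(sha256.New, master)
	mac.Write(buf[:])
	return mac.Sum(nil)
}

// Issue assigns the next never-used prime and multiplies it into the product.
func (r *Record) Issue() int64 {
	r.Counter++
	p := nthPrime(r.Counter)
	r.Product.Mul(r.Product, big.NewInt(p))
	return p
}

// Revoke divides the product by target (S420), but only if target is a prime
// that divides it exactly; a blind division would corrupt the record.
func (r *Record) Revoke(target int64) error {
	t := big.NewInt(target)
	if target < 2 || !t.ProbablyPrime(0) {
		return errors.New("target is not a prime")
	}
	q, rem := new(big.Int).QuoRem(r.Product, t, new(big.Int))
	if rem.Sign() != 0 {
		return errors.New("target prime is not part of the product")
	}
	r.Product = q
	return nil
}

// Primes factors the product over the primes issued so far (S530).
func (r *Record) Primes() []int64 {
	var out []int64
	for i := 1; i <= r.Counter; i++ {
		p := nthPrime(i)
		if new(big.Int).Mod(r.Product, big.NewInt(p)).Sign() == 0 {
			out = append(out, p)
		}
	}
	return out
}

// RecoverSeeds regenerates the seed of every sub-key still in the product.
func RecoverSeeds(master []byte, r *Record) map[int64][]byte {
	seeds := make(map[int64][]byte)
	for _, p := range r.Primes() {
		seeds[p] = deriveSeed(master, p)
	}
	return seeds
}

func main() {
	rec := NewRecord()
	for i := 0; i < 3; i++ {
		rec.Issue() // primes 2, 3, 5
	}
	fmt.Println("product:", rec.Product, "primes:", rec.Primes())
	err := rec.Revoke(5)
	fmt.Println("revoke 5:", err, "product:", rec.Product)
	fmt.Println("revoke 5 again:", rec.Revoke(5))
	next := rec.Issue()
	fmt.Println("next prime issued:", next, "counter:", rec.Counter)
	fmt.Println("recovered:", len(RecoverSeeds([]byte("constructed secret"), rec)))
}
```

With a deterministic derivation like the one assumed here, invalidation only removes the prime from the ledger record; a holder of the main key can still recompute the sub-key for 5, so verifiers have to rely on the ledger state rather than on the key being unobtainable.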
Based on the same principle, the application also discloses a terminal. As shown in fig. 5, the terminal includes an identification generation module 11, a key generation module 12, and a data uplink module 13.
The identifier generating module 11 is configured to generate a primary public-private key based on a specified encryption algorithm, and generate a user identifier according to the primary public-private key.
The key generation module 12 is configured to generate a corresponding sub-public-private key according to the main public-private key and a plurality of different prime numbers, and determine prime numbers corresponding to each sub-public-private key.
The data uplink module 13 is configured to multiply prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and store the user identification of the user and the corresponding prime number products in association to a blockchain.
Since the principle of the terminal for solving the problem is similar to that of the above method, the implementation of the terminal can refer to the implementation of the method, and will not be described herein.
Based on the same principle, the application also discloses a business system based on the block chain. As shown in fig. 6, the service system includes a terminal 1, a service server 2, and a blockchain 3.
The terminal 1 is used for generating a main public and private key based on a specified encryption algorithm, and generating a user identifier according to the main public and private key; generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers respectively, and determining the prime numbers corresponding to the sub public private keys; and multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in the blockchain 3 in a correlated manner.
In an alternative embodiment, the service system further comprises a service server 2. The user can interact with the service server 2 through the terminal 1 so that the service server 2 verifies the digital identity of the user terminal 1, and after the verification is passed, the user can achieve the purpose of calling the service server 2 to complete service request processing.
The terminal 1 transmits an authentication request to the service server 2, the authentication request comprising user information.
The service server 2 acquires the user identifier and the sub public key corresponding to the user information from the blockchain 3 according to the user information.
The terminal 1 receives the user identifier transmitted by the service server 2 and determines the corresponding sub private key according to the user identifier; it then signs the login request with the sub private key and transmits the signed login request to the service server 2.
The service server 2 verifies the signature on the signed login request with the sub public key, and if the signature verification succeeds, the user authentication is passed.
It can be understood that the blockchain 3 stores information such as the main public key, the sub public-private keys and the prime product corresponding to the user identifier of the user, and can also store information such as user information, the designated encryption algorithm or the key generation algorithm. When the blockchain 3 stores information, a user can be uniquely identified by the user identifier, and the user identifier is stored in association with the corresponding user information, main public-private key, sub public-private keys and prime product.
The terminal 1 may transmit user information such as a user name to the service server 2, so that the service server 2 can pass the user information to the blockchain 3 and query the blockchain 3 for the user identifier and the sub public key corresponding to the user information. The service server 2 may transmit the user identifier back to the user terminal 1. The user terminal 1 can query the corresponding sub private key from the blockchain 3 according to the user identifier and the server IP of the service server 2; this sub private key and the sub public key acquired by the service server 2 form one sub public-private key pair. The user terminal 1 signs the login request with the sub private key and then transmits it to the service server 2, and the service server 2 verifies the signature on the signed login request with the sub public key. If the verification passes, the digital identity verification of the user has passed.
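The login exchange described above, with both sides' steps, as an added example that is not code from the patent. Ed25519 as the signature scheme, the HMAC-SHA256 derivation in `subKey`, the `Ledger` maps, and the user name and identifier are assumptions or constructed values; the terminal here re-derives its sub private key locally from the main key and the prime.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// subKey derives an Ed25519 sub-key pair from the master secret and a prime.
// ASSUMPTION: the patent names neither the derivation nor the signature scheme.
func subKey(master []byte, prime int64) (ed25519.PublicKey, ed25519.PrivateKey) {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(prime))
	mac := hmac.New(sha256.New, master)
	mac.Write(buf[:])
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC output is the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Ledger stands in for the blockchain lookups made by the service server.
type Ledger struct {
	UserIDByInfo map[string]string            // user information -> user identifier
	SubPubByID   map[string]ed25519.PublicKey // user identifier -> sub public key
}

type Server struct{ chain *Ledger }

// Lookup resolves user information to the user identifier sent back to the terminal.
func (s *Server) Lookup(userInfo string) (string, error) {
	id, ok := s.chain.UserIDByInfo[userInfo]
	if !ok {
		return "", errors.New("no user identifier for this user information")
	}
	return id, nil
}

// VerifyLogin checks the signed login request against the ledger's sub public key.
func (s *Server) VerifyLogin(userID string, request, sig []byte) error {
	pub, ok := s.chain.SubPubByID[userID]
	if !ok {
		return errors.New("no sub public key on the ledger for this identifier")
	}
	if !ed25519.Verify(pub, request, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

type Terminal struct {
	master    []byte
	primeByID map[string]int64 // which prime backs the sub-key used for an identifier
}

// SignLogin determines the sub private key for userID and signs the request.
func (t *Terminal) SignLogin(userID string, request []byte) ([]byte, error) {
	prime, ok := t.primeByID[userID]
	if !ok {
		return nil, errors.New("terminal has no sub-key for this identifier")
	}
	_, priv := subKey(t.master, prime)
	return ed25519.Sign(priv, request), nil
}

// setup registers the constructed user "alice" with the sub public key for prime 3.
func setup() (*Server, *Terminal) {
	master := []byte("constructed master secret, demo only")
	const userID = "uid-constructed-01"
	pub, _ := subKey(master, 3)
	chain := &Ledger{
		UserIDByInfo: map[string]string{"alice": userID},
		SubPubByID:   map[string]ed25519.PublicKey{userID: pub},
	}
	return &Server{chain}, &Terminal{master, map[string]int64{userID: 3}}
}

// Login runs the exchange; tamper simulates a request altered after signing.
func Login(s *Server, t *Terminal, userInfo string, tamper bool) error {
	userID, err := s.Lookup(userInfo) // authentication request and ledger lookup
	if err != nil {
		return err
	}
	request := []byte("login:" + userInfo)
	sig, err := t.SignLogin(userID, request) // terminal signs with the sub private key
	if err != nil {
		return err
	}
	if tamper {
		request = []byte("login:someone-else")
	}
	return s.VerifyLogin(userID, request, sig) // server verifies with the sub public key
}

func main() {
	s, t := setup()
	fmt.Println("valid login:", Login(s, t, "alice", false))
	fmt.Println("altered request:", Login(s, t, "alice", true))
}
```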
In an alternative embodiment, the service system further comprises a service server 2. The terminal 1 is used for determining, when a user registers, user information and signature information signed with the sub private key, and for transmitting the user information and the signature information to the service server 2.
The service server 2 acquires the corresponding sub public key from the blockchain 3 according to the user identifier, verifies the signature information with the sub public key, and, if the signature verification passes, associates the user information with the user identifier.
It can be understood that the user can complete digital authentication at the same time as registration, which shortens the service flow and improves the user experience. Specifically, when a user registers, the user terminal 1 can select user information and signature information signed with a sub private key, and transmit both to the service server 2. On receiving a registration request carrying the user information and the signature information, the service server 2 uses the user information to acquire from the blockchain 3 the corresponding user identifier and the sub public key that matches the sub private key, verifies the signature information with the sub public key, and, if the verification passes, associates the user information with the user identifier, thereby completing the registration process. In this alternative embodiment, the service server 2 stores the user identifier; during subsequent authentication, the service server 2 may obtain the corresponding sub public key from the blockchain 3 according to the user identifier associated with the user information, or may perform digital authentication using only the user information, which is similar to the above embodiment and is not repeated here.
The embodiment of the application also provides computer equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method when executing the computer program.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above-described method.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, a system, or a computer program product, and that the systems, apparatuses, modules, or units set forth in the above embodiments may be embodied in a computer chip or entity, or in an article of manufacture having some function. A typical implementation device is a computer device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
In a typical example, the computer apparatus includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to implement a method performed by a client as described above, or where the processor executes the program to implement a method performed by a server as described above.
Referring now to FIG. 7, there is illustrated a schematic diagram of a computer device 600 suitable for use in implementing embodiments of the present application.
As shown in fig. 7, the computer device 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The RAM 603 also stores various programs and data required for the operation of the computer device 600. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, and the like; an output section 607 including a Cathode Ray Tube (CRT), a liquid crystal display (LCD), and the like, and a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as needed, so that a computer program read from it is installed into the storage section 608 as needed.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments can be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, see the description of the method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A blockchain-based key management method, comprising:
generating a main public and private key based on a specified encryption algorithm, and generating a user identifier according to the main public and private key;
generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers respectively, and determining the prime numbers corresponding to the sub public private keys;
and multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a block chain in a correlated manner.
2. The blockchain-based key management method of claim 1, further comprising:
transmitting a sub public and private key invalidation request to the blockchain, wherein the sub public and private key invalidation request comprises a user identifier to be invalidated and a target prime number corresponding to the sub public and private key to be invalidated;
and the blockchain dividing the prime number product corresponding to the user identifier to be invalidated by the target prime number, to update the prime number product corresponding to the user identifier to be invalidated.
3. The blockchain-based key management method of claim 1, wherein the generating the corresponding sub-public-private keys according to the main public-private key and the plurality of different primes, respectively, and determining primes corresponding to each sub-public-private key comprises:
determining prime numbers corresponding to a plurality of sub public private keys of a user respectively, wherein the prime numbers corresponding to the sub public private keys are different;
generating corresponding sub public private keys based on the main public private key of the user and each prime number respectively to obtain a plurality of sub public private keys of the user;
and associating each sub public-private key of the user with its corresponding prime number.
4. The blockchain-based key management method of claim 1, further comprising:
sending a sub public and private key recovery request to the blockchain;
the blockchain determines a user identifier to be recovered according to the sub public and private key recovery request, and determines a corresponding prime number product according to the user identifier to be recovered;
and determining the prime numbers to be recovered corresponding to the user identifiers to be recovered according to the prime number product, and respectively generating corresponding sub public private keys according to each prime number to be recovered and the main public private key of the user identifier to be recovered.
5. A terminal, comprising:
the identification generation module is used for generating a main public and private key based on a specified encryption algorithm and generating a user identification according to the main public and private key;
the key generation module is used for respectively generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers and determining the prime numbers corresponding to the sub public private keys;
and the data uplink module is used for multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a block chain in a correlated way.
6. A blockchain-based business system, comprising a terminal, a business server and a blockchain;
the terminal is used for generating a main public and private key based on a specified encryption algorithm and generating a user identifier according to the main public and private key; generating corresponding sub public private keys according to the main public private key and a plurality of different prime numbers respectively, and determining the prime numbers corresponding to the sub public private keys; and multiplying prime numbers corresponding to the plurality of sub public and private keys of the user to obtain prime number products, and storing the user identification of the user and the corresponding prime number products in a correlation manner to the block chain.
7. The blockchain-based business system of claim 6, further comprising a business server;
the terminal transmits an authentication request to a service server, wherein the authentication request comprises user information;
the service server acquires a user identifier and a sub public key corresponding to the user information from the blockchain according to the user information;
the terminal receives the user identification transmitted by the service server, and determines a corresponding sub-private key according to the user identification; signing the login request according to the sub private key and transmitting the signed login request to the service server;
and the service server performs signature verification on the signed login request according to the sub public key, and if the signature verification is successful, the user authentication is passed.
8. The blockchain-based business system of claim 6, further comprising a business server;
the terminal is used for determining, when the user registers, user information and signature information signed with the sub private key, and for transmitting the user information and the signature information to a service server;
and the service server acquires a corresponding sub-public key from the blockchain according to the user identifier, performs signature verification on the signature information according to the sub-public key, and correspondingly associates the user information with the user identifier if the signature verification passes.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 4 when executing the computer program.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 4.
CN202310876026.1A 2023-07-17 2023-07-17 Key management method, terminal and service system based on block chain Pending CN116707799A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310876026.1A CN116707799A (en) 2023-07-17 2023-07-17 Key management method, terminal and service system based on block chain

Publications (1)

Publication Number Publication Date
CN116707799A true CN116707799A (en) 2023-09-05

Family

ID=87827799

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination