CN117294719A - Communication authentication and point-to-point encryption transmission method and device based on DID

Info

Publication number: CN117294719A
Application number: CN202311487160.9A
Authority: CN (China)
Prior art keywords: user, point, communication, identity, user terminal
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 冯世伟, 王可, 潘磊
Current assignee: Huatai Securities Co ltd
Original assignee: Huatai Securities Co ltd
Application filed by Huatai Securities Co ltd; priority to CN202311487160.9A; publication of CN117294719A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention discloses a communication authentication and point-to-point encryption transmission method and device based on DID, comprising the following steps: user A obtains the point-to-point communication listening information and DID document information of user B from the distributed identity service based on the DID of user B, where the DID document information comprises an encryption public key; user A links with user B based on the acquired data, encrypts the DID, identity VC and communication VC of user A with the encryption public key of user B, and sends them to user B; user B receives the encrypted data, decrypts it with the encryption private key in the DID of user B, obtains the DID document of user A from the distributed service based on the decrypted DID of user A, verifies the identity of user A, and after verification returns the DID, identity VC and communication VC of user B to user A.

Description

Communication authentication and point-to-point encryption transmission method and device based on did
Technical Field
The invention relates to a communication authentication and point-to-point encryption transmission method and device based on DID, and belongs to the technical field of distributed digital identity and point-to-point communication.
Background
The communication protocol currently prevalent in the market is HTTPS, which consists of the HTTP protocol plus TLS, where the server's TLS certificate is issued by a CA operator accredited by the state. The authenticity of the server's TLS certificate can be verified through the national electronic root CA certificate and the CA certificate of the operating organization.
For the point-to-point communication scenario, the current technical market has two technical schemes:
1) A server proxy forwarding mode, namely client A -> server -> client B;
2) A server intermediary mode, in which the server acts as an intermediary and a transit server before clients A and B are actually linked, introducing the service addresses and certificate information of clients A and B to each other.
The HTTPS protocol is the mainstream communication mode, with high maturity and ease of use, but it is not suited to point-to-point communication scenarios. For the point-to-point communication scenario, the communication mode of server proxy forwarding or server-side intermediation is generally adopted in the architecture design. Although this mode has been developed and verified on the Internet and can fully meet the requirements of Internet applications, it leaves potential vulnerabilities for the application:
1. HTTPS relies entirely on CA certificates rooted in the national electronic root CA; an individual or service that wants to use it must apply for a certificate from a state-accredited CA operator. The whole flow and mechanism depend strongly on the national electronic root CA. The certificate is trusted because a government agency endorses it, and this is what makes the service credible. But this scheme is poorly suited to entities or individuals, for whom the certificate application period and fees prevent trusted peer-to-peer communication between entities.
2. HTTPS, server proxy forwarding and the server intermediary mode, although they solve the problem of man-in-the-middle attacks, do not solve the problem of a malicious server. In the server proxy forwarding mode, the server knows the communication content. In the server intermediary mode, the client must unconditionally trust the information from the server: on one hand, if the server fails, the whole point-to-point communication service may become unavailable; on the other hand, a malicious server may itself initiate a man-in-the-middle attack.
3. The server proxy forwarding and intermediary modes can solve the problem of communication between two parties, but they are limited to applications connected to the same service and cannot solve any problem of communication across services. They cannot be a standard solution.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provides a communication authentication and point-to-point encryption transmission method and device based on the did, which can realize the trusted identity communication without depending on a national electronic root CA certificate system, realize the trusted point-to-point communication between entities and reduce the possibility of information leakage.
In order to achieve the above purpose, the invention is realized by adopting the following technical scheme:
in a first aspect, the present invention provides a communication authentication and point-to-point encryption transmission method based on DID, which is applicable between a user A and a user B, and includes:
the user A obtains point-to-point communication monitoring information and DID document information of the user B from the distributed identity service based on the DID of the user B, wherein the DID document information comprises an encryption public key;
the user A carries out basic protocol link with the user B based on the obtained point-to-point communication monitoring information and DID document information of the user B, encrypts the DID, the identity VC and the communication VC of the user A by using the encryption public key of the user B and sends the encrypted DID, the identity VC and the communication VC to the user B;
and the user B receives the encrypted data, decrypts the data by using an encryption private key in the DID of the user B, acquires the DID document of the user A from the distributed service based on the DID of the user A after decryption, verifies the identity of the user A, returns the DID, the identity VC and the communication VC of the user B if the verification is passed, returns an error code if the verification is not passed, and breaks the link.
Further, before the point-to-point encrypted transmission, user A or user B performs local listening for point-to-point communication and externally exposes the service, which specifically includes:
the user A or the user B applies for registering the DID to the distributed identity service system;
the user A or the user B applies for an identity VC from an identity issuing institution, wherein the identity VC comprises the identity information of the user and the signature of the identity issuing institution over that identity;
the user A or the user B applies for communication VC to the distributed identity service system, wherein the communication VC comprises public and private key pairs for encrypting and decrypting data during communication;
the user A or the user B adopts a basic protocol to establish network monitoring and waits for a subsequent link request;
user A or user B registers point-to-point communication listening information with the distributed identity service.
Further, when user A or user B uses a base protocol to establish network listening, any base protocol may be used; for example, ZMQ, RPC, TCP or UDP may be used to establish the listening.
Further, verifying the identity of user A includes: verifying whether user B wants to link with user A, whether the identity of user A is reliable, and whether the identity VC and the communication VC match.
Furthermore, when the identity of the user A is verified, whether the verification is passed or not, the returned data is encrypted through the communication VC public key of the user A, so that the confidentiality of the communication data is ensured.
Further, after the identity of the user A is verified, the user A can be successfully linked to perform message communication, data of the message communication is encrypted by using a public key in a communication VC of the opposite terminal, and the opposite terminal decrypts the communication data by using a private key of the communication VC of the opposite terminal.
In a second aspect, the present invention provides a communication authentication and point-to-point encryption transmission device based on the did, including a user terminal a and a user terminal B, wherein:
the user terminal A obtains point-to-point communication listening information and DID document information of the user terminal B from a distributed identity service based on the DID of the user terminal B, wherein the DID document information comprises a basic communication encryption public key;
the user terminal A carries out basic protocol link with the user terminal B based on the obtained point-to-point communication monitoring information and DID document information of the user terminal B, encrypts the DID, the identity VC and the communication VC of the user terminal A by using an encryption public key of the user terminal B and sends the encrypted DID, the identity VC and the communication VC to the user terminal B;
the user terminal B receives the encrypted data, decrypts the data by using an encryption private key in the DID of the user terminal B, obtains a DID document of the user terminal A from the distributed service, verifies the identity of the user terminal A, returns the DID, the identity VC and the communication VC of the user terminal B if the verification is passed, returns an error code if the verification is not passed, and breaks the link.
Further, the device further comprises a peer-to-peer communication listening module, which is configured to perform local listening for peer-to-peer communication and external exposure of the service before the peer-to-peer encrypted transmission of the user terminal A or the user terminal B, and specifically includes:
the user terminal A or the user terminal B applies for registering the DID with the distributed identity service system;
the user terminal A or the user terminal B applies for an identity VC from an identity issuing institution, wherein the identity VC comprises the identity information of the user and the signature of the identity issuing institution over that identity;
the user terminal A or the user terminal B applies for a communication VC from the distributed identity service system, wherein the communication VC comprises the public and private key pair for encrypting and decrypting data during communication;
the user terminal A or the user terminal B adopts a base protocol to establish network listening and waits for a subsequent link request;
the user terminal A or the user terminal B registers point-to-point communication listening information with the distributed identity service.
In a third aspect, the present invention provides an electronic device, comprising a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method according to any one of the preceding claims.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any of the methods described in the preceding claims.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a communication authentication and point-to-point encryption transmission method and device based on the DID, which realize a set of point-to-point communication protocol based on the DID, and by using the protocol, the trusted identity communication without depending on a national electronic root CA certificate system can be realized, the trusted point-to-point communication among entities is realized, and the possibility of information leakage is reduced.
Drawings
Fig. 1 is a schematic diagram of DID registration, identity VC issuance and the start of listening provided in an embodiment of the present invention;
fig. 2 is a schematic diagram of an overall process of point-to-point linking and identity verification provided by an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present invention, and are not intended to limit the scope of the present invention.
Example 1
As shown in fig. 1 and fig. 2, this embodiment describes a communication authentication and point-to-point encryption transmission method based on DID, which is applicable between a user A and a user B, and includes:
the user A obtains point-to-point communication monitoring information and DID document information of the user B from the distributed identity service based on the DID of the user B, wherein the DID document information comprises an encryption public key;
the user A carries out basic protocol link with the user B based on the obtained point-to-point communication monitoring information and DID document information of the user B, encrypts the DID, the identity VC and the communication VC of the user A by using the encryption public key of the user B and sends the encrypted DID, the identity VC and the communication VC to the user B;
and the user B receives the encrypted data, decrypts the data by using an encryption private key in the DID of the user B, acquires the DID document of the user A from the distributed service based on the DID of the user A after decryption, verifies the identity of the user A, returns the DID, the identity VC and the communication VC of the user B if the verification is passed, returns an error code if the verification is not passed, and breaks the link.
Before the point-to-point encryption transmission, the user A or the user B firstly performs local monitoring of point-to-point communication and externally exposed service, and specifically comprises the following steps:
the user A or the user B applies for registering the DID to the distributed identity service system;
the user A or the user B applies for an identity VC from an identity issuing institution, wherein the identity VC comprises the identity information of the user and the signature of the identity issuing institution over that identity;
the user A or the user B applies for communication VC to the distributed identity service system, wherein the communication VC comprises public and private key pairs for encrypting and decrypting data during communication;
the user A or the user B adopts a basic protocol to establish network monitoring and waits for a subsequent link request;
user A or user B registers point-to-point communication listening information with the distributed identity service.
The description of the above embodiment will be made with reference to a preferred embodiment.
Distributed identity (DID) is a new set of digital identity protocol standards defined and standardized by the W3C, which together with another set of protocols, verifiable credentials (VC for short), forms the underlying protocol for self-sovereign digital identity. In this scheme, a set of distributed digital identities is realized by adopting distributed identity (DID), verifiable credentials (VC) and blockchain-based distributed storage technology.
The key reason certificates issued by the national CA operating institutions are trusted is that those institutions are centralized institutions accredited by the Chinese state; verifiable credentials (VC) in distributed digital identity have a certificate-like effect and are generally issued by trusted institutions. Certificates and VCs have very many similarities: a. the core technique of both is asymmetric cryptography; b. both can achieve identity authentication; c. both are tamper-proof; d. both are verifiable.
ZMQ is a multithreaded network library whose lower layer abstracts and encapsulates network sockets, connection handling and so on. This scheme adopts ZMQ as the underlying communication protocol.
Before the scheme is described in detail, some background on distributed digital identity technology is given. Distributed digital identity technology has three types of roles, namely the issuing party, the proving party and the verifying party. The issuing party is responsible for responding to the proving party's request and issuing a VC to it; the verifying party is responsible for verifying whether the proving party's VC is valid. All three roles have a unique DID (distributed identity), and each DID is associated with a DID document in which the DID's key information (such as its public key and controller) is stored; this information is stored on the blockchain so that anyone can conveniently verify the identity.
The design idea of the scheme is based on distributed identity technology and realizes a set of trusted point-to-point communication between entities. The specific scheme is as follows:
1. The entity registers a distributed identity with the distributed identity service system. In this process, the entity must either hold its private key itself or have it held by a custodian on its behalf. Self-custody is a special case of custody by proxy; here we take custody by the distributed identity service system as an example.
2. The entity performs identity authentication, and the identity authentication institution issues an identity VC, which comprises the identity information of the entity and the institution's signature over that identity.
3. The entity applies for a communication VC, which mainly comprises the public and private key pair used for encrypting and decrypting data during communication. In general, the public and private key pair in the communication VC is different from the public and private key pair of the identity VC.
4. The point-to-point communication listening service is started: a base protocol is used to establish network listening, and the entity waits for subsequent link requests. In this case, ZMQ is used to establish the listening. This step need not use ZMQ; any underlying communication protocol may be used, such as RPC (remote procedure call) or TCP or UDP directly.
5. The point-to-point communication information is registered with the distributed identity service. This step mainly publishes the entity's point-to-point communication information externally: the point-to-point communication listening information is registered with the distributed identity service by registering with the server, so that other nodes can conveniently and quickly look up the link information through the DID.
6. Once the above flow is complete, the user has finished local listening for the point-to-point communication service and exposing the service externally, and only waits for link requests from other users. The following flow takes user A and user B as an example and describes the specific flow of point-to-point link communication.
7. Obtain the link information of the opposite terminal: user A obtains the point-to-point communication listening information and DID document information of user B from the distributed identity service based on the DID of user B.
8. User A links with user B based on the information acquired in the previous step, encrypts the DID, identity VC and communication VC of user A with the encryption public key of user B (taken from B's DID document), and sends the encrypted information to user B.
9. User B receives the data, decrypts it with the encryption private key in the DID of user B, acquires the DID document of user A from the distributed service based on the decrypted DID of user A, and verifies the identity of user A (whether user B wants to link with user A, whether the identity of user A is reliable, whether the identity VC matches the communication VC, and so on). If the verification passes, user B returns its own DID, identity VC and communication VC; if not, it returns an error code and breaks the link. Whether or not the verification passes, the returned data must be encrypted with the communication VC public key of user A.
10. After the link succeeds, message communication can proceed; the data of the message communication is encrypted with the public key in the communication VC of the opposite terminal, and the opposite terminal decrypts the communication data with its own communication VC private key.
The DID-based point-to-point communication design is adopted, the DID and the VC are used for realizing identity authentication, and the ZMQ middleware is used for building a communication framework.
The scheme realizes a set of DID-based point-to-point communication protocol, and by using the protocol, the trusted identity communication without depending on a national electronic root CA certificate system can be realized, the trusted point-to-point communication among entities is realized, and the possibility of information leakage is reduced.
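The following Go program is an added worked example of steps 1 to 10 above, written for this page; it is not code from the patent or from Huatai Securities. The patent names no algorithms, so the example assumes X25519 for the two encryption key pairs (the key in the DID document and the key in the communication VC), Ed25519 for the issuer and service signatures on the VCs, and AES-256-GCM for the payloads. The `did:example:*` identifiers, the listening addresses, the `E_*` error codes and the in-memory `Registry` that stands in for the distributed identity service and its blockchain storage are all constructed for the example, and the ZMQ transport is replaced by a direct function call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// VC is a minimal verifiable credential about a subject DID, signed by an issuer DID; the communication VC carries the subject's X25519 public key in Key.
type VC struct { Subject, Issuer string; Claims map[string]string; Key, Sig []byte }
func vcBytes(v VC) []byte { v.Sig = nil; b, _ := json.Marshal(v); return b } // JSON sorts map keys, so the signed form is canonical
func IssueVC(k ed25519.PrivateKey, v VC) VC   { v.Sig = ed25519.Sign(k, vcBytes(v)); return v }
func VerifyVC(p ed25519.PublicKey, v VC) bool { return ed25519.Verify(p, vcBytes(v), v.Sig) }
// DIDDoc is the published record per DID (DID-level encryption key, listening info). Registry stands in for the identity service and its blockchain; it holds the issuer's and service's signing keys only because this single process plays every role.
type DIDDoc struct { DID, ListenAddr string; EncPub []byte }
type Registry struct { Docs map[string]DIDDoc; Trusted map[string]ed25519.PublicKey; issuer, service ed25519.PrivateKey }
func NewRegistry() *Registry {
	ipub, ipriv, _ := ed25519.GenerateKey(rand.Reader)
	spub, spriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Registry{map[string]DIDDoc{}, map[string]ed25519.PublicKey{"did:example:issuer": ipub, "did:example:service": spub}, ipriv, spriv}
}
// Seal encrypts to an X25519 public key, ECIES-style (ephemeral ECDH, SHA-256 as a demo KDF, AES-256-GCM); layout: ephemeral pub (32) || nonce (12) || ciphertext+tag. Open reverses it.
func aead(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(block)
	return g
}
func Seal(recipientPub, plaintext []byte) ([]byte, error) {
	rp, err := ecdh.X25519().NewPublicKey(recipientPub)
	if err != nil { return nil, err }
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, err := eph.ECDH(rp)
	if err != nil { return nil, err }
	nonce := make([]byte, 12)
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return aead(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, eph.PublicKey().Bytes()), nil
}
func Open(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < 44 { return nil, errors.New("message too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:32])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return aead(shared).Open(nil, msg[32:44], msg[44:], msg[:32])
}
// Bundle is what each side sends (DID, identity VC, communication VC); B's reply also sets Code. Peer is user A or B: DIDPriv (DID-document key) receives the link request, CommPriv (communication VC key) protects the reply and all later messages.
type Bundle struct { DID string; IDVC, CommVC VC; Code string }
type Peer struct { DID string; DIDPriv, CommPriv *ecdh.PrivateKey; IDVC, CommVC VC; reg *Registry; Allow map[string]bool }
// NewPeer is the registration phase (steps 1-5): DID document, identity VC, communication VC, listening info (addr is a constructed value).
func NewPeer(reg *Registry, did, addr, name string) *Peer {
	dk, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ck, _ := ecdh.X25519().GenerateKey(rand.Reader)
	reg.Docs[did] = DIDDoc{DID: did, ListenAddr: addr, EncPub: dk.PublicKey().Bytes()}
	return &Peer{DID: did, DIDPriv: dk, CommPriv: ck, reg: reg, Allow: map[string]bool{},
		IDVC:   IssueVC(reg.issuer, VC{Subject: did, Issuer: "did:example:issuer", Claims: map[string]string{"name": name}}),
		CommVC: IssueVC(reg.service, VC{Subject: did, Issuer: "did:example:service", Key: ck.PublicKey().Bytes()})}
}
// Link is user A's side (steps 7-8): resolve B's DID document, send A's bundle under B's DID-document key, read the reply with A's communication VC key. Transport to doc.ListenAddr (ZMQ, TCP, ...) is a direct call in this simulation.
func (a *Peer) Link(b *Peer) (*Bundle, error) {
	doc, ok := a.reg.Docs[b.DID]
	if !ok { return nil, errors.New("no DID document for " + b.DID) }
	req, _ := json.Marshal(Bundle{DID: a.DID, IDVC: a.IDVC, CommVC: a.CommVC})
	ct, err := Seal(doc.EncPub, req)
	if err != nil { return nil, err }
	reply, err := b.HandleLink(ct)
	if err != nil { return nil, err }
	pt, err := Open(a.CommPriv, reply)
	if err != nil { return nil, err }
	var resp Bundle
	return &resp, json.Unmarshal(pt, &resp)
}
// HandleLink is user B's side (step 9): decrypt with the DID-document key, verify A, reply. The reply is encrypted to A's communication VC key whether or not verification passed; a request that cannot be decrypted or parsed gets no reply and the link is dropped.
func (b *Peer) HandleLink(msg []byte) ([]byte, error) {
	pt, err := Open(b.DIDPriv, msg)
	if err != nil { return nil, err }
	var req Bundle
	if err := json.Unmarshal(pt, &req); err != nil { return nil, err }
	resp := Bundle{Code: b.verify(req)}
	if resp.Code == "OK" { resp.DID, resp.IDVC, resp.CommVC = b.DID, b.IDVC, b.CommVC }
	out, _ := json.Marshal(resp)
	return Seal(req.CommVC.Key, out)
}
// verify applies the checks the patent names: A's DID resolvable and the link wanted; identity VC valid from a trusted issuer for A's DID; communication VC valid and bound to the same DID as the identity VC.
func (b *Peer) verify(req Bundle) string {
	if _, ok := b.reg.Docs[req.DID]; !ok || !b.Allow[req.DID] { return "E_NOT_WANTED" }
	ipub, ok := b.reg.Trusted[req.IDVC.Issuer]
	if !ok || req.IDVC.Subject != req.DID || !VerifyVC(ipub, req.IDVC) { return "E_IDENTITY" }
	spub, ok := b.reg.Trusted[req.CommVC.Issuer]
	if !ok || req.CommVC.Subject != req.IDVC.Subject || !VerifyVC(spub, req.CommVC) { return "E_VC_MISMATCH" }
	return "OK"
}
```

Driven from a test or a `main`, `a.Link(b)` returns `E_NOT_WANTED` until B adds A's DID to its allow list, `OK` together with B's bundle afterwards, and `E_IDENTITY` if A's identity VC is altered after issuance; step 10 is then `Seal(peer.CommVC.Key, msg)` on one side and `Open(CommPriv, ct)` on the other. Because even the error reply is sealed to A's communication VC key, the failure path leaks no more than the success path, which is the property the patent asks for. A production design would replace the SHA-256 key derivation with HKDF bound to both DIDs and add a fresh nonce or timestamp to the link request, so that a recorded request cannot be replayed to B later.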
Example 2
The embodiment provides a communication authentication and point-to-point encryption transmission device based on did, which comprises a user end A and a user end B, wherein:
the user terminal A obtains point-to-point communication listening information and DID document information of the user terminal B from a distributed identity service based on the DID of the user terminal B, wherein the DID document information comprises an encryption public key;
the user terminal A carries out basic protocol link with the user terminal B based on the obtained point-to-point communication monitoring information and DID document information of the user terminal B, encrypts the DID, the identity VC and the communication VC of the user terminal A by using an encryption public key of the user terminal B and sends the encrypted DID, the identity VC and the communication VC to the user terminal B;
the user terminal B receives the encrypted data, decrypts the data by using an encryption private key in the DID of the user terminal B, obtains a DID document of the user terminal A from the distributed service, verifies the identity of the user terminal A, returns the DID, the identity VC and the communication VC of the user terminal B if the verification is passed, returns an error code if the verification is not passed, and breaks the link.
Further, the device further comprises a peer-to-peer communication listening module, which is configured to perform local listening for peer-to-peer communication and external exposure of the service before the peer-to-peer encrypted transmission of the user terminal A or the user terminal B, and specifically includes:
the user terminal A or the user terminal B applies for registering the DID with the distributed identity service system;
the user terminal A or the user terminal B applies for an identity VC from an identity issuing institution, wherein the identity VC comprises the identity information of the user and the signature of the identity issuing institution over that identity;
the user terminal A or the user terminal B applies for a communication VC from the distributed identity service system, wherein the communication VC comprises the public and private key pair for encrypting and decrypting data during communication;
the user terminal A or the user terminal B adopts a base protocol to establish network listening and waits for a subsequent link request;
the user terminal A or the user terminal B registers point-to-point communication listening information with the distributed identity service.
Example 3
The embodiment provides an electronic device, which comprises a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is operative according to the instructions to perform the steps of the method of embodiment 1.
Example 4
The present embodiment provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of embodiment 1.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the foregoing embodiments are merely for illustrating the technical solution of the present disclosure and not for limiting the scope thereof, and although the present disclosure has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that various changes, modifications or equivalents may be made to the specific embodiments of the invention after reading the present disclosure, and these changes, modifications or equivalents are within the scope of the claims appended hereto.

Claims (10)

1. A communication authentication and point-to-point encryption transmission method based on DID, characterized by being applicable between a user A and a user B, comprising:
the user A obtains point-to-point communication monitoring information and DID document information of the user B from the distributed identity service based on the DID of the user B, wherein the DID document information comprises an encryption public key;
the user A carries out basic protocol link with the user B based on the obtained point-to-point communication monitoring information and DID document information of the user B, encrypts the DID, the identity VC and the communication VC of the user A by using the encryption public key of the user B and sends the encrypted DID, the identity VC and the communication VC to the user B;
and the user B receives the encrypted data, decrypts the data by using an encryption private key in the DID of the user B, acquires the DID document of the user A from the distributed service based on the DID of the user A after decryption, verifies the identity of the user A, returns the DID, the identity VC and the communication VC of the user B if the verification is passed, returns an error code if the verification is not passed, and breaks the link.
2. The method for performing communication authentication and point-to-point encrypted transmission according to claim 1, wherein the user a or the user B performs local interception of point-to-point communication and externally exposed service before performing point-to-point encrypted transmission, specifically comprising:
the user A or the user B applies for registering the DID to the distributed identity service system;
the user A or the user B applies for an identification VC from an identity issuing mechanism, wherein the identification VC comprises the identification information of the user and the signature of the identity issuing mechanism on the identification;
the user A or the user B applies for communication VC to the distributed identity service system, wherein the communication VC comprises public and private key pairs for encrypting and decrypting data during communication;
the user A or the user B adopts a basic protocol to establish network monitoring and waits for a subsequent link request;
user a or user B registers point-to-point communication listening information with the distributed identity service.
3. The method for performing communication authentication and point-to-point encrypted transmission according to claim 2, wherein when the user a or the user B uses a base protocol to establish network interception, the interception is established using ZMQ or RPC or TCP or UDP.
4. The method for the communication authentication and the point-to-point encryption transmission based on the did according to claim 1, wherein verifying the identity of the user a comprises: it is verified whether it is desired to link user a, whether the identity of user a is reliable and whether the identity VC and the communication VC match.
5. The method for performing communication authentication and point-to-point encrypted transmission according to claim 1, wherein the returned data is encrypted by the VC public key of the user a when verifying the identity of the user a, whether the verification is passed or not.
6. The method for authenticating communication and transmitting point-to-point encryption based on the did according to claim 1, wherein after the authentication of the identity of the user a is passed, the message communication can be performed after the link is successful, the data of the message communication is encrypted by using the public key in the communication VC of the opposite terminal, and the opposite terminal decrypts the communication data by using the private key of the communication VC of the opposite terminal.
7. The communication authentication and point-to-point encryption transmission device based on the did is characterized by comprising a user end A and a user end B, wherein:
the user terminal A is used for acquiring point-to-point communication monitoring information and DID document information of the user terminal B from the distributed identity service based on the DID of the user terminal B, wherein the DID document information comprises an encryption public key;
the user terminal A is used for carrying out base protocol link with the user terminal B based on the obtained point-to-point communication monitoring information and DID document information of the user terminal B, encrypting the DID, the identity VC and the communication VC of the user terminal A by using the encryption public key of the user terminal B and sending the encrypted DID, the identity VC and the communication VC to the user terminal B;
the user terminal B is used for receiving the encrypted data, decrypting the data by using an encryption private key in the DID of the user terminal B, acquiring a DID document of the user terminal A from the distributed service, verifying the identity of the user terminal A, returning the DID, the identity VC and the communication VC of the user terminal B if the identity of the user terminal A passes the verification, and if the identity of the user terminal B does not pass the verification, returning an error code and disconnecting the link.
8. The apparatus for performing point-to-point communication authentication and point-to-point encryption transmission according to claim 7, further comprising a point-to-point communication monitoring module, configured to perform local monitoring of point-to-point communication and external exposure service before performing point-to-point encryption transmission by the user terminal a or the user terminal B, and specifically comprising:
the user side A or the user side B applies for registering the DID to the distributed identity service system;
the user terminal A or the user terminal B applies for an identification VC to an identity issuing mechanism, wherein the identification VC comprises the identification information of a user and the signature of the identity issuing mechanism on the identification;
the user terminal A or the user terminal B applies for communication VC to the distributed identity service system, wherein the communication VC comprises public and private key pairs for encrypting and decrypting data during communication;
the user terminal A or the user terminal B adopts a base protocol to establish network monitoring and waits for a subsequent link request;
the user A or the user B registers point-to-point communication monitoring information to the distributed identity service.
9. An electronic device, characterized in that: comprises a processor and a storage medium;
the storage medium is used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 1 to 6.
10. A computer-readable storage medium having stored thereon a computer program, characterized by: which program, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
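As an added example (not the patent's or the applicant's code), the following Go program models user B's verification step from claims 1 and 4 together with the claim 2 preparation, using ed25519 signatures. The registry, the allow-list, the error codes, the DID strings and the rule that the communication VC is signed by the key in the holder's DID document are assumptions; the encryption of the first message with B's public key is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Minimal models of the claimed objects; the DID document's encryption key and transport encryption are omitted.
type DIDDocument struct{ PubKey ed25519.PublicKey }                                  // from the identity service
type IdentityVC struct{ Subject, Info string; Sig []byte }                           // signed by the identity issuer
type CommunicationVC struct{ Subject string; CommPub ed25519.PublicKey; Sig []byte } // assumed: signed by the DID key
type Hello struct{ DID string; ID IdentityVC; Comm CommunicationVC }                 // decrypted first message (claim 1)
type Registry map[string]DIDDocument                                                 // stands in for the identity service
// Error codes returned to the peer before the link is broken (claim 1); the values are constructed.
var (
	ErrNotDesired = errors.New("E01: link with this DID not desired")
	ErrIdentity   = errors.New("E02: identity of peer not reliable")
	ErrMismatch   = errors.New("E03: identity VC and communication VC do not match")
)
func idBytes(v IdentityVC) []byte        { return []byte(v.Subject + "|" + v.Info) }
func commBytes(v CommunicationVC) []byte { return append([]byte(v.Subject+"|"), v.CommPub...) }
// VerifyPeer is user B's claim 4 check on the decrypted hello: is the link desired, is the identity
// reliable (DID resolves, identity VC signed by the trusted issuer), and do the two VCs match.
func VerifyPeer(reg Registry, allow map[string]bool, issuerPub ed25519.PublicKey, h Hello) error {
	if !allow[h.DID] {
		return ErrNotDesired
	}
	doc, ok := reg[h.DID]
	if !ok || h.ID.Subject != h.DID || !ed25519.Verify(issuerPub, idBytes(h.ID), h.ID.Sig) {
		return ErrIdentity
	}
	if h.Comm.Subject != h.DID || !ed25519.Verify(doc.PubKey, commBytes(h.Comm), h.Comm.Sig) {
		return ErrMismatch
	}
	return nil
}
// Enroll is the claim 2 preparation for one user: register a DID, obtain an identity VC from
// the issuer, create a communication VC, and return the hello that user will later send.
func Enroll(reg Registry, did, info string, issuerPriv ed25519.PrivateKey) Hello {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg[did] = DIDDocument{PubKey: pub}
	id := IdentityVC{Subject: did, Info: info}
	id.Sig = ed25519.Sign(issuerPriv, idBytes(id))
	commPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half stays with the user
	c := CommunicationVC{Subject: did, CommPub: commPub}
	c.Sig = ed25519.Sign(priv, commBytes(c))
	return Hello{DID: did, ID: id, Comm: c}
}
```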

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311487160.9A CN117294719A (en) 2023-11-09 2023-11-09 Communication authentication and point-to-point encryption transmission method and device based on did

Publications (1)

Publication Number Publication Date
CN117294719A true CN117294719A (en) 2023-12-26

Family

ID=89258794

Country Status (1)

Country Link
CN (1) CN117294719A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination