CN117424694A - Block chain-based company certificate management method and device and electronic equipment - Google Patents
Block chain-based company certificate management method and device and electronic equipment Download PDFInfo
- Publication number
- CN117424694A CN117424694A CN202311353461.2A CN202311353461A CN117424694A CN 117424694 A CN117424694 A CN 117424694A CN 202311353461 A CN202311353461 A CN 202311353461A CN 117424694 A CN117424694 A CN 117424694A
- Authority
- CN
- China
- Prior art keywords
- verification
- data
- ciphertext
- certificate
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000007726 management method Methods 0.000 title claims description 151
- 238000012795 verification Methods 0.000 claims abstract description 243
- 238000000034 method Methods 0.000 claims abstract description 59
- 230000004044 response Effects 0.000 claims abstract description 6
- 238000004891 communication Methods 0.000 claims description 31
- 238000004364 calculation method Methods 0.000 claims description 10
- 238000003491 array Methods 0.000 claims description 8
- 238000012163 sequencing technique Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 description 17
- 230000006870 function Effects 0.000 description 13
- 238000012545 processing Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 238000013459 approach Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000001105 regulatory effect Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000001010 compromised effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
- 210000001525 retina Anatomy 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Biodiversity & Conservation Biology (AREA)
- Development Economics (AREA)
- General Health & Medical Sciences (AREA)
- Power Engineering (AREA)
- Computing Systems (AREA)
- Life Sciences & Earth Sciences (AREA)
- Health & Medical Sciences (AREA)
- Entrepreneurship & Innovation (AREA)
- Accounting & Taxation (AREA)
- Biomedical Technology (AREA)
- Economics (AREA)
- Finance (AREA)
- Marketing (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a method, a device and electronic equipment for managing company certificates based on a blockchain, wherein the method comprises the following steps: acquiring biological information of a user in response to an operation of the user to view the encryption certificate; generating an authentication key based on the biological information by a preset method; acquiring a prestored verification ciphertext, wherein the verification ciphertext is generated by encrypting verification data based on an encryption certificate; decrypting the verification ciphertext by adopting a preset algorithm according to the verification key to obtain a first verification plaintext; receiving a decryption private key input by a user, and decrypting the acquired ciphertext data to obtain decrypted data; performing hash operation on the decrypted data to obtain a second verification plaintext; judging whether the first verification plaintext is identical to the second verification plaintext or not, and if the first verification plaintext is identical to the second verification plaintext, determining that the decrypted data is an encryption certificate. The method and the device can help the user to verify whether the received ciphertext data is the data encrypted by the original certificate.
Description
Technical Field
The application relates to the technical field of blockchain encryption, in particular to a method and a device for managing company certificates based on blockchains and electronic equipment.
Background
Typically, a company or enterprise needs to manage various certificates to ensure that their business is legal, compliant, and meets regulatory requirements. And some of them have high confidentiality requirements, as they relate to sensitive information, security or special legal requirements. Such as electronic signatures and authentication certificates, corporate confidentiality protocols, information security management system authentication, etc. Companies or enterprises need to ensure that they comply with applicable regulations and take necessary measures to protect confidentiality.
At present, when a company or an enterprise or public institution manages a certificate with high confidentiality requirement, the certificate is often encrypted to obtain ciphertext data. However, ciphertext data after encrypting the certificate may be intercepted on the way to the user, resulting in the user may not be able to obtain the original certificate. There is therefore a need for a method to assist the user in verifying whether the received ciphertext data is the original certificate encrypted data.
Disclosure of Invention
The application provides a method, a device and electronic equipment for managing company certificates based on a blockchain, which can help a user to verify whether received ciphertext data is encrypted data of an original certificate.
In a first aspect of the present application, there is provided a blockchain-based company certificate management method applied to any one of a plurality of certificate management nodes in a certificate management system, the method comprising:
acquiring biological information of a user in response to an operation of the user to view an encryption certificate;
generating a verification key based on the biological information by a preset method;
acquiring a pre-stored verification ciphertext, wherein the verification ciphertext is generated by encrypting verification data based on the encryption certificate;
decrypting the verification ciphertext by adopting a preset algorithm according to the verification key to obtain a first verification plaintext;
receiving a decryption private key input by a user, and decrypting the acquired ciphertext data to obtain decrypted data;
performing hash operation on the decrypted data to obtain a second verification plaintext;
judging whether the first verification plaintext is identical to the second verification plaintext or not, and if the first verification plaintext is identical to the second verification plaintext, determining that the decrypted data is the encryption certificate.
By adopting the technical scheme, when a user needs to check the encryption certificate, the certificate management node decrypts the verification ciphertext according to the verification key generated by the biological information of the user. Because the verification ciphertext is encrypted verification data generated based on the encryption certificate, the verification ciphertext is decrypted to obtain a first verification plaintext. And when the user acquires the ciphertext data, the user needs to verify whether the ciphertext data is encrypted by the original encryption certificate. Firstly, decryption is to decrypt the data to obtain decrypted data. And then the certificate management node carries out hash operation on the decrypted data to obtain a second verification plaintext. Finally, the certificate management node judges whether the decrypted data is an encrypted certificate by comparing whether the first verification plaintext is consistent with the second verification plaintext. And if the first verification plaintext is consistent with the second verification plaintext, indicating that the ciphertext data obtained by the user is the data encrypted by the original encryption certificate.
Optionally, the generating, by a preset method, the verification key based on the biological information specifically includes:
acquiring binary data of the biological information;
performing group splitting on the binary data to obtain a plurality of groups of sub data;
coding each group of the sub data to obtain a plurality of coding results;
inserting each coding result into corresponding sub data to obtain a plurality of coded data;
according to the sequence of each group of the sub data, sequencing and merging the coded data to obtain an encryption key;
and generating the verification key by adopting an asymmetric encryption algorithm according to the encryption key.
By adopting the technical scheme, the biological information is split and encoded and then the encryption key is formed, and the encryption key obtained after the biological information is processed is difficult to be deduced because the biological information is generally unique. The biological information is processed to obtain an encryption key, and then an authentication key is generated according to the encryption key through an asymmetric encryption algorithm, so that the most complicated processing process makes it very difficult to infer the authentication key. Meanwhile, an encryption key for encrypting the verification plaintext or a decryption key for unlocking the verification ciphertext is generated based on the biological information of the user. If the verification ciphertext is forged, the decryption key of the user cannot decrypt the forged verification ciphertext, so that the user can judge that the verification ciphertext received by the user is forged. And when the user decrypts the verification ciphertext in the follow-up process, the user can obtain the verification key only by inputting the biological information of the user, the user does not need to memorize the verification key, and the manager does not need to send the verification key to the user, so that the possibility of leakage of the verification key is greatly reduced.
Optionally, before the obtaining the pre-stored verification ciphertext, the method further includes:
performing the hash operation on the encrypted certificate to obtain a verification plaintext;
and encrypting the verification plaintext by adopting the preset encryption algorithm according to the encryption key to obtain the verification ciphertext.
By adopting the technical scheme, the encryption certificate is subjected to hash operation to obtain a verification plaintext, and the verification plaintext is encrypted by adopting an encryption key generated based on the user identity information to obtain a verification ciphertext. The user can verify that the ciphertext is stolen in time when verifying the ciphertext data received by the user through the verification ciphertext, and the encryption certificate cannot be deduced through the verification ciphertext, so that the security of the encryption certificate is ensured.
Optionally, before the acquiring the biological information of the user in response to the operation of viewing the encrypted certificate by the user, the method further includes:
receiving communication broadcasting sent by a plurality of management nodes, wherein the communication broadcasting comprises network connection information of the management nodes;
verifying the network connection information according to the communication broadcast;
after the network connection information is verified to pass, a connection request is sent to a management node corresponding to the network connection information which passes the verification;
And determining that the management node responding to the connection request and returning connection information is the certificate management node in the plurality of management nodes, and establishing connection with other certificate management nodes.
By adopting the technical scheme, when the certificate management system is built by the plurality of certificate management nodes, the security of other management nodes is verified according to the network connection information received by communication broadcast. After verification, connection with other nodes of the certificate is established to form a certificate management system, and the verification process ensures the security of the certificate management node to a certain extent, so that the risk of leakage of the subsequent encrypted certificate is reduced.
Optionally, before decrypting the verification ciphertext by a preset algorithm according to the verification key to obtain a first verification plaintext, the method further includes:
binding the verification ciphertext with the preset algorithm;
and sending the verification ciphertext after binding to a plurality of other certificate management nodes.
By adopting the technical scheme, the verification ciphertext is bound with the preset algorithm, and the subsequent user can decrypt the verification ciphertext by adopting the preset algorithm through the decryption key. Meanwhile, the certificate management node sends the verification ciphertext to other certificate management nodes, so that data synchronization can be realized, and a user can verify at any one certificate management node. Meanwhile, only the verification ciphertext is synchronized, and the encryption certificate cannot be reversely pushed out through the verification ciphertext, so that the possibility of secret leakage of the encryption certificate in the verification process is reduced.
Optionally, before the receiving the decryption private key input by the user and decrypting the obtained ciphertext data to obtain the decrypted data, the method further includes:
generating a set of random arrays, and setting the random arrays as the decryption private key;
generating an encryption public key according to the decryption private key according to an asymmetric encryption algorithm;
and encrypting the encryption certificate by adopting the preset algorithm according to the encryption public key to obtain the ciphertext data.
By adopting the technical scheme, the generated random array is used as a decryption private key. This makes the decryption private key more difficult to predict, improving the security of the decryption private key. The encryption public key obtained through the non-characteristic encryption algorithm cannot be used for pushing out the decryption private key through the encryption public key even if the encryption public key is leaked, so that the ciphertext data cannot be decrypted to obtain the encryption certificate.
7, optionally, receiving a decryption private key input by the user, and decrypting the obtained ciphertext data to obtain decrypted data, which specifically includes:
receiving the ciphertext data input by the user and the unlocking private key;
and decrypting the ciphertext data by adopting a preset algorithm according to the unlocking private key to obtain decrypted data.
By adopting the technical scheme, in the blockchain technology, the decryption private key is used as the core part of encryption, and as long as the decryption private key is not revealed, other people can never decrypt through the encrypted real ciphertext data to obtain the original encryption certificate. Even if the encrypted public key is known, the decrypted data decrypted by the user through the decrypted private key is not the original encrypted certificate.
In a second aspect of the present application, there is provided a blockchain-based company certificate management apparatus, the apparatus being any one of a plurality of certificate management nodes in a certificate management system, the certificate management node including an acquisition module, a generation module, a calculation module, and a verification module, wherein:
the acquisition module is used for responding to the operation of checking the encryption certificate by the user and acquiring the biological information of the user;
the generation module is used for generating a verification key based on the biological information through a preset method;
the acquisition module is used for acquiring a prestored verification ciphertext;
the computing module is used for decrypting the verification ciphertext by adopting a preset algorithm according to the verification key to obtain a first verification plaintext;
The computing module is used for receiving a decryption private key input by a user, decrypting the acquired ciphertext data and obtaining decrypted data;
the computing module is used for carrying out hash operation on the decrypted data to obtain a second verification plaintext;
the verification module is configured to determine whether the first verification plaintext is identical to the second verification plaintext, and if the first verification plaintext is identical to the second verification plaintext, determine that the decrypted data is the encrypted certificate.
Optionally, binary data of the biological information is acquired.
And carrying out group splitting on the binary data to obtain a plurality of groups of sub data.
And encoding each group of the sub data to obtain a plurality of encoding results.
And inserting each coding result into the corresponding sub data to obtain a plurality of coded data.
And according to the sequence of the sub data of each group, sequencing and combining the coded data to obtain an encryption key.
And generating the verification key by adopting an asymmetric encryption algorithm according to the encryption key.
Optionally, the hash operation is performed on the encrypted certificate to obtain a verification plaintext.
And encrypting the verification plaintext by adopting the preset encryption algorithm according to the encryption key to obtain the verification ciphertext.
Optionally, a communication broadcast sent by a plurality of the management nodes is received, where the communication broadcast includes network connection information of the management nodes.
And verifying the network connection information according to the communication broadcast.
After the network connection information is verified to pass, a connection request is sent to a management node corresponding to the network connection information which passes the verification.
And determining that the management node responding to the connection request and returning connection information is the certificate management node in the plurality of management nodes, and establishing connection with other certificate management nodes.
Optionally, the verification ciphertext is bound with the preset algorithm.
And sending the verification ciphertext after binding to a plurality of other certificate management nodes.
Optionally, a set of random arrays is generated, and the random arrays are set as the decryption private key.
And generating an encryption public key according to the decryption private key according to an asymmetric encryption algorithm.
And encrypting the encryption certificate by adopting the preset algorithm according to the encryption public key to obtain the ciphertext data.
Optionally, the ciphertext data input by the user and the unlocking private key are received.
And decrypting the ciphertext data by adopting a preset algorithm according to the unlocking private key to obtain decrypted data.
In a third aspect the present application provides an electronic device comprising a processor, a memory for storing instructions, a user interface and a network interface, both for communicating with other devices, the processor being for executing the instructions stored in the memory to cause the electronic device to perform a method as claimed in any one of the preceding claims.
In a fourth aspect of the present application, there is provided a computer readable storage medium storing instructions that, when executed, perform a method as claimed in any one of the preceding claims.
In summary, one or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. and after the manager encrypts the encryption certificate by adopting the encryption public key, the encrypted ciphertext data is sent to the user. But may be intercepted on the way to the user, resulting in the user receiving non-authentic ciphertext data, which the user needs to verify as being authentic. After the user decrypts the ciphertext data by the decryption private key, decrypted data is obtained, and the decrypted data may be the original encryption certificate or may not be the original encryption certificate. The management node carries out hash operation on the decrypted data to obtain a second verification plaintext.
And the manager carries out hash operation on the encryption certificate to obtain a verification plaintext. And then encrypting the verification plaintext by adopting an encryption key generated based on the biological information of the user to obtain the verification ciphertext. Since the encryption key is generated based on the biometric information of the user, even if the authentication ciphertext is counterfeited when encrypting the authentication plaintext, the user cannot decrypt the counterfeited authentication ciphertext by using the decryption key generated based on the biometric information of the user. Only after decrypting the true verification ciphertext, a first verification plaintext may be obtained. Finally, the certificate management node determines whether the original encryption certificate is obtained by the user by judging whether the first verification plaintext and the second verification plaintext which are obtained by two approaches are consistent. And if the first verification plaintext is consistent with the second verification plaintext, indicating that the ciphertext data received by the user is ciphertext data encrypted by the encryption certificate. And if the first verification plaintext is inconsistent with the second verification plaintext, indicating that the ciphertext data received by the user is not ciphertext data encrypted by the original encryption certificate.
2. The biological information is split-encoded and then constitutes an encryption key, which is difficult to infer after processing because the biological information is generally unique. The biological information is processed to obtain an encryption key, and then an authentication key is generated according to the encryption key through an asymmetric encryption algorithm, so that the most complicated processing process makes it very difficult to infer the authentication key. Meanwhile, an encryption key for encrypting the verification plaintext or a decryption key for unlocking the verification ciphertext is generated based on the biological information of the user. If the verification ciphertext is forged, the decryption key of the user cannot decrypt the forged verification ciphertext, so that the user can judge that the verification ciphertext received by the user is forged. And when the user decrypts the verification ciphertext in the follow-up process, the user can obtain the verification key only by inputting the biological information of the user, the user does not need to memorize the verification key, and the manager does not need to send the verification key to the user, so that the possibility of leakage of the verification key is greatly reduced.
Drawings
FIG. 1 is a flow diagram of a blockchain-based company certificate management method as disclosed in embodiments of the present application;
FIG. 2 is a schematic diagram of a certificate management system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a blockchain-based company certificate management method as disclosed in embodiments of the present application;
FIG. 4 is a schematic diagram of a blockchain-based company certificate management device according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Reference numerals illustrate: 401. an acquisition module; 402. a generating module; 403. a computing module; 404. a verification module; 501. a processor; 502. a communication bus; 503. a user interface; 504. a network interface; 505. a memory.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present application, but not all embodiments.
In the description of embodiments of the present application, words such as "for example" or "for example" are used to indicate examples, illustrations or descriptions. Any embodiment or design described herein as "such as" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "or" for example "is intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present application, the term "plurality" means two or more. For example, a plurality of systems means two or more systems, and a plurality of screen terminals means two or more screen terminals. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating an indicated technical feature. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Typically, a company or enterprise needs to manage various certificates to ensure that their business is legal, compliant, and meets regulatory requirements. And some of them have high confidentiality requirements, as they relate to sensitive information, security or special legal requirements. Such as electronic signatures and authentication certificates, corporate confidentiality protocols, information security management system authentication, etc. Companies or enterprises need to ensure that they comply with applicable regulations and take necessary measures to protect confidentiality.
At present, when a company or an enterprise or public institution manages a certificate with high confidentiality requirement, a mode of ensuring communication and data security based on a digital certificate issued by a centralized authority is often adopted. In this traditional management approach, an authority (e.g., a CA) issues digital certificates that are used to verify the identity of the entity, thereby establishing trust. These digital certificates are then used to encrypt communications and verify the integrity of the data, ensuring the security of the information.
Traditional management methods rely on centralized authorities that may be compromised if they are attacked or fail. Resulting in the certificate of the company or enterprise being subject to accidental disclosure. The blockchain technology is a technical scheme which does not depend on a third party and performs storage, verification, transmission and communication of network data through self-distributed nodes. Blockchain technology is a distributed, de-centralized technology that uses cryptography to ensure the security and integrity of data by storing the data in a series of interlinked blocks.
Typically, the manager encrypts the encrypted certificate that needs to be encrypted using a public key. And then the encrypted ciphertext data is sent to the user, and the public key is generated according to the private key of the user, so that the user can decrypt the ciphertext data by using the private key to obtain the encryption certificate. But ciphertext data may be intercepted on the way to the user, such that the user may not be able to obtain the original encryption certificate. There is therefore a need for a method to assist the user in verifying whether the received ciphertext data is the original certificate encrypted data.
The embodiment discloses a method for managing company certificates based on a blockchain, referring to fig. 1, comprising the following steps:
s110, responding to the operation of checking the encryption certificate by the user, and acquiring the biological information of the user.
The embodiment of the application discloses a block chain-based company certificate management method which is applied to any one of a plurality of certificate management nodes in a certificate management system, wherein the certificate management node is an execution unit on the certificate management system. A plurality of certificate management nodes are connected to each other to form a P2P network that carries communications, computations, and storage over the blockchain. After the certificate management node is networked (joins the federation), it becomes a consensus unit on the certificate management system. The plurality of certificate management nodes participate in the consensus, ensuring the consistency of transactions on the certificate management system.
Before this, each management node needs to establish a connection with other management nodes, and the certificate management system is assembled. Since all management nodes are peer nodes to each other, all management nodes use a peer discovery protocol at the time of construction to discover and connect to other online nodes. Any one of the management nodes first sends a communication broadcast to other management nodes in the network via a broadcast message. These broadcasts may be based on different communication protocols, such as UDP (user datagram protocol) or TCP (transmission control protocol). The communication broadcast typically contains network connection information such as identification information of the management node, IP address, port number, and other network related information. The communication broadcast further includes a specific identifier of the network in which the management node is located so that other management nodes can determine whether the communication broadcast should be responded to.
After the received connection information is verified, any management node sends a connection request to the management node corresponding to the verified network connection information. For example, after the management node a verifies that the network connection information of the management node B passes, a connection request is sent to the management node B. The connection request typically includes identification information of the requesting initiator so that the receiving party knows who is requesting to establish the connection. The connection request also includes a certificate or digital signature of the requesting party to increase the trustworthiness of the request. Then, if the management node B receives the connection request, the connection request is responded and the returned connection information is management node a, and the identification information of the receiving party should be included in the connection information, so that the requesting party knows which management node it is communicating with. Finally, the management node A establishes connection with the management node B, and mutually sets the other party as a certificate management node. Based on the above principle, any one certificate management node needs to establish connection with all other certificate management nodes, and referring to fig. 2, a certificate management system is formed. Thus, any certificate management node in the certificate management system fails, and the certificate management system can still normally operate.
When the certificate management system is built by the plurality of certificate management nodes, the security of other management nodes is verified according to the network connection information received by the communication broadcast. After verification, connection with other nodes of the certificate is established to form a certificate management system, and the verification process ensures the security of the certificate management node to a certain extent, so that the risk of leakage of the subsequent encrypted certificate is reduced.
After the certificate management system is built, a manager needs to encrypt the certificate, and the manager is authenticated and authorized and has certificate management authority. The manager can verify at any certificate management node, and can verify biological information or other verification modes. After the certificate management node passes the verification of the manager, a random decryption private key is generated, and an encryption public key is generated according to the decryption private key, which means that the encryption public key can be obtained through the decryption private key, but the decryption private key cannot be obtained through the encryption public key. Key pairs are typically generated using asymmetric encryption algorithms, such as RSA or Elliptic Curve Cryptography (ECC).
The manager then inputs the encryption certificate to the node, the certificate management node encrypts the encryption certificate, first selects the appropriate asymmetric encryption algorithm (e.g., RSA or ECC), and ensures that the data will be encrypted according to the selected algorithm. The plaintext data of the encrypted certificate is then converted to a binary format for mathematical operations. An encryption operation is performed using the encryption public key. This typically involves performing a mathematical operation on the encrypted certificate to generate ciphertext data. This operation is irreversible, meaning that only the receiver with the corresponding decryption private key can decrypt the ciphertext data.
After the manager determines the user capable of viewing the encryption certificate, the ciphertext data and the decryption private key are separately transmitted to the user through a secure path, and the user can unlock the encryption certificate through the decryption private key at the moment. But in general, since unlocking the private key uses an entity file to deliver the user, the ciphertext data is sent online. And the encryption public key is public, then means that encrypted ciphertext data is intercepted, then a pseudo certificate is made, and encryption is carried out by adopting the same algorithm through the encryption public key, so as to obtain a section of ciphertext data. After the ciphertext data is sent to the user, the user can not judge the authenticity of the decrypted data after decrypting the ciphertext data through the decryption private key, namely, whether the decrypted data is an encryption certificate can not be judged. The user needs to verify whether the ciphertext data is encrypted by the original encryption certificate.
In order to facilitate the subsequent authentication of the user, the certificate management node obtains the biological information of the user, which is the information of the physical or physiological characteristics of the user, and is generally used for identifying, authenticating identity or performing biological identification. Such biometric information is typically data related to a unique physiological characteristic of the individual, including, but not limited to, fingerprint, iris, retina, face, voiceprint, and handwriting recognition. The binary data of the biometric information is then encoded and converted into an encryption key comprising random numbers and letters.
Specifically, binary data is first split into multiple groups, each group of sub-data is random in length, but any two groups of data cannot have overlapping portions. For example, there is a set of binary data "10110110101011", which can be split into two sets of sub-data "1011011" and "0101011", but not "10110110" and "0101011". Each set of sub-data is then converted to decimal data, yielding "91" and "43" respectively in the example above. And then, according to the decimal data, standard Base64 coding is carried out, and a corresponding coding result is obtained. In the above example, "91" is encoded to obtain "OTE" and "43" is encoded to obtain "NDM". And finally, selecting an inserting mode, and inserting the coding result into the corresponding sub-data to obtain the coding data. And finally, sequencing and combining the coded data according to the sequence to obtain an encryption key. In the above example, the obtained encoding result is inserted into the first sub data, and then combined, thereby obtaining the encryption key "OTE1011011NDM0101011". An asymmetric encryption algorithm is then used to generate an authentication key based on the encryption key for subsequent decryption of ciphertext encrypted by the encryption key.
The biological information is split-encoded and then constitutes an encryption key, which is difficult to infer after processing because the biological information is generally unique. The biological information is processed to obtain an encryption key, and then an authentication key is generated according to the encryption key through an asymmetric encryption algorithm, so that the most complicated processing process makes it very difficult to infer the authentication key. Meanwhile, an encryption key for encrypting the verification plaintext or a decryption key for unlocking the verification ciphertext is generated based on the biological information of the user. If the verification ciphertext is forged, the decryption key of the user cannot decrypt the forged verification ciphertext, so that the user can judge that the verification ciphertext received by the user is forged. And when the user decrypts the verification ciphertext in the follow-up process, the user can obtain the verification key only by inputting the biological information of the user, the user does not need to memorize the verification key, and the manager does not need to send the verification key to the user, so that the possibility of leakage of the verification key is greatly reduced.
S120, generating a verification key based on the biological information through a preset method.
According to the principle in step S110, the certificate management node generates an encryption key based on the received biometric information of the user, using the same encryption algorithm method as in step S110, and then generates a verification key based on the encryption key. Since the above steps are described in detail as to how to convert the biometric information into the authentication key according to the preset method, further description is omitted herein.
S130, obtaining a pre-stored verification ciphertext.
Before that, the certificate management node generates a verification ciphertext according to the encryption certificate, and the verification ciphertext is used for a subsequent user to judge whether the received original encryption certificate is sent by a manager or not. Firstly, a hash function, such as SHA-256, is selected to hash the encrypted certificate to obtain a set of hash values with fixed length, namely, to verify the plaintext. And then, encrypting the verification plaintext by adopting a preset encryption algorithm according to the encryption key to obtain the verification ciphertext. The generation of the verification ciphertext requires the use of an asymmetric encryption algorithm, such as RSA or Elliptic Curve Digital Signature Algorithm (ECDSA). And carrying out hash operation on the encryption certificate to obtain a verification plaintext, and encrypting the verification plaintext by adopting an encryption key generated based on the user identity information to obtain a verification ciphertext. The user can verify that the ciphertext is stolen in time when verifying the ciphertext data received by the user through the verification ciphertext, and the encryption certificate cannot be deduced through the verification ciphertext, so that the security of the encryption certificate is ensured.
After the preparation work, the certificate management node performing the preparation work binds the verification ciphertext with the adopted preset encryption algorithm and sends the verification ciphertext to all other certificate management nodes to complete data synchronization. By binding the verification ciphertext with a preset algorithm, a subsequent user can decrypt the verification ciphertext by using the preset algorithm through a decryption key. Meanwhile, the certificate management node sends the verification ciphertext to other certificate management nodes, so that data synchronization can be realized, and a user can verify at any one certificate management node. Meanwhile, only the verification ciphertext is synchronized, and the encryption certificate cannot be reversely pushed out through the verification ciphertext, so that the possibility of secret leakage of the encryption certificate in the verification process is reduced.
After the manager generates the verification ciphertext according to the encryption certificate through any one certificate management node, the certificate management node sends the verification ciphertext to all other certificate management nodes, so that any one certificate management node stores the verification ciphertext in a certificate management system. When the user refers to the encryption certificate, after generating the verification key according to the biological information, the verification ciphertext can be downloaded at any certificate management node.
And S140, decrypting the verification ciphertext by adopting a preset algorithm according to the verification key to obtain a first verification plaintext.
In the previous step, the certificate management node encrypts the verification plaintext by adopting a preset algorithm according to the certificate encryption key. After the user obtains the verification ciphertext through the certificate management node and obtains the verification key according to the biological information of the user, the certificate management node needs to adopt the same preset algorithm as that in the encryption process, and the verification ciphertext is decrypted by using the verification key. For example, the authentication plaintext is encrypted by using the RSA algorithm in the encryption process, so that the decryption process also needs to use the RSA algorithm to decrypt. Because it is not determined whether the verification ciphertext downloaded by the certificate management node is the ciphertext encrypted by the original verification plaintext at this time, the user decrypts the downloaded verification ciphertext, and the obtained plaintext is called a first verification plaintext.
S150, carrying out hash operation on the decrypted data to obtain a second verification plaintext.
And then, after obtaining ciphertext data sent by a manager, the user inputs the ciphertext data to the certificate management node, and simultaneously inputs the obtained unlocking private key. And the certificate management node decrypts the ciphertext data by adopting a preset algorithm which is the same as the encryption certificate according to the decryption private key. For example, in the process of encrypting the encryption certificate, if the encryption certificate is encrypted by adopting an RSA algorithm according to the encryption public key. Then the ciphertext data should be decrypted using the same RSA algorithm based on the decryption private key. If the ciphertext data obtained by the user is encrypted data of the encryption certificate, the decrypted data after being decrypted should be theoretically the encryption certificate.
The generated random array is used as a decryption private key. This makes the decryption private key more difficult to predict, improving the security of the decryption private key. The encryption public key obtained through the non-characteristic encryption algorithm cannot be used for pushing out the decryption private key through the encryption public key even if the encryption public key is leaked, so that the ciphertext data cannot be decrypted to obtain the encryption certificate.
After obtaining the decrypted data, the certificate management node carries out hash operation on the decrypted data. Note that the hash function used at this time should be identical to the hash function used by the manager when the certificate management node generates the verification text in step S130. For example, by using the SHA-256 function to cause the encrypted certificate to generate the verification plaintext, then the decrypted data should also be caused to generate a second verification plaintext by the SHA-256 function.
In the blockchain technology, a decryption private key is used as a core part of encryption, and as long as the decryption private key is not revealed, others can never decrypt through the encrypted real ciphertext data to obtain an original encryption certificate. Even if the encrypted public key is known, the decrypted data decrypted by the user through the decrypted private key is not the original encrypted certificate.
S160, judging whether the first verification plaintext is identical to the second verification plaintext, and if the first verification plaintext is identical to the second verification plaintext, determining that the decrypted data is an encryption certificate.
Referring to fig. 3, the manager encrypts the encryption certificate using the encryption public key and then transmits the encrypted ciphertext data to the user. But may be intercepted on the way to the user, resulting in the user receiving non-authentic ciphertext data, which the user needs to verify as being authentic. After the user decrypts the ciphertext data by the decryption private key, decrypted data is obtained, and the decrypted data may be the original encryption certificate or may not be the original encryption certificate. The management node carries out hash operation on the decrypted data to obtain a second verification plaintext.
And the manager carries out hash operation on the encryption certificate to obtain a verification plaintext. And then encrypting the verification plaintext by adopting an encryption key generated based on the biological information of the user to obtain the verification ciphertext. Since the encryption key is generated based on the biometric information of the user, even if the authentication ciphertext is counterfeited when encrypting the authentication plaintext, the user cannot decrypt the counterfeited authentication ciphertext by using the decryption key generated based on the biometric information of the user. Only after decrypting the true verification ciphertext, a first verification plaintext may be obtained. Finally, the certificate management node determines whether the original encryption certificate is obtained by the user by judging whether the first verification plaintext and the second verification plaintext which are obtained by two approaches are consistent. And if the first verification plaintext is consistent with the second verification plaintext, indicating that the ciphertext data received by the user is ciphertext data encrypted by the encryption certificate. And if the first verification plaintext is inconsistent with the second verification plaintext, indicating that the ciphertext data received by the user is not ciphertext data encrypted by the original encryption certificate.
The embodiment also discloses a blockchain-based company certificate management device, which is any one of a plurality of certificate management nodes in a certificate management system, referring to fig. 4, the certificate management node includes an acquisition module 401, a generation module 402, a calculation module 403 and a verification module 404, wherein:
the obtaining module 401 is configured to obtain biometric information of the user in response to an operation of viewing the encrypted certificate by the user.
A generation module 402, configured to generate a verification key based on the biometric information through a preset method.
The obtaining module 401 is configured to obtain a pre-stored verification ciphertext.
The calculation module 403 is configured to decrypt the verification ciphertext by using a preset algorithm according to the verification key, to obtain a first verification plaintext.
The calculation module 403 is configured to receive a decryption private key input by a user, decrypt the obtained ciphertext data, and obtain decrypted data.
The calculation module 403 is configured to perform a hash operation on the decrypted data to obtain a second verification plaintext.
The verification module 404 is configured to determine whether the first verification plaintext is identical to the second verification plaintext, and determine that the decrypted data is an encrypted certificate if the first verification plaintext is identical to the second verification plaintext.
In one possible implementation, the acquiring module 401 is configured to acquire binary data of biological information.
The calculating module 403 is configured to split the binary data into groups to obtain multiple groups of sub-data.
The calculating module 403 is configured to encode each group of sub-data to obtain a plurality of encoding results.
The calculating module 403 is configured to insert each encoding result into the corresponding sub-data to obtain a plurality of encoded data.
The generating module 402 is configured to sort and combine the encoded data according to the order of the sets of sub-data, so as to obtain an encryption key.
The computing module 403 is configured to generate the verification key according to the encryption key by adopting an asymmetric encryption algorithm.
In one possible implementation, the computing module 403 is configured to hash the encrypted certificate to obtain the verification plaintext.
The calculation module 403 is configured to encrypt the verification ciphertext by using a preset encryption algorithm according to the encryption key, so as to obtain the verification ciphertext.
In a possible implementation manner, the obtaining module 401 is configured to receive a communication broadcast sent by a plurality of management nodes, where the communication broadcast includes network connection information of the management nodes.
And the verification module 404 is configured to verify the network connection information according to the communication broadcast.
And the verification module 404 is configured to send a connection request to a management node corresponding to the network connection information passing through the verification after the network connection information passes through the verification.
The generating module 402 is configured to determine that, among the plurality of management nodes, a management node that responds to the connection request and returns connection information is a certificate management node, and establish a connection with another certificate management node.
In one possible implementation, the generating module 402 is configured to bind the verification ciphertext with a preset algorithm.
And the verification module 404 is configured to send the verification ciphertext after binding to the other certificate management nodes.
In one possible implementation, the generating module 402 is configured to generate a set of random arrays, and set the random arrays to the decryption private key.
A calculation module 403, configured to generate an encrypted public key according to the decryption private key according to an asymmetric encryption algorithm.
The calculation module 403 is configured to encrypt the encrypted certificate by using a preset algorithm according to the encrypted public key, so as to obtain ciphertext data.
In one possible implementation, the obtaining module 401 is configured to receive ciphertext data input by a user and unlock a private key.
The calculation module 403 is configured to decrypt the ciphertext data by using a preset algorithm according to the unlocking private key, to obtain decrypted data.
It should be noted that: in the device provided in the above embodiment, when implementing the functions thereof, only the division of the above functional modules is used as an example, in practical application, the above functional allocation may be implemented by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to implement all or part of the functions described above. In addition, the embodiments of the apparatus and the method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the embodiments of the method are detailed in the method embodiments, which are not repeated herein.
The embodiment also discloses an electronic device, referring to fig. 5, the electronic device may include: at least one processor 501, at least one communication bus 502, a user interface 503, a network interface 504, at least one memory 505.
Wherein a communication bus 502 is used to enable connected communications between these components.
The user interface 503 may include a Display screen (Display) and a Camera (Camera), and the optional user interface 503 may further include a standard wired interface and a standard wireless interface.
The network interface 504 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), among others.
Wherein the processor 501 may include one or more processing cores. The processor 501 connects various parts throughout the server using various interfaces and lines, performs various functions of the server and processes data by executing or executing instructions, programs, code sets, or instruction sets stored in the memory 505, and invoking data stored in the memory 505. Alternatively, the processor 501 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), programmable logic array (Programmable Logic Array, PLA). The processor 501 may integrate one or a combination of several of a central processor 501 (Central Processing Unit, CPU), an image processor 501 (Graphics Processing Unit, GPU), and a modem, etc. The CPU mainly processes an operating system, a user interface, an application program and the like; the GPU is used for rendering and drawing the content required to be displayed by the display screen; the modem is used to handle wireless communications. It will be appreciated that the modem may not be integrated into the processor 501 and may be implemented by a single chip.
The Memory 505 may include a random access Memory 505 (Random Access Memory, RAM), or may include a Read-Only Memory 505. Optionally, the memory 505 comprises a non-transitory computer readable medium (non-transitory computer-readable storage medium). Memory 505 may be used to store instructions, programs, code sets, or instruction sets. The memory 505 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the above-described various method embodiments, etc.; the storage data area may store data or the like involved in the above respective method embodiments. The memory 505 may also optionally be at least one storage device located remotely from the processor 501. As shown, an operating system, network communication module, user interface 503 module, and an application of a blockchain-based company certificate management method may be included in the memory 505 as a computer storage medium.
In the electronic device shown in fig. 5, the user interface 503 is mainly used for providing an input interface for a user, and acquiring data input by the user; and the processor 501 may be configured to invoke an application in the memory 505 that stores a blockchain-based company certificate management method that, when executed by the one or more processors 501, causes the electronic device to perform the method as in one or more of the embodiments described above.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.
In the several embodiments provided herein, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, such as a division of units, merely a division of logic functions, and there may be additional divisions in actual implementation, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some service interface, device or unit indirect coupling or communication connection, electrical or otherwise.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory 505. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a memory 505, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. Whereas the aforementioned memory 505 includes: various media capable of storing program codes, such as a U disk, a mobile hard disk, a magnetic disk or an optical disk.
The foregoing is merely exemplary embodiments of the present disclosure and is not intended to limit the scope of the present disclosure. That is, equivalent changes and modifications are contemplated by the teachings of this disclosure, which fall within the scope of the present disclosure. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This application is intended to cover any adaptations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a scope and spirit of the disclosure being indicated by the claims.
Claims (10)
1. A blockchain-based company certificate management method, wherein the method is applied to any one of a plurality of certificate management nodes in a certificate management system, the method comprising:
acquiring biological information of a user in response to an operation of the user to view an encryption certificate;
generating a verification key based on the biological information by a preset method;
acquiring a pre-stored verification ciphertext, wherein the verification ciphertext is generated by encrypting verification data based on the encryption certificate;
Decrypting the verification ciphertext by adopting a preset algorithm according to the verification key to obtain a first verification plaintext;
receiving a decryption private key input by a user, and decrypting the acquired ciphertext data to obtain decrypted data;
performing hash operation on the decrypted data to obtain a second verification plaintext;
judging whether the first verification plaintext is identical to the second verification plaintext or not, and if the first verification plaintext is identical to the second verification plaintext, determining that the decrypted data is the encryption certificate.
2. The blockchain-based company certificate management method according to claim 1, wherein the generating the verification key based on the biometric information by the preset method specifically comprises:
acquiring binary data of the biological information;
performing group splitting on the binary data to obtain a plurality of groups of sub data;
coding each group of the sub data to obtain a plurality of coding results;
inserting each coding result into corresponding sub data to obtain a plurality of coded data;
according to the sequence of each group of the sub data, sequencing and merging the coded data to obtain an encryption key;
and generating the verification key by adopting an asymmetric encryption algorithm according to the encryption key.
3. The blockchain-based company certificate management method of claim 2, wherein prior to the obtaining the pre-stored verification ciphertext, the method further comprises:
performing the hash operation on the encrypted certificate to obtain a verification plaintext;
and encrypting the verification plaintext by adopting the preset encryption algorithm according to the encryption key to obtain the verification ciphertext.
4. The blockchain-based company certificate management method of claim 1, wherein before the acquiring the biometric information of the user in response to the operation of viewing the encrypted certificate by the user, the method further comprises:
receiving communication broadcasting sent by a plurality of management nodes, wherein the communication broadcasting comprises network connection information of the management nodes;
verifying the network connection information according to the communication broadcast;
after the network connection information is verified to pass, a connection request is sent to a management node corresponding to the network connection information which passes the verification;
and determining that the management node responding to the connection request and returning connection information is the certificate management node in the plurality of management nodes, and establishing connection with other certificate management nodes.
5. A blockchain-based company certificate management method as in claim 3, wherein prior to said decrypting said verification ciphertext using a predetermined algorithm based on said verification key to obtain a first verification plaintext, said method further comprises:
binding the verification ciphertext with the preset algorithm;
and sending the verification ciphertext after binding to a plurality of other certificate management nodes.
6. The blockchain-based company certificate management method of claim 1, wherein before the receiving a decryption private key input by a user decrypts the obtained ciphertext data to obtain decrypted data, the method further comprises:
generating a set of random arrays, and setting the random arrays as the decryption private key;
generating an encryption public key according to the decryption private key according to an asymmetric encryption algorithm;
and encrypting the encryption certificate by adopting the preset algorithm according to the encryption public key to obtain the ciphertext data.
7. The blockchain-based company certificate management method of claim 6, wherein the receiving the decryption private key input by the user decrypts the obtained ciphertext data to obtain the decrypted data, and specifically comprises:
Receiving the ciphertext data input by the user and the unlocking private key;
and decrypting the ciphertext data by adopting a preset algorithm according to the unlocking private key to obtain decrypted data.
8. A blockchain-based company certificate management apparatus, wherein the apparatus is any one of a plurality of certificate management nodes in a certificate management system, the certificate management node comprising an acquisition module (401), a generation module (402), a calculation module (403), and a verification module (404), wherein:
the acquisition module (401) is used for responding to the operation of checking the encryption certificate by a user and acquiring the biological information of the user;
-the generation module (402) for generating, by a preset method, a verification key based on the biometric information;
the acquisition module (401) is used for acquiring a prestored verification ciphertext;
the computing module (403) is configured to decrypt the verification ciphertext by using a preset algorithm according to the verification key, so as to obtain a first verification plaintext;
the computing module (403) is used for receiving a decryption private key input by a user, decrypting the acquired ciphertext data and obtaining decrypted data;
the computing module (403) is configured to perform a hash operation on the decrypted data to obtain a second verification plaintext;
The verification module (404) is configured to determine whether the first verification plaintext is identical to the second verification plaintext, and if the first verification plaintext is identical to the second verification plaintext, determine that the decrypted data is the encrypted certificate.
9. An electronic device comprising a processor (501), a memory (505), a user interface (503) and a network interface (504), the memory (505) for storing instructions, the user interface (503) and the network interface (504) each for communicating with other devices, the processor (501) for executing the instructions stored in the memory (505) to cause the electronic device to perform the method of any of claims 1-7.
10. A computer readable storage medium storing instructions which, when executed, perform the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311353461.2A CN117424694A (en) | 2023-10-18 | 2023-10-18 | Block chain-based company certificate management method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311353461.2A CN117424694A (en) | 2023-10-18 | 2023-10-18 | Block chain-based company certificate management method and device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117424694A true CN117424694A (en) | 2024-01-19 |
Family
ID=89531873
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311353461.2A Pending CN117424694A (en) | 2023-10-18 | 2023-10-18 | Block chain-based company certificate management method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117424694A (en) |
-
2023
- 2023-10-18 CN CN202311353461.2A patent/CN117424694A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109756485B (en) | Electronic contract signing method, electronic contract signing device, computer equipment and storage medium | |
| US11128477B2 (en) | Electronic certification system | |
| CN109714167B (en) | Identity authentication and key agreement method and equipment suitable for mobile application signature | |
| US10972272B2 (en) | Providing high availability computing service by issuing a certificate | |
| US8572387B2 (en) | Authentication of a peer in a peer-to-peer network | |
| CN113596046B (en) | Bidirectional authentication method, device, computer equipment and computer readable storage medium | |
| US9531540B2 (en) | Secure token-based signature schemes using look-up tables | |
| CN111131336B (en) | Resource access method, device, equipment and storage medium under multi-party authorization scene | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| CN112291062B (en) | Voting method and device based on block chain | |
| CN110020869B (en) | Method, device and system for generating block chain authorization information | |
| CN112703702A (en) | Distributed authentication | |
| CN114692218A (en) | Electronic signature method, equipment and system for individual user | |
| CN116633530A (en) | Quantum key transmission method, device and system | |
| CN112272088A (en) | Auditable signature method based on multiple secure parties and related components | |
| CN114168922B (en) | User CA certificate generation method and system based on digital certificate | |
| CN115277010A (en) | Identity authentication method, system, computer device and storage medium | |
| JP6742557B2 (en) | Authentication system | |
| CN107888548A (en) | A kind of Information Authentication method and device | |
| CN117436043A (en) | Method and device for verifying source of file to be executed and readable storage medium | |
| CN111245594B (en) | Homomorphic operation-based collaborative signature method and system | |
| CN110572257A (en) | Anti-quantum computing data source identification method and system based on identity | |
| CN113872769B (en) | Device authentication method and device based on PUF, computer device and storage medium | |
| CN112995213B (en) | Security authentication method and application device thereof | |
| CN112837064B (en) | Signature method, signature verification method and signature verification device for alliance chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |