CN118233193A - Identity authentication method, key storage method and device of Internet of things equipment - Google Patents

Publication number
CN118233193A
Authority
CN
China
Prior art keywords
internet
identity
things
equipment
hash value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410423336.2A
Other languages
Chinese (zh)
Inventor
孟涛
王溥严
程俊
吴晓华
陈松
罗正
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
GD Midea Heating and Ventilating Equipment Co Ltd
Original Assignee
University of Electronic Science and Technology of China
GD Midea Heating and Ventilating Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China, GD Midea Heating and Ventilating Equipment Co Ltd filed Critical University of Electronic Science and Technology of China
Priority to CN202410423336.2A priority Critical patent/CN118233193A/en
Publication of CN118233193A publication Critical patent/CN118233193A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an identity authentication method, a key storage method and a device for Internet of things equipment, and belongs to the technical field of the Internet of things. The method comprises the following steps: the Internet of things device sends a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of things device; the distributed identity is a decentralized identity identifier created in the blockchain by the Internet of things device; the first manager node verifies the distributed identity based on the identity identification file uploaded to the upper-layer blockchain in advance, generates a device certificate indicating that the identity of the Internet of things device is legal when the verification passes, and sends the device certificate to the Internet of things device; the identity identification file comprises the identity information of the Internet of things device. By recording the data of the Internet of things system, including the identity information of the Internet of things devices, on the blockchain, the identity of an Internet of things device can be effectively verified, the risk of data leakage is reduced, and the security of the data is improved.

Description

Identity authentication method, key storage method and device of Internet of things equipment
Technical Field
The application belongs to the technical field of the Internet of things, and particularly relates to an identity authentication method, a key storage method and a key storage device of Internet of things equipment.
Background
The Internet of Things (IoT) refers to a network that interconnects various physical devices, sensors, electronic devices and other objects through Internet connection and communication technologies. Entity objects in the Internet of things exchange and communicate information through information propagation media, so as to realize functions such as intelligent identification, positioning, tracking and supervision. The aim of the Internet of things is to achieve seamless connection of the physical world and the digital world, so that physical devices can interact with each other, share data and make intelligent decisions. With the development and popularization of electronic information technology, Internet of things technology can be applied to multiple fields such as smart home, intelligent transportation and smart power grids.
Devices in the Internet of things interact through information transmission media, and devices can be added to the Internet of things in order to add or update certain functions. To prevent illegal devices from joining the Internet of things and to avoid data leakage, identity authentication of newly connected devices is generally carried out in a centralized network mode. A typical main flow of identity authentication is as follows: device A sends an identity authentication request to the central server S, and the central server S receives the request; if the central server S considers device A illegal, device A is refused permission to join the Internet of things, and if the central server S considers device A legal, device A is allowed to join the Internet of things.
As the application fields of the Internet of things grow wider, the number of devices joining it keeps increasing. If these devices are managed in the traditional centralized network mode, huge investment in data center infrastructure construction and maintenance is required; in addition, a centralized platform has poor capability to resist malicious attacks, private data is easily leaked, and security is weak.
Disclosure of Invention
The present application aims to solve at least one of the technical problems existing in the prior art. Therefore, the application provides an identity authentication method, a key storage method and a device for Internet of things equipment, so that the risk of data leakage is reduced, and the safety of data is improved.
In a first aspect, the present application provides an identity authentication method for an internet of things device, which is characterized by comprising:
The Internet of things device sends a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of things device;
the first manager node verifies the distributed identity based on an identity identification file uploaded to an upper layer blockchain in advance, generates a device certificate indicating that the identity of the Internet of things device is legal under the condition that verification is passed, and sends the device certificate to the Internet of things device; the identification file comprises the identification information of the Internet of things equipment.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
According to one embodiment of the application, the method further comprises:
The Internet of things equipment sends an equipment identifier to an authoritative center node; the equipment identifier is an identifier for representing the identity of the equipment of the Internet of things;
The authority center node carries out hash operation on the equipment identifier to obtain a corresponding first hash value, and the first hash value is sent to the Internet of things equipment;
The internet of things equipment generates a key pair based on a random number, generates an identity identification file according to a public key in the key pair, the first hash value and the distributed identity identification, and uploads the identity identification file to an upper layer block chain.
In this embodiment, the authority center generates a corresponding hash value for the Internet of things device based on the device identifier, which provides the access precondition that the device needs at registration and remedies the weakness of traditional Internet of things device registration. The identity information of the Internet of things device is stored in an identity identification file on the blockchain, which on the one hand makes it convenient to check the legitimacy of the device and on the other hand preserves the device's information for subsequent verification, further improving the security of the data.
According to one embodiment of the present application, the first administrator node verifies the distributed identity based on an identity document previously uploaded to an upper layer blockchain, and generates a device credential indicating that the identity of the internet of things device is legal if the verification passes, including:
The first manager node forwards the network access registration request to a plurality of second manager nodes under the condition that the network access registration request is verified to be not tampered;
The second manager node acquires an identity document corresponding to the Internet of things device from an upper layer blockchain, verifies the distributed identity according to the identity document, generates a device sub-certificate under the condition that the verified identity is legal, and sends the device sub-certificate to the first manager node device;
and under the condition that the first manager node receives at least a preset number of device sub-credentials, generating the device credentials according to the at least preset number of device sub-credentials.
In the embodiment, the request message is forwarded to the plurality of second manager nodes, the plurality of second manager nodes respectively authenticate the Internet of things equipment, and the equipment certificate is generated after the authentication of the preset number of second manager nodes is passed.
According to one embodiment of the application, the method further comprises:
The first manager node broadcasts a first message that the Internet of things equipment is legal equipment in an upper layer block chain under the condition that the equipment certificate is generated, and uploads first authentication information representing that the Internet of things equipment is legal equipment to an upper layer authentication list of the upper layer block chain under the condition that the first message agrees; broadcasting a second message of the identification file positioning mode in a lower-layer blockchain, and uploading second authentication information representing the identification file positioning mode to a lower-layer authentication list of the lower-layer blockchain under the condition that the second message achieves consensus.
In this embodiment, after broadcast and consensus in the upper-layer and lower-layer blockchains, the related information of the Internet of things device is stored in the separate authentication lists of the upper-layer and lower-layer blockchains. On the one hand, this makes it easier to judge whether the Internet of things device is a malicious node; on the other hand, it preserves the positioning mode of the device's identity identification file, which is used to locate that file.
According to one embodiment of the application, the method further comprises:
The Internet of things equipment sends a communication request to a base station node, wherein the communication request comprises the distributed identity and the equipment certificate;
And under the condition that the equipment certificate passes verification, the base station node verifies whether the Internet of things equipment corresponding to the distributed identity is legal or not based on the first authentication information in the upper authentication list, if so, the identity file is positioned based on the second authentication information in the lower authentication list, the distributed identity is verified according to the identity file, and if so, a transmission channel with the Internet of things equipment is established.
In this embodiment, when a transmission channel between the base station and the Internet of things device is established, the distributed identity of the device is verified through the authentication list in the upper-layer blockchain and through the authentication list in the lower-layer blockchain. Even if a malicious attacker tampers with some data, the attacker cannot pass this multi-level verification, so the capability of resisting malicious attacks is greatly improved and communication security is improved.
In a second aspect, the present application provides an identity authentication method for an internet of things device, which is characterized by comprising:
Sending a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of things device, so that the first manager node can verify the distributed identity based on an identity identification file uploaded to an upper-layer blockchain in advance, generate, when the verification passes, a device certificate indicating that the identity of the Internet of things device is legal, and return the device certificate; the identity identification file comprises the identity information of the Internet of things device.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
According to one embodiment of the application, the method further comprises:
Transmitting the device identification to an authoritative central node; the equipment identifier is an identifier for representing the identity of the equipment of the Internet of things, so that the authority center node can perform hash operation on the equipment identifier to obtain a corresponding first hash value, and the first hash value is sent to the equipment of the Internet of things;
And generating a key pair based on the random number, generating an identity identification file according to a public key, a hash value and a distributed identity identification in the key pair, and uploading the identity identification file to an upper layer block chain.
According to one embodiment of the application, the method further comprises:
And sending a communication request to a base station node, wherein the communication request comprises the distributed identity and the equipment certificate, so that the base station node can verify whether the Internet of things equipment corresponding to the distributed identity is legal or not based on the first authentication information in the upper authentication list under the condition that the equipment certificate passes, if so, the identity file is positioned based on the second authentication information in the lower authentication list, the distributed identity is verified according to the identity file, and if so, a transmission channel with the Internet of things equipment is established.
In a third aspect, the present application provides an identity authentication method for an internet of things device, which is characterized by comprising:
Verifying the distributed identity based on the identity file which is uploaded to the upper layer block chain in advance; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
Generating a device certificate which indicates that the identity authentication of the Internet of things device is legal under the condition that verification is passed;
and sending the equipment certificate to the Internet of things equipment.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
According to one embodiment of the present application, the verifying the distributed identity based on the identity file uploaded to the upper layer blockchain in advance includes:
Forwarding the network access registration request to a plurality of second manager nodes under the condition that the network access registration request is verified to be not tampered, so that the second manager nodes can acquire an identity identification file corresponding to the Internet of things equipment from an upper layer blockchain, verify the distributed identity according to the identity identification file, generate equipment sub-credentials under the condition that the verified identity is legal, and return the equipment sub-credentials;
and under the condition that at least a preset number of device sub-certificates are received, the verification is passed, and the device certificates are generated according to the at least preset number of device sub-certificates.
According to one embodiment of the application, the method further comprises:
Broadcasting a first message that the Internet of things device is legal in an upper layer block chain under the condition that the device certificate is generated;
under the condition that the first message achieves consensus, uploading first authentication information representing that the Internet of things equipment is legal equipment to an upper authentication list of the upper block chain;
Broadcasting a second message of the identification file positioning mode in a lower layer block chain;
and under the condition that the second message reaches consensus, uploading second authentication information representing the positioning mode of the identification document to a lower authentication list of the lower blockchain.
In a fourth aspect, the present application provides a key storage method, including:
Selecting any target random code from random code groups sent by an administrator node, and carrying out hash operation on the target random code based on a preset hash function to obtain a second hash value; the random code group comprises n random codes;
performing exclusive OR operation on the hash value and a private key to obtain third hash values, and randomly generating n-1 third hash values;
And adding the second hash value and the fourth hash value into a hash value group and sending the hash value group to the manager node so that the manager node can upload the hash value group into an underlying blockchain.
According to the key storage method, hash operation is carried out on any random code in the random code group, real key data is formed based on the value obtained after the hash operation and the private key, a plurality of false key data are randomly generated, the hash value group formed by the real key data and the false key data is used as a fraud group, so that even if an attacker knows the hash function operation mode of the user, the time complexity when the user breaks the key is greatly increased, the time complexity when the user obtains the key is not increased, the fault tolerance is greatly improved, huge calculation expenditure is brought to the attacker, the user is helped to update the key before the key is broken, and the security of key storage is improved.
According to one embodiment of the application, the method further comprises:
Receiving the random code group, the hash value group and an encrypted message encrypted by a public key corresponding to the private key, which are sent by the administrator node, under the condition that the private key is lost;
Performing hash operation on a target random code in the random code group based on the hash function to obtain a second hash value;
Performing exclusive OR operation on the hash values in the hash value group based on the second hash value to obtain an operation value;
And taking the operation value as the private key under the condition that the operation value successfully decrypts the encrypted message.
In this embodiment, after the key is lost, the user only needs to run an operation with a time complexity of n, whereas an attacker, even knowing the operation mode of the hash function, has to pay a time complexity exponential in n. Even after the target random code and the hash function have both been accurately cracked and the hash value group data in the lower-layer blockchain has also been cracked, the attacker still needs to perform an operation with a time complexity of n, which leaves fault-tolerant time to perform operations such as freezing user rights, thereby improving the security of key storage.
According to one embodiment of the application, the method further comprises:
And under the condition that the operation value decrypts the encrypted message successfully, sending the decrypted message obtained by decrypting the encrypted message to the manager node so that the manager node returns a notice of updating the hash value group under the condition that the decrypted message passes verification.
In this embodiment, the fact that the key was lost and then restored indicates that the real key data formed from the hash value and the private key is at risk of leakage. Once the decrypted message that the user produced with the restored private key passes verification, the user is notified to update the hash value group formed of the real key data and the false key data, which further improves the security of key storage.
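The storage and recovery steps of the fourth aspect, as an added Python example (not code from the patent). It reads the hash value group as the XOR-masked key plus n-1 random decoys, which is what the recovery steps require; SHA-256 as the preset hash function, the toy ElGamal key pair, and the tagged challenge format are all assumptions made so the example runs with the standard library only.

```python
"""Decoy-group private-key storage and recovery (constructed demo)."""
import hashlib
import hmac
import secrets

# Toy ElGamal group standing in for the device's unspecified key pair.
P = 2**255 - 19  # prime modulus (assumption, demo only)
G = 2


def h(code: bytes) -> bytes:
    """The 'preset hash function'; SHA-256 is an assumption."""
    return hashlib.sha256(code).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def public_key(private_key: bytes) -> int:
    return pow(G, int.from_bytes(private_key, "big"), P)


def build_hash_group(private_key: bytes, random_codes, target_index: int):
    """Storage: mask the key with H(target code), hide it among decoys."""
    n = len(random_codes)
    second = h(random_codes[target_index])   # second hash value
    masked = xor(second, private_key)        # real key data
    group = [secrets.token_bytes(len(masked)) for _ in range(n - 1)]
    group.insert(secrets.randbelow(n), masked)  # position carries no hint
    return group


def encrypt_challenge(pub: int):
    """Manager side: encrypt nonce||tag under the public key."""
    nonce = secrets.token_bytes(16)
    m = int.from_bytes(nonce + h(nonce)[:8], "big")
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P


def try_decrypt(candidate: bytes, challenge):
    """Return the nonce if the candidate key decrypts the challenge."""
    c1, c2 = challenge
    shared = pow(c1, int.from_bytes(candidate, "big"), P)
    raw = ((c2 * pow(shared, -1, P)) % P).to_bytes(32, "big")
    pad, nonce, tag = raw[:8], raw[8:24], raw[24:]
    if pad == bytes(8) and hmac.compare_digest(tag, h(nonce)[:8]):
        return nonce
    return None


def recover_private_key(random_codes, target_index, hash_group, challenge):
    """Recovery: at most n XORs and trial decryptions for the owner."""
    second = h(random_codes[target_index])
    for tries, entry in enumerate(hash_group, start=1):
        candidate = xor(second, entry)
        nonce = try_decrypt(candidate, challenge)
        if nonce is not None:
            return candidate, nonce, tries
    return None, None, len(hash_group)


def demo(n: int = 8) -> dict:
    private_key = secrets.token_bytes(32)                 # constructed key
    codes = [secrets.token_bytes(16) for _ in range(n)]   # random code group
    target = secrets.randbelow(n)
    group = build_hash_group(private_key, codes, target)
    challenge = encrypt_challenge(public_key(private_key))
    recovered, _, tries = recover_private_key(codes, target, group, challenge)
    # Hashing a different code from the group unmasks nothing usable.
    miss, _, _ = recover_private_key(codes, (target + 1) % n, group, challenge)
    return {
        "group_size": len(group),
        "recovered_ok": recovered == private_key,
        "tries": tries,
        "wrong_code_recovers": miss is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The owner needs at most n trial decryptions because the target code is known. The decoys only help while the random code group or the choice of target code stays unknown to whoever reads the hash value group.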
In a fifth aspect, the present application provides an apparatus for authenticating an identity of an internet of things device, including:
The first sending module is used for sending a network access registration request to the first manager node; the network access registration request comprises a distributed identity of the Internet of things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of things device, so that the first manager node can verify the distributed identity based on an identity identification file uploaded to an upper-layer blockchain in advance, generate, when the verification passes, a device certificate indicating that the identity of the Internet of things device is legal, and return the device certificate; the identity identification file comprises the identity information of the Internet of things device.
According to the device for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
In a sixth aspect, the present application provides an apparatus for authenticating an identity of an internet of things device, which is characterized by comprising:
The verification module is used for verifying the distributed identity based on the identity file which is uploaded to the upper layer block chain in advance; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
The generation module is used for generating a device certificate which indicates that the identity authentication of the Internet of things device is legal under the condition that verification is passed;
And the second sending module is used for sending the equipment certificate to the Internet of things equipment.
According to the device for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
In a seventh aspect, the present application provides a key storage device comprising:
the first operation module is used for selecting any target random code from random code groups sent by the manager node, and carrying out hash operation on the target random code based on a preset hash function to obtain a second hash value; the random code group comprises n random codes;
The second operation module is used for carrying out exclusive OR operation on the hash value and the private key to obtain third hash values, and generating n-1 third hash values randomly;
And the third sending module is used for adding the second hash value and the fourth hash value into a hash value group and sending the hash value group to the manager node so that the manager node can upload the hash value group to a lower-layer blockchain.
According to the key storage device, hash operation is carried out on any random code in the random code group, real key data is formed based on the value obtained after the hash operation and the private key, a plurality of false key data are randomly generated, the hash value group formed by the real key data and the false key data is used as a fraud group, so that even if an attacker knows the hash function operation mode of the user, the time complexity of the user in decoding the key is greatly increased, the time complexity of the user in obtaining the key is not increased, the fault tolerance is greatly improved, huge calculation expenditure is brought for the attacker, the user is helped to update the key before the key is decoded, and the security of key storage is improved.
In an eighth aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the method for authenticating an identity of an internet of things device according to the first, second, or third aspect, or the method for storing a key according to the fourth aspect when executing the computer program.
In a ninth aspect, the present application provides a non-transitory computer readable storage medium, on which a computer program is stored, the computer program implementing the internet of things device identity authentication method according to the first, second or third aspect, or the key storage method according to the fourth aspect, when executed by a processor.
In a tenth aspect, the present application provides a chip, where the chip includes a processor and a communication interface, where the communication interface is coupled to the processor, and the processor is configured to execute a program or instructions to implement the method for authenticating an identity of an internet of things device according to the first, second, or third aspect, or the method for storing a key according to the fourth aspect.
In an eleventh aspect, the present application provides a computer program product, comprising a computer program which, when executed by a processor, implements the method for authenticating the identity of an internet of things device according to the first, second or third aspect, or the method for storing a key according to the fourth aspect.
The above technical solutions in the embodiments of the present application have at least one of the following technical effects:
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
Further, in some embodiments, the authority center generates the corresponding hash value for the internet of things device based on the device identifier, which provides the access precondition required by the internet of things device during registration and remedies the vulnerability of traditional internet of things device registration. The identity information of the internet of things device is stored in the identity identification file, and the file is stored on the blockchain. On one hand, this makes it convenient to check the validity of the internet of things device; on the other hand, the stored information is available for subsequent verification of the internet of things device, which further improves the safety of the data.
Further, in some embodiments, the request message is forwarded to the plurality of second manager nodes, the plurality of second manager nodes respectively authenticate the internet of things device, and device credentials are generated after the authentication of the preset number of second manager nodes is passed.
Further, in some embodiments, after broadcasting and after consensus is reached in the upper layer blockchain and the lower layer blockchain, related information of the internet of things device is stored in the separate authentication lists of the upper layer blockchain and the lower layer blockchain. On one hand, this makes it easy to determine whether the internet of things device has ever been judged to be a malicious node; on the other hand, the positioning mode of the identity identification file of the internet of things device is saved and can be used to locate that file.
Still further, in some embodiments, in the transmission channel of the base station and the internet of things device, the distributed identity of the internet of things device is verified through the authentication list in the upper layer block chain and the distributed identity of the internet of things device is verified through the authentication list in the lower layer block chain, and even if some data is tampered with by a malicious attacker, the malicious attacker cannot pass the verification, so that the capability of resisting malicious attacks is greatly improved, and the communication security is improved.
Additional aspects and advantages of the application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the application will become apparent and may be better understood from the following description of embodiments taken in conjunction with the accompanying drawings in which:
FIG. 1 is an architecture diagram of an identity authentication system of an internet of things device provided by an embodiment of the present application;
FIG. 2 is one of flow diagrams of an identity authentication method of an internet of things device according to an embodiment of the present application;
FIG. 3 is one of the schematic diagrams of an example of a scenario provided by an embodiment of the present application;
FIG. 4 is a second flow chart of an authentication method for an internet of things device according to an embodiment of the present application;
FIG. 5 is a third flow chart of an authentication method for an internet of things device according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of a key storage method according to an embodiment of the present application;
FIG. 7 is a second schematic diagram of an example of a scenario provided by an embodiment of the present application;
FIG. 8 is a third schematic diagram of an example of a scenario provided by an embodiment of the present application;
FIG. 9 is one of schematic structural diagrams of an identity authentication device of an internet of things device according to an embodiment of the present application;
FIG. 10 is a second schematic structural diagram of an identity authentication device of an internet of things device according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a key storage device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the embodiments of the present application will be clearly described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which are obtained by a person skilled in the art based on the embodiments of the present application, fall within the scope of protection of the present application.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
Identity authentication refers to the process of confirming the authenticity and validity of an individual or entity's identity. In information systems and networks, identity authentication is used to verify whether a user, device or entity has a purported identity and grants corresponding rights and access rights.
The identity authentication of the equipment of the Internet of things is the first step of the safety of the whole system of the Internet of things, for legal equipment, an identity authentication mechanism permits the equipment to be accessed into the system and interact with other equipment, and for illegal equipment, the identity authentication mechanism limits the equipment to be accessed into the system of the Internet of things so as to avoid potential safety hazards brought by the equipment.
Data centers in centralized network mode typically store large amounts of sensitive information centrally, which makes it a major goal for malicious attackers. Once a data center is under attack, the entire network is at risk of crashing because an attacker can easily obtain a large amount of data. Second, since all data is stored centrally in the same place, the privacy of the user is at great risk once this center is attacked or data compromised. In addition, the security of the centralized network mode is weak due to the characteristic of single point failure, and once the central node is attacked or fails, the whole network is affected, so that the system is unstable and has security problems. Therefore, the network access equipment is authenticated by the existing centralized network mode, and the security is low.
According to the application, if the Internet of things and the blockchain are combined and the identity of the Internet of things equipment is authenticated through a decentralised control and management mechanism, the problem of low security caused by authenticating network access equipment through the existing centralized network mode can hopefully be solved.
The identity authentication method, the key storage method and the device of the internet of things equipment provided by the embodiment of the application are described in detail through specific embodiments and application scenes thereof with reference to the accompanying drawings.
In the embodiment of the application, the internet of things equipment can be various equipment capable of mutually communicating and exchanging data through the internet. Such devices may include sensors, actuators, smart home devices, industrial control devices, medical devices, and the like. The internet of things device generally has an embedded system and a network connection function, can collect environmental data through a sensor, and can transmit data or receive instructions through a network.
The intelligent building is a building system which makes a traditional building intelligent, automated and manageable through technologies such as the Internet of things, sensors, an automatic control system and the like. It utilizes advanced information technology and communication technology to integrate, monitor, control and optimize various devices, systems and resources in the building. The intelligent building field also includes a plurality of internet of things devices, which can include, but are not limited to, access control systems, monitoring cameras, fire alarm systems, air conditioning and heating systems, elevator and stairwell lighting systems, intelligent door lock systems, intelligent building management systems, and the like.
For example, as shown in fig. 1, fig. 1 is a system architecture diagram of an embodiment of the present application. The system architecture may include an upper level blockchain, a lower level blockchain, an administrator node, a base station node, a building, a user, and an authoritative center. The authority center does not necessarily mean a trusted authority node, but may be a group of trusted authority nodes.
In this system, an administrator node may be used to authenticate a newly joined internet of things device and issue device credentials CD (credential of device) by which to store relevant sensitive information. The internet of things device can construct a secure transmission channel between the internet of things device and the base station node by means of the device certificate, so that the authenticity and the security of the transmission data are guaranteed. The user can keep the user key through the manager node, and in the case that the user key is lost, the user can recover the key through the manager node.
The system combines the Internet of things with the block chain, and can well solve the safety problem of the traditional Internet of things, such as: vulnerability of device authentication, weak passwords, default credential issuance, centralization, etc. After the blockchain is combined with the Internet of things technology, the advantages of decentralization, powerful identity verification, complete data tamper resistance, privacy protection and the like can be brought. The blockchain technology can provide a decentralised control and management mechanism, eliminating the risk of single-point faults; after the blockchain technology is introduced, each Internet of things device and other participants can have a unique identity, and the identity is verified by using an encryption technology, so that unauthorized devices can be prevented from accessing a system, and only authorized users can operate the devices; in addition, the distributed ledger of the blockchain may ensure data integrity and tamper resistance. By recording the data of the intelligent building Internet of things system on the blockchain, the difficulty of malicious tampering or deleting of the data can be increased, and the credibility of the data is increased.
As shown in fig. 2, an embodiment of the present application provides an identity authentication method for an internet of things device, which may include step 201, step 202, step 203 and step 204.
Step 201, the internet of things device sends a network access registration request to a first administrator node.
In an embodiment of the present application, the first manager node may be a trusted manager node, such as the manager node shown in fig. 1. The administrator node may be a node with a high degree of trust and authority in the blockchain network responsible for verifying transactions, packaging blocks, and maintaining the safe and stable operation of the entire blockchain network. The manager nodes are typically acted upon by authenticated and authorized entities or organizations, the participation and behavior of which is subject to strict regulatory and specification. The first manager node may be one server, or may be a server cluster including a plurality of servers.
In the implementation of the application, the network access registration request refers to that the Internet of things equipment requests to register in a certain Internet of things, and after the registration is passed, the Internet of things equipment can be accessed into an Internet of things system, and communicate and exchange data with other equipment in the Internet of things system within the granted authority range.
The network entry registration request may include a distributed identity identifier (Decentralized Identifier, DID) that characterizes the identity of the internet of things device, and is used to indicate which internet of things device wants to be registered in the network. DID is a decentralized identity identification system based on blockchain technology, which allows users to create and control their own identity without relying on a centralized identity verification mechanism. The DID may be used in a variety of scenarios such as digital authentication, identity management, digital identity ownership verification, and the like.
The DID may be created on a private blockchain or a public blockchain, depending on the particular implementation and use scenario. Creating a DID on a private blockchain may provide more control and customization, fit the identity management and verification requirements inside a particular organization or enterprise, because the private blockchain may provide higher privacy protection and may be custom developed and deployed according to the needs of the organization. Creating a DID on a public blockchain may then provide for more extensive verifiability and interoperability because the DID on the public blockchain may be easily accessed and verified by other organizations or individuals, which facilitates cross-organization, cross-platform authentication and data exchange. It should be noted that whether a DID is created on a private blockchain or a public blockchain, the corresponding standards and protocols need to be followed to ensure the security, verifiability, and interoperability of the DID.
In some embodiments, the network entry registration request may further include, in addition to the DID, signature information produced by the internet of things device with its private key, a timestamp characterizing the time when the request message was sent, and so on. For example, the network entry registration request is {msg_regis, DID, t_regis, σ}, where msg_regis represents the registration request information, t_regis represents the timestamp, and σ represents the signature. The network access registration request may be sent in a plaintext or ciphertext manner, and if sent in a ciphertext manner, the public key of the first administrator node may be used to encrypt the network access registration request.
Step 202, the first administrator node verifies the distributed identity based on the identity file uploaded to the upper layer blockchain in advance.
In the embodiment of the application, the upper layer block chain can be a private block chain, and the lower layer block chain can be a alliance block chain. The identification file corresponding to the Internet of things equipment comprises identification information for proving the identity of the Internet of things equipment. The identity information may be a DID, a public key of an internet of things device, or other information that can indicate an identity.
The first administrator node may obtain the DID of the internet of things device from the network access registration request, and if the received network access registration request is a ciphertext, decrypt the ciphertext using the private key, and then obtain the DID of the internet of things device from the decrypted information. If the network access request includes a time stamp, verifying timeliness of the network access registration request according to the time stamp, for example, if a time interval between the time stamp and the current time is too large, the network access registration request is considered to be expired, communication with the internet of things device is terminated, and if the time interval between the time stamp and the current time is within a reasonable range, for example, 2s, 5s and the like, the network access registration request is considered to have timeliness, and a subsequent processing step can be performed.
After the DID of the Internet of things equipment is obtained, an identity identification file corresponding to the Internet of things equipment can be queried from an upper layer blockchain according to the DID, whether the DID of the Internet of things equipment is legal or not is then determined according to the identity information in the identity identification file, for example, whether the DID in the identity identification file is consistent with the DID in the network access registration request or not is determined, if so, the DID of the Internet of things equipment is considered to be legal, and verification is passed.
Step 203, in the case that the verification is passed, a device credential indicating that the identity of the Internet of things device is legal is generated.
If the verification is passed, the Internet of things equipment can be considered legal, and is not malicious equipment, equipment certificates can be generated, and the Internet of things equipment can be accessed into the Internet of things system by virtue of the certificates, and communicate and exchange data with other equipment in the Internet of things system within the granted authority range. The device credential may include an identification of a device credential sender, a DID of an internet of things device, or other pre-agreed content that may be identified by the internet of things system, such that the internet of things device may join the internet of things system via the device credential.
Step 204, the device credential is sent to the internet of things device.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
In some embodiments, the method further comprises:
The Internet of things equipment sends the equipment identification to an authoritative center node; the equipment identifier is an identifier for representing the identity of the equipment of the Internet of things;
the authority center node carries out hash operation on the equipment identifier to obtain a corresponding first hash value, and the first hash value is sent to the Internet of things equipment;
The internet of things equipment generates a key pair based on the random number, generates an identity identification file according to a public key, a first hash value and the distributed identity identification in the key pair, and uploads the identity identification file to an upper layer block chain.
The authoritative central node may be a node with high trust and authority in the blockchain network, responsible for verifying transactions, packaging blocks, and maintaining the safe and stable operation of the entire blockchain network. The authoritative hub node is typically acted upon by an authenticated and authorized entity or organization whose participation and behavior is subject to strict regulation and specification. The authoritative central node may be one server or may be a server cluster comprising a plurality of servers.
When the Internet of things equipment leaves a factory, the unique identification ID representing the identity of the Internet of things equipment is attached, the ID is the equipment identification, if the Internet of things equipment is produced by other factories, a unique ID can be registered according to a pre-unified standard, and the registered ID is the equipment identification. The identity of the internet of things device can be represented by the device identification.
In the message of sending the device identifier to the authority center, the internet of things device may further add a timestamp to the message to indicate the time of sending the message in order to improve the timeliness of the message.
After receiving the message, the authority center node can verify the timeliness of the message according to the time stamp. If the time interval between the time stamp and the current time is smaller than a reasonable time, the authority center node can consider the message to be timely and go on to verify the equipment identifier in the message. Specifically, as described above, the equipment identifier is either attached when the internet of things device leaves the factory or registered according to a unified standard, so the authority center node may verify whether the format of the device identifier conforms to the unified standard, and if so, the verification passes. After the verification passes, the authority center node can perform a hash operation on the equipment identifier through a hash function to obtain a hash value token_ID, and then sends the hash value token_ID to the Internet of things equipment.
After receiving the hash value sent by the authority center node, the internet of things device can select the random number SK as a private key of the internet of things device, and obtain the public key PK through SK calculation. And then obtaining an identification document doc= { DID, PK, token_ID, t_doc } according to the hash value, the public key PK and the distributed identification sent by the authority center node, wherein t_doc represents the generation time of the identification document, and uploading the identification document to an upper block chain for storage. By adding the generation time of the file into the identification document Doc, the object inquiring the identification document can know the timeliness of the identification document.
In the embodiment, the authority center generates the corresponding hash value for the Internet of things equipment based on the equipment identifier, which provides the access precondition required by the Internet of things equipment in registration and remedies the vulnerability of traditional Internet of things equipment registration. The identity information of the Internet of things equipment is stored in the identity identification file, and the file is stored on the blockchain. On one hand, this makes it convenient to check the legality of the Internet of things equipment; on the other hand, the stored information is available for the follow-up verification of the Internet of things equipment, which further improves the safety of the data.
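The enrollment embodiment above and the checks of steps 201 to 204 can be traced end to end as follows. This is an added example, not code from the application: the upper layer blockchain is modelled as a dictionary, the device-ID format, the `did:example:` identifiers, the `UID-admin-1` issuer and all function names are assumptions, and a Lamport one-time signature stands in for σ because the text names no signature scheme.

```python
import hashlib
import json
import re
import secrets

MAX_SKEW_S = 5  # freshness window in seconds (the text gives 2 s and 5 s as examples)
ID_FORMAT = re.compile(r"[A-Z]{3}-[0-9]{8}")  # assumed "unified standard" for device IDs


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canon(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- Lamport one-time signature (stand-in scheme; one signature per key) ---
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [[H(a).hex(), H(b).hex()] for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(_bits(msg)):
        ok &= secrets.compare_digest(H(sig[i]).hex(), pk[i][b])
    return ok


# --- authority center node ---
def issue_token(device_id: str) -> str:
    """Check the identifier format, then return token_ID = hash(device ID)."""
    if not ID_FORMAT.fullmatch(device_id):
        raise ValueError("device identifier does not match the unified format")
    return H(device_id.encode()).hex()


# --- internet of things device ---
def enroll(device_id: str, did: str, upper_chain: dict, now: int):
    """Build Doc = {DID, PK, token_ID, t_doc} and upload it; return SK."""
    token_id = issue_token(device_id)
    sk, pk = keygen()
    upper_chain[did] = {"DID": did, "PK": pk, "token_ID": token_id, "t_doc": now}
    return sk


def registration_request(sk, did: str, now: int) -> dict:
    """Build {msg_regis, DID, t_regis, sigma}; sigma covers the other fields."""
    body = {"msg_regis": "register", "DID": did, "t_regis": now}
    return {**body, "sigma": sign(sk, canon(body))}


# --- first administrator node ---
def handle_registration(req: dict, upper_chain: dict, now: int, uid="UID-admin-1"):
    """Return (device credential, reason); the credential is None on rejection."""
    if abs(now - req["t_regis"]) > MAX_SKEW_S:
        return None, "expired"
    doc = upper_chain.get(req["DID"])
    if doc is None or doc["DID"] != req["DID"]:
        return None, "unknown DID"
    body = {k: req[k] for k in ("msg_regis", "DID", "t_regis")}
    if not verify(doc["PK"], canon(body), req["sigma"]):
        return None, "bad signature"
    return {"issuer": uid, "DID": req["DID"], "t_cd": now}, "ok"
```

Because the signature is checked against the public key stored in the Doc for the claimed DID, a request replayed under another registered device's DID is rejected even though that DID exists on the chain.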
In some embodiments, the first administrator node verifies the distributed identity based on the identity file previously uploaded to the upper layer blockchain, and generates a device credential indicating that the device identity of the internet of things is legal if the verification passes, including:
The first manager node forwards the network access registration request to a plurality of second manager nodes under the condition that the network access registration request is verified to be not tampered;
the second manager node acquires an identity document corresponding to the Internet of things device from the upper layer blockchain, verifies the distributed identity according to the identity document, generates a device sub-certificate under the condition that the verified identity is legal, and sends the device sub-certificate to the first manager node device;
The first manager node generates device credentials from at least a preset number of device sub-credentials if it receives at least a preset number of device sub-credentials.
The second manager node may be other manager nodes different from the first manager node, and the second manager node may be plural. The first manager node may send an on-network registration request to the second manager node and sign. Specifically, the first administrator node may verify the signature of the network-access registration request by using the public key of the internet of things device, so as to ensure that the message is not tampered, and check timeliness through the timestamp included in the network-access registration request. If the authentication is passed, forwarding an incoming registration request message { msg_forward, DID, UID, t_msg_forward, σ }, wherein msg_forward represents the forwarded message content, UID represents the identification information of the first administrator node, t_msg_forward represents a timestamp, and σ represents a signature.
The plurality of second manager nodes may be predetermined manager nodes for assisting in generating the device credential, or may be manager nodes that are selected according to a preset rule each time a device credential needs to be generated. After receiving the forwarding message sent by the first manager node, the second manager node can query the identity document corresponding to the internet of things device from the upper layer blockchain through the DID of the internet of things device, and then determine whether the DID of the internet of things device is legal according to the identity information in the identity document, for example, by checking whether the DID in the identity document is consistent with the DID in the network access registration request. If not, the internet of things device is considered to be a malicious device, and the second manager node feeds back a notification that the internet of things device is a malicious device to the first manager node, or directly stops the subsequent operation. If so, the DID of the internet of things device is considered legal and the verification passes; the second manager node generates a device sub-credential and sends it to the first manager node, wherein the device sub-credential can be a part of the device credential.
After receiving the replies from the at least k second manager nodes, the first manager node may aggregate the at least k device sub-credentials into a complete device credential, e.g. a threshold algorithm aggregates the k device sub-credentials to obtain the complete device credential. Wherein k may be 2, 3, 5, 10, 15, etc. or other values, and a person skilled in the art may set different values according to actual needs, which is not limited in the embodiment of the present application.
In the embodiment, the request message is forwarded to the plurality of second manager nodes, the plurality of second manager nodes respectively authenticate the Internet of things equipment, and the equipment certificate is generated after the authentication of the preset number of second manager nodes is passed.
In some embodiments, the method further comprises:
The method comprises the steps that under the condition that equipment credentials are generated, a first manager node broadcasts a first message that the Internet of things equipment is legal equipment in an upper layer block chain, and under the condition that the first message agrees, first authentication information representing the Internet of things equipment as legal equipment is uploaded to an upper layer authentication list of the upper layer block chain; and broadcasting a second message of the identification file positioning mode in the lower-layer blockchain, and uploading second authentication information representing the identification file positioning mode to a lower-layer authentication list of the lower-layer blockchain under the condition that the second message achieves consensus.
When a node performs an operation (e.g., transfer, signing a contract, etc.) on the blockchain, it packages the operation into a transaction and broadcasts it over the network to other nodes. Other nodes will verify after receiving the transaction to ensure that the transaction meets the rules and protocols of the blockchain, such as verifying the identity of the sender, checking whether the transaction is legal, etc. Once validated, the transaction is packed into a block and then added to the blockchain, which is a consensus process. Achieving consensus means that all nodes participating in the blockchain network agree on the validity of the transaction and add it to the blockchain. This consensus mechanism ensures the security and consistency of the blockchain because only authenticated transactions will be added to the blockchain and all nodes will keep the same copy of the blockchain, thereby avoiding data tampering and fraud.
In different blockchain systems, different consensus algorithms may be employed to implement the consensus-reaching process, such as Proof of Work, Proof of Stake, and the like. These consensus algorithms are all aimed at ensuring the security and reliability of blockchain networks.
In this embodiment, after generating the device credential, the first administrator node may generate a first message, for example (RegisUP, DID, UID, t, evil=0, σ), where RegisUP indicates that the first message is used for upper layer blockchain consensus, DID is the DID of the internet of things device, UID is the unique identifier of the first administrator node, t is a timestamp, evil=0 indicates that the internet of things device is not a malicious device, that is, it is a legal device, and σ is a signature of the above message. After consensus is reached, the first administrator node may generate first authentication information, for example (DID, token_id, evil=0), and add the first authentication information to the upper layer authentication list.
In this embodiment, after generating the device credential, the first administrator node may further generate a second message, for example, the second message may be generated as (RegisUNDER, DID, UID, h, t, σ), where RegisUNDER represents that the second message is used for the lower layer blockchain consensus, DID is the DID of the device of the internet of things, UID is the unique identifier of the first administrator node, t is a timestamp, h is a hash value of the identity identification file of the device of the internet of things, σ is a signature of the above message, after consensus is achieved, the first administrator node may generate second authentication information, for example, generate the second authentication information as (DID, h), and add the second authentication information to the lower layer authentication list. The mapping relation between the hash value h of the identification file of the Internet of things equipment and the identification file can be used for positioning the identification file.
In the embodiment, after broadcasting and consensus is achieved between the upper layer block chain and the lower layer block chain, related information of the internet of things equipment is stored in different authentication lists of the upper layer block chain and the lower layer block chain, so that on one hand, whether the internet of things equipment is judged to be a malicious node or not is facilitated, on the other hand, a positioning mode of an identity identification file of the internet of things equipment is saved, and the method is used for positioning the identity identification file of the internet of things equipment.
In order to facilitate understanding of the device credential generation and forwarding process in the embodiments of the present application, the present application is described using a scenario example in which an internet of things device is taken as an example of a device in an intelligent building. As shown in fig. 3, the device credential generation and forwarding process may include steps A3-A5.
A3, the building manager node and other building manager nodes in the current district of the Internet of things equipment jointly calculate partial certificates of the Internet of things equipment, and the complete certificates of the Internet of things equipment are recovered through a threshold algorithm.
Specifically, the step A3 includes the following steps:
A301, the Internet of things device sends a registration request to an administrator node, wherein the registration request comprises registration request information, the DID of the Internet of things device, the request time and a signature of the former three: {msg_regis, DID, t_regis, σ};
A302, the manager node verifies the signature by using the public key of the Internet of things device to ensure that the message has not been tampered with, and checks the timeliness of the message; if the message has not been tampered with, A303 is executed; if it has been tampered with, the communication is terminated;
A303, the manager node forwards the registration request to the other incumbent manager nodes currently elected by dynamic election; the forwarded message comprises the registration request message, the DID of the Internet of things device, the unique identifier UID of the current manager node, the forwarding time and a signature of these four: {msg_forward, DID, UID, t_msg_forward, σ};
A304, the other manager nodes verify whether the message has been tampered with by using the public key of the forwarding manager node, verify whether the message is a forwarded message, and verify its timeliness; if the message passes verification, A305 is executed, otherwise the communication is terminated;
A305, the other manager nodes query the identity identification file in the upper layer blockchain through the DID and check whether the Internet of things device has been judged to be malicious; if not, A306 is executed;
A306, the other manager nodes generate a partial CD', which includes the public key of the Internet of things device, the legal device certificate ('LEGAL DEVICE'), 'true', and a signature of the above information: CD' = {PK, 'LEGAL DEVICE', 'true', σ};
A307, the other manager nodes generate the plaintext Proclaim', which contains CD', the DID of the Internet of things device, the unique identifier UID of the forwarding node, the timestamp t_msg_forward, and a signature of the above information: Proclaim' = {CD', DID, UID, t_msg_forward, σ};
A308, the other manager nodes encrypt the plaintext Proclaim' by using the public key of the forwarding manager to obtain the ciphertext SProclaim', and send a reply registration message to the forwarding manager: Reply = {rpl (a flag indicating that the message is a reply registration message), SProclaim'};
A309, after receiving the reply registration message, the forwarding manager node checks the flag rpl; once it has determined that the message is a reply registration message, it decrypts the ciphertext by using its own private key, verifies the signature to check whether the plaintext has been tampered with, and verifies timeliness; if the plaintext has not been tampered with, it extracts CD' from the plaintext and verifies its signature to check whether it has been tampered with, and if not, A310 is executed;
A310, after receiving more than the threshold number k of reply registration messages, the forwarding manager node restores the partial signatures to a complete signature by using an aggregate signature algorithm, and replaces the partial signature in CD' with the complete signature to obtain the complete CD.
A4, the forwarding manager node broadcasts information to the upper layer blockchain and the lower layer blockchain, and the respective registration transactions are issued after consensus is achieved.
Specifically, the step A4 includes the following steps:
A401, the manager node broadcasts the following information in the upper layer blockchain: (RegisUP, DID, UID, t, evil=0, σ), where RegisUP indicates that the message is used for upper layer blockchain consensus, DID is the DID of the Internet of things device, UID is the unique identifier of the administrator node, t is a timestamp, evil=0 indicates that the device is not malicious, and σ is a signature of the above message; after consensus is reached, (DID, token_id, evil=0) is added to the upper layer authentication list;
A402, the manager node broadcasts the following information in the lower layer blockchain: (RegisUNDER, DID, UID, h, t, σ), where RegisUNDER indicates that the message is used for lower layer blockchain consensus, UID is the unique identifier of the administrator node, t is a timestamp, h is a hash value of the identity identification file of the Internet of things device, and σ is a signature of the message; after consensus is reached, (DID, h) is added to the lower layer authentication list.
A5, the district manager node returns the complete CD to the Internet of things device, and the Internet of things device stores it.
Specifically, the step A5 includes the following steps:
A501, an administrator node generates a plaintext (CD, DID, sigma), wherein the CD is a complete equipment certificate, the DID is the DID of the Internet of things equipment, the sigma is the signature of the message, then the plaintext is encrypted, the public key of the Internet of things equipment is used for encrypting the plaintext to obtain a ciphertext, and the ciphertext is sent to the Internet of things equipment;
A502, the Internet of things device decrypts the ciphertext by using its private key, then verifies the signature to ensure that the message has not been tampered with, and finally obtains the CD from the plaintext and stores it locally.
In some embodiments, the method further comprises:
The method comprises the steps that an Internet of things device sends a communication request to a base station node, wherein the communication request comprises a distributed identity and a device credential;
In the case that verification of the device credential passes, the base station node verifies whether the Internet of things device corresponding to the distributed identity is legal based on the first authentication information in the upper authentication list; if so, the base station node locates the identity identification file based on the second authentication information in the lower authentication list and verifies the distributed identity according to the identity identification file, and if that verification passes, establishes a transmission channel with the Internet of things device.
In this embodiment, the base station node may be an important component in the Internet of things network, used for connecting and managing the Internet of things devices. The base station node may be a wireless communication device or a wired network device, and its function is to collect, process and forward data of the Internet of things devices. The base station node may employ different communication technologies, such as cellular network, LoRaWAN, NB-IoT, etc., and an appropriate base station node technology is selected according to the application scenario and requirements. The deployment of the base station nodes can be centralized or distributed, and is designed according to the specific architecture and scale of the Internet of things system.
The Internet of things device may generate a plaintext including the DID, the CD, the information MsgData requesting data, the current timestamp t_MsgData, and a signature of the above message: {DID, CD, MsgData, t_MsgData, σ}. The Internet of things device can then encrypt the plaintext by using the public key of the base station node to obtain a ciphertext.
The base station node decrypts the ciphertext sent by the Internet of things device with its own private key, queries the first authentication information in the upper authentication list based on the DID, and determines from the first authentication information whether the Internet of things device is legal. If it is legal, the base station node queries the second authentication information in the lower authentication list based on the DID, locates the identity identification file of the Internet of things device according to the hash value of the identity identification file in the second authentication information, and compares the DID in the identity identification file with the DID obtained from the decrypted text. If the two are consistent, the base station node obtains the public key of the Internet of things device from the identity identification file, verifies the signature with that public key to check whether the message has been tampered with, and verifies the timeliness of the message. If the message has not been tampered with and is within the timeliness range, a transmission channel with the Internet of things device can be established.
In this embodiment, on the transmission channel between the base station and the Internet of things device, the distributed identity of the Internet of things device is verified both through the authentication list in the upper layer blockchain and through the authentication list in the lower layer blockchain. Even if some data has been tampered with by a malicious attacker, the attacker cannot pass this multi-level verification, which greatly improves the capability of resisting malicious attacks and improves communication security.
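The base station's checks on a communication request, in the order described above, as an added example that is not part of the patent. The Schnorr-style signature over a demo-sized group, the JSON identity file, the 30-second timeliness window, the re-hash of the located file and all sample values are assumptions; the encryption envelope and the check of the device credential CD itself are left out.

```python
import hashlib
import json
import secrets

P = 2**255 - 19   # demo-sized group (assumption), not a vetted parameter set
G = 2
MAX_AGE = 30      # seconds; assumed timeliness window


def _challenge(R: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(R.to_bytes(32, "big") + msg).digest(), "big")


def sign(sk: int, msg: bytes) -> tuple:
    """Schnorr-style signature, standing in for the device signature sigma."""
    k = secrets.randbelow(P - 2) + 1
    R = pow(G, k, P)
    return R, (k + _challenge(R, msg) * sk) % (P - 1)


def verify(pk: int, msg: bytes, sig: tuple) -> bool:
    R, s = sig
    if not (0 < R < P and 0 < pk < P):
        return False
    return pow(G, s, P) == (R * pow(pk, _challenge(R, msg), P)) % P


def signed_bytes(did, cd, msg_data, t) -> bytes:
    """Canonical encoding of {DID, CD, MsgData, t_MsgData} that sigma covers."""
    return json.dumps([did, cd, msg_data, t], separators=(",", ":")).encode()


def verify_request(req, upper_list, lower_list, file_store, now):
    """Run the checks in the order of the description; return (ok, reason)."""
    did = req["DID"]
    entry = upper_list.get(did)                 # first authentication information
    if entry is None or entry["evil"] != 0:
        return False, "not legal in upper list"
    h = lower_list.get(did)                     # second authentication information
    raw = file_store.get(h)                     # locate the identity file by hash
    if h is None or raw is None:
        return False, "identity file not located"
    if hashlib.sha256(raw).hexdigest() != h:    # added check: file must match h
        return False, "identity file hash mismatch"
    id_file = json.loads(raw)
    if id_file["did"] != did:
        return False, "DID mismatch"
    msg = signed_bytes(did, req["CD"], req["MsgData"], req["t"])
    if not verify(id_file["pk"], msg, req["sigma"]):
        return False, "bad signature"
    if abs(now - req["t"]) > MAX_AGE:
        return False, "stale message"
    return True, "channel may be established"


def build_demo():
    """Constructed device, authentication lists and request (all sample values)."""
    sk = secrets.randbelow(P - 2) + 1
    did = "did:example:device-01"
    raw = json.dumps({"did": did, "pk": pow(G, sk, P)}).encode()
    h = hashlib.sha256(raw).hexdigest()
    upper = {did: {"token_id": "tok-1", "evil": 0}}
    lower = {did: h}
    files = {h: raw}
    t = 1_700_000_000
    req = {"DID": did, "CD": "constructed-credential", "MsgData": "read-temp", "t": t}
    req["sigma"] = sign(sk, signed_bytes(did, req["CD"], req["MsgData"], t))
    return req, upper, lower, files, t


if __name__ == "__main__":
    request, up, low, store, ts = build_demo()
    print(verify_request(request, up, low, store, now=ts + 5))
```
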
The identity authentication method of the internet of things device provided by the embodiment of the application is described below by taking the internet of things device as an execution subject.
As shown in fig. 4, the method for authenticating the identity of the internet of things device includes: step 410.
Step 410, sending a network entry registration request to a first administrator node; the network access registration request comprises a distributed identity of the Internet of things equipment; the distributed identity is a decentralized identity identifier created in the blockchain by the Internet of things equipment, so that the first manager node can conveniently verify the distributed identity based on an identity identifier file uploaded to an upper blockchain in advance, and under the condition that verification is passed, an equipment certificate indicating that the Internet of things equipment identity is legal is generated, and the equipment certificate is returned; the identification file comprises the identification information of the Internet of things equipment.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
In some embodiments, the method further comprises:
Transmitting the device identification to an authoritative central node; the device identifier is an identifier for representing the identity of the device of the Internet of things, so that the authority center node carries out hash operation on the device identifier to obtain a corresponding first hash value, and the first hash value is sent to the device of the Internet of things;
And generating a key pair based on the random number, generating an identity identification file according to the public key in the key pair, the hash value and the distributed identity identification, and uploading the identity identification file to an upper layer block chain.
In some embodiments, the method further comprises:
And sending a communication request to the base station node, wherein the communication request comprises a distributed identity and a device certificate, so that the base station node can verify whether the Internet of things device corresponding to the distributed identity is legal or not based on the first authentication information in the upper authentication list under the condition that the device certificate passes, if so, locating an identity file based on the second authentication information in the lower authentication list, verifying the distributed identity according to the identity file, and if so, establishing a transmission channel with the Internet of things device.
The method for authenticating the identity of the internet of things device provided by the embodiment of the application is described below by taking the first administrator node as an execution subject.
As shown in fig. 5, the method for authenticating the identity of the internet of things device includes: step 510, step 520 and step 530.
Step 510, verifying the distributed identity based on the identity file pre-uploaded to the upper layer blockchain; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
Step 520, generating a device credential indicating that the identity of the device of the internet of things is legal if the verification is passed;
Step 530, the device credential is sent to the internet of things device.
According to the method for authenticating the identity of the Internet of things equipment, the Internet of things and the blockchain are combined, a decentralised control and management mechanism is provided, so that the Internet of things equipment and other participants can have a unique identity, and the identity of the Internet of things equipment is authenticated by using the identity document comprising the identity information of the Internet of things equipment, so that the unauthorized equipment can be prevented from accessing the system, only authorized users can operate the equipment, and the distributed account book of the blockchain can ensure the integrity of data and prevent tampering. Through the data record of the Internet of things system including the identity information of the Internet of things equipment on the blockchain, the identity of the Internet of things equipment can be effectively verified, the risk of data leakage is reduced, and the safety of the data is improved.
In some embodiments, verifying the distributed identity based on the identity file previously uploaded to the upper blockchain includes:
Under the condition that the network access registration request is verified to be not tampered, forwarding the network access registration request to a plurality of second manager nodes so that the second manager nodes can acquire identity identification files corresponding to the Internet of things equipment from an upper layer block chain, verifying the distributed identity according to the identity identification files, generating equipment sub-certificates under the condition that the verification identity is legal, and returning the equipment sub-certificates;
And under the condition that at least a preset number of device sub-certificates are received, the verification is passed, and the device certificates are generated according to the at least preset number of device sub-certificates.
In some embodiments, the method further comprises:
Broadcasting a first message that the Internet of things device is legal in an upper layer block chain under the condition of generating a device certificate;
Under the condition that the first message achieves consensus, uploading first authentication information representing the Internet of things equipment as legal equipment into an upper authentication list of an upper block chain;
Broadcasting a second message of the identification file positioning mode in the lower layer block chain;
And uploading second authentication information representing the positioning mode of the identification document to a lower authentication list of a lower blockchain under the condition that the second message achieves consensus.
In blockchain technology, users typically hold private keys through a software wallet or a hardware wallet.
The software wallet is an application program and can be installed on a computer, a mobile phone or other devices. It may generate and store a private key and allow the user to sign a transaction to send cryptocurrency. The advantage of a software wallet is ease of use and access, but the disadvantage is that it may be vulnerable to malware, viruses or cyber attacks, resulting in theft of the private key.
A hardware wallet is a specially designed physical device for holding a private key and signing transactions. It is typically connected to a computer or mobile device and generates and stores a private key in an off-line state, thereby providing greater security. The hardware wallet has the advantage of storing the private key offline, effectively preventing network attacks and the threat of malware, but has the disadvantage of possibly requiring the purchase of additional equipment and being relatively inconvenient to use.
However, if the user forgets the password or the private key is lost, the cryptocurrency asset will not be accessed again, which is also a potential risk of the above-described way of maintaining the private key, which is less secure.
In order to solve the problem of low security in the existing key preservation mode, the embodiment of the application further provides a key storage method. The key storage method can be applied to the terminal, and can be specifically executed by hardware or software in the terminal.
The terminal includes, but is not limited to, a portable communication device such as a mobile phone or tablet having a touch sensitive surface (e.g., a touch screen display and/or a touch pad). It should also be appreciated that in some embodiments, the terminal may not be a portable communication device, but rather a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or a touch pad).
In the following various embodiments, a terminal including a display and a touch sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and joystick.
The execution main body of the key storage method provided by the embodiment of the application can be an electronic device or a functional module or a functional entity in the electronic device capable of realizing the key storage method, and the electronic device provided by the embodiment of the application comprises, but is not limited to, a mobile phone, a tablet computer, a camera, a wearable device and the like.
As shown in fig. 6, the key storage method includes: step 610, step 620, and step 630.
Step 610, selecting any target random code from the random code groups sent by the manager node, and performing hash operation on the target random code based on a preset hash function to obtain a second hash value; the random code group comprises n random codes;
Step 620, performing exclusive OR operation on the hash value and the private key to obtain a third hash value, and randomly generating n-1 third hash values;
Step 630, adding the second hash value and the fourth hash value to the hash value set and sending the hash value set to the administrator node, so that the administrator node can upload the hash value set to the lower blockchain.
In the embodiment of the present application, the administrator node may be the first administrator node, the second administrator node, or any other administrator node that may be trusted.
In particular, to facilitate understanding of the key storage process in the embodiment of the present application, the present application is illustrated using a scenario example, and as shown in fig. 7, the key storage process may include steps C1-C3.
C1, when the user needs to store a key, the user can send registration information to the manager node through the electronic device; after receiving the registration information, the manager node sends the user a randomly chosen group of random codes and stores the random codes in the lower-layer blockchain.
Specifically, the administrator node first verifies the authenticity of the user identity. After verification, it selects n random codes {Rand1, Rand2, …, Randn}, signs them, encrypts them with the public key of the user and sends them to the user. Here n can be an integer greater than or equal to 2, for example 2, 5, 10 or 15. A greater n means that the stored key is harder to crack, but also that more computation is needed, and a person skilled in the art can set different values according to actual requirements.
C2, the user receives the n random codes, performs j hash operations on any one random code by using a preset hash function to obtain the operated random code (namely the second hash value), performs an exclusive OR operation on the operated random code and the private key of the user to obtain an exclusive OR result (namely the third hash value), stores the random code, the hash function and the value j, and returns the exclusive OR result and n-1 randomly generated fourth hash values to the administrator node.
Specifically, step C2 may include the steps of:
C201, the user randomly selects one of the n received random codes and applies a user-defined hash function to it j times to obtain H^j(Randk), where k = 1, 2, …, n indexes the n random codes, and then applies an exclusive OR so that the following expression is satisfied:
H^j(Randk) XOR SK = SK', where SK represents the private key and SK' represents the exclusive OR result.
C202, the user saves the value j, the hash function and the random code Randk, randomly generates n-1 fourth hash values, adds the n-1 fourth hash values and SK' to a hash value group, and transmits the hash value group to an administrator node, wherein SK' and the n-1 fourth hash values together form the hash value group as a fraud group (DECEIVING-group): {SK', RandSK'1, …, RandSK'(n-1)}.
And C3, the manager node stores the received n operation results (fraud groups) into the lower-layer blockchain.
Specifically, the manager node receives the fraud group, decrypts it with its own private key, and then uses the public key of the user to verify that the message is consistent before and after signing. If it is consistent, the fraud group and the public key of the user are stored in the user table of the lower blockchain. Note that the manager node does not know which value in the fraud group is SK'.
According to the key storage method, a hash operation is performed on any random code in the random code group, real key data is formed from the value obtained after the hash operation and the private key, a plurality of false key data are randomly generated, and the hash value group formed by the real key data and the false key data is used as a fraud group. As a result, even if an attacker knows how the user's hash function operates, the time complexity of cracking the key is greatly increased while the time complexity of the user obtaining the key is not increased; fault tolerance is greatly improved, a huge computational cost is imposed on the attacker, the user is helped to update the key before it is cracked, and the security of key storage is improved.
In some embodiments, the method further comprises:
under the condition that the private key is lost, receiving a random code group, a hash value group and an encrypted message encrypted by a public key corresponding to the private key, which are sent by an administrator node;
performing hash operation on a target random code in the random code group based on a hash function to obtain a second hash value;
performing exclusive OR operation on the hash values in the hash value group based on the second hash value to obtain an operation value;
in the case that the operation value decryption of the encrypted message is successful, the operation value is taken as a private key.
In particular, to facilitate understanding of the recovery process after the key is lost in the embodiment of the present application, the present application is illustrated by using a scenario example, and as shown in fig. 8, the key storage process may include steps C401 to C403.
C401, when the user key is lost, the user contacts the authoritative central node to verify their own identity, and after verification, the authoritative central node sends a temporary certificate token to the user;
C402, the user transmits the key loss information and the temporary certificate token to the manager node; after receiving the information, the manager node verifies the timeliness of the temporary certificate token, and if the verification is passed, C403 is executed;
C403, the manager node retrieves from the lower-layer blockchain the group of n random codes and the fraud group recorded when the user registered, encrypts a random message with the public key of the user to obtain a ciphertext of the random message, sends the information of the random code group and the ciphertext to the user, and signs the information. After verifying the signed information, the user performs j hash operations with the hash function stored by the manager node and the random code Randk to obtain the second hash value, then performs an exclusive OR operation on the second hash value and a hash value in the fraud group to obtain an operation value, and decrypts the ciphertext with that operation value. If the decrypted message is garbled, decryption has failed, and the user repeats the exclusive OR operation with another hash value in the fraud group, until the message obtained by decrypting the ciphertext with the operation value is a normal message; the operation value obtained in that round can then be determined to be the private key of the user.
In this embodiment, after the key is lost, the user only needs to run an operation with a time complexity of n, whereas an attacker, even knowing how the hash function operates, has to pay a time complexity exponential in n. Only after the target random code and the hash function have both been accurately cracked, and the hash value group data in the lower-layer blockchain has also been cracked, does the attacker still need to perform an operation with a time complexity of n, which leaves fault-tolerant time for operations such as freezing user rights, thereby improving the security of key storage.
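The storage steps C1-C3 and the recovery step C403 carried through in code, as an added example that is not part of the patent. SHA-256 as the hash function, the demo-sized ElGamal group used for the public-key encryption step, the MAGIC prefix that makes a "normal message" recognisable, and all function names are assumptions.

```python
import hashlib
import secrets

# Demo-sized ElGamal group (assumption, not a vetted parameter set). It only
# gives the "encrypt to the user's public key" step of C403 something to run on.
P = 2**255 - 19
G = 2
KEY_LEN = 32                    # bytes; equals the SHA-256 output length
MAGIC = b"RECOVERY-CHALLENGE:"  # assumed marker of a "normal message"
NONCE_LEN = 12                  # MAGIC + nonce = 31 bytes, always below P


def iter_hash(code: bytes, j: int) -> bytes:
    """H^j(Randk): SHA-256 applied j times to the chosen random code."""
    digest = code
    for _ in range(j):
        digest = hashlib.sha256(digest).digest()
    return digest


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def public_key(sk: bytes) -> int:
    return pow(G, int.from_bytes(sk, "big"), P)


def build_deceiving_group(sk: bytes, codes: list, k: int, j: int) -> list:
    """C2: SK' = H^j(Randk) XOR SK, hidden among n-1 random fourth hash values."""
    if j < 1:
        raise ValueError("j must be at least 1")
    real = xor(iter_hash(codes[k], j), sk)
    group = [secrets.token_bytes(KEY_LEN) for _ in range(len(codes) - 1)]
    group.insert(secrets.randbelow(len(codes)), real)  # position is not recorded
    return group


def encrypt_challenge(pk: int, nonce: bytes) -> tuple:
    """Manager side of C403: encrypt a random message to the user's public key."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be NONCE_LEN bytes")
    m = int.from_bytes(MAGIC + nonce, "big")
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt_challenge(candidate: bytes, ct: tuple):
    """Return the nonce if `candidate` yields a well-formed message, else None."""
    c1, c2 = ct
    shared = pow(c1, int.from_bytes(candidate, "big"), P)
    plain = ((c2 * pow(shared, -1, P)) % P).to_bytes(KEY_LEN, "big")
    if plain.startswith(b"\x00" + MAGIC):
        return plain[1 + len(MAGIC):]
    return None                                  # garbled: wrong candidate


def recover_private_key(group: list, code: bytes, j: int, ct: tuple):
    """User side of C403: at most n XORs and trial decryptions."""
    mask = iter_hash(code, j)
    for trials, value in enumerate(group, start=1):
        candidate = xor(mask, value)
        nonce = decrypt_challenge(candidate, ct)
        if nonce is not None:
            return candidate, nonce, trials
    return None, None, len(group)


def demo(n: int = 10, j: int = 1000):
    sk = secrets.token_bytes(KEY_LEN)                    # constructed private key
    codes = [secrets.token_bytes(16) for _ in range(n)]  # C1: Rand1..Randn
    k = secrets.randbelow(n)                             # user keeps Randk, j, hash
    group = build_deceiving_group(sk, codes, k, j)       # C3: goes to lower chain
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = encrypt_challenge(public_key(sk), nonce)
    recovered, returned_nonce, trials = recover_private_key(group, codes[k], j, ct)
    return recovered == sk, returned_nonce == nonce, trials


if __name__ == "__main__":
    print(demo())
```

Anyone holding the stored Randk, j and hash function needs the same n trials against the stored group, so those three values carry the secret and have to be protected on the user's side.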
In some embodiments, the method may further comprise:
And under the condition that the operation value decrypts the encrypted message successfully, sending the decrypted message obtained by decrypting the encrypted message to an administrator node so that the administrator node returns a notification of updating the hash value group under the condition that the decrypted message passes verification.
Specifically, when the message obtained by decrypting the ciphertext by using the operation value is a normal message, the user can determine that the operation value obtained by the operation is the private key of the user, sign the decrypted message, encrypt the decrypted message by using the public key of the manager node, and send the encrypted message to the manager node.
The manager node verifies the decrypted ciphertext message sent by the user; if it is consistent, this proves that the user has recovered the key, and the manager node then sends a hash value set update request, because the second hash value SK' may be at risk of leakage during the process of recovering the private key.
After receiving the hash value set update request, the user may update the hash function, update the j value, recalculate H^j(Rand), and repeat C1-C3.
In this embodiment, once a lost key has been recovered, the real key data formed from the value after the hash operation and the private key is at risk of leakage. Therefore, in the case where the decrypted message that the user obtained with the recovered private key passes verification, the user is promptly notified to update the hash value group formed of the real key data and the false key data, which further improves the security of key storage.
According to the method for authenticating the identity of the equipment of the Internet of things, provided by the embodiment of the application, the executive body can be the device for authenticating the identity of the equipment of the Internet of things. In the embodiment of the application, the method for executing the equipment identity authentication of the internet of things by the equipment identity authentication device of the internet of things is taken as an example, and the equipment identity authentication device of the internet of things provided by the embodiment of the application is explained.
The embodiment of the application also provides an identity authentication device of the Internet of things equipment.
As shown in fig. 9, the device for authenticating the identity of the internet of things equipment includes:
A first sending module 910, configured to send a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of Things device; the distributed identity is a decentralized identity identifier created in the blockchain by the Internet of Things device, so that the first manager node verifies the distributed identity based on an identity identification file uploaded to an upper-layer blockchain in advance, generates, when the verification passes, a device certificate indicating that the identity of the Internet of Things device is legal, and returns the device certificate; the identity identification file comprises the identity information of the Internet of Things device.
The Internet of Things device identity authentication apparatus combines the Internet of Things with the blockchain and provides a decentralized control and management mechanism, so that Internet of Things devices and other participants each have a unique identity. The identity of an Internet of Things device is authenticated using an identity identification file that contains the device's identity information, which prevents unauthorized devices from accessing the system and ensures that only authorized users can operate the device, while the distributed ledger of the blockchain ensures data integrity and prevents tampering. Because the data of the Internet of Things system, including the identity information of the Internet of Things devices, is recorded on the blockchain, the identity of a device can be verified effectively, the risk of data leakage is reduced, and data security is improved.
In some embodiments, the apparatus may further include an identification document uploading module configured to:
sending the device identifier to an authoritative center node; the device identifier is an identifier representing the identity of the Internet of Things device, so that the authoritative center node performs a hash operation on the device identifier to obtain a corresponding first hash value and sends the first hash value to the Internet of Things device;
generating a key pair based on a random number, generating an identity identification file according to the public key in the key pair, the first hash value and the distributed identity, and uploading the identity identification file to the upper-layer blockchain.
In some embodiments, the apparatus may further include a communication request sending module configured to:
sending a communication request to the base station node, where the communication request comprises the distributed identity and the device certificate, so that the base station node, when the device certificate passes verification, verifies whether the Internet of Things device corresponding to the distributed identity is legal based on the first authentication information in the upper authentication list; if so, locates the identity identification file based on the second authentication information in the lower authentication list and verifies the distributed identity according to the identity identification file; and if that verification passes, establishes a transmission channel with the Internet of Things device.
The embodiment of the application also provides an identity authentication device of the Internet of things equipment.
As shown in fig. 10, the device for authenticating an identity of an internet of things apparatus includes:
The verification module 1010 is configured to verify the distributed identity based on an identity file that is uploaded to the upper layer blockchain in advance; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
The generating module 1020 is configured to generate a device credential that indicates that the identity of the device of the internet of things is legal if the verification is passed;
And the second sending module 1030 is configured to send the device credential to the internet of things device.
The Internet of Things device identity authentication apparatus combines the Internet of Things with the blockchain and provides a decentralized control and management mechanism, so that Internet of Things devices and other participants each have a unique identity. The identity of an Internet of Things device is authenticated using an identity identification file that contains the device's identity information, which prevents unauthorized devices from accessing the system and ensures that only authorized users can operate the device, while the distributed ledger of the blockchain ensures data integrity and prevents tampering. Because the data of the Internet of Things system, including the identity information of the Internet of Things devices, is recorded on the blockchain, the identity of a device can be verified effectively, the risk of data leakage is reduced, and data security is improved.
In some embodiments, the verification module 1010 is further to:
when the network access registration request is verified as not having been tampered with, forwarding the network access registration request to a plurality of second manager nodes, so that each second manager node acquires the identity identification file corresponding to the Internet of Things device from the upper-layer blockchain, verifies the distributed identity according to the identity identification file, generates a device sub-certificate when the identity is verified as legal, and returns the device sub-certificate;
when at least a preset number of device sub-certificates are received, the verification passes, and the device certificate is generated from the at least preset number of device sub-certificates.
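One way the first manager node could enforce the preset number of device sub-certificates described above, as an added example that is not code from the patent. HMAC-SHA256 with a per-node key stands in for each second manager node's signature, and the node names, keys, DID string and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

# Constructed sample data: per-node keys known to the first manager node,
# a device DID, and the raw network access registration request.
NODE_KEYS = {"mgr-a": b"key-a" * 4, "mgr-b": b"key-b" * 4, "mgr-c": b"key-c" * 4}
DID = "did:example:device-001"
REQUEST = b'{"did": "did:example:device-001", "type": "network-access-registration"}'


class SubCredential(NamedTuple):
    node_id: str          # second manager node that verified the identity
    did: str              # distributed identity the node vouches for
    request_hash: bytes   # SHA-256 of the request the node actually saw
    tag: bytes            # HMAC stand-in for the node's signature


def _tag(key: bytes, did: str, request_hash: bytes) -> bytes:
    # request_hash has a fixed length, so the concatenation is unambiguous.
    return hmac.new(key, did.encode() + request_hash, hashlib.sha256).digest()


def issue_sub_credential(node_id: str, key: bytes, did: str, request: bytes) -> SubCredential:
    """What a second manager node returns after verifying the identity file."""
    request_hash = hashlib.sha256(request).digest()
    return SubCredential(node_id, did, request_hash, _tag(key, did, request_hash))


def aggregate(did: str, request: bytes, sub_credentials, node_keys, threshold: int) -> Optional[dict]:
    """Issue a device credential only if `threshold` distinct nodes vouched
    for this DID and this exact request."""
    request_hash = hashlib.sha256(request).digest()
    accepted = {}
    for sc in sub_credentials:
        key = node_keys.get(sc.node_id)
        if key is None or sc.node_id in accepted:
            continue  # unknown node, or this node has already been counted
        if sc.did != did or sc.request_hash != request_hash:
            continue  # sub-credential is bound to another device or request
        if hmac.compare_digest(_tag(key, did, request_hash), sc.tag):
            accepted[sc.node_id] = sc
    if len(accepted) < threshold:
        return None
    digest = hashlib.sha256()
    for node_id in sorted(accepted):
        digest.update(node_id.encode() + accepted[node_id].tag)
    return {"did": did, "endorsers": sorted(accepted), "credential": digest.hexdigest()}


if __name__ == "__main__":
    subs = [issue_sub_credential(n, k, DID, REQUEST) for n, k in NODE_KEYS.items()]
    print(aggregate(DID, REQUEST, subs, NODE_KEYS, threshold=3))
    print(aggregate(DID, REQUEST, [subs[0]] * 3, NODE_KEYS, threshold=3))
```

Counting distinct node identifiers rather than received messages is what keeps one node's repeated sub-certificate from satisfying the preset number.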
In some embodiments, the apparatus further comprises a broadcast module for:
Broadcasting a first message that the Internet of things device is legal in an upper layer block chain under the condition of generating a device certificate;
Under the condition that the first message achieves consensus, uploading first authentication information representing the Internet of things equipment as legal equipment into an upper authentication list of an upper block chain;
Broadcasting a second message of the identification file positioning mode in the lower layer block chain;
And uploading second authentication information representing the positioning mode of the identification document to a lower authentication list of a lower blockchain under the condition that the second message achieves consensus.
The key storage method provided by the embodiments of the application may be executed by a key storage device. The embodiments of the application describe the key storage device by taking as an example the case in which it executes the key storage method.
The embodiment of the application also provides a key storage device.
As shown in fig. 11, the key storage device includes:
A first operation module 1110, configured to select any target random code from the random code groups sent by the administrator node, perform hash operation on the target random code based on a preset hash function, and obtain a second hash value; the random code group comprises n random codes;
The second operation module 1120 is configured to perform an exclusive-or operation on the hash value and the private key to obtain a third hash value, and randomly generate n-1 fourth hash values;
the third sending module 1130 is configured to add the second hash value and the fourth hash values to a hash value group and send the hash value group to the administrator node, so that the administrator node uploads the hash value group to the lower blockchain.
In this key storage method, a hash operation is performed on any random code in the random code group, real key data is formed from the hashed value and the private key, a plurality of false key data are randomly generated, and the hash value group formed of the real key data and the false key data serves as a decoy group. As a result, even if an attacker knows how the user's hash function operates, the time complexity of cracking the user's key is greatly increased, while the time complexity for the user to obtain the key is not increased. Fault tolerance is greatly improved, the attacker incurs a huge computational cost, the user is helped to update the key before it is cracked, and the security of key storage is improved.
In some embodiments, the apparatus further comprises a key recovery module for:
under the condition that the private key is lost, receiving a random code group, a hash value group and an encrypted message encrypted by a public key corresponding to the private key, which are sent by an administrator node;
performing hash operation on a target random code in the random code group based on a hash function to obtain a second hash value;
performing exclusive OR operation on the hash values in the hash value group based on the second hash value to obtain an operation value;
when the operation value successfully decrypts the encrypted message, taking the operation value as the private key.
In some embodiments, the apparatus further comprises an update notification module to:
And under the condition that the operation value decrypts the encrypted message successfully, sending the decrypted message obtained by decrypting the encrypted message to an administrator node so that the administrator node returns a notification of updating the hash value group under the condition that the decrypted message passes verification.
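The storage and recovery steps above can be exercised end to end as follows. This is an added example, not code from the patent: it assumes SHA-256 as the preset hash function, reads the page's "H j (Rand)" as j iterations of that hash, stores the XOR of the hashed random code and the private key as the real entry, and uses a toy ElGamal over the prime 2^255 - 19 as a stand-in for the unspecified public-key scheme. All function names are hypothetical.

```python
import hashlib
import secrets

# Assumptions (not from the patent): SHA-256 as the hash function, j as an
# iteration count, and toy ElGamal mod P standing in for the public-key scheme.
P = 2**255 - 19
G = 2
MAGIC = int.from_bytes(b"IOTKEYOK", "big")  # constructed marker of a "normal" message


def new_random_codes(n: int) -> list:
    """Random code group of n codes, as the manager node would send it."""
    return [secrets.token_bytes(16) for _ in range(n)]


def new_private_key() -> bytes:
    return (secrets.randbelow(P - 2) + 1).to_bytes(32, "big")


def public_key(private_key: bytes) -> int:
    return pow(G, int.from_bytes(private_key, "big"), P)


def iter_hash(code: bytes, j: int) -> bytes:
    """Hash the chosen random code j times (j >= 1) to get a 32-byte mask."""
    if j < 1:
        raise ValueError("j must be at least 1")
    value = code
    for _ in range(j):
        value = hashlib.sha256(value).digest()
    return value


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def store_key(private_key: bytes, codes: list, index: int, j: int) -> list:
    """Build the hash value group: one real entry hidden among n-1 decoys."""
    mask = iter_hash(codes[index], j)
    group = [xor(mask, private_key)]
    group += [secrets.token_bytes(32) for _ in range(len(codes) - 1)]
    secrets.SystemRandom().shuffle(group)  # position must not reveal the real entry
    return group


def encrypt_challenge(pub: int):
    """Manager side: encrypt a recognisable message under the user's public key."""
    message = (MAGIC << 128) | secrets.randbits(128)
    k = secrets.randbelow(P - 2) + 1
    return message, (pow(G, k, P), message * pow(pub, k, P) % P)


def decrypt(candidate: bytes, ciphertext) -> int:
    c1, c2 = ciphertext
    x = int.from_bytes(candidate, "big") % (P - 1)
    return c2 * pow(c1, P - 1 - x, P) % P  # c1^(P-1-x) equals c1^(-x) mod P


def recover_key(codes: list, group: list, ciphertext, index: int, j: int):
    """User side: XOR every group entry with the mask and keep the candidate
    that decrypts the challenge to a normal message."""
    mask = iter_hash(codes[index], j)
    for entry in group:
        candidate = xor(mask, entry)
        if decrypt(candidate, ciphertext) >> 128 == MAGIC:
            return candidate
    return None  # wrong code, wrong j, or a tampered group


if __name__ == "__main__":
    codes = new_random_codes(8)
    private = new_private_key()
    group = store_key(private, codes, index=5, j=3)
    message, ciphertext = encrypt_challenge(public_key(private))
    print("recovered:", recover_key(codes, group, ciphertext, index=5, j=3) == private)
    print("wrong j:", recover_key(codes, group, ciphertext, index=5, j=4))
```

The user only has to remember which random code and which j were used; recovery costs at most n decryptions, and the decrypted message is what the manager node checks before requesting a hash value group update.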
The identity authentication device and the key storage device of the Internet of Things equipment in the embodiments of the application may be electronic devices, or components of electronic devices such as an integrated circuit or a chip. The electronic device may be a terminal, a server, or a device other than a terminal. The electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle-mounted electronic device, a mobile Internet device (MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device, an ultra-mobile personal computer (UMPC), a netbook or a personal digital assistant (PDA), etc., and may also be a server, a network attached storage (NAS), a personal computer (PC), a television (TV), a teller machine, a self-service machine, etc., which are not particularly limited in the embodiments of the present application.
The identity authentication device and the key storage device of the Internet of Things equipment in the embodiments of the application may be devices with an operating system. The operating system may be a Microsoft Windows operating system, an Android operating system, an iOS operating system, or another possible operating system, and the embodiments of the present application are not specifically limited in this respect.
In some embodiments, as shown in fig. 12, an electronic device 1200 is further provided in the embodiments of the present application, which includes a processor 1201, a memory 1202, and a computer program stored in the memory 1202 and capable of running on the processor 1201, where the program when executed by the processor 1201 implements each process of the embodiment of the device identity authentication method or the key storage method of the internet of things and can achieve the same technical effect, and for avoiding repetition, a detailed description is omitted herein.
The electronic device in the embodiment of the application includes the mobile electronic device and the non-mobile electronic device.
The embodiment of the application also provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, realizes the processes of the above embodiment of the method for authenticating the identity of the internet of things device or the method for storing the secret key, and can achieve the same technical effects, and in order to avoid repetition, the description is omitted here.
The processor is the processor in the electronic device of the above embodiment. Readable storage media include computer readable storage media such as read-only memory (ROM), random access memory (RAM), magnetic disks or optical disks.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program realizes the method for authenticating the identity of the equipment of the Internet of things or the method for storing the secret key when being executed by a processor.
The processor is the processor in the electronic device of the above embodiment. Readable storage media include computer readable storage media such as read-only memory (ROM), random access memory (RAM), magnetic disks or optical disks.
The embodiment of the application further provides a chip. The chip comprises a processor and a communication interface coupled with the processor, and the processor is used for running programs or instructions to implement the processes of the above embodiments of the Internet of Things device identity authentication method or the key storage method, achieving the same technical effects; to avoid repetition, the description is not repeated here.
It should be understood that the chips referred to in the embodiments of the present application may also be referred to as system-on-chip chips or chip systems, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.
In the description of the present specification, reference to the terms "one embodiment," "some embodiments," "illustrative embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present application have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the application, the scope of which is defined by the claims and their equivalents.

Claims (18)

1. An identity authentication method for Internet of Things devices, characterized by comprising:
the Internet of Things device sends a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of Things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of Things device;
the first manager node verifies the distributed identity based on an identity identification file uploaded to an upper layer blockchain in advance, generates a device certificate indicating that the identity of the Internet of things device is legal under the condition that verification is passed, and sends the device certificate to the Internet of things device; the identification file comprises the identification information of the Internet of things equipment.
2. The method according to claim 1, wherein the method further comprises:
The Internet of things equipment sends an equipment identifier to an authoritative center node; the equipment identifier is an identifier for representing the identity of the equipment of the Internet of things;
The authority center node carries out hash operation on the equipment identifier to obtain a corresponding first hash value, and the first hash value is sent to the Internet of things equipment;
The internet of things equipment generates a key pair based on a random number, generates an identity identification file according to a public key in the key pair, the first hash value and the distributed identity identification, and uploads the identity identification file to an upper layer block chain.
3. The method of claim 1, wherein the first administrator node verifies the distributed identity based on an identity file previously uploaded to an upper blockchain, and in the event that the verification passes, generates a device credential indicating that the device identity of the internet of things is legitimate, comprising:
The first manager node forwards the network access registration request to a plurality of second manager nodes under the condition that the network access registration request is verified to be not tampered;
The second manager node acquires an identity identification file corresponding to the Internet of Things device from the upper-layer blockchain, verifies the distributed identity according to the identity identification file, generates a device sub-certificate when the identity is verified as legal, and sends the device sub-certificate to the first manager node;
and under the condition that the first manager node receives at least a preset number of device sub-credentials, generating the device credentials according to the at least preset number of device sub-credentials.
4. The method according to claim 1, wherein the method further comprises:
When the device certificate is generated, the first manager node broadcasts, in the upper-layer blockchain, a first message that the Internet of Things device is a legal device, and, when the first message reaches consensus, uploads first authentication information representing that the Internet of Things device is a legal device to an upper-layer authentication list of the upper-layer blockchain; the first manager node broadcasts, in a lower-layer blockchain, a second message of the identity identification file positioning mode, and, when the second message reaches consensus, uploads second authentication information representing the identity identification file positioning mode to a lower-layer authentication list of the lower-layer blockchain.
5. The method of claim 4, wherein the method further comprises:
The Internet of things equipment sends a communication request to a base station node, wherein the communication request comprises the distributed identity and the equipment certificate;
And under the condition that the equipment certificate passes verification, the base station node verifies whether the Internet of things equipment corresponding to the distributed identity is legal or not based on the first authentication information in the upper authentication list, if so, the identity file is positioned based on the second authentication information in the lower authentication list, the distributed identity is verified according to the identity file, and if so, a transmission channel with the Internet of things equipment is established.
6. An identity authentication method for Internet of Things devices, characterized by comprising:
sending a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of Things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of Things device, so that the first manager node verifies the distributed identity based on an identity identification file uploaded to an upper-layer blockchain in advance, generates, when the verification passes, a device certificate indicating that the identity of the Internet of Things device is legal, and returns the device certificate; the identity identification file comprises the identity information of the Internet of Things device.
7. The method of claim 6, wherein the method further comprises:
sending the device identifier to an authoritative center node; the device identifier is an identifier representing the identity of the Internet of Things device, so that the authoritative center node performs a hash operation on the device identifier to obtain a corresponding first hash value and sends the first hash value to the Internet of Things device;
generating a key pair based on a random number, generating an identity identification file according to the public key in the key pair, the first hash value and the distributed identity, and uploading the identity identification file to the upper-layer blockchain.
8. The method of claim 6, wherein the method further comprises:
And sending a communication request to a base station node, wherein the communication request comprises the distributed identity and the equipment certificate, so that the base station node can verify whether the Internet of things equipment corresponding to the distributed identity is legal or not based on the first authentication information in the upper authentication list under the condition that the equipment certificate passes, if so, the identity file is positioned based on the second authentication information in the lower authentication list, the distributed identity is verified according to the identity file, and if so, a transmission channel with the Internet of things equipment is established.
9. An identity authentication method for Internet of Things devices, characterized by comprising:
Verifying the distributed identity based on the identity file which is uploaded to the upper layer block chain in advance; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
Generating a device certificate which indicates that the identity authentication of the Internet of things device is legal under the condition that verification is passed;
and sending the equipment certificate to the Internet of things equipment.
10. The method of claim 9, wherein verifying the distributed identity based on the identity file previously uploaded to the upper blockchain comprises:
Forwarding the network access registration request to a plurality of second manager nodes under the condition that the network access registration request is verified to be not tampered, so that the second manager nodes can acquire an identity identification file corresponding to the Internet of things equipment from an upper layer blockchain, verify the distributed identity according to the identity identification file, generate equipment sub-credentials under the condition that the verified identity is legal, and return the equipment sub-credentials;
and under the condition that at least a preset number of device sub-certificates are received, the verification is passed, and the device certificates are generated according to the at least preset number of device sub-certificates.
11. The method according to claim 9, wherein the method further comprises:
Broadcasting a first message that the Internet of things device is legal in an upper layer block chain under the condition that the device certificate is generated;
under the condition that the first message achieves consensus, uploading first authentication information representing that the Internet of things equipment is legal equipment to an upper authentication list of the upper block chain;
Broadcasting a second message of the identification file positioning mode in a lower layer block chain;
and under the condition that the second message reaches consensus, uploading second authentication information representing the positioning mode of the identification document to a lower authentication list of the lower blockchain.
12. A key storage method, comprising:
Selecting any target random code from random code groups sent by an administrator node, and carrying out hash operation on the target random code based on a preset hash function to obtain a second hash value; the random code group comprises n random codes;
performing exclusive OR operation on the hash value and a private key to obtain a third hash value, and randomly generating n-1 fourth hash values;
And adding the second hash value and the fourth hash value into a hash value group and sending the hash value group to the manager node so that the manager node can upload the hash value group into an underlying blockchain.
13. The method according to claim 12, wherein the method further comprises:
Receiving the random code group, the hash value group and an encrypted message encrypted by a public key corresponding to the private key, which are sent by the administrator node, under the condition that the private key is lost;
Performing hash operation on a target random code in the random code group based on the hash function to obtain a second hash value;
Performing exclusive OR operation on the hash values in the hash value group based on the second hash value to obtain an operation value;
And taking the operation value as the private key under the condition that the operation value successfully decrypts the encrypted message.
14. The method according to claim 13, wherein the method further comprises:
And under the condition that the operation value decrypts the encrypted message successfully, sending the decrypted message obtained by decrypting the encrypted message to the manager node so that the manager node returns a notice of updating the hash value group under the condition that the decrypted message passes verification.
15. An Internet of Things device identity authentication apparatus, characterized by comprising:
a first sending module, used for sending a network access registration request to a first manager node; the network access registration request comprises a distributed identity of the Internet of Things device; the distributed identity is a decentralized identity identifier created in a blockchain by the Internet of Things device, so that the first manager node verifies the distributed identity based on an identity identification file uploaded to an upper-layer blockchain in advance, generates, when the verification passes, a device certificate indicating that the identity of the Internet of Things device is legal, and returns the device certificate; the identity identification file comprises the identity information of the Internet of Things device.
16. An Internet of Things device identity authentication apparatus, characterized by comprising:
The verification module is used for verifying the distributed identity based on the identity file which is uploaded to the upper layer block chain in advance; the distributed identity is obtained from a network access registration request which is sent by the Internet of things equipment; the identity identification file comprises identity information of the Internet of things equipment;
The generation module is used for generating a device certificate which indicates that the identity authentication of the Internet of things device is legal under the condition that verification is passed;
And the second sending module is used for sending the equipment certificate to the Internet of things equipment.
17. A key storage device, comprising:
the first operation module is used for selecting any target random code from random code groups sent by the manager node, and carrying out hash operation on the target random code based on a preset hash function to obtain a second hash value; the random code group comprises n random codes;
The second operation module is used for carrying out exclusive OR operation on the hash value and the private key to obtain a third hash value and randomly generating n-1 fourth hash values;
And the third sending module is used for adding the second hash value and the fourth hash value into a hash value group and sending the hash value group to the manager node so that the manager node can upload the hash value group to a lower-layer blockchain.
18. A non-transitory computer readable storage medium, having stored thereon a computer program, which when executed by a processor, implements the method according to any of claims 1-14.
CN202410423336.2A 2024-04-09 2024-04-09 Identity authentication method, key storage method and device of Internet of things equipment Pending CN118233193A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410423336.2A CN118233193A (en) 2024-04-09 2024-04-09 Identity authentication method, key storage method and device of Internet of things equipment

Publications (1)

Publication Number Publication Date
CN118233193A (en) 2024-06-21

Family

ID=91503680

Country Status (1)

Country Link
CN (1) CN118233193A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination