CN118282670A - Block chain bidirectional identity authentication system and method based on marker - Google Patents
Block chain bidirectional identity authentication system and method based on marker Download PDFInfo
- Publication number
- CN118282670A CN118282670A CN202410589354.8A CN202410589354A CN118282670A CN 118282670 A CN118282670 A CN 118282670A CN 202410589354 A CN202410589354 A CN 202410589354A CN 118282670 A CN118282670 A CN 118282670A
- Authority
- CN
- China
- Prior art keywords
- result
- information
- medical institution
- institution server
- user terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 239000003550 marker Substances 0.000 title claims abstract description 92
- 238000000034 method Methods 0.000 title claims abstract description 40
- 230000002457 bidirectional effect Effects 0.000 title abstract description 23
- 230000004044 response Effects 0.000 claims abstract description 40
- 230000007246 mechanism Effects 0.000 claims abstract description 12
- 238000004364 calculation method Methods 0.000 claims description 54
- 238000012795 verification Methods 0.000 claims description 23
- 238000011084 recovery Methods 0.000 claims description 13
- 239000000090 biomarker Substances 0.000 claims description 9
- 238000004891 communication Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 description 15
- 238000005516 engineering process Methods 0.000 description 14
- 238000010586 diagram Methods 0.000 description 8
- 238000000605 extraction Methods 0.000 description 5
- 230000036541 health Effects 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 4
- 230000007613 environmental effect Effects 0.000 description 4
- 238000013473 artificial intelligence Methods 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 210000004556 brain Anatomy 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000000295 complement effect Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 208000033748 Device issues Diseases 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 101150028842 ctxA gene Proteins 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 208000024335 physical disease Diseases 0.000 description 1
- 238000013215 result calculation Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Medical Treatment And Welfare Office Work (AREA)
Abstract
The invention provides a block chain bidirectional identity authentication system and a method based on a marker.A DID issuer node device generates a first key, a second key and a generation element through a block chain consensus mechanism so as to register a medical institution server and a user terminal; the user terminal generates DID credential information according to the first registration information and sends the DID credential information and the marker information to the medical institution server, so that the user terminal performs identity authentication on the user terminal and outputs response information; the user terminal performs identity authentication on the medical institution server based on the response information. In the system, after the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, response information can be output, and the user terminal can perform identity authentication on the medical institution server based on the response information, so that the data of the medical institution server can be ensured to be accessed by legal user terminals, the data security is protected, and meanwhile, an attacker is prevented from masquerading the medical institution server to initiate phishing attack on the user terminal.
Description
Technical Field
The invention relates to the technical field of communication, in particular to a block chain bidirectional identity authentication system and method based on a marker.
Background
With the rapid development of new technology groups such as a sensing chip, artificial intelligence and big data, the Internet of things (Internet of MEDICAL THINGS, IOMT) is one of typical applications in the Internet, and the application of the Internet of things is supported in an Internet digital environment, so that user identity authentication is a necessary precondition. However, in the conventional cryptographic identity authentication system, the problem that an attacker impersonates a server to launch a phishing attack on a user terminal used by a user easily occurs while protecting the security of medical data information.
Disclosure of Invention
The invention aims to provide a block chain bidirectional identity authentication system and a block chain bidirectional identity authentication method based on a marker, which are used for protecting data security and simultaneously preventing an attacker from masquerading as a medical institution server to launch phishing attacks on a user terminal.
The invention provides a block chain bidirectional identity authentication system based on a marker, which comprises: a user terminal, a medical institution server and a DID issuer node device which are mutually connected in communication; the DID issuer node equipment is used for generating a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information; the user terminal is used for generating DID credential information based on the first registration information, sending the DID credential information and marker information of a preset marker to the medical institution server, so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, and outputting response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs; the user terminal is used for carrying out identity authentication on the medical institution server based on the response information.
Further, the DID issuer node device is configured to receive the data tuple declaration information and the first identifier of the user sent by the user terminal, and generate signature information according to the data tuple declaration information and the first identifier; generating a pre-credential based on the data tuple declaration information, the first identifier, and the signature information; generating a master credential and an environment credential based on the pre-credential, wherein the data tuple declaration information includes: statement content, description information corresponding to the statement content.
Further, the DID issuer node equipment calculates to obtain a first result according to the node private key of the DID issuer node equipment and slice information of the description information, and generates a master certificate according to the first result, the first identifier, the data tuple declaration information and signature information corresponding to the data tuple declaration information; sending the master certificate to the user terminal;
the DID issuer node equipment receives the relation attribute sent by the user terminal and generates environment credentials based on the environment according to the second identifier, the data tuple declaration information, the relation attribute and the signature information of the user based on the environment; the environment credential is sent to the user terminal.
Further, the medical institution server is used for generating a private key of the medical institution server and a public key of the medical institution server, storing the private key of the medical institution server, and sending the public key of the medical institution server to the DID issuer node equipment; the DID issuer node device is used for calculating a hash value based on the public key and the second key of the medical institution server to obtain a verification certificate, returning the verification certificate to the medical institution server and storing the verification certificate, and finishing registration of the medical institution server.
Further, the user terminal acquires the DID identity, the first marker information and the first random number r of the user, calculates a hash value according to the environment evidence, the DID identity and the first marker information, and obtains a first intermediate result; generating a registration request corresponding to the user according to the first intermediate result and the first random number, and sending the registration request to DID issuer node equipment;
The DID issuer node equipment is used for determining a first pseudo identity corresponding to a user based on the received registration request, determining a distributed identity corresponding to the user, and calculating a hash value according to the first pseudo identity, the distributed identity and the first key to obtain a second result; calculating a hash value according to the registration request, the first key and the distributed identity to obtain identity authentication credential information; calculating to obtain a third result according to the second result, the identity authentication credential information and the registration request; calculating a hash value according to the identity authentication credential information, the registration request and the first key to obtain a fourth result; according to the fourth result, the first pseudo identity and the first secret key, a fifth result is obtained through calculation; generating intelligent card information of the intelligent card according to the first pseudo identity, the fifth result, the third result and the preset maximum login failure times, and sending the intelligent card information to the user terminal;
The user terminal is used for obtaining a second result and a first recovery result corresponding to the identity authentication credential information according to the registration request and the third result; obtaining an updating result corresponding to the third result according to the first recovery result and the first intermediate result; calculating a hash value according to the second result, the DID identity, the first marker information and the identity authentication credential information to obtain a sixth result; generating final information of the smart card according to the first pseudo identity, the fifth result, the updating result corresponding to the third result, the sixth result and the preset maximum login failure times, and storing the final information of the smart card to the user terminal to finish the registration of the user terminal.
Further, the user terminal is configured to input actual login information input by the user into the smart card, so that the smart card calculates a hash value according to the actual login information to obtain a first actual result, and calculates a seventh actual result according to the first actual result, an updated result corresponding to the third result and the actual login information; if the seventh actual result is the same as the sixth result, extracting a current first time stamp, and determining a first login parameter according to the medical institution server public key, the identity authentication credential information and the fifth result; calculating a hash value according to the identity authentication credential information, the fifth result, the medical institution server public key and the first timestamp to obtain a second login parameter; generating a login message according to the first pseudo identity, the first login parameter, the second login parameter and the first timestamp, and sending the login message to the medical institution server;
The medical institution server is used for acquiring the current time stamp, calculating a first time interval between the current time stamp and the first time stamp, decrypting the first login parameter by adopting a private key of the medical institution server to obtain a third decryption result if the first time interval is smaller than a preset time threshold, calculating a hash value according to the third decryption result, the public key of the medical institution server and the first time stamp to obtain a second calculation parameter, and determining that identity authentication is completed on the user terminal if the second calculation parameter is identical to the second login parameter;
extracting a current second time stamp, and calculating to obtain a third calculation parameter and a fourth calculation parameter according to a fifth result, a verification certificate, a medical institution server public key and the second time stamp; the response information is output based on the first pseudo-identity, the third calculation parameter, the fourth calculation parameter, and the second timestamp.
Further, the medical institution server is further configured to send the first pseudo-identity, the third calculation parameter, the fourth calculation parameter, and the second timestamp to the DID issuer node device; the DID issuer node equipment is used for calculating a second time interval between the current time stamp and the second time stamp, and if the second time interval is smaller than a preset time threshold, a sixth actual result is calculated according to a third calculation parameter, the medical institution server public key and the second key; calculating according to the sixth actual result, the medical institution server public key, the second secret key and the second timestamp to obtain a fourth actual result, and if the fourth actual result is the same as the fourth calculation parameter, recovering the fourth result according to the fifth result, the first pseudo identity and the first secret key; if the fourth result is confirmed to exist in the blockchain, recording a current third timestamp, and determining a second pseudo identity corresponding to the user; calculating a hash value according to the first pseudo identity, the distributed identity and the first key to obtain a seventh result; calculating a hash value according to the second pseudo-identity, the distributed identity and the first key to obtain an eighth result; calculating a hash value according to the second pseudo identity, the eighth result and the seventh result to obtain a ninth result; according to the fifth result, the fourth result, the medical institution server public key, the second key and the third timestamp, a tenth result and a fifteenth result are obtained through calculation; according to the seventh result, the second pseudo identity, the ninth result, the fifth result, the fourth result, the eighth result, the medical institution server public key and the second key, calculating to obtain an eleventh result and a twelfth result; transmitting the tenth, fifteenth, eleventh and twelfth results and a third timestamp to the medical facility server;
the medical facility server is configured to output response information based on the tenth, fifteenth, eleventh, and twelfth results and the third timestamp.
Further, the medical institution server is configured to calculate a third time interval between the current timestamp and the third timestamp, calculate a sixteenth calculation parameter according to the tenth result, the verification certificate, the medical institution server public key and the third timestamp if the third time interval is smaller than the preset time threshold, and calculate a fourteenth result and a seventeenth result according to the eleventh result, the fifth result, the fourth result, the twelfth result and the verification certificate if the sixteenth calculation parameter is the same as the fifteenth result; calculating a hash value according to the ninth result, the eighth result and the second pseudo identity to obtain a sixteenth result; transmitting the fourteenth, seventeenth and sixteenth results to the user terminal;
The user terminal is used for carrying out recovery processing according to the fourteenth result, the seventeenth result and the sixteenth result to obtain seventeenth calculation parameters, judging whether the sixteenth result is equal to the seventeenth calculation parameters, and if so, determining that the identity authentication is completed on the medical institution server.
Further, the user terminal is further configured to receive a tag information update request; the marker information updating request carries second marker information;
And updating the first marker information into the second marker information according to the marker information updating request, and updating the information associated with the first marker information stored in the smart card into the information associated with the second marker information.
The invention provides a block chain bidirectional identity authentication method based on a marker, which comprises the following steps: the DID issuer node equipment generates a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information; the user terminal generates DID credential information based on the first registration information, and sends the DID credential information and marker information of a preset marker to the medical institution server so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information and outputs response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs; the user terminal is used for carrying out identity authentication on the medical institution server based on the response information.
The block chain bidirectional identity authentication system and method based on the marker are characterized in that the DID issuer node equipment is used for generating a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information; the user terminal is used for generating DID credential information based on the first registration information, sending the DID credential information and marker information of a preset marker to the medical institution server, so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, and outputting response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs; the user terminal is used for carrying out identity authentication on the medical institution server based on the response information. In the system, after the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, response information can be output, and the user terminal can perform identity authentication on the medical institution server based on the response information, so that the data of the medical institution server can be ensured to be accessed by legal user terminals, the data security is protected, and meanwhile, an attacker is prevented from masquerading the medical institution server to initiate phishing attack on the user terminal.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a block chain two-way identity authentication system based on a tag according to an embodiment of the present invention;
FIG. 2 is an explanatory diagram of a symbol and meaning provided by an embodiment of the present invention;
FIG. 3 is a schematic workflow diagram of a CanDID identity system according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a registration stage of a user terminal and a medical institution server according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a login and authentication phase according to an embodiment of the present invention;
Fig. 6 is a flowchart of a block chain bidirectional identity authentication method based on a tag according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
With the rapid development of new technology groups such as a sensing chip, artificial intelligence and big data, the Internet of things (Internet of MEDICAL THINGS, IOMT) is one of typical applications in the Internet of things (Internet of MEDICAL THINGS, IOMT) in case of the rapid development of the new technology groups such as the Internet of things, the artificial intelligence and big data, the Internet of things provides Remote Patient Monitoring (RPM) and on-line rehabilitation intervention solutions for patients through a digital networking platform, provides medical assistance for the first time of the patients, can reduce various problems such as delay and travel cost caused by the fact that the patients get down to the medical scene in person, and realizes the benefit of the digital health technology for human health. Meanwhile, the digital network medical health service platform also provides convenience for visiting medical data such as historical medical health records and electronic medical records among patients and different medical institutions visited by the patients so as to better diagnose and treat physical diseases, manage health, intervene in rehabilitation and the like.
The application of medical Internet of things is supported in an Internet digital environment, and user identity authentication is a necessary precondition. However, facing a medical data access scenario, medical related personnel (e.g., doctors, nurses, technicians, patients themselves) need to interact with the medical institution to access the medical data records. The storage of very private medical data on a server increases the risk of medical information leakage caused by illegal user intrusion, not only in the case of fraud and attacks, but also in the case of phishing. Clearly, this existing safety hazard leaks vital and sensitive physiological data of the patient, and also interferes with the treatment of professionals. The main problems highlighted by the prior cryptography identity authentication technology are as follows: with a centralized trusted organization or an untrusted third party operator, the user cannot really control own identity information or identity attribute information (birth year, user name, marker information and the like), and the risk that the identity information is easy to leak and misuse for buying and selling exists. However, the latest and most authoritative solution at present cannot solve the problem, and based on the problem, the embodiment of the invention provides a block chain bidirectional identity authentication system and method based on a marker, and the technology can be applied to a scene that both communication parties need to carry out identity authentication in a medical scene.
For the understanding of the present embodiment, first, a block chain bidirectional identity authentication system based on a tag disclosed in the present embodiment is described, as shown in fig. 1, and the system includes: a user terminal, a medical institution server and a DID (Decentralized Identity, distributed digital identity) issuer node device communicatively connected to each other;
The DID issuer node equipment is used for generating a first secret key x, a second secret key y and a generation element P through a block chain consensus mechanism; medical institution server based on first secret key x and second secret key y Registering with a user terminal; wherein, the registered user terminal stores first registration information;
The block chain consensus mechanism can adopt PBFT (PRACTICAL BYZANTINE FAULT TOLERANCE, practical Bayesian fault-tolerant protocol) consensus algorithm and the like; the DID issuer node equipment can select two lengths to meet the security parameters through a block chain consensus mechanism in the initialization stage Large prime number of (2)Based on finite fieldsGenerating an elliptic curveAnd is based onIn the finite prime number domainOne withOrder addition subgroupIs a generator of (1)The generatorIs the coordinate information of a point on the elliptic curve. Further, the DID issuer node devices negotiate a long-term key pair via a group key negotiation protocol (e.g., a blockchain-based group key negotiation algorithm)Wherein x corresponds to the first key and y corresponds to the second key. Finally, the DID issuer node device will publish the system parametersAnd the first key x and the second key y are stored in secret. The DID issuer node device may send the first key x and the second key y to the medical institution serverAnd registering the user terminal, wherein after the user terminal is registered, the first registration information can be stored in the user terminal.
The user terminal is used for generating DID credential information based on the first registration information, sending the DID credential information and marker information of a preset marker to the medical institution server, so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, and outputting response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs; the user terminal is used for carrying out identity authentication on the medical institution server based on the response information.
The first registration information generally stores information such as an identifier of the user; the biomarker of the user may include: fingerprint, palm, etc. of the user; the digital marker of the user-affiliated institution may be understood as a digital information representation of the user-affiliated institution or the like; the above-mentioned marker information may be biometric information corresponding to the biomarker, a digital identifier corresponding to the digital marker, etc.; for example, fingerprint characteristics of the user, a digital identifier of an organization to which the user belongs is 00001, and the like; in the process of connecting a user terminal and a medical institution serverAfter registration is completed, the user terminal can communicate with the medical institution serverThe user terminal can perform hash calculation, remainder calculation and other processes on the first registration information to generate DID credential information, and send the DID credential information and marker information of a preset marker to the medical institution serverMedical institution serverThe identity of the user terminal can be authenticated according to the DID credential information and the marker information of the preset marker, and after the identity authentication of the user terminal is passed, the medical institution server responds to the authenticationThe response information can be output and sent to the user terminal, and the user terminal can send the response information to the medical institution serverAuthentication is performed on the identity of the user terminal, thereby realizing the user terminal and the medical institution serverAnd (3) bidirectional identity authentication between the two.
The block chain bidirectional identity authentication system based on the marker is characterized in that the DID issuer node equipment is used for generating a first secret key x, a second secret key y and a generation element P through a block chain consensus mechanism; medical institution server based on first secret key x and second secret key yRegistering with a user terminal; wherein, the registered user terminal stores first registration information; the user terminal is used for generating DID credential information based on the first registration information, sending the DID credential information and marker information of a preset marker to the medical institution server, so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, and outputting response information; the user terminal is used for carrying out identity authentication on the medical institution server based on the response information. In the system, after the medical institution server performs identity authentication on the user terminal based on the DID credential information, response information can be output, and the user terminal can perform identity authentication on the medical institution server based on the response information, so that the data of the medical institution server can be ensured to be accessed by legal user terminals, the data security is protected, and meanwhile, an attacker is prevented from masquerading the medical institution server to initiate fishing attacks on the user terminal.
For ease of understanding, an explanatory diagram of one symbol and meaning as shown in fig. 2 is provided first, and the relevant symbols and meaning in the subsequent embodiments may be referred to in the explanation of fig. 2. Further, the DID issuer node device is configured to receive the data tuple declaration information sent by the user terminalAnd a first identifier of the userStatement information based on data tuplesAnd a first identifierGenerating signature information; Declaring information based on data tuplesA first identifierSignature informationGenerating a pre-credential; generating master credentials based on pre-credentialsAnd environmental credentialsWherein the data tuple declares the informationComprises the following steps: statement content a, description information corresponding to statement content a。
To realize user terminal and medical institution serverThe identity authentication between the two users ensures that the data is accessed by legal users, and meanwhile, the users cannot suffer from the requirement that malicious service providers initiate phishing attacks.
For the DID credential extraction technology, since CanDID identity system solves four main challenges (legacy compatibility, sybil-resistance, account ability, and key recovery) faced by the well-known W3C DID workgroup with respect to the DID identity system, this embodiment extracts the DID credential adapted for multi-factor identity authentication for the user based on CanDID identity system. A workflow diagram of CanDID identity system as shown in fig. 3, involves an extraction process comprising: credential bootstrapping (this process generates pre-credentials), credential issuance (this process generates master credentials, environment-based environment credentials), credential verification, and credential revocation.
A) Credential bootstrapping
The user gives an own data tuple declaration information claim=via the user terminalWherein(Attribute) is a character string for representing declaration contents such as a professional class of the user; Is to Corresponding description (such as occupation of user, cardiology department physician), namely description information of the statement content a; Is a string that illustrates a professional class data provider, such as hospital a for example, class a, for supporting the statement. Recommended Town Crier in CanDID identity system then uses trusted execution environment (Trusted Execution Environment, TEE) to export a proof Wherein, the method comprises the steps of, wherein,Is the first identifier of the user. At the end of this step, the DID issuer node device generates pre-credentialsAnd transmitted to the user terminal. The user will be pre-vouched by a professional class related statement (e.g). Based on the pre-credential, a master credential may be generatedAnd an environment-based environment credential。
Specifically, the DID issuer node device is based on the node private key of the DID issuer node deviceAnd description informationIs calculated to obtain a first resultAccording to the first resultA first identifierData tuple declaration informationAnd data tuple declaration informationCorresponding signature informationGenerating master vouchers; Will master vouchersTransmitting to the user terminal;
The DID issuer node equipment receives the relation attribute sent by the user terminal Based on the second identifier of the user based on the environmentData tuple declaration informationRelationship attributesSignature informationGenerating environment-based environment credentials; Environmental evidenceAnd sending the message to the user terminal.
Referring to fig. 3, the following description continues for credential issuance by DID credential extraction technique:
b) Credential issuance
Credential issuance includes two phases: master certificateAnd Context-based (CT) environment credentials。
Stage 1: master certificateIssuing. After generating a pre-credential of a professional class related statement, information is interpreted for the decision based on a repetition mechanismWhether or not it should be removed, the user needs to go through zero knowledge proof protocol to the DID issuer node deviceSubmitting descriptive informationSlice information of (a)DID issuer node device thenExecuting a multiparty computing protocol to compute a first resultAnd declare whether or notIf it belongs to, it indicates that the database already containsSo discard the user's submission at this time. Assume assertion ofIf true, the DID issuer node device sends toIs added with. Finally, using digital signature technique, DID issuer node device issues a master certificateWhereinIs to declare information for data tuplesIs a signature of the electronic device; master stands for master credential; Representing that the master credential has executed a past heavy protocol. By means of the de-duplication mechanism, each user can obtain a unique main certificate 。
Stage 2: credential issuance based on environment ctx. Master credential post release using deduplication policyTypically do not contain attributes that the user would like to use when interacting with various applications. For a medical data access scene (the environment ctx is the medical data access scene at this time), in order to obtain environment credentials based on the environment, a user uses a master credentialBased on, to DID issuer node deviceSubmitting a relationship attribute(E.g., an electronic job card labeled hospital a, such as level three, etc.), wherein,Is a new identifier that the user needs to use in the environment ctx,Is thatComprising a new declaration of ctx requirements. The DID issuer node devices maintain a set of issued ctx identifiers that are in one-to-one correspondence with the issued environment-based credentials. If this is appliedNot in this set, then the context-based credential will be issued. Finally, the DID issuer node device returns an environment-based environment credentialWherein, the method comprises the steps of, wherein,Is a new claimSimultaneously with the digital signature of (a)Will be added to the published ctx. That is, the user will get an environment-based environment credentialThis credential indicates that "the user may be entitled to access medical data provided by the medical institution that is of interest to the brain department.
As shown in fig. 3, the following describes the credential verification and credential revocation of the DID credential extraction technique:
c) Credential verification
When a user wants to access a medical facility serverMedical institution server for providing medical data concerning brain departmentMay pass through environment credentials based on environment ctxA first identifierAnd associated commitments to verify the signature of the user. If medical institution serverThe unilateral signature of the user is accepted, so that the user can successfully access the cardio-cerebral medical data.
D) Credential revocation
In CanDID identity systems, the DID issuer node devices are able to identify suspicious users or known malicious users from the user's real identity and add relevant information for such users in a public revocation list maintained by the DID issuer node devices. Thus, in the presence of the revocation list, in order to obtain the master credentialAnd environmental credentialsAny user must prove that it is not in the revocation list.
Further, medical institution serverFor generating medical institution server private keysAnd medical institution server public keyPreserving medical institution server private keysPublic key of medical institution serverSending to the DID issuer node device; DID issuer node device for medical institution server public key basedAnd a second key y, calculating a hash value to obtain a verification certificateWill verify the credentialsReturning to medical institution serverAnd save, finish the server of medical institutionIs a register of (a).
The following is a user terminal and medical institution serverAnd registration phase-login phase-verification phase flow by the DID issuer node equipment are respectively introduced:
Registration phase:
A schematic diagram of the registration phase of a user terminal with a medical facility server is shown in fig. 4. The following first describes a server for a medical institution Is registered with the medical institution serverLocally generating a public/private key pairWherein, the method comprises the steps of, wherein,For the medical facility server public key,For private key of medical institution server, public key of medical institution server is used through secure channelSent to DID issuer node device. DID issuer node deviceComputing verification credentialsAnd will verify the credentialsReturning to medical institution server through secure channel. Finally, medical institution serverSecret storage medical institution server private keyAnd verifying credentials。
Further, the user terminal obtains the DID identity of the userFirst marker informationAnd a first random number r based on the environmental credentialDID identityFirst marker informationCalculating a hash value to obtain a first intermediate result; According to the first intermediate resultAnd a first random number r, generating a registration request corresponding to the userWill register the requestSending to the DID issuer node device;
The DID issuer node device is used for receiving registration request Determining a first pseudo identity corresponding to a userAnd determining the corresponding distributed identity of the userAccording to the first pseudo-identityDistributed identityAnd the first key x, calculating a hash value to obtain a second result; According to the registration requestFirst key x and distributed identityCalculating a hash value to obtain identity authentication credential information; According to the second resultIdentity authentication credential informationRegistration requestCalculating to obtain a third result; Based on identity authentication credential informationRegistration requestAnd the first key x, calculating a hash value to obtain a fourth result; According to the fourth resultFirst pseudo identityAnd the first secret key x, calculating to obtain a fifth result; According to the first pseudo-identityFifth resultThird resultAnd a preset maximum login failure number SUM to generate a smart cardThe smart card information is sent to the user terminal;
the user terminal is used for registering request And third resultObtaining a second resultAnd identity authentication credential informationA corresponding first recovery result; based on the first recovery result and the first intermediate resultObtaining a third resultA corresponding updating result; according to the second resultDID identityFirst marker informationAnd identity authentication credential informationCalculating the hash value to obtain a sixth result; According to the first pseudo-identityFifth resultThird resultCorresponding updated result, sixth resultAnd a preset maximum login failure number SUM to generate a smart cardAnd (3) storing the final information of the smart card to the user terminal to finish the registration of the user terminal.
For the userIs a registration process for usersAndThe following operations, such as step 1-step 3, are required:
Step 1:
User' s Selecting own DID identityFirst marker informationAnd an environment-based environment credentialFurther selecting a first random numberThen calculate the first intermediate resultRegistration requestThereafter, the userUsing a user terminal to request registration over a secure channelSend to DID issuer node device。
Step 2:
When DID issuer node device Receiving a registration requestWhen DID issuer node deviceFirst for the userSetting a first pseudo identityAnd uses its distributed identityAnd (3) calculating: second resultIdentity authentication credential informationThird resultAnd a fourth resultFifth resultThen generate and containIs a smart card of (2)Corresponding smart card information, wherein parametersIndicating the maximum number of login failures in the login phase. Finally, DID issuer node deviceSmart cardReturning to the user terminal and uploading the fourth resultOnto the blockchain maintained by the DID issuer node device.
Step 3: when the userReceiving a smart card via a user terminalAfter the intelligent card information of (2), the user terminal executes the recovery operation to obtain a first recovery resultThen updateAnd calculates a sixth result. Finally, the smart cardStorage ofI.e. the stored final information of the smart card.
It should be noted that, in the registration process of the present invention, based on the DID issuer committee, the user-selected DID issuer node device and the medical institution-selected DID issuer node device may not be the same entity, and for convenience of unified description, the present invention uses the user-selected DID issuer node device and the medical institution serverSelected DID issuer node devices, collectively labeled as。
Further, the user terminal is used for inputting the actual login information input by the user into the smart cardSo that the smart cardCalculating a hash value according to the actual login information to obtain a first actual resultAccording to the first actual resultThird resultCorresponding updated result and actual login information, and calculating to obtain a seventh actual result; If the seventh actual resultAnd a sixth resultThe same, extract the current first timestampAccording to the public key of the medical institution serverIdentity authentication credential informationFifth resultDetermining a first login parameter C1; based on identity authentication credential informationFifth resultMedical institution server public keyFirst time stampCalculating a hash value to obtain a second login parameter C2; according to the first pseudo-identityFirst login parameter C1, second login parameter C2 and first timestampGenerating a login message and sending the login message to a medical institution server;
the medical institution server is used for acquiring the current time stamp Calculating a current timestampWith a first timestampA first time interval between the first and second time intervals, if the first time interval is less than a preset time threshold, using a private key of a medical institution serverDecrypting the first login parameter C1 to obtain a third decryption result [ ]) Based on the third decryption result, the medical facility server public keyAnd a first timestampCalculating the hash value to obtain a second calculation parameterIf the second calculation parametersThe identity authentication of the user terminal is determined to be completed as the second login parameter C2; extracting a current second timestampAccording to the fifth resultVerification credentialsMedical institution server public keyAnd a second time stampCalculating to obtain a third calculation parameterAnd fourth calculation parameter; Based on the first pseudo-identityThird calculation parameterFourth calculation parameterAnd a second time stampAnd outputting response information.
(II) login stage:
a schematic of the login and authentication phase as shown in fig. 5, for the purpose of being received from the medical institution server Obtaining rights to access data, userRequiring login to a smart card via a user terminalAnd calculates authentication parametersThe method specifically comprises the following step 10:
Step 10,
User' sFirst, the user terminal will log in the informationInput to a smart cardThen smart cardCalculate a first actual result; And then according to the first actual resultCalculation ofThen calculate the seventh actual result=And checking the calculated seventh actual resultWhether or not to equal the stored sixth result. If not, smart cardTerminating the session and setting up. Further, ifIf the maximum number of previous login failures is exceeded, directly revoking the smart cardAt this time, the userThe registration request needs to be reinitiated by the user terminal, e.g. during the registration phase. Otherwise, the smart cardExtracting the first timestamp at this time. Medical institution server for user to accessSmart cardThe following first login parameter C1 and second login parameter C2 are calculated:。
further, the user Corresponding user terminal transmits to medical institution server through public channelSending a login message: The login message corresponds to the DID credential information. Here the number of the elements is the number, Represents a public key encryption algorithm (such as a national encryption algorithm SM2 which is autonomously designed in China),For medical institutions serverIs a public key of (a).
And (III) a verification and key negotiation stage:
During the authentication phase, the user terminal and the medical institution server Mutual authentication of each other by a Smart Contract (SC) maintained by a DID issuer node device, specifically comprising the following steps 100-103:
In step 100 of the process of the present invention,
Given login information from a user terminalMedical institution serverFirst, the current time stamp is judgedAnd a first timestampWhether the first time interval of (2) is less than a preset time thresholdI.e. determining whether or not. If it meetsMedical institution serverUsing medical facility server private keysDecrypting the first login parameterObtaining a third decryption resultAnd calculate a second calculation parameter. Simultaneous medical institution serverJudgingIf not, terminating the session. Otherwise, the medical institution serverExtracting the second timestampThen, calculating: third calculation parameter C3 and fourth calculation parameter C4, i.e. Further, medical institution serverMessage is sent to the clientAnd transmitting to the DID issuer node device to output the response information.
Further, the medical facility server is further configured to compare the first pseudo-identity with a second pseudo-identityThird calculation parameterFourth calculation parameterAnd a second time stampSending to the DID issuer node device; DID issuer node device for calculating current time stampWith a second time stampA second time interval therebetween, if the second time interval is less than the preset time threshold, according to a third calculation parameterMedical institution server public keyCalculating a second key y to obtain a sixth actual result; According to the sixth practical resultMedical institution server public keySecond key y and second timestampCalculating to obtain a fourth actual resultIf the fourth actual resultAnd fourth calculation parameterSame, according to the fifth resultFirst pseudo identityAnd the first key x, recovering a fourth result; If the fourth result is confirmedAlready in the blockchain, record the current third timestampDetermining a second pseudo identity corresponding to the user; According to the first pseudo-identityDistributed identityAnd the first key x, calculating a hash value to obtain a seventh result; According to the second pseudo-identityDistributed identityAnd the first key x, calculating a hash value to obtain an eighth result; According to the second pseudo-identityEighth resultAnd seventh resultCalculating the hash value to obtain a ninth result; According to the fifth resultFourth resultMedical institution server public keySecond key y and third timestampCalculating to obtain tenth resultAnd fifteenth result; According to the seventh resultSecond pseudo identityNinth resultFifth resultFourth resultEighth resultMedical institution server public keyCalculating the second key y to obtain an eleventh resultAnd twelfth result; Will result in tenth resultFifteenth resultEleventh resultAnd twelfth resultAnd a third timestampTo a medical institution server;
Medical institution serverFor based on tenth resultFifteenth resultEleventh resultAnd twelfth resultAnd a third timestampAnd outputting response information.
In step 101 the process of the present invention,
When receiving the messageWhen the DID issuer node equipment judges the current time stamp firstlyWith a second time stampWhether the second time interval is smaller than the preset time threshold or not, i.e. judgingIf so, the DID issuer node device calculates a sixth actual resultAnd calculate a fourth actual resultThen checkWhether or not it is. If it isThe session is terminated. Otherwise, the DID issuer node device resumes the fourth outcomeThe DID issuer node device then examines the calculated fourth resultIf it is already present in the blockchain, the DID issuer node device will terminate this session if it is not. Otherwise, the DID issuer node device records a third timestampAnd generating a new second pseudo-identity. Further, the DID issuer node device calculates a seventh resultEighth resultNinth resultTenth resultFifteenth resultEleventh resultAnd twelfth resultThe respective corresponding calculation modes are as follows:
;
;;
;
. Finally, the DID issuer node device sends the message To a medical institution serverTo output response information.
Specifically, medical institution serverFor calculating a current time stampWith a third timestampA third time interval therebetween, if the third time interval is less than the preset time threshold, according to the tenth resultVerification credentialsMedical institution server public keyAnd a third timestampCalculate the sixteenth calculation parameterIf the sixteenth calculation parameterAnd the fifteenth resultSame, according to the eleventh resultFifth resultFourth resultTwelfth resultVerification credentialsCalculate and get the fourteenth resultSeventeenth result; According to the ninth resultEighth resultAnd a second pseudo-identityCalculating the hash value to obtain a sixteenth result; Will fourteenth resultSeventeenth resultAnd sixteenth resultTransmitting to the user terminal; the fourteenth result is thatSeventeenth resultAnd sixteenth resultI.e. corresponding to the above-mentioned response information.
The user terminal is used for according to the fourteenth resultSeventeenth resultAnd sixteenth resultPerforming recovery processing to obtain seventeenth calculation parametersJudging the sixteenth resultAnd seventeenth calculation parameterAnd if so, determining that the identity authentication is finished for the medical institution server.
In step 102 the process continues with the step of,
When obtaining a message from a DID issuer node deviceMedical institution serverFirst check the current timestampWith a third timestampWhether the third time interval is smaller than the preset time threshold or not, i.e. judgingWhether or not it is established, if so, the medical institution serverCalculate the sixteenth calculation parameterThe following are provided:
, And check Whether or not it is. If true, medical institution serverCalculation of. Then, the medical institution serverCalculate the fourteenth resultSeventeenth resultSixteenth resultThe parameters are calculated as follows;;
. Finally, medical institution serverMessage is sent to the clientAnd sending the message to the user terminal.
Step 103, the user terminal receives the messageAfter that, recovery: ; then calculate to obtain seventeenth calculation parameter The specific calculation is as follows: . After that, the user terminal checks Whether or not it is. If so, the user terminal successfully authenticates the identity of the medical institution server.
User terminal update as a complement to subsequent authentication and key agreementAnd parameters in the smart card are usedReplaced by。
Further, the user terminal is further configured to receive a tag information update request; wherein the tag information update request carries the second tag information; According to the marker information updating request, the first marker informationUpdating to second marker informationSmart cardStored with first marker informationUpdating the associated information to the second marker informationAssociated information.
In this embodiment, the user may change or update his tag information without interacting with the DID issuer node device. That is, the User submits its expired tag information to the corresponding smart card via the User terminal. When smart cardChecking in the login phaseAfter establishment, allowing the user to select a new marker informationAccordingly, smart cardUpdatingAnd (3) withAnd will have the existing parametersReplaced by。
In the prior art cryptography system, a scheme for performing two-way authentication on medical institution service providers by a user terminal is lacking.
In summary, the basic idea of the invention is summarized as follows:
(1) DID credential technology extraction stage
The DID credentials used for issuing and managing the user in the existing CanDID identity system are utilized, the pre-credentials of the user are firstly given out through the credential guiding process, and the pre-credentials are further utilized to generate the main credentials of the user and the environment credentials credCT based on the environment.
(2) System initialization phase
In the DID authentication workflow provided by the invention, the DID issuer committee forms a blockchain, completes the system initialization process and generates an initiation block, and maintains the blockchain formed by system parameters of the system, wherein the system parameters comprise a long-term key of the DID issuer and related parameters of an elliptic curve cryptography system.
(3) Registration phase
Based on the system initialization related parameters, the user and the medical institution need to interact with the DID issuer to complete the registration process. After the registration process is finished, the user terminal, the medical institution server and the DID issuer node equipment respectively store relevant parameters.
(4) Identity verification stage
In the authentication flow provided by the invention, a user terminal and a medical institution server perform bidirectional identity authentication by means of intelligent contract (SC) maintained by DID issuer node equipment.
(5) Marker information update phase
In the authentication method designed by the invention, the user using the DID can change or update the marker information thereof, and interaction with the DID issuer node equipment is not needed in the marker information updating process.
The block chain bidirectional identity authentication system based on the marker performs bidirectional identity authentication based on the DID technology, DID (Decentralized Identity) is considered as a new generation digital identity system with prospect, is a DID mode constructed based on the block chain technology, changes the mode of PKI centralized digital identity centralized control, also avoids the defect of single point failure, and has the characteristics of ensuring the authenticity and credibility of data, controllable identity, strong portability and the like. In the process of identity authentication of a user, an identity owner is truly enabled to control and manage own identity, and the problems of identity misuse and information leakage are effectively avoided. In contrast, in the related art, for a medical data access scenario, medical related personnel (e.g., doctors, nurses, technicians, patients themselves) need to interact with a medical institution to access medical data records. The storage of very private medical data on a server increases the risk of medical information leakage caused by illegal user intrusion, not only in the case of fraud and attacks, but also in the case of phishing. Clearly, this existing safety hazard leaks vital and sensitive physiological data of the patient, and also interferes with the treatment of professionals.
Along with the national issues of laws and regulations such as "network security laws" data security laws "personal information protection laws" and the like, a practical scientific solution is provided for guaranteeing the privacy security of medical data in technical means, and medical related personnel and medical institutions need to be subjected to mutual identity authentication of both parties so as to maintain secure communication.
The block chain bidirectional identity authentication system based on the marker provides a novel bidirectional identity authentication method for communication entities in a digital environment with a privacy protection function. For example: taking a digital medical scene as a case, wherein the medical institution server checks certain DID credential information submitted by the user terminal,For a pseudo-random identity of the user,For the ciphertext of the user's related DID credentials,For the hash check value of the associated DID credential,Timestamp) to verify the DID identity of the user. On the other hand, according to the protocol flow, the medical institution server sends corresponding response information to the user terminalThe user terminal then passes throughCheck dataTo verify the legitimacy of the identity of the medical facility server.
The block chain bidirectional identity authentication system based on the marker solves the problem that in the current digital network environment, the user terminal performs identity authentication on a medical institution server, and the vulnerability of phishing attack is blocked; and the scheme can be used as a complementary technology (backward compatibility) of the current CanDID scheme, and can also be compatible with new technology (forward compatibility) which is developed in future. Compared with the prior CanDID identity authentication technology, the specific technology differentiation effect generated by the method is as follows:
User terminal holds DID certificate information package And sends the authentication result to the medical institution server, and the medical institution server performs identity authentication on the user terminal. Then, in response, the user terminal feeds back response information to the medical institution serverThe authentication is performed, and the identity authentication of the medical institution server is completed, so that phishing attack is effectively avoided, and communication between a fake medical institution and a user is avoided. The bidirectional authentication function makes up for the technical defects of the conventional CanDID authentication technology.
In addition, in a digital network environment, the method solves the mutual authentication between two parallel main bodies, namely the user terminal and the medical institution server. Because mutual authentication is the main method for preventing attacks and deception, the problem that the risk of phishing or deception attacks exists because the authentication of the other party is ignored without more emphasis.
The invention provides a block chain bidirectional identity authentication method based on a marker, which is shown in fig. 6 and comprises the following steps:
Step S601, the DID issuer node equipment generates a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information;
Step S602, the user terminal generates DID credential information based on the first registration information, and sends the DID credential information and marker information of a preset marker to the medical institution server so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information and outputs response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs;
In step S603, the user terminal is configured to perform identity authentication on the medical institution server based on the response information.
According to the block chain bidirectional identity authentication method based on the marker, after the medical institution server authenticates the identity of the user terminal based on the DID credential information and the marker information, the response information can be output, and the user terminal can authenticate the identity of the medical institution server based on the response information, so that the data of the medical institution server can be ensured to be accessed by a legal user terminal, the data security is protected, and meanwhile, an attacker is prevented from impersonating the medical institution server to initiate a phishing attack to the user terminal.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.
Claims (10)
1. A tag-based blockchain mutual identity authentication system, the system comprising: a user terminal, a medical institution server and a DID issuer node device which are mutually connected in communication;
the DID issuer node equipment is used for generating a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information;
The user terminal is used for generating DID credential information based on the first registration information, sending the DID credential information and marker information of a preset marker to the medical institution server, so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information, and outputting response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs;
And the user terminal is used for carrying out identity authentication on the medical institution server based on the response information.
2. The system of claim 1, wherein the system further comprises a controller configured to control the controller,
The DID issuer node equipment is used for receiving the data tuple declaration information and the first identifier of the user sent by the user terminal and generating signature information according to the data tuple declaration information and the first identifier; generating a pre-credential based on the data tuple declaration information, the first identifier, and the signature information; generating a master credential and an environment credential based on the pre-credential, wherein the data tuple declaration information includes: statement content, description information corresponding to the statement content.
3. The system of claim 2, wherein the system further comprises a controller configured to control the controller,
The DID issuer node equipment calculates a first result according to the node private key of the DID issuer node equipment and the slice information of the description information, and generates a master certificate according to the first result, the first identifier, the data tuple declaration information and signature information corresponding to the data tuple declaration information; transmitting the master credential to the user terminal;
the DID issuer node equipment receives the relation attribute sent by the user terminal and generates an environment-based environment credential according to the second identifier, the data tuple declaration information, the relation attribute and the signature information of the user based on the environment; and sending the environment certificate to the user terminal.
4. The system of claim 2, wherein the system further comprises a controller configured to control the controller,
The medical institution server is used for generating a medical institution server private key and a medical institution server public key, storing the medical institution server private key and sending the medical institution server public key to the DID issuer node device;
The DID issuer node device is used for calculating a hash value based on the public key and the second key of the medical institution server to obtain a verification certificate, returning the verification certificate to the medical institution server and storing the verification certificate, and finishing registration of the medical institution server.
5. The system of claim 4, wherein the system further comprises a controller configured to control the controller,
The user terminal obtains a DID identity, first marker information and a first random number r of a user, calculates a hash value according to the environment evidence, the DID identity and the first marker information, and obtains a first intermediate result; generating a registration request corresponding to the user according to the first intermediate result and the first random number, and sending the registration request to the DID issuer node equipment;
The DID issuer node device is used for determining a first pseudo identity corresponding to the user based on the received registration request, determining a distributed identity corresponding to the user, and calculating a hash value according to the first pseudo identity, the distributed identity and the first key to obtain a second result; calculating a hash value according to the registration request, the first key and the distributed identity to obtain identity authentication credential information; calculating to obtain a third result according to the second result, the identity authentication credential information and the registration request; calculating a hash value according to the identity authentication credential information, the registration request and the first key to obtain a fourth result; calculating a fifth result according to the fourth result, the first pseudo identity and the first key; generating intelligent card information of the intelligent card according to the first pseudo identity, the fifth result, the third result and the preset maximum login failure times, and sending the intelligent card information to the user terminal;
the user terminal is used for obtaining a second result and a first recovery result corresponding to the identity authentication credential information according to the registration request and the third result; obtaining an updating result corresponding to the third result according to the first recovery result and the first intermediate result; calculating a hash value according to the second result, the DID identity, the first marker information and the identity authentication credential information to obtain a sixth result; generating final information of the smart card according to the updated result corresponding to the first pseudo identity, the fifth result, the third result, the sixth result and the preset maximum login failure times, and storing the final information of the smart card to the user terminal to finish the registration of the user terminal.
6. The system of claim 5, wherein the system further comprises a controller configured to control the controller,
The user terminal is used for inputting the actual login information input by the user into the intelligent card so that the intelligent card calculates a hash value according to the actual login information to obtain a first actual result, and calculates a seventh actual result according to the first actual result, an updated result corresponding to the third result and the actual login information; if the seventh actual result is the same as the sixth result, extracting a current first timestamp, and determining a first login parameter according to the medical institution server public key, the identity authentication credential information and the fifth result; calculating a hash value according to the identity authentication credential information, the fifth result, the medical institution server public key and the first timestamp to obtain a second login parameter; generating a login message according to the first pseudo identity, the first login parameter, the second login parameter and the first timestamp, and sending the login message to the medical institution server;
The medical institution server is used for acquiring a current time stamp, calculating a first time interval between the current time stamp and the first time stamp, decrypting the first login parameter by adopting the private key of the medical institution server to obtain a third decryption result if the first time interval is smaller than a preset time threshold, calculating a hash value according to the third decryption result, the public key of the medical institution server and the first time stamp to obtain a second calculation parameter, and determining that identity authentication is completed on the user terminal if the second calculation parameter is identical to the second login parameter;
Extracting a current second time stamp, and calculating to obtain a third calculation parameter and a fourth calculation parameter according to the fifth result, the verification certificate, the medical institution server public key and the second time stamp; outputting response information based on the first pseudo-identity, the third calculation parameter, the fourth calculation parameter and the second timestamp.
7. The system of claim 6, wherein the system further comprises a controller configured to control the controller,
The medical facility server is further configured to send the first pseudo-identity, the third calculation parameter, a fourth calculation parameter, and a second timestamp to a DID issuer node device; the DID issuer node device is configured to calculate a second time interval between the current timestamp and the second timestamp, and if the second time interval is less than a preset time threshold, calculate, according to the third calculation parameter, the medical institution server public key, and the second key, obtain a sixth actual result; calculating according to the sixth actual result, the medical institution server public key, the second key and the second timestamp to obtain a fourth actual result, and if the fourth actual result is the same as the fourth calculation parameter, recovering a fourth result according to the fifth result, the first pseudo identity and the first key; if the fourth result is confirmed to exist in the blockchain, recording a current third timestamp, and determining a second pseudo identity corresponding to the user; calculating a hash value according to the first pseudo identity, the distributed identity and the first key to obtain a seventh result; calculating a hash value according to the second pseudo-identity, the distributed identity and the first key to obtain an eighth result; calculating a hash value according to the second pseudo identity, the eighth result and the seventh result to obtain a ninth result; calculating a tenth result and a fifteenth result according to the fifth result, the fourth result, the medical institution server public key, the second key and the third timestamp; according to the seventh result, the second pseudo identity, the ninth result, the fifth result, the fourth result, the eighth result, a medical institution server public key and the second key, calculating to obtain an eleventh result and a twelfth result; transmitting the tenth, fifteenth, eleventh and twelfth results and the third timestamp to the medical facility server;
The medical facility server is configured to output response information based on the tenth, fifteenth, eleventh, and twelfth results and the third timestamp.
8. The system of claim 7, wherein the system further comprises a controller configured to control the controller,
The medical institution server is configured to calculate a third time interval between the current timestamp and the third timestamp, calculate a sixteenth calculation parameter according to the tenth result, the verification certificate, the medical institution server public key and the third timestamp if the third time interval is smaller than a preset time threshold, and calculate a fourteenth result and a seventeenth result according to the eleventh result, the fifth result, the fourth result, the twelfth result and the verification certificate if the sixteenth calculation parameter is the same as the fifteenth result; calculating a hash value according to the ninth result, the eighth result and the second pseudo identity to obtain a sixteenth result; transmitting the fourteenth result, the seventeenth result and the sixteenth result to the user terminal;
The user terminal is used for carrying out recovery processing according to the fourteenth result, the seventeenth result and the sixteenth result to obtain seventeenth calculation parameters, judging whether the sixteenth result is equal to the seventeenth calculation parameters, and if so, determining that identity authentication is completed on the medical institution server.
9. The system of claim 5, wherein the system further comprises a controller configured to control the controller,
The user terminal is also used for receiving a marker information updating request; wherein, the marker information update request carries second marker information;
And updating the first marker information into the second marker information according to the marker information updating request, and updating the information associated with the first marker information stored in the smart card into the information associated with the second marker information.
10. A tag-based blockchain mutual identity authentication method, the method comprising:
The DID issuer node equipment generates a first key, a second key and a generation element through a block chain consensus mechanism; registering the medical institution server and the user terminal based on the first key and the second key; wherein, the registered user terminal stores first registration information;
The user terminal generates DID credential information based on the first registration information, and sends the DID credential information and marker information of a preset marker to a medical institution server so that the medical institution server performs identity authentication on the user terminal based on the DID credential information and the marker information and outputs response information; wherein the predetermined markers comprise at least one of: a biomarker for the user, a digital marker for the institution to which the user belongs;
And the user terminal is used for carrying out identity authentication on the medical institution server based on the response information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410589354.8A CN118282670A (en) | 2024-05-13 | 2024-05-13 | Block chain bidirectional identity authentication system and method based on marker |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410589354.8A CN118282670A (en) | 2024-05-13 | 2024-05-13 | Block chain bidirectional identity authentication system and method based on marker |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118282670A true CN118282670A (en) | 2024-07-02 |
Family
ID=91636234
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410589354.8A Pending CN118282670A (en) | 2024-05-13 | 2024-05-13 | Block chain bidirectional identity authentication system and method based on marker |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118282670A (en) |
-
2024
- 2024-05-13 CN CN202410589354.8A patent/CN118282670A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110086608B (en) | User authentication method, device, computer equipment and computer readable storage medium | |
| Ostad-Sharif et al. | A robust and efficient ECC-based mutual authentication and session key generation scheme for healthcare applications | |
| Mishra et al. | Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce | |
| Jiang et al. | A privacy enhanced authentication scheme for telecare medical information systems | |
| EP1997271B1 (en) | Intersystem single sign-on | |
| US11882226B1 (en) | Gesture-extracted passwords for authenticated key exchange | |
| Gupta et al. | Machine learning and smart card based two-factor authentication scheme for preserving anonymity in telecare medical information system (TMIS) | |
| Azrour et al. | New Efficient and Secured Authentication Protocol for Remote Healthcare Systems in Cloud‐IoT | |
| US20120033807A1 (en) | Device and user authentication | |
| Chen et al. | An infrastructure framework for privacy protection of community medical internet of things: Transmission protection, storage protection and access control | |
| CN101427510A (en) | Digipass for the web-functional description | |
| CN112954675A (en) | Multi-gateway authentication method, system, storage medium, computer device and terminal | |
| Jung et al. | An improved and secure anonymous biometric-based user authentication with key agreement scheme for the integrated epr information system | |
| Nagaraju et al. | SecAuthn: provably secure multi-factor authentication for the cloud computing systems | |
| CN113411187B (en) | Identity authentication method and system, storage medium and processor | |
| Chandrakar et al. | Cloud-based authenticated protocol for healthcare monitoring system | |
| KR102157695B1 (en) | Method for Establishing Anonymous Digital Identity | |
| Liu et al. | An improved authenticated key agreement protocol for telecare medicine information system | |
| Servati et al. | ECCbAS: An ECC based authentication scheme for healthcare IoT systems | |
| CN107347073B (en) | A kind of resource information processing method | |
| Chen et al. | Privacy-aware smart card based biometric authentication scheme for e-health | |
| LU93150B1 (en) | Method for providing secure digital signatures | |
| Tanveer et al. | CMAP-IoT: Chaotic map-based authentication protocol for crowdsourcing Internet of Things | |
| Fareed et al. | A lightweight and secure multilayer authentication scheme for wireless body area networks in healthcare system | |
| Kamble et al. | A provably lightweight mutually authentication and key establishment protocol using extended chaotic map for telecare medicine information system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |