CN118413304A - Blockchain-based national cryptographic dual certificate issuing and management method and system

Info

Publication number: CN118413304A
Application number: CN202410314537.9A
Authority: CN (China)
Prior art keywords: certificate, blockchain, transaction, issuing, node
Legal status: Pending (as listed; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 何道敬, 李尚宇, 陈磊
Current Assignee: Harbin Institute Of Technology shenzhen Shenzhen Institute Of Science And Technology Innovation Harbin Institute Of Technology
Original Assignee: Harbin Institute Of Technology shenzhen Shenzhen Institute Of Science And Technology Innovation Harbin Institute Of Technology

Classifications

    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/602 Providing cryptographic facilities or services
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention relates to the technical field of network security, and in particular to a blockchain-based method and system for issuing and managing national cryptographic dual certificates. The system comprises a client, a blockchain and a certificate authority. The user may send certificate application, certificate revocation, certificate verification and certificate update request messages to a node of the blockchain; when the node receives a message, the smart contract contained in the node performs the operation corresponding to that message, wherein the smart contracts include a certificate issuing contract, a certificate management contract and a certificate verification contract. The certificate application message is forwarded to the certificate authority, which processes it. After completing the associated operation, the smart contract puts the certificate or log on the chain. Compared with the prior art, the invention can store digital certificate information securely and can prevent an attack on the certificate authority from causing a single point of failure.

Description

Blockchain-based national cryptographic dual certificate issuing and management method and system
Technical Field
The invention relates to the technical field of network security, and in particular to a blockchain-based method and system for issuing and managing national cryptographic dual certificates.
Background
Public key infrastructure is a security framework and architecture for managing public keys and digital certificates. It provides a set of techniques and procedures for generating, issuing, distributing, verifying and revoking digital certificates, which ensure secure identity authentication, data encryption, and electronic signatures for secure communication and interaction. The certificate authority is the core component of the public key infrastructure and is responsible for issuing and managing digital certificates. It verifies the identity of the applicant, generates the digital certificate and signs it, ensuring the credibility and integrity of the certificate.
The dual-certificate system comprises two types of certificate, an encryption certificate and a signature certificate. The encryption certificate is used only for data encryption and cannot be used for digital signatures; the signature certificate is used only for digital signatures and cannot be used for data encryption. The private key of the signature certificate is held solely by the certificate owner, which ensures the non-repudiation of signatures. The private key of the encryption certificate is held jointly by the certificate owner and a supervisory organization, so that the supervisory organization can supervise encrypted traffic for illegal activity.
In recent years, attacks against public key infrastructure have occurred frequently, and it is common for certificate authorities compromised by attackers to issue malicious domain name certificates. When the public key infrastructure is attacked, an attacker can forge or tamper with certificates, which increases the risk of false certificates; because certificate status is updated inefficiently, a revoked certificate may still be used to steal sensitive information. In addition, an attack on a certificate authority can cause a single point of failure, so that operations such as certificate query, certificate revocation, certificate issuance and certificate verification cannot be performed normally.
Disclosure of Invention
To solve the technical problems in the prior art of the low security of certificate management systems and the low efficiency of the certificate management process, embodiments of the invention provide a blockchain-based method and system for issuing and managing national cryptographic dual certificates. The technical scheme is as follows:
In one aspect, a blockchain-based national cryptographic dual certificate issuing and managing method is provided. The method is implemented by a blockchain-based national cryptographic dual certificate issuing and managing device and comprises the following steps:
S1, the client sends a certificate application message to a node of the blockchain; when the node receives the certificate application message, it executes a preset certificate issuing contract and sends the certificate application message to the certificate authority;
S2, the certificate authority verifies the certificate application message; if the verification passes, it generates an encryption certificate, a signature certificate and key information;
S3, the certificate authority returns the encryption certificate, the signature certificate and the key information to the node of the blockchain; the node executes the preset certificate issuing contract, sets the certificate status of the encryption certificate and the signature certificate to valid, generates a certificate-issuance related transaction, and submits it to the blockchain for storage; wherein the certificate-issuance related transaction comprises a certificate transaction containing the encryption certificate and the signature certificate whose certificate status is valid, and the key information;
S4a, when the client sends a certificate revocation message to a node of the blockchain and the node receives it, the node executes a preset certificate management contract, processes the certificate revocation message, generates a certificate-revocation related transaction, and submits it to the blockchain for storage;
S4b, when the client sends a certificate verification message to a node of the blockchain and the node receives it, the node executes a preset certificate verification contract to verify the certificate; if the verification passes, the node sends a certificate verification success message to the client.
Optionally, generating the certificate-issuance related transaction in S3 and submitting it to the blockchain for storage comprises:
a node of the blockchain creates and broadcasts a transaction containing a certificate, wherein the transaction contains the signature certificate, the encryption certificate, the certificate status and the key information;
according to the PoW consensus mechanism, the node of the blockchain that holds the right to produce the block packs the certificate-issuance related transactions that are not yet on the chain into a block and broadcasts the block;
the nodes of the blockchain cross-verify the block to be submitted; if the verification passes, the block is added to the blockchain.
Optionally, the certificate-issuance related transaction, the certificate-revocation related transaction and the certificate-verification related transaction each include: transactions containing certificates and transactions containing logs;
the transaction containing the certificate comprises: certificate transaction identification, certificate transaction type, certificate information, certificate status information, certificate transaction signature, and certificate transaction timestamp;
the transaction containing the log comprises: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log transaction signature, and log transaction timestamp.
Optionally, the node of the blockchain in S4a executing the preset certificate management contract to process the certificate revocation message comprises:
when the certificate authority revokes some certificates during a periodic check: the certificate authority periodically checks all certificates in the system, changes the status of certificates that have expired or have other security problems, signs the certificate information and the changed status, and uploads them to the blockchain; the node of the blockchain executes the preset certificate management contract, processes the certificate revocation message, generates a new certificate transaction and submits it to the blockchain;
when a user applies to update a certificate and the old certificate is to be revoked: the node of the blockchain executes the preset certificate management contract to verify whether the status of the old certificate is valid; if so, it changes the status of the old certificate to revoked, generates a new certificate transaction and submits it to the blockchain;
when a user applies to revoke a certificate: the node of the blockchain executes the preset certificate management contract to verify whether the current status of the certificate is valid; if so, it changes the status of the certificate to revoked, generates a new certificate transaction and submits it to the blockchain.
Optionally, verifying the certificate in S4b comprises: verifying the integrity and authenticity of the certificate, verifying whether the status of the certificate is valid, and verifying whether the certificate is within its validity period.
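The revocation and verification rules above, sketched as an added example (not code from the patent): a hash-linked, append-only ledger in which revocation appends a new certificate transaction and the verification contract checks integrity, status and validity period, with a log transaction written for every contract call. The field names, the SHA-256 and HMAC stand-ins for the national cryptographic hash and signature algorithms, the integer timestamps and the sample certificates are assumptions constructed for illustration; key information and PoW consensus are omitted.

```python
import hashlib
import hmac
import json

VALID, REVOKED, GENESIS = "valid", "revoked", "0" * 64
NODE_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a node signature

def digest(obj):
    """Canonical SHA-256 digest; stand-in for the scheme's hash algorithm."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(obj):
    return hmac.new(NODE_KEY, digest(obj).encode(), hashlib.sha256).hexdigest()

class Ledger:
    """Append-only, hash-linked list of certificate and log transactions."""
    def __init__(self):
        self.txs = []
    def append(self, tx_type, body, timestamp):
        prev = self.txs[-1]["tx_id"] if self.txs else GENESIS
        tx = {"tx_type": tx_type, "timestamp": timestamp, "prev": prev, **body}
        tx["signature"] = sign(tx)   # signature over the unsigned fields
        tx["tx_id"] = digest(tx)     # id covers the fields and the signature
        self.txs.append(tx)
    def latest_cert_tx(self, serial):
        """A certificate's current state is its most recent certificate transaction."""
        for tx in reversed(self.txs):
            if tx["tx_type"] == "certificate" and tx["cert_info"]["serial"] == serial:
                return tx
        return None
    def chain_intact(self):
        """Recompute each signature, id and back-link; edited history fails."""
        prev = GENESIS
        for tx in self.txs:
            core = {k: v for k, v in tx.items() if k not in ("signature", "tx_id")}
            signed = dict(core, signature=tx["signature"])
            if (tx["prev"] != prev or digest(signed) != tx["tx_id"]
                    or not hmac.compare_digest(sign(core), tx["signature"])):
                return False
            prev = tx["tx_id"]
        return True

def write_log(ledger, contract_id, user_id, content, now):
    ledger.append("log", {"contract_id": contract_id, "user_id": user_id,
                          "log_content": content}, now)

def issue(ledger, cert_info, user_id, now):
    """Issuing contract: record the CA-issued certificate with status valid."""
    ledger.append("certificate", {"cert_info": cert_info, "cert_status": VALID}, now)
    write_log(ledger, "issuing", user_id, "issued " + cert_info["serial"], now)

def revoke(ledger, serial, user_id, now):
    """Management contract: only a currently valid certificate can be revoked."""
    current = ledger.latest_cert_tx(serial)
    ok = current is not None and current["cert_status"] == VALID
    if ok:  # revocation appends a new transaction; the old one is never edited
        ledger.append("certificate",
                      {"cert_info": current["cert_info"], "cert_status": REVOKED}, now)
    write_log(ledger, "management", user_id,
              "revoke %s: %s" % (serial, "done" if ok else "rejected"), now)
    return ok

def verify(ledger, presented, user_id, now):
    """Verification contract: integrity, then status, then validity period."""
    current = ledger.latest_cert_tx(presented.get("serial"))
    if current is None:
        result = "unknown"
    elif digest(presented) != digest(current["cert_info"]):
        result = "tampered"
    elif current["cert_status"] != VALID:
        result = "revoked"
    elif not presented["not_before"] <= now <= presented["not_after"]:
        result = "out_of_period"
    else:
        result = "ok"
    write_log(ledger, "verification", user_id,
              "verify %s: %s" % (presented.get("serial"), result), now)
    return result

def demo():
    """Constructed sample data: a dual-certificate pair for a hypothetical user."""
    ledger = Ledger()
    sig_cert = {"serial": "SIG-001", "subject": "alice", "usage": "signature",
                "not_before": 100, "not_after": 200}
    enc_cert = dict(sig_cert, serial="ENC-001", usage="encryption")
    issue(ledger, sig_cert, "alice", 100)
    issue(ledger, enc_cert, "alice", 100)
    results = [
        verify(ledger, sig_cert, "bob", 150),
        verify(ledger, dict(sig_cert, subject="mallory"), "bob", 150),
        revoke(ledger, "SIG-001", "alice", 160),
        revoke(ledger, "SIG-001", "alice", 161),   # second revocation is rejected
        verify(ledger, sig_cert, "bob", 170),
        verify(ledger, enc_cert, "bob", 170),      # the paired certificate is unaffected
        verify(ledger, enc_cert, "bob", 250),
    ]
    return ledger, results
```

Because a certificate's state is read from its latest transaction, a relying party that caches an earlier "valid" transaction without re-querying the chain reproduces the stale-status problem described in the Background.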
In another aspect, a blockchain-based national cryptographic dual certificate issuing and managing system is provided, the system being applied to the blockchain-based national cryptographic dual certificate issuing and managing method.
The system comprises a client, a blockchain and a certificate authority, wherein:
The client is used to send a certificate application message, a certificate revocation message and a certificate verification message to a node of the blockchain;
The blockchain is used as follows: when a node of the blockchain receives the certificate application message, the node executes the preset certificate issuing contract and sends the certificate application message to the certificate authority; the node executes the preset certificate issuing contract, sets the certificate status of the encryption certificate and the signature certificate to valid, generates a certificate-issuance related transaction, and submits it to the blockchain for storage; when the node receives the certificate revocation message, it executes the preset certificate management contract, processes the certificate revocation message, generates a certificate-revocation related transaction, and submits it to the blockchain for storage; when the node receives the certificate verification message, it executes the preset certificate verification contract, verifies the certificate, generates a certificate-verification related transaction, and submits it to the blockchain for storage; if the verification passes, the node sends a certificate verification success message to the client;
The certificate authority is used to verify the certificate application message; if the verification passes, it generates an encryption certificate, a signature certificate and key information, and returns the encryption certificate, the signature certificate and the key information to the node of the blockchain.
Optionally, generating the certificate-issuance related transaction and submitting it to the blockchain for storage comprises:
a node of the blockchain creates and broadcasts a transaction containing a certificate, wherein the transaction contains the signature certificate, the encryption certificate, the certificate status and the key information;
according to the PoW consensus mechanism, the node of the blockchain that holds the right to produce the block packs the certificate-issuance related transactions that are not yet on the chain into a block and broadcasts the block;
the nodes of the blockchain cross-verify the block to be submitted; if the verification passes, the block is added to the blockchain.
Optionally, the certificate-issuance related transaction, the certificate-revocation related transaction and the certificate-verification related transaction each include: transactions containing certificates and transactions containing logs;
the transaction containing the certificate comprises: certificate transaction identification, certificate transaction type, certificate information, certificate status information, certificate transaction signature, and certificate transaction timestamp;
the transaction containing the log comprises: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log transaction signature, and log transaction timestamp.
Optionally, the node of the blockchain executing the preset certificate management contract to process the certificate revocation message comprises:
when the certificate authority revokes some certificates during a periodic check: the certificate authority periodically checks all certificates in the system, changes the status of certificates that have expired or have other security problems, signs the certificate information and the changed status, and uploads them to the blockchain; the node of the blockchain executes the preset certificate management contract, processes the certificate revocation message, generates a new certificate transaction and submits it to the blockchain;
when a user applies to update a certificate and the old certificate is to be revoked: the node of the blockchain executes the preset certificate management contract to verify whether the status of the old certificate is valid; if so, it changes the status of the old certificate to revoked, generates a new certificate transaction and submits it to the blockchain;
when a user applies to revoke a certificate: the node of the blockchain executes the preset certificate management contract to verify whether the current status of the certificate is valid; if so, it changes the status of the certificate to revoked, generates a new certificate transaction and submits it to the blockchain.
Optionally, verifying the certificate comprises: verifying the integrity and authenticity of the certificate, verifying whether the status of the certificate is valid, and verifying whether the certificate is within its validity period.
In another aspect, a blockchain-based national cryptographic dual certificate issuing and managing apparatus is provided, comprising: a processor; and a memory having stored thereon computer readable instructions that, when executed by the processor, implement any of the blockchain-based national cryptographic dual certificate issuing and managing methods described above.
In another aspect, a computer readable storage medium is provided, having stored therein at least one instruction that is loaded and executed by a processor to implement any of the blockchain-based national cryptographic dual certificate issuing and managing methods described above.
The technical scheme provided by the embodiments of the invention has at least the following beneficial effects:
In the embodiments of the invention, when the client sends a certificate application message to a node of the blockchain, the node receives the message, executes a preset certificate issuing contract and sends the certificate application message to the certificate authority; the certificate authority verifies the certificate application message and, if the verification passes, generates an encryption certificate, a signature certificate and key information; the certificate authority returns the encryption certificate, the signature certificate and the key information to the node of the blockchain; the node executes the preset certificate issuing contract, sets the certificate status of the encryption certificate and the signature certificate to valid, generates a certificate-issuance related transaction, and submits it to the blockchain for storage. When the client sends a certificate revocation message to a node of the blockchain, the node receives the message, executes a preset certificate management contract, processes the certificate revocation message, generates a certificate-revocation related transaction, and submits it to the blockchain for storage. When the client sends a certificate verification message to a node of the blockchain, the node receives the message, executes a preset certificate verification contract, verifies the certificate, generates a certificate-verification related transaction, and submits it to the blockchain for storage; if the verification passes, the node sends a certificate verification success message to the user.
Compared with the prior art, the embodiments of the invention can store digital certificate information securely and prevent an attack on the certificate authority from causing a single point of failure. Cross-verification is performed before a certificate is put on the chain to determine whether anyone has forged or tampered with it, which reduces the risk of false certificates. The smart contracts provided by the embodiments can periodically check the validity of certificates, so that certificates with security problems are not used further; the smart contracts include a certificate issuing contract, a certificate management contract and a certificate verification contract. Certificates can be managed automatically through the smart contracts, which improves the efficiency of the certificate management process; the process comprises certificate issuance, certificate status management and certificate query. By making newly created certificates and the status of all certificates public and visible, and by recording all operations related to certificate management in the blockchain, the embodiments can monitor all operations and detect abnormal conditions. By saving the operation logs of the smart contracts to the blockchain, the embodiments enhance the security of the certificate management system and the traceability of security problems.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a structure for issuing and managing national cryptographic dual certificates based on a blockchain according to an embodiment of the present invention;
FIG. 2 is a flowchart of a blockchain-based national cryptographic dual certificate issuing and managing method according to an embodiment of the present invention;
FIG. 3 is a diagram of a certificate structure provided by an embodiment of the present invention;
FIG. 4 is a block diagram of an embodiment of the present invention;
FIG. 5 is a block diagram of a blockchain-based national cryptographic dual certificate issuing and managing system according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a blockchain-based national cryptographic dual certificate issuing and managing device according to an embodiment of the present invention.
Detailed Description
The technical scheme of the invention is described below with reference to the accompanying drawings.
In embodiments of the invention, words such as "exemplary" and "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "example" is intended to present concepts in a concrete fashion. Furthermore, in embodiments of the present invention, "and/or" may mean both, or either one of the two.
In the embodiments of the present invention, "image" and "picture" may sometimes be used interchangeably; when the distinction is not emphasized, the intended meaning is the same. Likewise, "of", "relevant" and "corresponding" may sometimes be used interchangeably; when the distinction is not emphasized, the intended meaning is the same.
In embodiments of the present invention, a subscripted symbol such as $W_1$ may sometimes be written in the non-subscript form W1; when the distinction is not emphasized, the intended meaning is the same.
In order to make the technical problems, technical solutions and advantages to be solved more apparent, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
The embodiment of the invention provides a method for issuing and managing a double national secret certificate based on a block chain, which can be realized by a double national secret certificate issuing and managing device based on the block chain, wherein the double national secret certificate issuing and managing device based on the block chain can be a terminal or a server. Fig. 1 is a schematic diagram of a structure of issuing and managing a cryptographic dual certificate based on a blockchain according to an embodiment of the present invention. The system comprises a user side, a blockchain and a certificate issuing mechanism; the user end can send a certificate application, a certificate revocation and a certificate verification request message to a node of the blockchain, wherein the node of the blockchain comprises an intelligent contract and can perform corresponding operations on the certificate application, the certificate revocation and the certificate verification request message, when the user end sends a certificate issuance message, the node of the blockchain forwards the certificate issuance message to a trusted certificate issuing mechanism of a third party, and the certificate issuing mechanism processes the certificate issuance message; the intelligent contract processes the information sent by the user terminal and uploads the state of the certificate and the related transaction of the certificate to the blockchain for storage; wherein, the intelligent contract includes: certificate issuing contracts, certificate management contracts, and certificate verification contracts. The blockchain-based double certificate issuing and management method shown in fig. 2 is a flowchart, and the processing flow of the method can comprise the following steps:
S1, a user side sends a certificate application message to a node of a blockchain, when the node of the blockchain receives the certificate application message, the node of the blockchain executes a preset certificate issuing contract, and the node of the blockchain sends the certificate application message to a certificate issuing organization.
Before the user side sends a certificate application message to a node of the blockchain, the user side generates a pair of public and private keys belonging to the user side as signature public and private keys; the private key is stored securely offline on the local device. The user side then encrypts the certificate application message using the public and private keys to obtain encrypted information.
In one possible implementation, the specific implementation process for obtaining the encrypted information may include:
(1) The client hashes an application message, wherein the application message comprises: a user's signature public key, user's identity information, and other relevant information of the user; the specific procedure of the hash processing can be represented by the following formula (1):
$H_1 = \mathrm{Hash}(id \,\|\, pk_{id} \,\|\, msg)$ (1)
Wherein $H_1$ represents an initial hash value, $id$ represents identity information of a user, $pk_{id}$ represents a signature public key of the user, $msg$ represents other related information submitted by the user, and Hash represents a hash algorithm.
(2) The user side calculates signature information through a signature algorithm according to the initial hash value and the private key; the specific procedure for obtaining the signature information can be represented by the following formula (2):
$S_1 = \mathrm{Sign}(H_1, sk_{id})$ (2)
where $S_1$ represents signature information of the application message by the user, $sk_{id}$ represents a private key of the user, $H_1$ represents an initial hash value, and Sign represents a signature algorithm.
(3) The user side encrypts the certificate application message through an asymmetric encryption algorithm according to the initial hash value, the signature public key of the user and the public key of the certificate issuing mechanism to obtain encryption information. The specific process of obtaining the encrypted information can be represented by the following formula (3):
$C_1 = \mathrm{Encrypt}(id \,\|\, pk_{id} \,\|\, msg \,\|\, H_1 \,\|\, S_1,\ pk_{CA})$ (3)
Wherein $C_1$ represents encryption information, $id$ represents identity information of a user, $pk_{id}$ represents a signature public key of the user, $msg$ represents other related information submitted by the user, $H_1$ represents an initial hash value, $S_1$ represents signature information of the user on an application message, $pk_{CA}$ represents a public key of a certificate authority, and Encrypt represents an asymmetric encryption algorithm.
(4) The user transmits the signature information $S_1$ and the encryption information $C_1$ to the certificate authority.
S2, verifying the certificate application message by a certificate issuing organization; and if the verification is passed, generating an encryption certificate, a signature certificate and key information.
Fig. 3 is a schematic diagram of a certificate structure provided in an embodiment of the present invention. Wherein the certificate format includes: version number, serial number, signing algorithm, signer, expiration date, public key information, principal ID, blockchain name, hash algorithm, certificate authority identifier, certificate key identifier, and signature value.
When the certificate issuing organization receives the certificate application message, the certificate issuing organization decrypts the certificate application message to obtain decryption information, and verifies the decryption information.
In one possible implementation, the implementation of the specific decryption may include:
(1) The registration mechanism RA adopts an asymmetric decryption algorithm to decrypt the certificate application message, wherein the registration mechanism RA is a subordinate mechanism of the certificate issuing mechanism and assists the certificate issuing mechanism to register the certificate; the decryption process can be represented by equation (4):
$id \,\|\, pk_{id} \,\|\, msg \,\|\, H_1 \,\|\, S_1 = \mathrm{Decrypt}(C_1, sk_{CA})$ (4)
Wherein $id$ represents identity information of the user, $pk_{id}$ represents a signature public key of the user, $msg$ represents other related information submitted by the user, $H_1$ represents an initial hash value, $S_1$ represents signature information of the user on an application message, $pk_{CA}$ represents a public key of a certificate authority, $C_1$ represents encryption information, $sk_{CA}$ represents a private key of the certificate authority, and Decrypt represents an asymmetric decryption algorithm.
(2) The registration authority RA adopts a signature verification algorithm to verify the identity information of the user to obtain a verification result, and the verification process can be represented by the following formula (5):
$val = \mathrm{Verify}(S_1, pk_{id})$ (5)
Wherein $val$ represents a logical value, which may be true or false; $S_1$ represents signature information of the application message by the user, and Verify represents a verification algorithm.
$H_2 = \mathrm{Hash}(id \,\|\, pk_{id} \,\|\, msg)$ (6)
Wherein $id$ represents identity information of the user, $pk_{id}$ represents a public key of the user, $msg$ represents other related information submitted by the user, $H_2$ represents the application data hash value calculated by the registration authority RA, and Hash represents a hash algorithm.
If $val$ = true and $H_1 = H_2$ is verified, then the message verification passes.
(3) If the verification is passed, the registration authority RA sends the verification result, the signature key and the user information to a certificate issuing authority; when the certificate authority receives the verification result, the signature key and the user information, the certificate authority generates a pair of encrypted public and private keys belonging to the application user and a symmetric key through a key management center; and the certificate issuing mechanism adopts an asymmetric encryption algorithm according to the public and private keys and the symmetric key to obtain key information. The specific procedure for obtaining the key information can be represented by the following formula (7):
$C_2 = \mathrm{Encrypt}(k_1, pk_{id})$ (7)
Where $C_2$ denotes encryption information 1, $k_1$ denotes a symmetric key, $pk_{id}$ denotes a signature public key of a user, and Encrypt denotes an asymmetric encryption algorithm.
(4) The certificate authority safely stores the encrypted public key of the user;
(5) The certificate issuing mechanism generates a signature certificate according to the user signature public key and the user information, wherein the state of the signature certificate is set to be valid; the certificate issuing mechanism generates an encryption certificate according to the user encryption public key and the user information, wherein the state of the encryption certificate is set to be valid;
(6) If the verification fails, the certificate issuing mechanism cannot issue a signature certificate and an encryption certificate, and the certificate issuing mechanism sends a verification failure message to the user side.
S3, returning the encryption certificate, the signature certificate and the key information to the node of the blockchain by the certificate issuing mechanism; executing preset certificate issuing contracts by nodes of the blockchain, setting the certificate states of the encrypted certificates and the signed certificates to be valid, generating related transactions for certificate issuing, and submitting the related transactions for certificate issuing to the blockchain for storage; wherein, the transaction related to certificate issue mainly refers to a transaction containing a certificate, and the transaction comprises: the certificate status is valid encryption certificates and signature certificates and key information.
Optionally, generating the certificate issue related transaction in S3, submitting the certificate issue related transaction to the blockchain for storage includes:
Creating and broadcasting a transaction containing a certificate by a node of the blockchain, wherein the transaction containing the certificate contains a signature certificate, an encryption certificate, a certificate state and key information;
According to the POW consensus mechanism, the node of the blockchain that holds the block-producing right packs the certificate issuance related transactions that have not yet been put on-chain into a block and broadcasts the block;
the nodes of the block chain cross-verify the blocks to be submitted; if the verification is passed, the block is uploaded to the blockchain.
Wherein, if the cross-validation fails, the block is not allowed to be uploaded to the blockchain.
Wherein cross-validation is the process of comparing and validating the results of validation of multiple nodes against the same set of transactions or the same block. The cross verification can ensure that verification results among different block chain nodes are consistent so as to enhance the credibility and consistency of data; the specific implementation process can comprise the following steps:
(1) Each blockchain node independently verifies the candidate blocks, including certificate verification, block hash verification, and workload certification verification. The blockchain node checks the integrity and authenticity of the certificate, the trustworthiness of the certificate authority, and the data integrity of the transaction;
(2) Each blockchain node broadcasts its own verification result and compares it with the verification results of the other blockchain nodes; if more than 1/2 of all blockchain nodes report that verification passed, the cross-validation passes; otherwise it fails and the block is not allowed to be uploaded to the blockchain. After the cross-validation passes, the block is uploaded to the blockchain.
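The two cross-validation steps above can be sketched as follows. This is an added example, not code from the patent: SHA-256 stands in for the unspecified hash algorithm, difficulty is taken to be a count of leading zero hex digits, and the transaction strings, the issuer allow-list check and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample transactions; the field layout is an assumption.
SAMPLE_TXS = ["cert|id=sig-001|status=valid|issuer=CA-1",
              "cert|id=enc-001|status=valid|issuer=CA-1",
              "log|contract=issuing|content=issued sig-001 and enc-001"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def merkle_root(txs):
    level = [sha256_hex(t) for t in txs] or [sha256_hex("")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last hash on odd-sized levels
        level = [sha256_hex(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def block_hash(header):
    keys = ("height", "prev", "merkle_root", "difficulty", "nonce")
    return sha256_hex("|".join(str(header[k]) for k in keys))


def mine(height, prev, txs, difficulty):
    # Proof of work: search for a nonce whose block hash meets the difficulty.
    header = {"height": height, "prev": prev, "merkle_root": merkle_root(txs),
              "difficulty": difficulty, "nonce": 0}
    while not block_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1
    return {"header": header, "txs": list(txs), "hash": block_hash(header)}


def issuer_trusted(tx, trusted_cas):
    fields = tx.split("|")
    if fields[0] != "cert":
        return True  # log transactions carry no certificate
    issuer = dict(f.split("=", 1) for f in fields[1:] if "=" in f).get("issuer")
    return issuer in trusted_cas


def node_verify(block, trusted_cas):
    # Step (1): each node checks transaction integrity, block hash,
    # proof of work and issuer trust on the copy it received.
    header = block["header"]
    return (merkle_root(block["txs"]) == header["merkle_root"]
            and block_hash(header) == block["hash"]
            and block["hash"].startswith("0" * header["difficulty"])
            and all(issuer_trusted(t, trusted_cas) for t in block["txs"]))


def cross_validate(votes):
    # Step (2): strictly more than 1/2 of all nodes must report a pass.
    return 2 * sum(votes) > len(votes)


def run_round(block, altered_copies, total_nodes, trusted_cas):
    # Nodes whose received copy was altered (constructed scenario) vote "fail".
    votes = []
    for i in range(total_nodes):
        copy = {"header": dict(block["header"]), "txs": list(block["txs"]),
                "hash": block["hash"]}
        if i < altered_copies:
            copy["txs"][0] = copy["txs"][0].replace("status=valid", "status=revoked")
        votes.append(node_verify(copy, trusted_cas))
    return votes, cross_validate(votes)


if __name__ == "__main__":
    candidate = mine(1, "0" * 64, SAMPLE_TXS, 2)
    print(run_round(candidate, 1, 4, {"CA-1"}))
    print(run_round(candidate, 2, 4, {"CA-1"}))
```

With four nodes, exactly two passing votes do not satisfy the "exceeding 1/2" condition, so the block is rejected.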
FIG. 4 is a block structure diagram according to an embodiment of the present invention; wherein, the block data format includes: block height, block identification, version information, previous block digest value, block random number, block timestamp, transaction list, Merkle root, difficulty coefficient, and block hash.
Wherein the transaction list in the block data format comprises: transactions containing certificates and transactions containing logs; a transaction comprising a certificate, including a certificate transaction identification, a certificate transaction type, a certificate type, certificate information, certificate status information, a certificate signature, and a certificate transaction timestamp; a transaction containing a log, comprising: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log signature, and log transaction timestamp.
Wherein the certificate type may be an encryption certificate or a signature certificate; if the certificate is an encryption certificate, the certificate information comprises the encryption certificate and the user encryption private key encrypted by the certificate authority; if the certificate is a signature certificate, the certificate information contains only the signature certificate; the certificate status includes a certificate identifier and a signature of the certificate authority that the certificate status is valid; the certificate information comprises the certificate returned by the certificate issuing organization, and if the certificate is an encryption certificate, the certificate information also comprises information related to the encryption private key.
The user side can download the encryption certificate, the signature certificate and the key information from the blockchain; and the user obtains an encryption private key according to the downloaded key information. Wherein obtaining the encrypted private key can be represented by equation (8) and equation (9):
$k_1 = \mathrm{Dec}(C_2, sk_{id})$ (8)
$sk_{dec} = \mathrm{Dec}(C_3, k_1)$ (9)
Where $k_1$ denotes a symmetric key, $C_2$ denotes encryption information 1, $C_3$ denotes encryption information 2, $sk_{dec}$ denotes a private key of a certificate authority, and $sk_{id}$ denotes a private key of a user.
Optionally, the certificate issue related transaction, the certificate revocation related transaction and the certificate verification related transaction each include: transactions containing certificates and transactions containing logs;
A transaction containing a certificate, comprising: certificate transaction identification, certificate transaction type, certificate information, certificate status information, certificate transaction signature, and certificate transaction timestamp;
A transaction containing a log, comprising: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log transaction signature, and log transaction timestamp.
Wherein the certificate issues related transactions, comprising: transactions containing certificates and transactions containing logs.
Wherein the certificate revokes related transactions, comprising: transactions containing certificates and transactions containing logs.
Wherein the certificate validates the related transaction, comprising: transactions containing certificates and transactions containing logs.
S4a, when the user side sends a certificate revocation message to a node of the blockchain and the node of the blockchain receives the certificate revocation message, the node of the blockchain executes a preset certificate management contract, processes the certificate revocation message, generates a certificate revocation related transaction, and submits the certificate revocation related transaction to the blockchain for storage.
The state of the certificate is divided into a valid state and a revoked state. Wherein the current state of the certificate is determined by the state of the latest block storing the certificate.
Optionally, the node of the blockchain of S4a executes a preset certificate management contract to process a certificate revocation message, including:
When a certificate issuing mechanism periodically checks and revokes some certificates, the certificate issuing mechanism periodically checks all certificates in the system, changes the state of certificates that have expired or have other security problems, signs the certificate information and the changed states, and uploads them to the blockchain; the node of the blockchain executes a preset certificate management contract, processes the certificate revocation information, generates a new certificate transaction and submits the new certificate transaction to the blockchain;
When a user applies to update a certificate and revoke the old certificate, a node of the blockchain executes a preset certificate management contract to verify whether the state of the old certificate is valid; if so, the old certificate state is changed to revoked, and a new certificate transaction is generated and submitted to the blockchain;
When the old certificate is invalid, the node of the blockchain sends a certificate verification failure message to the user terminal.
When a user applies to revoke a certificate, a node of the blockchain executes a preset certificate management contract to verify whether the current state of the certificate is a valid state; if so, the state of the certificate is changed to revoked, and a new certificate transaction is generated and submitted to the blockchain.
If invalid, the node of the blockchain sends a certificate verification failure message to the user terminal.
When the blockchain-based national cipher double certificate issuing and managing system discovers a certificate issuing organization with a security problem, the certificate management contract in the system can immediately update the status of the affected certificate issuing organization and of the corresponding certificates, without waiting for the next certificate revocation list update.
The blockchain-based national cipher double certificate issuing and managing system handles certificate revocation through the certificate state, so the certificate state can be updated with a smaller time delay and the security risk is reduced.
The certificate management contract can process not only the certificate revocation message but also the certificate update message. In a possible implementation manner, when a node of the blockchain receives a certificate update message sent by a user side, a certificate management contract in the node of the blockchain revokes an old certificate and invokes a certificate issuing contract to issue a new certificate; after the certificate management contract execution operation is finished, generating a transaction containing the log according to the transaction log, the contract call log, the exception log and the like, and submitting the transaction to the blockchain.
S4b, when the user side sends a certificate verification message to the node of the blockchain and the node of the blockchain receives the certificate verification message, the node of the blockchain executes a preset certificate verification contract to verify the certificate; if the verification is passed, the node of the blockchain sends a certificate verification success message to the user.
If verification fails, the node of the blockchain sends a certificate verification failure message to the user terminal, generates a new certificate transaction, and modifies the certificate state into revocation.
Wherein the certificate verification contract can quickly search and automatically verify the certificate, and comprises the following steps: verifying a certificate chain, checking a certificate validity period, and checking a certificate revocation status.
Wherein the certificate validity query may be performed by querying the blockchain for content comprising the latest block of the certificate and obtaining the current status of the digital certificate.
Optionally, the verifying the certificate of S4b includes: verifying the integrity and authenticity of the certificate, verifying whether the state of the certificate is valid, and verifying whether the certificate is within the validity period.
The digital signature encrypts the certificate with the private key, and other users can verify the validity, integrity and authenticity of the signature with the public key; certificate verification ensures that each certificate is issued by a certificate authority. During verification, the integrity of the certificate chain is checked, confirming that each certificate has a valid signature and matches the next certificate in the chain; once the chain has been traced back to the root certificate and every certificate has been verified, the integrity and authenticity of the certificate can be determined.
One possible implementation, verifying whether the state of the certificate is a valid state, may be by querying a transaction containing the certificate that currently needs to be verified, and obtaining the current state of the certificate based on the latest certificate transaction therein.
One possible implementation ensures that the certificate is valid within the current time frame by verifying the validity period of the certificate. Wherein the certificate date contains a start date and an end date, the verification process needs to ensure that the current date is within the validity period.
If the integrity and authenticity of the certificate, the valid state of the certificate, and the validity period of the certificate are all verified successfully, the node of the blockchain sends a certificate verification success message to the user side; if any one verification fails, the node of the blockchain sends a certificate verification failure message to the user terminal; after the certificate verification contract finishes executing, a transaction containing the log is generated from the transaction log, the contract call log, the exception log and the like, and submitted to the blockchain.
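The state handling described in S4a and S4b can be sketched as follows. This is an added example, not code from the patent: the class and field names, the integer timestamps and the SHA-256 hash chaining are assumptions, and the signature and certificate chain check is left out, so only the state and validity period checks are shown.

```python
import hashlib
import json

VALID, REVOKED = "valid", "revoked"
GENESIS = "0" * 64


def _digest(tx):
    body = {k: v for k, v in tx.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CertLedger:
    """Append-only transaction list standing in for the blockchain (hypothetical)."""

    def __init__(self):
        self.txs = []

    def _append(self, tx):
        # Link each transaction to its predecessor so edits to history are detectable.
        tx["prev"] = self.txs[-1]["hash"] if self.txs else GENESIS
        tx["hash"] = _digest(tx)
        self.txs.append(tx)

    def _log(self, contract, content, now):
        # Every contract run leaves a log transaction next to the certificate ones.
        self._append({"kind": "log", "contract": contract, "content": content, "ts": now})

    def latest(self, cert_id):
        # The newest certificate transaction for this id decides the current state.
        for tx in reversed(self.txs):
            if tx["kind"] == "cert" and tx["cert_id"] == cert_id:
                return tx
        return None

    def current_status(self, cert_id):
        tx = self.latest(cert_id)
        return tx["status"] if tx else None

    def issue(self, cert_id, cert_type, not_before, not_after, now):
        self._append({"kind": "cert", "tx_type": "issue", "cert_id": cert_id,
                      "cert_type": cert_type, "status": VALID,
                      "not_before": not_before, "not_after": not_after, "ts": now})
        self._log("issuing", "issued " + cert_id, now)

    def _revoke_tx(self, latest, now):
        tx = {k: v for k, v in latest.items() if k not in ("prev", "hash")}
        tx.update(tx_type="revoke", status=REVOKED, ts=now)
        self._append(tx)

    def revoke(self, cert_id, now):
        # Management contract: only a currently valid certificate can be revoked.
        latest = self.latest(cert_id)
        if latest is None or latest["status"] != VALID:
            self._log("management", "revocation refused for " + cert_id, now)
            return False
        self._revoke_tx(latest, now)
        self._log("management", "revoked " + cert_id, now)
        return True

    def verify(self, cert_id, now):
        # Verification contract: state check plus validity period check.
        latest = self.latest(cert_id)
        state_ok = latest is not None and latest["status"] == VALID
        period_ok = latest is not None and latest["not_before"] <= now <= latest["not_after"]
        if state_ok and not period_ok:
            self._revoke_tx(latest, now)  # failed verification flips the state to revoked
        ok = state_ok and period_ok
        self._log("verification", ("passed " if ok else "failed ") + cert_id, now)
        return ok

    def chain_intact(self):
        prev = GENESIS
        for tx in self.txs:
            if tx["prev"] != prev or _digest(tx) != tx["hash"]:
                return False
            prev = tx["hash"]
        return True


def demo():
    ledger = CertLedger()
    ledger.issue("sig-001", "signature", 100, 200, now=100)   # constructed sample data
    ledger.issue("enc-001", "encryption", 100, 200, now=100)
    results = [ledger.verify("sig-001", now=150), ledger.revoke("sig-001", now=160),
               ledger.revoke("sig-001", now=161), ledger.verify("enc-001", now=250)]
    return results, ledger.current_status("enc-001"), ledger.chain_intact()


if __name__ == "__main__":
    print(demo())
```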
In the embodiment of the invention, when a user side sends a certificate application message to a node of a blockchain, and the node of the blockchain receives the certificate application message, the node of the blockchain executes a preset certificate issuing contract, and the node of the blockchain sends the certificate application message to a certificate issuing organization; the certificate issuing organization verifies the certificate application message; if the verification is passed, generating an encryption certificate, a signature certificate and key information; the certificate authority returns the encryption certificate, the signature certificate and the key information to the node of the blockchain; executing preset certificate issuing contracts by nodes of the blockchain, setting the certificate states of the encrypted certificates and the signed certificates to be valid, generating related transactions for certificate issuing, and submitting the related transactions for certificate issuing to the blockchain for storage; when a user side sends a certificate revocation message to a node of a blockchain, the node of the blockchain receives the certificate revocation message and executes a preset certificate management contract, the certificate revocation message is processed, a certificate revocation related transaction is generated, and the certificate revocation related transaction is submitted to the blockchain for storage; when a user side sends a certificate verification message to a node of a blockchain, the node of the blockchain receives the certificate verification message and executes a preset certificate verification contract, verifies the certificate, generates a certificate verification related transaction, and submits the certificate verification related transaction to the blockchain for storage; if the verification is passed, the node of the blockchain sends a certificate verification success message to the user.
Compared with the prior art, the embodiment of the invention can safely store the information of the digital certificate and prevent an attack on the certificate authority from causing a single point of failure; cross-verification is performed before the certificate is put on-chain to determine whether anyone has forged or tampered with the certificate, which reduces the risk of false certificates; the smart contracts provided by the embodiment of the invention can periodically check the validity of certificates, so that certificates with security problems are prevented from remaining in use; wherein the smart contracts include: certificate issuing contracts, certificate management contracts, and certificate verification contracts; certificates can be managed automatically through the smart contracts, which improves the efficiency of the certificate management flow; the flow comprises: certificate issuance, certificate status management, and certificate querying; by making newly created certificates and the states of all certificates public and visible, and by recording all operations related to certificate management in the blockchain, the embodiment of the invention can monitor all operations and detect abnormal conditions; by saving the operation logs of the smart contracts to the blockchain, the embodiment of the invention enhances the security of the certificate management system and the traceability of security problems.
FIG. 5 is a block diagram of a blockchain-based national cipher double certificate issuing and managing system for the blockchain-based national cipher double certificate issuing and managing method, according to an exemplary embodiment. Referring to fig. 5, the system includes a client 310, a blockchain 320, and a certificate authority 330. Wherein:
The client 310 is configured to send a certificate application message to a node of the blockchain; the user terminal sends a certificate revocation message to the node of the block chain; the user terminal sends a certificate verification message to a node of the blockchain;
the blockchain 320 is configured to, when a node of the blockchain receives the certificate application message, execute a preset certificate issuing contract, and the node of the blockchain sends the certificate application message to a certificate issuing authority; executing preset certificate issuing contracts by nodes of the blockchain, setting the certificate states of the encrypted certificates and the signed certificates to be valid, generating related transactions for certificate issuing, and submitting the related transactions for certificate issuing to the blockchain for storage; when a node of the blockchain receives a certificate revocation message, the node of the blockchain executes a preset certificate management contract, processes the certificate revocation message, generates a certificate revocation related transaction, and submits the certificate revocation related transaction to the blockchain for storage; when the node of the blockchain receives the certificate verification message, the node of the blockchain executes a preset certificate verification contract, verifies the certificate, generates a certificate verification related transaction, and submits the certificate verification related transaction to the blockchain for storage; if the verification is passed, the node of the blockchain sends a certificate verification success message to the user;
A certificate authority 330 for verifying the certificate application message; if the verification is passed, generating an encryption certificate, a signature certificate and key information; the certificate authority returns the encryption certificate, the signature certificate and the key information to the node of the blockchain;
Optionally, generating the certificate issuance related transaction, submitting the certificate issuance related transaction to the blockchain for storage includes:
Creating and broadcasting a transaction containing a certificate by a node of the blockchain, wherein the transaction containing the certificate contains a signature certificate, an encryption certificate, a certificate state and key information;
According to the POW consensus mechanism, the node of the blockchain that holds the block-producing right packs the certificate issuance related transactions that have not yet been put on-chain into a block and broadcasts the block;
the nodes of the block chain cross-verify the blocks to be submitted; if the verification is passed, the block is uploaded to the blockchain.
Optionally, the certificate issue related transaction, the certificate revocation related transaction and the certificate verification related transaction each include: transactions containing certificates and transactions containing logs;
a transaction containing a certificate, comprising: certificate transaction identification, certificate transaction type, certificate information, certificate status information, transaction signature of the certificate, and transaction timestamp of the certificate;
a transaction containing a log, comprising: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, transaction signature of the log, and transaction timestamp of the log.
Optionally, the node of the blockchain executes a preset certificate management contract to process a certificate revocation message, including:
When a certificate issuing mechanism periodically checks and revokes some certificates, the certificate issuing mechanism periodically checks all certificates in the system, changes the state of certificates that have expired or have other security problems, signs the certificate information and the changed states, and uploads them to the blockchain; the node of the blockchain executes a preset certificate management contract, processes the certificate revocation information, generates a new certificate transaction and submits the new certificate transaction to the blockchain;
When a user applies to update a certificate and revoke the old certificate, a node of the blockchain executes a preset certificate management contract to verify whether the state of the old certificate is valid; if so, the old certificate state is changed to revoked, and a new certificate transaction is generated and submitted to the blockchain;
When a user applies to revoke a certificate, a node of the blockchain executes a preset certificate management contract to verify whether the current state of the certificate is a valid state; if so, the state of the certificate is changed to revoked, and a new certificate transaction is generated and submitted to the blockchain.
Optionally, verifying the certificate includes: verifying the integrity and authenticity of the certificate, verifying whether the state of the certificate is valid, and verifying whether the certificate is within the validity period.
In the embodiment of the invention, when a user side sends a certificate application message to a node of a blockchain, the node of the blockchain receives the certificate application message and executes a preset certificate issuing contract, and the node of the blockchain sends the certificate application message to a certificate issuing authority; the certificate issuing organization verifies the certificate application message; if the verification is passed, generating an encryption certificate, a signature certificate and key information; the certificate authority returns the encryption certificate, the signature certificate and the key information to the node of the blockchain; executing preset certificate issuing contracts by nodes of the blockchain, setting the certificate states of the encrypted certificates and the signed certificates to be valid, generating related transactions for certificate issuing, and submitting the related transactions for certificate issuing to the blockchain for storage; when a user side sends a certificate revocation message to a node of a blockchain, the node of the blockchain receives the certificate revocation message and executes a preset certificate management contract, the certificate revocation message is processed, a certificate revocation related transaction is generated, and the certificate revocation related transaction is submitted to the blockchain for storage; when a user side sends a certificate verification message to a node of a blockchain, the node of the blockchain receives the certificate verification message and executes a preset certificate verification contract, verifies the certificate, generates a certificate verification related transaction, and submits the certificate verification related transaction to the blockchain for storage; if the verification is passed, the node of the blockchain sends a certificate verification success message to the user.
Compared with the prior art, the embodiment of the invention can safely store the information of the digital certificate and prevent an attack on the certificate authority from causing a single point of failure; cross-verification is performed before the certificate is put on-chain to determine whether anyone has forged or tampered with the certificate, which reduces the risk of false certificates; the smart contracts provided by the embodiment of the invention can periodically check the validity of certificates, so that certificates with security problems are prevented from remaining in use; wherein the smart contracts include: certificate issuing contracts, certificate management contracts, and certificate verification contracts; certificates can be managed automatically through the smart contracts, which improves the efficiency of the certificate management flow; the flow comprises: certificate issuance, certificate status management, and certificate querying; by making newly created certificates and the states of all certificates public and visible, and by recording all operations related to certificate management in the blockchain, the embodiment of the invention can monitor all operations and detect abnormal conditions; by saving the operation logs of the smart contracts to the blockchain, the embodiment of the invention enhances the security of the certificate management system and the traceability of security problems.
Fig. 6 is a schematic structural diagram of a dual-certificate issuing and managing device based on a blockchain according to an embodiment of the present invention, where, as shown in fig. 6, the dual-certificate issuing and managing device based on a blockchain may include the dual-certificate issuing and managing system based on a blockchain shown in fig. 5. Alternatively, the blockchain-based dual certificate issuing and management device 410 may include the first processor 2001.
Optionally, the blockchain-based dual certificate issuing and management device 410 may also include a memory 2002 and a transceiver 2003.
The first processor 2001 may be connected to the memory 2002 and the transceiver 2003, for example, via a communication bus.
The following describes the respective constituent elements of the blockchain-based double certificate issuing and management apparatus 410 in detail with reference to fig. 6:
The first processor 2001 is a control center of the blockchain-based dual certificate issuing and managing device 410, and may be one processor or a generic name of a plurality of processing elements. For example, the first processor 2001 is one or more central processing units (CPUs), may be an application specific integrated circuit (ASIC), or may be one or more integrated circuits configured to implement embodiments of the present invention, such as: one or more microprocessors (digital signal processors, DSPs), or one or more field programmable gate arrays (FPGAs).
Alternatively, the first processor 2001 may perform various functions of the blockchain-based dual certificate issuing and management device 410 by running or executing a software program stored in the memory 2002, and invoking data stored in the memory 2002.
In a specific implementation, first processor 2001 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 6, as an example.
In a specific implementation, as an embodiment, the blockchain-based dual certificate issuing and management device 410 may also include multiple processors, such as the first processor 2001 and the second processor 2004 shown in fig. 6. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 2002 is used for storing a software program for executing the solution of the present invention, and is controlled by the first processor 2001 to execute the solution, and the specific implementation may refer to the above method embodiment, which is not described herein.
Alternatively, memory 2002 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation. The memory 2002 may be integrated with the first processor 2001, may exist independently, and may be coupled to the first processor 2001 through an interface circuit (not shown in fig. 6) of the blockchain-based double certificate issuing and management device 410, which is not specifically limited in this embodiment of the present invention.
A transceiver 2003 for communicating with a network device or with a terminal device.
Alternatively, transceiver 2003 may include a receiver and a transmitter (not separately shown in fig. 6). The receiver is used for realizing the receiving function, and the transmitter is used for realizing the transmitting function.
Alternatively, the transceiver 2003 may be integrated with the first processor 2001, or may exist separately, and be coupled to the first processor 2001 through an interface circuit (not shown in fig. 6) of the blockchain-based dual certificate issuing and management device 410, which is not specifically limited in this embodiment of the present invention.
It should be noted that the structure of the blockchain-based dual certificate issuing and management device 410 shown in fig. 6 is not limited to this router, and an actual knowledge structure identification device may include more or less components than those shown, or may combine some components, or may be a different arrangement of components.
In addition, the technical effects of the blockchain-based dual-certificate issuing and managing device 410 may refer to the technical effects of the blockchain-based dual-certificate issuing and managing method described in the above method embodiments, and are not described herein.
It is to be appreciated that the first processor 2001 in embodiments of the invention may be a central processing unit (CPU), or may be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (field programmable gate array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be appreciated that the memory in embodiments of the present invention may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable programmable ROM (erasable PROM), an electrically erasable programmable EPROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM), and direct memory bus random access memory (direct rambus RAM, DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable system. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" is merely an association relationship describing the associated object, and means that three relationships may exist, for example, a and/or B may mean: there are three cases, a alone, a and B together, and B alone, wherein a, B may be singular or plural. In addition, the character "/" herein generally indicates that the associated object is an "or" relationship, but may also indicate an "and/or" relationship, and may be understood by referring to the context.
In the present invention, "at least one" means one or more, and "a plurality" means two or more. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus, system and unit described above may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another device, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, system or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. The method for issuing and managing the double-certificate based on the blockchain is characterized in that the method for issuing and managing the double-certificate based on the blockchain is realized by a double-certificate issuing and managing system based on the blockchain, and the double-certificate issuing and managing system based on the blockchain comprises a user side, a blockchain and a certificate issuing mechanism; the method comprises the following steps:
S1, a user side sends a certificate application message to a node of a blockchain, when the node of the blockchain receives the certificate application message, the node of the blockchain executes a preset certificate issuing contract, and the node of the blockchain sends the certificate application message to a certificate issuing organization;
S2, verifying the certificate application message by a certificate issuing organization; if the verification is passed, generating an encryption certificate, a signature certificate and key information;
S3, the certificate issuing mechanism returns the encryption certificate, the signature certificate and the key information to the node of the blockchain; the node of the blockchain executes the preset certificate issuing contract, sets the certificate states of the encryption certificate and the signature certificate to valid, generates a certificate issuing related transaction, and submits the certificate issuing related transaction to the blockchain for storage; wherein the certificate issuing related transaction comprises a certificate transaction, which comprises: the encryption certificate and the signature certificate whose certificate status is valid, and the key information;
S4a, when a user side sends a certificate revocation message to a node of the blockchain and the node of the blockchain receives the certificate revocation message, the node of the blockchain executes a preset certificate management contract, processes the certificate revocation message, generates a certificate revocation related transaction, and submits the certificate revocation related transaction to the blockchain for storage;
S4b, when the user side sends a certificate verification message to the node of the blockchain, and when the node of the blockchain receives the certificate verification message, the node of the blockchain executes a preset certificate verification contract to verify the certificate; and if the verification is passed, the node of the blockchain sends a certificate verification success message to the user terminal.
2. The blockchain-based double-certificate issuing and management method according to claim 1, wherein the generating a certificate issuing related transaction in S3, submitting the certificate issuing related transaction to the blockchain for storage, includes:
S31, a node of the blockchain creates and broadcasts a transaction containing a certificate, wherein the transaction containing the certificate contains a signature certificate, an encryption certificate, a certificate state and key information;
S32, according to the POW consensus mechanism, the node of the blockchain that holds the block-producing right packs the certificate issuing related transactions that are not yet on chain into a block and broadcasts the block;
S33, the nodes of the blockchain cross-verify the block to be submitted; if the verification is passed, the block is added to the blockchain.
3. The blockchain-based double certificate issuing and management method of claim 1, wherein the certificate issuing related transaction, the certificate revocation related transaction, and the certificate verification related transaction each comprise: transactions containing certificates and transactions containing logs;
The transaction containing the certificate comprises: certificate transaction identification, certificate transaction type, certificate information, certificate status information, certificate transaction signature, and certificate transaction timestamp;
The transaction comprising the log comprises: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log transaction signature, and log transaction timestamp.
4. The blockchain-based double certificate issuing and management method according to claim 1, wherein the blockchain node of S4a executes a preset certificate management contract, and processes a certificate revocation message, including:
When a certificate issuing mechanism regularly checks and revokes part of certificates, the certificate issuing mechanism regularly checks all certificates in the system, changes the certificates which are expired or have other security problems, signs certificate information and the changed states, and uploads the certificate information and the changed states to the blockchain; executing a preset certificate management contract by the node of the blockchain, processing certificate revocation information, generating a new certificate transaction and submitting the new certificate transaction to the blockchain;
When a user applies for updating a certificate to cancel an old certificate, a node of the blockchain executes a preset certificate management contract to verify whether the state of the old certificate is valid; if so, changing the old certificate state into revocation, generating a new certificate transaction and submitting the new certificate transaction to the blockchain;
When a user applies for canceling a certificate, the node of the blockchain executes a preset certificate management contract to verify whether the current state of the certificate is a valid state; if so, changing the state of the certificate to revoke, generating a new certificate transaction and submitting the new certificate transaction to the blockchain.
5. The blockchain-based double certificate issuing and management method according to claim 1, wherein the step S4b of verifying the certificate comprises: verifying the integrity and authenticity of the certificate, verifying whether the state of the certificate is valid, and verifying whether the certificate is within the validity period.
6. A blockchain-based double-certificate issuing and management system for implementing the blockchain-based double-certificate issuing and management method according to any one of claims 1 to 5, the blockchain-based double-certificate issuing and management system comprising a user side, a blockchain, and a certificate issuing authority; wherein:
The user terminal is used for sending a certificate application message to the node of the blockchain; the user terminal sends a certificate revocation message to the node of the block chain; the user sends a certificate verification message to the node of the blockchain;
The blockchain is used for the following: when a node of the blockchain receives the certificate application message, the node of the blockchain executes a preset certificate issuing contract and sends the certificate application message to a certificate issuing organization; the node of the blockchain executes the preset certificate issuing contract, sets the certificate states of the encryption certificate and the signature certificate to valid, generates a certificate issuing related transaction, and submits the certificate issuing related transaction to the blockchain for storage; when the node of the blockchain receives the certificate revocation message, the node of the blockchain executes a preset certificate management contract, processes the certificate revocation message, generates a certificate revocation related transaction, and submits the certificate revocation related transaction to the blockchain for storage; when the node of the blockchain receives the certificate verification message, the node of the blockchain executes a preset certificate verification contract, verifies the certificate, generates a certificate verification related transaction, and submits the certificate verification related transaction to the blockchain for storage; if the verification is passed, the node of the blockchain sends a certificate verification success message to the user terminal;
The certificate issuing mechanism is used for verifying the certificate application message; if the verification is passed, generating an encryption certificate, a signature certificate and key information; the certificate authority returns the encryption certificate, the signature certificate, and the key information to the nodes of the blockchain.
7. The blockchain-based dual certificate issuing and management system of claim 6, wherein the generating a certificate issuing related transaction, submitting a certificate issuing related transaction to storage on the blockchain, comprises:
Creating and broadcasting a transaction containing a certificate by a node of the blockchain, wherein the transaction containing the certificate contains a signature certificate, an encryption certificate, a certificate state and key information;
According to the POW consensus mechanism, the node of the blockchain that holds the block-producing right packs the certificate issuing related transactions that are not yet on chain into a block and broadcasts the block;
The nodes of the blockchain cross-verify the block to be submitted; if the verification is passed, the block is added to the blockchain.
8. The blockchain-based double certificate issuing and management system of claim 6, wherein the certificate issuing related transaction, the certificate revocation related transaction, and the certificate verification related transaction each comprise: transactions containing certificates and transactions containing logs;
The transaction containing the certificate comprises: certificate transaction identification, certificate transaction type, certificate information, certificate status information, certificate signature, and certificate transaction timestamp;
The transaction comprising the log comprises: log transaction identification, log transaction type, smart contract identification, log content, associated user identification, log signature, and log transaction timestamp.
9. A blockchain-based dual-certificate issuing and managing device, characterized in that the blockchain-based dual-certificate issuing and managing device comprises:
A processor;
A memory having stored thereon computer readable instructions which, when executed by the processor, implement the method of any of claims 1 to 5.
10. A computer readable storage medium having stored therein program code which is callable by a processor to perform the method of any one of claims 1 to 5.
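The issuing, management and verification contracts of claims 1 to 5, sketched as an added Python example (not code from the patent). Assumptions: certificates are plain dicts rather than X.509, SHA-256 and HMAC stand in for national-cipher primitives such as SM3 hashing and SM2 signatures, and the ledger is a single in-memory hash chain without the POW consensus step; all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real CA would sign with a national-cipher (SM2) key;
# HMAC-SHA256 is a stand-in so the example runs on the standard library alone.
CA_KEY = b"constructed-demo-ca-key"
GENESIS = "0" * 64


def digest(obj) -> str:
    """Canonical SHA-256 digest of a JSON-serialisable object (stand-in for SM3)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def ca_sign(pair: dict) -> str:
    """CA 'signature' over the certificate pair (HMAC stand-in, see CA_KEY)."""
    return hmac.new(CA_KEY, digest(pair).encode(), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only transaction list; each entry commits to the previous one."""

    def __init__(self):
        self.txs = []

    def append(self, tx: dict) -> dict:
        tx = dict(tx, prev=self.txs[-1]["tx_id"] if self.txs else GENESIS)
        tx["tx_id"] = digest(tx)
        self.txs.append(tx)
        return tx

    def intact(self) -> bool:
        """Recompute every link; False if any stored transaction was altered."""
        prev = GENESIS
        for tx in self.txs:
            body = {k: v for k, v in tx.items() if k != "tx_id"}
            if tx["prev"] != prev or digest(body) != tx["tx_id"]:
                return False
            prev = tx["tx_id"]
        return True


class CertContracts:
    """Issuing, management (revocation) and verification contracts on one ledger."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger

    def _cert_tx(self, tx_type, pair_id, pair_digest, ca_sig, status, now):
        self.ledger.append({"kind": "cert", "type": tx_type, "pair_id": pair_id,
                            "pair_digest": pair_digest, "ca_sig": ca_sig,
                            "status": status, "timestamp": now})

    def _log_tx(self, contract, user, content, now):
        self.ledger.append({"kind": "log", "type": "operation", "contract": contract,
                            "user": user, "content": content, "timestamp": now})

    def latest(self, pair_id):
        """Most recent certificate transaction for a pair, or None."""
        for tx in reversed(self.ledger.txs):
            if tx["kind"] == "cert" and tx["pair_id"] == pair_id:
                return tx
        return None

    def issue(self, user, pair, ca_sig, now) -> bool:
        ok = (hmac.compare_digest(ca_sig, ca_sign(pair))
              and self.latest(pair["pair_id"]) is None)
        if ok:
            self._cert_tx("issue", pair["pair_id"], digest(pair), ca_sig, "valid", now)
        self._log_tx("issuing", user, f"issue {pair['pair_id']}: {ok}", now)
        return ok

    def revoke(self, user, pair_id, now) -> bool:
        cur = self.latest(pair_id)
        ok = cur is not None and cur["status"] == "valid"  # only valid -> revoked
        if ok:
            self._cert_tx("revoke", pair_id, cur["pair_digest"], cur["ca_sig"],
                          "revoked", now)
        self._log_tx("management", user, f"revoke {pair_id}: {ok}", now)
        return ok

    def verify(self, user, pair, now):
        cur = self.latest(pair["pair_id"])
        certs = (pair["sign_cert"], pair["enc_cert"])
        if cur is None:
            result = (False, "unknown certificate")
        elif (digest(pair) != cur["pair_digest"]
              or not hmac.compare_digest(cur["ca_sig"], ca_sign(pair))):
            result = (False, "integrity/authenticity check failed")
        elif cur["status"] != "valid":
            result = (False, "status is " + cur["status"])
        elif not all(c["not_before"] <= now <= c["not_after"] for c in certs):
            result = (False, "outside validity period")
        else:
            result = (True, "ok")
        self._log_tx("verification", user, f"verify {pair['pair_id']}: {result[1]}", now)
        return result


def make_pair(pair_id, subject, not_before, not_after):
    """Constructed signature/encryption certificate pair (plain dicts, not X.509)."""
    common = {"subject": subject, "not_before": not_before, "not_after": not_after}
    return {"pair_id": pair_id,
            "sign_cert": dict(common, usage="digitalSignature"),
            "enc_cert": dict(common, usage="keyEncipherment"),
            "key_info": "constructed-placeholder"}
```

Every contract call, including rejected ones, appends a log transaction, so an auditor replaying the ledger sees failed revocations and failed verifications as well as state changes.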
Application CN202410314537.9A (priority date 2024-03-19, filing date 2024-03-19): Block chain-based national cipher double certificate issuing and managing method and system. Status: Pending. Publication: CN118413304A (en)

Publications (1)

Publication Number Publication Date
CN118413304A true CN118413304A (en) 2024-07-30

Family

ID=92003858

Country Status (1)

Country Link
CN (1) CN118413304A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768657A (en) * 2018-04-17 2018-11-06 深圳技术大学(筹) A kind of digital certificate based on block platform chain issues system and method
CN110598482A (en) * 2019-09-30 2019-12-20 腾讯科技(深圳)有限公司 Block chain-based digital certificate management method, device, equipment and storage medium
CN113722696A (en) * 2021-07-28 2021-11-30 微易签(杭州)科技有限公司 Method, system, apparatus and medium for issuing electronic signature certificate based on block chain

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yan Junzhi; Peng Jin; Zuo Min; Wang Ke: "Blockchain-based PKI digital certificate system", Telecom Engineering Technics and Standardization, no. 11, 15 November 2017 (2017-11-15) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination